title: CTF - MD5 Collision
categories: CTF
tags: [MD5]

date: 2020-01-15 11:02:18

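<p style="text-align: left;">0x00: The weather is freezing today, but even the harshest weather can't dampen my enthusiasm for learning. As usual, when I'm tired or sleepy I work on CTF challenges, and that is how I ran into the following one.</p>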


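<p style="text-align: left;">0x01: From a review of the source code, the challenge is easy to understand: you submit a value "a" whose MD5 must equal the MD5 of "QNKCDZO", while "a" itself must not equal "QNKCDZO". In fact, the title "MD5 collision" already tells us how to solve it.</p>
<p>0x02: Hashing "QNKCDZO" gives the MD5 value "0e830400451993494058024219903391".</p>
<p>This is where it gets interesting.</p>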


<p>0x03: Some background</p>

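<div>When PHP compares hash strings with "!=" or "==", it interprets every hash value that begins with "0e" as 0 (a string of the form 0e followed only by decimal digits is read as a number in scientific notation, 0 × 10^n). So if two different passwords both hash to values that begin with "0e", PHP considers them equal, because both are 0.</div>
<div>A detailed write-up of the PHP hash comparison flaw:</div>
<div>http://www.freebuf.com/news/67007.html</div>
<div>Below are some plaintexts whose MD5 values begin with 0e</div>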
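<p style="text-align: left;">0x04: Sure enough, QNKCDZO is one of these special strings, so when PHP compares its MD5 value it treats that value as 0. We only need to assign another of these special strings to a, and the problem is solved.</p>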
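<p>The loose comparison behind this challenge next to a strict replacement, as an added example that is not part of the original post. The loose check accepts a different plaintext, while <code>hash_equals()</code> rejects it. The function names are hypothetical; s878926199a is another plaintext whose MD5 digest is 0e followed only by digits, and the short "0e12ab"-style strings are constructed.</p>

```php
<?php
// Added example, not code from the original post. Function names are hypothetical.

// Vulnerable pattern: loose comparison of two hex digests. When both have the
// form 0e<digits>, PHP converts them to floats (0 * 10^n) and compares 0.0 == 0.0.
function verify_loose(string $input, string $expected): bool
{
    return md5($input) == $expected;
}

// Hardened: hash_equals() compares the strings byte for byte in constant time
// and never applies numeric conversion. (=== also avoids the type juggling.)
function verify_strict(string $input, string $expected): bool
{
    return hash_equals($expected, md5($input));
}

// Audit helper: would this stored digest be read as a number under == ?
function is_magic_hash(string $digest): bool
{
    return preg_match('/^0+e[0-9]+\z/i', $digest) === 1;
}

$expected = md5('QNKCDZO');   // the digest the challenge compares against
$other    = 's878926199a';    // a different plaintext with a 0e<digits> digest

// Same inputs, two comparison styles.
var_dump(verify_loose($other, $expected));
var_dump(verify_strict($other, $expected));
var_dump(is_magic_hash($expected));

// Constructed values: "0e" prefix followed by hex letters. These are not
// numeric strings, so == falls back to an ordinary string comparison.
var_dump('0e12ab' == '0e34cd');
var_dump(is_magic_hash('0e12ab'));
```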


<p>0x05: Attached is a generator for strings whose MD5 value begins with 0e</p>

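<!-- wp:code {"lineNumbers":true} -->

<pre class="wp-block-code"><code>import hashlib
import random
import string

# Draw random 5-character strings until one has an MD5 hex digest starting with "0e".
# Note: only the prefix is checked here; PHP's loose comparison treats a digest
# as 0 only when every character after "0e" is a decimal digit.
while True:
    s = ''.join(random.sample(string.ascii_letters + string.digits, 5))
    m = hashlib.md5(s.encode("utf-8")).hexdigest()
    if m[:2] == "0e":
        print(s)
        break
</code></pre>

<!-- /wp:code -->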
