MD5绕过相关

1. if($a != $b && md5($a) == md5($b))

  • 数组绕过法:如:?a[]=1&b[]=2
  • 直接传入参数a=s1885207154a,b=s1836677006a,即可,为什么呢?看一下这两个字符串的md5值可以返现分别如下:
MD5值: 
 md5("s1885207154a") => 0e509367213418206700842008763514
 md5("s1836677006a") => 0e481036490867661113260034900752

由于二者都是0e开头,在php中0e会被当做科学计数法,就算后面有字母,其结果也是0,所以上面的if判断结果使true,成功绕过!

2. if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2']))

由于php的md5函数处理数组时直接返回null,将param1,param2设为数组即可,如:?param1[]=1&param2[]=2

3. 双MD5碰撞绕过  if ($a != $b && md5($a) == md5(md5($b))

由 1 知双面的判断出现了md5(md5($b),有了前面的铺垫,这里我们第一感觉就是找到一个字符串其MD5值的MD5仍然是0e开头的那就好了。

双md5结果仍为0e开头字符串:

CbDLytmyGm2xQyaLNhWn
 
md5(CbDLytmyGm2xQyaLNhWn) => 0ec20b7c66cafbcc7d8e8481f0653d18
 
md5(md5(CbDLytmyGm2xQyaLNhWn)) => 0e3a5f2a80db371d4610b8f940d296af
 
770hQgrBOjrcqftrlaZk
 
md5(770hQgrBOjrcqftrlaZk) => 0e689b4f703bdc753be7e27b45cb3625
 
md5(md5(770hQgrBOjrcqftrlaZk)) => 0e2756da68ef740fd8f5a5c26cc45064
 
7r4lGXCH2Ksu2JNT3BYM
 
md5(7r4lGXCH2Ksu2JNT3BYM) => 0e269ab12da27d79a6626d91f34ae849
 
md5(md5(7r4lGXCH2Ksu2JNT3BYM)) => 0e48d320b2a97ab295f5c4694759889f

MD5碰撞脚本

# -*- coding: utf-8 -*-
import multiprocessing
import hashlib
import random
import string
import sys
CHARS = string.letters + string.digits
def cmp_md5(substr, stop_event, str_len,. start=0, size=20):
    global CHARS
    while not stop_event.is_set():
        rnds = ''.join(random.choice(CHARS) for _ in range(size))
        md5 = hashlib.md5(rnds)
        value = md5.hexdigest()
        if value[start: start+str_len] == substr:
            print rnds
            stop_event.set()
            '''
            #碰撞双md5
            md5 = hashlib.md5(value)
            if md5.hexdigest()[start: start+str_len] == substr:
                print rnds+ "=>" + value+"=>"+ md5.hexdigest()  + "\n"
                stop_event.set()
            '''
 
if __name__ == '__main__':
    substr = sys.argv[1].strip()
    start_pos = int(sys.argv[2]) if len(sys.argv) > 1 else 0
    str_len = len(substr)
    cpus = multiprocessing.cpu_count()
    stop_event = multiprocessing.Event()
    processes = [multiprocessing.Process(target=cmp_md5, args=(substr,
                                         stop_event, str_len, start_pos))
                 for i in range(cpus)]
    for p in processes:
        p.start()
    for p in processes:
        p.join()

上面脚本注释部分是双MD5碰撞,取消注释然后注释掉16行即可。

使用方法:python md5Crack.py "你要碰撞的字符串" 字符串的起始位置

例如:python md5Crack.py “0e" 0

将产生MD5值为0e开头的字符串。

转载于:

 

posted @ 2021-08-16 21:47  z9m8r8  阅读(399)  评论(0编辑  收藏  举报