Strength comparison vulnerability of PHP based on hash algorithm
2022-04-23 08:52:00 【quan9i】
Preface
The article is synchronized with my personal blog https://quan9i.top/phpcompare
Looking at some CTFs, I found that most of the simple challenges use == and ===, so it is worth summarizing and learning them. I hope I can solve these directly the next time I see them. The knowledge is summarized below, and I hope it will be helpful to others who are learning.
The hash algorithm
The definition of hash algorithm is as follows
A hash algorithm (Hash), also known as a digest algorithm (Digest), takes any input data and computes a fixed-length output digest. The most important property of a hash algorithm is that the same input always yields the same output, while different inputs yield different outputs with high probability.
Commonly used hash algorithms are :
| Algorithm | Output length (bits) | Output length (bytes) |
|---|---|---|
| MD5 | 128 bits | 16 bytes |
| SHA-1 | 160 bits | 20 bytes |
| RipeMD-160 | 160 bits | 20 bytes |
| SHA-256 | 256 bits | 32 bytes |
| SHA-512 | 512 bits | 64 bytes |
PHP hash algorithm
Some hash outputs have a special form: 0e followed by xxx, where xxx consists only of digits. When PHP handles such strings, it treats every one of them as 0. Test as follows:


The reason is that PHP writes numbers in scientific notation in the same way. For example, ten to the power of ten is written in PHP as 1e10, and two times ten to the power of ten is 2e10. Test as follows:

Now look at a string such as 0exxx. PHP treats it as scientific notation and evaluates it as 0 × 10 to the power of xxx. Whatever xxx is, the result is 0, so the two values are equal.
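The comparison behaviour described above, as an added example that is not part of the original article. The helper names compareReport and isZeroExponentDigest are hypothetical, and the sample strings are constructed, not real digests.

```php
<?php
// Added example: how PHP treats pairs of strings under == and ===.

/** Hypothetical helper: summarise loose vs strict comparison of two strings. */
function compareReport($x, $y)
{
    return [
        'x_numeric' => is_numeric($x),               // would == read it as a number?
        'y_numeric' => is_numeric($y),
        'x_value'   => is_numeric($x) ? (float) $x : null,
        'y_value'   => is_numeric($y) ? (float) $y : null,
        'loose'     => $x == $y,                     // numeric when both are numeric strings
        'strict'    => $x === $y,                    // same type and same bytes
    ];
}

/** Hypothetical helper: does a hex digest have the 0e<digits> shape? */
function isZeroExponentDigest($digest)
{
    return preg_match('/^0+e[0-9]+$/D', $digest) === 1;
}

// Constructed sample strings (not real digests).
$pairs = [
    ['0e123456', '0e987654'],    // both are scientific notation with mantissa 0
    ['1e10', '10000000000'],     // one number written two ways
    ['0e12ab56', '0e987654'],    // a hex letter after 0e
];

foreach ($pairs as $pair) {
    list($x, $y) = $pair;
    echo "$x vs $y\n";
    var_export(compareReport($x, $y));
    echo "\nzero-exponent shape: ", var_export(isZeroExponentDigest($x), true), "\n\n";
}
```

The third pair shows why only digests with nothing but digits after 0e qualify: a single hex letter makes the string non-numeric, and == falls back to comparing the strings themselves.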
PHP weak comparison
PHP weak comparison means the == operator. It first converts both operands to the same type and then compares them, which means it compares values only. This is the source of the PHP weak comparison vulnerability, and it is what makes the bypass possible.
0X01
<?php
// The inputs must differ, yet their MD5 digests must be loosely equal (==)
if ($_POST['a'] != $_POST['b'] && md5($_POST['a']) == md5($_POST['b'])) {
    die("success!");
} else {
    echo "hacker";
}
show_source(__FILE__);
?>
The condition is that the two inputs are not equal while their MD5 values are equal. MD5 is a hash algorithm, so the 0e trick comes to mind as a bypass: we need a few strings whose MD5 hash has the 0e form. From the notes of other people, we know that the following strings hash to the 0e format under MD5:
aabg7XSs
aabC9RqS
s878926199a
QNKCDZO
240610708
The test results are as follows

So these strings can be used here to bypass the check.

0X02
<?php
$flag = 'flag{quan9i is best}';
// name and pwd must differ, yet their MD5 digests must be loosely equal (==)
if ($_GET['name'] != $_GET['pwd']) {
    if (md5($_GET['name']) == md5($_GET['pwd'])) {
        echo $flag;
    }
}
?>
The code first checks that the user name and the password have different values, then hashes each of them with MD5 and compares the results with a weak comparison. This looks fine, but because MD5 is used, the 0e trick applies: supply strings whose MD5 hash has the 0e format and the check is bypassed.

PHP strong comparison
<?php
// Same check with strict operators: type and value must both match
if ($_POST['a'] !== $_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
    die("success!");
}
?>
Strong comparison means the === operator. It checks not only the value but also whether both operands have the same type, so the method above cannot be used to bypass it. To bypass this check we need arrays. PHP's md5() function expects its argument to be a string. If we pass an array instead, the script does not stop with an error and the array's contents are not hashed; both calls fail in the same way, which makes the two results equal. An array is printed by echo as Array, and after md5() both results are null, so the check can be bypassed. Test as follows:

Therefore, the following payload bypasses the check:
a[]=1&b[]=2
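The weak check from 0X01 and 0X02 beside a hardened variant that also covers the array case, as an added example that is not the original author's code. The function names weakCheck and hardenedCheck are hypothetical, and the request data is constructed from the inputs shown in this article.

```php
<?php
// Added example: the weak check next to a type-validated, strict one.

/** The weak check as it appears in this article (loose operators). */
function weakCheck($a, $b)
{
    return $a != $b && md5($a) == md5($b);
}

/**
 * Hardened variant (hypothetical helper): only strings are accepted, and
 * the digests are compared as raw strings in constant time.
 */
function hardenedCheck($a, $b)
{
    if (!is_string($a) || !is_string($b)) {
        return false; // a[]=1 arrives as an array and is rejected here
    }
    return $a !== $b && hash_equals(md5($a), md5($b));
}

// Constructed request data mirroring the inputs used in this article.
$magicPost = ['a' => 'QNKCDZO', 'b' => '240610708'];
parse_str('a[]=1&b[]=2', $arrayPost); // the way PHP parses the array payload

echo "weak check, 0e strings:     ";
var_dump(weakCheck($magicPost['a'], $magicPost['b']));

echo "hardened check, 0e strings: ";
var_dump(hardenedCheck($magicPost['a'], $magicPost['b']));

echo "array payload is an array:  ";
var_dump(is_array($arrayPost['a']));

echo "hardened check, arrays:     ";
var_dump(hardenedCheck($arrayPost['a'], $arrayPost['b']));
```

The hardened function never passes a non-string to md5(), which also matters on PHP 8, where md5() given an array throws a TypeError instead of returning null.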

Copyright notice
This article was written by [quan9i]. Please include the original link when reposting. Thanks.
https://yzsam.com/2022/04/202204230818385632.html