0. Open the web page and check the challenge hint
Description: Backup is a good habit
Of course I thought of the backup file: index.php.bak
You can also find it quickly by scanning the site with Yujian
1. Use Yujian to scan the directory
2. Open the backup file for code audit
<?php
/**
* Created by PhpStorm.
* User: Norse
* Date: 2017/8/6
* Time: 20:22
*/
include_once "flag.php";
ini_set("display_errors", 0);
$str = strstr($_SERVER['REQUEST_URI'], '?');
$str = substr($str,1);
$str = str_replace('key','',$str);
parse_str($str);
echo md5($key1);
echo md5($key2);
if(md5($key1) == md5($key2) && $key1 !== $key2){
    echo $flag."取得flag";
}
?>
Note that the code compares the MD5 values of key1 and key2 with ==, and also requires key1 !== key2.
This is an MD5 weak-type (loose comparison) collision; passing arrays bypasses it.
In addition, the string 'key' is stripped only once, so double-writing it gets the variable names through the filter: kkeyey1 and kkeyey2
The final payload: ?kekeyy1[]=1&kekeyy2[]=2 (i.e. null==null)
Another payload: ?kekeyy1=QNKCDZO&kekeyy2=240610708 (i.e. the MD5 value of QNKCDZO and the MD5 value of 240610708 compare as equal)
This kind of PHP weak-type comparison bypass can be attempted with the constructions above (they do not work if the comparison uses ===).
3. Submit the payload: ?kekeyy1[]=1&kekeyy2[]=2
4. Get the flag: flag{26f79619f953aae01177dcd432947059}
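A hardened form of the check audited in step 2, as an added example that is not part of the original write-up or the challenge's code: it parses the query into an array, accepts only strings, and compares digests with hash_equals(), so neither payload shape from step 2 satisfies it. The function names read_keys() and keys_match() and the sample query strings are assumptions made for this sketch.

```php
<?php
// Added example: a hardened form of the check in index.php.bak.
// read_keys() and keys_match() are hypothetical names chosen for this sketch.

/** Parse the query string into an array instead of into local variables. */
function read_keys(string $query): array
{
    $params = [];
    parse_str($query, $params);   // second argument: nothing is injected into scope
    // Read only the two expected names; there is no blacklist to double-write around.
    return [$params['key1'] ?? null, $params['key2'] ?? null];
}

/** True only for two different strings with byte-identical MD5 digests. */
function keys_match($key1, $key2): bool
{
    // key1[]=1 arrives as an array: refuse anything that is not a string.
    if (!is_string($key1) || !is_string($key2)) {
        return false;
    }
    if ($key1 === $key2) {
        return false;
    }
    // hash_equals() compares bytes, so two "0e<digits>" digests are never
    // interpreted as numbers the way == interprets them.
    return hash_equals(md5($key1), md5($key2));
}

// Constructed inputs: the two payload shapes from the write-up (written with
// the plain names key1/key2) plus a benign pair.
$samples = [
    'array'      => 'key1[]=1&key2[]=2',
    'magic hash' => 'key1=QNKCDZO&key2=240610708',
    'benign'     => 'key1=a&key2=b',
];

foreach ($samples as $label => $query) {
    [$k1, $k2] = read_keys($query);
    printf("%-10s hardened check: %s\n", $label, var_export(keys_match($k1, $k2), true));
}

// For contrast: the loose comparison the original code applies to the same pair.
var_dump(md5('QNKCDZO') == md5('240610708'));
```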