MD5 bypasses the first formula: weak comparison bypass

Article directory

  • Reference
  • Environment
  • Recommended reading
  • MD5
      • Strengths
      • Vulnerability
      • md5()
  • Implicit type conversion
      • String concatenation
      • Mathematical operations
      • Boolean judgment
      • Equality operator
  • Scientific notation
      • Scientific notation
      • Prefix 0E and 0e
  • Specific rules for converting strings into numerical values in PHP 8 and other versions of PHP
      • PHP 8
          • Numeric string
          • Optimization
      • Other versions
      • More detailed explanation
  • Weak comparison between string and string
  • Weak comparison between strings and numbers
  • 0e215962017

Reference

Item              Description
Search engines    Bing, Google
AI large models   Wen Xinyiyan, Tongyi Qianwen, iFlytek Spark Cognitive Model, ChatGPT
PHP Manual        PHP Manual
wsfgrdgh          Saner string to number comparisons

Environment

Item   Description
PHP    5.5.0, 5.6.8, 7.0.0, 7.2.5, 7.4.9, 8.0.0, 8.2.9

Recommended reading

Item   Description
CSDN   MD5 bypasses the first formula: Weak comparison bypass
CSDN   MD5 bypasses the second formula: Array bypass
CSDN   MD5 bypasses the third formula: ffifdyop

MD5

MD5 (Message Digest Algorithm 5) is a widely used hash function that maps input data of any length to a fixed-length hash value. MD5 is an improved version of the MD4 algorithm, designed by Ronald Rivest in 1992, and is still in wide use.

The output of the MD5 algorithm is a 128-bit (16-byte) hash value, usually written as a 32-character hexadecimal string.

Strengths

  1. Irreversibility
    MD5 is a one-way hash function: the original input data cannot be recovered from a known MD5 hash.

  2. Avalanche effect
    The avalanche effect of MD5 refers to the property that a small change to the input data causes a large change in the output hash. Even if only one bit of the input changes, the resulting MD5 hash changes throughout, not just at the position that was modified.

  3. Uniqueness
    Ideally, the hash value generated by the MD5 algorithm should be unique for each input; in other words, different inputs should produce different hash values.

  4. Speed
    MD5 is fast to compute, which makes it suitable for hashing large amounts of data.

Vulnerability

The hash output space of MD5 is relatively small, only 128 bits, while the input space is unlimited. This mismatch between input and output makes hash collisions unavoidable, and an attacker can use carefully constructed input data together with a collision attack algorithm to find different inputs that share the same hash value.

  1. Collision attack
    Because of the design of MD5 and the structure of its algorithm, attackers can use specially constructed input data to find collisions. The discovery of practical collision attacks means MD5 is no longer suitable for reliably protecting data integrity or for authentication.

  2. Precomputation attack
    Because MD5 is fast to compute, an attacker can precompute the MD5 hashes of common inputs and store them in a lookup table. During the actual attack, the attacker can then recover the input behind a hash simply by looking the hash up in the precomputed table.

md5()

In PHP, the md5() function calculates the MD5 hash of a given string. It takes a string as input and returns the corresponding hash value.

md5(string $string, bool $binary = false): string

Where:

Parameter   Description
$string     The string whose MD5 hash is to be calculated.
$binary     A Boolean that selects whether the hash is returned in binary or hexadecimal form. The default is false, which returns the hash as a hexadecimal string; true returns the raw 16-byte binary hash.

Example

<?php

// Try to convert the string Hello World to an MD5 hash
var_dump(md5('Hello World'));

// Try to convert the string 12 to an MD5 hash
var_dump(md5('12'));

// When md5() receives a number instead of a string, the number is implicitly
// converted to a string first, so md5(12) and md5('12') give the same result.
var_dump(md5(12));

Output

string(32) "b10a8db164e0754105b7a99be72e3fe5"
string(32) "c20ad4d76fe97759aa27a0c99bff6710"
string(32) "c20ad4d76fe97759aa27a0c99bff6710"

Note:

If the $binary parameter of md5() is set to true and the result is written to the terminal, garbled characters will appear. This is because PHP outputs the raw bytes as text: each byte of the binary hash is sent to the terminal as the corresponding ASCII character, and some of these are unprintable characters (line feeds, NUL bytes, and so on), which the terminal displays as garbage. Among them, the line feed (0x0a, which happens to be the second byte of this particular hash) is invisible but still breaks the text onto a new line. For this, please refer to the following example:

<?php

//Try to output the hash value to the terminal in binary format
var_dump(md5('Hello World', true));

//Try to convert the binary representation of the hash value to hexadecimal and output it to the terminal
var_dump(bin2hex(md5('Hello World', true)));

Output

Because the binary hash contains the invisible line feed character, the output of var_dump(md5('Hello World', true)); is displayed across two lines.

string(16) "?
d?uA."
string(32) "b10a8db164e0754105b7a99be72e3fe5"

Implicit type conversion

In PHP, implicit type conversion means that in certain operations PHP automatically converts data from one type to another without any explicit conversion code being written.

PHP's implicit type conversion converts the operands according to rules that depend on the specific operation, so that the operation can proceed normally.

String concatenation

When performing a string concatenation operation using the period operator ., PHP will attempt to convert other data types to the string data type. For this, please refer to the following example:

<?php

//Try to concatenate two strings
var_dump('Hello ' . 'World');

// Try to concatenate a value with a string
var_dump('1 + 1 = ' . 2);

//Try to concatenate two values
var_dump(1 . 1);

Output

string(11) "Hello World"
string(9) "1 + 1 = 2"
string(2) "11"

Mathematical operations

When performing mathematical operations via mathematical operators, PHP will attempt to convert data of other data types to numeric types. For this, please refer to the following example:

<?php

// Attempt to subtract the Boolean value true from the value 1
var_dump(true - 1);

// Attempt to add the boolean values true and false
var_dump(true + false);

// Attempt to perform multiplication between strings
var_dump('2' * '150');

// The string 100djdj is converted to 100
var_dump('100djdj' / 10);

// The string djdj100 is converted to zero in PHP 7 and earlier;
// in PHP 8 a non-numeric string in arithmetic throws a TypeError instead.
var_dump('djdj100' / 10);

Output

int(0)
int(1)
int(300)
int(10)
int(0)

Boolean judgment

Where a Boolean value is required, PHP will attempt to convert non-Boolean data to Boolean data. For this, please refer to the following example:

<?php

// Try to convert the empty string to a Boolean
if ('') {
    print('Hello World' . "\n");
}

// Try to convert the string Hello World to a Boolean
if ('Hello World') {
    print('Hello China' . "\n");
}

// Try to convert the number 999 to a Boolean
if (999) {
    print('Jiujiujiu' . "\n");
}

Output

Hello China
Jiujiujiu

Equality operator

There are two equality operators in PHP: the weakly typed (loose) equality operator == and the strongly typed (strict) equality operator ===. Both test whether two operands are equal, but they behave differently.

The difference is that the weakly typed operator first performs type conversion so that both operands have the same data type before comparing them, whereas the strongly typed operator requires both the type and the value of the two operands to be identical and performs no type conversion. For this, please refer to the following example:

<?php

// Use the weakly typed comparison operator to compare a number with a string.
// Before comparing, PHP first converts the string to a number.

// Since the two values are the same after conversion to the same type,
// this returns true.
var_dump('123' == 123);

// Since the data types of the two differ (and no conversion takes place),
// this returns false.
var_dump('123' === 123);

Output

bool(true)
bool(false)

Scientific notation

Scientific notation

In PHP, e and E both denote scientific notation. A number in scientific notation has two parts, a mantissa and an exponent, and the notation is commonly used for very large or very small values.

The mantissa is usually a floating-point number between 1 and 10, and the exponent is an integer giving the power of 10 by which the mantissa is multiplied. The mantissa and exponent are separated by the character e or E.

Example

<?php

// 3.78 * 10 ^ 3
var_dump(3.78e3);

// 3 * 10 ^ -1
var_dump(3E-1);

Output

float(3780)
float(0.3)

Prefix 0E and 0e

Zero multiplied by any power of ten is still zero, so any number written in scientific notation with the prefix 0E or 0e has the value zero. For this, please refer to the following example:

<?php

var_dump(0e3280);
var_dump((float)'0e30284083');
var_dump((float)'0esjlfjsld');

Output

float(0)
float(0)
float(0)

Specific rules for converting strings into numerical values in PHP 8 and other versions of PHP

PHP 8

Numeric string

A numeric string is a string made up of numeric characters, so that the string directly represents a numerical value.

Example

"123"
"-42"
"+384"

"3.14"
"-0.5"
"0.0000"
"00000000.0000"

"2.5e3"
"1.2e-2"
"+42.0E0"

"0004746"
"0305940"
" 484748 "
" 4847 "
"3847"

Note:

  1. Strings containing notation for values in other (non-decimal) bases, such as 0x1F or 0b10101, are not numeric strings, since such notation is not used in mathematics to write numbers. In PHP source code, octal values are written with a leading zero, but in a numeric string leading zeros are just ordinary digits and do not mark an octal value.
  2. If a string in another (non-decimal) base needs to be converted to a number, use an explicit conversion function such as intval() for the conversion.
  3. Why can a string containing whitespace characters such as spaces still be a numeric string? Think of it this way: whatever looks like a number at first glance is a numeric string.

Optimization

PHP 8 still has implicit type conversion, but it changed the rules for weak comparison between strings and numbers. During a weak comparison of a string with a number, PHP decides, based on the string, whether to convert the string to a number or the number to a string before comparing. The rules are as follows:

  1. If the string conforms to the definition of a numeric string, PHP attempts to convert the string into a numeric value before comparing.
  2. If the string does not conform to the definition of a numeric string, PHP will try to convert the numeric value into a string before comparing.

Other versions

In PHP's implicit type conversion, the rules for converting a string to a number are as follows:

  1. If the first character of the string is neither a digit nor a whitespace character such as a space, the string is converted to zero.
  2. If the first character is not a digit but is a whitespace character such as a space, PHP keeps reading: all whitespace before the number is skipped, while any whitespace after the number counts as a non-numeric character. Reading stops at the first non-numeric character, and the characters read so far are converted to a number.
  3. If the first character is a digit, PHP keeps reading and stops at the first non-numeric character (except for an e or E that forms a valid scientific-notation exponent). The characters read so far are then converted to a number.

Example

Target string        Conversion result
Hello123             0
1Hell2o3             1
0x8aHello123         0
9.384Hello           9.384
0008743738Hello948   8743738
1.223e100            122.3

Note:

PHP's implicit conversion from string to number works in decimal. In the example above, the 0x8a in 0x8aHello123 is not recognised as a hexadecimal number: x is not a decimal digit, so PHP stops reading as soon as it sees the x and converts only the 0 it has read so far, giving a result of zero.
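To make the two rule sets concrete, here is an added example that is not part of the original post: a small PHP reimplementation of the pre-PHP 8 leading-number rule listed above and of the PHP 8 numeric-string rule from the Optimization section, run over the strings in the table and over the md5() digests used later in this post. The function names legacyStringToNumber, legacyLooseEquals and php8LooseEquals are my own; the code needs PHP 7 or later and shows what each rule would decide regardless of the interpreter it runs on.

```php
<?php
// Added example, not from the original post. legacyStringToNumber() models the
// leading-number rule that PHP 7 and earlier applied when a string met a number
// in ==, and php8LooseEquals() models the PHP 8 rule from the "Optimization"
// section. All three function names are my own.

function legacyStringToNumber(string $s)
{
    // Optional leading whitespace, optional sign, digits with an optional
    // fraction, optional exponent. Anything after that is ignored (rule 3),
    // and a string with no leading number at all becomes 0 (rule 1).
    $re = '/^[ \t\n\r\v\f]*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?/';
    if (!preg_match($re, $s, $m)) {
        return 0;
    }
    // $m[0] is now a well-formed numeric string, so let PHP itself turn it
    // into an int or float with the usual overflow-to-float behaviour.
    return $m[0] + 0;
}

function legacyLooseEquals($number, string $string): bool
{
    // PHP < 8: the string is always coerced to a number first.
    return $number == legacyStringToNumber($string);
}

function php8LooseEquals($number, string $string): bool
{
    // PHP 8: a numeric string is compared as a number ...
    if (is_numeric($string)) {
        return $number == $string + 0;
    }
    // ... anything else makes the number become a string, compared as text.
    return (string) $number === $string;
}

// Strings from the table above plus the two md5() digests used later in the post.
$samples = ['Hello123', '1Hell2o3', '0x8aHello123', '9.384Hello',
            '0008743738Hello948', '68c131c6982a0bbbbae667624d8eca7d',
            '0e291242476940776845150308577824'];
foreach ($samples as $s) {
    printf("%-36s -> %s\n", $s, var_export(legacyStringToNumber($s), true));
}

// The comparison 68 == md5('Hello WOrld') from the "strings and numbers" section
// succeeds under the legacy rule and fails under the PHP 8 rule ...
var_dump(legacyLooseEquals(68, '68c131c6982a0bbbbae667624d8eca7d'));
var_dump(php8LooseEquals(68, '68c131c6982a0bbbbae667624d8eca7d'));
// ... while a 0e digest is a numeric string, so it is still zero under both.
var_dump(legacyLooseEquals(0.000, '0e291242476940776845150308577824'));
var_dump(php8LooseEquals(0.000, '0e291242476940776845150308577824'));
```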

More detailed explanation

For a more detailed explanation of the rules for converting strings to numbers in PHP 8 and other PHP versions, see my other blog post, PHP Changes: Weak Comparison of Strings and Numerical Values in PHP 8 Version.

Weak comparison between string and string

In PHP, if both operands of the weak comparison operator are strings, PHP converts the two operands to numbers according to the string-to-number rules of the PHP version in use.

When bypassing MD5 checks, strings whose MD5 digest has the following form are often used:

A string prefixed with `0e` or `0E` whose remaining characters are all digits (the requirement on the remaining characters applies to PHP 8 and above).

Both byGcY and 0e215962017 are strings whose MD5 digests follow this rule.

If the target contains a weak comparison involving MD5 hashes, such strings can be used to make the comparison produce the expected result.

Example

<?php


# The variable $user_input stores the user's input
$user_input = '0e215962017';

# != is the weakly typed inequality operator; the strongly typed one is !==
if (md5('byGcY') != md5($user_input)) {
    print("Come to my city" . "\n");
} elseif ("Hack Me" == md5($user_input)) {
    print("Be my king" . "\n");
} else {
    print("Look at my invincible defense" . "\n");
}


# The MD5 digests of byGcY and 0e215962017 both start with 0e. The md5()
# function returns a string, so the weak comparison triggers an implicit
# string-to-number conversion and both digests compare as zero.
var_dump(md5('byGcY'));
var_dump(md5($user_input));

Output

Look at my invincible defense
string(32) "0e591948146966052067035298880982"
string(32) "0e291242476940776845150308577824"

Note:

In PHP, when both operands of the weakly typed comparison operator are strings, PHP converts them to numbers for the comparison if and only if both strings can be converted to numbers in the current PHP version. Otherwise the comparison follows the string comparison rules.

Weak comparison between strings and numbers

In PHP, if the two operands of the weak comparison operator are a number and a string, PHP converts one of them to the other's data type according to the conversion rules of the PHP version in use.

As with weak comparison between strings, when the target contains a weak comparison involving MD5 hashes, a string can be constructed so that the weak comparison rules make the comparison produce the expected result.

Example

<?php


$user_input = '0e215962017';
$hello = 'Hello WOrld';

if (0.000 != md5($user_input)) {
    print("Come to my city" . "\n");
} elseif (68 == md5($hello)) {
    print("Be my king" . "\n");
} else {
    print("Look at my invincible defense" . "\n");
}

# Since the MD5 digest of $hello starts with the digits 68, in versions
# below PHP 8 this string is converted to the number 68.
var_dump(md5($hello));

Output

In versions below PHP 8 the example above prints:

Be my king
string(32) "68c131c6982a0bbbbae667624d8eca7d"

In PHP 8 and above it prints:

Look at my invincible defense
string(32) "68c131c6982a0bbbbae667624d8eca7d"

0e215962017

The string 0e215962017 is special because both the string itself and its MD5 digest are prefixed with 0e. In security competitions involving MD5 bypass, you may meet challenges like the following:

<?php


$user_input = '0e215962017';

if ($user_input == md5($user_input)) {
    print("Come to my city,Be my king" . "\n");
} else {
    print("Look at my invincible defense" . "\n");
}

var_dump(md5($user_input));

Output

Come to my city,Be my king
string(32) "0e291242476940776845150308577824"
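As an added example that is not part of the original post, the following PHP covers both the string-to-string case above and the self-matching 0e215962017 case: a small check that flags 0e-style digests, the vulnerable weak comparison, and the hardened comparison that performs no type conversion. The function names isMagicHash, weakCheck and strictCheck are my own.

```php
<?php
// Added example, not from the original post. isMagicHash() flags digests that a
// weak comparison turns into zero, and strictCheck() is the comparison form that
// is not affected by them. All three function names are my own.

// True when a hex digest is a numeric string of the form 0e<digits>, which ==
// and != read as the float 0 (0 x 10^n) whenever the other operand is numeric.
function isMagicHash(string $hexDigest): bool
{
    return preg_match('/^0[eE][0-9]+$/', $hexDigest) === 1;
}

// The vulnerable pattern from the examples above: weak comparison of two digests.
function weakCheck(string $stored, string $userInput): bool
{
    return md5($stored) == md5($userInput);
}

// Hardened form. hash_equals() (PHP 5.6+) compares byte by byte with no type
// conversion, and does so in constant time; a plain === would also stop the
// bypass, since it never converts the strings to numbers.
function strictCheck(string $stored, string $userInput): bool
{
    return hash_equals(md5($stored), md5($userInput));
}

// Inputs taken from this post; the last one is an ordinary, non-magic case.
foreach (['byGcY', '0e215962017', 'Hello World'] as $s) {
    printf("%-12s md5=%s magic=%s\n", $s, md5($s), isMagicHash(md5($s)) ? 'yes' : 'no');
}

// byGcY and 0e215962017 have different digests, yet the weak form accepts one
// as the other; the strict form does not.
var_dump(weakCheck('byGcY', '0e215962017'));
var_dump(strictCheck('byGcY', '0e215962017'));

// 0e215962017 "equals" its own digest only under weak comparison.
var_dump('0e215962017' == md5('0e215962017'));
var_dump('0e215962017' === md5('0e215962017'));
```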