Reference
Project | Description |
---|---|
Search Engine | Bing, Google |
AI large model | Wen Xinyiyan, Tongyi Qianwen, iFlytek Spark Cognitive Model, ChatGPT |
PHP Manual | PHP Manual |
wsfgrdgh | Saner string to number comparisons |
Environment
Project | Description |
---|---|
PHP | 5.5.0, 5.6.8, 7.0.0, 7.2.5, 7.4.9, 8.0.0, 8.2.9 |
Recommended reading
Project | Description |
---|---|
CSDN | MD5 bypasses the first formula: Weak comparison bypasses |
CSDN | MD5 bypasses the second formula: Array bypass |
CSDN | MD5 bypass third formula: ffifdyop |
MD5
MD5 (Message Digest Algorithm 5) is a commonly used hash function that converts data of any length into a fixed-length hash value. MD5 is an improved version of the MD4 algorithm, designed by Ronald Rivest in 1992 and widely used.
The output of the MD5 algorithm is a 128-bit hash value, that is, 16 bytes long, usually expressed as a 32-digit hexadecimal number.
Resilience
- Irreversibility: MD5 is a one-way hash function that is irreversible. This means that it is unable to accurately determine the original input data from a known MD5 hash.
- Avalanche effect: The avalanche effect of MD5 refers to the characteristic that small changes to the input data lead to huge changes in the output hash value. Specifically, even if only one bit of the input data changes, the calculated MD5 hash value changes globally, not just at the modified position.
- Uniqueness: Ideally, the hash value generated by the MD5 algorithm should be unique for different input data. In other words, different input data should produce different hash values.
- Rapidity: MD5 is an algorithm for quickly calculating hash values, suitable for hash calculations on large amounts of data.
Vulnerability
The hash output space of the MD5 algorithm is relatively small, only 128 bits (it can only accommodate 128 bits of binary data), while the input space is unlimited. This mismatch between input and output makes hash collisions possible. Using a carefully chosen collision attack algorithm, an attacker can find different, cleverly constructed inputs that have the same hash value.
- Collision attack: Due to the design features and algorithm structure of MD5, attackers can use cleverly constructed input data to find collisions. The discovery of collision attacks means MD5 is no longer suitable for reliable protection of data integrity and authentication.
- Precomputed attack: Because MD5 is fast to compute, an attacker can precompute the MD5 hashes of common input data and store them in a hash table. During the actual attack, the attacker can then quickly crack a hash value by comparing it with the precomputed hash values.
md5()
In PHP, the `md5()` function is used to calculate the MD5 hash value of a given string. The function takes a string as input and returns its corresponding hash value.

```php
md5(string $string, bool $binary = false): string
```

Where:
Project | Description |
---|---|
$string | The string whose MD5 hash is to be calculated. |
$binary | A Boolean value that specifies whether the hash value is returned in binary format or in hexadecimal format. The default is false, which means the hash value is returned in hexadecimal format. If set to true, the hash value is returned in binary format. |
For example

```php
<?php

// Compute the MD5 hash of the string Hello World
var_dump(md5('Hello World'));

// Compute the MD5 hash of the string 12
var_dump(md5('12'));

// When the argument passed to md5() is a number rather than a string,
// it is automatically converted to the string "12" before hashing.
var_dump(md5(12));
```

Execution effect

```
string(32) "b10a8db164e0754105b7a99be72e3fe5"
string(32) "c20ad4d76fe97759aa27a0c99bff6710"
string(32) "c20ad4d76fe97759aa27a0c99bff6710"
```
Note:
When the `$binary` parameter of the `md5()` function is set to `true` and the result is output to the terminal, garbled characters appear. This is because PHP automatically tries to convert the binary data into text that can be displayed: each byte of the binary data is converted into the corresponding ASCII character, and the result contains some unprintable characters (newline characters, null characters, etc.), which are displayed as garbled characters. Among them, the newline character is invisible but still wraps the text that follows it. For this, please refer to the following example:

```php
<?php

// Output the hash value to the terminal in binary format
var_dump(md5('Hello World', true));

// Convert the binary representation of the hash value to hexadecimal
// and output it to the terminal
var_dump(bin2hex(md5('Hello World', true)));
```

Execution effect
Since the result of converting the binary data into text contains the invisible newline character, the output of `var_dump(md5('Hello World', true));` is presented as two lines.

```
string(16) "?
d?uA."
string(32) "b10a8db164e0754105b7a99be72e3fe5"
```
Implicit type conversion
In PHP, implicit type conversion means that in certain operations PHP automatically converts data from one data type to another, without explicit type-conversion code being written.
PHP's implicit type conversion converts the operands according to certain rules (which depend on the specific situation) so that the operation can proceed normally.
String concatenation
When performing a string concatenation with the period operator `.`, PHP will attempt to convert other data types to the string data type. For this, please refer to the following example:

```php
<?php

// Concatenate two strings
var_dump('Hello ' . 'World');

// Concatenate a string with a number
var_dump('1 + 1 = ' . 2);

// Concatenate two numbers
var_dump(1 . 1);
```

Execution effect

```
string(11) "Hello World"
string(9) "1 + 1 = 2"
string(2) "11"
```
Mathematical operations
When performing mathematical operations with mathematical operators, PHP will attempt to convert data of other data types to numeric types. For this, please refer to the following example:

```php
<?php

// Subtract 1 from the Boolean value true
var_dump(true - 1);

// Add the Boolean values true and false
var_dump(true + false);

// Multiply two numeric strings
var_dump('2' * '150');

// The string 100djdj is converted to 100
var_dump('100djdj' / 10);

// The string djdj100 is converted to zero
// (PHP 7 and earlier; PHP 8 throws a TypeError for a non-numeric string operand)
var_dump('djdj100' / 10);
```

Execution effect

```
int(0)
int(1)
int(300)
int(10)
int(0)
```
Boolean judgment
Where a Boolean value is required, PHP will attempt to convert non-Boolean data to Boolean data. For this, please refer to the following example:

```php
<?php

// The empty string is converted to false
if ('') {
    print('Hello World' . "\n");
}

// The string Hello World is converted to true
if ('Hello World') {
    print('Hello China' . "\n");
}

// The value 999 is converted to true
if (999) {
    print('Jiujiujiu' . "\n");
}
```

Execution effect

```
Hello China
Jiujiujiu
```
Equality operator
There are two equality operators in PHP, namely the weakly typed equality operator `==` and the strongly typed equality operator `===`. Both can be used to judge whether two operands are equal, but there are some differences.
The difference between the two is that the weakly typed equality operator automatically performs type conversion so that both operands belong to the same data type before comparing. The strongly typed equality operator requires that the type and the value of the two operands be identical, and performs no type conversion. For this, please refer to the following example:

```php
<?php

// Use the weakly typed comparison operator to compare a number and a string.
// When comparing, PHP first converts the string to a numeric value.
// Since the two values are the same after being converted to the same type,
// this returns true.
var_dump('123' == 123);

// Since the data types of the two operands are different,
// this returns false.
var_dump('123' === 123);
```

Execution effect

```
bool(true)
bool(false)
```
Scientific notation
Scientific notation
In PHP, `e` and `E` both represent scientific notation. Scientific notation consists of two parts, the base and the exponent, and is commonly used to represent very large or very small values.
In scientific notation, the base is usually a floating-point number between 1 and 10, while the exponent is an integer giving the power of 10 by which the base is multiplied. The base and exponent are separated by the character `e` or `E`.
For example

```php
<?php

// 3.78 * 10 ^ 3
var_dump(3.78e3);

// 3 * 10 ^ -1
var_dump(3E-1);
```

Execution effect

```
float(3780)
float(0.3)
```
Prefix 0E and 0e
Zero multiplied by any power of 10 is zero, so any number expressed in scientific notation with the prefix `0E` or `0e` has the value zero. For this, please refer to the following example:

```php
<?php

var_dump(0e3280);
var_dump((float)'0e30284083');
var_dump((float)'0esjlfjsld');
```

Execution effect

```
float(0)
float(0)
float(0)
```
Specific rules for converting strings into numerical values in PHP8 and other versions of PHP
PHP8
Numerical string
A numeric string is a string containing numeric characters. Numeric strings can be used to directly represent a numerical value.
For example

```
"123"
"-42"
"+384"
"3.14"
"-0.5"
"0.0000"
"00000000.0000"
"2.5e3"
"1.2e-2"
"+42.0E0"
"0004746"
"0305940"
" 484748 "
" 4847 "
"3847"
```

Note:
- Strings containing symbols that represent values in other (non-decimal) bases, such as `0x1F` and `0b10101`, cannot be called numeric strings (these symbols are not usually used in mathematics to identify values in other bases). In PHP, octal values are represented by leading zeros, but in numeric strings leading zeros are treated as ordinary digits and do not mark the value as octal.
- If you need to convert strings in other (non-decimal) bases into numerical values, consider using functions such as `intval()` for explicit type conversion.

Why can a string containing whitespace characters such as spaces also be a numeric string? You can understand it this way: anything that looks like a numerical value at first glance is a numeric string.
Optimization
PHP 8 still retains implicit type conversion, but has optimized the weak comparison between strings and numeric values. During a weak comparison of a string and a numeric value, PHP either converts the string to a numeric value or converts the numeric value to a string before comparing, depending on the string. The specific rules are as follows:
- If the string conforms to the definition of a numeric string, PHP converts the string into a numeric value before comparing.
- If the string does not conform to the definition of a numeric string, PHP converts the numeric value into a string before comparing.
Other versions
In PHP's implicit type conversion process, the specific rules for converting strings into numerical values are as follows:
- If the first character of the string is neither a digit nor a whitespace character such as a space, the string is converted to zero.
- If the first character of the string is not a digit but is a whitespace character such as a space, PHP tries to read the remaining characters. All whitespace before the number is converted to zero, and all whitespace after the number is treated as non-numeric characters; when a non-numeric character is encountered, reading stops and the characters read so far are converted into a numerical value.
- If the first character of the string is a digit, PHP tries to read the remaining characters. It stops reading when it encounters a non-numeric character (except for the characters `e` or `E` in valid scientific notation) and converts the characters read so far into a numerical value.

For example
Target string | Conversion result |
---|---|
Hello123 | 0 |
1Hell2o3 | 1 |
0x8aHello123 | 0 |
9.384Hello | 9.384 |
0008743738Hello948 | 8743738 |
1.223e100 | 122.3 |
Note:
When PHP performs implicit type conversion from a string to a numeric value, it works in decimal notation. In the example above, the `0x8a` in `0x8aHello123` is not recognized as a hexadecimal number: `x` does not exist in decimal, so when PHP reaches the character `x` it immediately stops reading and converts the string read so far, `0`, into a numerical value. The final conversion result is therefore zero.
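The two rule sets above, modelled side by side so the same input can be checked against both (an added example, not code from the original article; the function names `isNumericString`, `legacyToNumber` and `looseEquals` are hypothetical, PHP 7.1 or later is assumed, and the model covers only a number compared with a string):

```php
<?php
// Added example, not the article's code. Function names are hypothetical.

// PHP 8 numeric string: optional whitespace on both sides, optional sign,
// decimal digits with an optional fraction and exponent.
function isNumericString(string $s): bool
{
    return preg_match('/^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$/', $s) === 1;
}

// Rule for other versions: read the longest numeric prefix and stop at the
// first character that cannot extend it; no prefix at all gives zero.
function legacyToNumber(string $s): float
{
    $found = preg_match('/^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?/', $s, $m);
    return $found === 1 ? (float) $m[0] : 0.0;
}

// Result of `$n == $s` under either rule set.
function looseEquals(float $n, string $s, bool $php8Rules): bool
{
    if ($php8Rules && !isNumericString($s)) {
        // PHP 8, non-numeric string: the number is cast to a string instead.
        return (string) $n === $s;
    }
    // Numeric string on PHP 8, or any string on older versions.
    return $n == legacyToNumber($s);
}

// Constructed inputs; the two digests are md5() outputs shown in the article.
$cases = [
    [68, '68c131c6982a0bbbbae667624d8eca7d'],
    [0,  '0e291242476940776845150308577824'],
    [0,  'Hello123'],
    [0,  ''],
];
foreach ($cases as [$n, $s]) {
    printf("%-2d == %-36s  other versions: %-5s  PHP 8: %s\n", $n, var_export($s, true),
        var_export(looseEquals($n, $s, false), true),
        var_export(looseEquals($n, $s, true), true));
}
```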
More detailed explanation
If you want a more detailed explanation of the rules for converting strings into numerical values in PHP 8 and other PHP versions, you can refer to my other blog post, PHP Changes: Weak Comparison of Strings and Numerical Values in PHP 8 Version.
Weak comparison between string and string
In PHP, if both operands of the weak comparison operator are strings, PHP converts the two operands into numeric values according to the string-to-number conversion rules of the PHP version in use.
When bypassing MD5 checks, strings whose MD5 hash conforms to the following format are often used:
A string prefixed with `0e` or `0E` whose remaining characters are all digits (this format description applies only to PHP 8 and above).
`byGcY` and `0e215962017` are strings that comply with this rule.
If the attack target contains a weak comparison involving an MD5 hash, we can use such strings to try to make the result of the check meet our expectations.
For example

```php
<?php

# The variable $user_input stores the user's input
$user_input = '0e215962017';

# != is the weakly typed inequality operator;
# the strongly typed inequality operator is !==
if (md5('byGcY') != md5($user_input)) {
    print("Come to my city" . "\n");
} elseif ("Hack Me" == md5($user_input)) {
    print("Be my king" . "\n");
} else {
    print("Look at my invincible defense" . "\n");
}

# The MD5 hashes of byGcY and 0e215962017 are both prefixed with 0e,
# and md5() returns a string, so implicit string-to-number
# conversion is applied to both operands.
var_dump(md5('byGcY'));
var_dump(md5($user_input));
```

Execution effect

```
Look at my invincible defense
string(32) "0e591948146966052067035298880982"
string(32) "0e291242476940776845150308577824"
```
Note:
In PHP, if the operands of the weakly typed comparison operator are all strings, PHP converts them into numerical values for comparison if and only if the string operands can be converted into numerical values in the current PHP version. Otherwise, the comparison is performed according to the string comparison rules.
Weak comparison between strings and numbers
In PHP, if the two operands of the weak comparison operator are a number and a string, PHP converts one of the two operands to the other data type according to the conversion rules of the PHP version in use.
As with weak comparison between strings, when the attack target contains a weak comparison involving an MD5 hash, you can construct a string that uses the weak comparison rules to make the result of the check meet your expectations.
For example

```php
<?php

$user_input = '0e215962017';
$hello = 'Hello WOrld';

if (0.000 != md5($user_input)) {
    print("Come to my city" . "\n");
} elseif (68 == md5($hello)) {
    print("Be my king" . "\n");
} else {
    print("Look at my invincible defense" . "\n");
}

# The MD5 hash of $hello starts with the digits 68, so in versions
# below PHP 8 this string is converted to the value 68.
var_dump(md5($hello));
```

Execution effect
The result of running the above example in versions below PHP 8 is:

```
Be my king
string(32) "68c131c6982a0bbbbae667624d8eca7d"
```

The result of running the above example in PHP 8 is:

```
Look at my invincible defense
string(32) "68c131c6982a0bbbbae667624d8eca7d"
```
0e215962017
The string `0e215962017` is special because both the string itself and its MD5 hash are prefixed with `0e`. When participating in security competitions about MD5 bypass, you may encounter questions similar to the following:

```php
<?php

$user_input = '0e215962017';

if ($user_input == md5($user_input)) {
    print("Come to my city,Be my king" . "\n");
} else {
    print("Look at my invincible defense" . "\n");
}

var_dump(md5($user_input));
```

Execution results

```
Come to my city,Be my king
string(32) "0e291242476940776845150308577824"
```
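
The loose comparisons from the weak-comparison sections and from this challenge, set beside a hardened form (an added example, not code from the original article; the function names are hypothetical and PHP 7.0 or later is assumed):

```php
<?php
// Added example, not the article's code. Function names are hypothetical.

// Weak form shown in the article: when both operands have the shape
// 0e<digits>, == compares them as floats, and 0.0 == 0.0 is true.
function weakDigestMatch(string $expected, string $input): bool
{
    return $expected == md5($input);
}

// Hardened form: hash_equals() compares the two strings byte by byte in
// constant time and never applies numeric-string conversion.
function strictDigestMatch(string $expected, string $input): bool
{
    return hash_equals($expected, md5($input));
}

// Audit helper: true for a digest that loose comparison reads as zero.
function isZeroExponentDigest(string $hex): bool
{
    return preg_match('/^0e\d+\z/i', $hex) === 1;
}

// Both values below are taken from the article.
$expected = md5('byGcY');
$input    = '0e215962017';

// Loose comparison accepts the input although the digests differ.
var_dump(weakDigestMatch($expected, $input));

// Byte-wise comparison rejects it.
var_dump(strictDigestMatch($expected, $input));

// The stored digest has the 0e<digits> shape and is worth flagging in an audit.
var_dump(isZeroExponentDigest($expected));

// The self-comparison from the challenge above, written with ===.
var_dump($input === md5($input));
```

The `string` parameter types also reject array arguments, so the comparison only ever sees two strings.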