php中hash比较缺陷

哈希算法(Hash Algorithm)又称散列算法、散列函数、哈希函数，哈希算法主要有MD4、MD5、SHA

php中处理hash时的缺陷

我们比较 hash字符串的时候，常常用到 等于（ == ）、不等于（ != ）来进行比较

一个hash的值如果是以0e开头，并且后面全是数字的话，在php中这种特殊的hash(也就是所谓的Magic Hash)，会被解析为科学计数法0 x 10^n，即和0相等

所以如果两个不同的密码经过哈希以后，其哈希值都是以0e开头的，那么php将会认为他们相同，都是0

此外，0 == 字符会被认为是正确的，可以绕过验证

强弱类型比较

• == 弱类型比较中，字符'0e123'和字符'0e456'虽然是字符类型，但是因为 == 比较不比较数据类型，只比较值，结果都是0，所以相等，返回true
• === 强类型比较中，字符'0e123'和字符'0e456'在比较数据类型的时候就被当作字符类型，而字符'0e123'和字符'0e456'当然不相等，所以返回false

这种缺陷在PHP程序中使用哈希算法加密(如md5、md4、SHA1等)进行有关强弱类型比较的地方很容易被用来进行绕过，在CTF题目中算是比较常见的

Magic Hashes

• hash以0e开头

  • MD5

  Plaintext	MD5 Hash
  240610708	0e462097431906509019562988736854
  QLTHNDT	0e405967825401955372549139051580
  QNKCDZO	0e830400451993494058024219903391
  PJNPDWY	0e291529052894702774557631701704
  NWWKITQ	0e763082070976038347657360817689
  NOOPCJF	0e818888003657176127862245791911
  MMHUWUV	0e701732711630150438129209816536
  MAUXXQC	0e478478466848439040434801845361
  IHKFRNS	0e256160682445802696926137988570
  GZECLQZ	0e537612333747236407713628225676
  GGHMVOE	0e362766013028313274586933780773
  GEGHBXL	0e248776895502908863709684713578
  EEIZDOI	0e782601363539291779881938479162
  DYAXWCA	0e424759758842488633464374063001
  DQWRASX	0e742373665639232907775599582643
  BRTKUJZ	00e57640477961333848717747276704
  ABJIHVY	0e755264355178451322893275696586
  aaaXXAYW	0e540853622400160407992788832284
  aabg7XSs	0e087386482136013740957780965295
  aabC9RqS	0e041022518165728065344349536299
  s878926199a	0e545993274517709034328855841020
  s155964671a	0e342768416822451524974117254469
  s214587387a	0e848240448830537924465865611904
  s214587387a	0e848240448830537924465865611904
  0e215962017	0e291242476940776845150308577824

  • MD4

  Plaintext	MD4 Hash
  bhhkktQZ	0e949030067204812898914975918567
  0e001233333333333334557778889	0e434041524824285414215559233446
  0e00000111222333333666788888889	0e641853458593358523155449768529
  0001235666666688888888888	0e832225036643258141969031181899

  • SHA1

  Plaintext	SHA1 Hash
  aaroZmOk	0e66507019969427134894567494305185566735
  aaK1STfY	0e76658526655756207688271159624026011393
  aaO8zKZF	0e89257456677279068558073954252716165668
  aa3OFF9m	0e36977786278517984959260394024281014729

• hash转换前后相等（等于0）

  • MD5

  Plaintext	MD5 Hash
  0e215962017	0e291242476940776845150308577824
  0e1284838308	0e708279691820928818722257405159
  0e1137126905	0e291659922323405260514745084877
  0e807097110	0e318093639164485566453180786895
  0e730083352	0e870635875304277170259950255928

  • MD4

  Plaintext	MD4 Hash
  0e001233333333333334557778889	0e434041524824285414215559233446
  0e00000111222333333666788888889	0e641853458593358523155449768529
  0001235666666688888888888	0e832225036643258141969031181899

  • SHA1

  Plaintext	SHA1 Hash
  0e00000000000000000000081614617300000000	0e65307525940999632287492285468259219070
  0e00000000000000000000721902017120000000	0e94981159498252295418182453841140483274
  0e01011001101011010001101110101100101000	0e48906523151976751117677463787111106598
  0e11001000001010011000100000010001101000	0e63407184960930419027062777705081379452
  0e01000001100000001010011011001000000100	0e55962072388397083814346733718698213796
  0e10011110000101101000011101011010100100	0e31188585417285828785355336774237712792
  0e01010111000111111010101011010111010100	0e45906344569616659428808892091261969181
  0e00100001110000001111010000010011101100	0e14860258669052332549568607710438132953
  0e11110000111010001001101111111110010010	0e12174258436385758552874426941686538483
  0e10111110011100101100010101111010000110	0e99774398282593376043462038572281385389
  0e11001111110111110010111010000011110110	0e63185221301034624940345471074357888797
  0e00001010010101100100101011101110001110	0e90943988772171749054413593888105986782
  0e01011101110010111011110010010010101110	0e01608800192659803576771346607441737826
  0e10111110101111001000000100011101101110	0e49094541458479495263034294421025186938
  0e11100111101110011010111001010101111110	0e55770706149948760086200713505841887543
  0e11111001010101100110011001010001110001	0e91120687121163809515824135435029958137
  0e01000111101111110010010010000001001001	0e78071797328546369301825420848872451849
  0e00100110100010100110001101110110110101	0e06077380408260614659219920561082767632
  0e11111100001011000011110100100010111101	0e12149120354415335220758399492713921588
  0e00111100110101101001000101011011111101	0e38661126569790555598431905065403870516
  0e10100011100101000001110010100110100011	0e55745078154640212511596259055910278070
  0e10011110011111001001100100000111011011	0e20319731123101477913295720812414482217

更多Magic Hashes请参考：https://github.com/spaze/hashes

与hash缺陷无关的数组绕过方法

一般用于强比较

利用的是md5()、md4()、sha1()等在处理非字符数据的时候异常返回，如这里传入数组，返回的是NULL

PS：这里无论===或者==，两边都是NULL

payload:	a[]=1&b[]=2

关于MD5强碰撞问题

当php对传参进行了类型控制，那么强比较就不能和上面一样一个数组传参就能解决

例：

需要寻找md5完全相等，本身却不一样的字符

参考：https://crypto.stackexchange.com/questions/1434/are-there-two-known-strings-which-have-the-same-md5-hash-value

file1的十六进制字节流数据

d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f8955ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5bd8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70

file2的十六进制字节流数据

d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f8955ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5bd8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70

将字节流写入成文件可以发现这两个不相同的文件它们的md5值完全相等

将十六进制数据解码然后url编码一遍得到：

file1

%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C/%CA%B5%87%12F~%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25qAZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BD%F2%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E2%B4%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW~%E8%CET%B6p%80%A8%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%2Bo%F7%2Ap

file2

%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C/%CA%B5%07%12F~%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25%F1AZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BDr%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E24%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW~%E8%CET%B6p%80%28%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%ABo%F7%2Ap

以上两串字符的md5值都为：79054025255fb1a26e4bc422aef54eb4

构造payload：

param1=%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C/%CA%B5%87%12F~%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25qAZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BD%F2%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E2%B4%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW~%E8%CET%B6p%80%A8%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%2Bo%F7%2Ap&param2=%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C/%CA%B5%07%12F~%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25%F1AZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BDr%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E24%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW~%E8%CET%B6p%80%28%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%ABo%F7%2Ap

总结部分md5强比较相等字符

%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C/%CA%B5%87%12F~%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25qAZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BD%F2%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E2%B4%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW~%E8%CET%B6p%80%A8%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%2Bo%F7%2Ap

%D11%DD%02%C5%E6%EE%C4i%3D%9A%06%98%AF%F9%5C/%CA%B5%07%12F~%AB%40%04X%3E%B8%FB%7F%89U%AD4%06%09%F4%B3%02%83%E4%88%83%25%F1AZ%08Q%25%E8%F7%CD%C9%9F%D9%1D%BDr%807%3C%5B%D8%82%3E1V4%8F%5B%AEm%AC%D46%C9%19%C6%DDS%E24%87%DA%03%FD%029c%06%D2H%CD%A0%E9%9F3B%0FW~%E8%CET%B6p%80%28%0D%1E%C6%98%21%BC%B6%A8%83%93%96%F9e%ABo%F7%2Ap

以上两串字符的md5值都为：79054025255fb1a26e4bc422aef54eb4

M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2

M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

以上两串字符的md5值都为：008ee33a9d58b51cfeb425b0959121c9

%0E0eaU%9A%A7%87%D0%0B%C6%F7%0B%BD%FE4%04%CF%03e%9EpO%854%C0%0F%FBe%9CL%87%40%CC%94/%EB-%A1%15%A3%F4%15%5C%BB%86%07Is%86em%7D%1F4%A4%20Y%D7%8FZ%8D%D1%EF

%0E0eaU%9A%A7%87%D0%0B%C6%F7%0B%BD%FE4%04%CF%03e%9EtO%854%C0%0F%FBe%9CL%87%40%CC%94/%EB-%A1%15%A3%F4%15%DC%BB%86%07Is%86em%7D%1F4%A4%20Y%D7%8FZ%8D%D1%EF

以上两串字符的md5值都为：cee9a457e790cf20d4bdaa6d69f01e41

最后

以上就是妩媚长颈鹿为你收集整理的php中hash比较缺陷php中hash比较缺陷的全部内容，希望文章能够帮你解决php中hash比较缺陷php中hash比较缺陷所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错，欢迎将靠谱客网站推荐给程序员好友。