wh1t3p1g/CTF_PHP_TIPs.md

## CTF_PHP_TIPs.md

      
    Raw
  

              CTF_PHP_TIPs.md
            
          
    null==null

url:http://xxx/?username[]=1&password[]=1

绕过

md5($_GET['username'])==md5($_GET['password'])

sha1(...)==sha1(...)

因为md5,sha1函数不能计算数组的hash值，返回的都是null，导致null==null等式成立

魔术hash---0e

php中使用弱比较时，md5(xxx)的值的开头为0e的字符串，可以绕过

if(md5(xxx)==0) true

计算出来为0e的字符串有人已经总结了http://www.219.me/posts/2884.html
s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s155964671a
0e342768416822451524974117254469
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1091221200a
0e940624217856561557816327384675
s155964671a
0e342768416822451524974117254469
s1502113478a
0e861580163291561247404381396064
s155964671a
0e342768416822451524974117254469
s1665632922a
0e731198061491163073197128363787
s155964671a
0e342768416822451524974117254469
s1091221200a
0e940624217856561557816327384675
s1836677006a
0e481036490867661113260034900752
s1885207154a
0e509367213418206700842008763514
s532378020a
0e220463095855511507588041205815
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s214587387a
0e848240448830537924465865611904
s1502113478a
0e861580163291561247404381396064
s1091221200a
0e940624217856561557816327384675
s1665632922a
0e731198061491163073197128363787
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s1665632922a
0e731198061491163073197128363787
s878926199a
0e545993274517709034328855841020


in_array()函数

in_array()函数不带第3个参数true时，比较为弱比较，既“1adf”==1 true类似
is_numeric函数

判断是否是数字，是则返回true，反之为false

可以使用16进制绕过，对于整型insert语句，将可能产生二次注入
windows下php，url访问文件

windows下php中访问文件名使用”<” “>”将会被替换成”*” “?”，分别代表N个任意字符与1个任意字符

?file=a<%00  ==> a开头的文件 %00用来截断后面的.php
后台file_get_contents("./".$_GET['file'].".php")
http://www.phpbug.cn/archives/87.html
empty函数

empty(0) ==> true http://zone.wooyun.org/content/15859