Bugkuctf-web16 (backup is a good habit)

The main point of solving the problem

1. Use the sword 、dirmap perhaps dirsearch Wait for a scan tool , Clean the location of the backup file

2. Open the backup file , The code is as follows ：

   <?php
   /** * Created by PhpStorm. * User: Norse * Date: 2017/8/6 * Time: 20:22 */
   
   include_once "flag.php";
   ini_set("display_errors", 0);
   $str = strstr($_SERVER['REQUEST_URI'], '?');
   $str = substr($str,1);
   $str = str_replace('key','',$str);
   parse_str($str);
   echo md5($key1);
   
   echo md5($key2);
   if(md5($key1) == md5($key2) && $key1 !== $key2){
         
       echo $flag." obtain flag";
   }
   ?>
   

   Code meaning ：

   md5 After encryption ,key1==key2, At the same time, ensure the original key1!=key2
   

How to meet the conditions

1. PHP There is a flaw in implicit conversion ,PHP When dealing with hash strings , Make use of ”!=” or ”==” To compare the hash values , It takes each of them ”0E” The initial hash is interpreted as 0, So if two different passwords go through the hash , The hash value is zero ”0E” At the beginning , that PHP Will think they are the same , All are 0
2. md5 Unable to process array , Will change the array to null

How to construct conditions

1. QNKCDZO and 240610708 stay md5 After encryption , Meet the conditions of the first point above
2. structure ?kekeyy1[]=1&kekeyy2[]=2, send NULL=NULL, But the two parameters themselves are not equal ,, Meet the condition of the second point above

 Two methods of constructing parameters can be obtained flag:

/?kekeyy1=QNKCDZO&kekeyy2=240610708

/?kekeyy1[]=1&kekeyy2[]=2

 Using parameter  ?kekeyy  Because php One in the code  replace  take  key  Replace empty , So structure  ?kekeyy  Bypass