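Weak typing: variables need no declared type; the language automatically converts a variable to the appropriate data type based on its value.
If a string starts with digits, the leading digits are used as the result of the conversion; if it does not, the result is 0.

```php
var_dump(0 == '0');        // true
var_dump(0 == 'abcdefg');  // true on PHP 7 and earlier (PHP 8 compares as strings: false)
var_dump(0 === 'abcdefg'); // false
var_dump(1 == '1abcdef');  // true on PHP 7 and earlier (PHP 8 compares as strings: false)
```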
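
```php
<?php
error_reporting(0);
include_once('flag.php');
highlight_file('index.php');

$md51 = md5('QNKCDZO');   // digest of the form 0e<digits>
$a = $_GET['b'];
$md52 = md5($a);

if (isset($a)) {
    // Loose != and ==: the two digests are compared as numbers, not as strings
    if ($a != 'QNKCDZO' && $md51 == $md52) {
        echo $flag;
    } else {
        echo "false!!!";
    }
}
```
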
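Weak-typed hash comparison: under `==`, PHP interprets every hash that starts with `0e` followed only by digits as the number 0.
Some strings whose hashes start with 0e:

| Source string | MD5 value (32 characters) |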
|---|---|
| s878926199a | 0e545993274517709034328855841020 |
| s155964671a | 0e342768416822451524974117254469 |
| s214587387a | 0e848240448830537924465865611904 |
| s1091221200a | 0e940624217856561557816327384675 |
| s1885207154a | 0e509367213418206700842008763514 |
| s1502113478a | 0e861580163291561247404381396064 |
| s1836677006a | 0e481036490867661113260034900752 |
| s1184209335a | 0e072485820392773389523109082030 |
| s1665632922a | 0e731198061491163073197128363787 |
| s532378020a | 0e220463095855511507588041205815 |

| Source string | SHA-1 |
|---|---|
| 10932435112 | 0e07766915004133176347055865026311692244 |
| aaroZmOk | 0e66507019969427134894567494305185566735 |
| aaK1STfY | 0e76658526655756207688271159624026011393 |
| aaO8zKZF | 0e89257456677279068558073954252716165668 |
| aa3OFF9m | 0e36977786278517984959260394024281014729 |

A value whose MD5 hash is loosely equal (`==`) to the value itself:

```
0e215962017
```

When the md5() and sha1() functions are given an array as their argument, they return null:

```
a[]=1
```

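The loose comparison from the 0e passage and the array case above, next to a hardened check. This is an added example, not code from the original page: the function names are hypothetical, the strings are the ones the page lists, and the `['1'], ['2']` pair is a constructed stand-in for array-valued query parameters.

```php
<?php
// Added example, not from the original page. Function names are hypothetical;
// the test strings are the ones the page lists.

// Weak form: == treats two "0e<digits>" digests as floats, and on PHP 7 and
// earlier md5(array) returns null, so null == null also passes.
function loose_digest_equal($a, $b)
{
    return md5($a) == md5($b);
}

// Hardened form: only strings are hashed, and the digests are compared
// byte for byte (hash_equals is also constant-time).
function strict_digest_equal($a, $b)
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(md5($a), md5($b));
}

$cases = [
    ['QNKCDZO', 'QNKCDZO'],       // same input
    ['QNKCDZO', 's878926199a'],   // two different 0e... digests
    [['1'], ['2']],               // constructed: array-valued parameters
];

foreach ($cases as $pair) {
    list($a, $b) = $pair;
    try {
        $loose = var_export(@loose_digest_equal($a, $b), true);
    } catch (TypeError $e) {
        $loose = 'TypeError';     // PHP 8 rejects array arguments to md5()
    }
    $strict = var_export(strict_digest_equal($a, $b), true);
    printf("%-28s loose=%-9s strict=%s\n", json_encode($pair), $loose, $strict);
}
```

The strict function accepts only the first pair; the loose one also accepts the second pair, and on PHP 7 and earlier the third.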

```
param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
```