# PHP Juggling type and magic hashes PHP provides two ways to compare two variables: - Loose comparison using `== or !=` : both variables have "the same value". - Strict comparison using `=== or !==` : both variables have "the same type and the same value". ## Type Juggling ### True statements ```php var_dump('0010e2' == '1e3'); # true var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0 var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0 var_dump('0x01' == 1) # true PHP 5.0 / false PHP 7.0 var_dump('0x1234Ab' == '1193131'); ``` ```php '123' == 123 '123a' == 123 'abc' == 0 ``` ```php '' == 0 == false == NULL '' == 0 # true 0 == false # true false == NULL # true NULL == '' # true ``` ### NULL statements ```php var_dump(sha1([])); # NULL var_dump(md5([])); # NULL ``` ## Magic Hashes - Exploit If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float. | Hash | “Magic” Number / String | Magic Hash | Found By | | ---- | -------------------------- |:---------------------------------------------:| -------------:| | MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | | SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham | | SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) | | SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) | ```php ``` ## References * [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html) * [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)