mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
3.1 KiB
3.1 KiB
PHP Juggling type and magic hashes
PHP provides two ways to compare two variables:
- Loose comparison using
== or !=
: both variables have "the same value". - Strict comparison using
=== or !==
: both variables have "the same type and the same value".
Type Juggling
True statements
var_dump('0010e2' == '1e3'); # true
var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0
var_dump('0xABCdef' == ' 0xABCdef'); # true PHP 5.0 / false PHP 7.0
var_dump('0x01' == 1) # true PHP 5.0 / false PHP 7.0
var_dump('0x1234Ab' == '1193131');
'123' == 123
'123a' == 123
'abc' == 0
'' == 0 == false == NULL
'' == 0 # true
0 == false # true
false == NULL # true
NULL == '' # true
NULL statements
var_dump(sha1([])); # NULL
var_dump(md5([])); # NULL
Magic Hashes - Exploit
If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.
Hash | “Magic” Number / String | Magic Hash | Found By / Description |
---|---|---|---|
MD5 | 240610708 | 0e462097431906509019562988736854 | @spazef0rze |
MD5 | QNKCDZO | 0e830400451993494058024219903391 | @spazef0rze |
MD5 | 0e1137126905 | 0e291659922323405260514745084877 | @spazef0rze |
MD5 | 0e215962017 | 0e291242476940776845150308577824 | @spazef0rze |
MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? |
SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | @TihanyiNorbert |
SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | @TihanyiNorbert |
SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | @Chick3nman512 |
<?php
var_dump(md5('240610708') == md5('QNKCDZO')); # bool(true)
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
?>