
md5 collisions and the way php interprets types (php hash collisions)
As I was recently working on the Homeless vulnhub CTF by Min Ko Ko, one of the steps required to proceed further contained the following code:
So that’s quite a tricky challenge requiring all the md5 input fields to collide. While trying to solve this and researching collisions further, I gathered the following resources:
http://cryptologie.net/article/268/how-to-compare-password-hashes-in-php/
https://github.com/spaze/hashes
http://turbochaos.blogspot.bg/2013/08/exploiting-exotic-bugs-php-type-juggling.html
https://pen-testing.sans.org/blog/2014/12/18/php-weak-typing-woes-with-some-pontification-about-code-and-pen-testing @joshwr1ght
It may also be a good idea to look at the birthday problem and the birthday attack.
Additional threads:
https://stackoverflow.com/questions/22140204/why-md5240610708-is-equal-to-md5qnkcdzo
https://stackoverflow.com/questions/12598407/php-expresses-two-different-strings-to-be-the-same/12598484#comment17003890_12598407
http://digitalloft.org/init/plugin_wiki/page/juggling-hashes-with-your-eyes-closed-in-php
I’ve still not found a solution to it, as md5 preimage attacks do not seem to be currently achievable; however, I consider the above resources a good way to start.
Update: the solution on how to generate md5 collisions and send binary data over HTTP is described in the Homeless CTF walkthrough.
