md5 collisions and the way php interprets types (php hash collisions)

As I was recently working on the Homeless vulnhub CTF by Min Ko Ko, one of steps required to proceed further contained the following code: So that’s quite a tricky challenge requiring all the md5 input fields to collide. While trying to solve this and researching about collisions further I gathered the following resources: http://cryptologie.net/article/268/how-to-compare-password-hashes-in-php/ https://github.com/spaze/hashes http://turbochaos.blogspot.bg/2013/08/exploiting-exotic-bugs-php-type-juggling.html https://pen-testing.sans.org/blog/2014/12/18/php-weak-typing-woes-with-some-pontification-about-code-and-pen-testing @joshwr1ght It may also be a good idea to look at the birthday problem and the birthday attack. Additional threads: https://stackoverflow.com/questions/22140204/why-md5240610708-is-equal-to-md5qnkcdzo https://stackoverflow.com/questions/12598407/php-expresses-two-different-strings-to-be-the-same/12598484#comment17003890_12598407 http://digitalloft.org/init/plugin_wiki/page/juggling-hashes-with-your-eyes-closed-in-php I’ve still not found a solution to it as md5 preimage attacks do not seem to be currently achievable, however I consider the above resources were a good way to start. Update: the solution on how to generate md5 collisions and send binary data over HTTP is described in the Homeless CTF walkthrough

Leave a Reply

Your email address will not be published. Required fields are marked *