Skip to content

Latest commit

 

History

History
 
 

Type Juggling

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

PHP Juggling type and magic hashes

PHP provides two ways to compare two variables:

  • Loose comparison using == or != : both variables have "the same value".
  • Strict comparison using === or !== : both variables have "the same type and the same value".

Type Juggling

True statements

var_dump('0010e2'   == '1e3');           # true
var_dump('0xABCdef' == ' 0xABCdef');     # true PHP 5.0 / false PHP 7.0
var_dump('0xABCdef' == '     0xABCdef'); # true PHP 5.0 / false PHP 7.0
var_dump('0x01'     == 1)                # true PHP 5.0 / false PHP 7.0
var_dump('0x1234Ab' == '1193131');
'123'  == 123
'123a' == 123
'abc'  == 0
'' == 0 == false == NULL
'' == 0       # true
0  == false   # true
false == NULL # true
NULL == ''    # true

NULL statements

var_dump(sha1([])); # NULL
var_dump(md5([]));  # NULL

Magic Hashes - Exploit

If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.

Hash “Magic” Number / String Magic Hash Found By
MD5 240610708 0e462097431906509019562988736854 Michal Spacek
SHA1 10932435112 0e07766915004133176347055865026311692244 Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham 
<?php
var_dump(md5('240610708') == md5('QNKCDZO')); # bool(true)
var_dump(md5('aabg7XSs')  == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
?>

References