Ace Valentine (Honorary Poster), joined Jun 7, 2018
Hi!
Some of the PHP websites that are "password protected" use == to verify that the hard-coded MD5-hashed password matches the user input.
The fact that they use the == sign together with MD5 hashes can sometimes be dangerous and lead to authentication bypass.
Example:
PHP:
<?php
$password = '0e232097431616219012560978731854'; // MD5 form
// Loose comparison (==): both sides are numeric strings starting with "0e"
if (md5($_GET['password']) == $password)
    echo 'welcome!';
else
    echo 'Wrong password!';
It can be bypassed by using this string as a password: 240610708
md5('240610708') = 0e462097431906509019562988736854
This kind of thing is called Magic Hashes. It doesn't always work, here's why:
IF the hard-coded hash in the website begins with 0e, it can be bypassed with Magic Hashes.
Why? Because, well, PHP is a flexible language.
The problem is in the == comparison. 0e means that if the following characters are all digits, the whole string gets treated as a float.
Think of "0e…" as being the scientific notation for "0 to the power of some value" and that is always "0".
This is how PHP interprets it:
PHP:
if( 0 == 0 ) { echo 'welcome!'; }
More magic hashes:
PHP:
<?php
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
var_dump('0010e2' == '1e3');
var_dump('0x1234Ab' == '1193131');
var_dump('0xABCdef' == ' 0xABCdef');
?>
How to mitigate this:
Just use === operator
That's all, guys, I hope you understood. Happy coding! Keep your apps secure.
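As an added example (not part of the original post), here is a small Python script that emulates PHP's == on two strings (PHP 7+ numeric-string rules, assumed here: leading whitespace and exponents allowed, hex not numeric) and audits a stored hash list for digests that a loose comparison would treat as the float 0. The hash values in the test are computed with hashlib; the `audit_hashes` helper and its sample table are constructed for illustration.

```python
import hashlib
import re

# PHP 7+ numeric-string grammar: optional leading whitespace, sign,
# decimal digits with optional fraction, optional exponent. No hex.
_NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's `==` on two strings: if both are numeric strings,
    PHP compares them as numbers, so '0e123' == '0e456' is true."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """PHP's `===` on two strings: byte-for-byte equality only."""
    return a == b


def is_magic_hash(digest: str) -> bool:
    """True if a hex digest is '0e' followed only by digits, i.e. PHP's
    `==` would read it as 0.0 and accept any other such digest."""
    return re.fullmatch(r'0+[eE]\d+', digest) is not None


def audit_hashes(hashes):
    """Defender-side check (constructed helper): return the stored hashes
    that a `==` comparison would accept for any 'magic' input."""
    return [h for h in hashes if is_magic_hash(h)]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    a, b = md5_hex('240610708'), md5_hex('QNKCDZO')
    print(a, b)
    print("== :", php_loose_eq(a, b), " === :", php_strict_eq(a, b))
```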