    98 points shlomo_z | 17 comments
    1. dsab ◴[] No.45356607[source]
    It's a pity that there is no description of what it is supposed to be used for.
    replies(5): >>45356899 #>>45356950 #>>45357043 #>>45357572 #>>45358129 #
    2. chipsrafferty ◴[] No.45356899[source]
    Because there's unlikely to be a use case
    3. h4ck_th3_pl4n3t ◴[] No.45356950[source]
    The answer is likely wordpress, because its default wp_hash algorithm is still MD5.
    replies(1): >>45357120 #
    4. lisper ◴[] No.45357043[source]
    If you don't know, then you aren't the target audience.

    But there are two applications: the first is breaking into a system under some very obscure set of circumstances that you are very unlikely to encounter in the real world. The second is to bump up your karma on HN.

    replies(2): >>45358864 #>>45360080 #
    5. 0points ◴[] No.45357120[source]
    > The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

    That's only true if you ignore all the details.

    As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

    WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being the topic of discussion here.

    So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.

    Source: https://developer.wordpress.org/reference/functions/wp_hash_...

    replies(4): >>45357200 #>>45357282 #>>45357344 #>>45379061 #
    6. downtown_ ◴[] No.45357200{3}[source]
    This is not related to password hashing.
    7. high_na_euv ◴[] No.45357282{3}[source]
    Literally in this "article"

    > Can use it bypass some cached webshell detections.

    8. eptcyka ◴[] No.45357344{3}[source]
    > As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone.

    The amount of sweet, sweet irony displayed here will make me diabetic. Did you read the article at all? Salting? What are you on about?

    Honestly, it feels that some HN commenters are LLMs instructed to defend a given entity.

    replies(1): >>45379023 #
    9. IshKebab ◴[] No.45357572[source]
    It says at the end of the README:

    > Can use it bypass some cached webshell detections.

    10. integralid ◴[] No.45358129[source]
    After, sometimes, the initial scanning, the security and AV industry deals with file hashes, not actual files. This means that if you wrote a legitimate, harmful program, and a malicious version with the same hash, you would be able to troll the security rolls in many cases. Basically, those two files would look the same to the security program.

    The thing that makes this blog post not realistic is:

    * Such tricks would make much more sense with normal programs, where you're trying to trick a user to download and execute it. Webshells are downloaded by the attacker knowingly.

    * Md5 is not used anymore (although I know security vendors who used it for an embarrassingly long time). If this was SHA256, that attack would be devastating for many more severe reasons.

    But it's still a fun PoC.
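The hash-keyed verdict caching described in the comment above, as an added example that is not part of the thread or of the PoC. It assumes a hypothetical `scan` function and `VerdictCache` class, and uses MD5 truncated to 16 bits as a labelled stand-in for a collision-broken hash, because no real MD5 collision pair is embedded here.

```python
import hashlib
from itertools import count

def weak_digest(data: bytes) -> str:
    # Stand-in (assumption): MD5 cut to 16 bits, so collisions are easy to find.
    return hashlib.md5(data).hexdigest()[:4]

def strong_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan(data: bytes) -> str:
    # Hypothetical content scanner: flags a constructed marker string.
    return "malicious" if b"EVIL-MARKER" in data else "clean"

class VerdictCache:
    """Caches scan verdicts keyed by a digest of the file content."""
    def __init__(self, digest):
        self.digest = digest
        self.verdicts = {}
        self.scans = 0

    def check(self, data: bytes) -> str:
        key = self.digest(data)
        if key not in self.verdicts:   # cache miss: scan the real bytes
            self.scans += 1
            self.verdicts[key] = scan(data)
        return self.verdicts[key]      # cache hit: content is never re-read

def colliding_pair():
    """Return constructed (benign, flagged) samples that share weak_digest."""
    benign = b"constructed benign upload"
    target = weak_digest(benign)
    for n in count():                  # feasible only because of the 16-bit stand-in
        flagged = b"constructed flagged upload EVIL-MARKER " + str(n).encode()
        if weak_digest(flagged) == target:
            return benign, flagged

def demo():
    benign, flagged = colliding_pair()
    results = {}
    for name, digest in (("weak", weak_digest), ("strong", strong_digest)):
        cache = VerdictCache(digest)
        first, second = cache.check(benign), cache.check(flagged)
        results[name] = (first, second, cache.scans)
    return results

if __name__ == "__main__":
    print(demo())
```

The cache keyed on the weak digest scans once and reuses the "clean" verdict for the second file; the SHA-256-keyed cache sees a different key and scans again.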

    11. bawolff ◴[] No.45358864[source]
    > If you don't know, then you aren't the target audience.

    If you do know, then you also know md5 being broken is really really old news.

    Seriously. Cryptographers have been warning that md5 seems weak since 1996. There are probably people reading this thread who weren't even alive yet. (It got totally broken in 2004 but the warning signs were way earlier).

    replies(1): >>45358991 #
    12. ramses0 ◴[] No.45358991{3}[source]
    Someone with more karma motivation could post this as a top level story, but Plex offers to validate their Debian public key via MD5: https://support.plex.tv/articles/235974187-enable-repository...

    Such security! Much wow!

    replies(1): >>45369484 #
    13. alkonaut ◴[] No.45360080[source]
    > system under some very obscure set of circumstances that you are very unlikely to encounter in the real world.

    Is there any way to use HN karma? Like, can I sell my account on some shady exchange like people sell big twitter accounts? And if I can, what's the going rate for internet points these days? Asking for an unscrupulous friend.

    replies(1): >>45361315 #
    14. lisper ◴[] No.45361315{3}[source]
    > Is there any way to use HN karma?

    Nothing other than vanity AFAIK.

    It's actually a bit of a scam because karma accumulates and never expires. I've been on the leaderboard for a long time, not because I'm making particularly valuable contributions (I only post a few times a week) but just because I've been on HN since it launched.

    15. bawolff ◴[] No.45369484{4}[source]
    While this is a bad idea, as far as I know it's secure since nobody has broken md5 second preimage.
    16. ◴[] No.45379023{4}[source]
    17. h4ck_th3_pl4n3t ◴[] No.45379061{3}[source]
    Your source described wp_hash_password(), not wp_hash().

    As the OP article/PoC is about hashing uploaded files, not passwords btw, I think you should read it again.

    Because as I pointed out, wp_hash() is used to check against uploaded files.

    Oh, and source: https://developer.wordpress.org/reference/functions/wp_hash/

    And as I cannot resist quoting you for trying to smartass while literally not having read the source code the PoC was about:

    > As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.