←back to thread

A webshell and a normal file that have the same MD5

(github.com)
98 points shlomo_z | 7 comments | 21 Sep 25 05:52 UTC | HN request time: 0s | source | bottom
Show context
dsab ◴[24 Sep 25 05:23 UTC] No.45356607[source]
It's a pity that there is no description of what it is supposed to be used for.
replies(5): >>45356899 #>>45356950 #>>45357043 #>>45357572 #>>45358129 #
1. h4ck_th3_pl4n3t ◴[24 Sep 25 06:25 UTC] No.45356950[source]
The answer is likely wordpress, because its default wp_hash algorithm is still MD5.
replies(1): >>45357120 #
2. 0points ◴[24 Sep 25 06:50 UTC] No.45357120[source]
> The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

That's only true if you ignore all the details.

As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.

So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.

Source: https://developer.wordpress.org/reference/functions/wp_hash_...

replies(4): >>45357200 #>>45357282 #>>45357344 #>>45379061 #
3. downtown_ ◴[24 Sep 25 07:02 UTC] No.45357200[source]
This is not related to password hashing.,.
4. high_na_euv ◴[24 Sep 25 07:16 UTC] No.45357282[source]
Literally in this "article"

>Can use it bypass some cached webshell detections.

5. eptcyka ◴[24 Sep 25 07:27 UTC] No.45357344[source]
> As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone.

The amount of sweet, sweet irony displayed here will make me diabetic. Did you read the article at all? Salting? What are you on about?

Honestly, it feels that some HN commenters are LLMs instructed to defend a given entity.

replies(1): >>45379023 #
6. ◴[25 Sep 25 21:01 UTC] No.45379023{3}[source]
7. h4ck_th3_pl4n3t ◴[25 Sep 25 21:04 UTC] No.45379061[source]
Your source described wp_hash_password(), not wp_hash().

As the OP article/PoC is about hashing uploaded files, not passwords btw, I think you should read it again.

Because as I pointed out, wp_hash() is used to check against uploaded files.

Oh, and source: https://developer.wordpress.org/reference/functions/wp_hash/

And as I cannot resist quoting you for trying to smartass while literally not having read the source code the PoC was about:

> As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.