←back to thread

A webshell and a normal file that have the same MD5

(github.com)
98 points shlomo_z | 2 comments | 21 Sep 25 05:52 UTC | HN request time: 0.403s | source
Show context
Incipient ◴[24 Sep 25 06:04 UTC] No.45356813[source]
The idea here is you can trigger a server to run the "safe" php file, then send it the webshell version, which passes hash based scanning?
replies(2): >>45356897 #>>45357819 #
chipsrafferty ◴[24 Sep 25 06:18 UTC] No.45356897[source]
Yes, but you'd need a situation where:

1. You can upload scripts that get scanned for malicious code 2. These scripts can be executed once deemed "safe" 3. The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it

3. Is where the issue is. It should probably always re-scan it and it definitely should not be using MD5.

replies(3): >>45357487 #>>45357578 #>>45357654 #
1. szszrk ◴[24 Sep 25 07:49 UTC] No.45357487[source]
Is there any fairly popular software that still uses md5 in this context?

Most I've seen (sec scans, backup validation/dedup etc) pushed to phase out md5 very long time ago.

replies(1): >>45357875 #
2. h33t-l4x0r ◴[24 Sep 25 08:58 UTC] No.45357875[source]
Wordpress uses md5 checksums for core files. That doesn't make it vulnerable to this, except in the sense that it kind of validates using them.