←back to thread

A webshell and a normal file that have the same MD5

(github.com)
98 points shlomo_z | 2 comments | 21 Sep 25 05:52 UTC | HN request time: 0.517s | source
Show context
Incipient ◴[24 Sep 25 06:04 UTC] No.45356813[source]
The idea here is you can trigger a server to run the "safe" php file, then send it the webshell version, which passes hash based scanning?
replies(2): >>45356897 #>>45357819 #
chipsrafferty ◴[24 Sep 25 06:18 UTC] No.45356897[source]
Yes, but you'd need a situation where:

1. You can upload scripts that get scanned for malicious code 2. These scripts can be executed once deemed "safe" 3. The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it

3. Is where the issue is. It should probably always re-scan it and it definitely should not be using MD5.

replies(3): >>45357487 #>>45357578 #>>45357654 #
1. falcor84 ◴[24 Sep 25 08:17 UTC] No.45357654[source]
>The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it

Wouldn't the sensible thing for a server that gets an upload matching an existing file's hash be to just treat it as an idempotent no-op? What reason would it have to replace the old version with a presumably identical copy? What am I missing?

replies(1): >>45358621 #
2. dnet ◴[24 Sep 25 10:50 UTC] No.45358621[source]
I assume the scanner is a separate library/service that receives the contents and returns a boolean safe/malicious result, and the implementation using MD5 to avoid expensive re-scans is an internal detail hidden from the caller.