98 points shlomo_z | 3 comments
1. sim7c00 | No.45357816
honestly, normal.php is not a valid php file. i do understand that it might bypass some checks if say normal.php was somehow flagged as a valid / benign file, but in all honesty that would be a really bad sec product you'd want to swap with something that more intelligently classifies files... additionally, most products these days also use sha1, sha2 and sometimes things like ssdeep to have multiple hash variants to check. this ensures that any collisions will be mitigated, as it's not known yet how to make 1 file match on all of these different types of hashes, despite collisions being possible in a number of them for sure.

if normal.php had actual php code in there, being really 'normal' as the name implies, this would be much more severe / interesting because it might be more easy to convince modern security products it's actually a benign file.

Currently if it were analysed, it would be flagged as suspicious simply because it's not a valid file. and really, it doesn't need to be php, it could be any valid file format as long as it's an actual file that has benign behavior or contents.

plaintext might be easier to generate, but you'd need it to be an 'executable' format or something interpretable like a script to have it actually stored in databases marking files as malicious or benign. matching the filetype with the malicious file, in a valid form that does actual benign behavior, would be 'best'.

don't take me wrong tho. still fun to see these things and honestly props, if it bypasses anything that's always a 'nice result' :)

replies(1): >>45359182 #
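The multi-hash check the comment above describes, as an added illustration (not code from the thread or from any product): a blocklist entry stores md5, sha1 and sha256 of a known-bad sample, and a lookup only counts as a match when every stored digest agrees. A file that matches on one digest but not the others is exactly the collision case, so it is escalated rather than trusted. Sample bytes and the "colliding" digest set are constructed; ssdeep is omitted because it is not in the standard library.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """The hash variants a detection engine would store for one sample."""
    md5: str
    sha1: str
    sha256: str


def digest_all(data: bytes) -> Indicator:
    """Compute all three digests of a file's bytes."""
    return Indicator(
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
    )


def classify_digests(seen: Indicator, blocklist: list[Indicator]) -> str:
    """Verdict for a digest set against the blocklist.

    'malicious'         -> every stored digest matches one entry
    'collision-suspect' -> only some digests match (one hash collided)
    'unknown'           -> no digest matches any entry
    """
    for entry in blocklist:
        hits = (seen.md5 == entry.md5,
                seen.sha1 == entry.sha1,
                seen.sha256 == entry.sha256)
        if all(hits):
            return "malicious"
        if any(hits):
            return "collision-suspect"
    return "unknown"


def classify(data: bytes, blocklist: list[Indicator]) -> str:
    """Hash raw file bytes and classify them."""
    return classify_digests(digest_all(data), blocklist)


# Constructed samples; neither is a real malicious file.
KNOWN_BAD = b"constructed known-bad sample bytes\n"
NORMAL_PHP = b"this normal.php contains no php code at all\n"
BLOCKLIST = [digest_all(KNOWN_BAD)]
```

A real MD5 collision cannot be produced here, so the collision case is exercised by handing `classify_digests` a digest set whose md5 is the blocklisted one while sha1/sha256 are those of `NORMAL_PHP`.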
2. Blahagun | No.45359182
normal.php is a perfectly valid php file. Sure, it doesn't contain php code, but that doesn't make it an invalid php file. If it did have <?php somewhere and the following wasn't syntactically valid PHP code, then you could say it's not a valid php file.
replies(1): >>45394623 #
3. sim7c00 | No.45394623
yeah ok, fair point. from the interpreter's perspective. but that is not the tool which checks security. in that context validity is determined by another tool, which will look beyond merely being interpretable by the php interpreter.

it's funny how often web-based languages have this property tho, i mean, how else are you gonna poison logs and execute them :')... js and php are just adorable for providing opportunities :D