
98 points shlomo_z | 1 comments

dsab No.45356607
It's a pity that there is no description of what it is supposed to be used for.
1. integralid No.45358129
After, sometimes, the initial scanning, the security and AV industry deals with file hashes, not actual files. This means that if you wrote a legitimate, harmful program, and a malicious version with the same hash, you would be able to troll the security rolls in many cases. Basically, those two files would look the same to the security program.

The thing that makes this blog post not realistic is:

* Such tricks would make much more sense with normal programs, where you're trying to trick a user into downloading and executing them. Webshells are downloaded by the attacker knowingly.

* MD5 is not used anymore (although I know security vendors who used it for an embarrassingly long time). If this was SHA256, that attack would be devastating for many more severe reasons.

But it's still a fun PoC.