←back to thread

A webshell and a normal file that have the same MD5

(github.com)
98 points shlomo_z | 2 comments | 21 Sep 25 05:52 UTC | HN request time: 0s | source
Show context
Incipient ◴[24 Sep 25 06:04 UTC] No.45356813[source]
The idea here is you can trigger a server to run the "safe" php file, then send it the webshell version, which passes hash based scanning?
replies(2): >>45356897 #>>45357819 #
chipsrafferty ◴[24 Sep 25 06:18 UTC] No.45356897[source]
Yes, but you'd need a situation where:

1. You can upload scripts that get scanned for malicious code 2. These scripts can be executed once deemed "safe" 3. The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it

3. Is where the issue is. It should probably always re-scan it and it definitely should not be using MD5.

replies(3): >>45357487 #>>45357578 #>>45357654 #
IshKebab ◴[24 Sep 25 08:03 UTC] No.45357578[source]
There's no need to rescan. You just need to use a secure hash.
replies(1): >>45358971 #
1. jgalt212 ◴[24 Sep 25 11:41 UTC] No.45358971[source]
Secure for now, rather. A solid game plan would be to have your code base set up to easily swap in a new hashing method when called for. I believe Django automatically promotes passwords stored with insecure hashes to secure ones the next time a user logs in.
replies(1): >>45364457 #
2. IshKebab ◴[24 Sep 25 18:49 UTC] No.45364457[source]
Yeah not really an issue for a cache since you can just invalidate the cache when you change algorithm.