A webshell and a normal file that have the same MD5

(github.com)

98 points shlomo_z | 1 comments | 21 Sep 25 05:52 UTC | HN request time: 0.001s | source

Show context

dsab ◴[24 Sep 25 05:23 UTC] No.45356607[source]▶

>>45320382 (OP) #

It's a pity that there is no description of what it is supposed to be used for.

replies(5): >>45356899 #>>45356950 #>>45357043 #>>45357572 #>>45358129 #

h4ck_th3_pl4n3t ◴[24 Sep 25 06:25 UTC] No.45356950[source]▶

>>45356607 #

The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

replies(1): >>45357120 #

0points ◴[24 Sep 25 06:50 UTC] No.45357120[source]▶

>>45356950 #

> The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

That's only true if you ignore all the details.

As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.

So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.

Source: https://developer.wordpress.org/reference/functions/wp_hash_...

replies(4): >>45357200 #>>45357282 #>>45357344 #>>45379061 #

1. h4ck_th3_pl4n3t ◴[25 Sep 25 21:04 UTC] No.45379061[source]▶

>>45357120 #

Your source described wp_hash_password(), not wp_hash().

As the OP article/PoC is about hashing uploaded files, not passwords btw, I think you should read it again.

Because as I pointed out, wp_hash() is used to check against uploaded files.

Oh, and source: https://developer.wordpress.org/reference/functions/wp_hash/

And as I cannot resist quoting you for trying to smartass while literally not having read the source code the PoC was about:

> As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

↑