test

April 26, 2022 Phạm Hồ Anh Dũng

## Problem

10 years have passed since MD5 was broken, yet it is still frequently used in web applications, particularly PHP-powered applications (maybe because there's a function named after it?). Break it again to prove the point!
## Solution
Source code: SourceCODE-CTF/md5.php at main · onsra03/SourceCODE-CTF (github.com)

The only way we can get the flag is to pass a string whose MD5 hash is exactly the same as the string itself. Because such a string does not exist (or I don't know of one), we have to find another solution.

The only way to solve this challenge is to exploit PHP type juggling: `$md5` is compared with `md5($md5)` using `==` instead of the strict comparison operator `===`.

The easiest way to do this is to provide a string starting with `0e` whose MD5 hash also begins with `0e` and contains only digits after it.

That's because such a comparison returns true:

```php
<?php
// test.php
echo intval('0e123' == '0e999');  // prints 1, i.e. TRUE: both are numeric strings, so PHP compares them as numbers (0 == 0)
echo "\n";
echo intval('0e123' === '0e999'); // prints 0, i.e. FALSE: strict comparison checks the actual bytes
echo "\n";
```

As we can see, the comparison with `==` returned true.

So we have to find a string starting with `0e` whose MD5 hash contains only digits after that prefix. Both the string and its hash then look like numbers in scientific notation, which is what the leading `0e` indicates (PHP reads them as 0 times a power of ten, i.e. zero); any character other than a digit would stop one of them from being treated as a number, and the condition would return false.

My approach to this challenge was simple brute force. I wrote a Python script that iterates over incrementing numbers with `0e` as a prefix, computes the MD5 hash of each, and checks whether that hash starts with `0e` and contains only digits after it.

Payload: `0e215962017`
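The following is an added example and not code from the write-up or the challenge repository. It models the vulnerable `==` check and a hardened `===` check in Python so the two behaviours can be compared side by side, and verifies that the payload above really produces a `0e`-only-digits MD5 digest. The emulation of PHP's numeric-string rule (`php_loose_equals`, `_NUMERIC`) is an assumed simplification that covers the integer, decimal and exponent forms this bug depends on; function names are mine.

```python
import hashlib
import re

# Payload from the write-up above.
PAYLOAD = "0e215962017"

# Simplified model of a PHP "numeric string": optional sign, digits with an
# optional fraction, optional exponent. A string of the form 0e<digits> is
# numeric and evaluates to 0 * 10**n, i.e. zero. (Assumption: leading/trailing
# whitespace handling, which differs between PHP versions, is ignored here.)
_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def md5_hex(s: str) -> str:
    """Hex MD5 digest, as PHP's md5() returns it."""
    return hashlib.md5(s.encode()).hexdigest()


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: if both are numeric strings they are
    compared as numbers, otherwise byte for byte."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_equals(a: str, b: str) -> bool:
    """Emulate PHP's === on two strings: same type and same bytes."""
    return a == b


def is_magic_hash(digest_hex: str) -> bool:
    """True when a hex digest has the 0e<only digits> shape that PHP's loose
    comparison treats as the number zero."""
    return digest_hex.startswith("0e") and digest_hex[2:].isdigit()


def vulnerable_check(user_input: str) -> bool:
    """The challenge's check as written: $md5 == md5($md5)."""
    return php_loose_equals(user_input, md5_hex(user_input))


def hardened_check(user_input: str) -> bool:
    """The same check with ===, which compares bytes and is not fooled by
    numeric-looking strings (PHP's hash_equals() behaves the same way and
    additionally runs in constant time)."""
    return php_strict_equals(user_input, md5_hex(user_input))


if __name__ == "__main__":
    digest = md5_hex(PAYLOAD)
    print(f"md5({PAYLOAD!r}) = {digest}  magic: {is_magic_hash(digest)}")
    print("vulnerable (==):", vulnerable_check(PAYLOAD))
    print("hardened  (===):", hardened_check(PAYLOAD))
```

Running the script shows the payload passing the `==` version and failing the `===` version; the only code change needed on the defending side is the comparison operator (or `hash_equals()` when comparing hashes that the client may influence).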