Web Security - PHP Magic Hashes Vulnerability

Janger 2023. 5. 24. 19:49

Type Juggling

Because PHP is weakly typed, a value's type changes dynamically depending on the context in which it is used. This is called type juggling.

The difference from type casting: when the programmer states the conversion explicitly, e.g. (float) a, that is type casting; when the language performs the conversion automatically, that is type juggling.

php > var_dump(5 * "2");
int(10)

Multiplying the integer (int) 5 by the string 2 returns the integer (int) 10.

Likewise, comparing $a == $b also goes through type juggling.

php > var_dump('1234'==1234);
bool(true)

php > var_dump("123" == "123.0");
bool(true)

Surprisingly, comparing the string "123" with the string "123.0" reports them as equal: both are numeric strings, so == compares them as numbers rather than character by character.

 

 

Magic Hashes

Programming languages write exponents with the letter e, e.g. 1*10^2 = 1e2.

Sometimes the output of a hash function happens to look like such an exponent; these are called magic hashes.

php > var_dump(md5("240610708"));
string(32) "0e462097431906509019562988736854"

Very rarely, a digest is a string that starts with 0e and is followed only by digits.

This is where the problem arises.

If the stored md5 of a password came out in the form 0e{digits}, and the hash of the password submitted by the user is also of the form 0e{digits},

then comparing them with == (Equal) as in the expression below goes through type juggling, and both values come out as 0 and 0

(0e{digits} always evaluates to 0, since 0*10^digits = 0),

so the comparison yields true.

php > var_dump(md5("240610708") == md5("QNKCDZO"));
bool(true)

 

Countermeasure

Use === (Identical), which does not go through type juggling, that is, it compares the values as the same type, string with string.

php > var_dump(md5("240610708") === md5("QNKCDZO"));
bool(false)
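As an added example (not code from the original post), here is the same check written as a login function: the loose version accepts the post's two inputs as the same password, and the hardened version compares the digests byte for byte with hash_equals(), PHP's constant-time string comparison. The stored digest is md5("240610708") from the post; the function and constant names are made up for this example. The loose comparison behaves the same on PHP 8, because two numeric strings are still compared numerically under ==; PHP 8 only changed comparisons between a number and a non-numeric string.

```php
<?php
// Added example, not from the original post. Both inputs come from the post:
// md5("240610708") and md5("QNKCDZO") are each of the form 0e<digits>.
// Function and constant names are made up for this example.

// Digest stored at registration time: md5("240610708") (value from the post).
const STORED_HASH = '0e462097431906509019562988736854';

// Vulnerable check: == sees two numeric strings and compares them as numbers.
// "0e<digits>" converts to 0.0, so every such digest equals every other one.
function verifyPasswordLoose(string $storedHash, string $submitted): bool
{
    return md5($submitted) == $storedHash;
}

// Hardened check: hash_equals() compares the two strings byte for byte and in
// constant time, so no numeric conversion happens. === would also refuse
// the collision, but without the timing guarantee.
function verifyPasswordStrict(string $storedHash, string $submitted): bool
{
    return hash_equals($storedHash, md5($submitted));
}

// Wrong password "QNKCDZO" against a stored md5("240610708"):
var_dump(verifyPasswordLoose(STORED_HASH, 'QNKCDZO'));
var_dump(verifyPasswordStrict(STORED_HASH, 'QNKCDZO'));

// The real password still verifies under the strict check:
var_dump(verifyPasswordStrict(STORED_HASH, '240610708'));
```

Run it with php on the command line: the loose check accepts the wrong password, exactly as the post's var_dump of == shows, while the strict check refuses it and still accepts the real one. Comparing raw md5 digests is kept here only to match the post; for real password storage, password_hash() and password_verify() handle both the salted hashing and the safe comparison.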

 

 

Collections of Magic Hashes by Hash Function

The GitHub repository below lists magic hashes for many hash functions, including MD5, SHA-1, SHA-224 and SHA-256.

https://github.com/spaze/hashes

 

[MD5]
240610708:0e462097431906509019562988736854
QLTHNDT:0e405967825401955372549139051580
QNKCDZO:0e830400451993494058024219903391
PJNPDWY:0e291529052894702774557631701704
NWWKITQ:0e763082070976038347657360817689
NOOPCJF:0e818888003657176127862245791911

...

[sha256]
34250003024812:0e46289032038065916139621039085883773413820991920706299695051332
TyNOQHUS:0e66298694359207596086558843543959518835691168370379069085300385
CGq'v]`1:0e24075800390395003020016330244669256332225005475416462877606139
\}Fr@!-a:0e72388986848908063143227157175161069826054332235509517153370253
|+ydg uahashcat:0e47232208479423947711758529407170319802038822455916807443812134
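A related check a defender can run on the stored side, added here as an example rather than taken from the post or from the spaze/hashes project: scan a table of stored digests for the shape that makes == unsafe. is_numeric() reports exactly the strings PHP would compare numerically, and any digest of the form 0e<digits> converts to the float 0.0, so all of them compare equal to one another, even across hash functions of different output lengths. The sample table is constructed from the post's MD5 and SHA-256 entries plus two ordinary digests; the user names and function names are made up.

```php
<?php
// Added example, not from the original post. Audits stored digests for the
// "magic" shape. Sample data is constructed: three magic hashes from the post's
// list and two ordinary digests; user names are made up.

// A digest PHP would treat as a numeric string takes part in numeric
// comparison whenever it meets == (leading "0e" + digits, or digits only).
function isNumericDigest(string $digest): bool
{
    return is_numeric($digest);
}

// Of the numeric digests, the 0e<digits> ones (and an all-zero digest)
// evaluate to 0.0, so under == they are all "equal" to each other.
function isZeroClassDigest(string $digest): bool
{
    return is_numeric($digest) && (float) $digest === 0.0;
}

// Returns user => finding for every digest that would misbehave under ==.
function auditDigests(array $stored): array
{
    $findings = [];
    foreach ($stored as $user => $digest) {
        if (isZeroClassDigest($digest)) {
            $findings[$user] = 'evaluates to 0.0 under ==; matches any other 0e<digits> digest';
        } elseif (isNumericDigest($digest)) {
            $findings[$user] = 'numeric string; == would compare it as a number';
        }
    }
    return $findings;
}

// Constructed sample table (values taken from the post's list, names made up).
$stored = [
    'alice' => '0e462097431906509019562988736854',   // md5("240610708")
    'bob'   => '0e830400451993494058024219903391',   // md5("QNKCDZO")
    'carol' => '0e46289032038065916139621039085883773413820991920706299695051332', // sha256("34250003024812")
    'dave'  => md5('hunter2'),                       // ordinary digest, contains hex letters
    'erin'  => hash('sha256', ''),                   // ordinary digest
];

print_r(auditDigests($stored));

// The problem is cross-algorithm: an MD5 magic hash and a SHA-256 magic hash
// are loosely equal even though they have different lengths.
var_dump($stored['alice'] == $stored['carol']);
var_dump($stored['alice'] === $stored['carol']);
```

The audit flags alice, bob and carol and leaves dave and erin alone, because an ordinary hex digest almost always contains a letter other than a single e after a leading zero and so is not a numeric string. The last two lines show why the fix in the post has to be === (or hash_equals()): the 32-character MD5 digest and the 64-character SHA-256 digest are "equal" under == and unequal under ===.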

 

 



Sources and references:
https://youtu.be/VCwiZ2dh17Q

https://www.tcpschool.com/php/php_basic_typeJuggling

https://rootable.tistory.com/148

https://www.php.net/manual/en/language.operators.comparison.php