e01

PHP AUTH BYPASS

May 30th, 2018
All the "password protected" PHP webshells use the == operator to check whether the hard-coded MD5 hash of the password matches the user input. Using == together with MD5 hashes can sometimes be dangerous and lead to an authentication bypass.

It can be bypassed by simply typing this string as the password: 240610708
md5('240610708') = 0e462097431906509019562988736854
This kind of thing is called Magic Hashes. It doesn't always work, however. Here's why:

IF the hard-coded hash in the webshell begins with 0e (followed only by digits) - it can be bypassed with Magic Hashes.
Why? Because PHP is a flexible language. The problem is in the == comparison. When both operands look numeric, == compares them as numbers: a string that starts with 0e and continues only with digits is parsed as a float. Think of "0e..." as scientific notation for "0 times 10 to the power of some value", and that is always 0.

PoC:
Notice that the hashes are different? Yet we get a successful login:
Code:
md5('240610708') = 0e462097431906509019562988736854
our secret unknown hash = 0e232097431616219012560978731854

How PHP interprets it:
PHP Code:
if( 0 == 0 ) { echo 'welcome!'; }

Some more magic hashes:
PHP Code:
<?php
// both MD5 digests are "0e" followed only by digits, so == compares 0.0 == 0.0
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
// the same shape exists for SHA-1 digests
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
// plain numeric strings: 10e2 and 1e3 are both 1000
var_dump('0010e2' == '1e3');
// hex strings stopped being numeric in PHP 7.0, so these two are false on current PHP
var_dump('0x1234Ab' == '1193131');
var_dump('0xABCdef' == ' 0xABCdef');
?>

How to mitigate this: use the === operator, which compares the two strings byte for byte without converting them to numbers.
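As an added example (not part of the original paste), here is the loose comparison next to a fixed one, plus a small check an auditor can run over stored hashes to flag the "0e" + digits shape that makes a digest equal to every other magic hash under ==. The stored hash is the "secret unknown hash" from the PoC above; the function names are my own.

```php
<?php
// Added example, not from the original paste. All values are constructed
// or copied from the PoC above.

// Hypothetical stored hash shaped like the paste's "unknown hash":
// "0e" followed only by digits, so PHP's == treats it as the float 0.0.
const STORED_HASH = '0e232097431616219012560978731854';

// Vulnerable check: when both md5() output and the stored hash are numeric
// strings, == compares them as numbers, so any "0e<digits>" digest matches.
function check_loose(string $stored, string $input): bool
{
    return md5($input) == $stored;
}

// Fixed check: hash_equals() compares byte for byte, never coerces to a
// number, and is timing-safe. A plain === comparison would also stop the
// bypass, but hash_equals() is the idiomatic choice for secrets.
function check_strict(string $stored, string $input): bool
{
    return hash_equals($stored, md5($input));
}

// Audit helper: does a stored hex digest have the "0e<digits>" shape that
// the paste describes? Useful for scanning a list of hard-coded hashes.
function is_magic_shaped(string $hash): bool
{
    return preg_match('/^0e[0-9]+$/i', $hash) === 1;
}

var_dump(check_loose(STORED_HASH, '240610708'));
var_dump(check_strict(STORED_HASH, '240610708'));
var_dump(is_magic_shaped(STORED_HASH));
var_dump(is_magic_shaped(md5('hello')));
```

Running this prints true for the loose check (the bypass from the PoC), false for the strict check, true for the audit helper on the stored hash, and false for a digest such as md5('hello') that does not start with 0e. The audit helper is the part worth keeping: any stored MD5 or SHA-1 hex digest it flags is exactly the case the paste says can be bypassed, and it should be paired with the === or hash_equals() fix regardless.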