2024-02-16 08:50:44 +03:00
# PHP magic hashes
2024-02-16 16:56:28 +03:00
PHP has some unique features which makes hash "collisions" more easier when using the `==` to compare.
2024-02-16 08:50:44 +03:00
The raw text are taken directly from [spaze/hashes ](https://github.com/spaze/hashes/ )
- - -
### Floating comparison
Any strings that starts with any numbers of `0` , followed by `e` then ends with only numbers will be treated as zero. An example of such strings are `0e123456` and `00e123456` . [Example code ](https://3v4l.org/n8iOp )
2024-02-16 16:56:28 +03:00
This behavior can be extended to numbers, like `'0' == '000'` . [Example code ](https://3v4l.org/K9QRb )
2024-02-16 08:50:44 +03:00
2024-02-16 16:56:28 +03:00
With loose comparison `==` , these two example strings will equate to each other as both of them are treated as a zero in the backend.
2024-02-16 08:50:44 +03:00
Sometimes, hashes of specific strings will result in those special strings as an result. Those hashes are called `magic hashes`
Here is an example of such weak comparison for [sha256 ](https://3v4l.org/Lu7tm ).
- - -
### Plaintext
Plaintext.txt just contains some ways to abuse php's weak comparison
- - -
### Truncated text
For bcrypt, passwords are automatically truncated to 72 characters, so as long as the first 72 characters match, the hashes will match.
[Bcrypt example ](https://3v4l.org/MsfS0 )
Descrypt have similar behavior to bcrypt, but passwords are instead truncated to 8 characters.
2024-02-16 09:27:05 +03:00
- - -
## Pre-hashed
<!-- - Modified from https://github.com/spaze/hashes?tab%253Dreadme - ov - file#pbkdf2 - hmac - sha1 - pbkdf2 - hmac - sha224 - pbkdf2 - hmac - sha256 -->
2024-02-16 16:56:28 +03:00
These are a different kind of magic hashes, they don't need the loose comparison operator `==` and work even with strict comparison `===` .
2024-02-16 09:27:05 +03:00
If you use a password longer than 64 bytes and hash it with PBKDF2-HMAC-SHA1, it is first pre-hashed with SHA1.
For example, `PBKDF2-HMAC-SHA1(password1) === PBKDF2-HMAC-SHA1(password2)` as `sha1(password1) === bin2hex(password2)` .
2024-02-16 16:56:28 +03:00
This behavior can also be seen in `PBKDF2-HMAC-SHA224` and `PBKDF2-HMAC-SHA256` .