The problem boils down to a single line of PHP code:

   $_GET["md4"] == hash("md4", $_GET["md4"])

There are two ways of making the check pass:

- Find an MD4 hash that hashes to itself (a so-called fixed point)
- Exploit PHP's wacky weak typing

The former didn't yield any results whatsoever, so I set out to find
some shortcut.  Unlike comparison in strongly typed programming
languages, `==` in PHP coerces strings that look like numbers to
numbers, then compares the coerced values with each other.  For this
to work a number of conditions need to be fulfilled:

- The user input needs to look numerical
- The hash output needs to look numerical
- The numerical values of the user input and the hash output need to
 be equal

The easiest approach to pass all three checks is to have a string
starting with at least one zero, followed by digits only.  An
alternative approach is a string starting with `0e` (scientific
notation) followed by digits only.  The big difference between the two
approaches is that in the latter case the hash output only needs to
have the same form; its numerical value doesn't matter, because
whatever follows as the exponent, the result is interpreted as zero.
Knowing this, writing a bruteforce script isn't hard.  Mine ran for
about an hour, then printed a working pair of hashes.
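
The comparison behaviour described above, next to a hardened form of the check, as an added example that is not code from the challenge or from this write-up. The function names are hypothetical and the sample strings are constructed to have the shapes discussed; they are not real MD4 digests.

```php
<?php
// Added example. Sample strings below are constructed, not real MD4 output.

// The check as the page shows it: loose comparison. When both operands
// are numeric strings, PHP converts them to numbers before comparing.
function check_loose(string $input, string $digest): bool
{
    return $input == $digest;
}

// Hardened form: hash_equals() compares the two strings byte by byte,
// with no numeric coercion, and does so in constant time.
function check_strict(string $input, string $digest): bool
{
    return hash_equals($digest, $input);
}

// True for the 0e<digits> shape from the text: zero in scientific notation.
function looks_like_zero_exponent(string $s): bool
{
    return preg_match('/^0+e[0-9]+\z/', $s) === 1;
}

$samples = [
    // both sides have the 0e<digits> shape
    ['0e12345678', '0e998877665544332211009988776655'],
    // digest contains hex letters, so it is not a numeric string
    ['0e12345678', '0e9988776655443322110099887766ab'],
    // digits only, leading zeros, same numerical value
    ['00001234', '1234'],
];

foreach ($samples as [$input, $digest]) {
    printf(
        "%-11s vs %-33s loose=%-5s strict=%-5s zero-exp=%s\n",
        $input,
        $digest,
        var_export(check_loose($input, $digest), true),
        var_export(check_strict($input, $digest), true),
        var_export(looks_like_zero_exponent($input)
            && looks_like_zero_exponent($digest), true)
    );
}

// The page's one-line check rewritten with the strict comparison.
$in = (string) ($_GET['md4'] ?? '');
$ok = hash_equals(hash('md4', $in), $in);
```

With the strict comparison, only a true fixed point of MD4 would satisfy the check, and a pattern such as `looks_like_zero_exponent` is usable as a code-review or log check for values that would only ever match under `==`.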