A webshell and a normal file that have the same MD5
13 comments
·September 21, 2025dsab
It's a pity that there is no description of what it is supposed to be used for.
lisper
If you don't know, then you aren't the target audience.
But there are two applications: the first is breaking in to a system under some very obscure set of circumstances that you are very unlikely to encounter in the real world. The second is to bump up your karma on HN.
chipsrafferty
Because there's unlikely to be a use case
h4ck_th3_pl4n3t
The answer is likely wordpress, because its default wp_hash algorithm is still MD5.
0points
> The answer is likely wordpress, because its default wp_hash algorithm is still MD5.
That's only true if you ignore all the details.
As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.
WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.
So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.
Source: https://developer.wordpress.org/reference/functions/wp_hash_...
high_na_euv
Literally in this "article"
>Can use it bypass some cached webshell detections.
downtown_
This is not related to password hashing.,.
eptcyka
> As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone.
The amount of sweet, sweet irony displayed here will make me diabetic. Did you read the article at all? Salting? What are you on about?
Honestly, it feels that some HN commenters are LLMs instructed to defend a given entity.
Incipient
The idea here is you can trigger a server to run the "safe" php file, then send it the webshell version, which passes hash based scanning?
chipsrafferty
Yes, but you'd need a situation where:
1. You can upload scripts that get scanned for malicious code 2. These scripts can be executed once deemed "safe" 3. The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it
3. Is where the issue is. It should probably always re-scan it and it definitely should not be using MD5.
andreareina
The normal file doesn't look that normal
o11c
Keep in mind that the stated use is cache-poisoning of automated scanners, not fooling humans.
Proof of Concept or GTFO issue 0x14 is a PDF document file that can also be run as a NES ROM. The file will display its own MD5 hash in a PDF viewer, and also displays its own MD5 hash in a NES emulator (only first 40KB+16 bytes are actually loaded there)
https://github.com/angea/pocorgtfo#0x14
And yes, documents are not normally supposed to be able to display their own MD5 hash.