Type Juggling
R3zk0n · October 2, 2025

PHP Strings to Numbers
php -a
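# Loose comparisons of user-controlled values (hex strings such as '0xAAAA' count as numeric only in PHP 5; PHP 7.0+ no longer treats them as numbers, so the first two comparisons return FALSE there)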
var_dump('0xAAAA' == '43690'); # TRUE
var_dump('0xAAAA' == 43690); # TRUE
var_dump(0xAAAA == 43690); # TRUE
var_dump('0xAAAA' == '43691'); # FALSE
# Exponent vulnerability - a string of the form digits + 'e' + digits is a numeric string (scientific notation), so in a numerical context it is evaluated as a number; '0e...' is 0 * 10^n = 0
var_dump('0eAAAA' == '0'); # FALSE
var_dump('0e1111' == '0'); # TRUE
var_dump('0e9999' == 0); # TRUE
Vulnerability Discovery
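$code = substr(md5($e . $row['creation_date'] . $id), 0, 10); # first 10 hex characters of an MD5 digest, which can come out as '0e' followed only by digits (an exponent value)
if ($code == $m) # loose comparison: two numeric-looking strings are compared as numbers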
Magic Hashes
- List of identified magic hashes: https://www.whitehatsec.com/blog/magic-hashes/
# certain MD5 and SHA1 hex digests consist of '0e' followed only by decimal digits, so PHP reads them as exponent notation (0 * 10^n = 0)
echo md5('240610708'); # returns '0e462097431906509019562988736854', which is == '0'
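# use script to enumerate valid email addresses (Python 3)
import itertools, string
# prefix_length - number of letters per generated word, set elsewhere in the script
for word in map(''.join, itertools.product(string.ascii_lowercase, repeat=int(prefix_length))):
    pass  # per-word logic is not shown here
# itertools - fast, memory-efficient iterator building blocks
# map - calls the function on the values from the input iterator (itertools.imap in Python 2)
# product - Cartesian product: joins characters together into every combination of the given length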
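
The loose check from Vulnerability Discovery beside a strict one, as an added example that is not part of the original notes. The function names and the stored/supplied pairs are constructed for illustration, and the page's magic-hash string stands in for the real MD5 input.

```php
<?php
// Added example; make_code, is_juggling_prone, check_loose and check_strict are hypothetical names.

// Same construction as the page's snippet: first 10 hex characters of an MD5 digest.
function make_code(string $input): string {
    return substr(md5($input), 0, 10);
}

// A stored code is exposed to juggling whenever PHP classifies it as a numeric string.
function is_juggling_prone(string $code): bool {
    return is_numeric($code);
}

// Vulnerable: == converts two numeric strings to numbers before comparing.
function check_loose(string $code, string $supplied): bool {
    return $code == $supplied;
}

// Hardened: hash_equals() compares the raw bytes, in constant time, with no conversion.
function check_strict(string $code, string $supplied): bool {
    return hash_equals($code, $supplied);
}

// Constructed input standing in for $e . $row['creation_date'] . $id.
$magic = make_code('240610708');   // "0e46209743"

// Constructed [stored code, supplied value] pairs.
$cases = [
    [$magic,       '0'],           // exponent form equals zero
    [$magic,       $magic],        // the genuine code
    ['1000000000', '1e9'],         // all-digit code matched by a different spelling
    ['a3f09c1b2d', '0'],           // non-numeric code: plain string comparison
];

printf("%-12s %-12s %-6s %-6s %s\n", 'stored', 'supplied', 'prone', 'loose', 'strict');
foreach ($cases as [$code, $m]) {
    printf("%-12s %-12s %-6s %-6s %s\n", $code, $m,
        var_export(is_juggling_prone($code), true),
        var_export(check_loose($code, $m), true),
        var_export(check_strict($code, $m), true));
}
```

Rows one and three are accepted by the loose check although the supplied string differs from the stored code; the strict check accepts only the exact match in row two.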