MD5 sums in code blocks: πππ πππ©πͺπ§π£
-
Remember
***\****
turning into a MD5 sum when DiscoParsed?Well, I tried to quote parts of todayβs article, and this happened:
`[:#.$",'#-/|]` ο‘[:#.$",'#-/|]
Simplified version:
`$"` ο‘$"
Notice that the MD5 sum changed. Itβs in fact the hash of the whole code block. If you add characters before the $ or after the ", the hash will reflect the changes!
Filed under: We need more feature articles about regex abuse
-
$&
Body is invalid; try to be a little more descriptive
-
-
@Zacrath - Last Day Without A Discourse Bug: null
-
This is amazing.
Looks like$'
,$"
,$>
,$<
and$&
cause it. Also,$$
shows as$$
.
-
$&
Body is invalid; try to be a little more descriptive
RegEx.input ($_):
$_
RegEx.lastMatch ($&):$&
RegEx.lastParen ($+):$+
RegEx.leftContext ($`): (doesnβt work because of the backtick)
RegEx.rightContext ($'):$'
$$:$$
$$$:$$$
-
RegEx.lastParen ($+):
$+
That one produces an empty code block in the preview but works once the post is sent...
-
Good old
Di$"course
-
Meta.d'd:
-
Seems a fix has appeared:
-
And a test was added!
-
gasp
-
-
And todays excursion in bruteforcing md5:
$&de/V%8wK59K_NO'xl>rwuVyTJ+UByy= M;r 9WSg)m^f?=04WY.u[
Turns out finding something that hashes to a md5 hash that contains "badc0de" isn't that hard (a few sec). Requiring it to be at the start is a bit harder (a few min of bruteforcing). Still waiting for one where it occurs twice.
-
Seems a fix has appeared:
And a test was added!
It's not very effective.
-
$'
Seems to work with single quotes too.Code blocks (be sure to leave a blank line before it):
$"
$'`
But not BBCode/HTML:
[code]$"[/code]$"</code?
-
It's anything that escapes to a string containing $&.
-
Hmm...
`$Γ©` ->
$Γ©
`$Γ©` ->$é
Nobody else published a ```-block based exploit before I did, though :P
-
Turns out finding something that hashes to a md5 hash that contains "badc0de" isn't that hard
Too bad they didnβt use binary MD5 -- we could have bruteforced
<script>
or something...
-
It's not very effective.
How do you know? Did you go over to try.d or meta.d and demonstrate its suckage?
-
Not a factual statement, but a reference. Which was somewhat effective it seems, some people seem to have caught it.
-
Not a factual statement, but a reference. Which was somewhat effective it seems, some people seem to have caught it.
That looks borderline woosh to me...