Goal

I tried to make a hash out of my user's device MAC + the URI that they attempt to visit.


Tried

I tried in Terminal on my Mac OS by executing

echo -n "00:00:11:22:33:44||http://www.bunlongheng.com" | openssl dgst -md5 -binary | base64 | tr -d "=" | tr "+/" "-_"

I got

QNyia8Q2VvKNJapAAVfXQw


I tried it in php

$client_mac = Session::get('client_mac');
$original_uri = Session::get('original_uri');
$clean_uri = urldecode($original_uri);
$cmd = 'echo -n "'.$client_mac.'||'.$clean_uri.'" | openssl dgst -md5 -binary | base64 | tr -d "=" | tr "+/" "-_"';

//cmd = echo -n "00:00:11:22:33:44||http://www.bunlongheng.com" | openssl dgst -md5 -binary | base64 | tr -d "=" | tr "+/" "-_"

$clean_url_hash = exec($cmd);
//$clean_url_hash = t7Xnq9ClfRWciqFAYXbu7g

I've tried exec() and shell_exec() - same result.

I got

t7Xnq9ClfRWciqFAYXbu7g


Result

Terminal

QNyia8Q2VvKNJapAAVfXQw

PHP

t7Xnq9ClfRWciqFAYXbu7g


Why is that? Any ideas, anyone?


More details


Detail PHP function

public function forward(){

    $cp_host = env('CAPTIVE_PORTAL_HOST');
    $client_mac = Session::get('client_mac');
    $original_uri = Session::get('original_uri');
    $clean_uri = urldecode($original_uri);

    $cmd = 'echo -n "'.$client_mac.'||'.$clean_uri.'" | openssl dgst -md5 -binary | base64 | tr -d "=" | tr "+/" "-_"';

    $clean_url_hash = exec($cmd);

    //dd($clean_url_hash); <--- I got t7Xnq9ClfRWciqFAYXbu7g
    //dd(get_defined_vars());

    Session::put('c_'.$clean_url_hash,$original_uri);
    Session::put('clean_url_hash',$clean_url_hash);
    return Redirect::to($cp_host.'fbwifi/auth?c='.$clean_url_hash);

}

Variables Value of the function

dd(get_defined_vars()); will return 

array:6 [▼
  "cp_host" => "http://localhost:8888/"
  "client_mac" => "00:00:11:22:33:44"
  "original_uri" => "http%3A%2F%2Fwww.bunlongheng.com"
  "clean_uri" => "http://www.bunlongheng.com"
  "cmd" => "echo -n "00:00:11:22:33:44||http://www.bunlongheng.com" | openssl dgst -md5 -binary | base64 | tr -d "=" | tr "+/" "-_""
  "clean_url_hash" => "t7Xnq9ClfRWciqFAYXbu7g"
]
  • both produce the exact same hash here, so it's undoubtedly SOME invisible character that didn't survive the cut&paste process. You'll have to examine BOTH of your input strings to see what the byte-level difference is. And the hash I got is your "terminal" version as well, for both lines. Commented Oct 6, 2016 at 18:36
  • @MarcB : wait, what is the result of your php ? if you run exec($cmd); - where $cmd = echo -n "00:00:11:22:33:44||http://www.bunlongheng.com" | openssl dgst -md5 -binary | base64 | tr -d "=" | tr "+/" "-_" Commented Oct 6, 2016 at 18:40
  • I get the QN... hash no matter how I run it. from within php, or directly at the command line. Commented Oct 6, 2016 at 18:41
  • @MarcB: I've updated my post. Can you please take a peek at it? I hope I didn't really do anything that I'm not supposed to. Commented Oct 6, 2016 at 18:47
  • simple testing: use var_dump() on all your variables. vardump will report string lengths as well, so if you have a different length between the two versions, you KNOW there's some difference between the strings, even though they're visually identical. just because two strings LOOK identical, doesn't mean they actually are. Commented Oct 6, 2016 at 18:49

1 Answer

You can generate this same hash using PHP functions, with no shell call.

Like this:

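// strtr() mirrors the shell pipeline's tr "+/" "-_" step (URL-safe base64); rtrim() drops the "=" padding
$hash = rtrim(strtr(base64_encode(md5("00:00:11:22:33:44||http://www.bunlongheng.com", true)), '+/', '-_'), '=');
// QNyia8Q2VvKNJapAAVfXQw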

Working example: https://3v4l.org/KkR9v

14 Comments

You have no idea how much I owe you. :) You're awesome.
How would I turn this into PHP? echo -n "123||http://localhost:8888/fbwifi/auth?c=QNyia8Q2VvKNJapAAVfXQw" | openssl dgst -sha256 -hmac abc -binary | base64 | tr -d "=" | tr "+/" "-_" returns BZQ-DtGpjQYBP-OBPfKJb7ZQxnNU1iQ1XgxOy4CAMn8
If it is too much to ask, I'll create a new question with what I have tried.
Have you looked at php.net/manual/en/function.hash-hmac.php? You can specify the algo (sha256), provide your string, your key (abc) raw_output (binary), and then wrap base in base64_encode just like I did in my answer.
Here you go 3v4l.org/tDeYv. But seriously... read the PHP docs, that are quite helpful. =)
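
Added example (not part of the original answer or its comments): both shell pipelines from this thread written with PHP built-ins, plus the byte-level check suggested in the question's comments. The helper names base64url, portal_md5_token, portal_hmac_token and describe_bytes are hypothetical; the inputs are the values shown on this page.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: URL-safe base64 without padding, the same effect as
// `base64 | tr -d "=" | tr "+/" "-_"` in the shell pipeline.
function base64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Equivalent of `echo -n "<mac>||<uri>" | openssl dgst -md5 -binary | ...`.
// Nothing passes through a shell, so the result does not depend on how the
// shell's echo treats -n, and session values cannot alter a command line.
function portal_md5_token(string $mac, string $uri): string
{
    return base64url(md5($mac . '||' . $uri, true));
}

// Equivalent of `... | openssl dgst -sha256 -hmac <key> -binary | ...`.
function portal_hmac_token(string $message, string $key): string
{
    return base64url(hash_hmac('sha256', $message, $key, true));
}

// Byte-level view of a string, for comparing two inputs that look identical
// on screen but may differ by an invisible character.
function describe_bytes(string $s): string
{
    return strlen($s) . ' bytes: ' . bin2hex($s);
}

// Values taken from the question's variable dump.
$mac = '00:00:11:22:33:44';
$uri = urldecode('http%3A%2F%2Fwww.bunlongheng.com');

echo describe_bytes($mac . '||' . $uri), PHP_EOL;

$token = portal_md5_token($mac, $uri);
echo $token, PHP_EOL;

// Message and key from the follow-up comment about HMAC-SHA256.
echo portal_hmac_token('123||http://localhost:8888/fbwifi/auth?c=' . $token, 'abc'), PHP_EOL;
```

To compare against what a shell actually hashes, pipe the same echo -n command into xxd or od -c instead of openssl and check it against the hex printed by describe_bytes.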