[Challenge] Can you find the bug?
[Challenge] Can you find the bug? #1
Hello folks!
So a friend just sent me that piece of code with the explanation "The following script performs a DNS lookup for a host that a user provides. It uses an HMAC to make sure it is requested from a trusted source.". There is an important bug in it that's making the whole request source verification useless.
Let's see if anybody is able to find it ;)

Code:
<?php

if(empty($_POST['hmac'])) || empty($_POST['host']))
{
    header('HTTP/1.0 400 Bad Request');
}

$secret = getenv("SECRET");

if(isset($_POST['nonce']))
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if($hmac !== $_POST['hmac'])
{
    header('HTTP/1.0 403 Forbidden');
    exit;
}

echo exec("host ".$_POST['host']);
?>


RE: [Challenge] Can you find the bug? #2
Holy shit this was hard...
I tried a couple of things and then remembered another cool thing and solved it.
I know the answer but I don't want to spoil it for anyone else so I won't post the solution here, but if someone wants the solution you can PM me.


RE: [Challenge] Can you find the bug? #3
I thought the exec would be the dangerous part in the beginning, but then I noticed you can just use a small trick to set the secret to something predictable, haha. But yeah, it was definitely harder than the average challenges because I didn’t expect the issue to be where it actually is.

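A hardened variant of the script from post #1, as an added example that is not part of the original thread or the friend's code. It addresses both points raised in post #3: every POST field must be a non-empty string, so the HMAC key always derives from the server-side secret, and the host value is validated and quoted before it reaches exec. The helper names fail and post_string and the hostname pattern are assumptions made for this example.

```php
<?php
// Added example: hardened variant of the challenge script (not the original code).
declare(strict_types=1);

// Hypothetical helper: send a status code and stop, so nothing runs after an error.
function fail(int $code, string $reason): void
{
    http_response_code($code);
    exit($reason . "\n");
}

// Hypothetical helper: accept a POST field only if it is a non-empty string.
// PHP turns "name[]=x" into an array, so every field must be type-checked.
function post_string(string $name, bool $required = true): ?string
{
    $value = $_POST[$name] ?? null;
    if ($value === null && !$required) {
        return null;
    }
    if (!is_string($value) || $value === '') {
        fail(400, "bad or missing field: $name");
    }
    return $value;
}

$secret = getenv('SECRET');
if (!is_string($secret) || $secret === '') {
    fail(500, 'server secret not configured');
}

$host  = post_string('host');
$hmac  = post_string('hmac');
$nonce = post_string('nonce', false);

// Derive the per-request key only from a type-checked string nonce.
$key = ($nonce !== null) ? hash_hmac('sha256', $nonce, $secret) : $secret;

// Constant-time comparison of the expected and supplied digests.
if (!hash_equals(hash_hmac('sha256', $host, $key), $hmac)) {
    fail(403, 'invalid hmac');
}

// Assumed policy: hostname characters only, no leading "-"; quote the argument anyway.
if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/', $host)) {
    fail(400, 'invalid host');
}
echo exec('host ' . escapeshellarg($host));
```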

RE: [Challenge] Can you find the bug? #4
Got it almost immediately after your hint. This might be a good CTF question.


RE: [Challenge] Can you find the bug? #5
The only error was the parenthesis at the top. The rest, I'm not quite sure what you're wanting lol, it's just a POST request to find the IP of a domain.


RE: [Challenge] Can you find the bug? #6
Easy, I know the bug after reading the comments


RE: [Challenge] Can you find the bug? #7
(02-12-2019, 04:08 PM)daizu Wrote: Easy, I know the bug after reading the comments
This is from 2 months ago, just to let you know ;)
Hi, ask me anything, I've got nothing better to do
