chevron_left chevron_right
Login Register invert_colors photo_library
Thread Rating:
  • 0 Vote(s) - 0 Average


filter_list [Challenge] Can you find the bug?
Author
Message
[Challenge] Can you find the bug? #1
Hello folks!
So a friend just sent me that piece of code with the explanation "The following script performs a DNS lookup for a host that a user provides. It uses an HMAC to make sure it is requested from a trusted source.". There is an important bug in it that's making the whole request source verification useless.
Let's see if anybody is able to find it Wink

Code:
<?php

if(empty($_POST['hmac'])) || empty($_POST['host']))
{
header('HTTP/1.0 400 Bad Request');
}

$secret = getenv("SECRET");

if(isset($_POST['nonce']))
$secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if($hmac !== $_POST['hmac'])
{
header('HTTP/1.0 403 Forbidden');
exit;
}

echo exec("host ".$_POST['host']);
?>

Reply

RE: [Challenge] Can you find the bug? #2
Holy shit this was hard...
I tried a couple of things and than remembered another cool thing and solved it.
I know the answer but I don't want to spoil it for anyone else so I wont post the solution here, but if someone wants the solution you can PM me.

Reply

RE: [Challenge] Can you find the bug? #3
I thought the exec would be the dangerous part in the beginning but then I noticed you can just use a small trick to set the secret to something predictable haha but yea it was definitely harder then the average challenges because I didn’t expect the issue to be where it actually is.

Reply

RE: [Challenge] Can you find the bug? #4
Got it almost immidately after your hint. This might be a good ctf question.

Reply

RE: [Challenge] Can you find the bug? #5
The only error was the parenthesis at the top, the rest, im not quite sure what your wanting lol, its just a post request to find the IP of a domain

Reply






Users browsing this thread: 1 Guest(s)