
[Challenge] Can you find the bug?
[Challenge] Can you find the bug? #1
Hello folks!
So a friend just sent me that piece of code with the explanation "The following script performs a DNS lookup for a host that a user provides. It uses an HMAC to make sure it is requested from a trusted source.". There is an important bug in it that's making the whole request source verification useless.
Let's see if anybody is able to find it ;)


if(empty($_POST['hmac'])) || empty($_POST['host']))
    header('HTTP/1.0 400 Bad Request');

$secret = getenv("SECRET");

$secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if($hmac !== $_POST['hmac'])
    header('HTTP/1.0 403 Forbidden');

echo exec("host ".$_POST['host']);


RE: [Challenge] Can you find the bug? #2
Holy shit this was hard...
I tried a couple of things and then remembered another cool thing and solved it.
I know the answer but I don't want to spoil it for anyone else so I won't post the solution here, but if someone wants the solution you can PM me.


RE: [Challenge] Can you find the bug? #3
I thought the exec would be the dangerous part in the beginning, but then I noticed you can just use a small trick to set the secret to something predictable haha. But yea, it was definitely harder than the average challenges because I didn't expect the issue to be where it actually is.


RE: [Challenge] Can you find the bug? #4
Got it almost immediately after your hint. This might be a good CTF question.


RE: [Challenge] Can you find the bug? #5
The only error was the parenthesis at the top. The rest, I'm not quite sure what you're wanting lol, it's just a POST request to find the IP of a domain.

