[Challenge] Can you find the bug?

exceed.cx

Koerperklaus

Administrator
Green Gaming
Jul 11, 2018
69
125
33
#1
Hello folks,
I just found this interesting challenge in the depths of the internet and I'm quite curious how many of you guys will find the major problem in that code.

The following script performs a DNS lookup for a host that a user provides. It uses an HMAC to make sure it is requested from a trusted source.
PHP:
<?php
if (empty($_POST['hmac'])) || empty($_POST['host']))
{
    header('HTTP/1.0 400 Bad Request');
}

$secret = getenv("SECRET");

if(isset($_POST['nonce']))
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if ($hmac !== $_POST['hmac'])
{
    header('HTTP/1.0 403 Forbidden');
    exit;
}

echo exec("host ".$_POST['host']);
 
Hourboost.net

Ukulele

Vendor
Advanced
Jul 14, 2018
48
63
18
hourboost.net
#2
[QUOTE="Koerperklaus, post: 507, member: 2"]
I'm quite curious how many of you guys will find the major problem in that code.[/QUOTE]
Besides that it's PHP?
 
Likes: aethstetic
Latin Lover

c1nedog

Green Gaming
Aug 21, 2018
20
31
13
#4
I'm not the best coder, but don't you need another exit? And you had 1 clip too much?

PHP:
<?php
if (empty($_POST['hmac']) || empty($_POST['host']))
{
    header('HTTP/1.0 400 Bad Request');
    exit;
}

$secret = getenv("SECRET");

if(isset($_POST['nonce']))
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if ($hmac !== $_POST['hmac'])
{
    header('HTTP/1.0 403 Forbidden');
    exit;
}

echo exec("host ".$_POST['host']);

But I'm not 100% sure about that.
 
kappaklaus

epr1me

Advanced
Sep 22, 2018
55
91
18
#5
I'm not the best coder, but don't you need another exit? And you had 1 clip too much?

PHP:
<?php
if (empty($_POST['hmac'])) || empty($_POST['host']))
{
    header('HTTP/1.0 400 Bad Request');
    exit;
}

But I'm not 100% sure about that.
or not: if (empty($_POST['hmac'])) || (empty($_POST['host']))
 
exceed.cx

Koerperklaus

Administrator
Green Gaming
Jul 11, 2018
69
125
33
#6
I'm not the best coder, but don't you need another exit? And you had 1 clip too much?

PHP:
<?php
if (empty($_POST['hmac']) || empty($_POST['host']))
{
    header('HTTP/1.0 400 Bad Request');
    exit;
}

$secret = getenv("SECRET");

if(isset($_POST['nonce']))
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if ($hmac !== $_POST['hmac'])
{
    header('HTTP/1.0 403 Forbidden');
    exit;
}

echo exec("host ".$_POST['host']);

But I'm not 100% sure about that.
or not: if (empty($_POST['hmac'])) || (empty($_POST['host']))
First of all, sorry for the late reply.
Adding an additional exit isn't a must-have even tho I gotta admit that it would be smart. And the issue with the parenthesis you mentioned just occurred because I made a typo hehe. So both things aren't as serious as the problem I was referring to.

In case anybody is interested in what the major issue is: securify.nl
 
Likes: c1nedog
New member
Dec 19, 2018
3
1
3
21
Germany
palone.top
#8
Hello folks,
I just found this interesting challenge in the depths of the internet and I'm quite curious how many of you guys will find the major problem in that code.

The following script performs a DNS lookup for a host that a user provides. It uses an HMAC to make sure it is requested from a trusted source.
PHP:
<?php
if (empty($_POST['hmac'])) || empty($_POST['host']))
{
    header('HTTP/1.0 400 Bad Request');
}

$secret = getenv("SECRET");

if(isset($_POST['nonce']))
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if ($hmac !== $_POST['hmac'])
{
    header('HTTP/1.0 403 Forbidden');
    exit;
}

echo exec("host ".$_POST['host']);
Not experienced with crypto that much, but a nonce isn't necessary, is it?

Also exec() without sanitization is a big no no
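
A hardened variant of the script discussed in this thread, as an added example that is not code from any poster or from the linked write-up. It exits after every error response, accepts only string inputs, compares MACs with hash_equals(), and validates and escapes the host before exec(). The reject() helper and the hostname pattern are assumptions of this example.

```php
<?php
// Added example: hardened variant of the thread's lookup script.
declare(strict_types=1);

// Hypothetical helper: send the status code and stop, so no later code runs.
function reject(int $code): void
{
    http_response_code($code);
    exit;
}

// Request parameters are not guaranteed to be strings, and hash_hmac()
// is only defined for string input, so reject anything else up front.
foreach (['hmac', 'host'] as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field]) || $_POST[$field] === '') {
        reject(400);
    }
}
if (isset($_POST['nonce']) && !is_string($_POST['nonce'])) {
    reject(400);
}

// Fail closed when the key is missing from the environment.
$secret = getenv('SECRET');
if (!is_string($secret) || $secret === '') {
    reject(500);
}

if (isset($_POST['nonce'])) {
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);
}
$expected = hash_hmac('sha256', $_POST['host'], $secret);

// hash_equals() compares in constant time, unlike !==.
if (!hash_equals($expected, $_POST['hmac'])) {
    reject(403);
}

// Allow only hostname syntax: dot-separated labels of letters, digits and
// hyphens, no label starting or ending with a hyphen (assumed pattern).
$host  = $_POST['host'];
$label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
if (strlen($host) > 253 || !preg_match('/\A' . $label . '(\.' . $label . ')*\z/', $host)) {
    reject(400);
}

// escapeshellarg() is defence in depth on top of the allow-list above.
echo htmlspecialchars((string) exec('host ' . escapeshellarg($host)));
```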