Last active
July 19, 2020 17:54
The program takes hmac, nonce and host from the request and $secret from the .env. If nonce is sent from the request, the value of the secret is changed, but if the $hmac doesn't match, you can't go to the exec() command portion on line 20. You have no way of knowing the $secret from .env. Do you see the bug? How can you bypass the security exploitin…
```php
<?php
// Reject requests that do not carry both an hmac and a host.
if (empty($_POST['hmac']) || empty($_POST['host'])) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

// Base secret comes from the environment (.env).
$secret = getenv('SECRET');

// An optional nonce re-keys the secret for this request.
if (isset($_POST['nonce'])) {
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);
}

// HMAC the host under the (possibly re-keyed) secret and compare
// it with the value the client supplied.
$hmac = hash_hmac('sha256', $_POST['host'], $secret);
if ($hmac != $_POST['hmac']) {
    header('HTTP/1.0 403 Forbidden');
}

// Run the DNS lookup for the requested host.
echo exec("host " . $_POST['host']);
```
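A hardened counterpart of the script, added here as an example and not the gist author's code. It keeps the same request fields (hmac, host, nonce) and the same SECRET environment variable, and shows the defensive shape a reviewer would ask for: fail closed after every rejected check, compare MACs with a constant-time strict comparison, and validate and quote the host before it reaches a shell.

```php
<?php
// Hardened version (added example, not the original gist code).
// Assumes the same POST fields and the same SECRET environment variable.

function deny(int $status, string $reason): void {
    header("HTTP/1.0 $status $reason");
    exit; // fail closed: never continue past a rejected check
}

// Only accept scalar strings from the request; arrays would break hash_equals().
$hmacParam  = $_POST['hmac']  ?? '';
$hostParam  = $_POST['host']  ?? '';
$nonceParam = $_POST['nonce'] ?? null;

if (!is_string($hmacParam) || $hmacParam === '' ||
    !is_string($hostParam) || $hostParam === '') {
    deny(400, 'Bad Request');
}

$secret = getenv('SECRET');
if ($secret === false || $secret === '') {
    deny(500, 'Internal Server Error'); // refuse to run without a configured secret
}

// Optional nonce re-keys the secret, as in the original, but must be a string.
if ($nonceParam !== null) {
    if (!is_string($nonceParam)) {
        deny(400, 'Bad Request');
    }
    $secret = hash_hmac('sha256', $nonceParam, $secret);
}

// Constant-time, type-strict comparison of the expected and supplied MAC.
$expected = hash_hmac('sha256', $hostParam, $secret);
if (!hash_equals($expected, $hmacParam)) {
    deny(403, 'Forbidden');
}

// Only a syntactically valid hostname may reach the shell, and it is quoted anyway.
if (filter_var($hostParam, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
    deny(400, 'Bad Request');
}
echo exec('host ' . escapeshellarg($hostParam));
```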
@rifatron999 you are not supposed to give your answer here. :) I'll be deleting your comment shortly.