Spot The Bug challenge warm-up

Draco · August 13, 2019, 5:20am

See if you can spot the bug in this php code …

securifybv/spotthebug/blob/master/STB_2018_WARMUP/STB_2018_Warmup.php

<?php

if (empty($_POST['hmac']) || empty($_POST['host'])) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

$secret = getenv("SECRET"); 

if (isset($_POST['nonce']))
	$secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if ($hmac !== $_POST['hmac']) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

echo exec("host ".$_POST['host']);

This file has been truncated. show original

Draco · August 13, 2019, 5:22am

@brenly @brian @raffi @denzuko

brenly · August 13, 2019, 7:30am

pm’d responses. mulling over this right now at work

denzuko · August 13, 2019, 1:53pm

Bah… wonder what post ‘localhost; rm -rf /’ would do

Draco · August 13, 2019, 2:59pm

It is a fatal bug … Brenly hasn’t gotten it yet …

Hint: Data Types

denzuko · August 13, 2019, 3:23pm

yeah but still cli injection is a fatal bug.

HankCowdog · August 13, 2019, 5:35pm

Spoilers below:

Summary

if ($hmac !== $_POST['hmac']) {

The !== operator compares whether types are identical, not whether values match. You should use != here.

Draco · August 13, 2019, 5:39pm

Actually === and !== compare both type and value… == and != only compare value with automatic type casting

Draco · August 13, 2019, 5:49pm

The Answer

https://www.youtube.com/watch?v=MpeaSNERwQA