醉梦半醒的博客

hash_hmac_php_bug

字数统计: 167阅读时长: 1 min
2019/12/26 Share

hash_hmac

hash_hmac — 使用 HMAC 方法生成带有密钥的哈希值
hash_hmac(algo, data, key)
当data为数组时,结果为NULL

php_code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<?php
highlight_file();
if (empty($_POST['hmac']) || empty($_POST['host'])){
header('HTTP/1.0 400 Bad Request');
exit;
}

$secert = getenv('SECRET');

if(isset($_POST['nonce']))
$secret=hash_hmac('sha256',$_POST['nonce'], $secret);

$hmac = hash_hmac('sha256',$_POST["host"],$secret);

if ($hmac !== $_POST['hmac']){
header('HTTP/1.0 403 Forbiden');
exit;
}
echo exec("host".$_POST['host']);
?>

当不知道$secret的值时,将nonce为数组传入,使第一个生成的$secret为NULL,则$hmac可控,利用host参数传入
可在本地先生产盐值绕过比较
hash_hmac_php_bug1.png
hash_hmac_php_bug2.png

payload

hash_hmac_php_bug3.png

Link and environment

From LiveOverflow
Environment

CATALOG
  1. 1. hash_hmac
  2. 2. php_code
  3. 3. payload
  4. 4. Link and environment