[Challenge] Can you find the bug?

#1
Hello folks!
So a friend just sent me that piece of code with the explanation: "The following script performs a DNS lookup for a host that a user provides. It uses an HMAC to make sure it is requested from a trusted source." There is an important bug in it that's making the whole request source verification useless.
Let's see if anybody is able to find it :wink:



#2
Holy shit this was hard...
I tried a couple of things and then remembered another cool thing and solved it.
I know the answer but I don't want to spoil it for anyone else so I won't post the solution here, but if someone wants the solution you can PM me.

#3
I thought the exec would be the dangerous part in the beginning but then I noticed you can just use a small trick to set the secret to something predictable haha but yea it was definitely harder than the average challenges because I didn't expect the issue to be where it actually is.

#4
Got it almost immediately after your hint. This might be a good CTF question.

#5
The only error was the parenthesis at the top, the rest, I'm not quite sure what you're wanting lol, it's just a post request to find the IP of a domain

#6
Easy, I know the bug after reading the comments

#7
Quote:(02-12-2019, 04:08 PM)daizu Wrote:
Easy, I know the bug after reading the comments
This is from 2 months ago, just to let you know :wink:.