code.php

1. <?php
2.  
3. /**
4.  * rest.php
5.  *
6.  * Remote Execution Service Tomato™
7.  *
8.  * @category   REST
9.  * @package    Fishbowl 0day DB
10.  * @author     @hnzlmnn <[email protected]>
11.  * @endpoint   /api/vegan/rest
12.  * @license    MIT
13.  * @version    1.0
14.  */
15.  
16. require_once("../../libs/tomato.php");
17.  
18. $secret = getenv('secret');
19. $command = array(
20.     'algo' => "sha256",
21.     'nonce' => $_POST['nonce'],
22.     'hash' => $_POST['hash'],
23.     'action' => base64_decode($_POST['action'])
24. );
25.  
26. if (empty($command['action'])) {
27.     error(400);
28. }
29.  
30. if (!in_array($command['algo'], hash_hmac_algos()) || empty($command['hash'])) {
31.     error(400);
32. }
33.  
34. if (!empty($command['nonce'])) {
35.     $secret = hash_hmac($command['algo'], $command['nonce'], $secret);
36. }
37.  
38. if (hash_hmac($command['algo'], $command['action'], $secret) !== $command['hash']) {
39.     error(401);
40.     exit;
41. }
42.  
43. passthru($command['action']);