You can use any system with Python 3, I suppose, but I only tested it on Debian 11. Execute these commands:
cd
git clone https://github.com/jorritfolmer/vulnerable-api.git
sudo apt update
sudo apt install virtualenv
virtualenv venv
source venv/bin/activate
cd vulnerable-api
pip install -r requirements.txt
python ./vAPI.py -p 8080
Vulnerable API starts, as shown below.
Open a Web browser and browse to the IP address of your Debian machine on port 8080.
You see a message showing that vAPI is running, as shown below.
Restarting Vulnerable API
If you shut down the server, you can restart it with these commands:
cd
virtualenv venv
source venv/bin/activate
cd vulnerable-api
python ./vAPI.py -p 8080
Download and install ZAP from:
https://www.zaproxy.org/download/
In ZAP, from the Import menu, click "Import an OpenAPI definition from a URL". Enter this URL into the top field, and your API URL in the lower field, as shown below.
https://github.com/jorritfolmer/vulnerable-api/raw/main/openapi/vAPI.yaml
Click Import. A box pops up saying "Successfully imported...". Click OK.
Click Attack.
The attack takes a minute or two, as shown below.
The Alerts now show some SQL Injections, as shown below. In the top right pane, click the Response tab.
The response shows that the server simply executed the Linux "uptime" command, suggesting that there may be a command injection vulnerability here.
This looks like a classic SQL injection in the password field. Entering an apostrophe there results in a "syntax error".
Flag AP 121.1: Username (10 pts)
In the top right pane, click the Request tab. The flag is covered by a green rectangle in the image below.
Reinstalling Vulnerable API
The ZAP scan broke my API, so it gave this error: "sqlite3.OperationalError: no such table: users". I deleted the vulnerable-api directory and reinstalled the whole thing from the beginning to fix it.
After that, I got a fresh auth token and put it in the "token" variable in Postman.
In Postman, in the "Vulnerable API" collection, navigate to the "display uptime" request, as shown below.
Send the request. The response shows the command, uptime, and its output, as shown below.
In Postman, in the "Vulnerable API" collection, navigate to the "display uptime flag" request, as shown below. On the Params tab, the "flag" variable has the value "sed". Change this value to "h", as shown below.
Send the request. The command is now "uptime -h", as shown below.
The flag value is added to the end of the command, suggesting that we could insert other bash commands here. On the Params tab, change the "flag" variable to ";id", as shown below.
Send the request. The command is now "uptime -;id", and the "id" command runs, showing information about the current user, as shown below.
Flag AP 121.2: Filename (5 pts)
On the Params tab, change the "flag" variable to ";dir", as shown below. Send the request.
The flag is covered by a green rectangle in the image below.
On the Body tab, change the password to:
'(
Click the blue Send button.
The response is "syntax error", as shown below.
On the Body tab, change the password to:
' OR 1=1 --
Click the blue Send button.
You get an access token, as shown below.
admin1'--
Click the blue Send button.
You get an administrator access token, as shown below!
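To see why the apostrophe, "' OR 1=1 --" and "admin1'--" inputs above behave as they do, and why the "uptime -;id" parameter runs a second command, here is an added example (not vAPI's own code; its real schema and handlers are not shown on this page) that places a string-built login query beside a parameterised one, and adds an allowlisted argv builder for the uptime flag. The users table, its rows, and the set of permitted uptime flags are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for vAPI's user table; vAPI's real schema and code are
# not shown on this page, so this layout is an assumption.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin1", "S3cret!", 1), ("user1", "hunter2", 0)])
    return db

def login_vulnerable(db, username, password):
    """Query built by string concatenation: the submitted text becomes SQL,
    so a lone apostrophe breaks the syntax, ' OR 1=1 -- matches every row,
    and admin1'-- comments out the password check entirely."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    """Parameterised query: the same strings are bound as data, never parsed."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def try_login(login, username, password):
    """Run a login function on a fresh database and report 'syntax error'
    instead of raising, mirroring the response the lab shows."""
    try:
        return login(make_db(), username, password)
    except sqlite3.OperationalError:
        return "syntax error"

# Command side: the "display uptime flag" endpoint appends the request
# parameter to "uptime -". Checking it against an allowlist and handing an
# argv list to subprocess.run (no shell) means ";id" never reaches a shell.
ALLOWED_UPTIME_FLAGS = {"p", "s"}   # assumption: the only flags this API needs

def uptime_argv_fixed(flag):
    if flag not in ALLOWED_UPTIME_FLAGS:
        raise ValueError(f"rejected uptime flag: {flag!r}")
    return ["uptime", f"-{flag}"]   # run as subprocess.run(argv), shell=False
```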
Flag AP 121.3: Error Message (10 pts)
Using the administrator token, use the "create user" endpoint to create a user named "test". The flag is covered by a green rectangle in the image below.
Posted 5-11-22