Vampi
Last updated
Last updated
This is the list from the documentation To keep track, I will check everytime I find one
To deploy it I used Docker
docker run -p 5000:5000 erev0s/vampi:latest
First thing we would usually do is to enumerate a little, however, we do have the doc here so it seems to be enough for now. We can dive in.
Launch burp or zap (I will be using burp)
I am going to look around a little and then try to exploit the vulnerabilities mentionned in the list from the doc (that I pasted above)
If we access http://127.0.0.1:5000/ we get this page
We already have some data but let's still try the request to create the db just to see what happens.
We can do this with a post request on the endpoint /users/v1/register
We are not suppose to be able to create an admin user but if we use the previous endpoint but add in the json the parameter "admin": true, we are able to create our admin user.
We can see that our user is indeed created.
Once we created a user we can use it to login by issuing a post request on this endpoint /users/v1/login. This way, we will get a token.
Then when we will need to do something with a logged in user we will just have to specify the token we just got like this in our request header:
We have a request to list the users and we have an even more interesting request /users/v1/_debug that gives also the users passwords.
So this is definitely excessive data exposure
When trying to login with a non existent user we have the response "Username does not exist".
Another way to enumerate user is to try to find a specific user using the endpoint /users/v1/{username} with a get request.
When a user exists we get this
When it does not we get this:
We have a way of knowing if a password is correct or not. This vulnerability is really helpful for bruteforce attacks.
If we try to login with an existing user but with a wrong password, we get a specific message "Password is not correct for the given username.".
When issuing a PUT request on this endpoint, we can change our password /users/v1/<username>/password.
But can we change another user password.
Let's try to change the password of admin user with my token of the csbygb non admin user.
It works!
Request to change the password of admin with csbygb user's token
The password of admin has changed
If we add a quote in the request to get the users we get a sql error
So here we know now that the database is sqlite At this point we can continue with sqlmap and this will dump the db sqlmap -u http://localhost:5000/users/v1/csbygb* --dbms=sqlite --dump
We can find books that do not belong to us. Using the book title as the ID with this endpoint /books/v1/{book-title}
So here with the token of my user csbygb I am able to access a book that belongs to the user name1.
Here we are able to send a lot of request without being blocked in anyway by the application. For example we can send plenty of requests to bruteforce the login. I am going to use burp (pro version) intruder for this. I send the login request to the intruder, I set up variables on username and password.
So here we were able to send more than 800 request without being blocked
So we could try one of the regex provided in the OWASP document.
We could try this on this endpoint /users/v1/{username}/email if we issue a put request here we are suppose to be able to update our email address.
We need to be logged in for this.
Using this request we were able to trigger the vulnerability and dos the application.
Avoid to do this in real context except if it is a request or if you have the authorization of you customer. With these types of attack you are actually impacting the availability of the application.
Go
Get the yaml in your local machine from or wget https://raw.githubusercontent.com/erev0s/VAmPI/master/openapi_specs/openapi3.yml
Then you can play in the browser with the request and you get a full list of requests
For the reference of this vulnerability on OWASP, you can find it
