API-Hacking-2

Dockerfile

@@ -17,6 +17,7 @@ RUN apt-get install -y \
 	php-cgi \
 	php-cli \
 	php-common \
+	php-gd 	\
 	php-curl \
 	php-dev \
 	php-json \

README.md

@@ -1,6 +1,6 @@
 <!-- PROJECT LOGO -->
 <p align="center">
-  <a href="https://siberyavuzlar.com">
+  <a href="https://yavuzlar.org">
     <img src="https://i.ibb.co/nDLHW7m/logomodern.png" alt="Logo" width="180" height="180">
   </a>
 
@@ -30,6 +30,9 @@
 * Broken Authentication
 * Race Condition
 * Server Side Template Injection (SSTI)
+* API Hacking
+* Captcha Bypass
+* Path Traversal
 
 <!-- Installation -->
 ## Installation
@@ -42,7 +45,7 @@
    ```
 2. Go to http://localhost:1337
 
-### Manuel Installation
+### Manual Installation
 
 1. Clone the repo
    ```sh

app/lab/api-hacking/api-hacking1/all_wallpapers.php

@@ -0,0 +1,52 @@
+<?php
+require("../../../lang/lang.php");
+$strings = tr();
+
+$uploadDirectory = '../api-hacking1/api/uploads/';
+$images = scandir($uploadDirectory);
+
+$images = array_diff($images, array('..', '.'));
+
+?>
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>API Hacking</title>
+    <!-- Bootstrap CSS -->
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+
+<div class="container mt-5">
+    <button type="button" class="btn btn-primary mt-2" onclick="backToLoginPage()"><?php echo $strings['backtologin']; ?></button>
+    <p></p>
+    <div class="row">
+        <?php foreach ($images as $image) : ?>
+            <div class="col-md-4 mb-4">
+                <div class="card h-100">
+                    <img src="<?= $uploadDirectory . $image ?>" class="card-img-top" alt="<?= $image ?>">
+                    <div class="card-body text-center">
+                        <h5 class="card-title"><?= $image ?></h5>
+                    </div>
+                </div>
+            </div>
+        <?php endforeach; ?>
+    </div>
+
+    <div class="mt-3">
+    </div>
+</div>
+
+<!-- Bootstrap JS and Popper.js (required for Bootstrap JavaScript plugins) -->
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
+<script id="VLBar" title="<?= $strings['title'] ?>" category-id="13" src="/public/assets/js/vlnav.min.js"></script>
+<script>
+    function backToLoginPage() {
+        window.location.href = 'index.php'; 
+    }
+</script>
+</body>
+</html>

app/lab/api-hacking/api-hacking1/api/all_wallpapers.php

@@ -0,0 +1,43 @@
+<?php
+$uploadDirectory = '../api/uploads/';
+$images = scandir($uploadDirectory);
+
+$images = array_diff($images, array('..', '.'));
+
+?>
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>API Hacking</title>
+    <!-- Bootstrap CSS -->
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+
+<div class="container mt-5">
+    <p></p>
+    <div class="row">
+        <?php foreach ($images as $image) : ?>
+            <div class="col-md-4 mb-4">
+                <div class="card h-100">
+                    <img src="<?= $uploadDirectory . $image ?>" class="card-img-top" alt="<?= $image ?>">
+                    <div class="card-body text-center">
+                        <h5 class="card-title"><?= $image ?></h5>
+                    </div>
+                </div>
+            </div>
+        <?php endforeach; ?>
+    </div>
+
+    <div class="mt-3">
+    </div>
+</div>
+
+<!-- Bootstrap JS and Popper.js (required for Bootstrap JavaScript plugins) -->
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
+<script id="VLBar" title="<?= $strings['title'] ?>" category-id="13" src="/public/assets/js/vlnav.min.js"></script>
+</body>
+</html>

app/lab/api-hacking/api-hacking1/api/delete_image.php

@@ -12,14 +12,14 @@
 
     if (file_exists($targetFile) && unlink($targetFile)) {
         $response['success'] = true;
-        $response['message'] = "Image deleted successfully.";
+        $response['message'] = $strings['success2'];
     } else {
         $response['success'] = false;
-        $response['message'] = "Error deleting the image.";
+        $response['message'] = $strings['deleteerr'];
     }
 } else {
     $response['success'] = false;
-    $response['message'] = "Invalid request method.";
+    $response['message'] = $strings['requestmethod'];
 }
 
 echo json_encode($response);

app/lab/api-hacking/api-hacking1/api/get_images.php

@@ -1,7 +1,19 @@
 <?php
+session_start();
+
 $uploadDirectory = '../api/uploads/';
 
-$images = array_diff(scandir($uploadDirectory), array('..', '.'));
+if (isset($_SESSION['user_id'])) {
+    $userId = $_SESSION['user_id'];
+
+    $images = array_filter(scandir($uploadDirectory), function ($image) use ($userId) {
+        //Check if the number at the beginning of the file name matches the user ID.
+        preg_match('/^(\d+)_/', $image, $matches);
+        return isset($matches[1]) && $matches[1] == $userId;
+    });
 
-echo json_encode(array_values($images));
+    echo json_encode(array_values($images));
+} else {
+    echo json_encode([]);
+}
 ?>

app/lab/api-hacking/api-hacking1/api/logout.php

@@ -0,0 +1,8 @@
+<?php
+session_start();
+
+session_unset();
+session_destroy();
+
+$response = array('success' => true);
+echo json_encode($response);

app/lab/api-hacking/api-hacking1/api/reset_images.php

@@ -0,0 +1,35 @@
+<?php
+
+header("Content-Type: application/json");
+
+$response = array();
+
+$backupDirectory = __DIR__ . '/backup_images/';
+
+if (!file_exists($backupDirectory)) {
+    $response['success'] = false;
+    echo json_encode($response);
+    exit;
+}
+
+$uploadDirectory = 'uploads/';
+
+$files = glob($uploadDirectory . '*'); 
+foreach ($files as $file) {
+    if (is_file($file)) {
+        unlink($file); 
+    }
+}
+
+$backupFiles = glob($backupDirectory . '*');
+foreach ($backupFiles as $backupFile) {
+    if (is_file($backupFile)) {
+        $targetFile = $uploadDirectory . basename($backupFile);
+        copy($backupFile, $targetFile); 
+    }
+}
+
+$response['success'] = true;
+$response['message'] = $strings['reset'];
+echo json_encode($response);
+?>

app/lab/api-hacking/api-hacking1/api/upload.php

@@ -1,23 +1,48 @@
 <?php
 
+session_start();
 header("Content-Type: application/json");
 
 $response = array();
 
 $uploadDirectory = 'uploads/';
 
-if (!is_dir($uploadDirectory)) {
-    mkdir($uploadDirectory, 0755, true);
+// Check the user's identity.
+if (!isset($_SESSION['user_id'])) {
+    $response['success'] = false;
+    $response['message'] = $strings['authenticate'];
+    echo json_encode($response);
+    exit;
+}
+
+$userId = $_SESSION['user_id'];
+
+// Check the allowed file types.
+$allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
+if (!in_array($_FILES['image']['type'], $allowedTypes)) {
+    $response['success'] = false;
+    $response['message'] = $strings['invalidtype'] . implode(', ', $allowedTypes);
+    echo json_encode($response);
+    exit;
 }
 
-$targetFile = $uploadDirectory . basename($_FILES['image']['name']);
+// Create the file name.
+$targetFile = $uploadDirectory . $userId . '_' . basename($_FILES['image']['name']);
+
+// Check if a file with the same name exists.
+if (file_exists($targetFile)) {
+    $response['success'] = false;
+    $response['message'] = $strings['samename'];
+    echo json_encode($response);
+    exit;
+}
 
 if (move_uploaded_file($_FILES['image']['tmp_name'], $targetFile)) {
     $response['success'] = true;
-    $response['message'] = "The upload process has been successfully completed.";
+    $response['message'] = $strings['success1'];
 } else {
     $response['success'] = false;
-    $response['message'] = "An error occurred while uploading the file.";
+    $response['message'] = $strings['uploaderr'];
 }
 
 echo json_encode($response);

app/lab/api-hacking/api-hacking1/api/users.json

@@ -0,0 +1,7 @@
+[
+    {"id":"1", "username":"admin", "password":"admin"},
+    {"id":"2","username":"user","password":"user"},
+    {"id":"3","username":"user2","password":"user2"},
+    {"id":"4","username":"user3","password":"user3"},
+    {"id":"5","username":"user4","password":"user4"}
+]