roottusk / vapi

vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.
GNU General Public License v3.0

Api7-can't Print Flag #7

Closed idlefire closed 3 years ago

idlefire commented 3 years ago

getKey.php

if($_SERVER["HTTP_ORIGIN"]=="")
{
    header("Access-Control-Allow-Origin: *");
}
else{
    header("Access-Control-Allow-Origin: ".$_SERVER["HTTP_ORIGIN"]);
    $row["flag"]=base64_decode("ZmxhZ3thcGk3X2U3MWI2NTA3MTY0NWUyNGVkNTBhfQ=="); // flag key is set here ...
}
......
if(mysqli_num_rows($result) > 0)
{
    http_response_code(200);
    $row=$result->fetch_assoc(); // ... but this assignment replaces the whole $row array
    $row["success"]="true";
    print json_encode($row);
}

`$result->fetch_assoc()` overwrites `$row`, so `$row["flag"]` is null.
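The ordering problem described in this report, shown in corrected form as an added example (this is not code from the vAPI repository): the database row is taken from `fetch_assoc()` first and the flag key is added afterwards, so nothing overwrites it. `build_key_response`, `$dbRow` and `FLAG_PLACEHOLDER` are assumed names standing in for the handler's logic, the fetched row and the real flag value.

```php
<?php
// Added example, not vAPI's own code: the payload assembly from getKey.php with
// the assignments reordered. $dbRow stands in for what $result->fetch_assoc()
// returns (null when mysqli_num_rows() was 0); FLAG_PLACEHOLDER stands in for
// the real flag. The Access-Control-Allow-Origin header handling is unchanged
// and left out here, since only the $row construction was at fault.

function build_key_response(?array $dbRow, ?string $origin): ?array
{
    if ($dbRow === null) {
        return null;                        // original falls through to its error path
    }
    $row = $dbRow;                          // database columns first ...
    $row["success"] = "true";
    if ($origin !== null && $origin !== "") {
        $row["flag"] = "FLAG_PLACEHOLDER";  // ... flag last, same condition as before
    }
    return $row;
}

// Constructed sample row standing in for a fetched database record.
$sampleRow = ["id" => 1, "name" => "constructed-sample"];

// Request carrying an Origin header: the flag key must survive.
$withOrigin = build_key_response($sampleRow, "http://example.com");
if (!isset($withOrigin["flag"])) {
    throw new RuntimeException("flag was lost again");
}

// Request without an Origin header: no flag key, as in the original logic.
$noOrigin = build_key_response($sampleRow, "");
if (isset($noOrigin["flag"])) {
    throw new RuntimeException("flag must not be present without Origin");
}

print json_encode($withOrigin) . "\n";
```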
roottusk commented 3 years ago

Hey,

Thanks for pointing this out. Can you check 19ff3734d342439b6a5a68d258c365913bfbe19e and let me know?