一个简单的CMS系统
Flag0
- Try creating a new page
- How are pages indexed?
- Look at the sequence of IDs
- If the front door doesn’t open, try the window
- In what ways can you retrieve page contents?
打开页面长这样
新建一个页面先,发现新页面ID为10,而前两个页面ID为1、2,那3-9去哪了?
构造链接 试一下把ID改为3,404没有这个页面,不要放弃再试一下,当ID换成6的时候403,可能有戏
发现编辑页面的URL是这样的 /page/edit/1
, 试一下 /page/edit/6
成功得到FLAG
Flag1
- Make sure you tamper with every input
- Have you tested for the usual culprits? XSS, SQL injection, path injection
- Bugs often occur when an input should always be one type and turns out to be another
- Remember, form submissions aren’t the only inputs that come from browsers
URL的ID,可能可以注入,访问/page/edit/1‘%20or%201=1’ 得到FLAG
Flag2
- Sometimes a given input will affect more than one page
- The bug you are looking for doesn’t exist in the most obvious place this input is shown
title 可能可以脚本注入 编辑页面 标题改成 <script>
返回首页,得到FLAG
Flag3
- Script tags are great, but what other options do you have?
正文过滤了 <script>
标记,试一下用 <img onclick="alert(1)">
然后查看网页源码得到flag,得到FLAG