Hacker101 CTF level 1

"Micro-CMS v1"

Posted by jindaxia on December 21, 2018

一个简单的CMS系统

Flag0

  • Try creating a new page
  • How are pages indexed?
  • Look at the sequence of IDs
  • If the front door doesn’t open, try the window
  • In what ways can you retrieve page contents?

打开页面长这样

1545385409074

新建一个页面先,发现新页面ID为10,而前两个页面ID为1、2,那3-9去哪了?

1545385682992

构造链接 试一下把ID改为3,404没有这个页面,不要放弃再试一下,当ID换成6的时候403,可能有戏

发现编辑页面的URL是这样的 /page/edit/1, 试一下 /page/edit/6 成功得到FLAG

1545386034282

Flag1

  • Make sure you tamper with every input
  • Have you tested for the usual culprits? XSS, SQL injection, path injection
  • Bugs often occur when an input should always be one type and turns out to be another
  • Remember, form submissions aren’t the only inputs that come from browsers

URL的ID,可能可以注入,访问/page/edit/1‘%20or%201=1’ 得到FLAG

Flag2

  • Sometimes a given input will affect more than one page
  • The bug you are looking for doesn’t exist in the most obvious place this input is shown

title 可能可以脚本注入 编辑页面 标题改成 <script> 返回首页,得到FLAG

Flag3

  • Script tags are great, but what other options do you have?

正文过滤了 <script>标记,试一下用 <img onclick="alert(1)">

然后查看网页源码得到flag,得到FLAG

1545731707198