Hacker101 CTF level 1

"Micro-CMS v1"

Posted by jindaxia on December 21, 2018

Flag0

• Try creating a new page
• How are pages indexed?
• Look at the sequence of IDs
• If the front door doesn’t open, try the window
• In what ways can you retrieve page contents?

Flag1

• Make sure you tamper with every input
• Have you tested for the usual culprits? XSS, SQL injection, path injection
• Bugs often occur when an input should always be one type and turns out to be another
• Remember, form submissions aren’t the only inputs that come from browsers

URL的ID,可能可以注入，访问/page/edit/1‘%20or%201=1’ 得到FLAG

Flag2

• Sometimes a given input will affect more than one page
• The bug you are looking for doesn’t exist in the most obvious place this input is shown

title 可能可以脚本注入 编辑页面 标题改成 <script> 返回首页，得到FLAG

Flag3

• Script tags are great, but what other options do you have?