Hacker101 - No.2 - Micro-CMS v1

Hints for “Micro-CMS v1”

Flag0 -- Found
- Try creating a new page
- How are pages indexed?
- Look at the sequence of IDs
- If the front door doesn't open, try the window
- In what ways can you retrieve page contents?
Flag1 -- Found
- Make sure you tamper with every input
- Have you tested for the usual culprits? XSS, SQL injection, path injection
- Bugs often occur when an input should always be one type and turns out to be another
- Remember, form submissions aren't the only inputs that come from browsers
Flag2 -- Found
- Sometimes a given input will affect more than one page
- The bug you are looking for doesn't exist in the most obvious place - this input is shown
Flag3 -- Found
- Script tags are great, but what other options do you have?

Flag 0

The existing pages are /page/1 and /page/2. Creating a new page at random gives it /page/11.

So what lies in between? Visiting the ids one by one, /page/5 returns not 404 but 403.

The edit URL for the new page turns out to be /page/edit/11; visiting /page/edit/5 yields Flag 0.
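The lesson from Flag 0, from the defender's side, is that the view route and the edit route answered differently for the same page: one refused it with 403, the other served it. The example below is added here and is not the Micro-CMS source; the `Page` model, the `private` attribute, the session dictionary and the sample data are all assumptions. It routes both endpoints through a single `authorize()` so the access decision cannot drift between them.

```python
# Added example (not the Micro-CMS source): one authorization check shared
# by every route that returns page content, so the edit endpoint cannot
# expose a page that the view endpoint refuses. Names and data are assumed.
from dataclasses import dataclass


@dataclass
class Page:
    page_id: int
    title: str
    body: str
    private: bool  # assumed attribute: private pages need an owner session


# constructed sample store; ids 3 and 4 are deliberately absent, like the
# gap in the id sequence the write-up walks through
PAGES = {
    1: Page(1, "Hello", "public page", False),
    2: Page(2, "About", "public page", False),
    5: Page(5, "Secret", "private page", True),
}


def authorize(page_id, session):
    """Return (status, page): 404 for unknown ids, 403 for private pages the
    session may not read. Every route that returns page content calls this."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, None
    if page.private and not session.get("is_owner"):
        return 403, None
    return 200, page


def view_page(page_id, session):
    status, page = authorize(page_id, session)
    return status, (page.body if page else None)


def edit_page(page_id, session):
    # same gate as view_page rather than a separate lookup, which is the
    # difference that made /page/edit/5 leak what /page/5 refused
    status, page = authorize(page_id, session)
    return status, (page.body if page else None)


if __name__ == "__main__":
    for pid in (1, 3, 5):
        print(pid, view_page(pid, {}), edit_page(pid, {}))
```

With the shared gate, an anonymous session gets 403 from both routes for page 5, while an owner session gets the body from either; a missing id is 404 everywhere.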

Flag 1

Going from /page/edit/1 to /page/edit/2, we can guess that page content is fetched by id.

Append a ' to test it: visiting /page/1' gives 404.

But the edit page may fetch by that value as well; trying /page/edit/1' yields Flag 1.
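Flag 1 comes from an id that is interpolated into a query. The fix on the server side is two layers: reject anything that is not a plain integer before it reaches the database, and bind whatever does reach it as a parameter rather than concatenating it. The example below is added here and is not the Micro-CMS code; the table layout, the `sqlite3` backend and the sample rows are assumptions.

```python
# Added example (not the Micro-CMS source): strict id parsing plus a
# parameterized query for the edit route. Schema and rows are constructed.
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the CMS store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Hello", "first"), (2, "About", "second")],
    )
    return conn


def parse_page_id(raw):
    """Accept only a string of decimal digits; anything else (a quote, a
    space, an empty string) is refused before SQL is involved."""
    if not raw.isdigit():
        return None
    return int(raw)


def load_page_for_edit(conn, raw_id):
    """Edit route: 400 for malformed ids, 404 for unknown ones, 200 with the
    row otherwise. The id is bound with '?', never formatted into the SQL."""
    page_id = parse_page_id(raw_id)
    if page_id is None:
        return 400, None
    row = conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (page_id,)
    ).fetchone()
    if row is None:
        return 404, None
    return 200, {"title": row[0], "body": row[1]}


if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "1'", "9"):
        print(repr(raw), load_page_for_edit(db, raw))
```

With this in place the `1'` probe from the write-up is answered with 400 and never touches the query; the view route and the edit route should share the same `parse_page_id`, since the write-up's point is that one of them validated and the other did not.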

Flag 2

The obvious place to try XSS injection is the page creation form.

title: <script>alert(1)</script>; going back to the home page yields Flag 2.

Flag 3

This time, likewise, try XSS injection in the page body.

body: <script>alert(1)</script>; it turns out <script> is filtered, so switch to another injection form.

body: <img alter(1) />; Flag 3 is found in the page source.

Reposted from blog.csdn.net/qq_37794952/article/details/88741246