A little something to get you started (Trivial (1))
The page source contains:
```html
<style>
```
Requesting background.png yields the flag.
Micro-CMS v1 (Easy (2))
flag1
On the page edit screen the URL looks like /page/edit/2, which may be injectable; appending a single quote after the last digit pops the flag.
flag2
In the page elements of the Markdown Test page you can see an HTML tag, and the tag is rendered rather than escaped. Try XSS.
Create a new page, enter <script>alert(1)</script> in the title, and click <-- Go Home: the flag pops.
flag3
Similar to flag2, the article body is also XSS-able; the payload is as follows:
```html
<img src=1 onerror=javascript:alert(1) />
```
The flag is found in the page source.
flag4
Enumerating pages shows that page 3 is a 404 but page 4 is a 403; visiting /page/edit/4 yields the flag.
Hints:
Flag0
- Try creating a new page
- How are pages indexed?
- Look at the sequence of IDs
- If the front door doesn’t open, try the window
- In what ways can you retrieve page contents?
Flag1
- Make sure you tamper with every input
- Have you tested for the usual culprits? XSS, SQL injection, path injection
- Bugs often occur when an input should always be one type and turns out to be another
- Remember, form submissions aren’t the only inputs that come from browsers
Flag2
- Sometimes a given input will affect more than one page
- The bug you are looking for doesn’t exist in the most obvious place this input is shown
Flag3
- Script tags are great, but what other options do you have?
Micro-CMS v2 (Moderate (3))
flag1
v2 has a changelog:
```text
This version fixed the multitude of security flaws and general functionality bugs that plagued v1. Additionally, we added user authentication; we're still not sure why we didn't think about that the first time, but hindsight is 20/20. By default, users need to be an admin to add or edit pages now.
```
Create a new page now requires a login.
Logging in with the username admin' (a single quote appended) produces an error:
```text
Traceback (most recent call last):
```
The SQL statement can be seen to be:
```python
'SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')
```
Use the payload:
```text
Username: admin' union select 123 as password;--+
```
After logging in successfully, the Private Page shows the flag.
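The traceback shows the username spliced into the query with % formatting, where `.replace('%', '%%')` only protects the format operation and not the SQL. The following is an added example (not the challenge's code) that rebuilds that query against a constructed in-memory sqlite table beside the parameterised form that fixes it; the table contents and the `make_db` helper are assumptions, and the writeup's trailing `+` is treated as the form-encoded space it decodes to.

```python
import hmac
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CMS's admins table (sample data only).
    The plaintext password mirrors the challenge's SELECT password ...; a real
    deployment would store and compare a password hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def passwords_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Rebuilds the query from the traceback: the username is spliced in with %
    formatting. Doubling '%' only protects the format operation, not the SQL,
    so a single quote in the input still terminates the string literal."""
    sql = "SELECT password FROM admins WHERE username='%s'" % username.replace("%", "%%")
    return [row[0] for row in conn.execute(sql).fetchall()]


def passwords_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound as a parameter, so the driver never
    parses it as SQL and the quote is just another character of the name."""
    rows = conn.execute(
        "SELECT password FROM admins WHERE username = ?", (username,)
    ).fetchall()
    return [row[0] for row in rows]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check built on the bound query, with a constant-time comparison."""
    rows = passwords_safe(conn, username)
    return bool(rows) and hmac.compare_digest(rows[0].encode(), password.encode())


# The writeup's payload; the trailing '+' in the form body decodes to a space.
PAYLOAD = "admin' union select 123 as password;-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", passwords_vulnerable(db, PAYLOAD))  # the injected 123 row appears
    print("parameterised:", passwords_safe(db, PAYLOAD))     # no such user: []
    print("login with payload:", login(db, PAYLOAD, "123"))  # False
```

Under the vulnerable builder the UNION row is returned alongside the real password, which is what lets a guessed password of 123 pass the comparison; under the bound query the same input simply matches no user.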
flag2
The hint says:
```text
What actions could you perform as a regular user on the last level, which you can't now?
```
The page edit view only allows changes when logged in, but once the API request has been captured, deleting the cookie from it is enough to obtain the flag.
API content:
```text
POST:
```