Micro CMS v1
Thoughts: Have you ever sat at a website and messed around with directories? Or custom switches? Or even crawled a website, say with wget -m, mirrored everything, and seen a lot of directories and their randomness, stumbling on random stuff, some of which you really wished you hadn't, like porn, warez, etc.? Well, I didn't use wget per se here, but I did mess around with this: not everything is linked.
This is a micro CMS, a lightweight content management system; typically every newbie web developer who wants to build a CMS starts here.
Note: Hey, I helped develop one for my old ISP. Hey! This should be a walk in the park.
- Flag 1, let's find it.
– I started off by creating a new page to learn the system, then edited that page (keep an eye on the IDs given). Let's view that page, then change the ID given (http://url/dynamic folder/page/Id). Assuming you were assigned ID 9 like I was, change that to 8, then walk it down from 8 to 1 and view all of these pages.
Note: One of these will show a Forbidden permission page. Remember that ID; for me it was ID 7.
Let's go back to your page and edit it; it should show (http://url/dynamic folder/page/edit/9). Now let's test the permissions of page 7, because remember, this is about exploiting security, so let's break stuff, shall we? Change the ID in that edit URL so it shows (http://url/dynamic folder/page/edit/7).
Found the Flag!
- Flag 2
Let's add a character; this normally breaks stuff.
View page 1 (http://url/dynamic folder/page/1).
Add ' to the end of the 1 (http://url/dynamic folder/page/1'); this should break the page.
Now edit page 1: (http://url/dynamic folder/page/edit/1)
Let's do it again: add ' to the end of page 1.
(http://url/dynamic folder/page/edit/1')
Instead of breaking, it dropped a flag!
- Flag 3
OK, this is something I've heard about for a while: cross-site scripting.
-> As a heads-up, check this out for more information: https://www.nuharborsecurity.com/alertxss-pwn3d-real-dangers-cross-site-scripting/
Edit page 1 and add a script snippet; this needs to use the alert, XSS, cross-site scripting, or as I call it the Alert X-Ass… (http://url/dynamic folder/page/edit/1)
Add in the title and body: <script>alert('XSS')</script>
Now save it and hit "Go Back".
It should error out and give you Flag 3, as it did for me!
- Flag 4
This is similar to Flag 3, but this one needs a bit of creativity.
Do you remember when I said find the IDs and count down? You saw that adorable kitty on page 2, just like I did? (http://url/dynamic folder/page/2)
Let's edit this one! Since we have done ID 7 and 1, and 8, 4, 3, 5, 6 are all dead and don't exist.
(http://url/dynamic folder/page/edit/2)
Note: Having been a web developer in the past, you know that if you add things that could interfere, such as another script call, things go wrong. This one brought me back to the early days of GeoCities in the late '90s, when I wrote a page people went to that looped back on this button.
Add in this: <button onclick="alert(1)">Kitty Button, CLICK ME!!!!</button>
Hit save and click the button; this alert should error out because, you know, bad JavaScript. Now check your dev tools (hint: F12). Back in those days Netscape was the only browser that had this feature, but back then it didn't show a button flag; instead it used to display JavaScript errors or break the whole site, or, depending on how you had coded your site, you could have looped that button click a lot of times instead. In the dev tools you will see the last flag.
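As an added example (my code, not the CTF app's, and the owner/private columns of the page table are my assumption), here is the set of server-side checks whose absence the four flags above demonstrate: integer-only ids and a bound SQL parameter so a stray ' gives a 404 instead of a broken page, an ownership check on the edit route so page 7 stays Forbidden, and output escaping so a stored <script> or onclick= renders as text instead of running.

```python
import html
import sqlite3

def make_db():
    """Constructed in-memory page store; the owner/private columns are assumed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, "
               "title TEXT, body TEXT, private INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "Testing", "Hello world", 0),
        (7, "admin", "Private Page", "owner-only content", 1),
        (9, "guest", "My page", "draft", 0),
    ])
    return db

def parse_id(raw):
    """Only a plain decimal id is accepted, so a trailing ' never reaches SQL."""
    return int(raw) if raw.isdigit() else None

def load_page(db, raw_id, user):
    """View handler: returns (http_status, page); 403 for someone else's private page."""
    page_id = parse_id(raw_id)
    if page_id is None:
        return 404, None
    row = db.execute(  # bound parameter instead of string-built SQL
        "SELECT id, owner, title, body, private FROM pages WHERE id = ?",
        (page_id,)).fetchone()
    if row is None:
        return 404, None
    pid, owner, title, body, private = row
    if private and owner != user:
        return 403, None
    return 200, {"id": pid, "owner": owner, "title": title, "body": body}

def edit_page(db, raw_id, user):
    """Edit handler: the ownership check is the one Flag 1 showed was missing."""
    status, page = load_page(db, raw_id, user)
    if status != 200:
        return status, None
    if page["owner"] != user:
        return 403, None
    return 200, page

def render(page):
    """Escape stored title and body so <script> or onclick= is shown as text, not run."""
    return "<h1>%s</h1><div>%s</div>" % (html.escape(page["title"]),
                                          html.escape(page["body"]))
```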
Now we are getting nostalgic, this is how H101 got me hooked with this nostalgic