Micro-CMS v1
Micro-CMS v1 is one of the CTF levels on Hacker101, the free training platform run by HackerOne and a great resource and community for CTF beginners to start hacking. This is a writeup of Micro-CMS v1.
The landing page looks unremarkable: after poking around, it only exposes basic CRUD functionality to create new pages and edit their content. Clicking "Create a new page" lets you add a page with a Title and Content. So where is the vulnerability?
Flag 0: Try creating a new page
Following the hint, let's create a new page and see what happens.
At first glance, nothing fancy. But wait, what's going on with the URL?
http://35.227.24.107/892f16974a/page/12
Why does our brand-new page get id 12? If ids are handed out sequentially, pages 1 through 11 must already exist. Curiosity drove me to walk through ids 1 to 12. Page 7 was the interesting one: instead of a 404 it returned an authorization error. So there is something worth reading on that page, and it is protected; let's find a way in.
Look back at where we created a page; the URL looks like this:
http://35.227.24.107/892f16974a/page/12
and if we want to modify the content, the URL looks like this:
http://35.227.24.107/892f16974a/page/edit/12
Let's knock on page 7's door through the edit route. Is anyone home?
The flag opened the door. The vulnerability is a broken access control: the view route for page 7 enforces the authorization check, but the edit route for the same page id does not, so switching /page/7 to /page/edit/7 walks straight past the protection. The check was attached to one route instead of to the page record itself.
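To make the flag 0 bug concrete, here is an added Python sketch (not Micro-CMS's code; the page table, the "private" flag, the session dict and the probe helper are all constructed for illustration). It shows a view handler that checks authorization, an edit handler for the same record that forgets to, and a hardened version where one loader does the check for every route. The probe mimics the id walk from the writeup.

```python
# Added example, not the Micro-CMS source. Everything here is constructed:
# a dict stands in for the pages table and a dict stands in for the session.
PAGES = {
    7: {"title": "Private Page", "body": "protected content (stands in for the flag)", "private": True},
    12: {"title": "Testing", "body": "hello", "private": False},
}

class Forbidden(Exception):
    """Stands in for an HTTP 403."""

def view_page_vulnerable(page_id, session):
    # /page/<id>: the check lives here, on the view route only.
    page = PAGES[page_id]                      # KeyError stands in for 404
    if page["private"] and not session.get("admin"):
        raise Forbidden(page_id)
    return page["body"]

def edit_page_vulnerable(page_id, session):
    # /page/edit/<id>: same record, no check. This is the flag 0 bug.
    return PAGES[page_id]["body"]

# Hardened: authorization is tied to loading the record, so every route
# that touches a page goes through the same check.
def load_page(page_id, session):
    page = PAGES.get(page_id)
    if page is None:
        raise KeyError(page_id)                # 404
    if page["private"] and not session.get("admin"):
        raise Forbidden(page_id)               # 403 before any content is touched
    return page

def view_page(page_id, session):
    return load_page(page_id, session)["body"]

def edit_page(page_id, session, new_body=None):
    page = load_page(page_id, session)
    if new_body is not None:
        page["body"] = new_body
    return page["body"]

def probe(handler, ids, session):
    """Walk ids the way the writeup did and record ok / 403 / 404 per id."""
    results = {}
    for i in ids:
        try:
            handler(i, session)
            results[i] = "ok"
        except Forbidden:
            results[i] = "403"
        except KeyError:
            results[i] = "404"
    return results

if __name__ == "__main__":
    anon = {}
    print("view  (vuln):", probe(view_page_vulnerable, range(1, 13), anon))
    print("edit  (vuln):", probe(edit_page_vulnerable, range(1, 13), anon))
    print("edit (fixed):", probe(edit_page, range(1, 13), anon))
```

Run it and the vulnerable edit probe reports "ok" for id 7 while the view probe reports "403" for the same id; after the fix both routes agree, and an admin session still gets through.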
Flag 1: Make sure you tamper with every input
Tamper with every input? It's a vague hint, but it narrows down the class of vulnerability: some input is handled unsafely on the server, so we can inject something. From flag 0 we know pages are created and looked up by the id at the end of the URL. Does that id reach a SQL query? Let's replace it with something that would break one.
http://35.227.24.107/892f16974a/page/edit/12
to
http://35.227.24.107/892f16974a/page/edit/'SELECT * FROM USER'
Boom! The response to that URL revealed the flag, which tells us the id is concatenated straight into a query. Behind the scenes the lookup is something like `... WHERE id = '12'`: the leading single quote in our input closes that string literal early, and whatever follows is handed to the database as SQL. That is SQL injection, and with the right payload (a UNION or a stacked query) an attacker can pull sensitive data out of the database. Don't rely on hand-rolled escaping; use parameterized queries, for Jesus's sake.
With our payload the query degenerates into roughly `... WHERE id = ''SELECT * FROM USER''`: the literal ends after the first quote and the rest is left for the parser to choke on.
Nasty nasty.
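An added Python demonstration of the flag 1 bug class (this is not Micro-CMS's code, and we don't know its real backend; an in-memory SQLite table with two constructed rows stands in for the CMS). It runs the writeup's payload against a query built by string formatting, then against the parameterized form, and also shows a payload that stays well-formed and turns the lookup into "match everything".

```python
import sqlite3

# Added example, not the Micro-CMS source. Table layout and rows are constructed.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (7, "Private Page", "secret stuff"),
        (12, "Testing", "hello"),
    ])
    return db

def get_page_vulnerable(db, page_id):
    # The id from the URL is pasted into the query text, the shape the writeup
    # guesses at: WHERE id = '<user input>'.
    sql = "SELECT id, title, body FROM pages WHERE id = '%s'" % page_id
    return db.execute(sql).fetchall()

def get_page_safe(db, page_id):
    # Parameterized: the driver sends the value separately from the SQL text,
    # so a quote inside the input can never terminate the literal.
    sql = "SELECT id, title, body FROM pages WHERE id = ?"
    return db.execute(sql, (page_id,)).fetchall()

def demo():
    db = make_db()
    out = {}
    out["normal"] = get_page_vulnerable(db, "12")
    try:
        # The writeup's payload: the leading quote closes the literal early and
        # "SELECT * FROM USER" is left dangling for the parser.
        get_page_vulnerable(db, "'SELECT * FROM USER'")
        out["quote"] = "no error"
    except sqlite3.OperationalError as e:
        out["quote"] = "syntax error: %s" % e
    # A payload that keeps the query well-formed: WHERE id = '12' OR '1'='1'
    out["or_true"] = get_page_vulnerable(db, "12' OR '1'='1")
    # Same payloads against the parameterized query: treated as a plain id
    # value that matches nothing, and nothing errors out.
    out["safe_quote"] = get_page_safe(db, "'SELECT * FROM USER'")
    out["safe_or_true"] = get_page_safe(db, "12' OR '1'='1")
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The error text from the first payload is exactly the kind of thing a CTF (or a careless production app) leaks back to the user; the `OR '1'='1'` variant shows why a quiet query that "just works" is no proof of safety either.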
Resources:
- SQL Injection | OWASP Foundation
- What is SQL Injection? Tutorial & Examples | Web Security Academy (portswigger.net)
- SQL Injection (w3schools.com)
Flag 2: Sometimes a given input will affect more than one page
Affect more than one page? What does that mean exactly? That our input gets rendered, and maybe executed, somewhere other than the page we edit? How do we check? Let's try method 101: put an alert payload in every input.
Save and go back to the edited page.
Sadly nothing happens... yet. Look at the title: `<script>` is escaped there, sweet, nice work developer. And the `<script>` inside the content is somehow removed. Usually a site that rejects script in user input throws an error blaming you; this one didn't, so friendly. Now go back to the main page, and the alert pops up with the flag.
Open the inspector and you can see the script runs as soon as the main page is served. It's a stored XSS: the payload is saved with the page, and the main page renders the stored title without escaping it when it builds the page list. The view template escaped it; the index template didn't. Brilliant!
The fix is to escape output every time user input is rendered, in every template, not just the one you happened to test. Every popular framework does this by default nowadays, IMO.
Flag 3: Script tags are great, but what other options do you have?
Besides `<script>` tags, what other options do we have for getting JavaScript to run? The injection is still stored XSS; what changes is the payload. How about an event handler on an ordinary HTML tag, and how should we approach it?
The first thing that comes to mind is to check whether the application accepts other HTML in the content at all. We tried `<script></script>` in the previous flag; this one asks for something else. Let's try an HTML tag with an event handler that fires on hover, for instance an `<img>` with an `onmouseover` attribute.
The first thing we find out is that the image actually renders in the post, which is kinda... just kinda weird. Normally you don't expect raw user-supplied HTML to go through and WORK OUT FINE! Let's hover over the image.
The alert pops up, and inspecting the rendered page we find the flag hidden inside our image tag. You cunning little application! The root cause is the same as before: content is not escaped when rendered, and stripping `<script>` is no fix because any `on*` event-handler attribute runs JavaScript just as well. Cha-ching!
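An added Python example covering both flags 2 and 3 (not Micro-CMS's code; the two template functions, the `<script>`-stripping "sanitizer" and the sample payloads are all constructed to mirror what the writeup observed). It renders one stored title through a view template that escapes and an index template that doesn't, and shows that a filter which only removes `<script>` tags waves an `<img onmouseover=...>` straight through, while `html.escape` neutralizes both.

```python
import html
import re

# Added example, not the Micro-CMS source. Templates and payloads are constructed.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
# An on*= attribute inside a real (unescaped) tag.
EVENT_HANDLER = re.compile(r"<[a-zA-Z][^>]*\son[a-zA-Z]+\s*=", re.IGNORECASE)

def strip_script_tags(text):
    """The kind of 'sanitizer' that only removes <script> tags (flag 3 bypass)."""
    return SCRIPT_TAG.sub("", text)

def render_page_view(title, body):
    # The page view escapes the title but only strips <script> from the body.
    return "<h1>%s</h1>\n<div>%s</div>" % (html.escape(title), strip_script_tags(body))

def render_index_vulnerable(titles):
    # The index forgets to escape: the stored title lands in the HTML verbatim (flag 2).
    return "<ul>" + "".join("<li>%s</li>" % t for t in titles) + "</ul>"

def render_index_safe(titles):
    # Same template with output escaping applied consistently.
    return "<ul>" + "".join("<li>%s</li>" % html.escape(t) for t in titles) + "</ul>"

def contains_executable_markup(rendered_html):
    """Rough check used only by this demo: is there still a live <script> tag
    or an on*= handler inside a tag? Escaped text (&lt;img ...&gt;) has no
    real '<', so it does not match."""
    return bool(SCRIPT_TAG.search(rendered_html) or EVENT_HANDLER.search(rendered_html))

SCRIPT_PAYLOAD = "<script>alert(1)</script>"             # flag 2 style
IMG_PAYLOAD = '<img src=x onmouseover="alert(1)">'       # flag 3 style

if __name__ == "__main__":
    view = render_page_view(SCRIPT_PAYLOAD, IMG_PAYLOAD)
    print("page view:\n" + view)
    print("view still executable?", contains_executable_markup(view))
    idx = render_index_vulnerable([SCRIPT_PAYLOAD])
    print("index (vuln):", idx, "executable?", contains_executable_markup(idx))
    idx_safe = render_index_safe([SCRIPT_PAYLOAD])
    print("index (safe):", idx_safe, "executable?", contains_executable_markup(idx_safe))
    print("script filter leaves img payload untouched?", strip_script_tags(IMG_PAYLOAD) == IMG_PAYLOAD)
```

Two lessons fall out: the same stored value must be escaped in every template that renders it (the index was the one the developer forgot), and tag-name blocklists are not output encoding. If a feature genuinely needs user HTML, use an allowlist-based HTML sanitizer rather than a regex that hunts for one tag name.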
Resources:
- Cross Site Scripting (XSS) Software Attack | OWASP Foundation
- What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy (portswigger.net)
Farewell, peace.