Welcome to “Flagging Flaws: Hacker101 Micro-CMS v1,” where we go hunting for the vulnerabilities in this machine. Join me as we navigate the box Micro-CMS v1, identifying flaws and getting those flags :)
Micro-CMS v1 is a web application designed for content management. Its homepage (image 1) has three anchors leading to distinct articles and shows their titles. You can open the articles (image 2) and edit them (image 3). Users can create their own articles (image 4), filling in a title and body, and submit them for publication. However, we’ve found several flaws in the system that will feed us the juice.
N°0 Broken Access Control on /page/edit/5:
The URL structure of Micro-CMS v1 lets anyone reach the edit pages directly. Edit pages live at /page/edit/<id>, and nothing checks who is asking or whether the page was ever linked: by changing the numeric ID in the URL (the /page/edit/5 in the heading is one such ID), a user can open and modify existing articles without any authorization, which compromises the integrity of the content. The check a practitioner wants is simple: compare the IDs the homepage actually links against the IDs that /page/edit/ serves.
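As an added example (not code from the write-up or from Hacker101), here is that check in Python: read the page IDs the homepage links, then request /page/edit/<id> for a range of IDs and report the ones that answer 200 despite not being linked. The site is a constructed stand-in embedded in the script so it runs offline; the article titles, the ID 5, and the fake_fetch helper are assumptions, and against a live target you would replace fake_fetch with a real HTTP GET.

```python
import re
from typing import Callable, Dict, List

# Constructed stand-in for the target site (not the real Micro-CMS responses):
# the homepage links three articles, while /page/edit/<id> also answers for an
# ID the homepage never mentions.
FAKE_SITE: Dict[str, str] = {
    "/": (
        '<ul><li><a href="/page/1">Article one</a></li>'
        '<li><a href="/page/2">Article two</a></li>'
        '<li><a href="/page/3">Article three</a></li></ul>'
    ),
    "/page/edit/1": "<form>edit article one</form>",
    "/page/edit/2": "<form>edit article two</form>",
    "/page/edit/3": "<form>edit article three</form>",
    "/page/edit/5": "<form>edit a page nobody linked to</form>",
}


def fake_fetch(path: str) -> int:
    """Offline replacement for an HTTP GET; returns a status code the way
    requests.get(url).status_code would."""
    return 200 if path in FAKE_SITE else 404


def linked_page_ids(homepage_html: str) -> List[int]:
    """IDs the homepage advertises, read from its /page/<id> anchors."""
    return sorted({int(i) for i in re.findall(r'href="/page/(\d+)"', homepage_html)})


def find_unlinked_editable(fetch: Callable[[str], int],
                           homepage_html: str, max_id: int) -> List[int]:
    """Request /page/edit/<id> for 1..max_id and report the IDs that are
    editable (HTTP 200) although the homepage never links them. Any hit is a
    page you were not meant to reach, let alone edit."""
    linked = set(linked_page_ids(homepage_html))
    return [i for i in range(1, max_id + 1)
            if i not in linked and fetch(f"/page/edit/{i}") == 200]


if __name__ == "__main__":
    # Against a live target, pass something like
    #   lambda p: requests.get(BASE_URL + p).status_code
    # as fetch instead of fake_fetch, with BASE_URL set to your ##machine##.ctf.hacker101.com host.
    print("linked:", linked_page_ids(FAKE_SITE["/"]))
    print("editable but unlinked:", find_unlinked_editable(fake_fetch, FAKE_SITE["/"], 10))
```

Keep the ID range small and rate-limited on a real target; the point is the difference between the two lists, not hammering the server.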
N°1 XSS on Title — Rendered in a Less Protected Page:
Micro-CMS v1 suffers from a stored XSS vulnerability: a script injected into the article title is saved and rendered back. It becomes more serious because the same title is also displayed in a less protected area of the site, the homepage, where it is not escaped, so the script runs for every visitor of the homepage and can act as them or steal their data.
Simple XSS example: <script>alert('XSS Attack!');</script>
N°2 XSS when the script tag is disabled / onmouseover alert:
A second XSS vector is the article body: an <a> tag carrying an onmouseover event handler is stored and rendered as-is. Blocking <script> alone does not help, because the JavaScript lives in the attribute and fires as soon as a user hovers over the link. That is enough for phishing or session hijacking.
Simple XSS without a script tag: <a onmouseover="alert('x');">hover me</a> (the attribute has to be spelled onmouseover; a misspelled handler such as onmousehover is ignored by the browser and never fires).
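As an added example covering both N°1 and N°2 (my code, not the write-up's and not Micro-CMS's own source), here is a Python sketch of the three ways a title can reach the homepage: dropped in raw, run through a blacklist that only deletes <script> elements, and HTML-escaped. The homepage template and the detector are assumptions; the two payloads are the ones from this write-up. It shows why the onmouseover payload gets past a script-tag filter and why escaping for the output context neutralises both.

```python
import html
import re

# Constructed payloads: the two from this write-up.
SCRIPT_PAYLOAD = "<script>alert('XSS Attack!');</script>"
HANDLER_PAYLOAD = '<a onmouseover="alert(\'x\');">hover me</a>'

# Assumed shape of the homepage listing; the real template is not shown on the page.
HOMEPAGE_ITEM = '<li><a href="/page/{page_id}">{title}</a></li>'


def render_title_unsafe(page_id: int, title: str) -> str:
    """The bug: the stored title is dropped straight into the homepage markup."""
    return HOMEPAGE_ITEM.format(page_id=page_id, title=title)


def strip_script_tags(text: str) -> str:
    """A blacklist 'fix' that only deletes <script>...</script> elements."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", text)


def render_title_blacklisted(page_id: int, title: str) -> str:
    """Still vulnerable: the filter never looks at event-handler attributes."""
    return HOMEPAGE_ITEM.format(page_id=page_id, title=strip_script_tags(title))


def render_title_escaped(page_id: int, title: str) -> str:
    """The real fix: HTML-escape the title for the text context it lands in."""
    return HOMEPAGE_ITEM.format(page_id=page_id, title=html.escape(title, quote=True))


def has_active_content(rendered: str) -> bool:
    """Crude detector for this demo: does the output still contain a script
    element or an inline on* event handler that a browser would execute?"""
    return bool(re.search(r"(?is)<script\b", rendered)
                or re.search(r"(?i)<\w+[^>]*\son\w+\s*=", rendered))


if __name__ == "__main__":
    renderers = [("unsafe", render_title_unsafe),
                 ("script blacklist", render_title_blacklisted),
                 ("escaped", render_title_escaped)]
    for name, render in renderers:
        for payload in (SCRIPT_PAYLOAD, HANDLER_PAYLOAD):
            out = render(1, payload)
            print(f"{name:16} active={has_active_content(out)!s:5} {out}")
```

The detector is deliberately simple and only for the demo; in a real fix you rely on context-aware escaping (or a templating engine with autoescape on), never on a blacklist of tag names.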
N°3 SQL Injection Vulnerability — Edit Page Indexing:
The edit page looks articles up by the ID in the URL, and that ID appears to go into a SQL query without being parameterized. An attacker can append SQL to the URL parameter and, potentially, read or change data beyond the page they were meant to edit. The quickest check is a lone single quote: if the application answers with a server error instead of a page, the input is reaching the query unescaped.
Simple SQLi probe: ##machine##.ctf.hacker101.com/page/edit/2' or 1=1 (the unbalanced quote breaks the query, and that error is what gives the injection away).
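As an added example (mine, not the write-up's and not Micro-CMS's real backend), here is a Python/sqlite3 model of the edit lookup that shows what the probe above does and what the fix looks like. The pages table, its rows, and the assumption that the ID is compared numerically are constructed for the demo; a quoted comparison breaks on the stray quote just the same.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CMS's pages table (the real
    schema is not shown on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (1, "Article one", "first body"),
        (2, "Article two", "second body"),
        (5, "Hidden page", "not linked from the homepage"),
    ])
    conn.commit()
    return conn


def edit_page_unsafe(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    """The bug: the URL segment is pasted into the SQL text. Assumes a numeric
    comparison; a quoted one (... = '{raw_id}') fails on the same stray quote."""
    query = f"SELECT id, title FROM pages WHERE id = {raw_id}"
    return conn.execute(query).fetchall()


def edit_page_safe(conn: sqlite3.Connection, raw_id: str) -> List[Tuple[int, str]]:
    """The fix: validate the type, then bind the value as a parameter."""
    if not raw_id.isdigit():
        raise ValueError("page id must be a positive integer")
    return conn.execute("SELECT id, title FROM pages WHERE id = ?", (int(raw_id),)).fetchall()


def probe(conn: sqlite3.Connection, raw_id: str) -> str:
    """Summarise how the vulnerable handler reacts, the way you would read the
    HTTP response: a database error (what a 500 page hides) or a row count."""
    try:
        rows = edit_page_unsafe(conn, raw_id)
    except sqlite3.OperationalError:
        return "error"
    return f"rows:{len(rows)}"


if __name__ == "__main__":
    db = make_db()
    for raw in ("2", "2' or 1=1", "2 or 1=1"):
        print(f"/page/edit/{raw!r:14} -> {probe(db, raw)}")
    print("safe handler:", edit_page_safe(db, "2"))
```

Two things to take from the output: the write-up's 2' or 1=1 is a detection payload (it produces an error, not data), while a payload that keeps the query well-formed, 2 or 1=1 in this numeric model, returns every row; and the parameterized handler rejects both before SQL is ever built.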
That was it for today!!! Let’s continue our journey of Flagging Flaws by studying vulnerabilities and reports, and exercising our problem-solving skills. LET’S GOOO!
Follow me for more!!! Or if you love kitties!!! Or whatever!!! :)