Jason Sheh

Hacker101 Coursework (2)


0x03 Level 3: Breaker CMS
In this exercise, you see a basic CMS interface. Administration is fun!
Hint: Watch the JavaScript.

Looking at the source: six vulnerabilities, and "Unrelated Bonuses" shows up again; I don't know what it means.
In this level, there are 6 vulnerabilities, falling into the following classes:
Various XSS
Improper Authorization
Unrelated Bonuses
Have fun!

  • Improper Authorization

    <script>
    // We should only display the edit link to authenticated admins.
    // http://i.imgur.com/WPaknth.jpg
    // Note: this check runs in the browser and reads a cookie the visitor
    // controls, so it cannot enforce authorization; the server has to do that.
    var page = window.location.hash.substring(1);
    if(page == '')
        page = 'index';
    var cookies = document.cookie.split(';');
    for(var i in cookies) {
        var cookie = cookies[i].replace(/ /g, '').split('=');
        if(cookie[0] == 'admin' && cookie[1] == '1')
            // "page" comes straight from the URL fragment and is written out as raw HTML
            document.write('<a href="/levels/3/admin?page=' + page + '">Edit this page</a>');
    }
    </script>

    Change the value of the admin cookie to 1 and you are in the admin interface, or simply type the URL yourself.

  • XSS

    The code above also has an XSS vulnerability: craft the value after # in the URL and it triggers.
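    The two flaws in the script above (an admin check driven by a client-controlled cookie, and a page name taken from the URL fragment and written out as raw HTML) are fixed together in the following added example. It is not the Hacker101 level's own code: the page-name pattern, the cookie parser and the isAdmin parameter (which stands in for a flag the server decides from its session) are assumptions made for illustration.

```javascript
// Added example (not from the Hacker101 level): hardened replacement for the
// edit-link script. The page name is validated against an allowlist pattern and
// HTML-escaped, and the link is only built when the *server* says the user is an
// admin. The cookie parser is included only to show why "admin=1" in
// document.cookie cannot be a source of truth: the browser owner sets it freely.

const PAGE_NAME = /^[A-Za-z0-9_-]{1,32}$/;   // constructed allowlist; adjust per site

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the page name to use, or null if the fragment is not a plain page name.
function pageFromHash(hash) {
  const raw = (hash || '').replace(/^#/, '');
  if (raw === '') return 'index';
  return PAGE_NAME.test(raw) ? raw : null;
}

// Correct document.cookie parsing: split on ';', trim, split on the FIRST '=' only.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? '' : trimmed.slice(eq + 1);
    out[name] = value;
  }
  return out;
}

// isAdmin is a hypothetical flag the server renders into the page (or returns
// from an authenticated API call) after checking its own session store.
function buildEditLink(hash, isAdmin) {
  if (!isAdmin) return null;
  const page = pageFromHash(hash);
  if (page === null) return null;          // anything that is not a page name is dropped
  const href = '/levels/3/admin?page=' + encodeURIComponent(page);
  return '<a href="' + escapeHtml(href) + '">Edit this page</a>';
}

// Browser usage (guarded so the module also loads under Node):
if (typeof document !== 'undefined') {
  const link = buildEditLink(window.location.hash, window.__isAdminFromServer === true);
  if (link) document.getElementById('edit-slot').insertAdjacentHTML('beforeend', link);
}
```

    Even with the page name validated, the server behind /levels/3/admin must still check the session on every request; the client-side link is a convenience, never the access control.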

  • XSS-2

    In the article edit page of the admin backend.

0x04 Level 4: Breaker News
Here's a news aggregator for your perusal. Have any good links to share with us?
Hint: Just because you're authorized doesn't mean you should do it.

There are 13 vulnerabilities.
In this level, there are 13 vulnerabilities (some of them may present multiple times on a page!), falling into the following classes:
XSS
CSRF
Unchecked Redirects
Systemic Information Disclosures
Improper Identity Handling
Have fun!

  • XSS

  • CSRF: voting

  • CSRF: deleting

  • CSRF: commenting

    The comment feature returns a server-side error, but the flaw should exist there too; the principle is the same.

  • URL redirect

    https://levels-a.hacker101.com/levels/4/vote?change=1&type=Story&id=4862378378264576&from=https://www.google.com

  • XSS-2

    Strictly speaking, every parameter in the URL above has the same problem.
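    The from parameter in the URL above is an unchecked redirect target. The added example below (not the level's code) shows how a server should validate such a parameter before redirecting: parse it with the WHATWG URL class against the site's own origin and keep only same-origin targets, which rejects absolute foreign URLs, protocol-relative //host forms and non-http schemes alike. The site origin and fallback path are assumed values.

```javascript
// Added example (not from the Hacker101 level): safe handling of a "from" /
// return-to parameter. Whatever the input, the function returns a same-origin
// path, so the redirect can never leave the site.
const SITE_ORIGIN = 'https://levels-a.hacker101.com';   // constructed default
const DEFAULT_PATH = '/levels/4/';                      // constructed fallback

function safeRedirectTarget(from, origin = SITE_ORIGIN, fallback = DEFAULT_PATH) {
  if (typeof from !== 'string' || from.trim() === '') return fallback;
  let url;
  try {
    url = new URL(from, origin);   // relative paths resolve against our own origin
  } catch (_) {
    return fallback;               // unparsable input
  }
  // Origin comparison catches https://www.google.com, //evil.example, \\evil.example,
  // host-suffix tricks (levels-a.hacker101.com.evil.example) and javascript: (origin "null").
  if (url.origin !== origin) return fallback;
  // Hand back only path + query + fragment so the caller never emits a foreign host.
  return url.pathname + url.search + url.hash;
}

// Usage in a handler: res.redirect(safeRedirectTarget(req.query.from));
console.log(safeRedirectTarget('https://www.google.com'));          // /levels/4/
console.log(safeRedirectTarget('/levels/4/newest?page=2'));         // /levels/4/newest?page=2
```

    Where redirects to other hosts are a genuine requirement, the check should be an explicit allowlist of hostnames compared against url.hostname, never a substring or prefix match on the raw string.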

0x05 Level 5: Document Repository
In this exercise, you get to read some books!

Read a few more books.
In this level, there are 6 vulnerabilities, falling into the following classes:
Directory Traversal
Reflected XSS
Command Injection
Have fun!

  • Reflected XSS

  • Directory traversal

  • Command injection

    Use backticks `` so the content is executed as a command first.
    The file-content search here is presumably implemented with a shell command; in real-world scenarios this does not mean much.

    I also want to try whether a reverse shell can be obtained.