Hacker101 Coursework (Part 2)

0x03 Level 3: Breaker CMS
In this exercise, you see a basic CMS interface. Administration is fun!
Hint: Watch the JavaScript.

Looking at the source: six vulnerabilities, and "Unrelated Bonuses" shows up again; I don't know what that means.
In this level, there are 6 vulnerabilities, falling into the following classes:
Various XSS
Improper Authorization
Unrelated Bonuses
Have fun!

  • Improper Authorization
  • The script from the page source that decides whether to show the edit link:
    	<script>
    	// We should only display the edit link to authenticated admins.
    	// http://i.imgur.com/WPaknth.jpg
    	var page = window.location.hash.substring(1);
    	if(page == '')
    		page = 'index';
    	var cookies = document.cookie.split(';');
    	for(var i in cookies) {
    		var cookie = cookies[i].replace(/ /g, '').split('=');
    		if(cookie[0] == 'admin' && cookie[1] == '1')
    			document.write('<a href="/levels/3/admin?page=' + page + '">Edit this page</a>');
    	}
    	</script>


  • XSS
  • The code above also has an XSS vulnerability: crafting the value after the # in the URL is enough to trigger it.

  • XSS-2
  • In the back-end article editing form.
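The two Level 3 findings above (the cookie-based admin check and the hash written straight into the link) reproduced as pure functions next to a hardened rewrite. This is an added example, not code from the Hacker101 level; the cookie strings, hash values and the `serverSaysAdmin` flag are constructed for illustration.

```javascript
// Added example (not from the Hacker101 level): the Level 3 logic as pure
// functions so the two bugs can be exercised, plus a hardened version.
// All cookie strings and hash values are constructed test inputs.

// 1. The level's authorization check. document.cookie is fully under the
//    browser user's control, so "admin=1" proves nothing about identity.
function isAdminPerVulnerableCheck(cookieString) {
  const cookies = cookieString.split(';');
  for (const i in cookies) {
    const cookie = cookies[i].replace(/ /g, '').split('=');
    if (cookie[0] == 'admin' && cookie[1] == '1') return true;
  }
  return false;
}

// 2. The level's link construction: the hash fragment lands in an href
//    attribute with no validation or escaping (DOM XSS via document.write).
function vulnerableEditLink(hash) {
  let page = hash.substring(1);
  if (page == '') page = 'index';
  return '<a href="/levels/3/admin?page=' + page + '">Edit this page</a>';
}

// 3. Hardened version. `serverSaysAdmin` is assumed to be a boolean the
//    server-rendered template set after checking the session on its side;
//    the page name must match a strict allow-list pattern and is URL-encoded
//    and attribute-escaped before being placed in markup.
const SAFE_PAGE = /^[A-Za-z0-9_-]{1,64}$/;

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function safeEditLink(hash, serverSaysAdmin) {
  if (serverSaysAdmin !== true) return '';       // never decide from a cookie
  let page = hash.substring(1);
  if (!SAFE_PAGE.test(page)) page = 'index';      // reject anything unexpected
  const href = '/levels/3/admin?page=' + encodeURIComponent(page);
  return '<a href="' + escapeAttr(href) + '">Edit this page</a>';
}
```

In a real fix the link would be built with DOM APIs (`createElement`/`setAttribute`) instead of string concatenation, and the admin decision would never leave the server.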

0x04 Level 4: Breaker News
Here's a news aggregator for your perusal. Have any good links to share with us?
Hint: Just because you're authorized doesn't mean you should do it.

In this level, there are 13 vulnerabilities (some of them may present multiple times on a page!), falling into the following classes:
Unchecked Redirects
Systemic Information Disclosures
Improper Identity Handling
Have fun!

  • XSS
  • CSRF on voting
  • CSRF on deletion
  • CSRF on commenting
  • The comment feature returned a server-side error, but it should be there too; the principle is the same.

  • Open redirect
  • https://levels-a.hacker101.com/levels/4/vote?change=1&type=Story&id=4862378378264576&from=https://www.google.com

  • XSS-2
  • Strictly speaking, every parameter in the URL above has the same problem.

0x05 Level 5: Document Repository
In this exercise, you get to read some books!

In this level, there are 6 vulnerabilities, falling into the following classes:
Directory Traversal
Reflected XSS
Command Injection
Have fun!

  • Reflected XSS
  • Directory traversal
  • Command injection
  • Use backticks (`) so that the enclosed content is executed as a command first.
