Micro-CMS v1
We have a simple website that allows us to edit and create posts using Markdown:
Let’s click on “Testing”:
Now, we can try to edit the current post. A text area is shown in order to write Markdown code:
Markdown is a markup language similar to HTML but simpler and easier to write. Furthermore, Markdown renderers usually pass raw HTML tags through as well. Hence, let’s try a Cross-Site Scripting (XSS) payload like:
<script>alert(123)</script>
It does not seem to work. In fact, if we view the source code of the updated page, our payload has been replaced:
So the payload has been blocked. Let’s try with this one:
<img src="x" onerror="alert(123)">
Now it seems to work, and the alert is shown:
If we inspect the source code again, we obtain a flag:
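The two attempts above show the classic gap in a blocklist filter: removing the script tag does nothing against an event handler attribute on an otherwise harmless tag. The following is an added example, not code from the challenge or from HackerOne, contrasting a filter that only strips script tags (my guess at the kind of check the app uses; the real implementation is not visible) with an allow-list sanitizer that keeps only known tags and attributes and drops every event handler. The allowed tag and attribute sets are assumptions chosen for a small CMS.

```python
# Added example (not the challenge's own code): a blocklist filter that removes only
# <script> tags, next to an allow-list sanitizer for user-supplied Markdown/HTML output.
import re
from html import escape
from html.parser import HTMLParser

# Assumed allow-list for a small CMS: tags and, per tag, the attributes permitted.
# Event handlers (onerror, onload, onclick, ...) are never listed, so they are dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "code", "pre", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
# Only relative paths and http(s) URLs are accepted for href/src (no javascript: URLs).
SAFE_URL = re.compile(r"^(https?:|/)", re.IGNORECASE)


def blocklist_filter(html: str) -> str:
    """Guessed behaviour of the challenge's filter: strip <script> tags and nothing else.
    It leaves <img ... onerror=...> untouched, which is why the second payload fires."""
    return re.sub(r"</?script[^>]*>", "", html, flags=re.IGNORECASE)


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowed tags/attributes; text is HTML-escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped entirely, its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers onerror/onclick/style and any other unlisted attribute
            if name in ("href", "src") and not SAFE_URL.match(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void elements such as <img/> emit no end tag

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for payload in ('<script>alert(123)</script>', '<img src="x" onerror="alert(123)">'):
        print("blocklist :", blocklist_filter(payload))
        print("allow-list:", sanitize(payload))
```

Run it on the two payloads from the write-up: the blocklist version neutralises the first and passes the second through unchanged, while the allow-list version yields plain text for the first and a bare `<img>` for the second, because neither `x` nor `onerror` survives the attribute check. For production use a maintained library (for Python, bleach or nh3) rather than a hand-written parser, but the allow-list principle is the same.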
Looking at the URL, we can notice that there is a number at the end (/page/1). Let’s try putting other numbers: for /page/2 we have the “Markdown test”, for /page/3 we get a 404 Not Found error. However, for /page/4 we get 403 Forbidden:
Trying more page numbers will only give 404 Not Found errors.
Let’s mess around with “Markdown test”:
There is nothing more to do on this post. However, we can see that the URL has changed: now it is /page/edit/2. Let’s try to view /page/edit/4, the one that gave the 403 Forbidden error:
And we have the second flag, exploiting an Insecure Direct Object Reference (IDOR) vulnerability.
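The root cause here is that the view route and the edit route make different authorization decisions for the same object: /page/4 is refused, /page/edit/4 is not. The following is an added example, not the challenge's code, showing the defensive pattern: every route that touches a page goes through one authorization function, so a page that is forbidden to view cannot be editable by the same caller. The page data, owners and the policy (private pages are visible only to their owner; editing always requires the owner) are assumptions for illustration, and the flag value is a placeholder.

```python
# Added example (not the challenge's own code): a single authorization chokepoint
# shared by the view and edit routes, so the two cannot disagree about /page/4.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Page:
    id: int
    title: str
    body: str
    owner: str
    private: bool = False


# Constructed sample data mirroring the page ids from the write-up (3 does not exist).
PAGES = {
    1: Page(1, "Testing", "hello", owner="admin"),
    2: Page(2, "Markdown test", "# md", owner="admin"),
    4: Page(4, "Private", "FLAG_PLACEHOLDER", owner="admin", private=True),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def authorize(page_id: int, user: Optional[str], action: str) -> Page:
    """Look the object up, then decide for THIS caller and THIS action.
    Assumed policy: private pages are viewable only by their owner; editing
    always requires the owner. Both routes call this, never their own checks."""
    page = PAGES.get(page_id)
    if page is None:
        raise NotFound(page_id)
    is_owner = user is not None and user == page.owner
    if action == "view" and page.private and not is_owner:
        raise Forbidden(page_id)
    if action == "edit" and not is_owner:
        raise Forbidden(page_id)
    return page


def view_page(page_id: int, user: Optional[str] = None) -> str:
    """Handler for /page/<id>."""
    return authorize(page_id, user, "view").body


def edit_page(page_id: int, new_body: str, user: Optional[str] = None) -> str:
    """Handler for /page/edit/<id>: same chokepoint, stricter action."""
    page = authorize(page_id, user, "edit")
    page.body = new_body
    return page.body


def status_for(handler, *args, **kwargs) -> int:
    """Map handler outcomes to the HTTP codes observed in the write-up."""
    try:
        handler(*args, **kwargs)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404


if __name__ == "__main__":
    for pid in (1, 2, 3, 4):
        print(f"/page/{pid} -> {status_for(view_page, pid)}   "
              f"/page/edit/{pid} -> {status_for(edit_page, pid, 'x')}")
```

With this structure an anonymous request to /page/edit/4 gets the same 403 as /page/4, and the owner can still edit it. The lookup-then-authorize order also matters: returning 404 for unknown ids but 403 for existing private ones leaks which ids exist, so a stricter deployment may choose to return 404 for both.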
Let’s continue creating a new post:
I decided to put New1 as title and Test1 as content. After that, I created another post using New2 and Test2. Now, the main page looks like this:
Let’s try the <img> XSS payload on the title of one of the posts. We do not see the HTML interpreted here:
But if we go to the main page we get another flag:
And finally, we can guess that the web application uses a database to store the posts. Therefore, to show them, the server performs a query on the database to obtain the actual posts. Hence, we can try some SQL injection payloads.
For instance, we can add a single quote to break the SQL syntax:
And we have the fourth and last flag.
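The single quote breaks the query because the title is concatenated into the SQL text, so the database parses user input as syntax. The following is an added example, not the challenge's code, reproducing that failure against an in-memory SQLite table and putting the fix beside it: a parameterized query, where the driver sends the title as a bound value and a quote is just a character. The schema and sample rows are constructed for the example.

```python
# Added example (not the challenge's own code): string-built query vs. bound parameters.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with posts resembling the write-up's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("Testing", "hello"), ("Markdown test", "# md"), ("New1", "Test1")],
    )
    conn.commit()
    return conn


def find_by_title_unsafe(conn: sqlite3.Connection, title: str) -> list:
    """Vulnerable pattern: the title becomes part of the SQL text, so a single
    quote in it changes the statement's structure instead of its data."""
    return conn.execute(f"SELECT id FROM pages WHERE title = '{title}'").fetchall()


def find_by_title_safe(conn: sqlite3.Connection, title: str) -> list:
    """Fixed pattern: '?' is a bound parameter; the value never touches the parser."""
    return conn.execute("SELECT id FROM pages WHERE title = ?", (title,)).fetchall()


def create_page(conn: sqlite3.Connection, title: str, body: str) -> int:
    """Inserts are parameterized the same way; returns the new row id."""
    cur = conn.execute("INSERT INTO pages (title, body) VALUES (?, ?)", (title, body))
    conn.commit()
    return cur.lastrowid


def error_for_unsafe(conn: sqlite3.Connection, title: str):
    """Name of the database error the unsafe query raises for this title, or None."""
    try:
        find_by_title_unsafe(conn, title)
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    title_with_quote = "O'Reilly"
    print("unsafe:", error_for_unsafe(db, title_with_quote))      # OperationalError
    print("safe  :", find_by_title_safe(db, title_with_quote))     # [] (no such post)
    new_id = create_page(db, title_with_quote, "quotes are fine")
    print("lookup:", find_by_title_safe(db, title_with_quote))     # [(new_id,)]
```

The same fix applies whichever driver the real CMS uses (psycopg, mysqlclient, an ORM): keep the query text constant and pass every user-controlled value as a parameter. In the safe version a title like `O'Reilly` can be stored and found normally, while the unsafe version cannot even handle it as legitimate data, which is a useful way to argue for the fix with developers who see the error only as a robustness bug.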