flag1
Register an arbitrary account and log in. Two articles already exist, with ids 1 and 3; manually changing the id to 2 in the request is enough to retrieve the flag:
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021502.jpg)
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021503.jpg)
flag2
Weak credentials: user:password
Obtained after a successful login:
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021501.jpg)
flag3
Enumerating the article id, one fairly large id turns out to have content:
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021504.jpg)
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021505.jpg)
flag4
Edit an article with the id field changed to empty:
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021506.jpg)
flag5
Deletion uses an encrypted id. Using the user account obtained above, fetch the id of an article belonging to user, then log in with the self-registered account and delete it (broken access control):
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021507.jpg)
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021508.jpg)
flag6
Inspecting the cookie value shows it is just the md5 of the numeric id; replace it with the md5 of 1 and access the page:
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021509.jpg)
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021510.jpg)
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021511.jpg)
flag7
When creating an article, change the userid to another user's id; the article is created on that user's behalf (broken access control) and the flag is obtained:
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019021512.jpg)
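Every flag above comes from the same two defects: object ids are trusted without an ownership check, and the session cookie is a forgeable md5 of the user id. The following is an added example (not code from the challenge) of a minimal article store that closes those holes; all names, the in-memory data and the assumption that articles are private to their owner are constructed for the example.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # server-side key, never sent to clients (constructed)

# Constructed in-memory store: article id -> owner user id and body. Articles are
# assumed private to their owner, as in the challenge.
ARTICLES = {1: {"owner": 1, "body": "admin post"}, 3: {"owner": 2, "body": "user post"}}

class Forbidden(Exception):
    pass

def issue_cookie(user_id: int) -> str:
    # Cookie carries the id plus an HMAC over it; unlike md5(id) (flag6), a client
    # cannot mint a cookie for another id without SECRET_KEY.
    tag = hmac.new(SECRET_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"

def user_from_cookie(cookie: str) -> int:
    # Verify the signature before trusting the id inside the cookie.
    uid_str, sep, tag = cookie.partition(".")
    expected = hmac.new(SECRET_KEY, uid_str.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag, expected):
        raise Forbidden("invalid session cookie")
    return int(uid_str)

def _owned(user_id: int, article_id) -> dict:
    # Central ownership check (flags 1, 3, 4, 5): the article id is only a lookup key.
    # Missing and foreign ids get the same error, so enumeration learns nothing.
    art = ARTICLES.get(article_id)
    if art is None or art["owner"] != user_id:
        raise Forbidden("no such article")
    return art

def read_article(cookie: str, article_id) -> str:
    return _owned(user_from_cookie(cookie), article_id)["body"]

def edit_article(cookie: str, article_id, body: str) -> None:
    _owned(user_from_cookie(cookie), article_id)["body"] = body

def delete_article(cookie: str, article_id) -> None:
    _owned(user_from_cookie(cookie), article_id)
    del ARTICLES[article_id]

def create_article(cookie: str, body: str, client_user_id=None) -> int:
    # Owner comes from the verified session (flag7); a client-supplied userid is ignored.
    owner = user_from_cookie(cookie)
    new_id = max(ARTICLES, default=0) + 1
    ARTICLES[new_id] = {"owner": owner, "body": body}
    return new_id
```

The same `_owned` check should sit behind every handler that takes an object id, including the "encrypted id" delete endpoint from flag5, since encoding an id is not an authorization decision.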