Objective | 目标
This challenge demonstrates how to interact with a CRUD API to perform Update, Delete, and Search operations to retrieve the flag.
本次挑战旨在演示如何与 CRUD API 交互,通过执行 更新、删除 和 搜索 操作来获取 Flag。
操控 CRUD API:一步步提取 Flag
Steps | 操作步骤
Step 1: Retrieve the Current List of Cities | 获取现有城市列表
-
Use the
GETmethod to retrieve all entries in the database: 使用GET方法检索数据库中的所有条目:curl -s http://94.237.54.42:48263/api.php/city/ | jq -
Output Example | 输出示例:
[{"city_name": "London","country_name": "(UK)"},{"city_name": "Birmingham","country_name": "(UK)"},...{"city_name": "Memphis","country_name": "(US)"},{"city_name": "Baltimore","country_name": "(US)"} ]Analysis | 分析:
From this list, we can select any city for the Update and Delete operations. Here, we chooseMemphisto update andBaltimoreto delete.
Step 2: Update a City’s Name to ‘flag’ | 更新城市名称为 ‘flag’
-
Use the
PUTmethod to update the cityMemphistoflag: 使用PUT方法将城市Memphis更新为flag:curl -X PUT http://94.237.54.42:48263/api.php/city/Memphis -d '{"city_name":"flag", "country_name":"HTB"}' -H 'Content-Type: application/json' -
Explanation | 说明:
-X PUT: Specifies the HTTP method asPUT.
指定 HTTP 方法为PUT。-d '{"city_name":"flag", "country_name":"HTB"}': Sends the updated city name and country in JSON format.
以 JSON 格式发送更新后的城市名称和国家。-H 'Content-Type: application/json': Sets the content type to JSON.
设置内容类型为 JSON。
Step 3: Delete Another City | 删除其他城市
-
Use the
DELETEmethod to delete the cityBaltimore:
使用DELETE方法删除城市Baltimore:curl -X DELETE http://94.237.54.42:48263/api.php/city/BaltimoreExplanation | 说明:
-X DELETE: Specifies the HTTP method asDELETE.
指定 HTTP 方法为DELETE。
Step 4: Search for the City Named ‘flag’ | 搜索名称为 ‘flag’ 的城市
-
Use the
GETmethod to search for the cityflag:
使用GET方法搜索城市flag:curl -s http://94.237.54.42:48263/api.php/city/flag | jq -
Output Example | 输出示例:
[{"city_name": "flag","country_name": "HTB{crud_4p!_m4n!pul4t0r}"} ]Result | 结果:
The flag is found in the
country_namefield:
Flag 位于country_name字段中:HTB{crud_4p!_m4n!pul4t0r}。
Summary | 总结
Key Steps Recap | 关键步骤回顾
-
Retrieve Cities: Listed all available cities using a
GETrequest.获取城市:使用
GET请求列出所有可用城市。 -
Update City Name: Updated
Memphistoflagusing aPUTrequest.更新城市名称:使用
PUT请求将Memphis更新为flag。 -
Delete Another City: Deleted
Baltimoreusing aDELETErequest.删除其他城市:使用
DELETE请求删除Baltimore。 -
Search for Flag: Retrieved the flag by searching for the city
flag.搜索 Flag:通过搜索城市
flag找到 Flag。
Flag | Flag
HTB{crud_4p!_m4n!pul4t0r}
Purpose of the Test | 测试目的
-
Understand CRUD Operations | 理解 CRUD 操作:
-
Practice creating, reading, updating, and deleting database entries through an API.
练习通过 API 创建、读取、更新和删除数据库条目。
-
-
Direct API Interaction | 直接与 API 交互:
-
Gain hands-on experience interacting with APIs to manipulate backend data.
通过直接操作 API 熟悉后端数据的操控。
-
-
Simulate Real-World Scenarios | 模拟真实场景:
-
Understand how unauthorized access to APIs can lead to unintended data modifications.
理解未授权访问 API 如何导致数据被篡改。
-
Best Practices | 最佳实践
-
Restrict API Access | 限制 API 访问:
-
Ensure proper authentication and role-based access control for all API operations.
确保所有 API 操作都进行适当的身份验证和基于角色的访问控制。
-
-
Validate Input | 验证输入:
-
Sanitize all user inputs to prevent malicious data injections.
清理所有用户输入以防止恶意数据注入。
-
-
Log API Activities | 记录 API 活动:
-
Maintain logs of all API requests and responses to detect misuse.
记录所有 API 请求和响应以检测滥用行为。
-
