forked from hongriSec/PHP-Audit-Labs
Commit
1 parent
b5bed36
commit 6bbfcfc
Showing
98 changed files
with
2,866 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
FROM zhhhy/lampp | ||
|
||
|
||
ADD ./day1/ /var/www/html | ||
RUN ls /var/www/html/ | ||
RUN chmod 777 /var/www/html/run.sh | ||
CMD ["sh","/var/www/html/run.sh"] | ||
EXPOSE 80 |
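Review bot: `RUN chmod 777 /var/www/html/run.sh` leaves the startup script writable by every account in the container, including the web server's, although it is the image's `CMD` and, with no `USER` line, presumably runs as root; `RUN chmod 755 /var/www/html/run.sh` is enough to execute it. `FROM zhhhy/lampp` carries no tag or digest, so each build follows whatever that image currently is; pin it, e.g. `FROM zhhhy/lampp@sha256:<digest>`. The Dockerfiles for day10 and day11 later in this commit repeat both lines.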
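--- a/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/config.php
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/config.php
@@ -0,0 +1,16 @@
+<?php
+$servername = "localhost";
+$username = "root";
+$password = "root";
+$dbname = "day1";
+
+function stop_hack($value){
+$pattern = "insert|delete|or|concat|concat_ws|group_concat|join|floor|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex|file_put_contents|fwrite|curl|system|eval";
+$back_list = explode("|",$pattern);
+foreach($back_list as $hack){
+if(preg_match("/$hack/i", $value))
+die("$hack detected!");
+}
+return $value;
+}
+?>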
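Review bot: `$username = "root"; $password = "root";` has the web application connect as the MySQL superuser with a guessable password; a dedicated account limited to the tables the page reads, with credentials taken from the environment rather than a file in the web root, would contain a query-level mistake. `stop_hack()` is a keyword blocklist matched as unanchored, case-insensitive substrings (`or`, `sub`, `hex`, `into`), so it rejects ordinary values that merely contain those letters and still says nothing about what the caller does with the returned string; it should not stand in for bound parameters at the call site. A short docblock should state that it calls `die()` on the first match and otherwise returns `$value` unchanged.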
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
create database day1; | ||
use day1; | ||
create table users ( | ||
id int(6) unsigned auto_increment primary key, | ||
name varchar(20) not null, | ||
email varchar(30) not null, | ||
salary int(8) unsigned not null ); | ||
|
||
INSERT INTO users VALUES(1,'Lucia','[email protected]',3000); | ||
INSERT INTO users VALUES(2,'Danny','[email protected]',4500); | ||
INSERT INTO users VALUES(3,'Alina','[email protected]',2700); | ||
INSERT INTO users VALUES(4,'Jameson','[email protected]',10000); | ||
INSERT INTO users VALUES(5,'Allie','[email protected]',6000); | ||
|
||
create table flag(flag varchar(30) not null); | ||
INSERT INTO flag VALUES('HRCTF{1n0rrY_i3_Vu1n3rab13}'); |
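--- a/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/index.php
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/index.php
@@ -0,0 +1,37 @@
+<?php
+include 'config.php';
+$conn = new mysqli($servername, $username, $password, $dbname);
+if ($conn->connect_error) {
+die("连接失败: ");
+}
+
+$sql = "SELECT COUNT(*) FROM users";
+$whitelist = array();
+$result = $conn->query($sql);
+if($result->num_rows > 0){
+$row = $result->fetch_assoc();
+$whitelist = range(1, $row['COUNT(*)']);
+}
+
+$id = stop_hack($_GET['id']);
+$sql = "SELECT * FROM users WHERE id=$id";
+
+if (!in_array($id, $whitelist)) {
+die("id $id is not in whitelist.");
+}
+
+$result = $conn->query($sql);
+if($result->num_rows > 0){
+$row = $result->fetch_assoc();
+echo "<center><table border='1'>";
+foreach ($row as $key => $value) {
+echo "<tr><td><center>$key</center></td><br>";
+echo "<td><center>$value</center></td></tr><br>";
+}
+echo "</table></center>";
+}
+else{
+die($conn->error);
+}
+
+?>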
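Review bot: `$sql = "SELECT * FROM users WHERE id=$id"` places the request parameter directly in the statement, and `in_array($id, $whitelist)` compares loosely, so a value that is not a plain integer can pass the integer whitelist and still reach MySQL as written. Validate `id` as an integer, compare strictly, and bind it in a prepared statement as in the excerpt below (`get_result()` needs the mysqlnd driver). The excerpt also stops echoing the raw parameter in the rejection message. Separately, `$value` in the table output should go through `htmlspecialchars()`, and `die($conn->error)` should log the database error rather than print it.

```php
// … unchanged: connection and whitelist construction …
$id = filter_var($_GET['id'] ?? null, FILTER_VALIDATE_INT);
if ($id === false || !in_array($id, $whitelist, true)) {
    die("id is not in whitelist.");
}

$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
// … unchanged: result rendering …
```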
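--- a/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/privileges.sql
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/privileges.sql
@@ -0,0 +1,5 @@
+use mysql;
+select host, user from user;
+create user root identified by 'root';
+grant all on day.* to root@'%' identified by 'root' with grant option;
+flush privileges;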
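Review bot: `grant all on day.* to root@'%' identified by 'root' with grant option;` names a schema `day`, while the seed file in this commit creates `day1`, so the grant probably does not cover the lab database; confirm the intended name. The same line opens the root account to connections from any host with the password `root` and lets it pass its privileges on. For this container a dedicated account bound to localhost is enough, for example (constructed names) `grant select on day1.* to 'lab'@'localhost' identified by '<password>';`. The leading `select host, user from user;` is debugging output and can be dropped.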
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
#!/bin/bash | ||
set -e | ||
|
||
#查看mysql服务的状态,方便调试,这条语句可以删除 | ||
echo `service mysql status` | ||
chown -R mysql:mysql /var/lib/mysql | ||
|
||
echo '1.启动mysql....' | ||
#启动mysql | ||
service mysql start | ||
sleep 3 | ||
echo `service mysql status` | ||
mysql -uroot -proot | ||
echo '2.开始导入数据....' | ||
#导入数据 | ||
mysql < /var/www/html/day1.sql | ||
echo '3.导入数据完毕....' | ||
|
||
sleep 3 | ||
echo `service mysql status` | ||
|
||
|
||
#sleep 3 | ||
echo `service mysql status` | ||
echo 'mysql容器启动完毕,且数据导入成功' | ||
/usr/sbin/apache2ctl -D FOREGROUND | ||
|
||
echo `service apache2 satus` | ||
|
||
tail -f /dev/null |
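Review bot: `mysql < /var/www/html/day1.sql` imports the seed from the Apache document root and nothing removes it afterwards, so the file holding the flag row, and run.sh itself, are presumably served over HTTP; import from a path outside /var/www/html or delete the seed once it is loaded. `mysql -uroot -proot` on the line before starts a client with no statement or input file while the import passes no credentials, so the two look like they were meant to be one command, `mysql -uroot -proot < /path/outside/docroot/day1.sql` (placeholder path). Everything after `/usr/sbin/apache2ctl -D FOREGROUND` is unreachable while Apache runs, including the misspelled `service apache2 satus`. The run.sh files for day10 and day11 later in this commit repeat all of this with sql.sql.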
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
FROM zhhhy/lampp | ||
|
||
ADD day10 /var/www/html | ||
|
||
|
||
RUN ls /var/www/html/ | ||
RUN chmod 777 /var/www/html/run.sh | ||
CMD ["sh","/var/www/html/run.sh"] | ||
expose 80 |
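--- a/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/config.php
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/config.php
@@ -0,0 +1,6 @@
+<?php
+$servername = "localhost";
+$username = "fire";
+$password = "fire";
+$dbname = "day10";
+?>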
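--- a/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/index.php
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/index.php
@@ -0,0 +1,41 @@
+<?php
+include 'config.php';
+function stophack($string){
+if(is_array($string)){
+foreach($string as $key => $val) {
+$string[$key] = stophack($val);
+}
+}
+else{
+$raw = $string;
+$replace = array("\\","\"","'","/","*","%5C","%22","%27","%2A","~","insert","update","delete","into","load_file","outfile","sleep",);
+$string = str_ireplace($replace, "HongRi", $string);
+$string = strip_tags($string);
+if($raw!=$string){
+error_log("Hacking attempt.");
+header('Location: /error/');
+}
+return trim($string);
+}
+}
+$conn = new mysqli($servername, $username, $password, $dbname);
+if ($conn->connect_error) {
+die("连接失败: ");
+}
+if(isset($_GET['id']) && $_GET['id']){
+$id = stophack($_GET['id']);
+$sql = "SELECT * FROM students WHERE id=$id";
+$result = $conn->query($sql);
+if($result->num_rows > 0){
+$row = $result->fetch_assoc();
+echo '<center><h1>查询结果为:</h1><pre>'.<<<EOF
++----+---------+--------------------+-------+
+| id | name | email | score |
++----+---------+--------------------+-------+
+| {$row['id']} | {$row['name']} | {$row['email']} | {$row['score']} |
++----+---------+--------------------+-------+</center>
+EOF;
+}
+}
+else die("你所查询的对象id值不能为空!");
+?>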
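Review bot: In `stophack()`, `header('Location: /error/');` is not followed by `exit;`, so after logging "Hacking attempt." the function still returns the rewritten string and the caller goes on to run the query with it; add `exit;` on the next line. The `is_array` branch has no `return`, so an array-valued `id` comes back as `null` and `"SELECT * FROM students WHERE id=$id"` becomes a malformed statement whose failed `query()` result is then dereferenced; reject arrays outright or `return $string;` after the loop. Substituting "HongRi" for characters and keywords is not a replacement for binding the value: use `$conn->prepare("SELECT * FROM students WHERE id = ?")` with `bind_param("i", $id)`. The row fields printed inside the heredoc should pass through `htmlspecialchars()`.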
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
|
||
#!/bin/bash | ||
set -e | ||
|
||
#查看mysql服务的状态,方便调试,这条语句可以删除 | ||
echo `service mysql status` | ||
chown -R mysql:mysql /var/lib/mysql | ||
|
||
echo '1.启动mysql....' | ||
#启动mysql | ||
service mysql start | ||
sleep 3 | ||
echo `service mysql status` | ||
mysql -uroot -proot | ||
echo '2.开始导入数据....' | ||
#导入数据 | ||
mysql < /var/www/html/sql.sql | ||
echo '3.导入数据完毕....' | ||
|
||
sleep 3 | ||
echo `service mysql status` | ||
|
||
|
||
#sleep 3 | ||
echo `service mysql status` | ||
echo 'mysql容器启动完毕,且数据导入成功' | ||
/usr/sbin/apache2ctl -D FOREGROUND | ||
|
||
echo `service apache2 satus` | ||
|
||
tail -f /dev/null | ||
|
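--- a/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/sql.sql
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/sql.sql
@@ -0,0 +1,16 @@
+create database day10;
+use day10;
+create table students (
+id int(6) unsigned auto_increment primary key,
+name varchar(20) not null,
+email varchar(30) not null,
+score int(8) unsigned not null );
+
+INSERT INTO students VALUES(1,'Lucia','[email protected]',100);
+INSERT INTO students VALUES(2,'Danny','[email protected]',59);
+INSERT INTO students VALUES(3,'Alina','[email protected]',66);
+INSERT INTO students VALUES(4,'Jameson','[email protected]',13);
+INSERT INTO students VALUES(5,'Allie','[email protected]',88);
+
+create table flag(flag varchar(30) not null);
+INSERT INTO flag VALUES('HRCTF{tim3_blind_Sql}');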
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
FROM zhhhy/lampp | ||
|
||
|
||
ADD ./day11/ /var/www/html | ||
RUN ls /var/www/html/ | ||
RUN chmod 777 /var/www/html/run.sh | ||
CMD ["sh","/var/www/html/run.sh"] | ||
EXPOSE 80 |
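--- a/PHP-Audit-Labs CTF-Docker环境/dockerfile_day11/day11/config.php
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day11/day11/config.php
@@ -0,0 +1,7 @@
+<?php
+$db_host = 'localhost';
+$db_name = 'day11';
+$db_user = 'root';
+$db_pass = 'root';
+$DEBUG = 'xx';
+?>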
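Review bot: `$DEBUG = 'xx';` is a non-empty string, so every `if ($DEBUG)` test is true; in this commit's index.php that branch drops and recreates the `users` table on each `__conn()` call and seeds a row whose password is `$db_pass`, the MySQL root password, in clear text. Make the flag a boolean that defaults to off, `$DEBUG = false;`, and keep schema setup in the SQL seed rather than in the request path. As with day1, `$db_user = 'root'` should be a dedicated low-privilege account.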
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
<?php | ||
!defined('IN_FLAG') && exit('Access Denied'); | ||
echo "flag{un3eri@liz3_i3_s0_fun}"; | ||
|
||
?> |
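--- a/PHP-Audit-Labs CTF-Docker环境/dockerfile_day11/day11/index.php
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day11/day11/index.php
@@ -0,0 +1,112 @@
+<?php
+include "config.php";
+
+class HITCON{
+public $method;
+public $args;
+public $conn;
+
+function __construct($method, $args) {
+$this->method = $method;
+$this->args = $args;
+$this->__conn();
+}
+
+function __conn() {
+global $db_host, $db_name, $db_user, $db_pass, $DEBUG;
+if (!$this->conn)
+$this->conn = mysql_connect($db_host, $db_user, $db_pass);
+mysql_select_db($db_name, $this->conn);
+if ($DEBUG) {
+$sql = "DROP TABLE IF EXISTS users";
+$this->__query($sql, $back=false);
+$sql = "CREATE TABLE IF NOT EXISTS users (username VARCHAR(64),
+password VARCHAR(64),role VARCHAR(256)) CHARACTER SET utf8";
+
+$this->__query($sql, $back=false);
+$sql = "INSERT INTO users VALUES ('orange', '$db_pass', 'admin'), ('phddaa', 'ddaa', 'user')";
+$this->__query($sql, $back=false);
+}
+mysql_query("SET names utf8");
+mysql_query("SET sql_mode = 'strict_all_tables'");
+}
+
+function __query($sql, $back=true) {
+$result = @mysql_query($sql);
+if ($back) {
+return @mysql_fetch_object($result);
+}
+}
+
+function login() {
+list($username, $password) = func_get_args();
+$sql = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, md5($password));
+$obj = $this->__query($sql);
+
+if ( $obj != false ) {
+define('IN_FLAG', TRUE);
+$this->loadData($obj->role);
+}
+else {
+$this->__die("sorry!");
+}
+}
+
+function loadData($data) {
+if (substr($data, 0, 2) !== 'O:' && !preg_match('/O:\d:/', $data)) {
+return unserialize($data);
+}
+return [];
+}
+
+function __die($msg) {
+$this->__close();
+header("Content-Type: application/json");
+die( json_encode( array("msg"=> $msg) ) );
+}
+
+function __close() {
+mysql_close($this->conn);
+}
+
+function source() {
+highlight_file(__FILE__);
+}
+
+function __destruct() {
+$this->__conn();
+if (in_array($this->method, array("login", "source"))) {
+@call_user_func_array(array($this, $this->method), $this->args);
+}
+else {
+$this->__die("What do you do?");
+}
+$this->__close();
+}
+
+function __wakeup() {
+foreach($this->args as $k => $v) {
+$this->args[$k] = strtolower(trim(mysql_escape_string($v)));
+}
+}
+}
+class SoFun{
+public $file='index.php';
+
+function __destruct(){
+if(!empty($this->file)) {
+include $this->file;
+}
+}
+function __wakeup(){
+$this-> file='index.php';
+}
+}
+if(isset($_GET["data"])) {
+@unserialize($_GET["data"]);
+}
+else {
+new HITCON("source", array());
+}
+
+?>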
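Review bot: `@unserialize($_GET["data"]);` deserialises request input in a file whose classes define `__destruct()` and `__wakeup()` handlers (`HITCON::__destruct` dispatches on `$this->method`, `SoFun::__destruct` includes `$this->file`), so object state supplied by the client decides what runs when the object is destroyed. Accept a data-only format instead, e.g. `$req = json_decode($_GET["data"] ?? '', true);`, and construct `HITCON` from validated fields; where `unserialize()` has to stay, pass `['allowed_classes' => false]` (PHP 7 and later). The `__wakeup()` reset of `$file` and the `O:` prefix test in `loadData()` are pattern checks and should not be treated as the barrier. `login()` also builds its query with `sprintf` around values escaped by `mysql_escape_string`, and the `mysql_*` API no longer exists from PHP 7, so the move to mysqli or PDO prepared statements covers both. The `@` operators on `unserialize`, `mysql_query` and `call_user_func_array` suppress the errors an operator would need to notice misuse.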
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
#!/bin/bash | ||
set -e | ||
|
||
#查看mysql服务的状态,方便调试,这条语句可以删除 | ||
echo `service mysql status` | ||
chown -R mysql:mysql /var/lib/mysql | ||
|
||
echo '1.启动mysql....' | ||
#启动mysql | ||
service mysql start | ||
sleep 3 | ||
echo `service mysql status` | ||
mysql -uroot -proot | ||
echo '2.开始导入数据....' | ||
#导入数据 | ||
mysql < /var/www/html/sql.sql | ||
echo '3.导入数据完毕....' | ||
|
||
sleep 3 | ||
echo `service mysql status` | ||
|
||
|
||
#sleep 3 | ||
echo `service mysql status` | ||
echo 'mysql容器启动完毕,且数据导入成功' | ||
/usr/sbin/apache2ctl -D FOREGROUND | ||
|
||
echo `service apache2 satus` | ||
|
||
tail -f /dev/null | ||
|