1
redbull2015 committed Sep 14, 2019
1 parent b5bed36 commit 6bbfcfc
Showing 98 changed files with 2,866 additions and 0 deletions.
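--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/Dockerfile
@@ -0,0 +1,8 @@
+FROM zhhhy/lampp
+
+
+ADD ./day1/ /var/www/html
+RUN ls /var/www/html/
+RUN chmod 777 /var/www/html/run.sh
+CMD ["sh","/var/www/html/run.sh"]
+EXPOSE 80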
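Review bot: `ADD ./day1/ /var/www/html` puts the whole challenge directory under the document root, so `day1.sql` (which seeds the flag row) and `run.sh` are presumably served as static files unless the base image's Apache config blocks them. Seed and startup files belong outside the web root, for example `COPY day1/day1.sql day1/run.sh /opt/lab/` with only the `.php` files copied to `/var/www/html`, and `CMD` and the import path in run.sh adjusted to match. `FROM zhhhy/lampp` carries no tag or digest, so rebuilds are not reproducible, and `chmod 777` is unnecessary because `CMD` already runs the script through `sh`. The day10 and day11 Dockerfiles have the same three issues.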
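--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/config.php
@@ -0,0 +1,16 @@
+<?php
+$servername = "localhost";
+$username = "root";
+$password = "root";
+$dbname = "day1";
+
+function stop_hack($value){
+$pattern = "insert|delete|or|concat|concat_ws|group_concat|join|floor|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex|file_put_contents|fwrite|curl|system|eval";
+$back_list = explode("|",$pattern);
+foreach($back_list as $hack){
+if(preg_match("/$hack/i", $value))
+die("$hack detected!");
+}
+return $value;
+}
+?>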
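Review bot: `stop_hack()` is a keyword denylist, which is no substitute for bound parameters: it rejects ordinary input that merely contains `or`, `sub` or `*` as a substring, and it passes anything not on the list through unchanged. If the weak filter is the point of the exercise, a header comment such as `// Intentionally weak filter for the day1 lab; do not reuse.` would stop it being copied as a real defence. The application also connects as `root`/`root`; a dedicated account limited to the `day1` database would narrow what a query can reach.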
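--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/day1.sql
@@ -0,0 +1,16 @@
+create database day1;
+use day1;
+create table users (
+id int(6) unsigned auto_increment primary key,
+name varchar(20) not null,
+email varchar(30) not null,
+salary int(8) unsigned not null );
+
+INSERT INTO users VALUES(1,'Lucia','[email protected]',3000);
+INSERT INTO users VALUES(2,'Danny','[email protected]',4500);
+INSERT INTO users VALUES(3,'Alina','[email protected]',2700);
+INSERT INTO users VALUES(4,'Jameson','[email protected]',10000);
+INSERT INTO users VALUES(5,'Allie','[email protected]',6000);
+
+create table flag(flag varchar(30) not null);
+INSERT INTO flag VALUES('HRCTF{1n0rrY_i3_Vu1n3rab13}');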
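Review bot: `create database day1;` and both `create table` statements lack `if not exists`, while run.sh imports this file on every start under `set -e`. Restarting an existing container would therefore presumably fail at the import and Apache would never start. Use `create database if not exists day1;` and `create table if not exists ...`, and make the seed rows re-runnable, for example with `INSERT IGNORE`, since the explicit ids collide on a second import. day10/sql.sql has the same pattern.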
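--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/index.php
@@ -0,0 +1,37 @@
+<?php
+include 'config.php';
+$conn = new mysqli($servername, $username, $password, $dbname);
+if ($conn->connect_error) {
+die("连接失败: ");
+}
+
+$sql = "SELECT COUNT(*) FROM users";
+$whitelist = array();
+$result = $conn->query($sql);
+if($result->num_rows > 0){
+$row = $result->fetch_assoc();
+$whitelist = range(1, $row['COUNT(*)']);
+}
+
+$id = stop_hack($_GET['id']);
+$sql = "SELECT * FROM users WHERE id=$id";
+
+if (!in_array($id, $whitelist)) {
+die("id $id is not in whitelist.");
+}
+
+$result = $conn->query($sql);
+if($result->num_rows > 0){
+$row = $result->fetch_assoc();
+echo "<center><table border='1'>";
+foreach ($row as $key => $value) {
+echo "<tr><td><center>$key</center></td><br>";
+echo "<td><center>$value</center></td></tr><br>";
+}
+echo "</table></center>";
+}
+else{
+die($conn->error);
+}
+
+?>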
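Review bot: `$id` is interpolated as a raw string into `"SELECT * FROM users WHERE id=$id"`, and `in_array($id, $whitelist)` compares loosely, so the whitelist checks the value only after PHP's numeric coercion, not the string that is actually sent to MySQL. Casting first (`$id = (int)$_GET['id'];`), passing `true` as the third argument of `in_array`, and running the query as a prepared statement with `bind_param('i', $id)` make the checked value and the queried value the same. `die($conn->error)` and the unescaped `$value` cells return database errors and stored data to the client verbatim; log the error server-side and wrap output in `htmlspecialchars()`. If this is the lab's intended flaw, a header comment marking the file as deliberately vulnerable would help.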
@@ -0,0 +1,5 @@
use mysql;
select host, user from user;
create user root identified by 'root';
grant all on day.* to root@'%' identified by 'root' with grant option;
flush privileges;
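Review bot: `grant all on day.* to root@'%' identified by 'root' with grant option` creates a `root` account reachable from any host with a guessable password and grant rights. The schema name `day` also matches none of the databases visible in this commit (`day1`, `day10`, `day11`), so it looks like a typo. If remote access is not needed, drop the `'%'` account; otherwise create a lab-specific user scoped to `day1.*` without `with grant option`. This section's file path is missing from the page, so it cannot be confirmed from here whether run.sh ever loads the file.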
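--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day1/day1/run.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+#查看mysql服务的状态,方便调试,这条语句可以删除
+echo `service mysql status`
+chown -R mysql:mysql /var/lib/mysql
+
+echo '1.启动mysql....'
+#启动mysql
+service mysql start
+sleep 3
+echo `service mysql status`
+mysql -uroot -proot
+echo '2.开始导入数据....'
+#导入数据
+mysql < /var/www/html/day1.sql
+echo '3.导入数据完毕....'
+
+sleep 3
+echo `service mysql status`
+
+
+#sleep 3
+echo `service mysql status`
+echo 'mysql容器启动完毕,且数据导入成功'
+/usr/sbin/apache2ctl -D FOREGROUND
+
+echo `service apache2 satus`
+
+tail -f /dev/null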
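Review bot: `/usr/sbin/apache2ctl -D FOREGROUND` does not return while Apache is running, so the final `service apache2 satus` call (misspelled, should be `status`) and `tail -f /dev/null` are dead code and can be dropped. `mysql -uroot -proot` with no `-e` or input file starts a client session that does nothing useful in a non-interactive container and puts the password on the command line. If it is meant as a readiness check, a short retry loop around `mysqladmin ping` is more reliable than `sleep 3`. The day10 and day11 run.sh files are identical apart from the imported file name.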
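--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/Dockerfile
@@ -0,0 +1,9 @@
+FROM zhhhy/lampp
+
+ADD day10 /var/www/html
+
+
+RUN ls /var/www/html/
+RUN chmod 777 /var/www/html/run.sh
+CMD ["sh","/var/www/html/run.sh"]
+expose 80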
@@ -0,0 +1,6 @@
<?php
$servername = "localhost";
$username = "fire";
$password = "fire";
$dbname = "day10";
?>
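--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/index.php
@@ -0,0 +1,41 @@
+<?php
+include 'config.php';
+function stophack($string){
+if(is_array($string)){
+foreach($string as $key => $val) {
+$string[$key] = stophack($val);
+}
+}
+else{
+$raw = $string;
+$replace = array("\\","\"","'","/","*","%5C","%22","%27","%2A","~","insert","update","delete","into","load_file","outfile","sleep",);
+$string = str_ireplace($replace, "HongRi", $string);
+$string = strip_tags($string);
+if($raw!=$string){
+error_log("Hacking attempt.");
+header('Location: /error/');
+}
+return trim($string);
+}
+}
+$conn = new mysqli($servername, $username, $password, $dbname);
+if ($conn->connect_error) {
+die("连接失败: ");
+}
+if(isset($_GET['id']) && $_GET['id']){
+$id = stophack($_GET['id']);
+$sql = "SELECT * FROM students WHERE id=$id";
+$result = $conn->query($sql);
+if($result->num_rows > 0){
+$row = $result->fetch_assoc();
+echo '<center><h1>查询结果为:</h1><pre>'.<<<EOF
++----+---------+--------------------+-------+
+| id | name | email | score |
++----+---------+--------------------+-------+
+| {$row['id']} | {$row['name']} | {$row['email']} | {$row['score']} |
++----+---------+--------------------+-------+</center>
+EOF;
+}
+}
+else die("你所查询的对象id值不能为空!");
+?>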
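Review bot: `stophack()` has no `exit` after `header('Location: /error/')`, so a request flagged as a hacking attempt still gets the rewritten string back and the query below runs with it; add `exit;` directly after the header call. The array branch never returns, so an array-valued `id` yields `null` and `$result->num_rows` is then read on a failed query. Because `$id` is placed unquoted in `WHERE id=$id`, stripping quote characters does not constrain it. `(int)$_GET['id']` or a prepared statement with `bind_param('i', $id)` would.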
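--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/run.sh
@@ -0,0 +1,32 @@
+
+#!/bin/bash
+set -e
+
+#查看mysql服务的状态,方便调试,这条语句可以删除
+echo `service mysql status`
+chown -R mysql:mysql /var/lib/mysql
+
+echo '1.启动mysql....'
+#启动mysql
+service mysql start
+sleep 3
+echo `service mysql status`
+mysql -uroot -proot
+echo '2.开始导入数据....'
+#导入数据
+mysql < /var/www/html/sql.sql
+echo '3.导入数据完毕....'
+
+sleep 3
+echo `service mysql status`
+
+
+#sleep 3
+echo `service mysql status`
+echo 'mysql容器启动完毕,且数据导入成功'
+/usr/sbin/apache2ctl -D FOREGROUND
+
+echo `service apache2 satus`
+
+tail -f /dev/null
+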
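--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day10/day10/sql.sql
@@ -0,0 +1,16 @@
+create database day10;
+use day10;
+create table students (
+id int(6) unsigned auto_increment primary key,
+name varchar(20) not null,
+email varchar(30) not null,
+score int(8) unsigned not null );
+
+INSERT INTO students VALUES(1,'Lucia','[email protected]',100);
+INSERT INTO students VALUES(2,'Danny','[email protected]',59);
+INSERT INTO students VALUES(3,'Alina','[email protected]',66);
+INSERT INTO students VALUES(4,'Jameson','[email protected]',13);
+INSERT INTO students VALUES(5,'Allie','[email protected]',88);
+
+create table flag(flag varchar(30) not null);
+INSERT INTO flag VALUES('HRCTF{tim3_blind_Sql}');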
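--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day11/Dockerfile
@@ -0,0 +1,8 @@
+FROM zhhhy/lampp
+
+
+ADD ./day11/ /var/www/html
+RUN ls /var/www/html/
+RUN chmod 777 /var/www/html/run.sh
+CMD ["sh","/var/www/html/run.sh"]
+EXPOSE 80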
@@ -0,0 +1,7 @@
<?php
$db_host = 'localhost';
$db_name = 'day11';
$db_user = 'root';
$db_pass = 'root';
$DEBUG = 'xx';
?>
@@ -0,0 +1,5 @@
<?php
!defined('IN_FLAG') && exit('Access Denied');
echo "flag{un3eri@liz3_i3_s0_fun}";

?>
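--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day11/day11/index.php
@@ -0,0 +1,112 @@
+<?php
+include "config.php";
+
+class HITCON{
+public $method;
+public $args;
+public $conn;
+
+function __construct($method, $args) {
+$this->method = $method;
+$this->args = $args;
+$this->__conn();
+}
+
+function __conn() {
+global $db_host, $db_name, $db_user, $db_pass, $DEBUG;
+if (!$this->conn)
+$this->conn = mysql_connect($db_host, $db_user, $db_pass);
+mysql_select_db($db_name, $this->conn);
+if ($DEBUG) {
+$sql = "DROP TABLE IF EXISTS users";
+$this->__query($sql, $back=false);
+$sql = "CREATE TABLE IF NOT EXISTS users (username VARCHAR(64),
+password VARCHAR(64),role VARCHAR(256)) CHARACTER SET utf8";
+
+$this->__query($sql, $back=false);
+$sql = "INSERT INTO users VALUES ('orange', '$db_pass', 'admin'), ('phddaa', 'ddaa', 'user')";
+$this->__query($sql, $back=false);
+}
+mysql_query("SET names utf8");
+mysql_query("SET sql_mode = 'strict_all_tables'");
+}
+
+function __query($sql, $back=true) {
+$result = @mysql_query($sql);
+if ($back) {
+return @mysql_fetch_object($result);
+}
+}
+
+function login() {
+list($username, $password) = func_get_args();
+$sql = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'", $username, md5($password));
+$obj = $this->__query($sql);
+
+if ( $obj != false ) {
+define('IN_FLAG', TRUE);
+$this->loadData($obj->role);
+}
+else {
+$this->__die("sorry!");
+}
+}
+
+function loadData($data) {
+if (substr($data, 0, 2) !== 'O:' && !preg_match('/O:\d:/', $data)) {
+return unserialize($data);
+}
+return [];
+}
+
+function __die($msg) {
+$this->__close();
+header("Content-Type: application/json");
+die( json_encode( array("msg"=> $msg) ) );
+}
+
+function __close() {
+mysql_close($this->conn);
+}
+
+function source() {
+highlight_file(__FILE__);
+}
+
+function __destruct() {
+$this->__conn();
+if (in_array($this->method, array("login", "source"))) {
+@call_user_func_array(array($this, $this->method), $this->args);
+}
+else {
+$this->__die("What do you do?");
+}
+$this->__close();
+}
+
+function __wakeup() {
+foreach($this->args as $k => $v) {
+$this->args[$k] = strtolower(trim(mysql_escape_string($v)));
+}
+}
+}
+class SoFun{
+public $file='index.php';
+
+function __destruct(){
+if(!empty($this->file)) {
+include $this->file;
+}
+}
+function __wakeup(){
+$this-> file='index.php';
+}
+}
+if(isset($_GET["data"])) {
+@unserialize($_GET["data"]);
+}
+else {
+new HITCON("source", array());
+}
+
+?>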
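Review bot: `@unserialize($_GET["data"])` deserializes request data in a file whose classes have `__wakeup`/`__destruct` side effects, including `SoFun::__destruct()` doing `include $this->file`. Untrusted input should be decoded with `json_decode()` or, on PHP 7+, with `unserialize($data, ['allowed_classes' => false])`. `login()` builds its query with `sprintf` and literal quotes rather than bound parameters, and `loadData()` guards a second `unserialize` with a prefix/regex denylist, which is not a guarantee. The config section shown earlier on the page (path missing, apparently this lab's config.php) sets `$DEBUG = 'xx'`, which is truthy, so `__conn()` drops and recreates `users` on every construction and destruction. The `mysql_*` functions used throughout were removed in PHP 7, so the lab depends on the base image shipping PHP 5; if these are the intended flaws, a header comment saying so would keep the file from being reused as-is.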
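--- /dev/null
+++ b/PHP-Audit-Labs CTF-Docker环境/dockerfile_day11/day11/run.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+
+#查看mysql服务的状态,方便调试,这条语句可以删除
+echo `service mysql status`
+chown -R mysql:mysql /var/lib/mysql
+
+echo '1.启动mysql....'
+#启动mysql
+service mysql start
+sleep 3
+echo `service mysql status`
+mysql -uroot -proot
+echo '2.开始导入数据....'
+#导入数据
+mysql < /var/www/html/sql.sql
+echo '3.导入数据完毕....'
+
+sleep 3
+echo `service mysql status`
+
+
+#sleep 3
+echo `service mysql status`
+echo 'mysql容器启动完毕,且数据导入成功'
+/usr/sbin/apache2ctl -D FOREGROUND
+
+echo `service apache2 satus`
+
+tail -f /dev/null
+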