web-lnmp-php73项目整体更新

web-lnmp-php73/Dockerfile

@@ -0,0 +1,53 @@
+FROM php:7.3-fpm-alpine
+
+# 制作者信息
+LABEL auther_template="CTF-Archives"
+
+# 安装必要的软件包
+RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories && \
+    apk add --update --no-cache tar nginx mysql mysql-client bash
+
+# 配置mysql
+RUN docker-php-source extract && \
+    docker-php-ext-install pdo_mysql mysqli && \
+    docker-php-source delete && \
+    mysql_install_db --user=mysql --datadir=/var/lib/mysql && \
+    sh -c 'mysqld_safe &' && \
+    sleep 5s && \
+    mysqladmin -uroot password 'root'
+
+# 复制nginx+mysql配置文件
+COPY ./config/nginx.conf /etc/nginx/nginx.conf
+COPY ./config/docker-php-ext-mysqli.ini /usr/local/etc/php/conf.d
+COPY ./config/docker-php-ext-pdo_mysql.ini /usr/local/etc/php/conf.d
+
+# 复制web项目源码
+COPY src /var/www/html
+
+# 重新设置源码路径的用户所有权
+RUN chown -R www-data:www-data /var/www/html
+
+# 复制数据库配置文件
+COPY ./data/db.sql /var/db.sql
+
+# 拷贝容器入口点脚本
+COPY ./service/docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+
+# 配置数据库数据
+RUN sh -c 'mysqld_safe &' \
+	&& sleep 5s \
+    && mysqladmin -uroot password '123456' \ 
+    && mysql -e "source /var/db.sql;" -uroot -p123456
+
+# 设置shell的工作目录
+WORKDIR /var/www/html
+
+# [可选]指定对外暴露端口，对于GZCTF等平台，强制EXPOSE可能会造成非预期端口泄露，请酌情启用
+# EXPOSE 80
+
+# 设置nginx日志保存目录
+VOLUME ["/var/log/nginx"]
+
+# 设置容器入口点
+ENTRYPOINT [ "/docker-entrypoint.sh" ]

web-lnmp-php73/README.md

@@ -0,0 +1,40 @@
+# web-nginx-php73
+
+部分容器逻辑参考自：[CTFTraining / base_image_nginx_php_73](https://github.com/CTFTraining/base_image_nginx_php_73)，在此感谢 [陌竹 - mozhu1024](https://github.com/mozhu1024) 师傅和 [赵总 - glzjin](https://github.com/glzjin) 师傅做出的贡献
+
+## 环境说明
+
+提供 `Nginx` +`PHP 7.3.33`+`10.6.14-MariaDB` 的基础环境，默认暴露端口位于 80
+
+### Base Image LNMP
+
+- L: Linux alpine
+- N: Nginx
+- M: MySQL
+- P: PHP 7.3
+- PHP MySQL Ext
+  - mysql
+  - mysqli
+
+> 请注意 !!!
+>
+> 需要注意的是，模板默认会将 flag 保存在 数据库中，如果 需要改变flag在数据库中的存放位置，请在./service/docker-entrypoint.sh 中修改相关操作语句
+
+## 如何使用
+
+直接将 PHP 项目放入 `./src` 目录即可
+
+源码放置进 `./src` 目录之后，执行
+
+```shell
+docker build .
+```
+
+即可开始编译镜像
+
+也可以在安放好相关项目文件之后，直接使用 `./docker/docker-compose.yml` 内的 `docker-compose` 文件实现一键启动测试容器
+
+```shell
+cd ./docker
+docker-compose up -d
+```

web-lnmp-php73/config/docker-php-ext-mysqli.ini

@@ -0,0 +1,2 @@
+extension=mysqli.so
+mysqli.default_socket = /run/mysqld/mysqld.sock

web-lnmp-php73/config/docker-php-ext-pdo_mysql.ini

@@ -0,0 +1,2 @@
+extension=pdo_mysql.so
+pdo_mysql.default_socket = /run/mysqld/mysqld.sock

web-lnmp-php73/config/nginx.conf

@@ -0,0 +1,34 @@
+# daemon off;
+
+worker_processes  auto;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen       80;
+        server_name  localhost;
+        root         /var/www/html;
+        index index.php index.html index.htm;
+
+        location / {
+            try_files $uri  $uri/ /index.php?$args;
+        }
+
+        location ~ \.php$ {
+            try_files $uri =404;
+            fastcgi_pass   127.0.0.1:9000;
+            fastcgi_index  index.php;
+            include        fastcgi_params;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+        }
+
+    }
+}

web-nginx-mysql-php73/db.sql → web-lnmp-php73/data/db.sql

@@ -19,6 +19,9 @@
 
 CREATE DATABASE ctf;
 use ctf;
+
 create table users (id varchar(300),username varchar(300),password varchar(300));
-insert into users values('1','tanji','OHHHHHHH');
-insert into users values('2','fake_flag','F1rst_to_Th3_eggggggggg!} (4/4)');
+insert into users values('1','user1','OHHHHHHH');
+insert into users values('2','user2','F1rst_to_Th3_eggggggggg!}');
+insert into users values('3','user3','Nothing!');
+insert into users values('4','user4','What are you doing?');

web-lnmp-php73/docker/docker-compose.yaml

@@ -0,0 +1,9 @@
+version: "3"
+services:
+  web:
+    build: ../
+    # image: test
+    ports:
+      - "8080:80"
+    environment:
+      - FLAG=flag{3a4cc347-8475-46cd-9f3e-64b393749fd2}

web-lnmp-php73/service/docker-entrypoint.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+
+rm -f /docker-entrypoint.sh
+
+mysqld_safe &
+
+mysql_ready() {
+	mysqladmin ping --socket=/run/mysqld/mysqld.sock --user=root --password=root > /dev/null 2>&1
+}
+
+while !(mysql_ready)
+do
+	echo "waiting for mysql ..."
+	sleep 3
+done
+
+# Check the environment variables for the flag and assign to INSERT_FLAG
+if [ "$DASFLAG" ]; then
+    INSERT_FLAG="$DASFLAG"
+elif [ "$FLAG" ]; then
+    INSERT_FLAG="$FLAG"
+elif [ "$GZCTF_FLAG" ]; then
+    INSERT_FLAG="$GZCTF_FLAG"
+else
+    INSERT_FLAG="flag{TEST_Dynamic_FLAG}"
+fi
+
+echo "Run:insert into flag values('flag','$INSERT_FLAG');"
+
+# 将FLAG写入文件 请根据需要修改
+# echo $INSERT_FLAG | tee /home/$user/flag /flag
+
+# 将FLAG写入数据库
+
+if [[ -z $FLAG_COLUMN ]]; then
+	FLAG_COLUMN="flag"
+fi
+
+if [[ -z $FLAG_TABLE ]]; then
+	FLAG_TABLE="flag"
+fi
+
+mysql -u root -p123456 -e "
+USE ctf;
+create table $FLAG_TABLE (id varchar(300),data varchar(300));
+insert into $FLAG_TABLE values('$FLAG_COLUMN','$INSERT_FLAG');
+"
+
+php-fpm & nginx &
+
+echo "Running..."
+
+tail -F /var/log/nginx/access.log /var/log/nginx/error.log

web-lnmp-php73/src/assets/source

@@ -0,0 +1,3 @@
+<?php
+$sql = "SELECT username,password FROM users WHERE id = ".$_GET["id"];
+$result = $conn->query($sql);

web-nginx-mysql-php73/src/index.php → web-lnmp-php73/src/index.php

@@ -2,22 +2,27 @@
     error_reporting(0);
   include "connect.php";
 ?>
+
 <!DOCTYPE html>
 <html>
 
 <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
-    <title>狠狠的注入涅~</title>
-    <link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
-    <link rel="stylesheet"
-        href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic&amp;display=swap">
+    <title>SQL Injection Demo</title>
+    <link rel="stylesheet" href="assets/bootstrap.min.css">
+    <style>
+        header {
+            background-color: #818181;
+            height: 50vh;
+            display: flex;
+            align-items: center;
+        }
+    </style>
 </head>
 
 <body>
-    <header class="text-center text-white masthead"
-        style="background:url('https://www.dmoe.cc/random.php')no-repeat center center;background-size:cover;">
-        <div class="overlay"></div>
+    <header class="text-center text-white">
         <div class="container">
             <div class="row">
                 <div class="col-xl-9 mx-auto position-relative">
@@ -31,7 +36,7 @@
                                     placeholder="Enter your id to start">
                             </div>
                             <div class="col-12 col-md-3">
-                                <button class="btn btn-primary btn-lg" type="submit">姨妈大！</button>
+                                <button class="btn btn-primary btn-lg" type="submit">RUN!</button>
                             </div>
                         </div>
                     </form>
@@ -48,12 +53,12 @@
         <div class="row">
             <div class="col-md-6"> 
                 <h5>Key Source</h5>
-                <pre><?php highlight_file(source) ?></pre>
+                <pre><?php highlight_file("./assets/source") ?></pre>
             </div>
             <div class="col-md-6"> 
                 <?php
 
-                $sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
+                $sql = "SELECT username,password FROM users WHERE id = ".$_GET["id"];
                 echo "<h5>Executed Operations:</h5>"
                     .$sql
                     ."<br><br>";
@@ -69,16 +74,26 @@
     </div>
 </section>
 
+<section class="text-center bg-light features-icons">
+    <div class="container">
+        <h3>Created by CTF-Archives</h3>
+        <h4>
+        <pre>
 
+      ____ _____ _____       _             _     _                
+     / ___|_   _|  ___|     / \   _ __ ___| |__ (_)_   _____  ___ 
+    | |     | | | |_ _____ / _ \ | '__/ __| '_ \| \ \ / / _ \/ __|
+    | |___  | | |  _|_____/ ___ \| | | (__| | | | |\ V /  __/\__ \
+     \____| |_| |_|      /_/   \_\_|  \___|_| |_|_| \_/ \___||___/
 
-    <section class="showcase">
-        <div class="container-fluid p-0">
-            <div class="row g-0"></div>
-        </div>
-    </section>
-    <script src="assets/bootstrap/js/bootstrap.min.js"></script>
-</body>
 
-</html>
+        </pre><h4>
+        <h3> Webshell is in /shell.php ,Key is "cmd"</h3>
+    </div>
+
+</section>
 
 
+</body>
+
+</html>

web-lnmp-php73/src/shell.php

@@ -0,0 +1,14 @@
+<?php
+if(isset($_REQUEST['cmd'])){
+        echo "<pre>";
+        $cmd = ($_REQUEST['cmd']);
+        @eval($cmd);
+        echo "</pre>";
+        die;
+}
+else{
+    show_source(__FILE__);
+    phpinfo();
+}
+
+?>