添加了一个基础环境
0xs1riu5 committed Sep 30, 2018
1 parent 7c89cd8 commit 3ebc5a2
Showing 40 changed files with 1,203 additions and 0 deletions.
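--- a/phpmvc/1.0/README.md
+++ b/phpmvc/1.0/README.md
@@ -0,0 +1,31 @@
+# php MVC环境
+
+
+
+## 0x01 Poc1
+._Upload_index.php
+
+![](README/E1824D20-553E-48E1-A2BD-9DE3EE778560.png)
+
+http://127.0.0.1/Upload/index.php abcde10db05bd4f6a24c94d7edde441d18545
+
+![](README/E742BF5A-8219-4E81-8421-9F1532B8419F.png)
+
+0x02 Poc2
+
+后台sql注入漏洞
+http://127.0.0.1//?p=admin&a=login
+拼接后的语句是
+SELECT email, password FROM Admins WHERE email = 'admin' and 1=1 -- @qq.com' LIMIT 0,1
+
+也可以直接用sqlmap注入
+![](README/90374552-4DDE-46A8-B6FE-60A5E5D0A7AA.png)
+
+
+![](README/7C7D1344-6039-4324-824D-981C92FA71E6.png)
+
+
+
+
+
+[CTF线下赛writeup&tinyblog代码审计](https://zhuanlan.zhihu.com/p/34552875)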
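--- a/phpmvc/1.0/docker-compose.yml
+++ b/phpmvc/1.0/docker-compose.yml
@@ -0,0 +1,7 @@
+version: '2'
+services:
+php5-phpmvc_1.0:
+build: ./phpmvc
+image: s1riu5/phpmvc:1.0
+ports:
+- 80:80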
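Review bot: The `ports` entry `- 80:80` publishes the container on every host interface, so this intentionally vulnerable application (the README in the same commit documents an upload and an SQL injection PoC) is reachable from the whole network wherever the lab is started. Bind it to loopback unless remote access is the intent, `- 127.0.0.1:80:80`, and say so in the README. The indentation of this file is not visible on the rendered page, so the nesting under `services:` is assumed to be correct.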
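--- a/phpmvc/1.0/phpmvc/Dockerfile
+++ b/phpmvc/1.0/phpmvc/Dockerfile
@@ -0,0 +1,7 @@
+FROM s1riu5/lnmp:5.6
+
+COPY www /www
+COPY db.sql /docker-entrypoint-initdb.d/
+
+RUN chmod -R 777 /www
+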
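Review bot: `RUN chmod -R 777 /www` makes the entire webroot, PHP sources included, writable by every user in the container, so any write primitive in the application can replace the application code itself rather than only drop files into the upload directory. If only the upload controller needs a writable location, limit the permission to that directory and hand it to the web server user, e.g. `RUN chown -R www-data:www-data /www/Upload && chmod 750 /www/Upload` (the web user of the `s1riu5/lnmp:5.6` base image is not visible here — confirm the name). Whether the base image actually runs scripts from `/docker-entrypoint-initdb.d/` is likewise not shown; a comment on the `COPY db.sql` line stating where the seed is consumed would help.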
47 changes: 47 additions & 0 deletions phpmvc/1.0/phpmvc/db.sql
@@ -0,0 +1,47 @@
--
--
-- Author Pierre-Henry Soria <[email protected]>
-- Copyright (c) 2015-2017, Pierre-Henry Soria. All Rights Reserved.
-- License Lesser General Public License <http://www.gnu.org/copyleft/lesser.html>
-- Link http://hizup.uk
--
--

--
-- Set some SQL Variables --
--

CREATE DATABASE IF NOT EXISTS `cp` default charset utf8 COLLATE utf8_general_ci;

use cp;

set sql_mode="ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION";

SET @sAdminEmail = '[email protected]';
SET @sAdminPassword = '$2y$14$kefF6aqkuOEWo7CIFduNf.7O8BuGR4uWrIAFcHWm2u99OcLPDFWOe';
SET @sPostTitle = 'My First Post';
SET @sPostBody = 'Hello! Here is my first blog post!!\r\n\r\n\r\nLorem ipsum dolor sit amet, consectetuer adipiscing elit. Aenean commodo ligula eget dolor. Aenean massa. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Donec quam felis, ultricies nec, pellentesque eu, pretium quis, sem. Nulla consequat massa quis enim.\r\n\r\nDonec pede justo, fringilla vel, aliquet nec, vulputate eget, arcu. In enim justo, rhoncus ut, imperdiet a, venenatis vitae, justo. Nullam dictum felis eu pede mollis pretium. Integer tincidunt. Cras dapibus. Vivamus elementum semper nisi. Aenean vulputate eleifend tellus.\r\n\r\nAenean leo ligula, porttitor eu, consequat vitae, eleifend ac, enim. Aliquam lorem ante, dapibus in, viverra quis, feugiat a, tellus. Phasellus viverra nulla ut metus varius laoreet. Quisque rutrum. Aenean imperdiet. Etiam ultricies nisi vel augue. Curabitur ullamcorper ultricies nisi. Nam eget dui.\r\n\r\nEtiam rhoncus. Maecenas tempus, tellus eget condimentum rhoncus, sem quam semper libero, sit amet adipiscing sem neque sed ipsum. Nam quam nunc, blandit vel, luctus pulvinar, hendrerit id, lorem. Maecenas nec odio et ante tincidunt tempus. Donec vitae sapien ut libero venenatis faucibus. Nullam quis ante.\r\n\r\nEtiam sit amet orci eget eros faucibus tincidunt. Duis leo. Sed fringilla mauris sit amet nibh. Donec sodales sagittis magna. Sed consequat, leo eget bibendum sodales, augue velit cursus nunc, quis gravida magna mi a libero. Fusce vulputate eleifend sapien. Vestibulum purus quam, scelerisque ut, mollis sed, nonummy id, metus.\r\n\r\nNullam accumsan lorem in dui. Cras ultricies mi eu turpis hendrerit fringilla. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; In ac dui quis mi consectetuer lacinia. Nam pretium turpis et arcu. Duis arcu tortor, suscipit eget, imperdiet nec, imperdiet iaculis, ipsum. Sed aliquam ultrices mauris. 
Integer ante arcu, accumsan a, consectetuer eget, posuere ut, mauris. Praesent adipiscing. Phasellus ullamcorper ipsum rutrum nunc. Nunc nonummy metus. Vestibulum volutpat pretium libero. Cras id dui.';
SET @sPostDate = NOW();


CREATE TABLE IF NOT EXISTS Posts (
id int(10) unsigned NOT NULL AUTO_INCREMENT,
title varchar(50) DEFAULT NULL,
body longtext NOT NULL,
createdDate datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
PRIMARY KEY (id)
) DEFAULT CHARSET=utf8;

INSERT INTO Posts (title, body, createdDate) VALUES
(@sPostTitle, @sPostBody, @sPostDate);


CREATE TABLE IF NOT EXISTS Admins (
id int(10) unsigned NOT NULL AUTO_INCREMENT,
email varchar(120) NOT NULL,
password char(60) NOT NULL,
PRIMARY KEY (id)
) DEFAULT CHARSET=utf8;

INSERT INTO Admins (email, password) VALUES
(@sAdminEmail, @sAdminPassword); -- The admin password is: pwd123
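Review bot: `Admins.email` carries no `UNIQUE` constraint, yet the login query quoted in the README of this commit (`SELECT email, password FROM Admins WHERE email = ... LIMIT 0,1`) assumes one row per address; add `UNIQUE KEY admins_email_uk (email)` to the `CREATE TABLE Admins` so a duplicate insert cannot make that lookup return an arbitrary row. The admin password is written in clear text in the trailing comment on the `INSERT INTO Admins` line, which is copied into the image; for a lab that is acceptable, but the README is the better place for it. The `sql_mode` string includes `NO_AUTO_CREATE_USER`, which MySQL 8.0 rejects — harmless on the 5.x base image, but worth a comment so a future base-image bump does not break the seed. `createdDate` defaults to `'0000-00-00 00:00:00'`, which only works because the mode list omits `NO_ZERO_DATE`.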
Binary file added phpmvc/1.0/phpmvc/www/.DS_Store
Binary file not shown.
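--- a/phpmvc/1.0/phpmvc/www/.htaccess
+++ b/phpmvc/1.0/phpmvc/www/.htaccess
@@ -0,0 +1,12 @@
+
+# BEGIN WordPress
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+</IfModule>
+
+# END WordPress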
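Review bot: `RewriteCond %{REQUEST_FILENAME} !-f` hands every existing file to Apache directly, so whatever the upload controller writes under `Upload/` is served as-is and, for a `.php` name, executed; the README's Poc1 (`Upload/index.php`) appears to depend on that. If the upload directory is ever reused outside the lab, add a `<FilesMatch "\.ph(p[0-9]?|tml)$">` block under `Upload/` that denies access, or keep the directory outside the webroot. The `# BEGIN WordPress` / `# END WordPress` markers are copied from a WordPress install and mislead readers about what this file belongs to; these rules also only take effect if the base image's vhost sets `AllowOverride`, which is not visible here.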
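--- a/phpmvc/1.0/phpmvc/www/Controller/Admin.php
+++ b/phpmvc/1.0/phpmvc/www/Controller/Admin.php
@@ -0,0 +1,54 @@
+<?php
+/**
+* @author Pierre-Henry Soria <[email protected]>
+* @copyright (c) 2015, Pierre-Henry Soria. All Rights Reserved.
+* @license Lesser General Public License <http://www.gnu.org/copyleft/lesser.html>
+* @link http://hizup.uk
+*/
+
+namespace TestProject\Controller;
+
+class Admin extends Blog
+{
+
+public function login()
+{
+if ($this->isLogged())
+header('Location: ' . ROOT_URL . '?p=blog&a=all');
+
+if (isset($_POST['email'], $_POST['password']))
+{
+$this->oUtil->getModel('Admin');
+$this->oModel = new \TestProject\Model\Admin;
+
+if ($this->oModel->login($_POST['email'], $_POST['password']))
+{
+$_SESSION['is_logged'] = 1; // Admin is logged now
+header('Location: ' . ROOT_URL . '?p=blog&a=all');
+exit;
+}
+else
+$this->oUtil->sErrMsg = 'Incorrect Login!';
+}
+
+$this->oUtil->getView('login');
+}
+
+public function logout()
+{
+if (!$this->isLogged()) exit;
+
+// If there is a session, destroy it to disconnect the admin
+if (!empty($_SESSION))
+{
+$_SESSION = array();
+session_unset();
+session_destroy();
+}
+
+// Redirect to the homepage
+header('Location: ' . ROOT_URL);
+exit;
+}
+
+}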
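Review bot: `login()` issues `header('Location: …')` for an already-logged-in admin at the top of the method but does not `exit` afterwards, unlike the success branch below it and `logout()`, so the method keeps running: it still reads `$_POST`, calls the model and renders the login view behind the redirect. Add `exit;` directly after that first `header()` call. The session id is also not rotated on successful authentication; put `session_regenerate_id(true);` before `$_SESSION['is_logged'] = 1;` so an id fixed before login is not promoted to an admin session. The raw `$_POST['email']` and `$_POST['password']` go straight into `Model\Admin::login()`, which is not part of this commit view; the README in the same commit says the query is built by string concatenation, so that model is where the parameterization needs to be checked.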
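--- a/phpmvc/1.0/phpmvc/www/Controller/Blog.php
+++ b/phpmvc/1.0/phpmvc/www/Controller/Blog.php
@@ -0,0 +1,173 @@
+<?php
+/**
+* @author Pierre-Henry Soria <[email protected]>
+* @copyright (c) 2015, Pierre-Henry Soria. All Rights Reserved.
+* @license Lesser General Public License <http://www.gnu.org/copyleft/lesser.html>
+* @link http://hizup.uk
+*/
+
+namespace TestProject\Controller;
+
+class Blog
+{
+
+protected $oUtil, $oModel;
+private $_iId;
+
+public function __construct()
+{
+// Enable PHP Session
+if (empty($_SESSION))
+@session_start();
+
+$this->oUtil = new \TestProject\Engine\Util;
+
+/** Get the Model class in all the controller class **/
+$this->oUtil->getModel('Blog');
+$this->oModel = new \TestProject\Model\Blog;
+
+/** Get the Post ID in the constructor in order to avoid the duplication of the same code **/
+$this->_iId = (int) (!empty($_GET['id']) ? $_GET['id'] : 0);
+}
+
+
+/***** Front end *****/
+// Homepage
+public function index()
+{
+$this->oUtil->oPosts = $this->oModel->get(0, 5); // Get only the latest 5 posts
+
+$this->oUtil->getView('index');
+
+}
+
+public function post()
+{
+$this->oUtil->oPost = $this->oModel->getById($this->_iId); // Get the data of the post
+
+$this->oUtil->getView('post');
+}
+
+public function notFound()
+{
+$this->oUtil->getView('not_found');
+}
+
+
+/***** For Admin (Back end) *****/
+public function all()
+{
+if (!$this->isLogged()) exit;
+
+$this->oUtil->oPosts = $this->oModel->getAll();
+
+$this->oUtil->getView('index');
+}
+
+
+public function add()
+{
+if (!$this->isLogged()) exit;
+
+if ($_SERVER['CONTENT_TYPE'] === 'text/xml') {
+$content = simplexml_load_string(file_get_contents("php://input"));
+print_r($content);
+}else{
+if (!empty($_POST['add_submit']))
+{
+if (isset($_POST['title'], $_POST['body']) && mb_strlen($_POST['title']) <= 50) // Allow a maximum of 50 characters
+{
+$aData = array('title' => $_POST['title'], 'body' => $_POST['body'], 'created_date' => date('Y-m-d H:i:s'));
+
+if ($this->oModel->add($aData))
+$this->oUtil->sSuccMsg = 'Hurray!! The post has been added.';
+else
+$this->oUtil->sErrMsg = 'Whoops! An error has occurred! Please try again later.';
+}
+else
+{
+$this->oUtil->sErrMsg = 'All fields are required and the title cannot exceed 50 characters.';
+}
+}
+}
+
+$this->oUtil->getView('add_post');
+}
+
+public function edit()
+{
+if (!$this->isLogged()) exit;
+
+if (!empty($_POST['edit_submit']))
+{
+if (isset($_POST['title'], $_POST['body']))
+{
+$aData = array('post_id' => $this->_iId, 'title' => $_POST['title'], 'body' => $_POST['body']);
+
+if ($this->oModel->update($aData))
+$this->oUtil->sSuccMsg = 'Hurray! The post has been updated.';
+else
+$this->oUtil->sErrMsg = 'Whoops! An error has occurred! Please try again later';
+}
+else
+{
+$this->oUtil->sErrMsg = 'All fields are required.';
+}
+}
+
+/* Get the data of the post */
+$this->oUtil->oPost = $this->oModel->getById($this->_iId);
+
+$this->oUtil->getView('edit_post');
+}
+
+public function delete()
+{
+if (!$this->isLogged()) exit;
+
+if (!empty($_POST['delete']) && $this->oModel->delete($this->_iId))
+header('Location: ' . ROOT_URL);
+else
+exit('Whoops! Post cannot be deleted.');
+}
+
+public function upload()
+{
+if (!empty($_FILES)) {
+
+if ($_FILES["file"]["error"] > 0 || $_FILES["file"]["size"] > 20000)
+{
+die("Error, maybe the file size is too large.");
+}
+else
+{
+$arr = explode(".", $_FILES["file"]["name"]);
+if ($arr[count($arr) - 1] !== 'png') {
+die("Wrong ! You must upload a png file.");
+}
+echo "Upload: " . $_FILES["file"]["name"] . "<br />";
+echo "Type: " . $_FILES["file"]["type"] . "<br />";
+echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
+echo "Stored in: " . $_FILES["file"]["tmp_name"];
+if (file_exists(ROOT_PATH . 'Upload/' . $_FILES["file"]["name"]))
+{
+echo $_FILES["file"]["name"] . " already exists. ";
+}
+else
+{
+move_uploaded_file($_FILES["file"]["tmp_name"], ROOT_PATH . 'Upload/' . $_FILES["file"]["name"]);
+echo "Stored in: " . ROOT_PATH . 'Upload/' . $_FILES["file"]["name"];
+#system("convert " . ROOT_PATH . 'Upload/' . $_FILES["file"]["name"] . " " . ROOT_PATH . 'Upload/' . $_FILES["file"]["name"] . ".convert");
+}
+}
+}else{
+$this->oUtil->getView('upload');
+}
+}
+
+protected function isLogged()
+{
+return !empty($_SESSION['is_logged']);
+}
+
+}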
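Review bot: `upload()` is the only action in the "For Admin (Back end)" group that does not begin with the `if (!$this->isLogged()) exit;` guard that `all()`, `add()`, `edit()` and `delete()` share, and it builds the destination path from the client-supplied `$_FILES["file"]["name"]` after checking only that the last dot-separated segment equals `png`, without `basename()` or any content check. Add the guard as the first statement and choose the stored name server-side, e.g. `$sName = bin2hex(openssl_random_pseudo_bytes(16)) . '.png';`, using `$sName` in both the `file_exists()` and the `move_uploaded_file()` call (the uploaded bytes should additionally be validated as an image, for instance with `getimagesize()` on the temp file). Separately, `add()` parses `php://input` with `simplexml_load_string()` whenever the request is `text/xml` and dumps the result with `print_r`; depending on the libxml version in the `lnmp:5.6` base image, external entities are resolved by default, so `libxml_disable_entity_loader(true)` should precede that call unless this branch is meant as a lab exercise, in which case a comment saying so would help. `$_SERVER['CONTENT_TYPE']` is also read without `isset()`, so a request with no body raises a notice before the comparison.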
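--- a/phpmvc/1.0/phpmvc/www/Engine/Config.php
+++ b/phpmvc/1.0/phpmvc/www/Engine/Config.php
@@ -0,0 +1,23 @@
+<?php
+/**
+* @author Pierre-Henry Soria <[email protected]>
+* @copyright (c) 2015, Pierre-Henry Soria. All Rights Reserved.
+* @license Lesser General Public License <http://www.gnu.org/copyleft/lesser.html>
+* @link http://hizup.uk
+*/
+
+namespace TestProject\Engine;
+final class Config
+{
+
+// Database info (if you want to test the script, please edit the below constants with yours)
+const
+DB_HOST = 'localhost',
+DB_NAME = 'cp',
+DB_USR = 'root',
+DB_PWD = 'shadow',
+
+// Title of the site
+SITE_NAME = 'My Simple Blog!';
+
+}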
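Review bot: The application connects as the MySQL superuser (`DB_USR = 'root'`, `DB_PWD = 'shadow'`), so any SQL injection reachable through the blog — the README in this commit documents one on the admin login — executes with every server privilege, including file access and DDL on all schemas, instead of being confined to the `cp` database. Create a dedicated account granted only `SELECT, INSERT, UPDATE, DELETE ON cp.*` and reference it here; if the root account is deliberate so the lab can show the full impact, say so in the comment above the constants. The password is also committed in source; the base image's environment handling is not visible here, but reading `DB_PWD` from `getenv()` would keep the secret out of the repository.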
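--- a/phpmvc/1.0/phpmvc/www/Engine/Db.php
+++ b/phpmvc/1.0/phpmvc/www/Engine/Db.php
@@ -0,0 +1,21 @@
+<?php
+/**
+* @author Pierre-Henry Soria <[email protected]>
+* @copyright (c) 2015, Pierre-Henry Soria. All Rights Reserved.
+* @license Lesser General Public License <http://www.gnu.org/copyleft/lesser.html>
+* @link http://hizup.uk
+*/
+
+namespace TestProject\Engine;
+
+class Db extends \PDO
+{
+
+public function __construct()
+{
+$aDriverOptions[\PDO::MYSQL_ATTR_INIT_COMMAND] = 'SET NAMES UTF8';
+parent::__construct('mysql:host=' . Config::DB_HOST . ';dbname=' . Config::DB_NAME . ';', Config::DB_USR, Config::DB_PWD, $aDriverOptions);
+$this->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
+}
+
+}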
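Review bot: The connection charset is set through `MYSQL_ATTR_INIT_COMMAND => 'SET NAMES UTF8'` instead of the DSN, and `PDO::ATTR_EMULATE_PREPARES` is left at its default, so any bound parameters are interpolated client-side using PDO's own quoting rather than prepared on the server. Put the charset in the DSN (`'mysql:host=' . Config::DB_HOST . ';dbname=' . Config::DB_NAME . ';charset=utf8'`) and add `$this->setAttribute(\PDO::ATTR_EMULATE_PREPARES, false);` next to the `ATTR_ERRMODE` line so prepares are server-side and the quoting charset always matches the connection. `$aDriverOptions` is auto-vivified by the index assignment; `$aDriverOptions = array(\PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES UTF8');` states the intent more plainly. With `ERRMODE_EXCEPTION`, an uncaught `PDOException` thrown here carries the constructor arguments — including `Config::DB_PWD` — in its trace when traces are displayed; the front controller that would catch it is not in this view, so that should be confirmed.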