simplefiringrange

This allows many OWASP Top 10 style attacks, and more, without a rich, complex application. There are enough of those, IMHO. Now available as a Docker container: run it anywhere you have Docker!

Normally mattrayner's container creates a random MySQL admin password, but for now we'll change it to a hard-coded one, one of our favourites.

Let's get our website app:

cd ~
mkdir app
git clone https://github.com/bwolmarans/simplefiringrange.git app

OK, so now we've got the app installed locally. Let's use Docker to run a LAMP stack, with the cloned app bind-mounted into the container's /app web root, and a little ampersand to run it in the background:

docker run -p "80:80" -v ${PWD}/app:/app mattrayner/lamp:latest-1804 &

(that command outputs the following)

Updating for 7.4
=> An empty or uninitialized MySQL volume is detected in /var/lib/mysql
=> Installing MySQL ...
=> Done!
=> Waiting for confirmation of MySQL service startup
=> Creating MySQL admin user with random password
ERROR 1133 (42000) at line 1: Can't find any matching row in the user table
=> Done!
========================================================================
You can now connect to this MySQL Server with 94FUwhm2la0S

    mysql -uadmin -p94FUwhm2la0S -h<host> -P<port>

Please remember to change the above password as soon as possible!
MySQL user 'root' has no password but only allows local connections

enjoy!
========================================================================
/usr/lib/python2.7/dist-packages/supervisor/options.py:298: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
  'Supervisord is running as root and it is searching '
2020-06-26 15:22:50,215 CRIT Supervisor running as root (no user in config file)
2020-06-26 15:22:50,215 INFO Included extra file "/etc/supervisor/conf.d/supervisord-apache2.conf" during parsing
2020-06-26 15:22:50,215 INFO Included extra file "/etc/supervisor/conf.d/supervisord-mysqld.conf" during parsing
2020-06-26 15:22:50,224 INFO RPC interface 'supervisor' initialized
2020-06-26 15:22:50,224 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2020-06-26 15:22:50,224 INFO supervisord started with pid 1
2020-06-26 15:22:51,227 INFO spawned: 'mysqld' with pid 503
2020-06-26 15:22:51,228 INFO spawned: 'apache2' with pid 504
2020-06-26 15:22:52,570 INFO success: mysqld entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2020-06-26 15:22:52,571 INFO success: apache2 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

Now let's dump in some SQL. You can see it will change that admin password to hello123, because that's a good thing for app devs to do, right? Then it creates our db and our users table and populates it. Use the CONTAINER ID from your own docker ps output, not the one shown here:

root@ip-10-0-4-89:~# docker ps
CONTAINER ID        IMAGE                         COMMAND             CREATED             STATUS              PORTS                          NAMES
da4fc5b552bd        mattrayner/lamp:latest-1804   "/run.sh"           About an hour ago   Up About an hour    0.0.0.0:80->80/tcp, 3306/tcp   condescending_hoover
cat app/brett.mysql | docker exec -i da4fc5b552bd mysql

Now you can hit the site on port 80 and have at it!

IGNORE EVERYTHING BELOW THIS LINE

On Ubuntu 16 the mysqli extension closes off the classic stacked-query attacks against MySQL (mysqli_query() refuses to run more than one statement), though a query built by string concatenation is still injectable.
So in this firing range, for whatever reason, we're not using mysqli.

First become root on your Linux box. My examples below use Ubuntu 16.

apt install apache2 mysql-server php php-mysqli php-gd libapache2-mod-php git

During this fun process, MySQL should pop up a big purple screen asking for a root password. Do your thing: make that password hello123. Do it!

apt-get install phpmyadmin php-mbstring php-gettext

phpMyAdmin will likewise ask you to input a password, on a purple page.

systemctl restart apache2

TESTING
mysql --user=root --password=hello123 -e "SELECT 1+1"

+-----+
| 1+1 |
+-----+
|   2 |
+-----+
TROUBLESHOOTING

change mysql root password: mysqladmin --user=root password "hello123"

give phpmyadmin full rights:

mysql

FLUSH PRIVILEGES; GRANT ALL PRIVILEGES ON *.* TO phpmyadmin@localhost; quit;

give root all rights:

mysql

FLUSH PRIVILEGES; GRANT ALL PRIVILEGES ON *.* TO root@localhost; quit;

got gui?

Go to /phpmyadmin and log in as phpmyadmin with the password from the purple page.

click and make a database named brett

click and make a table named users (NOT manually: copy and paste the SQL below into the SQL box in phpMyAdmin) with this structure:

username: varchar 111

password: varchar 111

email: varchar 111

creditcard: varchar 111

animal: varchar 111

CREATE TABLE `brett`.`users` ( `username` VARCHAR(111) NOT NULL , `password` VARCHAR(111) NOT NULL , `email` VARCHAR(111) NOT NULL , `creditcard` VARCHAR(111) NOT NULL , `animal` VARCHAR(111) NOT NULL ) ENGINE = InnoDB;

then click Insert and put some users in. Don't forget to click Go!

you get stuff like this going on:

INSERT INTO `users` (`username`, `password`, `email`, `creditcard`, `animal`) VALUES ('miyuki', 'hello', '[email protected]', '3533497685860304', '');

INSERT INTO `users` (`username`, `password`, `email`, `creditcard`, `animal`) VALUES ('admin', 'password', '[email protected]', '4024007183948511', '');

INSERT INTO `users` (`username`, `password`, `email`, `creditcard`, `animal`) VALUES ('brett', 'Hello123!', '[email protected]', '349256618723322', '');

INSERT INTO users (username, password, email, creditcard, animal) VALUES ('[email protected]', 'hello123', '[email protected]', '349256618723322', '');

now on your ubuntu 16 box:

cd /var/www
git clone https://github.com/bwolmarans/simplefiringrange.git
mv html html_original
mv simplefiringrange html

Now you should be able to browse to the box and get stuff going.

Try this: enter ' or 1=1;## for the password (# starts a comment in MySQL, so whatever the app appends after your input, such as the closing quote, is ignored).

You want to get to this point:

sql: SELECT * FROM users WHERE username = 'brett' and password = '' or 1=1;-- '

Select returned 3 rows.

Animal:, Email: [email protected], CreditCard: 4024007183948511, Password: password

Animal:, Email: [email protected], CreditCard: 349256618723322, Password: Hello123!

Animal:, Email:[email protected], CreditCard: 3533497685860304, Password: hello

When you log in, you can add an animal. This is where you can add in some reflected and stored XSS.

Try naming your animal <script>alert('hacked!');</script>
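As an added example (not code from the simplefiringrange repo, whose PHP is not shown on this page), here are the two bugs the firing range exercises, modelled in Python against an in-memory SQLite database so it runs anywhere: the login query built by string concatenation next to its parameterised form, and the animal list rendered with and without output escaping. The table layout and usernames come from the README above; the e-mail addresses are constructed placeholders. SQLite, like MySQL, treats `-- ` as a comment, so the page's payload works unchanged (the `##` form is MySQL-only).

```python
"""Added example, not from the simplefiringrange repo: the login SQL injection
and the stored XSS modelled in Python against in-memory SQLite.

Assumptions (the app's PHP is not on the README page): the login query is
built by string concatenation, and the 'animal' column is echoed unescaped.
"""
import html
import sqlite3

# Same column layout as the README's CREATE TABLE; SQLite ignores the lengths.
SCHEMA = """
CREATE TABLE users (
    username   VARCHAR(111) NOT NULL,
    password   VARCHAR(111) NOT NULL,
    email      VARCHAR(111) NOT NULL,
    creditcard VARCHAR(111) NOT NULL,
    animal     VARCHAR(111) NOT NULL
);
"""

# Constructed sample rows mirroring the README's INSERTs. The e-mail addresses
# are placeholders (the README's are redacted); the card numbers are copied.
SAMPLE_USERS = [
    ("miyuki", "hello",     "miyuki@example.com", "3533497685860304", ""),
    ("admin",  "password",  "admin@example.com",  "4024007183948511", ""),
    ("brett",  "Hello123!", "brett@example.com",  "349256618723322",  ""),
]


def new_db():
    """Fresh in-memory database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_sql(username, password):
    """The injectable query: user input is pasted straight into SQL text."""
    return (f"SELECT * FROM users WHERE username = '{username}' "
            f"and password = '{password}'")


def login_vulnerable(conn, username, password):
    """Runs vulnerable_sql(); a password of  ' or 1=1;--  returns every row."""
    return conn.execute(vulnerable_sql(username, password)).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the same payload is compared as a plain string."""
    sql = "SELECT * FROM users WHERE username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def add_animal(conn, username, animal):
    """The 'add an animal' feature: the raw string is stored (fine by itself)."""
    conn.execute("UPDATE users SET animal = ? WHERE username = ?",
                 (animal, username))
    conn.commit()


def render_animals(conn, escape_output):
    """HTML list of everyone's animal.

    escape_output=False models the firing range: whatever was stored is sent
    to every visitor's browser as markup, which is the stored XSS.
    escape_output=True is the fix: entity-encode before placing in HTML text.
    """
    rows = conn.execute(
        "SELECT username, animal FROM users ORDER BY username").fetchall()
    items = []
    for user, animal in rows:
        if escape_output:
            user, animal = html.escape(user), html.escape(animal)
        items.append(f"<li>Animal: {animal}, User: {user}</li>")
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    conn = new_db()
    payload = "' or 1=1;-- "           # README's payload with the -- comment
    print("sql:", vulnerable_sql("brett", payload))
    rows = login_vulnerable(conn, "brett", payload)
    print(f"Select returned {len(rows)} rows.")         # 3: every user leaks
    print("safe:", login_safe(conn, "brett", payload))  # []: nothing leaks
    add_animal(conn, "brett", "<script>alert('hacked!');</script>")
    print(render_animals(conn, escape_output=False))    # script tag intact
    print(render_animals(conn, escape_output=True))     # &lt;script&gt;...
```

The printed `sql:` line is the same query the firing range shows in its debug output above; the parameterised version never lets the quote or the comment marker reach the SQL parser, and the escaped render turns the animal name back into inert text.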

Contributors

bwolmarans
