Release

linuxsec · Mar 2, 2024 · 62619bb · 62619bb
commit 62619bb
Show file tree

Hide file tree

Showing 15 changed files with 413 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,48 @@
+# Use Alpine Linux as base image
+FROM alpine:3.12.11
+
+# Set environment variables
+ENV APACHE_RUN_USER=apache \
+    APACHE_RUN_GROUP=apache \
+    APACHE_LOG_DIR=/var/log/apache2 \
+    APACHE_PID_FILE=/var/run/apache2/apache2.pid \
+    APACHE_RUN_DIR=/var/run/apache2 \
+    APACHE_LOCK_DIR=/var/lock/apache2 \
+    APACHE_DOCUMENT_ROOT=/var/www/html
+
+# Update package repositories and install Apache and PHP
+RUN apk update && \
+    apk add --no-cache apache2 php7-apache2 php7-mysqli php7-session bash nano mysql mysql-client
+
+# Configure Apache
+RUN mkdir -p /run/apache2 && \
+    sed -i 's#^DocumentRoot ".*#DocumentRoot "/var/www/html"#g' /etc/apache2/httpd.conf && \
+    sed -i 's#AllowOverride None#AllowOverride All#g' /etc/apache2/httpd.conf && \
+    sed -i 's#^<Directory "/var/www/localhost/htdocs">#<Directory "/var/www/html">#g' /etc/apache2/httpd.conf
+
+# Deploy SQLi Labs
+COPY /src /var/www/html
+RUN rm -f /var/www/html/index.html
+RUN mkdir -p /var/www/html/uploads && \
+    chmod 777 /var/www/html/uploads
+RUN chown -R apache: /var/www/html
+
+# Configure MySQL and initialize database
+RUN mkdir -p /etc/mysql/
+COPY my.cnf /etc/mysql/my.cnf
+COPY db.sql /etc/mysql/init.sql
+
+RUN mkdir -p /var/lib/mysql /run/mysqld /var/log/mysql /var/run/mysqld && \
+    chmod 755 /var/run/mysqld && \
+    chown -R mysql:mysql /var/lib/mysql /run/mysqld /var/log/mysql /var/run/mysqld && \
+    mysql_install_db --user=mysql --datadir=/var/lib/mysql
+
+# Copy entrypoint script
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# Expose port 80
+EXPOSE 80
+
+# Start Service
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/README.md b/README.md
@@ -0,0 +1,32 @@
+# SQL Injection Labs
+This repository contains a web application vulnerable to SQL Injection attacks. Created for tutorial purposes on LinuxSec. However, you are welcome to use it for learning "Basic SQL Injection".
+
+## Install
+You can setup your own web server and database, and then copy the content from `src` folder. But the simple way to setup the lab is using docker.
+
+```bash
+git clone https://github.com/yuyudhn/SQLi-Labs-Docker
+cd SQLi-Labs-Docker
+docker-compose up --build -d
+```
+## Screenshot
+
+- Union Based SQL Injection at Index
+
+![Union Based](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeaPSKhyphenhyphenOehLbmXzoPjMgJ7ff0n3_FK3z9B37SmJM91Uja6zY58moVs31UvwGeHtNyYwsJZbliZ6w6sGJeQsNg0yZwNJxPrBYqfLfHPHsJ4SDUKFvsAZCWek2_uKP2v4NIM6LaidiEfb0kRDZwVI4AN4dFWWg5ATa6m9sZXMvgwBgoMt51aMU41_cxMMRd/s1170/sql%20injection%20showcase.png)
+
+- Error Based SQL Injection at Login Page
+
+![Error Based](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIWo3088W5jTfchejllBUsp6uPbe7KCMRe9_Kd7PmxZ1PyIXNZaZm5-ojrF4FvYArzQrqElQrHRf4e__S61_yN_81rkI3Qe_LX1UteHrACXPrfOdKpm269-tK5u-xQwf3YIdPl46pYiniDocZ-zAqqZlR0-GApeUVMuawy54Q9uMW6ul4JyC7URZxJWCPN/s964/error%20based.png)
+
+- Shell Upload via SQL Injection
+
+![Error Based](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTyFPvV9JtnN2bbT0OSlfGTnSd7doivXSZXqcTqB7mM_eTgwHpY_aDW-VVtkKCEhuD-qwwcyMtjeWhWig976kv2jsvLp9_Zdyyw3jk0rd1_aw4PXyhH5dhGu9HlWnbS3QQ8ErnccgIY-2sh6Q_1vWGnjPNFC0u3FpifT4_neNyNvjYsd5Rkoiyp8eKn2vf/s1053/rce.png)
+
+- etc.
+
+## Tutorial
+- [Tutorial Basic SQL Injection Manual Lengkap](https://www.linuxsec.org/2014/03/tutorial-basic-sql-injection.html)
+
+## Disclaimer
+This application is intentionally vulnerable for educational purposes. Deploying this application on a production server is strictly prohibited.
diff --git a/db.sql b/db.sql
@@ -0,0 +1,45 @@
+-- Create the database
+CREATE DATABASE IF NOT EXISTS evangelion_sqli;
+
+-- Switch to the created database
+USE evangelion_sqli;
+
+-- Drop existing tables if they exist
+DROP TABLE IF EXISTS `Users`;
+DROP TABLE IF EXISTS `Info`;
+
+-- Create Users table
+CREATE TABLE IF NOT EXISTS `Users` (
+  `id` int(11) NOT NULL,
+  `Name` varchar(100) DEFAULT NULL,
+  `Age` int(11) DEFAULT NULL,
+  `Rank` varchar(50) DEFAULT NULL,
+  `Email` varchar(100) DEFAULT NULL,
+  `Password` varchar(100) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- Insert data into Users table
+INSERT INTO `Users` (`id`, `Name`, `Age`, `Rank`, `Email`, `Password`) VALUES
+(1, 'Rei Ayanami', 14, 'First Child', '[email protected]', 'Rei@Pssword'),
+(2, 'Asuka Soryu', 14, 'Second Child', '[email protected]', 'SuperSecureP@ssword'),
+(3, 'Ikari Shinji', 14, 'Third Child', '[email protected]', 'ShinjiTheEdgyL0rd');
+
+-- Create Info table
+CREATE TABLE IF NOT EXISTS `Info` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `InfoText` varchar(255) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- Insert data into Info table
+INSERT INTO `Info` (`InfoText`) VALUES ('SQL Injection Practice by LinuxSec');
+
+-- Create user 'eva' with password 'eva12345'
+CREATE USER IF NOT EXISTS 'eva'@'localhost' IDENTIFIED BY 'eva12345';
+
+-- Grant privileges to the user on the database
+GRANT ALL ON *.* TO 'eva'@'localhost';
+
+-- Flush privileges
+FLUSH PRIVILEGES;
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,13 @@
+version: '3'
+
+services:
+  web:
+    build: .
+    ports:
+      - '1337:80'
+    volumes:
+      - ./logs:/var/log/apache2
+      - mysql-data:/var/lib/mysql
+    stdin_open: true
+volumes:
+  mysql-data:
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Start MySQL service
+/usr/bin/mysqld --user=mysql --datadir=/var/lib/mysql --init-file=/etc/mysql/init.sql --pid-file=/run/mysqld/mysqld.pid --socket=/run/mysqld/mysqld.sock &
+
+# Start Apache service
+httpd -D FOREGROUND
diff --git a/my.cnf b/my.cnf
@@ -0,0 +1,31 @@
+[mysqld]
+socket=/var/run/mysqld/mysqld.sock
+user = mysql
+datadir = /var/lib/mysql
+pid-file = /var/run/mysqld/mysqld.pid
+socket = /var/run/mysqld/mysqld.sock
+port = 3306
+log-error = /var/log/mysql/error.log
+
+# /etc/my.cnf:
+innodb_buffer_pool_size=5M
+innodb_log_buffer_size=256K
+query_cache_size=0
+max_connections=10
+key_buffer_size=8
+thread_cache_size=0
+host_cache_size=0
+innodb_ft_cache_size=1600000
+innodb_ft_total_cache_size=32000000
+
+# per thread or per operation settings
+thread_stack=131072
+sort_buffer_size=32K
+read_buffer_size=8200
+read_rnd_buffer_size=8200
+max_heap_table_size=16K
+tmp_table_size=1K
+bulk_insert_buffer_size=0
+join_buffer_size=128
+net_buffer_length=1K
+innodb_sort_buffer_size=64K
diff --git a/src/.gitkeep b/src/.gitkeep
diff --git a/src/dashboard/auth.php b/src/dashboard/auth.php
@@ -0,0 +1,57 @@
+<?php
+require_once "../db.php";
+
+// Enable error reporting
+error_reporting(E_ALL);
+ini_set('display_errors', 1);
+
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+    $email = $_POST['email'];
+    $password = $_POST['password'];
+    $sql = "SELECT * FROM Users WHERE Email='$email' AND Password='$password'";
+    $result = $conn->query($sql);
+
+    if ($result && $result->num_rows > 0) {
+        session_start();
+        $_SESSION['authenticated'] = true;
+        $_SESSION['email'] = $email;
+        header("Location: index.php");
+        exit();
+    } else {
+        $error = $conn->error ? $conn->error : "Invalid Credentials";
+    }
+}
+
+?>
+
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Login</title>
+    <link rel="stylesheet" href="/static/dashboard.css">
+</head>
+<body>
+    <div class="login-container">
+        <h2>Login</h2>
+        <?php if (!empty($error)) : ?>
+            <div class="error-message"><?php echo $error; ?></div>
+        <?php endif; ?>
+        <form method="post">
+            <div class="form-group">
+                <label for="email">Email:</label>
+                <input type="email" id="email" name="email" required>
+            </div>
+            <div class="form-group">
+                <label for="password">Password:</label>
+                <input type="password" id="password" name="password" required>
+            </div>
+            <div class="form-group">
+                <input type="submit" value="Login">
+            </div>
+        </form>
+    </div>
+</body>
+</html>
diff --git a/src/dashboard/index.php b/src/dashboard/index.php
@@ -0,0 +1,35 @@
+<?php
+require_once "../db.php"; 
+session_start();
+if (!isset($_SESSION['authenticated']) || $_SESSION['authenticated'] !== true) {
+    header("Location: auth.php");
+    exit();
+}
+$email = $_SESSION['email'];
+$sql = "SELECT Name FROM Users WHERE Email = '$email'";
+$result = $conn->query($sql);
+if ($result && $result->num_rows > 0) {
+    $row = $result->fetch_assoc();
+    $name = $row['Name'];
+    echo "<h1>Welcome to the Dashboard</h1>";
+    echo "You are: $name";
+} else {
+    echo "<h1>Welcome to the Dashboard</h1>";
+    echo "You are: Authenticated User";
+}
+$conn->close();
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Dashboard</title>
+</head>
+<body>
+    <br>
+    <form action="logout.php" method="post">
+        <button type="submit">Logout</button>
+    </form>
+</body>
+</html>
diff --git a/src/dashboard/logout.php b/src/dashboard/logout.php
@@ -0,0 +1,7 @@
+<?php
+session_start();
+$_SESSION = [];
+session_destroy();
+header("Location: auth.php");
+exit();
+?>
diff --git a/src/db.php b/src/db.php
@@ -0,0 +1,12 @@
+<?php
+$servername = "localhost";
+$username = "eva";
+$password = "eva12345";
+$dbname = "evangelion_sqli";
+
+$conn = new mysqli($servername, $username, $password, $dbname);
+
+if ($conn->connect_error) {
+    die("Connection failed: " . $conn->connect_error);
+}
+?>
diff --git a/src/index.php b/src/index.php
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Evangelion</title>
+    <link rel="stylesheet" href="/static/style.css">
+</head>
+<?php
+error_reporting(E_ALL);
+ini_set('display_errors', 1);
+require_once "db.php";
+    if(isset($_GET['id'])) {
+        $id = $_GET['id'];
+        $sql = "SELECT Name, Age, Rank FROM Users WHERE id='" . $id . "'";
+        $result = mysqli_query($conn, $sql);
+        echo "<h1>Driver Data</h1>";
+        if (!$result) {
+        echo "<pre> $sql </pre><br>";
+    	echo($conn->error);
+	}
+        if (mysqli_num_rows($result) > 0) {
+            echo "<table>";
+            echo "<tr><th>Name</th><th>Age</th><th>Rank</th></tr>";
+            while($row = mysqli_fetch_assoc($result)) {
+                echo "<tr><td>".$row["Name"]."</td><td>".$row["Age"]."</td><td>".$row["Rank"]."</td></tr>";
+            }
+            echo "</table>";
+        } else {
+            echo "0 results";
+        }
+
+    } else {
+        echo "<h1>EVA Driver</h1>";
+        echo "<ul>";
+        echo "<li><a href='/index.php?id=1'>Rei Ayanami</a></li>";
+        echo "<li><a href='/index.php?id=2'>Asuka Soryu</a></li>";
+        echo "<li><a href='/index.php?id=3'>Ikari Shinji</a></li>";
+        echo "</ul>";
+        echo "<h2>References:</h2>";
+        echo "<ul><li><a href='https://www.linuxsec.org/2014/03/tutorial-basic-sql-injection.html'>Tutorial Basic SQL Injection Manual Lengkap</a></li></ul>";
+    }
+
+    mysqli_close($conn);
+    ?>
+<footer>
+	<p>Evangelion @ 1995</p>
+</footer>
+</html>
diff --git a/src/info.php b/src/info.php
@@ -0,0 +1 @@
+<?php phpinfo();