WEB

WEB安全

漏洞复现

CTF

常用工具

实战

代码审计

后渗透

内网渗透

免杀

进程注入

权限提升

漏洞复现

靶机

vulnstack

vulnhub

Root-Me

编程语言

java

逆向

PE

逆向学习

HEVD

其它

关于博客

面试

杂谈

AWD环境搭建

0x01 老版

https://github.com/zhl2008/awd-platform

首先把文件下载下来

网速快的可以用git,网速慢得话建议直接下载下来再传到服务器上

1
2
docker pull zhl2008/web_14.04		#下载镜像
docker tag zhl2008/web_14.04 web_14.04 #重命名镜像

修改check.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
#!/usr/bin/env python
# -*- coding:utf8 -*-
'''

'''
import hashlib
import base64

sleep_time = 300
debug = True
headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"}

import time
import httplib
import urllib2
import ssl

my_time = 'AAAA'
__doc__ = 'http(method,host,port,url,data,headers)'
flag_server = '172.17.0.1'
key = '744def038f39652db118a68ab34895dc'
hosts = open('host.lists','r').readlines()
user_id = [host.split(':')[0] for host in hosts]
hosts = [host.split(':')[1] for host in hosts]
port = 80

def http(method,host,port,url,data,headers):
con=httplib.HTTPConnection(host,port,timeout=2)
if method=='post' or method=='POST':
headers['Content-Length']=len(data)
headers['Content-Type']='application/x-www-form-urlencoded'
con.request("POST",url,data,headers=headers)
else:
headers['Content-Length'] = 0
con.request("GET",url,headers=headers)
res = con.getresponse()
if res.getheader('set-cookie'):
#headers['Cookie'] = res.getheader('set-cookie')
pass
if res.getheader('Location'):
print "Your 302 direct is: "+res.getheader('Location')
a = res.read()
con.close()
return a


def https(method,host,port,url,data,headers):
url = 'https://' + host + ":" + str(port) + url
req = urllib2.Request(url,data,headers)
response = urllib2.urlopen(req)
return response.read()

def get_score():
res = http('get',flag_server,8080,'/score.php?key=%s'%key,'',headers)
print res
user_scores = res.split('|')
print "******************************************************************"
res = ''

print res
print "******************************************************************"
return user_scores

def write_score(scores):
scores = '|'.join(scores)
res = http('get',flag_server,8080,'/score.php?key=%s&write=1&score=%s'%(key,scores),'',headers)
if res == "success":
return True
else:
print res
raise ValueError

class check():

def index_check(self):
res = http('get',host,port,'/index.php?file=%s'%str(my_time),'',headers)
if 'perspi' in res:
return True
if debug:
print "[fail!] index_fail"
return False

def server_check():
try:
a = check()
if not a.index_check():
return False
return True
except Exception,e:
print e
return False

game_round = 0
while True:

scores = get_score()
scores = []
print "--------------------------- round %d -------------------------------"%game_round
for host in hosts:
print "---------------------------------------------------------------"
host = host[:-1]
if server_check():
print "Host: "+host+" seems ok"
scores.append("0")
else:
print "Host: "+host+" seems down"
scores.append("-10")
game_round += 1
write_score(scores)
time.sleep(sleep_time)

可以通过修改sleep_time设置每轮时间

flag_server的ip需要注意,docker的段有可能不是172.17(之前踩过这个坑)

1
2
python batch.py web_yunnan_simple 3
python start.py ./ 3

启动环境

1
python stop_clean.py

结束退出

1
2
3
http://ip:8080/flag_file.php?token=队伍token&flag=flag		#提交flag
http://ip:8080/result.txt #队伍攻击情况
http://ip:8080/score.txt #得分情况

进入check_server容器启动check

1
python check.py

check的规则可以改,看了一下代码,判断服务器是否正常运行是让check去访问一个页面如访问正常就判断运行正常

具体在check类下,可自行添加方法

0x02 新版

https://gitee.com/jikemofan/awd-platform

这个是大佬修改过的,加了提交flag的页面,修复了一些bug,下载下来可以直接用

flag_server/static/js/postflag.js

需要修改一下上面js文件里面提交flag的ip地址, 修改成自己服务器的ip即可