本文以xshell进行远程控制
1.以ssh连接云服务器
ssh 服务器名@公网ip[D:\~]$ ssh root@47.99.138.9在弹框中输入密码
2.安装docker
curl -s http://get.docker.com/ | shroot@iZbp1fm14idjlfp53akni8Z:~# curl -s https://get.docker.com/ | sh
# Executing docker install script, commit: 6d9743e9656cc56f699a64800b098d5ea5a60020
+ sh -c apt-get update -qq >/dev/null
+ sh -c DEBIAN_FRONTEND=noninteractive apt-get install -y -qq apt-transport-https ca-certificates curl >/dev/null
+ sh -c install -m 0755 -d /etc/apt/keyrings
+ sh -c curl -fsSL "https://download.docker.com/linux/ubuntu/gpg" -o /etc/apt/keyrings/docker.asc
+ sh -c chmod a+r /etc/apt/keyrings/docker.asc
+ sh -c echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu jammy stable" > /etc/apt/sources.list.d/docker.list
+ sh -c apt-get update -qq >/dev/null
+ sh -c DEBIAN_FRONTEND=noninteractive apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-compose-plugin docker-ce-rootless-extras docker-buildx-plugin >/dev/null
+ sh -c docker version
Client: Docker Engine - Community
Version: 26.1.3
API version: 1.45
Go version: go1.21.10
Git commit: b72abbb
Built: Thu May 16 08:33:29 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 26.1.3
API version: 1.45 (minimum version 1.24)
Go version: go1.21.10
Git commit: 8e96db1
Built: Thu May 16 08:33:29 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.32
GitCommit: 8b3b7ca2e5ce38e8f31a34f35b2b68ceb8470d89
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
================================================================================
To run Docker as a non-privileged user, consider setting up the
Docker daemon in rootless mode for your user:
dockerd-rootless-setuptool.sh install
Visit https://docs.docker.com/go/rootless/ to learn about rootless mode.
To run the Docker daemon as a fully privileged service, but granting non-root
users access, refer to https://docs.docker.com/go/daemon-access/
WARNING: Access to the remote API on a privileged Docker daemon is equivalent
to root access on the host. Refer to the 'Docker daemon attack surface'
documentation for details: https://docs.docker.com/go/attack-surface/
================================================================================
3.运行systemctl服务
systemctl start dockerroot@iZbp1fm14idjlfp53akni8Z:~# systemctl start docker4.下载vulhub
wget https://github.com/vulhub/vulhub/archive/master.zip -o vulhub-master.zip
root@iZbp1fm14idjlfp53akni8Z:~# wget https://github.com/vulhub/vulhub/archive/master.zip -o vulhub-master.zip
5.解压master.zip
unzip master.ziproot@iZbp1fm14idjlfp53akni8Z:~# unzip master.zip
若unzip找不到先用apt install unzip下载unzip
root@iZbp1fm14idjlfp53akni8Z:~# unzip vulhub-master.zip
Command 'unzip' not found, but can be installed with:
apt install unzip
root@iZbp1fm14idjlfp53akni8Z:~# apt install unzip
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
zip
The following NEW packages will be installed:
unzip
0 upgraded, 1 newly installed, 0 to remove and 240 not upgraded.
Need to get 175 kB of archives.
After this operation, 386 kB of additional disk space will be used.
Get:1 http://mirrors.cloud.aliyuncs.com/ubuntu jammy-updates/main amd64 unzip amd64 6.0-26ubuntu3.2 [175 kB]
Fetched 175 kB in 0s (4,798 kB/s)
Selecting previously unselected package unzip.
(Reading database ... 80607 files and directories currently installed.)
Preparing to unpack .../unzip_6.0-26ubuntu3.2_amd64.deb ...
Unpacking unzip (6.0-26ubuntu3.2) ...
Setting up unzip (6.0-26ubuntu3.2) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
到此以全部下载完成,以下为应用实例
6.进入vulhub-master文件夹
cd vulhub-masterroot@iZbp1fm14idjlfp53akni8Z:~# cd vulhub-master/7.展示所有文件
lsroot@iZbp1fm14idjlfp53akni8Z:~/vulhub-master# ls
activemq h2database opentsdb
adminer hadoop pdfjs
airflow httpd pgadmin
aj-report imagemagick php
apache-druid influxdb phpmailer
apereo-cas jackson phpmyadmin
apisix java phpunit
appweb jboss polkit
aria2 jeecg-boot postgres
base jenkins python
bash jetty rails
cacti jimureport README.md
celery jira README.zh-cn.md
cgi jmeter redis
cmsms joomla rocketchat
coldfusion jumpserver rocketmq
confluence jupyter rsync
contributors.md kafka ruby
contributors.zh-cn.md kibana saltstack
couchdb kkfileview samba
discuz laravel scrapy
django librsvg shiro
dns libssh showdoc
docker LICENSE skywalking
drupal liferay-portal solr
dubbo log4j spark
ecshop magento spring
elasticsearch metabase struts2
electron metersphere supervisor
elfinder mini_httpd teamcity
environments.toml minio tests
fastjson mojarra thinkphp
ffmpeg mongo-express tikiwiki
flask mysql tomcat
flink nacos unomi
geoserver neo4j uwsgi
ghostscript nexus v2board
git nginx weblogic
gitea node webmin
gitlab ntopng wordpress
gitlist ofbiz xstream
glassfish openfire xxl-job
goahead opensmtpd yapi
gogs openssh zabbix
grafana openssl
8.这里以thinkphp为例进行演示
进入thinkphp文件夹
root@iZbp1fm14idjlfp53akni8Z:~/vulhub-master# cd thinkphp查看所有文件
root@iZbp1fm14idjlfp53akni8Z:~/vulhub-master/thinkphp# ls
2-rce 5.0.23-rce 5-rce in-sqlinjection lang-rce
进入5.0.23-rce
root@iZbp1fm14idjlfp53akni8Z:~/vulhub-master/thinkphp# cd 5.0.23-rce
重新构建容器的镜像
docker compose buildroot@iZbp1fm14idjlfp53akni8Z:~/vulhub-master/thinkphp/5.0.23-rce# docker compose build
WARN[0000] /root/vulhub-master/thinkphp/5.0.23-rce/docker-compose.yml: `version` is obsolete
启动已定义在docker-compose.yml文件中的服务容器,并以守护进程的方式在后台运行。
docker compose up -droot@iZbp1fm14idjlfp53akni8Z:~/vulhub-master/thinkphp/5.0.23-rce# docker compose up -d
WARN[0000] /root/vulhub-master/thinkphp/5.0.23-rce/docker-compose.yml: `version` is obsolete
[+] Running 19/1
✔ web Pulled 21.2s
[+] Running 2/2
✔ Network 5023-rce_default Created 0.1s
✔ Container 5023-rce-web-1 Started 0.8s
查看端口号
root@iZbp1fm14idjlfp53akni8Z:~/vulhub-master/thinkphp/5.0.23-rce# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
194393918b40 vulhub/thinkphp:5.0.23 "docker-php-entrypoi…" 10 seconds ago Up 8 seconds 0.0.0.0:8080->80/tcp, :::8080->80/tcp 5023-rce-web-1
端口号为8080
用公网ip进行访问
https://github.com/vulhub/vulhub?tab=readme-ov-file
https://vulhub.org/#/docs/
彩蛋:
查询dvwa
root@iZbp1fm14idjlfp53akni8Z:~/vulhub-master/thinkphp/5.0.23-rce# docker search dvwa
NAME DESCRIPTION STARS OFFICIAL
sagikazarmark/dvwa DVWA (Damn Vulnerable Web Application) Docke… 28
cytopia/dvwa DVWA (Damn Vulnerable Web Application) with … 17
astronaut1712/dvwa Docker for DVWA LAB: https://github.com/Rand… 5
citizenstig/dvwa Docker container for Damn Vulnerable Web App… 73
cyberxsecurity/dvwa 2
santosomar/dvwa DVWA Container for Cybersecurity Training 2
infoslack/dvwa 11
c0ny1/dvwa dvwa镜像 0
scotty2hotty/dvwa 0
pmuench/dvwa-container-escape DVWA with CVE-2021-4034 for Demo 0
howiehowerton/dvwa-howie 0
mlinarik/dvwa 0
imfht/dvwa-nologin dvwa without login 1
adrianaues/dvwa-esagent cytopia/dvwa with ES Agent pre-installed 0
kaakaww/dvwa-docker DVWA. No setup needed, just log in. Built fr… 2
vladvantaroo/dvwa just dvwa 0
frez0234/dvwa 0
rajvanshi/dvwa 0
utspark/dvwa_frontend 3
waiyanwinhtain/dvwa 0
bennalp/dvwa 0
acgpiano/dvwa latest dvwa 2
qeaccelerators/dvwa_app_dockerized 0
vulfocus/dvwa 0
rbenavente/dvwa-fargate 0
查询upload-labs
root@iZbp1fm14idjlfp53akni8Z:~/vulhub-master/thinkphp/5.0.23-rce# docker sea
rch upload-labs
NAME DESCRIPTION STARS OFFICIAL
c0ny1/upload-labs upload-labs靶场docker镜像 16
cuer/upload-labs upload-labs 文件上传靶场 0
monstertsl/upload-labs upload-labs靶场镜像,并修复了一些不足! 1
glzjin/upload-labs 0
tanyiqu/upload-labs 0
gfattf1/upload-labs File upload vulnerability 0
flalucifer/upload-labs 0
hominsu/upload-labs upload-labs pre-built docker environments, s… 0
tavenli/upload-labs 靶机 upload-labs 0
anthem9/upload-labs 0
drunkbamboo/upload-labs upload-labs for test 0
8evan8/upload-labs 修复c0ny1的pass-03,pass-04上传失败 0
tuyiqiang/upload-labs 0
dockerpentest/upload-labs-kr Upload-labs for Korean. Forked from github.c… 0
howhacker/upload-labs upload-labs靶场 0
745184472/upload-labs upload-labs 0
1518299439/upload-labs21 0
flalucifer/upload-labs-bases 0
caketi/upload-labs 0
alexanso/upload-labs 0
wxixw/upload-labs 0
spaceskynet/upload-labs 0
81286980/upload-labs-test 0
vulshare/upload-labs 0
nudttan91/upload-labs 0