├── Dockerfile
├── README.md
├── apache.conf
├── docker-compose.yml
├── idor.php
├── php.ini
├── rce.php
├── sqli-error.php
├── sqli-login.php
└── xss.php

/Dockerfile:
--------------------------------------------------------------------------------
     # NOTE(review): README.md in this listing describes a different image (ubuntu:20.04, gcc/gdb,
     # run.sh, a vulnerable/ directory of C programs). This Dockerfile builds a php:8.1-apache web
     # lab, and the tree above lists neither run.sh nor vulnerable/.
 1 | FROM php:8.1-apache
 2 |
 3 | # Enable PHP errors: display_errors=On writes every error and warning into the HTTP response.
     # NOTE(review): relies on the shell's echo expanding "\n" into a newline; confirm that
     # errors.ini ends up holding two directives.
 4 | RUN echo "display_errors=On\nerror_reporting=E_ALL" > /usr/local/etc/php/conf.d/errors.ini
 5 |
 6 | # Install the mysqli extension (no MySQL client package is installed by this line).
 7 | RUN docker-php-ext-install mysqli
 8 |
 9 | # Copy your vulnerable PHP files
     # "COPY ." takes the whole build context, so unless a .dockerignore excludes them, Dockerfile,
     # README.md, apache.conf, docker-compose.yml and php.ini are copied into the web root as well.
     # Nothing in this Dockerfile places apache.conf or php.ini in a configuration directory.
10 | COPY . /var/www/html/
11 |
12 | # Give permissions if needed: www-data becomes owner of everything under the web root,
     # including the PHP sources themselves.
13 | RUN chown -R www-data:www-data /var/www/html
14 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Exploit Development Lab (Docker-based)
 2 |
 3 | A pre-configured Linux environment for practicing exploit development, shellcode, buffer overflows, reverse shells, and more.
 4 |
 5 | ## 🔧 Features
 6 |
 7 | - Based on `ubuntu:20.04` (x86_64)
 8 | - Includes:
 9 |   - `gcc`, `gdb`, `netcat`, `strace`, `ltrace`, `python3`, etc.
10 | - Non-root `user` preconfigured
11 | - Preloaded with vulnerable C programs for practicing
12 |
13 | ## 🐳 Usage
14 |
15 | ```bash
16 | ./run.sh
17 | ```
18 |
19 | Or manually:
20 |
21 | ```bash
22 | docker build --platform linux/amd64 -t exploit-lab .
23 | docker run -it --rm --platform linux/amd64 --hostname exploit-lab --privileged exploit-lab
24 | ```
25 |
26 | ## 📁 vulnerable/
27 |
28 | Contains practice C programs (e.g., stack overflows, shellcode loaders, etc.). Modify or add your own for custom scenarios.
29 |
30 | ## 🛠 Default Credentials
31 |
32 | Username: user
33 | Password: user
34 |
--------------------------------------------------------------------------------
/apache.conf:
--------------------------------------------------------------------------------
     # NOTE(review): lines 1, 3, 7 and 8 are empty in this listing; presumably the enclosing
     # <VirtualHost>/<Directory> tags were stripped during extraction.
     # NOTE(review): the Dockerfile only copies this file into the web root (COPY .); confirm
     # whether Apache ever loads it as configuration.
 1 |
 2 | DocumentRoot /var/www/html
 3 |
     # Indexes turns on auto-generated directory listings; AllowOverride All lets .htaccess files
     # under this directory override the settings given here.
 4 | Options Indexes FollowSymLinks
 5 | AllowOverride All
 6 | Require all granted
 7 |
 8 |
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: "3.8"
 2 |
 3 | services:
 4 |   web:
 5 |     build: .
 6 |     ports:
     # "8080:80" publishes the lab on every host interface; "127.0.0.1:8080:80" would keep it
     # reachable from the local machine only.
 7 |       - "8080:80"
 8 |     depends_on:
 9 |       - db
10 |
11 |   db:
12 |     image: mysql:8.0
13 |     platform: linux/amd64
14 |     environment:
     # Lab-only root credential. The db service publishes no ports, so as listed it is reachable
     # only from inside the compose network.
15 |       MYSQL_ROOT_PASSWORD: root
16 |       MYSQL_DATABASE: vuln_lab
17 |
     # NOTE(review): db_data is declared but, as listed, no service mounts it.
18 | volumes:
19 |   db_data:
20 |
--------------------------------------------------------------------------------
/idor.php:
--------------------------------------------------------------------------------
     // NOTE(review): lines 1-5 of this file were lost in extraction. The listing resumes inside
     // an array literal, presumably the $users array read on line 16.
 1 | ['name' => 'Alice', 'email' => 'alice@example.com'],
 6 |     2 => ['name' => 'Bob', 'email' => 'bob@example.com'],
 7 |     3 => ['name' => 'Charlie', 'email' => 'charlie@example.com']
 8 | ];
 9 |
10 | // Simulate login as user ID 1
11 | $_SESSION['user_id'] = 1;
12 |
13 | if (isset($_GET['id'])) {
     // The id parameter is cast to int and used directly as the lookup key.
14 |     $requested_id = (int) $_GET['id'];
15 |
     // Missing authorization check: $requested_id is never compared with $_SESSION['user_id'],
     // so any existing record is returned regardless of who is logged in. The fix is an
     // ownership check before the lookup (for example, answer 403 unless
     // $requested_id === $_SESSION['user_id']).
16 |     if (isset($users[$requested_id])) {
17 |         $user = $users[$requested_id];
     // Both fields below pass through htmlspecialchars(), so the output itself is HTML-encoded.
18 |         echo "

User Info

";
19 |         echo "Name: " . htmlspecialchars($user['name']) . "
";
20 |         echo "Email: " . htmlspecialchars($user['email']) . "
";
21 |     } else {
22 |         echo "User not found.";
23 |     }
24 | } else {
25 |     echo "No user ID specified.";
26 | }
27 | ?>
28 |
--------------------------------------------------------------------------------
/php.ini:
--------------------------------------------------------------------------------
     ; All three settings maximise error output; display_errors = On writes it into the HTTP
     ; response.
 1 | display_errors = On
 2 | display_startup_errors = On
 3 | error_reporting = E_ALL
 4 |
--------------------------------------------------------------------------------
/rce.php:
--------------------------------------------------------------------------------
     // NOTE(review): lines 1-6 were mostly lost in extraction. Only the tail of an output string
     // survives, so how $output is produced is not visible in this listing.
 1 | $output";
 7 | }
 8 | ?>
 9 |
--------------------------------------------------------------------------------
/sqli-error.php:
--------------------------------------------------------------------------------
     // NOTE(review): lines 1-9 were mostly lost in extraction. The code that creates $conn is not
     // visible, and the listing resumes mid-expression.
 1 | connect_error) {
10 |     die("Connection failed: " . $conn->connect_error);
11 | }
12 |
13 | // Create table if not exists
14 | $conn->query("CREATE TABLE IF NOT EXISTS products (
15 |     id INT PRIMARY KEY AUTO_INCREMENT,
16 |     name VARCHAR(255),
17 |     title VARCHAR(255),
18 |     price DECIMAL(10,2),
19 |     discount DECIMAL(5,2),
20 |     status VARCHAR(50)
21 | )");
22 |
23 | // Insert dummy products (only once)
24 | $result = $conn->query("SELECT COUNT(*) as count FROM products");
25 | $row = $result->fetch_assoc();
26 | if ($row['count'] == 0) {
27 |     $conn->query("INSERT INTO products (name, title, price, discount, status) VALUES
28 |     ('Laptop', 'Gaming Laptop', 1200.00, 0.00, 'active'),
29 |     ('Phone', 'Smartphone X', 800.00, 0.00, 'active'),
30 |     ('TV', '4K Smart TV', 1500.00, 0.00, 'inactive')
31 |     ");
32 | }
33 |
34 | // Unsafe user input (SQLi vulnerable)
     // $id is taken from the query string and interpolated into the SQL text, so the database
     // parses it as part of the statement instead of treating it as a value. The fix is a
     // prepared statement: $conn->prepare() with a "?" placeholder for id, then bind_param().
     // NOTE(review): the result of query() is used without a failure check. With display_errors
     // on, the resulting error text presumably reaches the client, which would be the leak the
     // file name refers to; confirm.
35 | $id = $_GET['id'] ?? '';
36 | $query = "SELECT name, price FROM products WHERE id = '$id' AND status = 'active'";
37 | $result = $conn->query($query);
38 |
39 | if ($row = $result->fetch_assoc()) {
40 |     echo "

Product Info

";
41 |     echo "Product Name: " . htmlspecialchars($row['name']) . "
";
42 |     echo "Price: $" . htmlspecialchars($row['price']);
43 | } else {
44 |     echo "No product found or inactive.";
45 | }
46 | ?>
47 |
--------------------------------------------------------------------------------
/sqli-login.php:
--------------------------------------------------------------------------------
     // NOTE(review): lines 1-8 were mostly lost in extraction. The code that creates $db is not
     // visible; exec()/querySingle()/fetchArray() match PHP's SQLite3 class, so $db is presumably
     // an SQLite3 handle. Confirm against the original file.
 1 | exec("CREATE TABLE IF NOT EXISTS users (
 9 |     id INTEGER PRIMARY KEY AUTOINCREMENT,
10 |     username TEXT,
11 |     password TEXT
12 | )");
13 |
14 | // Insert test user (only if not already there)
15 | $result = $db->querySingle("SELECT COUNT(*) as count FROM users WHERE username = 'admin'");
16 | if ($result == 0) {
     // The password is stored as plaintext and later compared inside the SQL statement. A
     // hardened version stores password_hash() output and checks it with password_verify().
17 |     $db->exec("INSERT INTO users (username, password) VALUES ('admin', 'password123')");
18 | }
19 |
20 | $message = '';
21 |
22 |
23 |
24 |
25 |
26 |
27 | //
28 |
29 | if ($_SERVER['REQUEST_METHOD'] === 'POST') {
30 |     $username = $_POST['username'];
31 |     $password = $_POST['password'];
32 |
33 |     // 🚨 Vulnerable to SQLi 🚨
     // Both POST fields are interpolated into the SQL text, so the database parses them as part
     // of the statement and the credential check can be altered by the request. The fix is
     // $db->prepare() with placeholders and bindValue() for each field.
34 |     $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
35 |     $result = $db->query($query);
36 |
     // Any returned row counts as a successful login; the row's contents are not inspected.
37 |     if ($result->fetchArray()) {
     // NOTE(review): $message embeds the raw $username. How $message is rendered is not visible
     // in this listing (the template markup was stripped); if it is echoed unescaped, this also
     // reflects user input into the page.
38 |         $message = "✅ Login successful as $username";
39 |     } else {
40 |         $message = "❌ Invalid credentials.";
41 |     }
42 | }
43 |
44 |
45 | //
46 |
47 |
48 |
49 | ?>
50 |
51 |
52 |
53 | SQLi Lab
54 |
55 |

Login

56 |
57 | Username:
58 | Password:
59 |
60 |
61 |

62 |
63 |
64 |
--------------------------------------------------------------------------------
/xss.php:
--------------------------------------------------------------------------------
     // NOTE(review): lines 1-6 were mostly lost in extraction, so where $name is read from is not
     // visible in this listing.
 1 | Hello, $name!"; // No sanitization — XSS vulnerable
     // $name is written into the HTML response as-is. Encoding it for the HTML context with
     // htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') is the standard fix;
     // idor.php and sqli-error.php already call htmlspecialchars() on their output fields.
 7 | }
 8 | ?>
 9 |
--------------------------------------------------------------------------------