Created and tested on Ubuntu 20.04.6 LTS Focal.
K.I.S.S: Keep It Simple, Stupid
A simple file transfer and download application, built with security in mind: less functionality means a smaller attack surface. Put TLS in front of it (see the HTTPS section below) and you're good to go.
Tested for the following:
- SQLi; both manual testing and with sqlmap up to level/risk 3.
- LFI and Path Traversal.
- XSS.
- HTTP Verb Tampering.
- PHP Wrappers and Filters.
- OS command execution through a PHP webshell: the request gets a 403 Permission Denied page, and an attempt to write /tmp/test.txt through it failed.
- No IDOR: everyone has access to the same pool of files, so there are no per-user objects to reference.
- No XML (or JSON) parsing, so no XXE.
- No CGIs.
The MySQL account the app connects with is unprivileged and has only SELECT rights on the database "db1". setup.sh moves config.php to /var/www, outside the webroot, owned by www-data with mode 600. That file holds the MySQL connection details: user, password, database name and host. Anything else running as www-data can still read it, which is why the account it names has SELECT only.
The functionality is deliberately minimal, the login mechanism included. No registration function == less functionality == smaller attack surface == happy cybersecurity practitioner
Right!?
Using Docker:
git clone https://github.com/Business1sg00d/harambo_app.git
cd harambo_app
docker build -t image_name .
docker run -p 80:80 -v /mnt/host_directory/:/mnt -di image_name
setup.sh assumes MySQL is listening on the default TCP port 3306. Run it as root, since it edits files under /etc/apache2 and /var/www.
If spinning up a container or new VM, you'll need the following:
apt-get install apache2 mysql-server php libapache2-mod-php zip unzip php-mysqlnd net-tools
Move the zip file and setup.sh to /var/www, then run setup.sh from there:
./setup.sh
"setup.sh" will make the following changes to the file system:
- Backup apache2.conf to /etc/apache2/apache2.conf.bak_1
- Backup dir.conf to /etc/apache2/mods-available/dir.conf.bak_1
- Move config.php to /var/www/config.php
- Back up the original html/ directory
Adding the following PHP functions to the disable_functions directive (a comma-separated list) in the php.ini that Apache loads (/etc/php/7.4/apache2/php.ini on Ubuntu 20.04) stops PHP from calling them, which cuts off the usual routes to OS commands. Restart Apache afterwards for the change to take effect:
system
popen
passthru
exec
shell_exec
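The directive is easy to get wrong (a stray second `disable_functions =` line later in the file silently replaces the first, and a typo in one name leaves that function callable), so it is worth checking the file rather than trusting the edit. The script below is an added example, not part of harambo_app: it extracts the effective directive from a php.ini and reports which of the functions above are missing. It also adds proc_open to the list, which is this example's own addition, since proc_open spawns processes just like popen. The sample php.ini fragment is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of harambo_app: verify that the php.ini Apache loads
# actually disables the functions listed above (plus proc_open), since a typo
# or a second disable_functions line further down silently undoes the hardening.
set -eu

REQUIRED="system popen passthru exec shell_exec proc_open"

# Print the effective disable_functions value from a php.ini: commented lines
# (leading ';') are skipped, and the last assignment wins, as it does in PHP.
effective_disable_functions() {
  sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Print the required functions that are not in the directive, one per line.
missing_functions() {
  local value f
  value=$(effective_disable_functions "$1" | tr -d '[:space:]')
  for f in $REQUIRED; do
    case ",$value," in
      *",$f,"*) ;;
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Constructed sample php.ini: an old commented-out line plus a live one that
# left out shell_exec and proc_open.
sample_ini() {
  cat <<'EOF'
[PHP]
;disable_functions = system,exec,shell_exec
disable_functions = system, popen, passthru, exec
EOF
}

# Run the check against the sample and print what is missing.
audit_sample() {
  local tmp
  tmp=$(mktemp)
  sample_ini >"$tmp"
  missing_functions "$tmp"
  rm -f "$tmp"
}

audit_sample
# Against the real file on Ubuntu 20.04 (then systemctl restart apache2):
#   missing_functions /etc/php/7.4/apache2/php.ini
```

Run `missing_functions` against the php.ini path that `php --ini` reports for the Apache SAPI, not the CLI one; the CLI and Apache use separate php.ini files on Ubuntu, and hardening the wrong one changes nothing for the web app.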
Want to change the default user password? You should. (tester:password123)
- Do it manually using php:
$ php -a
Interactive shell
php > $plain_password = "mySecretPassword";
php > $hashed_password = password_hash($plain_password, PASSWORD_BCRYPT);
php > echo $hashed_password;
- Clear the php command line history:
cp /dev/null ~/.php_history
- Copy the hash printed above into the 'member' table in mysql (the statement, hash included, will also be recorded in ~/.mysql_history unless you clear it the same way):
mysql> UPDATE member SET pwd="hashed_pass_from_php" WHERE userid=1;
- Change the user name as well with:
mysql> UPDATE member SET user="new_username" WHERE userid=1;
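The interactive route above leaves the plaintext password in php history and pastes the hash into a hand-typed statement. The script below is an added example, not part of harambo_app, that does the same rotation in one step: the new password is read from stdin (so it never appears in argv or shell history), hashed with the same password_hash()/PASSWORD_BCRYPT call, and applied with a properly quoted UPDATE. It assumes the php CLI is installed and that the mysql client can reach db1 with an account that has UPDATE on member (for example root over the local socket); the script name rotate.sh and the user name newadmin are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of harambo_app: replace the default tester:password123
# credential in one step, keeping the plaintext out of argv, shell history and
# php -a history. Assumes the mysql client can reach db1 with an account that
# has UPDATE on member (e.g. root via the local socket).
set -eu

# bcrypt-hash one line read from stdin with PHP's password_hash().
hash_password() {
  php -r 'echo password_hash(rtrim(fgets(STDIN), "\n"), PASSWORD_BCRYPT), PHP_EOL;'
}

# Quote an arbitrary string as a MySQL single-quoted literal: double any
# single quote and escape backslashes (MySQL treats \ as an escape by default).
# bcrypt hashes contain '$' and '/', which need no escaping, but the user
# name is operator-supplied, so quote everything the same way.
sql_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")"
}

# Emit the UPDATE for the single account (userid 1) with a new name and hash.
build_update_sql() {
  printf 'UPDATE member SET user=%s, pwd=%s WHERE userid=1;\n' \
    "$(sql_quote "$1")" "$(sql_quote "$2")"
}

# Read the new password from stdin, hash it, and apply the change to db1.
rotate_credential() {
  local new_user="$1" hash
  hash=$(hash_password)
  build_update_sql "$new_user" "$hash" | mysql db1
}

# Usage (password on stdin, never on the command line):
#   read -rs pw; printf '%s\n' "$pw" | ./rotate.sh newadmin
if [ "$#" -eq 1 ]; then
  rotate_credential "$1"
fi
```

Feeding the password through `read -rs` rather than a literal in the pipeline keeps it out of the calling shell's history as well. The hash still ends up in the mysql server's binary log if binlogging is on, which is fine: a bcrypt hash is what the database stores anyway.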
Want to run it with HTTPS?
- Run the following command to generate certificate and key:
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
- Enable TLS for apache:
a2enmod ssl
- Ensure /var/run/apache2/ exists with www-data as the owner:
chown www-data: /var/run/apache2
- Add the following to /etc/apache2/apache2.conf, changing 10.0.0.2 in the Redirect to your server's address. Note that SSLUseStapling has nothing to staple for a self-signed certificate (there is no OCSP responder behind it), so expect stapling warnings in error.log until you switch to a CA-issued certificate, or leave the two stapling lines out:
<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLUseStapling on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
SSLStaplingCache "shmcb:/var/run/apache2/ssl_stapling(32768)"
ErrorLog ${APACHE_LOG_DIR}/error.log
<VirtualHost *:80>
    Redirect permanent / https://10.0.0.2
</VirtualHost>
- Restart the server:
systemctl restart apache2.service
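The steps above, collected into one non-interactive script, as an added example that is not part of harambo_app. It departs from the README in four places, all choices of this example rather than the project's: the certificate gets a subjectAltName so clients can match the IP or host name, the vhosts go into a sites-available file (harambo-ssl.conf, a placeholder name) instead of apache2.conf, OCSP stapling is left out because a self-signed certificate has no responder to staple from, and Apache is only restarted once `apachectl configtest` passes, so a typo in the config cannot take the site down.

```shell
#!/usr/bin/env bash
# Added example, not part of harambo_app: the HTTPS steps as one script.
# Assumptions of this example: sites-available layout (Ubuntu/Debian Apache),
# OpenSSL 1.1.1+ for -addext (Focal ships 1.1.1f), run as root.
set -eu

CRT=/etc/ssl/certs/apache-selfsigned.crt
KEY=/etc/ssl/private/apache-selfsigned.key
SITE=/etc/apache2/sites-available/harambo-ssl.conf

# Self-signed 1-year cert for an IP or DNS name, without the interactive
# subject prompts; the SAN is what modern clients actually match on.
issue_selfsigned() {
  local host="$1" san
  case "$host" in
    *[!0-9.]*) san="DNS:$host" ;;
    *)         san="IP:$host" ;;
  esac
  openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -subj "/CN=$host" -addext "subjectAltName=$san" \
    -keyout "$KEY" -out "$CRT"
  chmod 600 "$KEY"
}

# Print the vhost pair: TLS 1.2/1.3 only on :443, everything on :80
# redirected to HTTPS. No stapling: self-signed certs have no OCSP responder.
render_vhost() {
  local host="$1"
  cat <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile $CRT
    SSLCertificateKeyFile $KEY
    ErrorLog \${APACHE_LOG_DIR}/error.log
    CustomLog \${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>
EOF
}

# Install the vhost, disable the stock :80 site so the redirect is the only
# listener there, and restart only after the config parses.
install_vhost() {
  local host="$1"
  a2enmod ssl >/dev/null
  render_vhost "$host" >"$SITE"
  a2dissite 000-default >/dev/null 2>&1 || true
  a2ensite harambo-ssl >/dev/null
  apachectl configtest
  systemctl restart apache2.service
}

# Usage, as root:  ./enable_https.sh 10.0.0.2
if [ "$#" -eq 1 ]; then
  issue_selfsigned "$1"
  install_vhost "$1"
fi
```

Enabling mod_ssl on Ubuntu also activates the `Listen 443` block in ports.conf, so no extra Listen directive is needed. Clients will still warn about the self-signed certificate; the script only removes the warnings that a missing SAN and a pointless stapling attempt would add on top of that.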