README
¶
app-env-docker
基于 Docker 的真实应用测试环境。我们构建这个仓库是为了验证防护效果,并补充到 CVE 漏洞覆盖说明 里。和网上已有的 vulhub、vulapps 相比,我们不同之处在于:
- 下载的资源存储在 https://packages.baidu.com/app/,国内下载快
- 完全基于
Dockerfile,执行make启动环境,可定制化强但是首次安装慢 - 专注 Web 漏洞,覆盖漏洞更多;可用于扫描器开发或者 OpenRASP 漏洞测试
- 使用改造过的 socks5 代理自动转发请求,比修改DNS方式安全
其他说明文档
使用方法
构建,并启动指定应用,e.g
make -C src/zzcms/8.2
启动后,会直接进入一个 bash shell,可以使用 curl 测试应用是否正常,e.g
[ubuntu-server: /share/docker]
# make -C src/seacms/6.45/
make: Entering directory '/share/docker/src/seacms/6.45'
docker build -t openrasp/seacms:6.45 .
Sending build context to Docker daemon 23.04 kB
Step 1/14 : FROM openrasp/php5.4
---> 0c8fc9d4a64a
-- 精简掉的内容 --
Step 14/14 : RUN chown mysql -R /var/lib/mysql
---> Running in 586aa2f25f15
---> 2bc8468709c0
Removing intermediate container 586aa2f25f15
Successfully built 2bc8468709c0
docker run --rm -it openrasp/seacms:6.45
[-] Starting Apache
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[-] Starting MariaDB
[-] Waiting for MySQL to start ...
[-] Accessing 127.0.0.1 for the first time
[-] Dropping shell
- HostName: f615004ffa66
- IP address: 172.17.0.2
[OpenRASP] root@f615004ffa66:/var/www/html #
自动化代理方案
方案1 - nginx proxy_pass 方式
需要设置转发IP,适合每次只运行一个镜像的场景
server {
listen 81;
location / {
proxy_set_header Host $http_host;
proxy_pass http://172.17.0.2;
}
}
方案2 - PAC + xip.io 自动化代理方案
具体请参考 socks5/readme.md
界面截屏如下
Directories
¶
| Path | Synopsis |
|---|---|
|
src/golang.org/x/net/bpf
Package bpf implements marshaling and unmarshaling of programs for the Berkeley Packet Filter virtual machine, and provides a Go implementation of the virtual machine.
|
Package bpf implements marshaling and unmarshaling of programs for the Berkeley Packet Filter virtual machine, and provides a Go implementation of the virtual machine. |
|
src/golang.org/x/net/context
Package context defines the Context type, which carries deadlines, cancelation signals, and other request-scoped values across API boundaries and between processes.
|
Package context defines the Context type, which carries deadlines, cancelation signals, and other request-scoped values across API boundaries and between processes. |
|
src/golang.org/x/net/context/ctxhttp
Package ctxhttp provides helper functions for performing context-aware HTTP requests.
|
Package ctxhttp provides helper functions for performing context-aware HTTP requests. |
|
src/golang.org/x/net/dict
Package dict implements the Dictionary Server Protocol as defined in RFC 2229.
|
Package dict implements the Dictionary Server Protocol as defined in RFC 2229. |
|
src/golang.org/x/net/dns/dnsmessage
Package dnsmessage provides a mostly RFC 1035 compliant implementation of DNS message packing and unpacking.
|
Package dnsmessage provides a mostly RFC 1035 compliant implementation of DNS message packing and unpacking. |
|
src/golang.org/x/net/html
Package html implements an HTML5-compliant tokenizer and parser.
|
Package html implements an HTML5-compliant tokenizer and parser. |
|
src/golang.org/x/net/html/atom
Package atom provides integer codes (also known as atoms) for a fixed set of frequently occurring HTML strings: tag names and attribute keys such as "p" and "id".
|
Package atom provides integer codes (also known as atoms) for a fixed set of frequently occurring HTML strings: tag names and attribute keys such as "p" and "id". |
|
src/golang.org/x/net/html/charset
Package charset provides common text encodings for HTML documents.
|
Package charset provides common text encodings for HTML documents. |
|
src/golang.org/x/net/http/httpproxy
Package httpproxy provides support for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function.
|
Package httpproxy provides support for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function. |
|
src/golang.org/x/net/http2
Package http2 implements the HTTP/2 protocol.
|
Package http2 implements the HTTP/2 protocol. |
|
src/golang.org/x/net/http2/h2i
The h2i command is an interactive HTTP/2 console.
|
The h2i command is an interactive HTTP/2 console. |
|
src/golang.org/x/net/http2/hpack
Package hpack implements HPACK, a compression format for efficiently representing HTTP header fields in the context of HTTP/2.
|
Package hpack implements HPACK, a compression format for efficiently representing HTTP header fields in the context of HTTP/2. |
|
src/golang.org/x/net/icmp
Package icmp provides basic functions for the manipulation of messages used in the Internet Control Message Protocols, ICMPv4 and ICMPv6.
|
Package icmp provides basic functions for the manipulation of messages used in the Internet Control Message Protocols, ICMPv4 and ICMPv6. |
|
src/golang.org/x/net/idna
Package idna implements IDNA2008 using the compatibility processing defined by UTS (Unicode Technical Standard) #46, which defines a standard to deal with the transition from IDNA2003.
|
Package idna implements IDNA2008 using the compatibility processing defined by UTS (Unicode Technical Standard) #46, which defines a standard to deal with the transition from IDNA2003. |
|
src/golang.org/x/net/internal/iana
Package iana provides protocol number resources managed by the Internet Assigned Numbers Authority (IANA).
|
Package iana provides protocol number resources managed by the Internet Assigned Numbers Authority (IANA). |
|
src/golang.org/x/net/internal/nettest
Package nettest provides utilities for network testing.
|
Package nettest provides utilities for network testing. |
|
src/golang.org/x/net/internal/socket
Package socket provides a portable interface for socket system calls.
|
Package socket provides a portable interface for socket system calls. |
|
src/golang.org/x/net/internal/socks
Package socks provides a SOCKS version 5 client implementation.
|
Package socks provides a SOCKS version 5 client implementation. |
|
src/golang.org/x/net/internal/sockstest
Package sockstest provides utilities for SOCKS testing.
|
Package sockstest provides utilities for SOCKS testing. |
|
src/golang.org/x/net/internal/timeseries
Package timeseries implements a time series structure for stats collection.
|
Package timeseries implements a time series structure for stats collection. |
|
src/golang.org/x/net/ipv4
Package ipv4 implements IP-level socket options for the Internet Protocol version 4.
|
Package ipv4 implements IP-level socket options for the Internet Protocol version 4. |
|
src/golang.org/x/net/ipv6
Package ipv6 implements IP-level socket options for the Internet Protocol version 6.
|
Package ipv6 implements IP-level socket options for the Internet Protocol version 6. |
|
src/golang.org/x/net/lex/httplex
Package httplex contains rules around lexical matters of various HTTP-related specifications.
|
Package httplex contains rules around lexical matters of various HTTP-related specifications. |
|
src/golang.org/x/net/nettest
Package nettest provides utilities for network testing.
|
Package nettest provides utilities for network testing. |
|
src/golang.org/x/net/netutil
Package netutil provides network utility functions, complementing the more common ones in the net package.
|
Package netutil provides network utility functions, complementing the more common ones in the net package. |
|
src/golang.org/x/net/proxy
Package proxy provides support for a variety of protocols to proxy network data.
|
Package proxy provides support for a variety of protocols to proxy network data. |
|
src/golang.org/x/net/publicsuffix
Package publicsuffix provides a public suffix list based on data from http://publicsuffix.org/.
|
Package publicsuffix provides a public suffix list based on data from http://publicsuffix.org/. |
|
src/golang.org/x/net/route
Package route provides basic functions for the manipulation of packet routing facilities on BSD variants.
|
Package route provides basic functions for the manipulation of packet routing facilities on BSD variants. |
|
src/golang.org/x/net/trace
Package trace implements tracing of requests and long-lived objects.
|
Package trace implements tracing of requests and long-lived objects. |
|
src/golang.org/x/net/webdav
Package webdav provides a WebDAV server implementation.
|
Package webdav provides a WebDAV server implementation. |
|
src/golang.org/x/net/webdav/internal/xml
Package xml implements a simple XML 1.0 parser that understands XML name spaces.
|
Package xml implements a simple XML 1.0 parser that understands XML name spaces. |
|
src/golang.org/x/net/websocket
Package websocket implements a client and server for the WebSocket protocol as specified in RFC 6455.
|
Package websocket implements a client and server for the WebSocket protocol as specified in RFC 6455. |
|
src/golang.org/x/net/xsrftoken
Package xsrftoken provides methods for generating and validating secure XSRF tokens.
|
Package xsrftoken provides methods for generating and validating secure XSRF tokens. |
Click to show internal directories.
Click to hide internal directories.