A vulnerable Dockerfile for containerizing a university business.
This Dockerfile consists of Docker XML files for ease of use, readily deployable on your own environment.
It hosts an FTP server, a vulnerable SSH service and an insecure website.
Vulnerabilities include:
- https://www.cvedetails.com/cve/CVE-2018-1000300/
- https://www.cvedetails.com/cve/CVE-2018-17456/
- https://www.cvedetails.com/cve/CVE-2018-15473/
- https://www.cvedetails.com/cve/CVE-2019-9851/
This is an insecure Docker container which should only be used for local environments.
This application is for academic and educational purposes.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.
Configuring your own environment requires a virtual machine or a local environment.
A step-by-step series of examples to recreate on your own environment.
Update your system packages:
sudo apt-get update && sudo apt-get upgrade
For most downloads, follow the Docker download page (DOCKER). To install Docker via the command line, run:
sudo apt-get install docker.io
Check whether it is installed:
sudo systemctl status docker
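Add your default user to the docker group to execute Docker commands without sudo (log out and back in for the change to take effect). Members of this group have root-equivalent access to the host.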
sudo usermod -aG docker ${USER}
This Dockerfile requires the addition of Docker Compose, a separate package which needs to be pulled using the curl tool.
sudo apt-get install curl
Download Docker Compose:
sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
Change file permission to be executable:
sudo chmod +x /usr/local/bin/docker-compose
In order to run the Dockerfile, first pull the repository from GitHub using Git:
sudo apt-get install git
Use Git to pull the repository:
git clone https://github.com/SamP10/VulnerableDockerfile.git
When the download has completed, change directory to that of vulnContainer within VulnerableDockerfile.
The directory contains userfiles, Dockerfiles, an SQL script and a Docker Compose file.
cd VulnerableDockerfile/vulnContainer
In order to install the insecure website, you will need to pull the UniVulnerableWebsite repository using git:
git clone https://github.com/SamP10/UniVulnerableWebsite.git
Docker Compose creates all networks and images just through one file. Use the docker-compose command to build the environment as follows:
docker-compose up -d
This will create 3 images: httpd apache server, mariadb server and the vulnerable container.
It will copy the SQL file into /tmp. To import the database for the web server, you must interact with the live container using the following command:
docker exec -it container_id /bin/bash
Once inside the container, run the following commands to import the SQL database which the website uses.
user@container:>mysql -u root -p
mysql> CREATE DATABASE university;
mysql> exit;
user@container:>cd /tmp
user@container:/tmp>mysql -u root -p university<uni.sql
The database is preserved in a Docker volume, so this only needs setting up once. To power down the containers, use:
docker-compose down
Navigate to ipaddress:8080/login.php
Voila! Installation of working environment completed.
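To check the "local environments only" requirement once the containers are up, the following added example (not part of the VulnerableDockerfile repository) lists every published port that is bound to an address other than loopback. The container names and port mappings in the sample are constructed; on a live host, pipe `docker ps --format '{{.Names}} {{.Ports}}'` into the function instead.

```sh
#!/bin/sh
# Added example, not code from the VulnerableDockerfile repository.
# Reads "NAME PORTS" lines as printed by
#   docker ps --format '{{.Names}} {{.Ports}}'
# and prints each published port that is NOT bound to loopback.

non_loopback_bindings() {
    while read -r name ports; do
        [ -n "$name" ] || continue
        # PORTS is comma-separated, e.g. "0.0.0.0:21->21/tcp, 3306/tcp"
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r entry; do
            # Entries without "->" are exposed to other containers only,
            # not published on the host, so they are skipped.
            case "$entry" in *"->"*) ;; *) continue ;; esac
            host=${entry%%"->"*}   # e.g. "0.0.0.0:8080", ":::8080", "[::]:8080"
            host=${host%:*}        # drop the host port (or port range)
            case "$host" in
                127.*|"[::1]"|::1) ;;                    # loopback only
                *) printf '%s %s\n' "$name" "$entry" ;;  # reachable off-host
            esac
        done
    done
}

# Constructed sample of `docker ps` output (names and mappings are made up).
SAMPLE='lab_web 0.0.0.0:8080->80/tcp, :::8080->80/tcp
lab_db 3306/tcp
lab_vuln 127.0.0.1:2222->22/tcp, 0.0.0.0:21->21/tcp'

printf '%s\n' "$SAMPLE" | non_loopback_bindings
```

Any line printed means that service can be reached from other hosts on the network. Publishing the port as `127.0.0.1:HOST_PORT:CONTAINER_PORT` in the compose file's `ports:` list, or firewalling the host, keeps it local.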
Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.
We use SemVer for versioning. For the versions available, see the tags on this repository.
- Sam Plant - Code work - Sam Plant
- Billie Thompson - Initial work - PurpleBooth
See also the list of contributors who participated in this project.
This project is licensed under the MIT License - see the LICENSE.md file for details.
- Hat tip to anyone whose code was used.