Project training of Software College of Shandong University - Innovation Training - network attack and defense shooting range experimental platform of Software College of Shandong University (XXV) - p

2022-06-12 17:33:00 A stranger_

Personal summary of the project

From contacting the instructor and choosing a topic during the winter vacation until today (June 10), it took four months, and through very good cooperation our team completed the project. After the preliminary planning and analysis of the project in March, we held the opening defense. After passing it, we discussed and studied the overall system architecture and the main technical points in detail, and then divided the work within the group. Through continuous discussion within the group, and with the help of the instructor, we overcame one technical difficulty after another and finally exceeded the planned goal. At the opening defense, the plan was to implement 10 vulnerabilities; our final system implements 12 vulnerabilities with 28 ranges in total, along with 12 tools, 7 code audits, WriteUps, and course experiment management functions on the teacher side.

The cyberspace security vulnerability range built in this project training uses Java as the main development language, with the front-end/back-end separated framework most common in current engineering practice: Spring Boot + Vue + MyBatis. The front-end interface is developed with Node.js services and CSS style libraries such as Element UI. For server deployment, we used Docker packaging. The server is a Tencent Cloud 2-core 4G instance with 6M bandwidth running CentOS 7.6; the database is MySQL 5.6, the JDK is version 1.8, and Docker is Community 20.10.17.

Because each target machine in the project is a web interface with vulnerabilities, we have to take precautions deliberately; otherwise an attacker could exploit these vulnerable environments to attack our host server and crash the system. To avoid this, after discussion we proposed a plan for dynamically deploying ranges based on Docker: whenever a user does an experiment, a target container is created dynamically for that user and that experiment topic. After submitting the flag, the user can choose whether to destroy the range. However, a user can only have one container at a time, so a user who does not destroy the container for this topic will not be able to create a new container environment for other topics. This prevents malicious users from using the vulnerabilities reproduced on the platform as a springboard to attack the server, and so guarantees the security of the whole system.
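The one-container-per-user rule described above, sketched as an added example (not the project's own code, which is Java/Spring Boot). The class and function names, the image names, and the `docker run` hardening flags (capability drop, memory and PID limits) are assumptions, not settings taken from the project.

```python
import subprocess
import threading
import uuid

class RangeBusy(Exception):
    """Raised when the user still owns a container for another topic."""

def docker_cli(argv):
    """Default runner: invoke the real docker CLI (argv list, no shell)."""
    return subprocess.run(["docker", *argv], check=True,
                          capture_output=True, text=True).stdout.strip()

class RangeManager:
    """Hypothetical lease table: at most one live target container per user."""

    def __init__(self, runner=docker_cli):
        self._run = runner
        self._lock = threading.Lock()
        self._leases = {}  # user_id -> (topic, container_name)

    def create(self, user_id, topic, image):
        name = "range-" + uuid.uuid4().hex[:12]  # never built from user input
        with self._lock:  # check and reserve atomically
            if user_id in self._leases:
                raise RangeBusy(f"destroy '{self._leases[user_id][0]}' first")
            self._leases[user_id] = (topic, name)
        try:
            # Hardening flags below are assumptions, not the project's settings.
            self._run(["run", "-d", "--rm", "--name", name,
                       "--label", f"range.user={user_id}",
                       "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
                       "--memory", "256m", "--pids-limit", "128",
                       "-P", image])
        except Exception:
            with self._lock:  # start failed: release the slot
                self._leases.pop(user_id, None)
            raise
        return name

    def destroy(self, user_id):
        with self._lock:
            lease = self._leases.get(user_id)
        if lease is None:
            return False
        self._run(["rm", "-f", lease[1]])  # slot stays held if removal fails
        with self._lock:
            self._leases.pop(user_id, None)
        return True
```

The runner is injectable so the lease logic can be exercised without a Docker daemon; in a multi-instance deployment the lease table would have to live in the shared database rather than in process memory.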

In this project, I was mainly responsible for developing some of the vulnerable target machines, including: RCE vulnerability, SQL injection vulnerabilities (including SQL injection with parentheses, SQL injection with unsafe filtering, and SQL injection with non-recursive filtering), file upload, file download vulnerability, XXE vulnerability, Java deserialization vulnerability, redirection vulnerability, and logical privilege escalation. I was also responsible for the WriteUp module and for developing some of the tools, including: a CMS fingerprint identification tool, a subdomain query tool, an IP query tool, and a port scanning tool; as well as the dynamic creation and destruction of Docker containers, overall project deployment, and so on. The total amount of code reached about 10,000 lines.

Through this project training, I gained a lot. The first gain is the improvement of learning ability. In my earlier development projects, I could hardly read official documentation, and I basically solved problems by searching for solutions on the Internet. After this project training, I learned to consult official documentation and realized how efficient it is for solving problems. The second is the improvement of communication ability. In this project training, our team consisted of five members, and there may be some communication between every two people. As the person mainly responsible for project deployment and for the dynamic creation and destruction of containers, I may have a lot of communication with each member, and I recognized the importance of communication in team development. The last is the technical improvement. After this project training, I learned Vue, Spring Boot, MyBatis, Docker and other mainstream frameworks and technologies. I learned the principles of the most common basic vulnerabilities, for example: XSS vulnerability, XXE vulnerability, RCE vulnerability, arbitrary file upload vulnerability, arbitrary file download vulnerability, logical privilege escalation, URL redirection vulnerability, Java deserialization vulnerability, SQL injection vulnerability and so on, and I can build target environments with various vulnerabilities by myself. I learned the principles of related cyberspace security tools, for example: CMS fingerprint identification, IP query, port scanning, subdomain query and so on, and I can implement these tools independently. Through this project training, we gained a deeper understanding of the relevant knowledge in the field of cyberspace security.

Finally, this project has great practical significance. As a complete project, the network security range system can be used as an experimental platform for the relevant professional courses of the cyberspace security experiment class. Our team had a discussion and exchange with Mr. Lin, who is responsible for the two courses "System Security" and "Network Attack and Prevention". Mr. Lin agrees with our project very much, and it promises to be a platform for experiment and practice in system security, where students' completion of the experiments can be counted toward the final examination as their regular grade.

With the end of the project defense, the main development work of the project has been completed. The system will be further maintained according to the needs of the teachers.

Copyright notice
This article was created by [A stranger_]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/163/202206121712026151.html