nyx/tests/dynamic_fixtures/java/servlet_doget/Vuln.java

// Phase 14 — servlet doGet, vulnerable.
//
// Reads the `payload` query parameter from the request stub and feeds
// it through `/bin/sh -c` — payload `; echo NYX_PWN_CMDI` fires the
// cmdi oracle marker.

import java.io.BufferedReader;
import java.io.InputStreamReader;

public class Vuln {
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {
        System.out.print("__NYX_SINK_HIT__\n");
        String input = req.getParameter("payload");
        if (input == null) input = "";
        String[] cmd = {"/bin/sh", "-c", "echo hello " + input};
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = reader.readLine()) != null) {
            resp.write(line + "\n");
        }
        p.waitFor();
    }
}
Dynamic (#77) 2026-06-05 10:16:30 -05:00			`// Phase 14 — servlet doGet, vulnerable.`
			`//`
			// Reads the `payload` query parameter from the request stub and feeds
			// it through `/bin/sh -c` — payload `; echo NYX_PWN_CMDI` fires the
			`// cmdi oracle marker.`

			`import java.io.BufferedReader;`
			`import java.io.InputStreamReader;`

			`public class Vuln {`
			`public void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {`
			`System.out.print("__NYX_SINK_HIT__\n");`
			`String input = req.getParameter("payload");`
			`if (input == null) input = "";`
			`String[] cmd = {"/bin/sh", "-c", "echo hello " + input};`
			`Process p = Runtime.getRuntime().exec(cmd);`
			`BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));`
			`String line;`
			`while ((line = reader.readLine()) != null) {`
			`resp.write(line + "\n");`
			`}`
			`p.waitFor();`
			`}`
			`}`