mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
20 lines
743 B
Java
20 lines
743 B
Java
// Command injection — positive fixture.
|
|
// Vulnerable: passes user input to /bin/sh -c via Runtime.exec.
|
|
// Entry: Entry.runPing(String) Cap: CODE_EXEC
|
|
// Expected verdict: Confirmed ("; echo NYX_PWN_CMDI" echoes the marker)
|
|
|
|
import java.io.*;
|
|
|
|
public class Entry {
|
|
public static void runPing(String host) throws Exception {
|
|
System.out.print("__NYX_SINK_HIT__\n");
|
|
String[] cmd = {"/bin/sh", "-c", "echo hello " + host};
|
|
Process p = Runtime.getRuntime().exec(cmd);
|
|
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
|
|
String line;
|
|
while ((line = reader.readLine()) != null) {
|
|
System.out.println(line);
|
|
}
|
|
p.waitFor();
|
|
}
|
|
}
|