apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/tests/dynamic_fixtures/java/servlet_dopost/Vuln.java
Eli Peter 991c84a1eb
Dynamic (#77)
2026-06-05 10:16:30 -05:00

23 lines
796 B
Java
Raw Blame History

// Phase 14 — servlet doPost, vulnerable.
//
// Reads the POST body from the request stub and feeds it through
// `/bin/sh -c`.
import java.io.BufferedReader;
import java.io.InputStreamReader;
public class Vuln {
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws Exception {
System.out.print("__NYX_SINK_HIT__\n");
String input = req.getBody();
if (input == null) input = "";
String[] cmd = {"/bin/sh", "-c", "echo hello " + input};
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
resp.write(line + "\n");
}
p.waitFor();
}
}
Reference in a new issue View git blame Copy permalink