Shi

Egg (https://www.eggjs.org) is a popular JavaScript framework.

Let's create a dummy egg.js boilerplate with microservice type:

npm init egg --type=simple

Let's add some sample code that is vulnerable to OS command injection to app/controller/home.js:

$ cat app/controller/home.js
'use strict';
const Controller = require('egg').Controller;

class HomeController extends Controller {
  async index() {
    const { ctx } = this;
    console.log('cmd = ' + ctx.query.cmd);
    // Deliberately vulnerable: the cmd query parameter reaches a shell unvalidated.
    const exec = require('child_process').exec;
    const cmdProcess = exec(ctx.query.cmd);
    // Command output goes to the server's stdout, not to the HTTP response.
    cmdProcess.stdout.pipe(process.stdout);
    this.ctx.body = 'hello, egg, from Shi Chao ^^^^^^! ';
  }
}

module.exports = HomeController;

Launch the target app with:

npm run dev

Send a payload containing the Linux command date:

curl localhost:7001/?cmd=date

We can see that the system date command is triggered and the date is printed on the server side.
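A hardened counterpart to the controller above, as an added example that is not part of the original post: the client picks a key from an allow-list and the server runs a fixed binary through execFile, so no shell ever parses request data. The names ALLOWED_COMMANDS, resolveCommand and runAllowed, and the binary paths, are assumptions made for illustration.

```javascript
'use strict';
// Added example, not from the original post. ALLOWED_COMMANDS, resolveCommand
// and runAllowed are hypothetical names; binary paths assume a typical Linux host.
const { execFile } = require('child_process');
const { promisify } = require('util');
const execFileAsync = promisify(execFile);

// The client sends a key, never a command line. A Map (not a plain object)
// keeps keys such as "constructor" or "__proto__" from resolving to anything.
const ALLOWED_COMMANDS = new Map([
  ['date', { file: '/bin/date', args: ['-u'] }],
  ['uptime', { file: '/usr/bin/uptime', args: [] }],
]);

// Map an untrusted query value to an allow-listed entry, or null.
function resolveCommand(input) {
  if (typeof input !== 'string') return null; // e.g. parameter missing
  return ALLOWED_COMMANDS.get(input) || null;
}

// Run an allow-listed command and return its trimmed stdout.
async function runAllowed(input) {
  const entry = resolveCommand(input);
  if (!entry) throw new Error('command not allowed');
  // execFile starts the binary directly with an argv array: no shell is
  // involved, so ;, &&, | and $() in request data are never interpreted.
  const { stdout } = await execFileAsync(entry.file, entry.args, {
    timeout: 2000,                  // kill a hung child after 2 s
    maxBuffer: 64 * 1024,           // cap captured output
    env: { PATH: '/usr/bin:/bin' }, // do not inherit the server's environment
  });
  return stdout.trim();
}

// In the controller, the vulnerable exec(ctx.query.cmd) call would become:
//   ctx.body = await runAllowed(ctx.query.cmd);
```

With this in place, a request such as ?cmd=date%3Bid is rejected before any process is spawned, because the whole string is looked up as a key rather than parsed as a command line.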

--

--

my reading notes

Compared to normal k8s, OpenShift offers the following advantages:

support:

Normal k8s typically offers 12 months of patches and fixes, while OC offers 3 years or more of LTS support for both the operating system and container orchestration, which is what large enterprise customers want.

toolings for developers:

- Source to image
- Built-in private repo
- Image stream
- Base image catalog
- Built-in support for LB/ingress/URL

toolings for IT operations:

- RHCOS (operating immutability)
- machine level scaling
- a lot more

--

--

On Ubuntu 18.04, the latest Maven version from apt is still Apache Maven 3.6.0, which doesn't support JDK 17, and we get the error in the title above when executing mvn install.

To fix this, we need to manually download and install apache-maven-3.8.5.

cd /tmp
wget https://dlcdn.apache.org/maven/maven-3/3.8.5/binaries/apache-maven-3.8.5-bin.tar.gz
tar xvf apache-maven-3.8.5-bin.tar.gz
cd /usr/share/maven
# -r is required: bin/, boot/, conf/ and lib/ are directories and a plain cp skips them
sudo cp -r /tmp/apache-maven-3.8.5/* .

Now we have:

$ mvn -version
Apache Maven 3.8.5 (3599d3414f046de2324203b78ddcf9b5e4388aa0)
Maven home: /usr/share/maven
Java version: 17.0.3, vendor: Private Build, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en, platform encoding: UTF-8
OS name: "linux", version: "5.4.0-1072-aws", arch: "amd64", family: "unix"

Verify:

git clone https://github.com/WebGoat/WebGoat/
cd WebGoat/
mvn clean install -DskipTests
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 34.203 s
[INFO] Finished at: 2022-05-14T01:56:47Z
[INFO] ------------------------------------------------------------------------

--

--

Shi


I am a coder/engineer/application security specialist. I like to play around with language and tools; I have a strong interest in efficiency improvement.