This is a simple repository to demonstrate the effects of Java source invocation.
Start the server either by running ./run or by building the Dockerfile and running it in the current directory.
This will host the server on port 8000 and allow you to interact with the source invocation directly to try and hack the server:
mirror> curl http://127.0.0.1:8000/HelloWorld
Hello world!!!
You can upload files and try to bypass the security:
mirror> curl http://127.0.0.1:8000/WriteFile -X GET -d "file.txt
asdf"
Got filepath: file.txt
But the real trick is uploading a pure java file and watching the beauty of executing it:
mirror> curl http://127.0.0.1:8000/WriteFile -d "hello.java
public class Demo { public static void main(String[] args) { System.out.println(\"Demo hacked!!!\"); }}"
Got filepath: hello.java
mirror> curl http://127.0.0.1:8000/hello
Demo hacked!!!
Notice that the file upload will not accept .class files, and thus forces you to use source-file execution.
Also notice that the Dockerfile doesn't even have a JDK installed! How is it even compiling these Java files?!
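The upload behaviour above (.class refused, hello.java accepted) is what an extension blocklist produces. The following is an added example, not code from this repository, contrasting that blocklist with an allowlist plus path containment; the class name UploadPolicy, its method names and the allowed extensions are assumptions, since the server's real filter is not shown here.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;

public class UploadPolicy {
    // Assumption: the service only needs to accept these data formats.
    private static final Set<String> ALLOWED = Set.of("txt", "csv", "json");

    // Blocklist in the style the README describes: only .class is refused,
    // so hello.java is accepted.
    static boolean blocklistAccepts(String name) {
        return !name.toLowerCase(Locale.ROOT).endsWith(".class");
    }

    // Allowlist: a single plain file name with a known data extension.
    static boolean allowlistAccepts(String name) {
        if (name.isEmpty() || name.contains("/") || name.contains("\\") || name.contains("..")) {
            return false;
        }
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) return false;
        return ALLOWED.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    // Resolve inside a dedicated upload directory that is never used as a
    // launch target, and confirm the result did not escape it.
    static Path resolve(Path uploadDir, String name) throws IOException {
        if (!allowlistAccepts(name)) throw new IOException("rejected: " + name);
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base)) throw new IOException("escapes upload dir: " + name);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("uploads"); // constructed sample directory
        for (String n : new String[] {"file.txt", "hello.java", "Demo.class", "../run", "notes.TXT"}) {
            String verdict;
            try { resolve(dir, n); verdict = "stored"; } catch (IOException e) { verdict = e.getMessage(); }
            System.out.printf("%-12s blocklist=%-5b allowlist=%s%n", n, blocklistAccepts(n), verdict);
        }
    }
}
```

The blocklist accepts hello.java and ../run, while the allowlist stores only file.txt and notes.TXT.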