/** * OWASP Benchmark Project v1.2 * * This file is part of the Open Web Application Security Project (OWASP) * Benchmark Project. For details, please see * <a href="https://www.owasp.org/index.php/Benchmark">https://www.owasp.org/index.php/Benchmark</a>. * * The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software Foundation, version 2. * * The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * @author Nick Sanidas <a href="https://www.aspectsecurity.com">Aspect Security</a> * @created 2015 */ package org.owasp.benchmark.testcode; import java.io.IOException; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @WebServlet(value="/cmdi-00/BenchmarkTest00305") public class BenchmarkTest00305 extends HttpServlet { private static final long serialVersionUID = 1L; @Override public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request, response); } @Override public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html;charset=UTF-8"); String param = ""; java.util.Enumeration<String> headers = request.getHeaders("BenchmarkTest00305"); if (headers != null && headers.hasMoreElements()) { param = headers.nextElement(); // just grab first element } // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters(). param = java.net.URLDecoder.decode(param, "UTF-8"); // Chain a bunch of propagators in sequence String a99928 = param; //assign StringBuilder b99928 = new StringBuilder(a99928); // stick in stringbuilder b99928.append(" SafeStuff"); // append some safe content b99928.replace(b99928.length()-"Chars".length(),b99928.length(),"Chars"); //replace some of the end content java.util.HashMap<String,Object> map99928 = new java.util.HashMap<String,Object>(); map99928.put("key99928", b99928.toString()); // put in a collection String c99928 = (String)map99928.get("key99928"); // get it back out String d99928 = c99928.substring(0,c99928.length()-1); // extract most of it String e99928 = new String( org.apache.commons.codec.binary.Base64.decodeBase64( org.apache.commons.codec.binary.Base64.encodeBase64( d99928.getBytes() ) )); // B64 encode and decode it String f99928 = e99928.split(" ")[0]; // split it on a space org.owasp.benchmark.helpers.ThingInterface thing = org.owasp.benchmark.helpers.ThingFactory.createThing(); String g99928 = "barbarians_at_the_gate"; // This is static so this whole flow is 'safe' String bar = thing.doSomething(g99928); // reflection String cmd = ""; String a1 = ""; String a2 = ""; String[] args = null; String osName = System.getProperty("os.name"); if (osName.indexOf("Windows") != -1) { a1 = "cmd.exe"; a2 = "/c"; cmd = "echo "; args = new String[]{a1, a2, cmd, bar}; } else { a1 = "sh"; a2 = "-c"; cmd = org.owasp.benchmark.helpers.Utils.getOSCommandString("ls "); args = new String[]{a1, a2, cmd + bar}; } String[] argsEnv = { "foo=bar" }; Runtime r = Runtime.getRuntime(); try { Process p = r.exec(args, argsEnv, new java.io.File(System.getProperty("user.dir"))); org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response); } catch (IOException e) { System.out.println("Problem executing cmdi - TestCase"); response.getWriter().println( org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()) ); return; } } }