  • Nuclei Templates 연습문제 - level 2
    2024년 05월 08일 06시 32분 33초에 업로드 된 글입니다.
    작성자: IIIIIIIIIIIIIIIIIIIIl

    아래 문제 코드에서 취약점의 원인을 찾고, 해당 취약점을 탐지하는 Nuclei Template을 작성하시오.

    문제 내용

    import com.sun.net.httpserver.HttpExchange;
    import com.sun.net.httpserver.HttpHandler;
    import com.sun.net.httpserver.HttpServer;
    
    import java.io.IOException;
    import java.net.InetSocketAddress;
    import java.net.URI;
    
    /**
     * Challenge target: a minimal JDK {@code HttpServer} exposing {@code /redirect} on port 8080.
     *
     * <p>The handler copies the {@code url=} value of the query string straight into the
     * {@code Location} header, so any absolute URL supplied by the client is redirected to
     * without validation. That unvalidated redirect (an open redirect) is the behaviour the
     * exercise asks you to detect with a Nuclei template; the code intentionally keeps it.
     */
    public class OLevel1Classic {
        /** TCP port the challenge listens on. */
        private static final int PORT = 8080;
        /** Query-string prefix that selects the redirect target. */
        private static final String URL_PARAM = "url=";

        /**
         * Boots the server on the default (caller-thread) executor and returns; the server
         * thread keeps the JVM alive.
         *
         * @param args ignored
         * @throws IOException if port 8080 cannot be bound
         */
        public static void main(String[] args) throws IOException {
            HttpServer httpServer = HttpServer.create(new InetSocketAddress(PORT), 0);
            httpServer.createContext("/redirect", new RedirectHandler());
            httpServer.setExecutor(null); // null = dispatch handlers on the server's own thread
            httpServer.start();
            System.out.println("Server started on port 8080.");
        }

        /**
         * Answers every request under {@code /redirect} with an empty 302 whose target is
         * taken verbatim from the query string.
         */
        static class RedirectHandler implements HttpHandler {
            @Override
            public void handle(HttpExchange t) throws IOException {
                // URI.getQuery() is the percent-decoded query; null when there is none.
                String decodedQuery = t.getRequestURI().getQuery();
                String target = "/";
                // Only a query that *begins* with url= is honoured, and everything after the
                // prefix (including any further &key=value pairs) becomes the target.
                if (decodedQuery != null && decodedQuery.startsWith(URL_PARAM)) {
                    target = decodedQuery.substring(URL_PARAM.length());
                }
                // NOTE(review): no allow-list / same-origin check on target — this is the open
                // redirect the challenge is built around.
                t.getResponseHeaders().add("Location", target);
                t.sendResponseHeaders(302, -1); // -1: no response body
                t.close();
            }
        }
    }

    환경 구축하기 (의도적으로 취약한 서비스이므로 격리된 실습 네트워크 또는 로컬 호스트에서만 실행하세요)

    • docker-compose.yml:
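    # Deliberately vulnerable lab target (open redirect on /redirect).
    # The published port is bound to loopback so the service is reachable from the
    # host running nuclei but not from the rest of the network. Drop the 127.0.0.1
    # prefix only when the lab runs on an isolated network.
    version: '3.8'
    services:
        java:
            container_name: vsnippet-o-level1-classic
            build:
                context: .
                dockerfile: Dockerfile
            ports:
                - "127.0.0.1:8080:8080"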
    • Dockerfile
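    # Lab image for the open-redirect challenge. The Java program is run by supervisord
    # as root (see supervisord.conf), so treat the container as disposable and keep it
    # off any network you care about.
    # NOTE(review): the "openjdk" Docker Hub image is deprecated upstream; a maintained
    # JDK 11 base such as eclipse-temurin:11-jdk is the usual drop-in replacement.
    FROM openjdk:11

    # apt-get (not apt) for scripted use; --no-install-recommends keeps the image small;
    # removing the apt lists avoids shipping stale package metadata in the layer.
    RUN apt-get update -y \
     && apt-get install -y --no-install-recommends supervisor \
     && rm -rf /var/lib/apt/lists/*

    RUN mkdir -p /app

    WORKDIR /app

    # vsnippet/ presumably holds o-level1-classic.java; supervisord launches it in
    # JDK 11 source-file mode (java <file>.java), so no compile step is needed here.
    COPY vsnippet .
    COPY config/supervisord.conf /etc/supervisord.conf

    EXPOSE 8080

    ENTRYPOINT [ "/usr/bin/supervisord", "-c", "/etc/supervisord.conf" ]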
    • supervisord.conf
    ; supervisord runs in the foreground as the container's entrypoint process.
    [supervisord]
    ; NOTE(review): the managed java process inherits root as well (no user= under
    ; [program:java]); acceptable for a throwaway lab, not for anything else.
    user=root
    nodaemon=true
    ; supervisord's own log is discarded; program output is forwarded to the
    ; container's stdout/stderr below.
    logfile=/dev/null
    logfile_maxbytes=0
    pidfile=/run/supervisord.pid
    
    ; Runs the challenge in JDK 11 source-file mode (java <file>.java, no javac step).
    [program:java]
    command=java /app/o-level1-classic.java
    stdout_logfile=/dev/stdout
    stdout_logfile_maxbytes=0
    stderr_logfile=/dev/stderr
    stderr_logfile_maxbytes=0

     
