suyashvsingh / rce70-lambda

Serverless files for RCE70

Shell command execution on site rce70.vercel.app, if using Python, C/C++ and Java #1

Open Reedus0 opened 11 months ago

Reedus0 commented 11 months ago

Description

Allowing users to write arbitrary code causes shell command execution.

Proof of concept

  1. Go to https://rce70.vercel.app/
  2. Choose one of the languages: Python, C/C++
  3. Use code down below for your language
  4. Run the code

### Python

```python
import os

os.system("whoami")
```

### C/C++

```c
#include <stdio.h>
#include <stdlib.h>   /* system() */

int main() {
    system("whoami");
    return 0;
}
```



# Impact
This vulnerability can cause sensitive data exposure; for example, AWS secret keys and tokens could be exposed. The Java language is also affected by this vulnerability.
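The impact the report describes comes from the submitted code inheriting the runner's process environment, which on AWS Lambda carries the function's temporary credentials in `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`. The following is an added example, not code from the rce70-lambda project or from the reporter: it runs a constructed piece of "user code" once with an inherited environment and once with every `AWS_*` variable scrubbed, so the difference is observable offline. The environment dictionary and its credential values are made up for the demonstration; `run_unsafely`, `scrubbed_env` and `run_with_scrubbed_env` are hypothetical helper names.

```python
import os
import subprocess
import sys

# Constructed stand-in for a Lambda runtime environment. The variable names are
# the ones Lambda really sets; the values are invented for this example.
CONSTRUCTED_LAMBDA_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEKEY",
    "AWS_SECRET_ACCESS_KEY": "constructed-secret-for-demo",
    "AWS_SESSION_TOKEN": "constructed-token-for-demo",
    "AWS_LAMBDA_FUNCTION_NAME": "rce70-runner",
}

# Constructed "user code": reads the credential from the environment, which is
# what a submitted os.system("env") or system("env") would reveal on the site.
USER_CODE = (
    "import os\n"
    "print(os.environ.get('AWS_SECRET_ACCESS_KEY', '<not present>'))\n"
)


def run_code(code: str, env: dict) -> str:
    """Run the submitted code in a child interpreter with the given environment."""
    result = subprocess.run(
        [sys.executable, "-c", code],
        env=env,
        capture_output=True,
        text=True,
        timeout=5,  # always bound untrusted execution time
    )
    return result.stdout.strip()


def run_unsafely(code: str, parent_env: dict) -> str:
    """The risky pattern: the child inherits the runner's full environment."""
    return run_code(code, parent_env)


def scrubbed_env(parent_env: dict) -> dict:
    """Keep only what the child needs (PATH) and drop every AWS_* variable."""
    return {
        name: value
        for name, value in parent_env.items()
        if not name.startswith("AWS_")
    }


def run_with_scrubbed_env(code: str, parent_env: dict) -> str:
    """Run the submitted code without the runner's credentials in its environment."""
    return run_code(code, scrubbed_env(parent_env))


if __name__ == "__main__":
    print("inherited env :", run_unsafely(USER_CODE, CONSTRUCTED_LAMBDA_ENV))
    print("scrubbed env  :", run_with_scrubbed_env(USER_CODE, CONSTRUCTED_LAMBDA_ENV))
```

Scrubbing the environment closes only the path this report names. Code that can call `system()` still runs with the runner's filesystem and network access, so a code-execution service needs a proper sandbox (a separate container or microVM that holds no credentials at all) rather than environment filtering alone.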
suyashvsingh commented 10 months ago

Thanks for bringing it to my notice.