pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
Description

Summary

The folder /.pyload/scripts contains scripts that are run when certain actions complete, e.g. when a download finishes. By downloading an executable file into a folder under /scripts and then triggering the corresponding action, remote code execution can be achieved. A file can be placed in such a folder by changing the download folder to a path under /scripts and using the /flashgot API to download the file.

Details

Configuration changes

1. Change the download folder to /home/<user>/.pyload/scripts
2. Change permissions for downloaded files:
   1. Change permissions of downloads: on
   2. Permission mode for downloaded files: 0744

Making the request to download files

The flashgot API provides functionality to download files from a provided URL. Although pyLoad tries to prevent non-local requests from reaching this API, it relies on checking the Host header and the Referer header of the incoming request. Both of these can be set by an attacker to arbitrary values, thereby bypassing these checks.

Referer header check

```python
import flask

def flashgot():
    # Only the client-supplied Referer header is consulted here.
    if flask.request.referrer not in (
        "https://localhost:9666/flashgot",
        "https://127.0.0.1:9666/flashgot",
    ):
        flask.abort(500)
    …
```

Host header check for local check

```python
from functools import wraps

import flask

def local_check(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
        http_host = flask.request.environ.get("HTTP_HOST", "0")
        if remote_addr in …
```
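To make the weakness concrete, here is an added illustration (not pyLoad's code) of why a locality check based on Host and Referer is satisfiable by any client, next to a variant keyed on the TCP peer address and a small detection helper that flags mismatches between the two. It works on plain WSGI environ dicts, so it runs without Flask; the request values and the helper names are constructed for this example.

```python
# Added example (not pyLoad's code): header-based vs. peer-based "local" checks.
# The environ dicts below are constructed WSGI environ subsets.
from typing import Dict

LOCAL_REFERERS = ("https://localhost:9666/flashgot", "https://127.0.0.1:9666/flashgot")
LOCAL_HOSTS = ("localhost:9666", "127.0.0.1:9666")
LOOPBACK_PEERS = ("127.0.0.1", "::1")


def header_based_local_check(environ: Dict[str, str]) -> bool:
    """Accept if Host and Referer look local. Both values are copied verbatim
    from the client's request line, so any client can choose them."""
    return (environ.get("HTTP_HOST", "0") in LOCAL_HOSTS
            and environ.get("HTTP_REFERER", "0") in LOCAL_REFERERS)


def peer_based_local_check(environ: Dict[str, str]) -> bool:
    """Accept only if the TCP peer is loopback. REMOTE_ADDR is filled in by the
    server from the socket, not by the client. Assumption: no reverse proxy is
    in front of the app; behind one, REMOTE_ADDR would be the proxy's address."""
    return environ.get("REMOTE_ADDR", "0") in LOOPBACK_PEERS


def spoofed_local_request(environ: Dict[str, str]) -> bool:
    """Detection helper: headers claim localhost but the peer is not loopback."""
    return header_based_local_check(environ) and not peer_based_local_check(environ)


# Constructed sample requests.
GENUINE_LOCAL = {"REMOTE_ADDR": "127.0.0.1", "HTTP_HOST": "localhost:9666",
                 "HTTP_REFERER": "https://localhost:9666/flashgot"}
FORGED_HEADERS = {"REMOTE_ADDR": "203.0.113.7", "HTTP_HOST": "localhost:9666",
                  "HTTP_REFERER": "https://localhost:9666/flashgot"}

if __name__ == "__main__":
    for name, env in (("genuine", GENUINE_LOCAL), ("forged", FORGED_HEADERS)):
        print(name,
              "header check:", header_based_local_check(env),
              "peer check:", peer_based_local_check(env),
              "spoof flagged:", spoofed_local_request(env))
```

Logging requests for which spoofed_local_request() is true gives a cheap signal that someone is presenting localhost headers from a non-loopback address.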
