{"id":22799794,"url":"https://github.com/chocapikk/cve-2024-7954","last_synced_at":"2025-04-19T16:44:05.762Z","repository":{"id":253382980,"uuid":"840829976","full_name":"Chocapikk/CVE-2024-7954","owner":"Chocapikk","description":"Unauthenticated Remote Code Execution in SPIP versions up to and including 4.2.12","archived":false,"fork":false,"pushed_at":"2024-08-12T13:46:06.000Z","size":126,"stargazers_count":10,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-29T10:23:13.263Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Chocapikk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-10T20:15:41.000Z","updated_at":"2024-12-25T19:00:23.000Z","dependencies_parsed_at":"2024-08-16T11:20:31.436Z","dependency_job_id":null,"html_url":"https://github.com/Chocapikk/CVE-2024-7954","commit_stats":null,"previous_names":["chocapikk/spip_rce"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2024-7954","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2024-7954/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2024-7954/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2024-7954/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Chocapikk","download_url":"https://codeload.github.com/Chocapikk/CVE-2024-7954/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249740845,"owners_count":21318710,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-12T07:09:58.799Z","updated_at":"2025-04-19T16:44:05.742Z","avatar_url":"https://github.com/Chocapikk.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🚀 SPIP Unauthenticated RCE Exploit\n\n![Exploit Execution](./img/help.png)\n\nThis repository contains a Python script that exploits a **Remote Code Execution (RCE) vulnerability** in SPIP versions up to and including **4.2.12**. The vulnerability arises from SPIP’s templating system, where it incorrectly handles user-supplied input, allowing an attacker to inject and execute arbitrary PHP code.\n\n## 🛠 Vulnerable Application\n\nThe vulnerability is triggered by crafting a payload that manipulates the templating data processed by the `echappe_retour()` function, which in turn invokes `traitements_previsu_php_modeles_eval()`, containing an `eval()` call.\n\n### 🐳 Docker Setup\n\nTo set up a vulnerable environment for testing, use the following Docker Compose file:\n\n```yaml\nversion: '3.8'\n\nservices:\n  db:\n    image: mariadb:10.5\n    restart: always\n    environment:\n      - MYSQL_ROOT_PASSWORD=MysqlRootPassword\n      - MYSQL_DATABASE=spip\n      - MYSQL_USER=spip\n      - MYSQL_PASSWORD=spip\n    networks:\n      - spip-network\n\n  app:\n    image: ipeos/spip:4.2.12\n    restart: always\n    depends_on:\n      - db\n    environment:\n      - SPIP_AUTO_INSTALL=1\n      - SPIP_DB_SERVER=db\n      - SPIP_DB_LOGIN=spip\n      - SPIP_DB_PASS=spip\n      - SPIP_DB_NAME=spip\n      - SPIP_SITE_ADDRESS=http://localhost:8880\n    ports:\n      - 8880:80\n    networks:\n      - spip-network\n\nnetworks:\n  spip-network:\n    driver: bridge\n```\n\n### ✅ Verification Steps\n\n1. 🏗 **Set up** a SPIP instance using the provided Docker Compose configuration.\n2. 🌐 **Ensure** that the SPIP instance is accessible on your local network.\n3. 📂 **Clone** this repository and navigate to the directory containing the Python exploit script.\n\n## 🛠 Usage\n\nTo use the Python exploit script, follow these steps:\n\n### 💻 Command Line Options\n\n- `-u` or `--url`: The **🌐 target URL** that you want to scan and potentially exploit.\n- `-f` or `--file`: File containing a **📂 list of URLs** to scan for vulnerabilities.\n- `-t` or `--threads`: The number of **⚙️ threads** to use during scanning. Defaults to `50`.\n- `-o` or `--output`: Specify an **💾 output file** to save the list of vulnerable URLs.\n\n### 🎯 Examples\n\n- **Single URL Exploitation:**\n\n  ```sh\n  python exploit.py -u http://localhost:8880\n  ```\n\n  This will scan and attempt to exploit the specified target URL.\n\n- **Scanning Multiple URLs:**\n\n  ```sh\n  python exploit.py -f urls.txt -t 100 -o results.txt\n  ```\n\n  This will scan the URLs listed in `urls.txt`, using 100 threads, and save the vulnerable URLs to `results.txt`.\n\n## 📸 Example Command Output\n\n![Command Output](./img/spip_url_output.png)\n\nThe above screenshot demonstrates the successful execution of the exploit, displaying the resulting reverse shell or command output from a vulnerable SPIP instance.\n\n## 🛑 _**Use this tool responsibly.**_\n\nThis exploit should only be used for educational purposes or on systems you own or have explicit permission to test. Unauthorized use of this tool is illegal and unethical.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchocapikk%2Fcve-2024-7954","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchocapikk%2Fcve-2024-7954","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchocapikk%2Fcve-2024-7954/lists"}