https://github.com/chocapikk/cve-2024-7954
Unauthenticated Remote Code Execution in SPIP versions up to and including 4.2.12
- Host: GitHub
- URL: https://github.com/chocapikk/cve-2024-7954
- Owner: Chocapikk
- Created: 2024-08-10T20:15:41.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-08-12T13:46:06.000Z (almost 2 years ago)
- Last Synced: 2025-03-29T10:23:13.263Z (about 1 year ago)
- Language: Python
- Homepage: https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/
- Size: 123 KB
- Stars: 10
- Watchers: 2
- Forks: 4
- Open Issues: 0
- Readme: README.md
# 🚀 SPIP Unauthenticated RCE Exploit

This repository contains a Python script that exploits a **Remote Code Execution (RCE) vulnerability** in SPIP versions up to and including **4.2.12**. The vulnerability arises in SPIP's templating system, which mishandles user-supplied input and allows an attacker to inject and execute arbitrary PHP code.
## 🛠 Vulnerable Application
The vulnerability is triggered by crafting a payload that manipulates the templating data processed by the `echappe_retour()` function, which in turn invokes `traitements_previsu_php_modeles_eval()`, a function that contains an `eval()` call.
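For defenders doing inventory, the practical question is whether an instance sits at or below 4.2.12. The helper below is an added example, not code from this repository; it parses a version string out of a banner (the `Composed-By` header and the `<meta name="generator">` tag formats are assumptions, and the sample banners are constructed) and compares it numerically, because a plain string comparison wrongly ranks `4.2.9` above `4.2.12`.

```python
from __future__ import annotations
import re

# Last affected release named on this page; anything at or below it is in scope.
LAST_AFFECTED = (4, 2, 12)


def parse_version(text: str) -> tuple[int, ...] | None:
    """Extract a dotted numeric version such as '4.2.12' from a banner string."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: tuple[int, ...]) -> bool:
    """Numeric tuple comparison against LAST_AFFECTED.

    Missing components are treated as 0, so (4, 2) means 4.2.0.
    Tuples compare element-wise, which avoids the '4.2.9' > '4.2.12'
    trap of comparing version strings lexically.
    """
    padded = version + (0,) * max(0, len(LAST_AFFECTED) - len(version))
    return padded[: len(LAST_AFFECTED)] <= LAST_AFFECTED


def triage(banner: str) -> dict:
    """Build a small triage record for one inventory line.

    'affected' is None when the banner does not identify SPIP at all,
    so an unknown version is never silently reported as safe.
    """
    version = parse_version(banner) if "SPIP" in banner else None
    return {
        "version": ".".join(map(str, version)) if version else None,
        "affected": is_affected(version) if version else None,
    }


if __name__ == "__main__":
    # Constructed sample banners (assumed formats, not captured from a real host).
    samples = [
        'Composed-By: SPIP 4.2.9 @ www.spip.net',
        '<meta name="generator" content="SPIP 4.2.12" />',
        '<meta name="generator" content="SPIP 4.3.1" />',
        'Server: nginx',
    ]
    for line in samples:
        print(triage(line), "<-", line)
```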
### 🐳 Docker Setup
To set up a vulnerable environment for testing, use the following Docker Compose file:
```yaml
version: '3.8'
services:
  db:
    image: mariadb:10.5
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=MysqlRootPassword
      - MYSQL_DATABASE=spip
      - MYSQL_USER=spip
      - MYSQL_PASSWORD=spip
    networks:
      - spip-network
  app:
    image: ipeos/spip:4.2.12
    restart: always
    depends_on:
      - db
    environment:
      - SPIP_AUTO_INSTALL=1
      - SPIP_DB_SERVER=db
      - SPIP_DB_LOGIN=spip
      - SPIP_DB_PASS=spip
      - SPIP_DB_NAME=spip
      - SPIP_SITE_ADDRESS=http://localhost:8880
    ports:
      - 8880:80
    networks:
      - spip-network
networks:
  spip-network:
    driver: bridge
```
### ✅ Verification Steps
1. 🏗 **Set up** a SPIP instance using the provided Docker Compose configuration.
2. 🌐 **Ensure** that the SPIP instance is accessible on your local network.
3. 📂 **Clone** this repository and navigate to the directory containing the Python exploit script.
## 🛠 Usage
To use the Python exploit script, follow these steps:
### 💻 Command Line Options
- `-u` or `--url`: The **🌐 target URL** that you want to scan and potentially exploit.
- `-f` or `--file`: File containing a **📂 list of URLs** to scan for vulnerabilities.
- `-t` or `--threads`: The number of **⚙️ threads** to use during scanning. Defaults to `50`.
- `-o` or `--output`: Specify an **💾 output file** to save the list of vulnerable URLs.
### 🎯 Examples
- **Single URL Exploitation:**
```sh
python exploit.py -u http://localhost:8880
```
This will scan and attempt to exploit the specified target URL.
- **Scanning Multiple URLs:**
```sh
python exploit.py -f urls.txt -t 100 -o results.txt
```
This will scan the URLs listed in `urls.txt`, using 100 threads, and save the vulnerable URLs to `results.txt`.
## 📸 Example Command Output

(Screenshot not reproduced in this copy.) The screenshot in the original README shows a successful run of the exploit, displaying the resulting reverse shell or command output from a vulnerable SPIP instance.
## 🛑 _**Use this tool responsibly.**_
This exploit should only be used for educational purposes or on systems you own or have explicit permission to test. Unauthorized use of this tool is illegal and unethical.