PoC details: 588e8358c586fa6caeb75e4c7262886dfb723dd3

Source
Related vulnerability
Title: SPIP security vulnerability (CVE-2023-27372)
Description: SPIP is free software for building Internet sites. SPIP versions before 4.2.1 contain a security vulnerability caused by improper handling of serialized data; an attacker can exploit it to execute code remotely.
Description
SPIP CVE-2023-27372 Unauthenticated RCE Exploit (Web Shell Upload)
Introduction
# SPIP CVE-2023-27372 Unauthenticated RCE Exploit (Web Shell Upload)

This Python script exploits CVE-2023-27372, an unauthenticated remote code execution vulnerability in SPIP CMS versions before 4.2.1. It abuses mishandled serialized form data in the password reset mechanism to write a web shell to the server, then gathers basic system information through that shell.

**Author:** [@ronkkeli](https://github.com/1Ronkkeli) (Script v1.2)
**TryHackMe:** [ronkkeli](https://tryhackme.com/p/ronkkeli)
**Original PoC Concept:** nuts7

## CVE Information

* **CVE ID:** CVE-2023-27372
* **CVSS Score:** 9.8 (Critical)
* **Affected Versions:** SPIP CMS versions < 4.2.1

## Vulnerability Description

An unauthenticated RCE vulnerability exists in the `reset_cache` function in `ecrire/inc/filtres.php`. That function consumes the `oubli` parameter of the password recovery page (`spip.php?page=spip_pass`). Because the serialized value is mishandled rather than validated, a specially crafted serialized payload in `oubli` lets an attacker inject arbitrary PHP code into the cache file `ecrire/data/cache/reset_cache.php`, which the application then executes. This script uses the flaw to call `file_put_contents` and write a persistent web shell to the server.

## Script Features (v1.2)

* Fetches the required Anti-CSRF token automatically.
* Constructs and sends the serialized payload to upload a web shell.
* Allows customization of the web shell's filename (`-f`).
* Allows customization of the web shell's PHP code (`-d`).
* **Enhanced Post-Exploit Check:** Verifies shell upload and attempts to gather basic system info (`whoami`, `hostname`, `uname`, `id`, `pwd`) using the shell.
* Presents gathered information in a clean, aligned format.
* Provides colorized output for better readability.
* Includes usage examples for reverse shells.

## Requirements

* Python 3.x
* `requests` library
* `beautifulsoup4` library

## Installation

```bash
pip install requests beautifulsoup4
```

File snapshot

[4.0K] /data/pocs/588e8358c586fa6caeb75e4c7262886dfb723dd3
├── [ 14K] cve.py
└── [1.8K] README.md

0 directories, 2 files