Land rapid7#19401, Add a mixin to get SPIP version and make use of it

dwelch-r7 · web-flow · commit 05cfe7c795c5 · 2024-08-30T13:07:02.000+01:00
diff --git a/lib/msf/core/exploit/remote/http/spip.rb b/lib/msf/core/exploit/remote/http/spip.rb
@@ -0,0 +1,46 @@
+# -*- coding: binary -*-
+
+module Msf
+module Exploit::Remote::HTTP::Spip
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to Spip install', '/'])
+    ])
+  end
+
+  # Determine Spip version
+  #
+  # @return [Rex::Version] Version as Rex::Version
+  def spip_version
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, "spip.php")
+    )
+
+    return unless res
+
+    version = nil
+
+    version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text
+    if version_string =~ /SPIP (.*)/
+      version = ::Regexp.last_match(1)
+    end
+
+    if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*)/
+      version = ::Regexp.last_match(1)
+    end
+
+    if version.nil?
+      return nil
+    end
+
+    return Rex::Version.new(version)
+  end
+
+end
+end
diff --git a/modules/exploits/unix/webapp/spip_connect_exec.rb b/modules/exploits/unix/webapp/spip_connect_exec.rb
@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HTTP::Spip
 
   def initialize(info = {})
     super(update_info(info,
@@ -49,30 +50,19 @@ def initialize(info = {})
   end
 
   def check
-    version = nil
-    uri = normalize_uri(target_uri.path, "spip.php")
-
-    res = send_request_cgi({ 'uri' => "#{uri}" })
-
-    if res and res.code == 200 and res.body =~ /<meta name="generator" content="SPIP (.*) \[/
-      version = $1
-    end
-
-    if version.nil? and res.code == 200 and res.headers["Composed-By"] =~ /SPIP (.*) @/
-      version = $1
-    end
+    version = spip_version()
 
     if version.nil?
       return Exploit::CheckCode::Unknown
     end
 
-    vprint_status("SPIP Version detected: #{version}")
+    print_status("SPIP Version detected: #{version}")
 
-    if version =~ /^2\.0/ and version < "2.0.21"
+    if version.between?(Rex::Version::new("2.0.0"), Rex::Version::new("2.0.21"))
       return Exploit::CheckCode::Appears
-    elsif version =~ /^2\.1/ and version < "2.1.16"
+    elsif version.between?(Rex::Version::new("2.2.0"), Rex::Version::new("2.1.16"))
       return Exploit::CheckCode::Appears
-    elsif version =~ /^3\.0/ and version < "3.0.3"
+    elsif version.between?(Rex::Version::new("3.0.0"), Rex::Version::new("3.0.03"))
       return Exploit::CheckCode::Appears
     end
 
diff --git a/modules/exploits/unix/webapp/spip_rce_form.rb b/modules/exploits/unix/webapp/spip_rce_form.rb
@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::HttpClient
   prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HTTP::Spip
 
   def initialize(info = {})
     super(
@@ -83,38 +84,20 @@ def check
     res = send_request_cgi({ 'uri' => uri.to_s })
 
     return Exploit::CheckCode::Unknown('Target is unreachable.') unless res
-    return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200
 
-    version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text
-    return Exploit::CheckCode::Unknown('Unable to find the version string on the page: spip.php') unless version_string =~ /SPIP (.*)/
+    rversion = spip_version
+    return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless rversion
 
-    version = ::Regexp.last_match(1)
+    print_status("SPIP Version detected: #{rversion}")
 
-    if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/
-      version = ::Regexp.last_match(1)
-    end
-
-    return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version
-
-    print_status("SPIP Version detected: #{version}")
-
-    rversion = Rex::Version.new(version)
-    if rversion >= Rex::Version.new('4.2.0')
-      if rversion < Rex::Version.new('4.2.1')
-        return Exploit::CheckCode::Appears
-      end
-    elsif rversion >= Rex::Version.new('4.1.0')
-      if rversion < Rex::Version.new('4.1.18')
-        return Exploit::CheckCode::Appears
-      end
-    elsif rversion >= Rex::Version.new('4.0.0')
-      if rversion < Rex::Version.new('4.0.10')
-        return Exploit::CheckCode::Appears
-      end
-    elsif rversion >= Rex::Version.new('3.2.0')
-      if rversion < Rex::Version.new('3.2.18')
-        return Exploit::CheckCode::Appears
-      end
+    if rversion.between?(Rex::Version.new('4.2.0'), Rex::Version.new('4.2.1'))
+      return Exploit::CheckCode::Appears
+    elsif rversion.between?(Rex::Version.new('4.1.0'), Rex::Version.new('4.1.18'))
+      return Exploit::CheckCode::Appears
+    elsif rversion.between?(Rex::Version.new('4.0.0'), Rex::Version.new('4.0.10'))
+      return Exploit::CheckCode::Appears
+    elsif rversion.between?(Rex::Version.new('3.2.0'), Rex::Version.new('3.2.18'))
+      return Exploit::CheckCode::Appears
     end
 
     return Exploit::CheckCode::Safe
