# Vulnerability Details

## Basic Information
| Title | Exploit for Deserialization of Untrusted Data in Spip |
|---|---|
| Type | githubexploit |
| Published | 2025-04-28T13:48:32 |
| Last Seen | 2025-04-28T18:17:13 |
| CVSS Score | 9.8 (CRITICAL) |
## CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
## CVE Information
| CVE IDs | CVE-2023-27372 |
|---|---|
| CWE | |
| Bulletin Family | exploit |
## Description
This Python script exploits CVE-2023-27372, an unauthenticated remote code execution vulnerability in SPIP CMS versions prior to 4.2.1. It leverages a cache poisoning flaw in the password reset mechanism to upload a web shell and gather basic system information.
**Author:** [@ronkkeli](https://github.com/1Ronkkeli) (Script v1.2)
**TryHackMe:** [ronkkeli](https://tryhackme.com/p/ronkkeli)
**Original PoC Concept:** nuts7
## CVE Information
* **CVE ID:** CVE-2023-27372
* **CVSS Score:** 9.8 (Critical)
* **Affected Versions:** SPIP CMS versions < 4.2.1
## Vulnerability Description
An unauthenticated RCE vulnerability exists in the `ecrire/inc/filtres.php` file within the `reset_cache` function. This function uses the `oubli` parameter from the password recovery page (`spip.php?page=spip_pass`). By sending a specially crafted serialized payload in the `oubli` parameter, an attacker can inject arbitrary PHP code into the cache file `ecrire/data/cache/reset_cache.php`. This script uses this flaw to execute `file_put_contents` and write a persistent web shell to the server.
## Script Features (v1.2)
* Fetches the required Anti-CSRF token automatically.
* Constructs and sends the serialized payload to upload a web shell.
* Allows customization of the web shell's filename (`-f`).
* Allows customization of the web shell's PHP code (`-d`).
* **Enhanced Post-Exploit Check:** Verifies shell upload and attempts to gather basic system info (`whoami`, `hostname`, `uname`, `id`, `pwd`) using the shell.
* Presents gathered information in a clean, aligned format.
* Provides colorized output for better readability.
* Includes usage examples for reverse shells.
## Requirements
* Python 3.x
* `requests` library
* `beautifulsoup4` library
## Installation
```bash
pip install requests beautifulsoup4
```

## Impact Assessment
| Base Score | 9.8 |
|---|---|
| Severity | CRITICAL |