## https://sploitus.com/exploit?id=55FB0B2A-A7C3-561B-B018-F37F13559B7F
# SPIP CVE-2023-27372 Unauthenticated RCE Exploit (Web Shell Upload)

This Python script exploits CVE-2023-27372, an unauthenticated remote code execution vulnerability in SPIP CMS before 4.2.1. It abuses mishandled deserialization of the `oubli` field of the password reset form to get attacker-supplied PHP written into a cache file, uses that primitive to drop a web shell, and then gathers basic system information through the shell.

**Author:** [@ronkkeli](https://github.com/1Ronkkeli) (Script v1.2)
**TryHackMe:** [ronkkeli](https://tryhackme.com/p/ronkkeli)
**Original PoC Concept:** nuts7

## CVE Information

* **CVE ID:** CVE-2023-27372
* **CVSS Score:** 9.8 (Critical)
* **Affected Versions:** SPIP CMS versions < 4.2.1 (the fix was also backported to the 3.2.18, 4.0.10 and 4.1.8 releases, so check the exact version on older branches before assuming a target is vulnerable)

## Vulnerability Description

The script targets the password recovery form (`spip.php?page=spip_pass`). Its `oubli` field is consumed by the `reset_cache` function in `ecrire/inc/filtres.php`, which deserializes it without validation, so a crafted serialized PHP string is written verbatim into the cache file `ecrire/data/cache/reset_cache.php` and executed as PHP. The script uses this primitive to call `file_put_contents` and write a persistent web shell to the server; every later command then goes through that shell rather than back through the reset form.

## Script Features (v1.2)

* Fetches the required Anti-CSRF token automatically.
* Constructs and sends the serialized payload to upload a web shell.
* Allows customization of the web shell's filename (`-f`).
* Allows customization of the web shell's PHP code (`-d`).
* **Enhanced Post-Exploit Check:** Verifies shell upload and attempts to gather basic system info (`whoami`, `hostname`, `uname`, `id`, `pwd`) using the shell.
* Presents gathered information in a clean, aligned format.
* Provides colorized output for better readability.
* Includes usage examples for reverse shells.

## Requirements

* Python 3.x
* `requests` library
* `beautifulsoup4` library

## Installation

```bash
pip install requests beautifulsoup4