## https://sploitus.com/exploit?id=C454F4FD-1F94-5EBF-A82C-1300447BEA01
# CVE-2023-27372 — SPIP

Unauthenticated remote code execution vulnerability in SPIP before 4.2.1. The `oubli` parameter in the password reset form is vulnerable to PHP object injection due to mishandled deserialization. A crafted serialized payload is executed server-side as the web user, and the output is reflected back in the response inside the `oubli` input field value.

---

## How it works

1. Fetches the anti-CSRF token from `/spip.php?page=spip_pass`.
2. Sends a POST request with a PHP serialized payload injected into the `oubli` parameter.
3. Extracts the command output from the reflected `value` attribute in the response.
4. Loops for interactive command execution, refreshing the CSRF token on each request.
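
The four steps above describe a traffic pattern that is easy to spot on the server side: a POST to `spip.php?page=spip_pass` whose `oubli` field holds a serialized PHP object instead of an e-mail address or login. The following detector is an added example written for this README, not code from this repository or from the original PoC; it assumes request records captured by a reverse proxy or WAF (method, path, query string, URL-encoded body), and the sample records are constructed here. The serialized object in the sample is an empty `stdClass`, used only as a harmless indicator of the format, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs

# Header of a PHP serialized object: O:<len>:"<class>":<count>:{
# A legitimate password-reset request never carries this in `oubli`.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')


def is_suspicious_reset_request(method: str, path: str, query: str, body: str) -> bool:
    """Return True for a POST to the SPIP password-reset page whose `oubli`
    field contains a serialized PHP object (the CVE-2023-27372 pattern)."""
    if method.upper() != "POST":
        return False
    if not path.endswith("spip.php"):
        return False
    page = parse_qs(query).get("page", [""])[0]
    if page != "spip_pass":
        return False
    # parse_qs URL-decodes the body, so percent-encoded payloads are checked too.
    fields = parse_qs(body, keep_blank_values=True)
    return any(PHP_OBJECT_RE.search(value) for value in fields.get("oubli", []))


# Constructed sample records: (method, path, query, body). Not real traffic.
SAMPLE_REQUESTS = [
    # Step 1 of the description: fetching the form (and its anti-CSRF token).
    ("GET", "/spip/spip.php", "page=spip_pass", ""),
    # Step 2: `oubli` carries a serialized object, here an empty stdClass.
    ("POST", "/spip/spip.php", "page=spip_pass",
     "oubli=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    # A legitimate reset request: `oubli` is an e-mail address.
    ("POST", "/spip/spip.php", "page=spip_pass", "oubli=alice%40example.org"),
]


def scan_records(records):
    """Return the indices of records matching the object-injection pattern."""
    return [i for i, (m, p, q, b) in enumerate(records)
            if is_suspicious_reset_request(m, p, q, b)]


if __name__ == "__main__":
    for idx in scan_records(SAMPLE_REQUESTS):
        method, path, query, body = SAMPLE_REQUESTS[idx]
        print(f"[!] record {idx}: {method} {path}?{query} body={body}")
    # Detection is a stop-gap; the fix is upgrading SPIP to 4.2.1 or later.
```

The regex looks only at the `oubli` field after URL decoding, so a GET of the form (step 1) and normal reset submissions are not flagged, while any POST whose `oubli` value starts with or embeds a serialized object header is. The check is deliberately narrow to the request shape the description gives; pair it with a rule for repeated GET/POST pairs against `spip_pass` if you want to catch the interactive loop in step 4.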

## Requirements

- Python 3
- Install dependencies:

```bash
python3 -m venv venv
source venv/bin/activate
python3 -m pip install requests beautifulsoup4 prompt_toolkit
```

## Usage

```bash
python3 exploit.py -u http://TARGET/spip
```

**Example:**

```
$ python3 exploit.py -u http://10.10.10.10/spip
[*] Fetching anti-CSRF token...
[*] Testing command execution...
[+] Target is vulnerable! Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] Shell opened. Type 'exit' or Ctrl+C to quit.

Shell> whoami
www-data
```

## References

- [CVE-2023-27372](https://nvd.nist.gov/vuln/detail/CVE-2023-27372)
- [Original PoC by nuts7](https://github.com/nuts7/CVE-2023-27372)
- [SPIP release notes](https://blog.spip.net/)

## Credits

- **Discovery & original exploit:** [nuts7](https://github.com/nuts7)
- **Cleanup & interactive shell:** [Esteban Zárate](https://github.com/estebanzarate)