CVE-2023-27372 PoC — SPIP Security Vulnerability

Source
Associated Vulnerability
Title: SPIP Security Vulnerability (CVE-2023-27372)
Description:SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
Description
SPIP CVE-2023-27372 Unauthenticated RCE Exploit (Web Shell Upload)
Readme
# SPIP CVE-2023-27372 Unauthenticated RCE Exploit (Web Shell Upload)

This Python script exploits CVE-2023-27372, an unauthenticated remote code execution vulnerability in SPIP CMS versions prior to 4.2.1. It leverages a cache poisoning flaw in the password reset mechanism to upload a web shell and gather basic system information.

**Author:** [@ronkkeli](https://github.com/1Ronkkeli) (Script v1.2)
**TryHackMe:** [ronkkeli](https://tryhackme.com/p/ronkkeli)
**Original PoC Concept:** nuts7

## CVE Information

* **CVE ID:** CVE-2023-27372
* **CVSS Score:** 9.8 (Critical)
* **Affected Versions:** SPIP CMS versions < 4.2.1

## Vulnerability Description

An unauthenticated RCE vulnerability exists in the `ecrire/inc/filtres.php` file within the `reset_cache` function. This function uses the `oubli` parameter from the password recovery page (`spip.php?page=spip_pass`). By sending a specially crafted serialized payload in the `oubli` parameter, an attacker can inject arbitrary PHP code into the cache file `ecrire/data/cache/reset_cache.php`. This script uses this flaw to execute `file_put_contents` and write a persistent web shell to the server.
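
A defensive check for the request pattern described above, as an added example that is not part of the original README or the exploit script: it flags `spip_pass` submissions whose `oubli` value looks like PHP-serialized data or carries a PHP open tag. The function names, regexes and sample requests are constructed for illustration, and the check assumes legitimate `oubli` values are plain e-mail addresses or logins.

```python
import re
from urllib.parse import parse_qs

# Prefixes produced by PHP serialize(): s:N:"..."; a:N:{ O:N:"..." i:N; b:N; d:N; N;
SERIALIZED = re.compile(r'^\s*(?:[aOC]:\d+:|s:\d+:"|[ibd]:[-\d.]+;|N;)')
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)


def _fields(query, body):
    """Merge URL query-string and form-encoded body fields (percent-decoded)."""
    merged = {}
    for part in (query, body):
        for key, values in parse_qs(part, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged


def inspect_spip_pass(query, body):
    """Return the reasons a request to spip.php?page=spip_pass looks suspicious.

    Assumption: a legitimate `oubli` value is an e-mail address or login,
    so serialized data or PHP tags in it are never expected.
    """
    form = _fields(query, body)
    if "spip_pass" not in form.get("page", []):
        return []
    reasons = []
    for value in form.get("oubli", []):
        if SERIALIZED.match(value):
            reasons.append("oubli looks like PHP serialized data")
        if PHP_TAG.search(value):
            reasons.append("oubli contains a PHP open tag")
    return reasons


# Constructed sample requests (query string, POST body); none is a real capture.
SAMPLES = [
    ("page=spip_pass", "oubli=alice%40example.org"),
    ("page=spip_pass", "oubli=s%3A11%3A%22placeholder%22%3B"),
    ("", "page=spip_pass&oubli=%3C%3Fphp+marker"),
    ("page=contact", "oubli=s%3A1%3A%22x%22%3B"),
]

if __name__ == "__main__":
    for query, body in SAMPLES:
        print(query or "-", body, "->", inspect_spip_pass(query, body) or "ok")
```

The same logic can run as a WAF rule or over captured request bodies; upgrading to a fixed release (3.2.18, 4.0.10, 4.1.8 or 4.2.1) remains the actual remediation.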

## Script Features (v1.2)

* Fetches the required Anti-CSRF token automatically.
* Constructs and sends the serialized payload to upload a web shell.
* Allows customization of the web shell's filename (`-f`).
* Allows customization of the web shell's PHP code (`-d`).
* **Enhanced Post-Exploit Check:** Verifies shell upload and attempts to gather basic system info (`whoami`, `hostname`, `uname`, `id`, `pwd`) using the shell.
* Presents gathered information in a clean, aligned format.
* Provides colorized output for better readability.
* Includes usage examples for reverse shells.

## Requirements

* Python 3.x
* `requests` library
* `beautifulsoup4` library

## Installation

```bash
pip install requests beautifulsoup4
```

File Snapshot

```
[4.0K] /data/pocs/588e8358c586fa6caeb75e4c7262886dfb723dd3
├── [ 14K] cve.py
└── [1.8K] README.md

0 directories, 2 files
```