Unauthenticated Remote Code Execution Vulnerability in the SPIP CMS BigUp Plugin
Vulnerability information
Vulnerability name: Unauthenticated remote code execution vulnerability in the SPIP CMS BigUp plugin
Vulnerability identifier:
- CVE: CVE-2024-8517
Vulnerability type: command execution
Severity: critical
Vulnerability description: SPIP CMS (Système de Publication pour l’Internet Partagé) is a widely used open-source content management system, especially popular in the French-speaking community. The BigUp plugin is a SPIP CMS component that provides file upload and management functionality. In several SPIP CMS versions this plugin contains a critical security vulnerability that allows an attacker to execute remote code without authentication.
The vulnerability lies in the BigUp plugin's lister_fichiers_par_champs function, which fails to properly validate the bigup_retrouver_fichiers parameter. By setting this parameter to 1, an attacker can upload a malicious PHP file and then execute arbitrary code on the server. Exploitation requires no authentication of any kind, which makes the barrier to attack extremely low.
The impact is extremely severe: an attacker can take full control of an affected server, execute arbitrary commands, access sensitive data, and even use the server as a pivot to attack other systems on the internal network. Because exploitation requires no authentication and can be automated, every system running an affected version of SPIP CMS and the BigUp plugin should be updated immediately or protected by other mitigations.
Vendor: SPIP
Product: SPIP CMS BigUp plugin
Affected versions: ≤ 4.3.1, ≤ 4.2.15, ≤ 4.1.17
Source: https://github.com/saadhassan77/SPIP-BigUp-Unauthenticated-RCE-Exploit-CVE-2024-8517
Type: CVE-2024: github search
Repository files
- LICENSE
- Readme.md
- exploit.py
Source overview
SPIP BigUp Unauthenticated RCE Exploit (CVE-2024-8517)
### Description
This Python script exploits an unauthenticated Remote Code Execution (RCE) vulnerability in the BigUp plugin of the SPIP CMS (Système de Publication pour l’Internet Partagé). The flaw lies in the lister_fichiers_par_champs function, which fails to properly validate input when the bigup_retrouver_fichiers parameter is set to 1. This allows an attacker to upload a malicious PHP payload and achieve arbitrary code execution on the server without authentication.
Affected SPIP versions:
- ≤ 4.3.1
- ≤ 4.2.15
- ≤ 4.1.17
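As an added defender-side example (not code from this repository, from the original exploit, or from SPIP), the following Python script checks a reported SPIP version against the three affected ranges listed above and flags proxy/WAF log lines that carry the bigup_retrouver_fichiers=1 parameter named in the description. The log lines are constructed for the demonstration, and the script assumes the log records request form fields so that the parameter is visible.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the advisory: <= 4.3.1, <= 4.2.15, <= 4.1.17.
# Keyed by (major, minor) branch; the value is the last affected patch level.
AFFECTED_BRANCHES = {(4, 3): 1, (4, 2): 15, (4, 1): 17}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a dotted SPIP version such as '4.2.15' into (major, minor, patch)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is a later release
    on a listed branch, None if the branch is not covered by the advisory (e.g. 4.0.x)."""
    major, minor, patch = parse_version(version)
    last_affected = AFFECTED_BRANCHES.get((major, minor))
    if last_affected is None:
        return None
    return patch <= last_affected


# Only the parameter name and the value 1 come from the advisory. Assumption: the
# proxy/WAF log records form fields, so the parameter is visible in the scanned line.
SUSPICIOUS_PARAM = re.compile(r'(?:^|[?&;\s"])bigup_retrouver_fichiers=1(?:$|[&;\s"])')


def flag_requests(log_lines: List[str]) -> List[str]:
    """Return the log lines that carry bigup_retrouver_fichiers=1 as a whole parameter."""
    return [line for line in log_lines if SUSPICIOUS_PARAM.search(line)]


# Constructed sample log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /spip.php?page=sommaire HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "POST /spip.php HTTP/1.1" 200 2048'
    ' body="champ=x&bigup_retrouver_fichiers=1&y=z"',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /spip.php?bigup_retrouver_fichiers=10 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for v in ("4.3.1", "4.3.2", "4.2.15", "4.2.16", "4.1.17", "4.0.9"):
        print(v, is_affected(v))
    for hit in flag_requests(SAMPLE_LOG):
        print("FLAG:", hit)
```

A None result means the branch is outside what the advisory lists and needs a separate check rather than being treated as safe.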
### About This Script
This version of the exploit was written to work in restricted lab environments (like Guacamole-based virtual labs used in some pentesting platforms), where:
- Internet access is blocked
- You cannot install external Python packages via pip
Unlike the original public version, this script does not require libraries such as rich_click, alive_progress, prompt_toolkit, beautifulsoup4, or random_user_agent. It uses only standard Python libraries, making it more portable and usable in air-gapped or locked-down environments.
### Key Features
- No external Python dependencies
- Works in offline lab environments (e.g., eJPTv2/ecpptv3 Guacamole labs)
- Uploads a basic web shell or command-execution payload
- Exploits the vulnerability without authentication
### Usage
python3 exploit.py http://10.5.29.66 #target IP
### Credits
This script was adapted from a publicly available exploit originally posted at:
- https://github.com/Chocapikk/CVE-2024-8517