Identifies Drupal sites with the elfinder library installed, which could be vulnerable to unrestricted file upload through the connector.php file.When this component is detected, the site may be vulnerable to remote code execution attacks via PHP file uploads.This template only detects the presence of the vulnerable component and does not perform any exploitation.
PoC代码[已公开]
id: drupal7-elfinder-rce
info:
name: Drupal 7 Elfinder - Remote Code Execution
author: 1337kro
severity: critical
description: |
Identifies Drupal sites with the elfinder library installed, which could be vulnerable to unrestricted file upload through the connector.php file.When this component is detected, the site may be vulnerable to remote code execution attacks via PHP file uploads.This template only detects the presence of the vulnerable component and does not perform any exploitation.
reference:
- https://github.com/Kro0oz/drupal-7-elfinder
remediation: |
Remove the elfinder library if not needed, or implement proper file upload restrictions and input validation. Additionally, consider implementing Web Application Firewall rules to block access to the connector.php file.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cwe-id: CWE-434
metadata:
verified: true
fofa-query: app="drupal"
product: Drupal
vendor: Drupal
tags: drupal,elfinder,filemanager,exposure,vuln
http:
- method: GET
path:
- "{{BaseURL}}/sites/all/libraries/elfinder/connectors/php/connector.php"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"cwd":'
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4b0a00483046022100d0788225f302d9ea33a67ae8d552784dfd1510474f274bf20abaaf74914f93b1022100efca50658114af29c68e367a15777af80e7647961e4b9c71443276dfc8b7a93b:922c64590222798bb761d5b6d8e72950