diff --git a/cves/2021/CVE-2021-21311.yaml b/cves/2021/CVE-2021-21311.yaml
new file mode 100644
index 0000000000..031a6cae29
--- /dev/null
+++ b/cves/2021/CVE-2021-21311.yaml
@@ -0,0 +1,29 @@
+id: CVE-2021-21311
+
+info:
+ name: Adminer SSRF Using Verbose Error Messages
+ author: Adam Crosser
+ severity: high
+ description: Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
+ reference:
+ - https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
+ - https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
+ metadata:
+ shodan-query: title:"Login - Adminer"
+ tags: cve,cve2021,adminer,ssrf
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/adminer?elastic=example.com&username="
+
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 403
+
+ - type: word
+ part: body
+ words:
+ - "<title>400 - Bad Request</title>"
diff --git a/exposed-panels/adminer-panel.yaml b/exposed-panels/adminer-panel.yaml
index 43d26e4ffa..b2cf28a10c 100644
--- a/exposed-panels/adminer-panel.yaml
+++ b/exposed-panels/adminer-panel.yaml
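Review bot: The matchers in the new CVE-2021-21311 template are undocumented and brittle: a 403 whose body contains `<title>400 - Bad Request</title>` appears to be the remote host's error page echoed in Adminer's verbose login error, so the verdict depends on what example.com returns and on the target being allowed outbound HTTP. A patched install and an egress-filtered vulnerable one will both report clean, and a change in the third-party response silently breaks the check. Add a comment above `matchers:`, for example `# 403 = Adminer login failure; the title is the fetched response echoed in the error message`, and confirm against a test instance whether that echoed body is HTML-escaped, in which case the word must use the escaped form. The `path` list also probes only `/adminer`, although the description names `adminer.php` as the affected bundle, so installs served under that filename will be missed.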
@@ -7,24 +7,21 @@ info: severity: info reference: - https://blog.sorcery.ie/posts/adminer/ - tags: panel,adminer,login classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N cvss-score: 0.0 cve-id: cwe-id: CWE-200 - -# <= 4.2.4 can have unauthenticated RCE via SQLite driver -# <= 4.6.2 can have LFI via MySQL LOAD DATA LOCAL -# Most versions have some kind of SSRF usability -# Is generally handy if you find SQL creds + metadata: + shodan-query: title:"Login - Adminer" + tags: panel,adminer requests: - method: GET path: + - '{{BaseURL}}/adminer.php' - '{{BaseURL}}/_adminer.php' - '{{BaseURL}}/adminer/' - - '{{BaseURL}}/adminer.php' - '{{BaseURL}}/editor.php' - '{{BaseURL}}/mysql.php' - '{{BaseURL}}/sql.php' @@ -36,7 +33,6 @@ requests: stop-at-first-match: true matchers-condition: and matchers: - - type: word words: - "Login - Adminer"
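Review bot: Dropping the four `#` comment lines after `classification:` removes the only text in this template that tells a responder why an info-severity Adminer login page deserves follow-up, and nothing in the visible hunk replaces it. The `info` block starts above this hunk, so I cannot see whether it already has a `description`; if it does not, add one such as `description: Adminer login panel is reachable; compare the deployed version against published Adminer advisories.` Separately, `cve-id:` in the context lines is a bare empty value that parses as null; write `cve-id: null` or drop the key so the intent is explicit.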