Skip to content
Nuclei Templates

Drupal 7 Elfinder - Remote Code Execution

ID: drupal7-elfinder-rce

Severity: critical

Author: 1337kro

Tags: drupal,elfinder,filemanager,exposure

Description

Section titled “Description”

Identifies Drupal sites with the elfinder library installed, which could be vulnerable to unrestricted file upload through the connector.php file.When this component is detected, the site may be vulnerable to remote code execution attacks via PHP file uploads.This template only detects the presence of the vulnerable component and does not perform any exploitation.

YAML Source

Section titled “YAML Source”
id: drupal7-elfinder-rce


info:
  name: Drupal 7 Elfinder - Remote Code Execution
  author: 1337kro
  severity: critical
  description: |
    Identifies Drupal sites with the elfinder library installed, which could be vulnerable to unrestricted file upload through the connector.php file.When this component is detected, the site may be vulnerable to remote code execution attacks via PHP file uploads.This template only detects the presence of the vulnerable component and does not perform any exploitation.
  reference:
    - https://github.com/Kro0oz/drupal-7-elfinder
  remediation: |
    Remove the elfinder library if not needed, or implement proper file upload restrictions and input validation. Additionally, consider implementing Web Application Firewall rules to block access to the connector.php file.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-434
  metadata:
    verified: true
    fofa-query: app="drupal"
    product: Drupal
    vendor: Drupal
  tags: drupal,elfinder,filemanager,exposure


http:
  - method: GET
    path:
      - "{{BaseURL}}/sites/all/libraries/elfinder/connectors/php/connector.php"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"cwd":'


      - type: word
        part: content_type
        words:
          - 'application/json'


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100b37d98c5276413f62b1fbef683732a44c8d438cba5e4db0ea593f0e74728d6c3022079e7bd1997bb8d771d8d56395f15cee885cdcd149367f00ec93f33ded6ee426b:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/drupal/drupal7-elfinder-rce.yaml"

View on Github