first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
BIN
adminer/CVE-2021-21311/1.png
Normal file
Binary file not shown.
After: Size: 45 KiB
29
adminer/CVE-2021-21311/README.md
Normal file
@@ -0,0 +1,29 @@
# Adminer Server-side Request Forgery on Error Page of Elasticsearch and ClickHouse (CVE-2021-21311)
[中文版本(Chinese version)](README.zh-cn.md)
Adminer is a tool for managing content in databases developed by PHP. It natively supports MySQL, MariaDB, PostgreSQL, SQLite, MS SQL, Oracle, Elasticsearch and MongoDB.
In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability on error page of Elasticsearch and ClickHouse. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.
References:
- <https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6>
- <https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf>
- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml>
## Vulnerable environment
Execute following command to start a PHP server with Adminer 4.7.8:
```
docker compose up -d
```
After the server is started, you can see the login page of Adminer at `http://your-ip:8080`.
## Exploit
Select the ElasticSearch as the system field, then input `example.com` into the server field. Click the login button, you will see the 400 response from `example.com`:

27
adminer/CVE-2021-21311/README.zh-cn.md
Normal file
@@ -0,0 +1,27 @@
# Adminer ElasticSearch 和 ClickHouse 错误页面SSRF漏洞(CVE-2021-21311)
Adminer是一个PHP编写的开源数据库管理工具,支持MySQL、MariaDB、PostgreSQL、SQLite、MS SQL、Oracle、Elasticsearch、MongoDB等数据库。
在其4.0.0到4.7.9版本之间,连接 ElasticSearch 和 ClickHouse 数据库时存在一处服务端请求伪造漏洞(SSRF)。
参考连接:
- <https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6>
- <https://github.com/vrana/adminer/files/5957311/Adminer.SSRF.pdf>
- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-21311.yaml>
## 漏洞环境
执行如下命令启动一个安装了Adminer 4.7.8的PHP服务:
```
docker compose up -d
```
服务启动后,在`http://your-ip:8080`即可查看到Adminer的登录页面。
## 漏洞复现
在Adminer登录页面,选择ElasticSearch作为系统目标,并在server字段填写`example.com`,点击登录即可看到`example.com`返回的400错误页面展示在页面中:

6
adminer/CVE-2021-21311/docker-compose.yml
Normal file
@@ -0,0 +1,6 @@
version: '2'
services:
web:
image: vulhub/adminer:4.7.8
ports:
- "8080:80"
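Review bot: `version: '2'` at the top of the docker-compose.yml hunk is the obsolete Compose-file `version` attribute; the `docker compose up -d` command both READMEs use (Compose v2) ignores it and prints a warning on every start, so drop that line and let the file begin at `services:`. The `vulhub/adminer:4.7.8` tag matches the version the READMEs name, which is good. Since this environment is built to make outbound connections to whatever host is typed into the Server field, consider publishing the port on the loopback interface only, `- "127.0.0.1:8080:80"`, so the lab is not reachable from other machines on the network by default.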