
CVE-2021-43617 PoC — Laravel Framework Code Issue Vulnerability

Source
Associated Vulnerability
Title: Laravel Framework Code Issue Vulnerability (CVE-2021-43617)
Description: Laravel Framework is a PHP-based web application development framework by the individual developer Taylor Otwell. Illuminate is one of its components. Laravel Framework versions before 8.70.2 have a security vulnerability: the framework does not adequately block the upload of executable PHP content, because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on Debian-based systems. In certain
Description
This is a reproduction of the PHP Laravel 8.70.1 Cross-Site Scripting (XSS) to Cross-Site Request Forgery (CSRF) vulnerability.
Readme
# CVE-2021-43617
This is a reproduction of the PHP Laravel 8.70.1 Cross-Site Scripting (XSS) to Cross-Site Request Forgery (CSRF) vulnerability.

# Description 
The vulnerability stems from the fact that Laravel's image file upload validation can be bypassed to upload arbitrary files to the web server, which lets an attacker run arbitrary JavaScript in the application's origin and thereby bypass the CSRF token.

# Steps to reproduce:
* Create a Laravel 8.7.* application that displays an image upload form.
* Create an HTML file, [csrfbypass.html](https://github.com/Sybelle03/CVE-2021-43617/blob/main/xss-csrf-vul/resources/views/csrfbypass.html), containing the exploit that bypasses the form's CSRF token.
* Use the HxD hex editor to prepend the bytes FF D8 FF E0 (the JPEG file signature) to that file, giving [csrfbypass_util.html](https://github.com/Sybelle03/CVE-2021-43617/blob/main/xss-csrf-vul/resources/views/csrfbypass_util.html).
* Upload that file to the application and try to display it. The CSRF token is shown in a JavaScript alert.
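The steps above work because the upload check only sniffs the leading bytes of the file, so an HTML document with a JPEG signature prepended passes as an image and is later served from the web root as HTML. The following Python block is an added example written for this page, not code from the PoC repository or from Laravel (which is PHP): it places a validator that trusts content sniffing alone beside a hardened one that additionally requires an allow-listed extension, a matching declared MIME type and a body free of browser-renderable markup, and it shows the response headers a server should send when it serves user uploads. Function names, the `SAMPLES` inputs and the signature tables are all constructed for the example.

```python
"""Weak (sniff-only) versus hardened image-upload validation.

Added example, not part of the PoC repository. The sample uploads below are
constructed inline; the only real values are the standard file signatures.
"""
import os
import re

# Leading-byte signatures of the image types this hypothetical form accepts.
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
ALLOWED_MIME = {"image/jpeg": "jpeg", "image/png": "png", "image/gif": "gif"}
# Cheap heuristic for "image" bodies that are really markup. A production check
# would re-encode the upload with an image library and keep only the result.
ACTIVE_MARKUP = re.compile(rb"<\s*(script|html|body|iframe|svg|object|embed)\b", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def weak_is_image(filename: str, declared_mime: str, data: bytes) -> bool:
    """Sniff-only validation: the behaviour a prepended JPEG signature bypasses."""
    return sniff_image_type(data) is not None


def hardened_is_image(filename: str, declared_mime: str, data: bytes) -> bool:
    """Extension, declared MIME type and sniffed content must all agree on one
    allow-listed image type, and the body must not contain active markup."""
    expected = ALLOWED_EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    if expected is None:          # .html, .php, .phar ... rejected up front
        return False
    if ALLOWED_MIME.get(declared_mime) != expected:
        return False
    if sniff_image_type(data) != expected:
        return False
    if ACTIVE_MARKUP.search(data):
        return False
    return True


def serving_headers(kind: str) -> dict:
    """Headers for serving a stored upload: fix the type from the validated kind,
    forbid browser sniffing, and sandbox the response if it is ever rendered."""
    return {
        "Content-Type": f"image/{kind}",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed uploads: (client filename, declared MIME type, first bytes of body).
SAMPLES = {
    "jpeg_polyglot_html": (
        "csrfbypass_util.html", "text/html",
        b"\xff\xd8\xff\xe0<html><script>/* attacker controlled */</script></html>",
    ),
    "real_jpeg": ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16),
    "png_named_jpg": ("photo.jpg", "image/jpeg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "markup_with_jpg_ext": ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0<svg></svg>"),
}


def evaluate_samples() -> dict:
    """Map each sample to (weak verdict, hardened verdict)."""
    return {name: (weak_is_image(*s), hardened_is_image(*s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate_samples().items():
        print(f"{name:24s} weak={weak!s:5s} hardened={hard}")
```

Running the block shows the sniff-only check accepting all four samples while the hardened check accepts only the genuine JPEG. Even when validation fails, storing uploads under a server-chosen name with the canonical extension and serving them with the headers from `serving_headers` keeps a browser from treating the file as a document.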
File Snapshot

```text
[4.0K] /data/pocs/b7d7f1c6da83c3d2ac240de4a349de515bc1d9fa
├── [ 989] README.md
└── [4.0K] xss-csrf-vul
    ├── [4.0K] app
    │   ├── [4.0K] Console
    │   │   └── [ 681] Kernel.php
    │   ├── [4.0K] Exceptions
    │   │   └── [ 824] Handler.php
    │   ├── [4.0K] Http
    │   │   ├── [4.0K] Controllers
    │   │   │   ├── [ 361] Controller.php
    │   │   │   └── [ 912] ImageUploadController.php
    │   │   ├── [2.5K] Kernel.php
    │   │   └── [4.0K] Middleware
    │   │       ├── [ 469] Authenticate.php
    │   │       ├── [ 307] EncryptCookies.php
    │   │       ├── [ 366] PreventRequestsDuringMaintenance.php
    │   │       ├── [ 877] RedirectIfAuthenticated.php
    │   │       ├── [ 381] TrimStrings.php
    │   │       ├── [ 372] TrustHosts.php
    │   │       ├── [ 649] TrustProxies.php
    │   │       └── [ 320] VerifyCsrfToken.php
    │   ├── [4.0K] Models
    │   │   └── [ 913] User.php
    │   └── [4.0K] Providers
    │       ├── [ 403] AppServiceProvider.php
    │       ├── [ 613] AuthServiceProvider.php
    │       ├── [ 380] BroadcastServiceProvider.php
    │       ├── [ 725] EventServiceProvider.php
    │       └── [1.6K] RouteServiceProvider.php
    ├── [1.6K] artisan
    ├── [4.0K] bootstrap
    │   ├── [1.6K] app.php
    │   └── [4.0K] cache
    ├── [1.7K] composer.json
    ├── [276K] composer.lock
    ├── [4.0K] config
    │   ├── [9.2K] app.php
    │   ├── [3.6K] auth.php
    │   ├── [1.7K] broadcasting.php
    │   ├── [3.2K] cache.php
    │   ├── [ 846] cors.php
    │   ├── [4.9K] database.php
    │   ├── [2.2K] filesystems.php
    │   ├── [1.5K] hashing.php
    │   ├── [3.5K] logging.php
    │   ├── [3.5K] mail.php
    │   ├── [2.8K] queue.php
    │   ├── [2.2K] sanctum.php
    │   ├── [ 950] services.php
    │   ├── [6.9K] session.php
    │   └── [1.0K] view.php
    ├── [4.0K] database
    │   ├── [4.0K] factories
    │   │   └── [ 965] UserFactory.php
    │   ├── [4.0K] migrations
    │   │   ├── [ 798] 2014_10_12_000000_create_users_table.php
    │   │   ├── [ 683] 2014_10_12_100000_create_password_resets_table.php
    │   │   ├── [ 820] 2019_08_19_000000_create_failed_jobs_table.php
    │   │   └── [ 861] 2019_12_14_000001_create_personal_access_tokens_table.php
    │   └── [4.0K] seeders
    │       └── [ 282] DatabaseSeeder.php
    ├── [ 642] Dockerfile
    ├── [ 473] package.json
    ├── [1.2K] phpunit.xml
    ├── [4.0K] public
    │   ├── [   0] favicon.ico
    │   ├── [4.0K] images
    │   │   ├── [1.5K] 1686004233.html
    │   │   ├── [1.4K] 1686004958.html
    │   │   ├── [1.4K] 1686004999.html
    │   │   └── [1.4K] 1686005037.html
    │   ├── [1.7K] index.php
    │   └── [  24] robots.txt
    ├── [3.9K] README.md
    ├── [4.0K] resources
    │   ├── [4.0K] css
    │   │   └── [   0] app.css
    │   ├── [4.0K] js
    │   │   ├── [  24] app.js
    │   │   └── [ 869] bootstrap.js
    │   ├── [4.0K] lang
    │   │   └── [4.0K] en
    │   │       ├── [ 674] auth.php
    │   │       ├── [ 534] pagination.php
    │   │       ├── [ 744] passwords.php
    │   │       └── [8.3K] validation.php
    │   └── [4.0K] views
    │       ├── [1.4K] csrfbypass.html
    │       ├── [1.4K] csrfbypass_util.html
    │       ├── [1.6K] imageUpload.blade.php
    │       └── [ 18K] welcome.blade.php
    ├── [4.0K] routes
    │   ├── [ 570] api.php
    │   ├── [ 558] channels.php
    │   ├── [ 592] console.php
    │   └── [ 677] web.php
    ├── [ 569] server.php
    ├── [4.0K] storage
    │   ├── [4.0K] app
    │   │   └── [4.0K] public
    │   ├── [4.0K] framework
    │   │   ├── [4.0K] cache
    │   │   │   └── [4.0K] data
    │   │   ├── [4.0K] sessions
    │   │   ├── [4.0K] testing
    │   │   └── [4.0K] views
    │   └── [4.0K] logs
    ├── [4.0K] tests
    │   ├── [ 380] CreatesApplication.php
    │   ├── [4.0K] Feature
    │   │   └── [ 339] ExampleTest.php
    │   ├── [ 163] TestCase.php
    │   └── [4.0K] Unit
    │       └── [ 254] ExampleTest.php
    └── [ 559] webpack.mix.js

38 directories, 77 files
```