Add module to CVE-2021-3129 #16159
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
As we can't determine with certainty whether the target is vulnerable, the check method should return appear instead of vulnerable.
Co-authored-by: Simon Janusz <85949464+sjanusz-r7@users.noreply.github.com>
Cases
[x] User defined wrong log file
[-] Exploit aborted due to failure: unexpected-reply: Log file /var/www/log.log seems doesn't exit
[x] module doesn't detect the log file
[-] Log file does not exist /var/www/storage/logs/laravel.log
[-] Exploit aborted due to failure: bad-config: Log file is required, however it was defined nor it was not automatically detecte
[x] site doesn't respond with error, module unable to find the log directory
[-] Unable to automatically find the log file. To continue set LOGPATH manually
[-] Exploit aborted due to failure: bad-config: Log file is required, however it was defined nor it was not automatically detected
[x] site with debug mode false
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result
Update option name from LOGPATH to LOGFILE to become more intuitive.
- Removed else statements from check in favor of implicit return
- Added comment explaining the check strategy (to be less intrusive)
Test
Hey there- thanks so much for your submission! I only have a few minor suggestions.
Fix typos Co-authored-by: Brendan <bwatters@rapid7.com>
Fix typos Co-authored-by: Brendan <bwatters@rapid7.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
Co-authored-by: Brendan <bwatters@rapid7.com>
Release Notes
This module exploits a vulnerability in Ignition before 2.5.2, as used in Laravel and other products, that allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents().
This module exploits a vulnerability in Ignition before 2.5.2,
as used in Laravel and other products, that allows unauthenticated
remote attackers to execute arbitrary code because of insecure
usage of file_get_contents() and file_put_contents().
This is exploitable on sites using debug mode with Laravel before 8.4.2.
This module has been tested successfully on Debian 10.7 (x86_64) with
kernel version 5.10.60.
Verification
List the steps needed to make sure this thing works
/var/www/storage/logs/laravel.log if using the below mentioned container
msfconsole
use exploit/multi/php/ignition_laravel_debug_rc
set RHOSTS
set RPORT
set LHOST
exploit
Environment
This module was tested using a vulnerable docker container as available on the vulnhub project. However this container doesn't come with the required log file created. It needs to be created manually in the path /var/www/storage/logs/laravel.log. Even though the compose file from this container says laravel:8.4.2, on my environment it was deployed with the version 8.26.1. I also didn't find the release 8.4.2 in the Laravel repository.
Software versions
PHP 7.4.1
Laravel Framework 8.26.1
Ignition 2.5.1
Debian 10.7
Output
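A defender-side check for the condition the module description names (Ignition before 2.5.2 with debug mode on), added here as an example; it is not part of the pull request or of Metasploit. It assumes the Composer package name `facade/ignition` and Laravel's default `(bool) env('APP_DEBUG', false)` setting; the function names are hypothetical and the sample `composer.lock` and `.env` contents are constructed from the software versions listed above.

```ruby
require 'json'

# First fixed release, from the module description ("Ignition before 2.5.2").
FIXED_IGNITION = Gem::Version.new('2.5.2')
# Values that Laravel's env() helper or a (bool) cast turn into false (assumption).
FALSY = %w[false (false) 0 null (null) empty (empty)].freeze

# Installed version of a package from composer.lock content, or nil if absent.
def locked_version(composer_lock_json, package)
  lock = JSON.parse(composer_lock_json)
  entries = (lock['packages'] || []) + (lock['packages-dev'] || [])
  entry = entries.find { |pkg| pkg['name'] == package }
  entry && entry['version'].to_s.sub(/\Av/, '')
end

# True if any uncommented APP_DEBUG assignment in the .env text is truthy.
def debug_enabled?(env_text)
  env_text.each_line.any? do |line|
    m = line.match(/\A\s*APP_DEBUG\s*=\s*["']?([^"'\s#]*)/)
    m && !m[1].empty? && !FALSY.include?(m[1].downcase)
  end
end

# Classify a deployment by Ignition version and debug setting. The Laravel
# framework version is deliberately ignored: Ignition is what carries the fix.
def audit_ignition(composer_lock_json, env_text)
  version = locked_version(composer_lock_json, 'facade/ignition') # assumed package name
  return :not_installed if version.nil?
  return :unknown_version unless Gem::Version.correct?(version)
  return :patched if Gem::Version.new(version) >= FIXED_IGNITION

  debug_enabled?(env_text) ? :exposed : :outdated_debug_off
end

# Constructed sample input, using the software versions listed on this page.
SAMPLE_LOCK = JSON.generate(
  'packages' => [{ 'name' => 'laravel/framework', 'version' => 'v8.26.1' }],
  'packages-dev' => [{ 'name' => 'facade/ignition', 'version' => '2.5.1' }]
)
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=local\nAPP_DEBUG=true\n".freeze

puts audit_ignition(SAMPLE_LOCK, SAMPLE_ENV) if __FILE__ == $PROGRAM_NAME
```

With the tested environment's versions the result is `:exposed` even though the framework is 8.26.1, which is why the check keys on the Ignition version rather than the Laravel one.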