
CVE-2021-43617 PoC — Laravel Framework code issue vulnerability

Associated Vulnerability
Title: Laravel Framework code issue vulnerability (CVE-2021-43617)
Description:Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Description
This is a reproduction of a PHP Laravel 8.70.1 Cross-Site Scripting (XSS) to Cross-Site Request Forgery (CSRF) vulnerability.
Readme
# CVE-2021-43617
This is a reproduction of a PHP Laravel 8.70.1 Cross-Site Scripting (XSS) to Cross-Site Request Forgery (CSRF) vulnerability.

# Description 
The PoC relies on bypassing the image-upload validation of a Laravel application in order to place an arbitrary file on the web server. Because the uploaded file is then served from the application's own origin, the JavaScript it contains runs in that origin and can read the CSRF token, which lets an attacker bypass the CSRF check. Note that the CVE record quoted above concerns the missing `.phar` check in `Illuminate/Validation/Concerns/ValidatesAttributes.php`, and its NOTE explicitly excludes reports about user applications' image uploads; this PoC exercises the image-upload path of a sample application rather than a `.phar` upload.

# Steps to reproduce:
* Create a Laravel 8.7.* application that displays an image upload form.
* Create an HTML file, [csrfbypass.html](https://github.com/Sybelle03/CVE-2021-43617/blob/main/xss-csrf-vul/resources/views/csrfbypass.html), containing the JavaScript that reads the form's CSRF token and displays it.
* Use the HxD hex editor to insert the bytes FF D8 FF E0 (the JPEG SOI and APP0 markers) at the very beginning of the file, giving [csrfbypass_util.html](https://github.com/Sybelle03/CVE-2021-43617/blob/main/xss-csrf-vul/resources/views/csrfbypass_util.html). Content-based MIME detection now reports the file as image/jpeg, while its `.html` extension is unchanged.
* Upload the modified file through the application's form and open it from where it was stored (the file snapshot below shows uploads saved as `public/images/<timestamp>.html`). The browser renders the `.html` file as a page on the application's origin, the script runs, and the CSRF token is displayed in a JavaScript alert.
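The following Python script is an added example written for this page; it is not code from the Sybelle03 repository or from Laravel. It reproduces step 3 (prepending FF D8 FF E0 to an HTML file) without HxD and then shows why the result passes a magic-byte check but fails a structural one. `sniff_mime` is a deliberately simplified stand-in for what finfo/libmagic does on the first bytes of a file, not PHP's or Laravel's actual detector; `HTML_PAYLOAD` is a constructed stand-in for `csrfbypass.html`; `MINIMAL_JPEG` is a constructed, structurally valid JFIF file that will not decode to a picture; the function names `make_polyglot`, `magic_only_accept`, `is_wellformed_jpeg` and `accept_upload` are the example's own.

```python
import struct

# Bytes the README prepends with HxD: JPEG SOI (FF D8) followed by an APP0
# marker (FF E0). Any magic-byte sniffer reports the result as image/jpeg.
JPEG_MAGIC = b"\xff\xd8\xff\xe0"

# Constructed stand-in for the repository's csrfbypass.html (not the real file).
HTML_PAYLOAD = b"<html><body><script>alert(document.cookie)</script></body></html>"

# Constructed, structurally valid JFIF file: SOI, APP0/JFIF, SOS, one scan byte,
# EOI. It gives the structural check a true positive; it is not a viewable image.
MINIMAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x00"
    + b"\xff\xd9"
)


def make_polyglot(html: bytes) -> bytes:
    """Step 3 of the README: prepend FF D8 FF E0 to the HTML file."""
    return JPEG_MAGIC + html


def sniff_mime(data: bytes) -> str:
    """Simplified magic-byte sniff of the kind finfo/libmagic performs. It looks
    at the leading bytes only, which is exactly what the polyglot exploits."""
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    return "application/octet-stream"


def magic_only_accept(data: bytes) -> bool:
    """Model of a weak 'is it an image?' check that trusts the sniffed MIME type."""
    return sniff_mime(data).startswith("image/")


def is_wellformed_jpeg(data: bytes) -> bool:
    """Structural check: walk the marker segments between SOI and SOS.

    Each non-standalone segment is FF xx LL LL payload, where LLLL counts the two
    length bytes. In the polyglot the APP0 'length' is the first two bytes of
    '<html>', so the segment overruns the file (or, for a large payload, its
    identifier is not JFIF/JFXX) and the walk fails.
    """
    if not data.startswith(b"\xff\xd8"):
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if marker == 0xD9:  # EOI before any scan: no image data at all
            return False
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            return False
        if marker == 0xE0 and data[pos + 4:pos + 9] not in (b"JFIF\x00", b"JFXX\x00"):
            return False
        if marker == 0xDA:  # Start Of Scan: entropy-coded data runs to EOI
            return data.endswith(b"\xff\xd9")
        pos += 2 + length
    return False


# Extension allowlist mapped to the structural validator for that type.
# Only JPEG is implemented here; a real deployment would add PNG, GIF, etc.
ALLOWED_TYPES = {"jpg": is_wellformed_jpeg, "jpeg": is_wellformed_jpeg}


def accept_upload(client_filename: str, data: bytes) -> bool:
    """Hardened check: the extension must be allowlisted AND the bytes must be a
    well-formed file of that type. '.html' is rejected before the bytes are read,
    and the polyglot renamed to '.jpg' is rejected by the structural walk."""
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    validator = ALLOWED_TYPES.get(ext)
    return validator is not None and validator(data)


if __name__ == "__main__":
    polyglot = make_polyglot(HTML_PAYLOAD)
    print("sniffed MIME:", sniff_mime(polyglot))                                       # image/jpeg
    print("magic-only check accepts:", magic_only_accept(polyglot))                   # True
    print("structural check accepts:", is_wellformed_jpeg(polyglot))                  # False
    print("hardened accept (.html):", accept_upload("csrfbypass_util.html", polyglot))  # False
    print("hardened accept (.jpg):", accept_upload("csrfbypass_util.jpg", polyglot))    # False
    print("hardened accept (real):", accept_upload("photo.jpg", MINIMAL_JPEG))          # True
```

Two points carry over to the Laravel application: a check that trusts the sniffed MIME type alone is satisfied by four prepended bytes, so content validation has to parse the file, and the stored filename must not inherit the client's extension (the file snapshot shows uploads kept as `.html`, which is what makes the browser execute the script). Storing uploads under a server-chosen name with an extension taken from the allowlist, and serving them with a fixed image Content-Type, closes both halves.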
File Snapshot

/data/pocs/b7d7f1c6da83c3d2ac240de4a349de515bc1d9fa
├── [ 989]  README.md
└── [4.0K]  xss-csrf-vul
    ├── [4.0K]  app
    │   ├── [4.0K]  Console
    │   │   └── [ 681]  Kernel.php
    │   ├── [4.0K]  Exceptions
    │   │   └── [ 824]  Handler.php
    │   ├── [4.0K]  Http
    │   │   ├── [4.0K]  Controllers
    │   │   │   ├── [ 361]  Controller.php
    │   │   │   └── [ 912]  ImageUploadController.php
    │   │   ├── [2.5K]  Kernel.php
    │   │   └── [4.0K]  Middleware
    │   │       ├── [ 469]  Authenticate.php
    │   │       ├── [ 307]  EncryptCookies.php
    │   │       ├── [ 366]  PreventRequestsDuringMaintenance.php
    │   │       ├── [ 877]  RedirectIfAuthenticated.php
    │   │       ├── [ 381]  TrimStrings.php
    │   │       ├── [ 372]  TrustHosts.php
    │   │       ├── [ 649]  TrustProxies.php
    │   │       └── [ 320]  VerifyCsrfToken.php
    │   ├── [4.0K]  Models
    │   │   └── [ 913]  User.php
    │   └── [4.0K]  Providers
    │       ├── [ 403]  AppServiceProvider.php
    │       ├── [ 613]  AuthServiceProvider.php
    │       ├── [ 380]  BroadcastServiceProvider.php
    │       ├── [ 725]  EventServiceProvider.php
    │       └── [1.6K]  RouteServiceProvider.php
    ├── [1.6K]  artisan
    ├── [4.0K]  bootstrap
    │   ├── [1.6K]  app.php
    │   └── [4.0K]  cache
    ├── [1.7K]  composer.json
    ├── [276K]  composer.lock
    ├── [4.0K]  config
    │   ├── [9.2K]  app.php
    │   ├── [3.6K]  auth.php
    │   ├── [1.7K]  broadcasting.php
    │   ├── [3.2K]  cache.php
    │   ├── [ 846]  cors.php
    │   ├── [4.9K]  database.php
    │   ├── [2.2K]  filesystems.php
    │   ├── [1.5K]  hashing.php
    │   ├── [3.5K]  logging.php
    │   ├── [3.5K]  mail.php
    │   ├── [2.8K]  queue.php
    │   ├── [2.2K]  sanctum.php
    │   ├── [ 950]  services.php
    │   ├── [6.9K]  session.php
    │   └── [1.0K]  view.php
    ├── [4.0K]  database
    │   ├── [4.0K]  factories
    │   │   └── [ 965]  UserFactory.php
    │   ├── [4.0K]  migrations
    │   │   ├── [ 798]  2014_10_12_000000_create_users_table.php
    │   │   ├── [ 683]  2014_10_12_100000_create_password_resets_table.php
    │   │   ├── [ 820]  2019_08_19_000000_create_failed_jobs_table.php
    │   │   └── [ 861]  2019_12_14_000001_create_personal_access_tokens_table.php
    │   └── [4.0K]  seeders
    │       └── [ 282]  DatabaseSeeder.php
    ├── [ 642]  Dockerfile
    ├── [ 473]  package.json
    ├── [1.2K]  phpunit.xml
    ├── [4.0K]  public
    │   ├── [ 0]  favicon.ico
    │   ├── [4.0K]  images
    │   │   ├── [1.5K]  1686004233.html
    │   │   ├── [1.4K]  1686004958.html
    │   │   ├── [1.4K]  1686004999.html
    │   │   └── [1.4K]  1686005037.html
    │   ├── [1.7K]  index.php
    │   └── [ 24]  robots.txt
    ├── [3.9K]  README.md
    ├── [4.0K]  resources
    │   ├── [4.0K]  css
    │   │   └── [ 0]  app.css
    │   ├── [4.0K]  js
    │   │   ├── [ 24]  app.js
    │   │   └── [ 869]  bootstrap.js
    │   ├── [4.0K]  lang
    │   │   └── [4.0K]  en
    │   │       ├── [ 674]  auth.php
    │   │       ├── [ 534]  pagination.php
    │   │       ├── [ 744]  passwords.php
    │   │       └── [8.3K]  validation.php
    │   └── [4.0K]  views
    │       ├── [1.4K]  csrfbypass.html
    │       ├── [1.4K]  csrfbypass_util.html
    │       ├── [1.6K]  imageUpload.blade.php
    │       └── [ 18K]  welcome.blade.php
    ├── [4.0K]  routes
    │   ├── [ 570]  api.php
    │   ├── [ 558]  channels.php
    │   ├── [ 592]  console.php
    │   └── [ 677]  web.php
    ├── [ 569]  server.php
    ├── [4.0K]  storage
    │   ├── [4.0K]  app
    │   │   └── [4.0K]  public
    │   ├── [4.0K]  framework
    │   │   ├── [4.0K]  cache
    │   │   │   └── [4.0K]  data
    │   │   ├── [4.0K]  sessions
    │   │   ├── [4.0K]  testing
    │   │   └── [4.0K]  views
    │   └── [4.0K]  logs
    ├── [4.0K]  tests
    │   ├── [ 380]  CreatesApplication.php
    │   ├── [4.0K]  Feature
    │   │   └── [ 339]  ExampleTest.php
    │   ├── [ 163]  TestCase.php
    │   └── [4.0K]  Unit
    │       └── [ 254]  ExampleTest.php
    └── [ 559]  webpack.mix.js

38 directories, 77 files