PoC details: feda8771e9438377102505046935630ba0cb785f

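Source
Related vulnerability
Title: Laravel Framework security vulnerability (CVE-2018-15133)
Description: Laravel framework is a PHP-based web application development framework developed by software developer Taylor Otwell. A security vulnerability exists in Laravel framework 5.5.40 and earlier and in 5.6.x through 5.6.29. A remote attacker who has the application's key can exploit this vulnerability to execute code.
Description
Exploit for Laravel Remote Code Execution with API_KEY (CVE-2018-15133)
Introduction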
# Laravel exploit for CVE-2018-15133

This code exploits [CVE-2018-15133](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15133) and it is based on [kozmic's PoC](https://github.com/kozmic/laravel-poc-CVE-2018-15133) and [Metasploit's exploit](https://www.exploit-db.com/exploits/47129) for this vulnerability. I pretty much just did this for a box in [Hack The Box](https://www.hackthebox.eu/), because I did not want to use Metasploit at the moment and as an excuse for practicing Python.

From the CVE's Description:

> In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
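
As an added example (not part of the original README or of the exploit code), the following Python script checks a project's `composer.lock` against the affected ranges quoted above. The function names and the sample lock content are assumptions made for illustration; 5.5.x releases after 5.5.40 are treated as outside the range because the CVE text does not list them.

```python
import json
import re

# Affected ranges as quoted in the CVE description on this page:
# "through 5.5.40" and "5.6.x through 5.6.29".
MAX_55 = (5, 5, 40)
MIN_56, MAX_56 = (5, 6, 0), (5, 6, 29)


def parse_version(raw):
    """Turn 'v5.6.29' or '5.5.40' into (5, 6, 29); None for dev-master etc."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", raw.strip())
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(raw):
    """True/False for a parseable version, None when it cannot be decided."""
    v = parse_version(raw)
    if v is None:
        return None  # branch aliases need a manual look at the checked-out commit
    return v <= MAX_55 or MIN_56 <= v <= MAX_56


def check_lockfile(lock_text):
    """Return (version, affected) for laravel/framework, or None if absent."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") == "laravel/framework":
            version = pkg.get("version", "")
            return version, is_affected(version)
    return None


# Constructed sample composer.lock content (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v5.6.29"},
        {"name": "monolog/monolog", "version": "1.23.0"},
    ],
    "packages-dev": None,
})

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
```

A result in the affected range means the framework should be upgraded; because the attack also requires the application key, rotating `APP_KEY` is worth considering wherever the key may have been exposed.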

Install dependencies:

```
pip install -r requirements.txt
```

### Usage

```
usage: pwn_laravel.py [-h] [-c COMMAND] [-m {1,2,3,4}] [-i] URL API_KEY
```

![Demo](pwn.png)

## IMPORTANT

This code was created for educational use, not for anything illegal. Whatever you do is your own responsibility.

### References

* [kozmic's PoC in PHP](https://github.com/kozmic/laravel-poc-CVE-2018-15133)
* [Metasploit exploit in Ruby](https://www.exploit-db.com/exploits/47129)
* [Pull request of fix by Laravel](https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0)
* [CVE-2018-15133](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15133)
File snapshot

```
[4.0K] /data/pocs/feda8771e9438377102505046935630ba0cb785f
├── [4.8K] pwn_laravel.py
├── [240K] pwn.png
├── [1.7K] README.md
└── [ 126] requirements.txt

0 directories, 4 files
```