CVE-2018-15133-Laravel RCE.bcheck
metadata:
    language: v2-beta
    name: "[CVE-2018-15133] PHP Laravel Framework token Unserialize Remote Command Execution"
    description: "Laravel RCE"
    # There are many writeups and PoCs of CVE-2018-15133. I didn't have anything to do with the original research, just writing this BCheck.
    author: "Andrej Šimko @ Accenture"
    tags: "CVE-2018-15133", "Laravel", "RCE", "Remote Code Execution"

# HTTP/2 needs to be disabled in Settings > Network > HTTP > HTTP/2. This is because the HTTP header in question (X-XSRF-TOKEN) needs to be all upper-case, and HTTP/2 does not natively support case-sensitive header names. See "Header capitalization" on https://portswigger.net/burp/documentation/desktop/http2/http2-basics-for-burp-users.

define:
    payload = "xxxx"
    response_payload1 = "laravel"
    response_payload2 = "Encrypter.php"

given host then
    send request called try:
        # As of BCheck v2-beta it is not possible to create an HTTP/1.1 request, even in this way, when HTTP/2 is enabled.
        `POST / HTTP/1.1
        Host: {base.request.url.host}
        Referer: {base.request.url.host}
        Content-Type: application/x-www-form-urlencoded
        Origin: {base.request.url.host}
        X-XSRF-TOKEN: {payload}
        Content-Length: 0
        `

    if ({response_payload1} in {try.response.body}) and
       ({response_payload2} in {try.response.body}) then
        report issue:
            severity: high
            confidence: firm
            detail: "The PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29 is vulnerable to RCE through deserialization. To exploit further you would need to obtain APP_KEY."
            remediation: "Update Laravel to the latest version."
    end if
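The following is an added example, not part of the BCheck above or its author's code: a stand-alone Python re-implementation of the check's matching logic so it can be exercised offline against constructed responses. It serialises the same probe request, shows what an HTTP/2 stack does to the header name (which is why the comment above says HTTP/2 must be disabled in Burp), and applies the same two-marker condition. The function names, the sample HTML bodies, and the assumption that the "Encrypter.php" marker comes from a verbose framework error page are all assumptions made for illustration.

```python
# Added example (not from the BCheck or its author): offline re-implementation
# of the check's request and matching logic. Names and sample bodies below are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Same literals the BCheck defines.
PAYLOAD = "xxxx"
RESPONSE_PAYLOAD1 = "laravel"
RESPONSE_PAYLOAD2 = "Encrypter.php"


@dataclass
class Finding:
    severity: str
    confidence: str
    detail: str
    remediation: str


def build_probe_request(host: str, payload: str = PAYLOAD) -> bytes:
    """Serialise the BCheck's request as raw HTTP/1.1 (CRLF line endings).

    The header name is kept in upper case on purpose: the BCheck's comment
    says the check depends on it, which is why HTTP/2 (which carries header
    names lower-cased) has to be disabled in Burp for this check.
    """
    lines = [
        "POST / HTTP/1.1",
        f"Host: {host}",
        f"Referer: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Origin: {host}",
        f"X-XSRF-TOKEN: {payload}",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def http2_header_names(headers: Dict[str, str]) -> List[str]:
    """Header names as an HTTP/2 stack puts them on the wire: RFC 7540
    section 8.1.2 requires lower case, so X-XSRF-TOKEN cannot be sent in
    upper case over HTTP/2 regardless of how the request is written."""
    return [name.lower() for name in headers]


def check_response(body: str) -> Optional[Finding]:
    """Mirror of the BCheck's condition: plain case-sensitive substring
    matches for both markers. Returns the issue it would report, or None."""
    if RESPONSE_PAYLOAD1 in body and RESPONSE_PAYLOAD2 in body:
        return Finding(
            severity="high",
            confidence="firm",
            detail=("The PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29 is "
                    "vulnerable to RCE through deserialization. To exploit further you "
                    "would need to obtain APP_KEY."),
            remediation="Update Laravel to the latest version.",
        )
    return None


# Constructed sample bodies (not captured from any real host).
# 1) A verbose error page that leaks the framework file path; this is the
#    kind of response the two markers are assumed to come from.
DEBUG_ERROR_PAGE = (
    "<!DOCTYPE html><html><body>"
    "<h1>Illuminate\\Contracts\\Encryption\\DecryptException</h1>"
    "<p>The MAC is invalid.</p>"
    "<pre>/var/www/laravel/vendor/laravel/framework/src/Illuminate/"
    "Encryption/Encrypter.php:197</pre>"
    "</body></html>"
)
# 2) A generic production error page with verbose output disabled.
GENERIC_ERROR_PAGE = "<!DOCTYPE html><html><body><h1>Server Error</h1></body></html>"


if __name__ == "__main__":
    print(build_probe_request("example.test").decode())
    print("HTTP/2 header names:", http2_header_names({"X-XSRF-TOKEN": PAYLOAD}))
    for label, body in (("debug page", DEBUG_ERROR_PAGE), ("generic page", GENERIC_ERROR_PAGE)):
        finding = check_response(body)
        print(f"{label}: {'issue reported' if finding else 'no issue'}")
```

The second sample body is the point worth noticing: the check only fires when the response echoes the framework path, so a host that returns a generic error page produces no finding even if its Laravel version is in the affected range. Treat a negative result as "no signature observed", not as evidence that the framework is patched.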