Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/pwnedshell/Larascript

Laravel RCE exploit. CVE-2018-15133
https://github.com/pwnedshell/Larascript

Last synced: 3 months ago
JSON representation

Laravel RCE exploit. CVE-2018-15133

Host: GitHub
URL: https://github.com/pwnedshell/Larascript
Owner: pwnedshell
License: cc0-1.0
Created: 2020-12-21T22:02:08.000Z (almost 4 years ago)
Default Branch: master
Last Pushed: 2022-03-22T17:56:41.000Z (over 2 years ago)
Last Synced: 2024-06-05T19:55:08.722Z (6 months ago)
Language: Python
Size: 112 KB
Stars: 33
Watchers: 1
Forks: 13
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - pwnedshell/Larascript - Laravel RCE exploit. CVE-2018-15133 (Python)

README

        

 _                                           _         _

| |      __ _  _ __   __ _  ___   ___  _ __ (_) _ __  | |_

| |     / _` || '__| / _` |/ __| / __|| '__|| || '_ \ | __|

| |___ | (_| || |   | (_| |\__ \| (__ | |   | || |_) || |_

|_____| \__,_||_|    \__,_||___/ \___||_|   |_|| .__/  \__|

                                               |_|

Authors: @pwnedshell & @rsgbengi 





    

    

    





    

    




 

📌 What its Larascript?

Larascript is a script which take advantage from CVE-2018-15133 and can execute remote commands if a vulnerable Laravel app is exposed. You can send commands and get response such as get cat /etc/passwd. But you also can ask for a shell so it gives you a reverse shell. It has some argument personalitation so you can specify what type of reverse shell you get (bash or sh), what reverse shell language use to retrieve the shell (php, bash, mkfifo, python...) or the laravel RCE method (1,2,3 or 4). It also provides a good shell interaction and references to the shell treatment or linux privilege escalation.

🧨 CVE-2018-15133

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

📦 Install


git clone https://github.com/PwnedShell/Larascript

pip3 install -r requirements.txt



📘 Usage

Required params are the vulnerable url and the app_key in base64. See larascript.py -h.




usage: larascript.py [-h] -k APPKEY [-c COMMAND] [-m {1,2,3,4,5}] [-s {bash,python,perl,php,ruby,nc,mkfifo,lua,java}]

                 [-t {bash,sh}] [-p PORT] [-P LPORT] [-U LHOST]

                 url



Send the command whoami









Get a reverse shell using mkfifo payload. Setting the lhost to our local machine









📎 References



 CVE-2018-15133

 Aljavier exploit

 Kozmic POC

 Phpggc

 Payload all the things