module
PHP Laravel Framework token Unserialize Remote Command Execution
| Disclosed | Created |
|---|---|
| 2018-08-07 | 2019-07-12 |
Disclosed
2018-08-07
Created
2019-07-12
Description
This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x
Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to
an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php.
Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY.
Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix.
In some cases the APP_KEY is leaked which allows for discovery and exploitation.
Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to
an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php.
Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY.
Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix.
In some cases the APP_KEY is leaked which allows for discovery and exploitation.
Authors
Ståle Pettersen
aushack patrick@osisecurity.com.au
aushack patrick@osisecurity.com.au
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.