Larascript
Larascript copied to clipboard
PwnedShell
Laravel RCE exploit. CVE-2018-15133
_ _ _
| | __ _ _ __ __ _ ___ ___ _ __ (_) _ __ | |_
| | / _` || '__| / _` |/ __| / __|| '__|| || '_ \ | __|
| |___ | (_| || | | (_| |\__ \| (__ | | | || |_) || |_
|_____| \__,_||_| \__,_||___/ \___||_| |_|| .__/ \__|
|_|
Authors: @pwnedshell & @rsgbengi
๐ What its Larascript?
Larascript is a script which take advantage fromCVE-2018-15133 and can execute remote commands if a vulnerable Laravel app is exposed. You can send commands and get response such as get cat /etc/passwd. But you also can ask for a shell so it gives you a reverse shell. It has some argument personalitation so you can specify what type of reverse shell you get (bash or sh), what reverse shell language use to retrieve the shell (php, bash, mkfifo, python...) or the laravel RCE method (1,2,3 or 4). It also provides a good shell interaction and references to the shell treatment or linux privilege escalation.
๐งจ CVE-2018-15133
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.๐ฆ Install
git clone https://github.com/PwnedShell/Larascript pip3 install -r requirements.txt
๐ Usage
Required params are the vulnerable url and the app_key in base64. Seelarascript.py -h.
usage: larascript.py [-h] -k APPKEY [-c COMMAND] [-m {1,2,3,4,5}] [-s {bash,python,perl,php,ruby,nc,mkfifo,lua,java}]
[-t {bash,sh}] [-p PORT] [-P LPORT] [-U LHOST]
url
Send the command whoami
PwnedShell