_ _ _
| | __ _ _ __ __ _ ___ ___ _ __ (_) _ __ | |_
| | / _` || '__| / _` |/ __| / __|| '__|| || '_ \ | __|
| |___ | (_| || | | (_| |\__ \| (__ | | | || |_) || |_
|_____| \__,_||_| \__,_||___/ \___||_| |_|| .__/ \__|
|_|
Authors: @pwnedshell & @rsgbengi
Larascript is a script which take advantage from
CVE-2018-15133 and can execute remote commands if a vulnerable Laravel app is exposed. You can send commands and get response such as get cat /etc/passwd. But you also can ask for a shell so it gives you a reverse shell. It has some argument personalitation so you can specify what type of reverse shell you get (bash or sh), what reverse shell language use to retrieve the shell (php, bash, mkfifo, python...) or the laravel RCE method (1,2,3 or 4). It also provides a good shell interaction and references to the shell treatment or linux privilege escalation.
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
git clone https://github.com/PwnedShell/Larascript pip3 install -r requirements.txtRequired params are the vulnerable url and the app_key in base64. See
larascript.py -h.usage: larascript.py [-h] -k APPKEY [-c COMMAND] [-m {1,2,3,4,5}] [-s {bash,python,perl,php,ruby,nc,mkfifo,lua,java}]
[-t {bash,sh}] [-p PORT] [-P LPORT] [-U LHOST]
url
Send the command whoami
