2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Laravel is a development framework currently used by many website and app operators. Because so many websites use it, attackers constantly test it for vulnerabilities. When our SINE security team tested this system, we found an RCE vulnerability, mainly involving XSRF. Below we record three aspects in full: a detailed analysis of the vulnerability, how it is exploited, and how to fix it.
Exploiting the Laravel RCE vulnerability has a precondition: it can only be exploited and triggered successfully if the APP_KEY has been leaked. During our overall vulnerability testing and reproduction, our SINE security engineers found two places that can trigger the vulnerability. The first is the cookie field in a POST packet, and the other is an HTTP header field; both can carry malicious code into the back end of the website.
Let's build a test environment for the vulnerability: a Linux CentOS system, PHP 5.5, a MySQL database, Apache, and Laravel version 5.6.28. First, download that version from the official site and extract it into the website directory configured in Apache. Looking at how our POST data is handled, more than a dozen classes are called in the code, with objects in those classes invoked and parameters assigned. We found that the APP_KEY can be used for exploitation in the values handled for cookies and in VerifyCsrfToken. First, we reproduce the issue with cookies:
The code is as follows:
POST / HTTP/1.2
Host: 127.0.0.2:80
Cookie: safe_SESSION=PHPSTORM; 5LqG5LSecretd6KroomB5omA6L6T5Ye655qE57yW56CB5L2N5Yroomv6Kroom75a2X56ym77yMQmFzZTY05Yi25a6a5LqG5LiA5Liq57yW56CB6KGo77yM5Lul5L6GG57uf5LiA6L2o244CCyW56CB6KGo55qE5aSn5bCP5Li6Ml42PTY077yM6Lmf5pivQmFzZTY05ZCN56ew55E55Sx5p244 CDCQoNCJk2Ue2U2Ue8luigee8luiAqAqA5LiA6Ml42PTY077yM5Lmf5pivQmFzZT05ZCN56ew55E55Sx5244CQoNCJk2U2Ue8lue8luiAqA5LiA6L244CCyW56CB6KGo55qE5aSn5bCP5LiMl42PTY077yM5Lmf5pivQmFzZTY05ZCN56ew55E55Sx544
Content-Type: application/x-www-form-
Connection: open
Content-Length: 1
The request above carries the value in the Cookie header. The encrypted value is the attack code we want to forge. When the POST request is submitted to the website, the value is first decrypted with the APP_KEY. If decryption succeeds, the framework validates the cookie value and deserializes it, which triggers the RCE vulnerability.
To exploit the vulnerability through the HTTP header, we test in the same way. First we construct a request similar to the cookie one, as follows:
POST / HTTP/1.2
Host: 127.0.0.2:80
X-XSRF-TOKEN: [value omitted]
Content-Type: application/x-www-form-
Connection: open
Content-Length: 1
Look at the X-XSRF-TOKEN value here: the Laravel framework checks and verifies this value when the request is submitted, and deserializes it if decryption succeeds, so we will not explain each step again here.
So how do we fix this Laravel vulnerability?
Our SINE security engineers upgraded Laravel and found that the latest version, 5.6.30, has fixed the RCE vulnerability. Comparing the code, we can see that a check was added to the decryption and parsing of cookies, with the value of static::serialized() passed in, and this value was also added for X-XSRF-TOKEN. If you are not familiar with the code, you can also ask a professional website security company to fix it; in China, SINESAFE, Green Alliance and Qiming Star are all quite good. This concludes the website vulnerability detection and testing for Laravel. I hope that through this write-up more people will understand website vulnerabilities, their causes, how to fix them, and website security, so that we can open up the market and do a good job in marketing.
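The decrypt-then-deserialize path described for the cookie and X-XSRF-TOKEN values, next to a hardened path that decrypts without unserializing, as an added example that is not Laravel's own code or part of the original article. The envelope layout, the Probe class and the seal/unseal helpers are assumptions made for illustration, and the key and token are constructed inside the script.

```php
<?php
// Added illustration (PHP 7.4+); all names are hypothetical, not framework code.
// Simplified stand-in for an encrypted cookie / X-XSRF-TOKEN envelope:
// base64(JSON{iv, value, mac}) using AES-256-CBC and HMAC-SHA256.
final class Probe                    // harmless marker: records that it was revived
{
    public static bool $revived = false;
    public function __wakeup(): void { self::$revived = true; }
}

function seal(string $plain, string $key): string
{
    $iv    = base64_encode(random_bytes(16));
    $value = openssl_encrypt($plain, 'aes-256-cbc', $key, 0, base64_decode($iv));
    $mac   = hash_hmac('sha256', $iv . $value, $key);
    return base64_encode(json_encode(compact('iv', 'value', 'mac')));
}

function unseal(string $payload, string $key, bool $unserialize)
{
    $p = json_decode(base64_decode($payload), true);
    if (!is_array($p) || !isset($p['iv'], $p['value'], $p['mac'])) {
        throw new RuntimeException('malformed payload');
    }
    // Only a holder of the key can produce a MAC that passes this check.
    $expected = hash_hmac('sha256', $p['iv'] . $p['value'], $key);
    if (!hash_equals($expected, (string) $p['mac'])) {
        throw new RuntimeException('MAC invalid');
    }
    $plain = openssl_decrypt($p['value'], 'aes-256-cbc', $key, 0, base64_decode($p['iv']));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    // true:  decrypt-then-unserialize, objects are rebuilt and magic methods run.
    // false: hardened path for cookies and tokens, the value stays an inert string.
    return $unserialize ? unserialize($plain) : $plain;
}

$appKey = random_bytes(32);                        // constructed demo key
$token  = seal(serialize(new Probe()), $appKey);   // constructed sample value
try {
    unseal($token, random_bytes(32), true);        // different key: stopped at the MAC
} catch (RuntimeException $e) {
    echo 'other key: ', $e->getMessage(), PHP_EOL;
}
$v = unseal($token, $appKey, false);
echo 'hardened: ', gettype($v), ' revived=', var_export(Probe::$revived, true), PHP_EOL;
$v = unseal($token, $appKey, true);
echo 'unserialize: ', gettype($v), ' revived=', var_export(Probe::$revived, true), PHP_EOL;
```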