Laravel Framework < 5.5.40 and 5.6.x < 5.6.30 - Remote Code Execution via Unserialize of X-XSRF-TOKEN
Exploitation Summary
CVE-2018-15133 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 16, 2024.
EIP tracks 16 public exploits from researchers including Metasploit, kozmic and aljavier; one of them is the Metasploit module exploits/unix/http/laravel_token_unserialize_exec.
AI-analyzed exploit summary: This Metasploit module exploits a deserialization vulnerability in Laravel Framework versions 5.5.40 and 5.6.x <= 5.6.29 via an insecure unserialize call in the decrypt method, allowing remote command execution through a crafted X-XSRF-TOKEN header. It requires knowledge of the Laravel APP_KEY, which can sometimes be leaked.
Description
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
Exploits (16)
This Metasploit module exploits a deserialization vulnerability in Laravel Framework versions 5.5.40 and 5.6.x <= 5.6.29 via an insecure unserialize call in the decrypt method, allowing remote command execution through a crafted X-XSRF-TOKEN header. It requires knowledge of the Laravel APP_KEY, which can sometimes be leaked.
This repository contains a functional Proof of Concept (PoC) exploit for CVE-2018-15133, a deserialization vulnerability in Laravel Framework versions <= 5.6.29 and <= 5.5.40. The exploit leverages a leaked APP_KEY to encrypt a malicious payload and execute arbitrary commands via a POST request header.
This is a Python-based exploit for CVE-2018-15133, a Laravel Framework deserialization vulnerability leading to remote code execution. It leverages multiple gadget chains to achieve RCE via crafted X-XSRF-TOKEN values.
This repository contains a functional exploit for CVE-2018-15133, a Laravel framework deserialization vulnerability. The script generates malicious payloads to achieve remote code execution (RCE) and can establish a reverse shell on vulnerable Laravel applications.
This PoC exploits CVE-2018-15133, a remote code execution vulnerability in Laravel applications with exposed PHPUnit files. It uploads a malicious PHP file via a crafted request to the vulnerable endpoint.
This repository contains a scanner for CVE-2018-15133, which targets Laravel applications by checking for exposed .env files and attempting to exploit unserialize vulnerabilities. It uses multithreading to scan multiple targets and sends data to an external exploit server.
This repository contains a functional PoC for CVE-2018-15133, a Laravel APP_KEY deserialization vulnerability. The exploit leverages a known APP_KEY to craft a malicious serialized payload, which is then encrypted and sent to the target server to achieve remote code execution.
This repository provides a Docker-based lab environment to demonstrate CVE-2018-15133, a Laravel Framework RCE vulnerability via token unserialize when the APP_KEY is known. It includes a simple POST route to trigger CSRF handling and validate exploitation using tools like Nuclei.
This PoC exploits CVE-2018-15133, a Laravel deserialization vulnerability, by crafting a malicious serialized payload encrypted with the target's APP_KEY and sending it via a session cookie to achieve remote code execution.
This repository contains a functional exploit for CVE-2018-15133, a deserialization vulnerability in Laravel Framework. The exploit leverages a crafted X-XSRF-TOKEN header to achieve remote code execution (RCE) on vulnerable Laravel applications.
This is a functional exploit for CVE-2018-15133, a Laravel deserialization vulnerability leading to remote code execution. It generates malicious payloads, encrypts them using the target's API key, and sends them via HTTP headers to execute arbitrary commands.
This is a functional exploit for CVE-2018-15133, targeting Laravel applications with insecure deserialization. It generates a malicious payload to achieve remote command execution by leveraging Laravel's encryption and deserialization mechanisms.
This repository contains an automated proof-of-concept for CVE-2018-15133, a deserialization vulnerability in Laravel Framework. The PoC leverages phpggc to generate malicious serialized objects and automates the exploitation process via a shell script.
This repository contains a functional exploit for CVE-2018-15133, a Laravel RCE vulnerability leveraging deserialization via the APP_KEY. It includes multiple gadget chains for different Laravel versions and a web interface to execute commands.
This Python script automates the exploitation of CVE-2018-15133 by sending a malicious curl request to a target Laravel site, attempting to write a PHP shell via a vulnerable endpoint. The script appends the exploit command to a file for batch execution.
This Metasploit module exploits a PHP Laravel Framework vulnerability (CVE-2018-15133) via insecure unserialize in the decrypt method, allowing remote command execution through crafted X-XSRF-TOKEN headers. It includes multiple payload generation methods and checks for APP_KEY leaks.
References (3)
Scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H