This application was used in my Laracon EU 2019 Amsterdam presentation to demonstrate the following vulnerabilities that are usually caused by poor development practises or mistakes in your code.
This application contains critical security vulnerabilities, DO NOT deploy or run this application outside of your localhost (or expose your localhost while running this)
- Docker
- Docker Compose
- PHP (>v7.1 preferably) & Composer
composer installdocker-compose up -ddocker exec laracon-app php artisan migrate --seed
- There's a vulnerable API endpoint at http://localhost:1234/api/events?sort=id (assuming you're running this in docker)
- There are many ways to exploit this, if you attended the talk you'll know one very specific tool for this
- The tool used in the presentation is PHPGGC (https://github.com/ambionics/phpggc)
- API endpoints used can be found at /api/uploads & /api/file-details?fileName=xxx
- This project's docker compose setup intentionally configures Laravel scheduler to run as root, that's all you need to know ;)