Unauthenticated RCE in Laravel Livewire v3 Hydration

Single-file Python exploit tool targeting CVE-2025-54068 against Laravel Livewire applications. The repository contains one substantial script, CVE-2025-54068.py, which implements an end-to-end exploitation workflow rather than a simple detector. The code imports requests, BeautifulSoup, AES/Crypto primitives, threading, subprocess, and concurrent execution modules, indicating automated HTTP interaction, HTML parsing, Laravel-style cryptographic payload handling, and mass exploitation support. The script structure includes: large constant tables for Livewire version fingerprinting (mapping many Livewire 3.x versions to identifiers), default .env discovery paths for APP_KEY harvesting, candidate writable directories for file-drop/web-shell placement, dangerous constructor metadata, and multiple gadget-chain templates for PHP object deserialization. The visible menu logic shows three operating modes: exploit a single URL, exploit targets from file(s) in bulk, and APP_KEY discovery only. It also supports non-interactive/automated execution via environment-driven configuration and can spawn multiple processes for mass exploitation. Primary capabilities inferred from the code are: fingerprinting Livewire versions, probing common Laravel .env locations to recover APP_KEY values, generating encrypted/signed Laravel-compatible payloads, selecting among several gadget chains, and attempting RCE or file-write outcomes on vulnerable targets. The writable-directory list strongly suggests support for dropping a shell or other attacker-controlled file into web-accessible locations. Because the exploit includes actual payload construction and operational workflow, it is best classified as an operational exploit rather than a proof-of-concept. Fingerprintable observables in the code are mostly target-side file paths rather than hardcoded remote infrastructure: numerous .env probe paths and common Laravel writable/public directories. No fixed attacker-controlled IPs or domains are visible in the provided content. The script appears intended for arbitrary operator-supplied target URLs over HTTP/HTTPS rather than a single hardcoded endpoint.

Repository purpose: an enhanced Python exploit tool for CVE-2025-54068 targeting Laravel Livewire, enabling remote command execution by sending crafted Livewire component update requests. It is based on Synacktiv's Livepyre concept and adds usability features (auto URL formatting, custom payload generation, and mass scanning). Key components: - gas.py: main CLI entry point. Supports single-target exploitation, payload-only generation, and mass checking. Can switch to a custom payload mode that base64-encodes a locally generated serialized PHP object and sets function=unserialize to execute it remotely. - exploit/exploit.py: shared base class providing URL normalization, session setup (optional proxy/headers), HTML parsing helpers to extract CSRF token and Livewire update URI, snapshot extraction, and version fingerprinting using versions.json. - exploit/exploit_appkey.py: exploit path when APP_KEY is known. Recomputes Livewire snapshot checksum (HMAC-SHA256 using parsed APP_KEY) after injecting a gadget chain into snapshot data, then POSTs to the update endpoint. - exploit/exploit_wappkey.py: exploit path without APP_KEY. Performs a two-stage approach: (1) attempts to coerce a chosen snapshot parameter into an array/object form via an update request, then (2) sends a second request using payload.json with placeholders replaced to trigger the gadget chain and execute the chosen PHP function/parameter. Includes a version check (<3.6.4) with optional --force. - exploit/laravel_crypto/*: Laravel-compatible AES/HMAC helpers used for APP_KEY parsing and checksum/signing logic. - exploit/payload_generator.py: generates serialized PHP payloads locally (via running php) for richer post-exploitation primitives (shell/file read/write/list/phpinfo/config/eval, multi-command). Used by gas.py custom payload mode. - exploit/mass.py: multi-threaded Livewire presence/version/vulnerability checker with optional realtime result saving. Exploit capabilities: - Detects Livewire presence and extracts wire:snapshot values from HTML. - Discovers Livewire update endpoint (relative or absolute) and CSRF token. - Executes arbitrary PHP functions with attacker-controlled parameters (default system('id')). - Optional custom payload mode: delivers attacker-defined serialized PHP object and triggers it via unserialize(), enabling multi-function command execution and file operations. - Mass scanning/checking of multiple targets with threading and output to JSON/CSV. Notable observables: - Network behavior: HEAD/GET to the provided target URL, then POST JSON to the discovered Livewire update URI. - Local artifacts: versions.json and payload.json templates; optional dependency on local 'php' binary for payload generation.

This repository provides a minimal, reproducible lab environment for CVE-2025-54068, a critical remote code execution vulnerability in Livewire v3.6.3 (used with Laravel 11.0.0). The structure includes Docker and docker-compose files to build and run the vulnerable application, a sample Livewire component (Counter) intentionally left untyped to facilitate exploitation, and a Python proof-of-concept exploit (scripts/poc.py). The exploit works in two stages: first, it manipulates a Livewire component parameter to trigger a type confusion, then it sends a crafted PHP object injection payload to achieve RCE. The PoC confirms exploitation by echoing a marker string and checking for its presence in the HTTP response. The main endpoints involved are the web interface at http://localhost:18081/ and the Livewire update endpoint discovered dynamically by the exploit script. The repository is well-structured for security researchers to reproduce and validate the vulnerability, with clear separation between application code, configuration, and exploit logic. No fake or destructive payloads are present; the exploit is a safe, operational PoC for RCE.

This repository, 'Livepyre', is a Python-based exploit tool targeting CVE-2025-54068, a remote command execution (RCE) vulnerability in Laravel Livewire versions prior to 3.6.4. The tool is structured with a main entry point (Livepyre.py) that orchestrates exploitation using two main strategies: with and without knowledge of the Laravel APP_KEY. The 'exploit' directory contains the core logic, including modules for cryptographic operations compatible with Laravel's encryption scheme, payload construction, and version detection. The exploit works by sending specially crafted HTTP POST requests to Livewire endpoints, abusing the snapshot mechanism to trigger PHP object injection and execute arbitrary system commands. The tool can automatically detect vulnerable versions, enumerate exploitable parameters, and adapt its payloads based on the target's configuration. The repository includes example usage, payload templates, and a comprehensive version hash list for Livewire. No hardcoded IPs or domains are present, but the tool requires the attacker to specify the target URL. The exploit is operational and provides direct RCE if successful.