How I Takeover a Company Database After got Laravel .env file

4 min readFeb 25, 2020

This is my second big hack previously I posted another write up which is “ How I hacked 92k users Information using open s3 bucket ”. Two day ago I have nothing to do so I though let’s scroll Linkedin and While I am scrolling I saw a Company and Thought let find something on there.

So I download their App and Used MobSF for analysis their App, And I got few API Endpoint.

On those Endpoint I saw a URL where my eyes stuck the url looks like:

http://redacted.xyz/laravel_api/public/

As a Laravel developer I thought something is wrong here, Because normally Dev. don’t host web script like that, So I browse the URL and it showed me Laravel Stack error.

This API endpoint are in Debug Mode. Dev. forgot to set Production mode in .env file. I go the DBUsername and DBPassword from Stacks because it’s shows .env information if it is in Debug mode.

Then what I did I tried to reach .env file if I can see the APP_KEY then I can try for Token Unserialize Remote Command Execution , Previous version maybe 5.4.x < 5.5.x is vulnerable to this issue ( I forgot pardon me if I am wrong ) that anyone can see the .env file of the Laravel website.Before check the .env file I have to go one step back because the .env file are located at root path of directory.The URL look like:

http://redacted.xyz/laravel_api/.env

And tada! I can able to see all the .env information such as

APP_KEY, DB Information, Mail Information, JWT_SECRET, BUGSNAG_API_KEY

I thought let’s make it RCE, But I am too much lazy to Install Metasploit on my home desktop ( which I don’t use much only for gaming ).

Now the interesting part is here, I got DB_Username, DB_Password I tried with Mysql remote but failed, So then I go back to the website and told myself you need to recon again broo.

Then I browse the main domain http://redacted.xyz/ believe me or not I got XAMPP Dashboard on there.