How I Took Over a Company Database After Getting a Laravel .env File

Rudra Sarkar
4 min read · Feb 25, 2020


This is my second big hack. Previously I posted another write-up, “How I hacked 92k users Information using open s3 bucket”. Two days ago I had nothing to do, so I thought let’s scroll LinkedIn, and while I was scrolling I saw a company and thought, let’s find something on there.

So I downloaded their app and used MobSF to analyse it, and I got a few API endpoints.

Among those endpoints I saw a URL where my eyes stuck. The URL looks like:

http://redacted.xyz/laravel_api/public/

As a Laravel developer I thought something was wrong here, because normally devs don’t host the web script like that, so I browsed the URL and it showed me a Laravel stack error.

Forgot to take a screenshot

This API endpoint was in debug mode; the dev forgot to set production mode in the .env file. I got the DB username and DB password from the stack trace, because it shows .env information when debug mode is on.

Then I tried to reach the .env file: if I could see the APP_KEY, I could try the token unserialize remote command execution. Previous versions, maybe 5.4.x < 5.5.x, are vulnerable to this issue (I forgot, pardon me if I am wrong), so that anyone can see the .env file of the Laravel website. Before checking the .env file I had to go one step back, because the .env file is located at the root path of the directory. The URL looks like:

http://redacted.xyz/laravel_api/.env

And tada! I was able to see all the .env information, such as:

APP_KEY, DB Information, Mail Information, JWT_SECRET, BUGSNAG_API_KEY
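As an added example (not the author's code), here is a small Python audit of a Laravel .env file that flags the settings that made this possible: APP_DEBUG left on, APP_ENV not set to production, and secrets present in a file that must never be web-readable. The key names are Laravel's real ones; the sample .env content is constructed.

```python
"""Audit a Laravel .env for the post's misconfigurations: debug mode on,
APP_ENV not production, web-leakable secrets, remotely reachable DB host.
Added example, not the author's code; SAMPLE_ENV is constructed."""
import re

# Keys whose exposure hands out credentials or signing material.
SECRET_KEYS = {"APP_KEY", "DB_PASSWORD", "JWT_SECRET", "MAIL_PASSWORD",
               "BUGSNAG_API_KEY"}
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text: str) -> dict:
    """Parse dotenv text: KEY=value lines, optional quotes, # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                       # strip matching quotes
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop trailing comment
        env[key] = value
    return env

def audit_laravel_env(text: str) -> list:
    """Return (severity, message) findings for a Laravel .env file."""
    env = parse_env(text)
    findings = []
    if env.get("APP_DEBUG", "false").lower() in ("true", "1", "on"):
        findings.append(("high", "APP_DEBUG enabled: error pages expose .env"))
    if env.get("APP_ENV", "").lower() != "production":
        findings.append(("medium", "APP_ENV is not 'production'"))
    for key in sorted(SECRET_KEYS.intersection(env)):
        if env[key]:
            findings.append(("info", key + " set; file must not be web-readable"))
    if env.get("DB_HOST", "127.0.0.1") not in ("127.0.0.1", "localhost"):
        findings.append(("medium", "DB_HOST is remote; restrict MySQL access"))
    return findings

SAMPLE_ENV = """# constructed sample mirroring the post
APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:EXAMPLE_NOT_A_REAL_KEY=
DB_PASSWORD="s3cret # not a comment"
JWT_SECRET=example
"""
```

Running `audit_laravel_env(SAMPLE_ENV)` reports the debug and environment findings first, then one info line per secret present; a production .env with debug off and no remote DB host yields an empty list.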

I thought let’s make it RCE, but I am too lazy to install Metasploit on my home desktop (which I don’t use much, only for gaming).

Lazyyyyyyyyyy

Now the interesting part. I had the DB username and DB password; I tried MySQL remotely but failed, so I went back to the website and told myself: you need to recon again, bro.

Then I browsed the main domain http://redacted.xyz/ and, believe me or not, I got the XAMPP dashboard there.

XAMPP Dashboard

I was like

Brooooooooo!

So I clicked on phpMyAdmin, used the username and password, and clicked Login.

phpMyAdmin Login

And then I successfully logged into phpMyAdmin.

phpMyAdmin Tables

I feel like xD

Is it over? No way. I found a subdomain where I saw directory listing, and there was a file called ctg.zip, which is their admin panel script.

What! Seriously ???

Instantly I messaged the CEO of the website on LinkedIn. He replied asking me to send the report to him.

# Reported at: Monday
# Fixed: Tuesday
# Status: Maybe busy on work, Will get back to me soon ;-;

Thanks for reading, hope you enjoyed it. Pardon me if I made mistakes in spelling.
