How I Takeover a Company Database After got Laravel .env file
This is my second big hack previously I posted another write up which is “ How I hacked 92k users Information using open s3 bucket ”. Two day ago I have nothing to do so I though let’s scroll Linkedin and While I am scrolling I saw a Company and Thought let find something on there.
So I download their App and Used MobSF for analysis their App, And I got few API Endpoint.
On those Endpoint I saw a URL where my eyes stuck the url looks like:
As a Laravel developer I thought something is wrong here, Because normally Dev. don’t host web script like that, So I browse the URL and it showed me Laravel Stack error.
This API endpoint are in Debug Mode. Dev. forgot to set Production mode in .env file. I go the DBUsername and DBPassword from Stacks because it’s shows .env information if it is in Debug mode.
Then what I did I tried to reach .env file if I can see the APP_KEY then I can try for Token Unserialize Remote Command Execution , Previous version maybe 5.4.x < 5.5.x is vulnerable to this issue ( I forgot pardon me if I am wrong ) that anyone can see the .env file of the Laravel website.Before check the .env file I have to go one step back because the .env file are located at root path of directory.The URL look like:
And tada! I can able to see all the .env information such as
APP_KEY, DB Information, Mail Information, JWT_SECRET, BUGSNAG_API_KEY
I thought let’s make it RCE, But I am too much lazy to Install Metasploit on my home desktop ( which I don’t use much only for gaming ).
Now the interesting part is here, I got DB_Username, DB_Password I tried with Mysql remote but failed, So then I go back to the website and told myself you need to recon again broo.
Then I browse the main domain http://redacted.xyz/ believe me or not I got XAMPP Dashboard on there.
I was like
So, I clicked in PHPMyAdmin and I got Used the Username and Password and Clicked on Login.
And then I am success to login into PHPMyAdmin.
Is it over no way I found a subdomain where I seen directory listing and I saw a file called ctg.zip which is the Admin Panel Script of Them.
Instantly I message the CEO of the Website in Linkedin.He replied me to send the report to him.
# Reported at: Monday
# Fixed: Tuesday
# Status: Maybe busy on work, Will get back to me soon ;-;
Thanks for reading, Hope you enjoy it, Pardon me if I mistake in spelling.