hunt-laravel

Solid

Hunt Laravel specific vulnerabilities — Debug mode leakage (APP_DEBUG=true exposes full stack trace + env vars), Laravel Telescope/Horizon dashboard unauthorized access, Ignition RCE (CVE-2021-3129), Signed URL manipulation, Queue Worker abuse, mass assignment via Eloquent, deserialization via cookies, .env file exposure. Use when target runs Laravel (PHP) — detected via X-Powered-By, Laravel session cookies, or /storage/ paths.

AI & Automation 1,912 stars 279 forks Updated 3 days ago NOASSERTION

Install

View on GitHub

Quality Score: 86/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# HUNT-LARAVEL — Laravel Specific Vulnerabilities ## Crown Jewel Targets Laravel debug mode enabled in production = instant RCE via Ignition (CVE-2021-3129). **Highest-value findings:** - **Ignition RCE (CVE-2021-3129)** — `APP_DEBUG=true` + Laravel < 8.4.2 → `/_ignition/execute-solution` RCE without auth - **Telescope dashboard** — `/telescope` exposes full request/response logs, DB queries, Redis commands, scheduled jobs, environment variables - **Horizon dashboard** — `/horizon` exposes queue job details, failed jobs with full payloads (may contain API keys, PII) - **Signed URL manipulation** — if `URL::signedRoute` validates wrong params → bypass signed URL → unauthorized actions - **.env exposure** — `APP_KEY` leaked → decrypt all encrypted cookies → forge session → ATO --- ## Phase 1 — Fingerprint Laravel ```bash # Laravel-specific indicators curl -sI https://$TARGET/ | grep -i "laravel_session\|x-powered-by.*php" curl -s https://$TARGET/ | grep -i "laravel\|Illuminate\|csrf-token" # Common Laravel paths for path in /storage /public /resources "/vendor/laravel" "/.env" "/artisan"; do STATUS=$(curl -s -o /dev/null -w "%{http_code}" "https://$TARGET$path") [ "$STATUS" != "404" ] && echo "$path: $STATUS" done # Check error page (trigger 404) curl -s "https://$TARGET/definitely-does-not-exist-xyz" | grep -i "laravel\|Whoops\|Ignition\|symfony" ``` --- ## Phase 2 — Debug Mode & Ignition RCE (CVE-2021-3129) ```bash # Step 1: Check if debug mode is enabled (Whoo...

Details

Author
elementalsouls
Repository
elementalsouls/Claude-BugHunter
Created
1 months ago
Last Updated
3 days ago
Language
Python
License
NOASSERTION

Integrates with

Anthropic · AI Redis · Database Laravel · Backend

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

hunt-nodejs

Hunt Node.js specific vulnerabilities — Prototype Pollution → RCE chains (lodash/merge/assign), Express trust proxy misconfiguration, child_process/eval injection, template engine SSTI (EJS/Pug/Handlebars), path traversal in file servers, require() injection, environment variable exfil via /proc/self/environ. Use when target runs Node.js/Express/Fastify/NestJS/Koa.

1,912 Updated 3 days ago
elementalsouls
AI & Automation Solid

hunt-deserialization

Hunt Insecure Deserialization — Java gadget chains (ysoserial), PHP object injection (phpggc), Python pickle RCE, .NET BinaryFormatter, Ruby Marshal.load, JNDI/Log4Shell. RCE via deserialization is almost always Critical. Use when target runs Java, PHP serialization, Python pickle, .NET, or Ruby on Rails.

1,912 Updated 3 days ago
elementalsouls
Testing & QA Solid

hunt-springboot

Hunt Spring Boot specific vulnerabilities — Actuator endpoints (heapdump, env, loggers, mappings, shutdown), Spring Expression Language (SpEL) injection → RCE, H2 console RCE, Jolokia JMX exposure, Spring4Shell (CVE-2022-22965), Spring Cloud Function SPEL (CVE-2022-22963), heap dump credential extraction. Use when target runs Spring Boot — detected via X-Application-Context header, /actuator, Whitelabel Error Page, or Java stack traces.

1,912 Updated 3 days ago
elementalsouls