This application was used in anamus' conference presentations to demonstrate the following vulnerabilities, which are usually caused by poor development practices or mistakes in your code.
A recording of one of the talks is available on YouTube.
This application contains critical security vulnerabilities. DO NOT deploy or run this application outside of your localhost, and do not expose your localhost while it is running.
- Docker
- Docker Compose
- PHP (>v7.1 preferably) & Composer
```
composer install
docker-compose up -d
docker exec vuln-app php artisan migrate --seed
```
- There's a vulnerable API endpoint at http://localhost:1234/api/events?sort=id (assuming you're running this in Docker).
- There are many ways to exploit this; if you attended the talk, you'll know one very specific tool for it.
- The tool used in the presentation is PHPGGC (https://github.com/ambionics/phpggc)
- The API endpoints used can be found at /api/uploads and /api/file-details?fileName=xxx
- This project's Docker Compose setup intentionally configures the Laravel scheduler to run as root. That's all you need to know ;)