A dedicated exploitation toolkit built for hacking websites. It automates scanning, extracting sensitive data (SMTP, DB, API keys), and compromising admin panels.
🔎 Auto-Detection & Scanning
- Scans bulk targets (domain lists or IPs) to identify Laravel-based applications.
- Detects Laravel signatures, version numbers, and possible misconfigurations.
- Quickly filters vulnerable sites to save time.
🗄 Database Cracking & Dumping
- Uses DB credentials from .env to connect and dump full databases.
- Supports MySQL, PostgreSQL, and other DB backends supported by Laravel.
- Automates extraction of user info, login credentials, and financial records.
🔑 SMTP / Webmail Grabber
- Automatically pulls SMTP creds from .env or DB.
- Verifies SMTP logins for bulk mailing campaigns.
- Supports multi-threaded SMTP checking for speed.
🛠 Admin Panel Takeover
- Finds and brute-forces default Laravel /admin or custom login routes.
- Token manipulation to bypass login protection.
- Grants full access to web app dashboards (upload shells, edit configs, etc.).
💻 Remote Code Execution (RCE)
- Exploits weak routes and misconfigured Laravel debug modes.
- Uploads and executes custom PHP shells.
- Allows persistent server access after compromise.
🧹 Cleaned Version
- Lightweight, stripped-down version.
- Keeps only core features: .env grabber, DB dumper, SMTP extractor.
- Faster execution, avoids unnecessary modules that might trigger detection.
Mechanism
- Scan Targets → Detect sites.
- Exploit Exposed Files → Grab .env and sensitive configs.
- Harvest Credentials → Extract DB, SMTP, API, and admin logins.
- Take Control → Log into admin panels or upload shells for full access.
- Monetize → Sell SMTPs, DB dumps, or use access for spam/phishing campaigns.