- Changed base URLs and targets in multiple modules to point to insecure.newploit.com for testing purposes.
- Updated README.md to reflect the new domain and provide instructions for setting up the reverse proxy.
- Adjusted configurations in AdminFinder, AutoPwn, Banner, DirFuzz, DnsTools, FormBrute, HttpProbe, PortScan, Repeater, Sqli, SslScan, SubEnum, Xploiter, and Xss components.
insecure.newploit.com — PocketPentester Vuln Lab
Deliberately vulnerable PHP target for shaking down every arsenal module in PocketPentester. Runs as a local docker-compose stack.
Warning
Do NOT expose this to the public internet. It has intentional RCE, SQLi, LFI, SSRF, open redirect, CORS misconfig, weak JWT, leaked secrets and more. Keep it on a private bridge network only.
Quick start
```shell
cd vuln-lab
docker compose up --build -d
```
Add the hostname to your hosts file (the /etc/hosts entry is given under "Exposing it" below) so that the insecure.newploit.com SNI / Host header works.
Exposing it
The lab is designed to be run on a home server / LAN box behind a reverse proxy (cloud VPS, Cloudflare Tunnel, ngrok, tailscale funnel, etc). The public domain insecure.newploit.com then terminates on :80/:443 on the VPS and forwards to the home container's 8080/8443.
Container mapping:
| Host port (home) | Container | Use |
|---|---|---|
| 8080 | 80 | reverse-proxy HTTP → insecure.newploit.com |
| 8443 | 443 | reverse-proxy HTTPS → insecure.newploit.com |
| 3306 | 3306 | MariaDB (root:toor / dbuser:dbpass123) |
Sample nginx on the VPS:
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name insecure.newploit.com;
    location / { proxy_pass http://<home-ip>:8080; proxy_set_header Host $host; }
}
server {
    listen 443 ssl;
    server_name insecure.newploit.com;
    ssl_certificate /etc/letsencrypt/live/insecure.newploit.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/insecure.newploit.com/privkey.pem;
    location / { proxy_pass https://<home-ip>:8443; proxy_ssl_verify off; proxy_set_header Host $host; }
}
```
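The warning at the top says not to expose the lab to the public internet, yet the VPS vhost above answers to anyone. The following is an added example, not part of the lab's own files: the same HTTPS server block with a source-IP allow-list so only your tester addresses reach the lab. The two addresses are documentation-range placeholders, and `<home-ip>` is the same placeholder as above.

```nginx
# Added example (not shipped with vuln-lab): HTTPS vhost from the README,
# restricted to allow-listed tester IPs. Everyone else gets a 403 from
# nginx before any request reaches the vulnerable container.
server {
    listen 443 ssl;
    server_name insecure.newploit.com;

    ssl_certificate     /etc/letsencrypt/live/insecure.newploit.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/insecure.newploit.com/privkey.pem;

    # Placeholder tester addresses (RFC 5737 documentation ranges);
    # replace with the real IPs of the machines running PocketPentester.
    allow 203.0.113.10;
    allow 198.51.100.0/24;
    deny  all;

    location / {
        proxy_pass https://<home-ip>:8443;
        proxy_ssl_verify off;   # lab cert is self-signed (see the ssl_scan row)
        proxy_set_header Host $host;
        # Preserve the real client IP so the lab's logs show who hit it.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Put the same `allow`/`deny` lines in the :80 block as well, otherwise the plain-HTTP path stays open to the whole internet.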
Or if you just want to hit it locally, add to /etc/hosts:
```text
127.0.0.1 insecure.newploit.com
```
and use http://insecure.newploit.com:8080/ directly.
Smoke-test from anywhere (once reverse-proxy is live):
```shell
curl https://insecure.newploit.com/
curl https://insecure.newploit.com/.env
curl "https://insecure.newploit.com/search.php?q=<svg/onload=alert(1)>"
```
Module → endpoint map
Everything below is already wired. Point the tool at insecure.newploit.com (or http://<host>) and it should fire.
RECON
| Arsenal module | Where it hits |
|---|---|
| port_scan | via reverse-proxy: 80/443 public · 3306 only on home LAN |
| httpx | Title `Newploit :: insecure test lab`, Server `Apache/2.4.57` … |
| banner | Apache + MySQL banners expose full version |
| ssl_scan | Self-signed CN=insecure.newploit.com on :443 |
| dns_tools | (local hosts entry) |
EXPLOIT
| Arsenal module | Endpoint(s) that fire |
|---|---|
| sqli | `/search.php?q=…`, `/profile.php?id=…`, `/login.php` POST |
| xss | `/search.php?q=<payload>` (reflected, unescaped) |
| jwt | `/api/auth.php` — `alg:none` accepted, HS256 secret = `secret` |
| xploiter | see template-by-template table below |
| autopwn | runs the whole chain on http://insecure.newploit.com/ |
MANUAL
| Arsenal module | Where it hits |
|---|---|
| repeater | any of the URLs above — try `?q=` with crafted payloads |
| dirfuzz | common wordlist hits `/admin`, `/wp-admin`, `/backup.sql`, … |
| admin_finder | `/admin/`, `/administrator/`, `/wp-admin/`, `/wp-login.php` |
| form_brute | POST `/login.php` — admin:admin123, root:toor, … |
UTILITY
| Arsenal module | Where it hits |
|---|---|
| domain_grabber | not relevant to a single host |
| subdomain | not relevant to a single host (add wildcard DNS if desired) |
| takeover | not relevant |
| lan_map | scan your local net and this container IP will show up |
Xploiter bundled templates
| Template YAML | Vuln endpoint | Trigger |
|---|---|---|
| xpl-env-leak | `/.env`, `.env.local`, `.env.production` | `APP_KEY=`, `DB_PASSWORD=` |
| xpl-git-config | `/.git/config` | `[core]` + remote URL |
| xpl-phpinfo | `/phpinfo.php` | `<title>phpinfo()` |
| xpl-lfi-basic | `/page.php?page=…` | `../../../../etc/passwd` |
| xpl-rce-shellshock | `/cgi-bin/test.cgi` etc | `() { :; }; echo marker` |
| xpl-ssti-jinja2 | `/?name=xplZZZ{{999*777}}ssti` | math eval inside `{{ }}` |
| xpl-ssti-twig | POST `/` body=`name=…{{'x'\|upper}}…` | filter pipe eval |
| xpl-open-redirect | `/redirect.php?url=`, `/go.php?to=`, … | `Location: evil.example` |
| xpl-ssrf-basic | `/fetch.php?url=…169.254.169.254/…` | canned AWS metadata reply |
| xpl-wp-debug | `/wp-content/debug.log` | PHP error lines |
| xpl-cors-misconfig | `/` and `/api/*` | Origin reflection + creds |
| xpl-backup-files | `/backup.sql`, `/backup.zip`, `/db.sql`, … | >512B, non-HTML ctype |
| xpl-rce-log4shell | (not applicable — no JVM) | won't fire |
Creds cheatsheet (for form_brute / sqli bypass testing)
- admin / admin123
- root / toor
- user / password
- test / test
- imtaqin / newploit2024
- guest / guest
Also in the DB: the `api_tokens.token` column has `sk_*` values matching the ones in `/.env`, so the leak-correlation story is consistent.
Layout
```text
vuln-lab/
├── docker-compose.yml
├── db/init.sql
└── web/
    ├── Dockerfile
    ├── apache.conf
    ├── cgi-bin/                 # shellshock targets
    └── www/
        ├── index.php            # landing + SSTI + CORS
        ├── search.php           # XSS + SQLi
        ├── profile.php          # integer SQLi
        ├── login.php            # SQLi login + form_brute target
        ├── page.php             # LFI
        ├── fetch.php            # SSRF (reflects AWS metadata)
        ├── redirect.php         # open redirect
        ├── api/                 # JWT + CORS endpoints
        ├── admin/               # admin panel
        ├── wp-login.php         # WordPress decoy
        ├── wp-content/debug.log
        ├── .env, .env.local, .env.production
        ├── .git/config, .git/HEAD
        ├── .bash_history, .DS_Store
        ├── backup.sql, backup.zip, backup.tar.gz
        ├── db.sql, dump.sql, site.zip, www.zip, public_html.zip
        └── robots.txt
```
Teardown
```shell
docker compose down -v
```
Built for PocketPentester by imtaqin / tegalsec. Have fun. Don't ship this.