insecure.newploit.com — PocketPentester Vuln Lab
Deliberately vulnerable PHP target for shaking down every arsenal module in PocketPentester. Runs as a local docker-compose stack.
Warning
Do NOT expose this to the public internet. It has intentional RCE, SQLi, LFI, SSRF, open redirect, CORS misconfig, weak JWT, leaked secrets and more. Keep it on a private bridge network only.
Quick start
```sh
cd vuln-lab
docker compose up --build -d
```
Add the hostname to your hosts file so the insecure.newploit.com SNI / Host header works:
Linux / macOS → /etc/hosts
127.0.0.1 insecure.newploit.com
Windows → C:\Windows\System32\drivers\etc\hosts
127.0.0.1 insecure.newploit.com
Android (testing from PocketPentester on device) — set your phone's Wi-Fi DNS to the dev machine, or just use the host's LAN IP directly:
http://192.168.x.x:8080/ (or whatever your dev box IP is)
Smoke-test from the host:
```sh
curl http://insecure.newploit.com:8080/
curl http://insecure.newploit.com:8080/.env
curl "http://insecure.newploit.com:8080/search.php?q=<svg/onload=alert(1)>"
```
Open ports
| Host port | Service | Notes |
|---|---|---|
| 8080 | Apache 2.4 + PHP | main web app (→ container 80) |
| 8443 | Apache TLS | snakeoil cert for ssl_scan (→ 443) |
| 3306 | MariaDB 10.11 | root:toor, also dbuser:dbpass123 |
Module → endpoint map
Everything below is already wired. Point the tool at insecure.newploit.com (or http://<host>) and it should fire.
RECON
| Arsenal module | Where it hits |
|---|---|
| port_scan | 3306 / 8080 / 8443 open (host-mapped ports) |
| httpx | Title Newploit :: insecure test lab, Server Apache/2.4.57 … |
| banner | Apache + MySQL banners expose full version |
| ssl_scan | Self-signed CN=insecure.newploit.com on :443 |
| dns_tools | (local hosts entry) |
EXPLOIT
| Arsenal module | Endpoint(s) that fire |
|---|---|
| sqli | /search.php?q=…, /profile.php?id=…, /login.php POST |
| xss | /search.php?q=<payload> (reflected, unescaped) |
| jwt | /api/auth.php — alg:none accepted, HS256 secret = `secret` |
| xploiter | see template-by-template table below |
| autopwn | runs the whole chain on http://insecure.newploit.com/ |
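Added example, not code from the lab or from PocketPentester: a minimal HS256 JWT check that mirrors the two weaknesses the table attributes to /api/auth.php (header-selected alg:none, secret `secret`) beside a pinned-algorithm verifier that rejects both, plus a secret-strength check for the HS256 key. Function names, the denylist and the sample payload are assumptions of mine; the lab's PHP is not reproduced.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
WEAK_SECRETS = {b"secret", b"password", b"changeme", b"jwt", b""}  # constructed denylist

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(payload: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Mint a test token; alg="none" yields an unsigned token (empty third part)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    if alg == "none" or key is None:
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_lab_style(token: str, key: bytes) -> Optional[dict]:
    """Weak check as the README describes: the header picks the algorithm, so alg:none skips the signature."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") == "none":
        return json.loads(b64url_decode(body))
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(b64url_decode(body)) if hmac.compare_digest(expected, b64url_decode(sig)) else None

def verify_strict(token: str, key: bytes) -> Optional[dict]:
    """Hardened check: algorithm pinned server-side, signature required, constant-time compare."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    header, body, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None

def secret_is_weak(key: bytes) -> bool:
    """Flag an HS256 key that is denylisted or shorter than 32 bytes (256 bits)."""
    return key.lower() in WEAK_SECRETS or len(key) < 32
```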
MANUAL
| Arsenal module | Where it hits |
|---|---|
| repeater | any of the URLs above — try ?q= with crafted payloads |
| dirfuzz | common wordlist hits /admin, /wp-admin, /backup.sql, … |
| admin_finder | /admin/, /administrator/, /wp-admin/, /wp-login.php |
| form_brute | POST /login.php — admin:admin123, root:toor, … |
UTILITY
| Arsenal module | Notes |
|---|---|
| domain_grabber | not relevant to a single host |
| subdomain | not relevant to a single host (add wildcard DNS if desired) |
| takeover | not relevant |
| lan_map | scan your local net and this container IP will show up |
Xploiter bundled templates
| Template YAML | Vuln endpoint | Trigger |
|---|---|---|
| xpl-env-leak | /.env, .env.local, .env.production | APP_KEY=, DB_PASSWORD= |
| xpl-git-config | /.git/config | [core] + remote URL |
| xpl-phpinfo | /phpinfo.php | `<title>phpinfo()` |
| xpl-lfi-basic | /page.php?page=… | ../../../../etc/passwd |
| xpl-rce-shellshock | /cgi-bin/test.cgi etc | `() { :; }; echo marker` |
| xpl-ssti-jinja2 | /?name=xplZZZ{{999*777}}ssti | math eval inside {{ }} |
| xpl-ssti-twig | POST / body=name=…{{'x'\|upper}}… | filter pipe eval |
| xpl-open-redirect | /redirect.php?url=, /go.php?to=, … | Location: evil.example |
| xpl-ssrf-basic | /fetch.php?url=…169.254.169.254/… | canned AWS metadata reply |
| xpl-wp-debug | /wp-content/debug.log | PHP error lines |
| xpl-cors-misconfig | / and /api/* | Origin reflection + creds |
| xpl-backup-files | /backup.sql, /backup.zip, /db.sql, … | >512B, non-HTML ctype |
| xpl-rce-log4shell | (not applicable — no JVM) | won't fire |
Creds cheatsheet (for form_brute / sqli bypass testing)
admin / admin123
root / toor
user / password
test / test
imtaqin / newploit2024
guest / guest
Also in the DB: the api_tokens.token column has sk_* values matching the ones in /.env, so the leak-correlation story is consistent.
Layout
```
vuln-lab/
├── docker-compose.yml
├── db/init.sql
└── web/
    ├── Dockerfile
    ├── apache.conf
    ├── cgi-bin/            # shellshock targets
    └── www/
        ├── index.php       # landing + SSTI + CORS
        ├── search.php      # XSS + SQLi
        ├── profile.php     # integer SQLi
        ├── login.php       # SQLi login + form_brute target
        ├── page.php        # LFI
        ├── fetch.php       # SSRF (reflects AWS metadata)
        ├── redirect.php    # open redirect
        ├── api/            # JWT + CORS endpoints
        ├── admin/          # admin panel
        ├── wp-login.php    # wordpress decoy
        ├── wp-content/debug.log
        ├── .env, .env.local, .env.production
        ├── .git/config, .git/HEAD
        ├── .bash_history, .DS_Store
        ├── backup.sql, backup.zip, backup.tar.gz
        ├── db.sql, dump.sql, site.zip, www.zip, public_html.zip
        └── robots.txt
```
Teardown
```sh
docker compose down -v
```
Built for PocketPentester by imtaqin / tegalsec. Have fun. Don't ship this.