From 525fe93f94b3fcececfdd3891c8649bcf159a09d Mon Sep 17 00:00:00 2001
From: JT
Date: Mon, 26 Jan 2015 19:21:22 +0800
Subject: [PATCH 1/4] Update PHP.fuzz.txt Adding more payloads for PHP.fuzz.txt
---
 Discovery/PHP.fuzz.txt | 89 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 86 insertions(+), 3 deletions(-)
diff --git a/Discovery/PHP.fuzz.txt b/Discovery/PHP.fuzz.txt
index af024b4a069..9b86b3fa7e6 100755
--- a/Discovery/PHP.fuzz.txt
+++ b/Discovery/PHP.fuzz.txt
@@ -15,9 +15,92 @@
 /php
 /phpsecinfo
 /phpinfo
-/phpmyadmin/
-/phpMyAdmin/
-/mysqladmin/
+/phpMyAdmin
+/phpmyadmin
+/PMA
+/admin
+/dbadmin
+/mysql
+/myadmin
+/phpmyadmin2
+/phpMyAdmin2
+/phpMyAdmin-2
+/php-my-admin
+/phpMyAdmin-2.2.3
+/phpMyAdmin-2.2.6
+/phpMyAdmin-2.5.1
+/phpMyAdmin-2.5.4
+/phpMyAdmin-2.5.5-rc1
+/phpMyAdmin-2.5.5-rc2
+/phpMyAdmin-2.5.5
+/phpMyAdmin-2.5.5-pl1
+/phpMyAdmin-2.5.6-rc1
+/phpMyAdmin-2.5.6-rc2
+/phpMyAdmin-2.5.6
+/phpMyAdmin-2.5.7
+/phpMyAdmin-2.5.7-pl1
+/phpMyAdmin-2.6.0-alpha
+/phpMyAdmin-2.6.0-alpha2
+/phpMyAdmin-2.6.0-beta1
+/phpMyAdmin-2.6.0-beta2
+/phpMyAdmin-2.6.0-rc1
+/phpMyAdmin-2.6.0-rc2
+/phpMyAdmin-2.6.0-rc3
+/phpMyAdmin-2.6.0
+/phpMyAdmin-2.6.0-pl1
+/phpMyAdmin-2.6.0-pl2
+/phpMyAdmin-2.6.0-pl3
+/phpMyAdmin-2.6.1-rc1
+/phpMyAdmin-2.6.1-rc2
+/phpMyAdmin-2.6.1
+/phpMyAdmin-2.6.1-pl1
+/phpMyAdmin-2.6.1-pl2
+/phpMyAdmin-2.6.1-pl3
+/phpMyAdmin-2.6.2-rc1
+/phpMyAdmin-2.6.2-beta1
+/phpMyAdmin-2.6.2-rc1
+/phpMyAdmin-2.6.2
+/phpMyAdmin-2.6.2-pl1
+/phpMyAdmin-2.6.3
+/phpMyAdmin-2.6.3-rc1
+/phpMyAdmin-2.6.3
+/phpMyAdmin-2.6.3-pl1
+/phpMyAdmin-2.6.4-rc1
+/phpMyAdmin-2.6.4-pl1
+/phpMyAdmin-2.6.4-pl2
+/phpMyAdmin-2.6.4-pl3
+/phpMyAdmin-2.6.4-pl4
+/phpMyAdmin-2.6.4
+/phpMyAdmin-2.7.0-beta1
+/phpMyAdmin-2.7.0-rc1
+/phpMyAdmin-2.7.0-pl1
+/phpMyAdmin-2.7.0-pl2
+/phpMyAdmin-2.7.0
+/phpMyAdmin-2.8.0-beta1
+/phpMyAdmin-2.8.0-rc1
+/phpMyAdmin-2.8.0-rc2
+/phpMyAdmin-2.8.0
+/phpMyAdmin-2.8.0.1
+/phpMyAdmin-2.8.0.2
+/phpMyAdmin-2.8.0.3
+/phpMyAdmin-2.8.0.4
+/phpMyAdmin-2.8.1-rc1
+/phpMyAdmin-2.8.1
+/phpMyAdmin-2.8.2
+/sqlmanager
+/mysqlmanager
+/p/m/a
+/PMA2005
+/pma2005
+/phpmanager
+/php-myadmin
+/phpmy-admin
+/webadmin
+/sqlweb
+/websql
+/webdb
+/mysqladmin
+/mysql-admin
 /MySQLadmin
 /MySQLAdmin
 /login.php
From 472ab129188711ed3ec421324712def83d4e31d2 Mon Sep 17 00:00:00 2001
From: JT
Date: Mon, 26 Jan 2015 19:22:28 +0800
Subject: [PATCH 2/4] Update PHP.fuzz.txt
---
 Discovery/PHP.fuzz.txt | 1 -
 1 file changed, 1 deletion(-)
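Review bot: `/phpMyAdmin-2.6.2-rc1` is added twice in this hunk, once before and once after `/phpMyAdmin-2.6.2-beta1`, and nothing later in the series removes the second copy (patch 2/4 only drops the repeated `/phpMyAdmin-2.6.3`). The versioned entries are also not in a consistent order (`-2.6.3` precedes `-2.6.3-rc1`, `-2.6.4` follows its `-pl` entries), which is what makes such repeats hard to spot in review. Delete the second `/phpMyAdmin-2.6.2-rc1` line and run a uniqueness check such as `sort PHP.fuzz.txt | uniq -d` before merging.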
diff --git a/Discovery/PHP.fuzz.txt b/Discovery/PHP.fuzz.txt
index 9b86b3fa7e6..c66c3ed92c4 100755
--- a/Discovery/PHP.fuzz.txt
+++ b/Discovery/PHP.fuzz.txt
@@ -63,7 +63,6 @@
 /phpMyAdmin-2.6.2-pl1
 /phpMyAdmin-2.6.3
 /phpMyAdmin-2.6.3-rc1
-/phpMyAdmin-2.6.3
 /phpMyAdmin-2.6.3-pl1
 /phpMyAdmin-2.6.4-rc1
 /phpMyAdmin-2.6.4-pl1
From 061ccbde9fde9d14ca74e215d568b6dc6cc0dc67 Mon Sep 17 00:00:00 2001
From: JT
Date: Mon, 26 Jan 2015 20:45:53 +0800
Subject: [PATCH 3/4] Create malicious.txt Adding strings for finding backdoor shells, rootkits, botnets, and exploitable functions
---
 GrepStrings/malicious.txt | 94 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 GrepStrings/malicious.txt
diff --git a/GrepStrings/malicious.txt b/GrepStrings/malicious.txt
new file mode 100644
index 00000000000..f5e258ff6d8
--- /dev/null
+++ b/GrepStrings/malicious.txt
@@ -0,0 +1,94 @@
+# strings for finding backdoor shells, rootkits, botnets, and exploitable functions
+# grep -Rn "shell *(" /var/www
+
+passthru
+shell_exec
+system
+phpinfo
+base64_decode
+chmod
+mkdir
+fopen
+fclose
+readfile
+php_uname
+eval
+edoced_46esab
+popen
+include
+create_function
+mysql_execute
+php_uname
+proc_open
+pcntl_exec
+``
+include_once
+require
+require_once
+posix_mkfifo
+posix_getlogin
+posix_ttyname
+getenv
+get_current_user
+proc_get_status
+get_cfg_var
+disk_free_space
+disk_total_space
+diskfreespace
+getcwd
+getlastmo
+getmygid
+getmyinode
+getmypid
+getmyuid
+assert
+extract
+parse_str
+putenv
+ini_set
+pfsockopen
+fsockopen
+apache_child_terminate
+posix_kill
+posix_setpgid
+posix_setsid
+posix_setuid
+tmpfile
+bzopen
+gzopen
+chgrp
+chown
+copy
+file_put_contents
+lchgrp
+lchown
+link
+mkdir
+move_uploaded_file
+symlink
+tempnam
+imagecreatefromgif
+imagecreatefromjpeg
+imagecreatefrompng
+imagecreatefromwbmp
+imagecreatefromxbm
+imagecreatefromxpm
+ftp_put
+ftp_nb_put
+exif_read_data
+read_exif_data
+exif_thumbnail
+exif_imagetype
+hash_file
+hash_hmac_file
+hash_update_file
+md5_file
+sha1_file
+highlight_file
+show_source
+php_strip_whitespace
+get_meta_tags
+str_repeat
+unserialize
+register_tick_function
+register_shutdown_function
From 84f0001241d720d90b0efb82196d5b8fa43817af Mon Sep 17 00:00:00 2001
From: JT
Date: Tue, 27 Jan 2015 14:38:48 +0800
Subject: [PATCH 4/4] Create ASP_CommonBackdoors.fuzz.txt Common backdoors for ASP
---
 Discovery/ASP_CommonBackdoors.fuzz.txt | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 Discovery/ASP_CommonBackdoors.fuzz.txt
diff --git a/Discovery/ASP_CommonBackdoors.fuzz.txt b/Discovery/ASP_CommonBackdoors.fuzz.txt
new file mode 100644
index 00000000000..e5044178dad
--- /dev/null
+++ b/Discovery/ASP_CommonBackdoors.fuzz.txt
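Review bot: The new file cannot be passed to `grep -f` as it stands, because its third line is empty and an empty pattern matches every input line, while the two `#` lines are read as literal patterns. Either move the commentary out of the pattern file or document a filtered invocation in the header, for example `grep -v -e '^#' -e '^$' malicious.txt | grep -RnwFf - /var/www`. `php_uname` and `mkdir` are each listed twice, and `getlastmo` looks like a truncated `getlastmod`. Names such as `include`, `require`, `copy`, `link` and `system` occur in most legitimate PHP code, so the header should state that hits are triage leads to be read in context, not indicators of compromise on their own.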
@@ -0,0 +1,23 @@
+3fexe.asp
+ASpy.asp
+EFSO.asp
+RemExp.asp
+aspxSH.asp
+aspxshell.aspx
+aspydrv.asp
+cmd.asp
+cmd.aspx
+cmdexec.aspx
+elmaliseker.asp
+filesystembrowser.aspx
+fileupload.aspx
+ntdaddy.asp
+spexec.aspx
+sql.aspx
+tool.asp
+toolaspshell.asp
+up.asp
+zehir.asp
+zehir.aspx
+zehir4.asp
+zehir4.aspx
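Review bot: The entries in this new list have no leading `/`, while every entry of Discovery/PHP.fuzz.txt touched earlier in this series starts with one, so a consumer that joins a base URL and an entry will treat the two Discovery lists differently. Pick one convention for the directory and note it in a header or README. Several names here (`cmd.asp`, `up.asp`, `tool.asp`, `sql.aspx`, `fileupload.aspx`) are also plausible legitimate application files, so a match should be treated as a prompt to inspect the file rather than as confirmation of a backdoor.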