Merge pull request #2 from nichogenius/master

Added some base64 samples and an entry to the whitelist
2026-06-16 12:30:35 +00:00 · 2017-07-25 20:53:35 +02:00
parent 00bc3c1336 9931821ec5
commit 2eedd69580
2 changed files with 31 additions and 9 deletions
--- a/patterns_raw.txt
+++ b/patterns_raw.txt
@@ -2,27 +2,43 @@ uname -a
 /etc/shadow
 /etc/passwd
 WSOstripslashes
-PD9waHA
+PD9waH
+w/cGhw
+8P3Boc
 c3lzdGVt
+N5c3Rlb
+zeXN0ZW
 \x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
-cHJlZ19yZXBsYWNl
+cmVwbGFjZ
+JlcGxhY2
+yZXBsYWNl
 \x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
-ZXhlYyg
+ZXhlYy
+V4ZWMo
+leGVjK
 \x65\x78\x65\x63' /* dec/hex issue? */, // exec
 ='base'.(32*2).'_de'.'code'
 "base64_decode"
 YmFzZTY0X2RlY29kZ
+Jhc2U2NF9kZWNvZG
+iYXNlNjRfZGVjb2Rl
 "p"."r"."e"."g"."_"
 eval("?>
 ev\x61l
 \x65\166\x61\154\x28' /* dec/hex issue? */,
 \x65\x76\x61\x6C' /* case, dec/hex issue? */,
-ZXZhbCg
+ZXZhbC
+V2YWwo
+ldmFsK
 'ev'.'al'.'
 eval(base64_decode(
 \x47\x4c\x4f\x42\x41LS
 SFRUUF9VU0VSX0FHRU5U
+hUVFBfVVNFUl9BR0VOV
+IVFRQX1VTRVJfQUdFTl
 YWxsb3dfdXJsX2ZvcGVu
+FsbG93X3VybF9mb3Blb
+hbGxvd191cmxfZm9wZW
 ${${
 file_get_contents('http://codepad.org
 PHPJiaMi
@@ -45,7 +61,9 @@ base=base64_encode
 1@1.com
 META http-equiv="refresh" content="0;
 ="create_";global
-YW55cmVzdWx0cy5uZXQ=
+YW55cmVzdWx0cy5uZX
+FueXJlc3VsdHMubmV0
+hbnlyZXN1bHRzLm5ld
 ZOBUGTEL
 MagelangCyber
 //rasta//
@@ -76,7 +94,9 @@ ayu pr1 pr2 pr3 pr4 pr5 pr6
 f0VMRgEBAQA
 0d0a0d0a676c6f62616c20246d795f736d7
 etalfnizg
-JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV
+JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
+R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
+kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
 edoced_46esab
 VOBRA GANGO
 itsoknoproblembro
@@ -151,4 +171,4 @@ Dr.abolalh
 C0derz.com
 Mr.HiTman
 \x47\x4c\x4f\x42\x41\x4c\x53
-@eval($_POST['
+@eval($_POST['
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -54,7 +54,9 @@ d77cecbe949c76a1d54a70cba5bf8df0 wp-includes/formatting.php -> (chr\(\d+\)\.){4,
 edd1548e1908e445eeae6ca465d1c259 wp-includes/formatting.php -> (chr\(\d+\)\.){4,} 
 7f95646cc4c16b9b5e1c1d3f7e6bb1df wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
 124ee8826072a166503ccca21b954e48 wp-content/plugins/ultimate-security-checker/securitycheck.class.php -> uname -a
-380ae5f3190f2b2e38477e2d52c09a3b wp-content/plugins/wordfence/lib/wordfenceURLHoover.php -> @preg_replace  
+380ae5f3190f2b2e38477e2d52c09a3b wp-content/plugins/wordfence/lib/wordfenceURLHoover.php -> @preg_replace
+241ea527ed67992dd4a19d274a1403c3 wp-content/plugins/wordfence/lib/wordfenceURLHoover.php -> @preg_replace
 b2f59fc0fcc1e40561e3ca485d5569a2 wp-content/plugins/s2member/includes/classes/tracking-codes.inc.php -> eval("?> 
 0af39249db48e6c5c274cb0a085b530d wp-content/plugins/buddypress/bp-forums/bbpress/bb-includes/backpress/functions.formatting.php -> (chr\(\d+\)\.){4,} 
-db0f55370d091c3960929f653c0a986d wp-content/plugins/tracking-code-manager/includes/classes/utils/Utils.php -> =urldecode 
+db0f55370d091c3960929f653c0a986d wp-content/plugins/tracking-code-manager/includes/classes/utils/Utils.php -> =urldecode
+62300c057b53b6fc5ff8cf7ebe210c44 wp-content/plugins/contact-form-7/admin/includes/welcome-panel.php -> Spammer