From 6b55cfd8b38e8210168b297dfaebdddfb5102388 Mon Sep 17 00:00:00 2001 From: nichogenius Date: Mon, 24 Jul 2017 12:23:39 -0600 Subject: [PATCH] Added Equivalent base64 pattern samples Because base64 converts from an 8 bit to a 6 bit character system, you can get 3 unique base64 strings from a single ascii string depending on the position of the first character. for example: base64_encode("system"); base64_encode(" system"); base64_encode("( system"); The above 3 input strings all produce very different base64 signatures even though they all contain the same keyword 'system'. This is because the first letter of system, 's' fall on indices 0,1,2 respectively. I updated several of the base64 samples to include their offset counterparts as the originals would only catch about 1 in 3 of the actual present matches. --- patterns_raw.txt | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/patterns_raw.txt b/patterns_raw.txt index f100684..e91ed6b 100644 --- a/patterns_raw.txt +++ b/patterns_raw.txt @@ -2,27 +2,43 @@ uname -a /etc/shadow /etc/passwd WSOstripslashes -PD9waHA +PD9waH +w/cGhw +8P3Boc c3lzdGVt +N5c3Rlb +zeXN0ZW \x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system cHJlZ19yZXBsYWNl +ByZWdfcmVwbGFjZ +wcmVnX3JlcGxhY2 \x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace -ZXhlYyg +ZXhlYy +V4ZWMo +leGVjK \x65\x78\x65\x63' /* dec/hex issue? */, // exec ='base'.(32*2).'_de'.'code' "base64_decode" YmFzZTY0X2RlY29kZ +Jhc2U2NF9kZWNvZG +iYXNlNjRfZGVjb2Rl "p"."r"."e"."g"."_" eval("?> ev\x61l \x65\166\x61\154\x28' /* dec/hex issue? */, \x65\x76\x61\x6C' /* case, dec/hex issue? */, -ZXZhbCg +ZXZhbC +V2YWwo +ldmFsK 'ev'.'al'.' eval(base64_decode( \x47\x4c\x4f\x42\x41LS SFRUUF9VU0VSX0FHRU5U +hUVFBfVVNFUl9BR0VOV +IVFRQX1VTRVJfQUdFTl YWxsb3dfdXJsX2ZvcGVu +FsbG93X3VybF9mb3Blb +hbGxvd191cmxfZm9wZW ${${ file_get_contents('http://codepad.org PHPJiaMi 
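Review bot: The rewritten aligned entries `ZXhlYy` and `ZXZhbC` in the first hunk are looser than the offset entries added beside them. Dropping the last character also drops the low bits of the `(`, so these two match `exec`/`eval` followed by any byte in 0x20–0x2F, while `V4ZWMo` and `V2YWwo` still require the `(` and `leGVjK`/`ldmFsK` narrow it to 0x28–0x2B. The three alignments of one keyword therefore fire on different inputs, and the aligned form is the noisiest of the three. If the matcher accepts character classes (not visible from this file), `ZXhlYy[g-j]` and `ZXZhbC[g-j]` keep the `(` without depending on the byte after it. If entries are literal substrings, record the wider match in the commit message so it is a known choice.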
@@ -45,7 +61,9 @@ base=base64_encode 1@1.com META http-equiv="refresh" content="0; ="create_";global -YW55cmVzdWx0cy5uZXQ= +YW55cmVzdWx0cy5uZX +FueXJlc3VsdHMubmV0 +hbnlyZXN1bHRzLm5ld ZOBUGTEL MagelangCyber //rasta// @@ -76,7 +94,9 @@ ayu pr1 pr2 pr3 pr4 pr5 pr6 f0VMRgEBAQA 0d0a0d0a676c6f62616c20246d795f736d7 etalfnizg -JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV +JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfVf +R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX +kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV edoced_46esab VOBRA GANGO itsoknoproblembro @@ -151,4 +171,4 @@ Dr.abolalh C0derz.com Mr.HiTman \x47\x4c\x4f\x42\x41\x4c\x53 -@eval($_POST[' \ No newline at end of file +@eval($_POST['
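Review bot: In the third hunk (`@@ -76,7 +94,9 @@`) the replacement for `JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV` gains a trailing `f`, which changes what the entry decodes to. A final `V` alone leaves the last byte open as `T`–`W`, but `Vf` fixes it to `U` followed by a byte of 0xF0 or above. The old entry decodes to `$visitcount = $HTTP_COOKIE_` plus that open byte (presumably the start of `VARS`), so the new entry would stop matching the text it was written for, while the two offset variants added below it still would. This looks like a typo; keep the line as `JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV`.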