This could easily be bypassed and was pointed out by one of my users
original: //echo (-q)? \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)
many ways to bypass:
//echo (-q)? \$findfile\(C:\\windows\\,\*,0,\.remove \$shortfn\(\$1-\)\)
//echo (-q)? \$findfile\(C:\\windows\\system32\\,\*,0,\.remove \$shortfn\(\$1-\)\)
//echo (-q)? \$findfile\(C:\\windows\\system\\,\*,0,\.remove \$shortfn\(\$1-\)\)
//echo (-q)? \$findfile\(C:\\Documents and Settings\\,\*,0,\.remove \$shortfn\(\$1-\)\)
The list could go on forever
IMPORTANT - HARD DRIVE SWIPE EXPLOIT
The simple regex of
Code:
\$findfile\([A-Za-z]:\\(.+)?,\*,0,\.remove (\$shortfn\()?\$1-\)?\)
will match almost all the whack combinations of $findfile and remove used in this purpose.
It will match:
$findfile(C:\,*,0,.remove $1-)
$findfile(C:\,*,0,.remove $shortfn($1-))
$findfile(C:\windows,*,0,.remove $shortfn($1-))
$findfile(C:\anything,*,0,.remove $shortfn($1-))
$findfile(C:\,*,0,.remove $1-).shortfn
$findfile(C:\anything,*,0,.remove $1-).shortfn
Guest wrote:
//echo $md5(cf9cc93a014a589dbb3da159cafde6bf)
I don't know what you are thinking with the $md5, since MD5 is a one way encryption and cannot be reversed.
Guest wrote:
//say $decode(M*"UQ*3\@7"1F:6YD9FEL95PH0SI<7"Q<*BPP+%PN<F5M;W9E(%PD<VAO<G1F+;EPH7"0Q+5PI7"D`)
This one won't work without a form of Eval, either by $( or $eval.
Code:
\$\(.+,[0-9]+\)
\$eval\(.+,[0-9]+\)
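
A regression check for the filters quoted in this thread, added here as an example and not part of any post: it runs the original filter, the broader $findfile regex and the two eval patterns over the six variants listed above. The "//echo -q " framing, the rule names and the benign and eval sample lines are assumptions constructed for the test.

```python
import re

# Filters copied from the thread. ORIGINAL is the one reported as bypassed.
ORIGINAL = re.compile(
    r"//echo (-q)? \$findfile\(C:\\,\*,0,\.remove \$shortfn\(\$1-\)\)")
RULES = {  # rule names are labels chosen for this example
    "findfile-remove": re.compile(
        r"\$findfile\([A-Za-z]:\\(.+)?,\*,0,\.remove (\$shortfn\()?\$1-\)?\)"),
    "paren-eval": re.compile(r"\$\(.+,[0-9]+\)"),
    "eval": re.compile(r"\$eval\(.+,[0-9]+\)"),
}

# The six variants the thread says the broader regex must catch.
VARIANTS = [
    r"$findfile(C:\,*,0,.remove $1-)",
    r"$findfile(C:\,*,0,.remove $shortfn($1-))",
    r"$findfile(C:\windows,*,0,.remove $shortfn($1-))",
    r"$findfile(C:\anything,*,0,.remove $shortfn($1-))",
    r"$findfile(C:\,*,0,.remove $1-).shortfn",
    r"$findfile(C:\anything,*,0,.remove $1-).shortfn",
]
# Assumed framing: each variant arrives as a "//echo -q ..." chat line.
CHAT_LINES = ["//echo -q " + v for v in VARIANTS]
# Constructed lines: ordinary chat, plus harmless uses of the eval forms.
BENIGN = ["how do I use $findfile to count my mp3s?", "try //echo -q $me"]
EVAL_LINES = ["//say $eval(%greeting,2)", "//say $(%greeting,2)"]


def missed(pattern, lines):
    """Return the lines a single compiled filter fails to flag."""
    return [line for line in lines if not pattern.search(line)]


def matched_rules(line):
    """Return the name of every rule in RULES that fires on a chat line."""
    return [name for name, rx in RULES.items() if rx.search(line)]


if __name__ == "__main__":
    print("missed by original filter:", len(missed(ORIGINAL, CHAT_LINES)))
    print("missed by broader regex:  ",
          len(missed(RULES["findfile-remove"], CHAT_LINES)))
    for line in BENIGN + EVAL_LINES:
        print(f"{line!r:45} -> {matched_rules(line) or 'clean'}")
```

The eval patterns also fire on the harmless constructed lines, so a filter built on them needs a review or allow-list path for legitimate script discussion.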