[Emerging-Sigs] StillSecure: 10 New Signatures - Oct 15th, 2010

Matthew Jonkman jonkman at emergingthreatspro.com
Sun Oct 24 09:46:15 EDT 2010


Also posting these, sorry for the delay. Thanks!!

Matt

On Oct 15, 2010, at 6:28 AM, signatures wrote:

> Hi Matt,
> 
> Please find 10 New Signatures below:
> 
> 1. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101062; rev:1;)
> 
> 2. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101063; rev:1;)
> 
> 3. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101064; rev:1;)
> 
> 4. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101065; rev:1;)
> 
> 5. WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; sid:20101066; rev:1;)
> 
> 6. WEB-PHP BaconMap updatelist.php filepath Local File Inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BaconMap updatelist.php filepath Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/baconmap/admin/updatelist.php?"; nocase; uricontent:"filepath="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt; sid:20101069; rev:1;)
> 
> 7. WEB-PHP Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/com_rwcards/rwcards.advancedate.php?"; nocase; uricontent:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt; sid:20101061; rev:1;)
> 
> 8. WEB-PHP Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/html/11-login.asp?"; nocase; uricontent:"intPassedLocationID="; nocase; pcre:"/intPassedLocationID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:bugtraq,43865; sid:20101058; rev:1;)
> 
> 9. WEB-PHP OrangeHRM uri Parameter Local File Inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OrangeHRM uri Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"uniqcode=KPI"; nocase; uricontent:"menu_no_top=performance"; nocase; uricontent:"uri="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,exploit-db.com/exploits/15232; sid:20101056; rev:1;)
> 
> 10. WEB-PHP joomla com_jomestate Parameter Remote File Inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP joomla com_jomestate Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/real_estate/index.php?"; nocase; uricontent:"option=com_jomestate"; nocase; uricontent:"task="; nocase; pcre:"/task=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/12835; sid:11501; rev:1;)
> 
> Looking forward to your comments, if any.
> 
> Thanks & Regards,
> StillSecure
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
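
Added example (not part of the original post, and not StillSecure or Emerging Threats code): a small offline check of how signature 1's options behave on constructed URIs, useful when tuning for false positives. It assumes a simplified model that evaluates only uricontent (with nocase) and pcre with the U and i flags against a percent-decoded URI; flow, content/depth and the rule header are ignored, and the helper names and sample URIs are hypothetical.

```python
import re
from urllib.parse import unquote

# Options of signature 1, copied from the message above (header, msg, sid omitted).
RULE_1 = (r'uricontent:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; '
          r'uricontent:"album_user_id="; nocase; uricontent:"album_id="; nocase; '
          r'uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; '
          r'pcre:"/SELECT.+FROM/Ui";')

# Only the two option kinds modelled here; quoted values may hold escaped characters.
OPTION = re.compile(r'(uricontent|pcre):"((?:[^"\\]|\\.)*)"')

def compile_rule(options):
    """Return (lower-cased uricontent strings, compiled pcre patterns)."""
    contents, regexes = [], []
    for kind, value in OPTION.findall(options):
        if kind == "uricontent":
            contents.append(value.lower())  # assumption: every uricontent has nocase
        else:
            body, flags = re.fullmatch(r"/(.*)/([A-Za-z]*)", value, re.S).groups()
            regexes.append(re.compile(body, re.I if "i" in flags else 0))
    return contents, regexes

def matches(options, raw_uri):
    """True when every uricontent and every pcre matches the decoded URI."""
    uri = unquote(raw_uri)  # rough stand-in for the sensor's URI normalisation
    contents, regexes = compile_rule(options)
    # uricontent without distance/within is position-independent.
    if not all(c in uri.lower() for c in contents):
        return False
    return all(rx.search(uri) for rx in regexes)

BASE = "/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?album_user_id=1&album_id="
SAMPLES = {  # constructed URIs, not taken from real traffic
    "injection-like": BASE + "1%20select%20x%20from%20t",
    "benign-words":   BASE + "2&note=selected%20items%20from%20album",
    "reversed-order": BASE + "2&sort=from&view=select",
    "plain":          BASE + "2",
}

def evaluate():
    return {name: matches(RULE_1, uri) for name, uri in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:15} alert={hit}")
```

The "benign-words" case alerts because SELECT.+FROM also matches inside ordinary words such as "selected ... from", while the "reversed-order" case passes all five uricontent checks and is rejected only by the pcre.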


