Sweet Orange v2

I love this kit.

SO v2 Gates (will have FPs)

HTTP Request Method = GET
HTTP URI contains ".php?"
Regex HTTP URI for \/[a-z]+?\.php\?([a-z_]+?=[0-9]{2,5}&){3,}[a-z_]+?=[0-9]{2,5}$

Thanks to @Set_Abominae for helping to keep this updated!

Examples:

/mysqladmin/online/finance/shows.php?thumbs=378&speakers=100&soft=39&pipermail=621&training=757&index=536
/roman/photo/servlet.php?serial=195&misc=395&config=56&join=698&promos=262&cialis=253&vendor=161
/svc/command/entry.php?journals=135&documents=522&sales=56&mature=960&linux=714

SO v2 JARs

HTTP Request Method = GET
Content Type = application/x-java-archive
HTTP URI != *.jar
Regex HTTP URI for \/[a-zA-Z]{5,10}$

Examples:

/roman/photo/urbjuPS
/roman/photo/DkTUKYm
/mysqladmin/online/finance/imHoXAej
/mysqladmin/online/finance/BqHCJUak

SO v2 PDFs

HTTP Request Method = GET
Content Type = application/pdf
HTTP URI != *.pdf
Regex HTTP URI for \/[a-zA-Z]{5,10}$ + Regex for NOT \/[a-z]{5,10}$

Examples:

/mysqladmin/online/finance/WGFhK
/roman/photo/fHICO

SO v2 EXEs

HTTP Request Method = GET
HTTP URI contains ".php?"
Content Type = application/octet-stream
Regex HTTP URI for \/[a-z]+?\.php\?([a-z]+?=[0-9]{1,3}&){3,}[a-z]+?=[0-9]{1,3}$

Examples:

/demos.php?nav_m=234&book=4&issue=546&fedora=171&play=634&stats=576&entry=168&warez=644&apply=472&access=263
/visits.php?index=605&left=456&special=4&audit=38&paper=171&stats=256&thumb=62&files=316&demos=538&rfid=791
/keygen.php?radio=242&special=4&paper=151&talks=248
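
The four rule sets above can be combined into one classifier and run over proxy or IDS records to check that each signature matches the traffic it was written for. The following is an added example, not code from the post; it reuses the post's regexes verbatim and assumes a simple (method, URI, response Content-Type) record format, with the Content-Types on the sample records constructed here rather than taken from the post.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    uri: str           # path + query as seen in the proxy/IDS log
    content_type: str  # response Content-Type ("" when unknown)

# Regexes exactly as given in the post (Python's re accepts the "\/" escapes).
GATE_RE = re.compile(r"\/[a-z]+?\.php\?([a-z_]+?=[0-9]{2,5}&){3,}[a-z_]+?=[0-9]{2,5}$")
EXE_RE = re.compile(r"\/[a-z]+?\.php\?([a-z]+?=[0-9]{1,3}&){3,}[a-z]+?=[0-9]{1,3}$")
PAYLOAD_RE = re.compile(r"\/[a-zA-Z]{5,10}$")  # JAR and PDF rules
ALL_LOWER_RE = re.compile(r"\/[a-z]{5,10}$")   # the PDF rule additionally excludes this

def classify(req: Request):
    """Name of the first SO v2 rule the record matches, or None."""
    # Payload rules (which carry a Content-Type condition) go first; the Gate rule is the FP-prone one.
    if req.method != "GET":
        return None
    uri, ctype = req.uri, req.content_type
    if ".php?" in uri and ctype == "application/octet-stream" and EXE_RE.search(uri):
        return "SO v2 EXE"
    if ctype == "application/x-java-archive" and not uri.endswith(".jar") and PAYLOAD_RE.search(uri):
        return "SO v2 JAR"
    if (ctype == "application/pdf" and not uri.endswith(".pdf")
            and PAYLOAD_RE.search(uri) and not ALL_LOWER_RE.search(uri)):
        return "SO v2 PDF"
    if ".php?" in uri and GATE_RE.search(uri):
        return "SO v2 Gate (FP-prone)"
    return None

def scan(records):
    """Return (uri, rule) for every record that hits a rule."""
    return [(r.uri, rule) for r in records if (rule := classify(r))]

# Constructed sample records: URIs from the post paired with assumed Content-Types.
SAMPLE = [
    Request("GET", "/svc/command/entry.php?journals=135&documents=522&sales=56&mature=960&linux=714", "text/html"),
    Request("GET", "/roman/photo/urbjuPS", "application/x-java-archive"),
    Request("GET", "/roman/photo/fHICO", "application/pdf"),
    Request("GET", "/keygen.php?radio=242&special=4&paper=151&talks=248", "application/octet-stream"),
    # "nav_m" contains "_", which the post's EXE regex ([a-z]+?) does not allow, so this
    # post example is not matched as written: a check worth running against any signature.
    Request("GET", "/demos.php?nav_m=234&book=4&issue=546&fedora=171&play=634&stats=576&entry=168&warez=644&apply=472&access=263", "application/octet-stream"),
    Request("GET", "/index.php?page=12&id=7", "text/html"),  # benign-looking, no hit expected
]
if __name__ == "__main__":
    for uri, rule in scan(SAMPLE):
        print(f"{rule:22} {uri}")
```

Running it prints four hits (Gate, JAR, PDF, EXE) and silently drops the two records that no rule covers, including the underscore case, which is exactly the kind of gap a quick self-test of a signature set surfaces.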

Reference: http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html
