šÆšš” ššš¦š¬š¤š¢Skeletor is here to help
slazer2auUse EICAR test strings as passwords so when the password is stored as plain text the antivirus software will delete the file.
Ekybio
CaptainBlagbirda computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization to test the response of computer antivirus programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use real malware.
tomiant
SabataDoesnāt have to be a binary file, toss the string in a txt file and the AV still throws a fit.
NatakuNox01001000 01100101 01101100 01101100 01101111 00101100 00100000 01110100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01101110 01101111 01110100 00100000 01100001 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101111 01100110 00100000 01100010 01101001 01101110 01100001 01110010 01111001 00100000 01110100 01101000 01100001 01110100 00100000 01110100 01101111 01110100 01100001 01101100 01101100 01111001 00100000 01110111 01101111 01101110 00100111 01110100 00100000 01101001 01101110 01100110 01100101 01100011 01110100 00100000 01111001 01101111 01110101 01110010 00100000 01110000 01101000 01101111 01101110 01100101 00100000 01101111 01110010 00100000 01100011 01101111 01101101 01110000 01110101 01110100 01100101 01110010 00100000 01110111 01101001 01110100 01101000 00100000 01100110 01110101 01110010 01110010 01111001 00100000 01110000 01101111 01110010 01101110 00101110 00100000 01010100 01101000 01100001 01110100 00100000 01101001 01110011 00100000 01100001 01101100 01101100 00101110 00101110 00101110 00100000 01000100 01101111 01101110 00100111 01110100 00100000 01100011 01101000 01100101 01100011 01101011 00100000 01101001 01101110 01110100 01100101 01110010 01101110 01100001 01101100 00100000 01110011 01110100 01101111 01110010 01100001 01100111 01100101 00101110 00100000 01010100 01101000 01100001 01101110 01101011 00100000 01111001 01101111 01110101 00100000 01111000 01101111 01111000 01101111
henfredemarsUnfortunately there is significant overlap between plain-text-password-servers and servers that canāt be bothered to use antivirus. Also, the string may not work if itās not at the start of the file. AV often doesnāt process the whole file for efficiency purposes.
B-TR3ESadly it wouldnāt work if found in a CSV file with other records:
According to EICARās specification the antivirus detects the test file only if it starts with the 68-byte test string and is not more than 128 bytes long. As a result, antiviruses are not expected to raise an alarm on some other document containing the test string
They actually thought it through, huh?
For some reason that surprises me from the AV vendors
Lucy :3Mine is: āā; delete from clients;ā
Youāre possessed by a GrammarNazi spirit!
Donāt
An apostrophe might have an even better effect than a comma. PSA: Donāt shoot yourself in the foot by escaping commas or apostrophes! Like in passord:ā,\,',\āā!DROP TABLE(''users')ā Thatās more likely to ātrickā the log on machine that to bust a CSV file.
Interestingā¦ I wrote a gag comment about using an SQL injection as my password and crashed the Lemmy API. Using connect if that makes any difference.
Whateverā, ā
tetris11Almost line for line. A wall of XML popped up when I hit submit. Looks like yours went through.
JackbyDevTrying. Canāt seem to replicate the string. Maybe if it happens again.
Axolotl
BlessedDogSQL injection in the big 2025ā¦
Friend, weāre still seeing publicly exposed plaintext credentials in 2025ā¦
I havenāt kept up with the cybersecurity world recently. Ever since I graduated Iāve just been completely fed up with IT. Is there a story behind this? Has a major service done this lately?
I ran into it within the last month. Iām a pentester.
Sadly, no. CSV files can deal with embedded commas via quoting or escaping. Given that most of the dumps are going to be put together and consumed via common libraries (e.g.pythonās csv module), thatās all going to happen automagically.
What about quotes (single/double) and \s mixed with commas?
Everything you can use for a password can be escaped out of a csv. Partially because csvs have to be interoperable with databases for a bunch of different reasons, and databases are where your passwords are stored (though ideally not in plaintext). Thereās no way that I can think of to poison your password for a data breach that wouldnāt also poison the password database for the service youāre trying to log into.
Gotcha, thatās what I was thinking as well. I havenāt done any software development in a long time (I have a degree in it, but professional career sent me down another path in tech), so my memory on input sanitization is very rusty. Thanks for the response!
nymnympseudonymCan be != will be
Youāre looping over 50M records, extracting into your csv. Did you bother using the appropriate library, or did your little perl script just do split(/,/,$line)
Once in a while you come across fools like me who write it all from scratch cause itās fun. Live and learn
csvās are a horrible format. Tabs are superior in almost all use cases except that 0.00001% use case where someone has put a tab in their name.
LumpyPancakesMomentary flashback to when I put the bell in the command prompt format. Every time you pressed enter or a command finished, beep.
Couldnāt get it to work on Linux though.