PHP Web Trojan Scanner Code v1.0 Security Test Tool_PHP Tutorial

WBOY
Release: 2016-07-21 15:21:19
Original
1271 people have browsed it

scanner.php

Copy code The code is as follows:

/**************PHP Web Trojan Scanner***********************/
/* [+] Author: alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: weeming21@hotmail.com */
/* [+] First published: t00ls.net, please indicate t00ls when reprinting */
/* [+] Version: v1.0 */
/* [+] Function: web version of PHP Trojan scanning tool*/
/* [+] Note: Scanned files are not necessarily backdoors, */
/* Please judge and review by yourself , compare with the original file. */
/* If you are not sure whether the scanned file is a backdoor, */
/* You are welcome to send the file to me for analysis.*/
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "t00ls"; //设置用户名
$password = "t00ls"; //设置密码
$md5 = md5(md5($username).md5($password));
$version = "PHP Web木马扫描器 v1.0";
$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('REALPATH', str_replace('//','/',str_replace('\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('\', '/', (__FILE__)));
define('HOST', "http://".$_SERVER['HTTP_HOST']);
?>


<?php echo $version?>




if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
echo '
用户名: 密码:
';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo "登陆成功!";
header( 'refresh: 1; url='.MYFILE.'?action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting();
$action = isset($_GET['action'])?$_GET['action']:"";
if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600);
Header("Location: ".MYFILE);
exit();
}
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".basename($file).""");
echo file_get_contents($file);
}
exit();
}
?>







$version"?>

扫描 |
设定 |
登出



if($action=="setting")
{
if(isset($_POST['btnsetting']))
{
$Ssetting = array();
$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
echo "设置完成!";
header( 'refresh: 1; url='.MYFILE.'?action=setting' );
exit();
}
?>


扫描设定

















文件后缀:
>
>
 




}
else
{
$dir = isset($_POST['path'])?$_POST['path']:MYPATH;
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>






扫描路径:

  


if(isset($_POST['btnScan']))
{
$start=mktime();
$is_user = array();
$is_ext = "";
$list = "";
if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
if(count($is_user)>0)
{
foreach($is_user as $key=>$value)
$is_user[$key]=trim(str_replace("?","(.)",$value));
$is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
}
}
if($setting['hta']==1)
{
$is_hta=1;
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
$is_ext.="(^\.htaccess$)";
}
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}
$php_code = getCode();
if(!is_readable($dir))
$dir = MYPATH;
$count=$scanned=0;
scan($dir,$is_ext);
$end=mktime();
$spent = ($end - $start);
?>
扫描: 文件 | 发现: 可疑文件 | 耗时:











No. 文件 更新时间 原因 特征 动作

}
}
}
ob_flush();
?>


function scan($path = '.',$is_ext){
global $php_code,$count,$scanned,$list;
$ignore = array('.', '..' );
$replace=array(" ","n","r","t");
$dh = @opendir( $path );
while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(MYFULLPATH==$current) continue;
if(!preg_match("/$is_ext/i",$file)) continue;
if(is_readable($current))
{
$scanned++;
$content=file_get_contents($current);
$content= str_replace($replace,"",$content);
foreach($php_code as $key => $value)
{
if(preg_match("/$value/i",$content))
{
$count++;
$j = $count % 2 + 1;
$filetime = date('Y-m-d H:i:s',filemtime($current));
$reason = explode("->",$key);
$url = str_replace(REALPATH,HOST,$current);
preg_match("/$value/i",$content,$arr);
$list.="

$count
$current
$filetime
$reason[0]
$reason[1]
下载
";
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."
";
//echo $path . $file ."
";
break;
}
}
}
}
}
}
closedir( $dh );
}
function getSetting()
{
$Ssetting = array();
if(isset($_COOKIE['t00ls_s']))
{
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
}
else
{
$Ssetting['user']="php | php? | phtml | shtml";
$Ssetting['all']=0;
$Ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
}
return $Ssetting;
}
function getCode()
{
return array(
'Backdoor Features->cha88.cn'=>'cha88.cn',
'Backdoor Features->c99shell' =>'c99shell',
'Backdoor characteristics->phpspy'=>'phpspy',
'Backdoor characteristics->Scanners'=>'Scanners',
'Backdoor characteristics- >cmd.php'=>'cmd.php',
'Backdoor Feature->str_rot13'=>'str_rot13',
'Backdoor Feature->webshell'=>'webshell' ,
'Backdoor Feature->EgY_SpIdEr'=>'EgY_SpIdEr',
'Backdoor Feature->tools88.com'=>'tools88.com',
'Backdoor Feature-> SECFORCE'=>'SECFORCE',
'Backdoor characteristics->eval("?>'=>'eval(('|")?>',
'Suspicious code characteristics-> ;system('=>'system(',
'Suspicious code characteristics->passthru('=>'passthru(',
'Suspicious code characteristics->shell_exec('=>' shell_exec(',
'Suspicious code characteristics->exec('=>'exec(',
'Suspicious code characteristics->popen('=>'popen(',
' Suspicious code characteristics->proc_open'=>'proc_open',
'Suspicious code characteristics->eval($'=>'eval(('|"|s*)\$',
'Suspicious code characteristics->assert($'=>'assert(('|"|s*)\$',
'Dangerous MYSQL code->returns string soname'=>'returnsstringsoname',
'Dangerous MYSQL code->into outfile'=>'intooutfile',
'Dangerous MYSQL code->load_file'=>'select(s+)(.*)load_file',
'Encryption backdoor characteristics->eval(gzinflate('=>'eval(gzinflate(',
'Encryption backdoor characteristics->eval(base64_decode('=>'eval(base64_decode(',
'Encryption backdoor characteristics->eval(gzuncompress('=>'eval(gzuncompress(',
'Encryption backdoor characteristics->eval(gzdecode('=>'eval(gzdecode(',
'Encryption backdoor characteristics->eval(str_rot13('=>'eval(str_rot13(',
'Encryption backdoor characteristics->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',
'Encryption backdoor characteristics->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(',
'One sentence backdoor characteristics->eval($_'=>'eval(('|"|s *)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->assert($_'=>'assert(('|"|s*)\$_( POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->require($_'=>'require(('|"|s*)\$_(POST|GET|REQUEST| COOKIE)',
'One sentence backdoor characteristics->require_once($_'=>'require_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->include($_'=>'include(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics ->include_once($_'=>'include_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->call_user_func(" assert"'=>'call_user_func(("|')assert("|')',
'One sentence backdoor characteristics->call_user_func($_'=>'call_user_func(('|"|s *)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?] '=>'$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',
'One sentence backdoor characteristics->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo(file_get_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE )',
'Upload backdoor features->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents(('|"|s*)\$_ (POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'Upload backdoor characteristics-> ;fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),('|")w('|")), ('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',
'.htaccess plug-in feature->SetHandler application/x-httpd-php'=>'SetHandlerapplication/ x-httpd-php',
'.htaccess plug-in feature->php_value auto_prepend_file'=>'php_valueauto_prepend_file',
'.htaccess plug-in feature->php_value auto_append_file'=>'php_valueauto_append_file'
);
}
?>

A tool to scan PHP Trojans in the PHP environment. Currently, the following feature codes can be scanned out
Copy code The code is as follows:

Feature code:
Backdoor Feature->cha88.cn
Backdoor Feature->c99shell
Backdoor Feature->phpspy
Backdoor Feature->Scanners
Backdoor Features->cmd.php
Backdoor Features->str_rot13
Backdoor Features->webshell
Backdoor Features->EgY_SpIdEr
Backdoor Features->tools88.com
Backdoor Features->SECFORCE
Backdoor Features->eval("?>
Suspicious Code Features->system(
Suspicious Code Features->passthru(
Suspicious Code Features-> shell_exec(
Suspicious code characteristics->exec(
Suspicious code characteristics->popen(
Suspicious code characteristics->proc_open
Suspicious code characteristics->eval($
Suspicious Code features->assert($
Dangerous MYSQL code->returns string soname
Dangerous MYSQL code->into outfile
Dangerous MYSQL code->load_file
Encryption backdoor feature-> eval(gzinflate(
Encryption backdoor characteristics->eval(base64_decode(
Encryption backdoor characteristics->eval(gzuncompress(
Encryption backdoor characteristics->gzuncompress(base64_decode(
Encryption backdoor characteristics- >base64_decode(gzuncompress(
One sentence backdoor characteristics->eval($_
One sentence backdoor characteristics->assert($_
One sentence backdoor characteristics->require($_
One sentence backdoor characteristics->require_once($_
One sentence backdoor characteristics->include($_
One sentence backdoor characteristics->include_once($_
One sentence backdoor characteristics-> call_user_func("assert"
One sentence backdoor characteristics->call_user_func($_
One sentence backdoor characteristics->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[ ?]
One sentence backdoor characteristics->echo(file_get_contents($_POST/GET/REQUEST/COOKIE
Upload backdoor characteristics->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST /COOKIE
Upload backdoor features->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[
.htaccess plug-in features->SetHandler application/x-httpd -php
.htaccess horse insertion feature->php_value auto_prepend_file
.htaccess horse insertion feature->php_value auto_append_file

Lazy design, directly apply phpspy style
Note: Scan The files that come out are not necessarily backdoors. Please judge, review, and compare the original files by yourself.

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/324902.htmlTechArticlescanner.php Copy the code as follows: ?php /**************PHP Web Trojan Scanner***********************/ /* [+] Author : alibaba */ /* [+] QQ: 1499281192 */ /* [+] MSN: weeming21@h...
Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template