Home > Backend Development > PHP Tutorial > Detailed explanation of how webshell scans files for Trojans in PHP

Detailed explanation of how webshell scans files for Trojans in PHP

墨辰丷
Release: 2023-03-26 17:44:01
Original
2260 people have browsed it

这篇文章主要介绍了PHP实现webshell扫描文件木马的方法,涉及php针对数值传输的过滤操作与文件识别等相关安全操作技巧,需要的朋友可以参考下

具体如下:

可扫描 weevelyshell 生成 或加密的shell 及各种变异webshell

目前仅支持php

支持扫描 weevelyshell 生成 或加密的shell
支持扫描callback一句话shell
支持各种php大马

代码如下:

<!DOCTYPE html>
<html>
<head>
    <meta charset=&#39;gb2312&#39;>
    <title>PHP web shell scan</title>
</head>
<body>
</body>
<?php
define("SELF",php_self());
error_reporting(E_ERROR);
ini_set(&#39;max_execution_time&#39;,20000);
ini_set(&#39;memory_limit&#39;,&#39;512M&#39;);
header("content-Type: text/html; charset=gb2312");
function weevelyshell($file){
    $content=file_get_contents($file);
    if(
        (
        preg_match(&#39;#(\$\w{2,4}\s?=\s?str_replace\("\w+","","[\w_]+"\);\s?)+#s&#39;,$content)&&
      preg_match(&#39;#(\$\w{2,4}\s?=\s?"[\w\d\+\/\=]+";\s?)+#&#39;,$content)&&               preg_match(&#39;#\$[\w]{2,4}\s?=\s\$[\w]{2,4}\(\&#39;\&#39;,\s?\$\w{2,4}\(\$\w{2,4}\("\w{1,4}",\s?"",\s?\$\w{2,4}\.\$\w{2,4}\.\$\w{2,4}\.\$\w{2,4}\)\)\);\s+?\$\w{2,4}\(\)\;#&#39;,$content))
          ||
          (preg_match(&#39;#\$\w+\d\s?=\s?str_replace\(\"[\w\d]+\",\"\",\"[\w\d]+\"\);#s&#39;,$content)&&
        preg_match(&#39;#\$\w+\s?=\s?\$[\w\d]+\(\&#39;\&#39;,\s?\$[\w\d]+\(\$\w+\(\$\w+\(\"[[:punct:]]+\",\s?\"\",\s?\$\w+\.\$\w+\.\$\w+\.\$\w+\)\)\)\);\s?\$\w+\(\);#s&#39;,$content))
        ){
        return true;
    }
}
function callbackshell($file){
    $content=file_get_contents($file);
    if(
        preg_match(&#39;#\$\w+\s?=\s?\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\]#is&#39;,$content)&&
        preg_match(&#39;#\$\w+\s?=\s?(?:new)?\s?array\w*\s?\(.*?_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\].*?\)+#is&#39;,$content)&&
        preg_match(&#39;#(?:array_(?:reduce|map|udiff|walk|walk_recursive|filter)|u[ak]sort)\s?\(.*?\)+?#is&#39;,$content)
        )
            return true;
}
function php_self(){
  $php_self=substr($_SERVER[&#39;PHP_SELF&#39;],strrpos($_SERVER[&#39;PHP_SELF&#39;],&#39;/&#39;)+1);
  return $php_self;
}
$matches = array(
        &#39;/mb_ereg_replace\([\&#39;\*\s\,\.\"]+\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[\&#39;\"].*?[\&#39;\"][\]][\,\s\&#39;\"]+e[\&#39;\"]&#39;/is,
        &#39;/preg_filter\([\&#39;\"\|\.\*e]+.*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)/is&#39;,
        &#39;/create_function\s?\(.*assert\(/is&#39;,
        &#39;/ini_get\(\&#39;safe_mode\&#39;\)/i&#39;,
        &#39;/get_current_user\(.*?\)/i&#39;,
        &#39;/@?assert\s?\(\$.*?\)/i&#39;,
        &#39;/proc_open\s?\(.*?pipe\&#39;,\s?\&#39;w\&#39;\)/is&#39;,
    &#39;/sTr_RepLaCe\s?\([\&#39;\"].*?[\&#39;\"],[\&#39;\"].*?[\&#39;\"]\s?,\s?\&#39;a[[:alnum:][:punct:]]+?s[[:alnum:][:punct:]]+?s[[:alnum:][:punct:]]+?e[[:alnum:][:punct:]]+?r[[:alnum:][:punct:]]+?t[[:alnum:][:punct:]]+?\)/i&#39;,
        &#39;/preg_replace_callback\(.*?create_function\(/is&#39;,
        &#39;/filter_var(?:_array)?\s?.*?\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[\&#39;\"][[:punct:][:alnum:]]+[\&#39;\"]\][[:punct:][:alnum:][:space:]]+?assert[\&#39;\"]\)/is&#39;,
        &#39;/ob_start\([\&#39;\"]+assert[\&#39;\"]+\)/is&#39;,
        &#39;/new\s?ReflectionFunction\(.*?->invoke\(/is&#39;,
      &#39;/PDO::FETCH_FUNC/&#39;,
        &#39;/\$\w+.*\s?(?:=|->)\s?.*?[\&#39;\"]assert[\&#39;\"]\)?/i&#39;,
        &#39;/\$\w+->(?:sqlite)?createFunction\(.*?\)/i&#39;,
        &#39;/eval\([\"\&#39;]?\\\?\$\w+\s?=\s?.*?\)/i&#39;,
        &#39;/eval\(.*?gzinflate\(base64_decode\(/i&#39;,
        &#39;/copy\(\$HTTP_POST_FILES\[\&#39;\w+\&#39;\]\s?\[\&#39;tmp_name\&#39;\]/i&#39;,
        &#39;/register_(?:shutdown|tick)_function\s?\(\$\w+,\s\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\]\)/is&#39;,
        &#39;/register_(?:shutdown|tick)_function\s?\(?[\&#39;\"]assert[\"\&#39;].*?\)/i&#39;,
        &#39;/call_user_func.*?\([\"|\&#39;]assert[\"|\&#39;],.*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[\&#39;|\"].*\]\)+/is&#39;,
      &#39;/preg_replace\(.*?e.*?\&#39;\s?,\s?.*?\w+\(.*?\)/i&#39;,
    &#39;/function_exists\s*\(\s*[\&#39;|\"](popen|exec|proc_open|system|passthru)+[\&#39;|\"]\s*\)/i&#39;,
    &#39;/(exec|shell_exec|system|passthru)+\s*\(\s*\$_(\w+)\[(.*)\]\s*\)/i&#39;,
    &#39;/(exec|shell_exec|system|passthru)+\s*\(\$\w+\)/i&#39;,
    &#39;/(exec|shell_exec|system|passthru)\s?\(\w+\(\"http_.*\"\)\)/i&#39;,
         &#39;/(?:john\.barker446@gmail\.com|xb5@hotmail\.com|shopen@aventgrup\.net|milw0rm\.com|www\.aventgrup\.net|mgeisler@mgeisler\.net)/i&#39;,
      &#39;/Php\s*?Shell/i&#39;,
    &#39;/((udp|tcp)\:\/\/(.*)\;)+/i&#39;,
    &#39;/preg_replace\s*\((.*)\/e(.*)\,\s*\$_(.*)\,(.*)\)/i&#39;,
    &#39;/preg_replace\s*\((.*)\(base64_decode\(\$/i&#39;,
    &#39;/(eval|assert|include|require|include_once|require_once)+\s*\(\s*(base64_decode|str_rot13|gz(\w+)|file_(\w+)_contents|(.*)php\:\/\/input)+/i&#39;,
    &#39;/(eval|assert|include|require|include_once|require_once|array_map|array_walk)+\s*\(.*?\$_(?:GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i&#39;,
    &#39;/eval\s*\(\s*\(\s*\$\$(\w+)/i&#39;,
      &#39;/((?:include|require|include_once|require_once)+\s*\(?\s*[\&#39;|\"]\w+\.(?!php).*[\&#39;|\"])/i&#39;,
    &#39;/\$_(\w+)(.*)(eval|assert|include|require|include_once|require_once)+\s*\(\s*\$(\w+)\s*\)/i&#39;,
    &#39;/\(\s*\$_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i&#39;,
    &#39;/(fopen|fwrite|fputs|file_put_contents)+\s*\((.*)\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i&#39;,
    &#39;/echo\s*curl_exec\s*\(\s*\$(\w+)\s*\)/i&#39;,
    &#39;/new com\s*\(\s*[\&#39;|\"]shell(.*)[\&#39;|\"]\s*\)/i&#39;,
    &#39;/\$(.*)\s*\((.*)\/e(.*)\,\s*\$_(.*)\,(.*)\)/i&#39;,
    &#39;/\$_\=(.*)\$_/i&#39;,
    &#39;/\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i&#39;,
    &#39;/\$(\w+)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i&#39;,
    &#39;/\$(\w+)\s*\(\s*\$\{(.*)\}/i&#39;,
    &#39;/\$(\w+)\s*\(\s*chr\(\d+\)/i&#39;
);
function antivirus($dir,$exs,$matches) {
    if(($handle = @opendir($dir)) == NULL) return false;
    while(false !== ($name = readdir($handle))) {
        if($name == &#39;.&#39; || $name == &#39;..&#39;) continue;
        $path = $dir.$name;
        if(strstr($name,SELF)) continue;
        //$path=iconv("UTF-8","gb2312",$path);
        if(is_dir($path)) {
            //chmod($path,0777);/*主要针对一些0111的目录*/
            if(is_readable($path)) antivirus($path.&#39;/&#39;,$exs,$matches);
        } elseif(strpos($name,&#39;;&#39;) > -1 || strpos($name,&#39;%00&#39;) > -1 || strpos($name,&#39;/&#39;) > -1) {
            echo &#39;特征 <input type="text" style="width:250px;" value="解析漏洞">     &#39;.$path.&#39;<p></p>&#39;; flush(); ob_flush();
        }
        else {
            if(!preg_match($exs,$name)) continue;
            if(filesize($path) > 10000000) continue;
            $fp = fopen($path,&#39;r&#39;);
            $code = fread($fp,filesize($path));
            fclose($fp);
            if(empty($code)) continue;
            if(weevelyshell($path)){
            echo &#39;特征 <input type="text" style="width:250px;" value="weevely 加密shell">     &#39;.$path.&#39;<p></p>&#39;; flush(); ob_flush();
        }elseif(callbackshell($path)){
                echo &#39;特征 <input type="text" style="width:250px;" value="Callback shell">     &#39;.$path.&#39;<p></p>&#39;; flush(); ob_flush();
        }
            foreach($matches as $matche) {
                $array = array();
                preg_match($matche,$code,$array);
                if(!$array) continue;
                if(strpos($array[0],"\x24\x74\x68\x69\x73\x2d\x3e")) continue;
                $len = strlen($array[0]);
                if($len > 6 && $len < 200) {
                    echo &#39;特征 <input type="text" style="width:250px;" value="&#39;.htmlspecialchars($array[0]).&#39;">    &#39;.$path.&#39;<p></p>&#39;;
                    flush(); ob_flush(); break;
                }
            }
            unset($code,$array);
        }
    }
    closedir($handle);
    return true;
}
function strdir($str) { return str_replace(array(&#39;\\&#39;,&#39;//&#39;,&#39;//&#39;),array(&#39;/&#39;,&#39;/&#39;,&#39;/&#39;),chop($str)); }
echo &#39;<form method="POST">&#39;;
echo &#39;路径: <input type="text" name="dir" value="&#39;.($_POST[&#39;dir&#39;] ? strdir($_POST[&#39;dir&#39;].&#39;/&#39;) : strdir($_SERVER[&#39;DOCUMENT_ROOT&#39;].&#39;/&#39;)).&#39;" style="width:398px;"><p></p>&#39;;
echo &#39;后缀: <input type="text" name="exs" value="&#39;.($_POST[&#39;exs&#39;] ? $_POST[&#39;exs&#39;] : &#39;.php|.inc|.phtml&#39;).&#39;" style="width:398px;"><p></p>&#39;;
echo &#39;操作: <input type="submit" style="width:80px;" value="scan"><p></p>&#39;;
echo &#39;</form>&#39;;
if(file_exists($_POST[&#39;dir&#39;]) && $_POST[&#39;exs&#39;]) {
    $dir = strdir($_POST[&#39;dir&#39;].&#39;/&#39;);
    $exs = &#39;/(&#39;.str_replace(&#39;.&#39;,&#39;\\.&#39;,$_POST[&#39;exs&#39;]).&#39;)/i&#39;;
    echo antivirus($dir,$exs,$matches) ? &#39;</br ><p></p>扫描完毕!&#39; : &#39;</br > <p></p>扫描中断&#39;;
}
?>
</html>
Copy after login

相关推荐:

PHP webshell扫描木马文件的实现方法

详解PHP安全之webshell和后门检测示例

Webshell实现与隐藏探究

The above is the detailed content of Detailed explanation of how webshell scans files for Trojans in PHP. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template