扫描PHP特殊一句话后门WebShell

admin
admin
admin
138658
文章
114
评论
2022年7月17日02:57:37评论113 views字数 6250阅读20分50秒阅读模式

####################
免责声明:工具本身并无好坏,希望大家以遵守《网络安全法》相关法律为前提来使用该工具,支持研究学习,切勿用于非法犯罪活动,对于恶意使用该工具造成的损失,和本人及开发者无关。
####################

可扫描 weevelyshell 生成 或加密的shell。

作者:imspider、lostwolf

<!DOCTYPE html><html><head>        <meta charset='gb2312'>        <title>PHP web shell scan</title></head><body>
</body>
<?php define("SELF",php_self());  error_reporting(E_ERROR);ini_set('max_execution_time',20000);ini_set('memory_limit','512M');header("content-Type: text/html; charset=gb2312");
function weevelyshell($file){        $content=file_get_contents($file);        if(           (          preg_match('#($w{2,4}s?=s?str_replace("w+","","[w_]+");s?)+#s',$content)&&            preg_match('#($w{2,4}s?=s?"[wd+/=]+";s?)+#',$content)&&                             preg_match('#$[w]{2,4}s?=s$[w]{2,4}('',s?$w{2,4}($w{2,4}("w{1,4}",s?"",s?$w{2,4}.$w{2,4}.$w{2,4}.$w{2,4})));s+?$w{2,4}();#',$content))              ||              (preg_match('#$w+ds?=s?str_replace("[wd]+","","[wd]+");#s',$content)&&                preg_match('#$w+s?=s?$[wd]+('',s?$[wd]+($w+($w+("[[:punct:]]+",s?"",s?$w+.$w+.$w+.$w+))));s?$w+();#s',$content))                ){                return true;        }}
function callbackshell($file){  $content=file_get_contents($file);  if(    preg_match('#$w+s?=s?$_(?:GET|POST|REQUEST|COOKIE|SERVER)[.*?]#is',$content)&&    preg_match('#$w+s?=s?(?:new)?s?arrayw*s?(.*?_(?:GET|POST|REQUEST|COOKIE|SERVER)[.*?].*?)+#is',$content)&&    preg_match('#(?:array_(?:reduce|map|udiff|walk|walk_recursive|filter)|u[ak]sort)s?(.*?)+?#is',$content)            )      return true;

}
function php_self(){    $php_self=substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);    return $php_self;}

$matches = array(    '/mb_ereg_replace(['*s,."]+$_(?:GET|POST|REQUEST|COOKIE|SERVER)[['"].*?['"][]][,s'"]+e['"]'/is,    '/preg_filter(['"|.*e]+.*$_(?:GET|POST|REQUEST|COOKIE|SERVER)/is',    '/create_functions?(.*assert(/is',    '/ini_get('safe_mode')/i',    '/get_current_user(.*?)/i',    '/@?asserts?($.*?)/i',    '/proc_opens?(.*?pipe',s?'w')/is',  '/sTr_RepLaCes?(['"].*?['"],['"].*?['"]s?,s?'a[[:alnum:][:punct:]]+?s[[:alnum:][:punct:]]+?s[[:alnum:][:punct:]]+?e[[:alnum:][:punct:]]+?r[[:alnum:][:punct:]]+?t[[:alnum:][:punct:]]+?)/i',    '/preg_replace_callback(.*?create_function(/is',    '/filter_var(?:_array)?s?.*?$_(?:GET|POST|REQUEST|COOKIE|SERVER)[['"][[:punct:][:alnum:]]+['"]][[:punct:][:alnum:][:space:]]+?assert['"])/is',    '/ob_start(['"]+assert['"]+)/is',    '/news?ReflectionFunction(.*?->invoke(/is',      '/PDO::FETCH_FUNC/',    '/$w+.*s?(?:=|->)s?.*?['"]assert['"])?/i',    '/$w+->(?:sqlite)?createFunction(.*?)/i',    '/eval(["']?\?$w+s?=s?.*?)/i',    '/eval(.*?gzinflate(base64_decode(/i',    '/copy($HTTP_POST_FILES['w+']s?['tmp_name']/i',    '/register_(?:shutdown|tick)_functions?($w+,s$_(?:GET|POST|REQUEST|COOKIE|SERVER)[.*?])/is',    '/register_(?:shutdown|tick)_functions?(?['"]assert["'].*?)/i',    '/call_user_func.*?(["|']assert["|'],.*$_(?:GET|POST|REQUEST|COOKIE|SERVER)[['|"].*])+/is',      '/preg_replace(.*?e.*?'s?,s?.*?w+(.*?)/i',        '/function_existss*(s*['|"](popen|exec|proc_open|system|passthru)+['|"]s*)/i',        '/(exec|shell_exec|system|passthru)+s*(s*$_(w+)[(.*)]s*)/i',        '/(exec|shell_exec|system|passthru)+s*($w+)/i',        '/(exec|shell_exec|system|passthru)s?(w+("http_.*"))/i',      '/(?:[email protected]|[email protected]|[email protected]|milw0rm.com|www.aventgrup.net|[email protected])/i',      '/Phps*?Shell/i',        '/((udp|tcp)://(.*);)+/i',        '/preg_replaces*((.*)/e(.*),s*$_(.*),(.*))/i',        '/preg_replaces*((.*)(base64_decode($/i',        '/(eval|assert|include|require|include_once|require_once)+s*(s*(base64_decode|str_rot13|gz(w+)|file_(w+)_contents|(.*)php://input)+/i',        '/(eval|assert|include|require|include_once|require_once|array_map|array_walk)+s*(.*?$_(?:GET|POST|REQUEST|COOKIE|SERVER|SESSION)+[(.*)]s*)/i',        '/evals*(s*(s*$$(w+)/i',      '/((?:include|require|include_once|require_once)+s*(?s*['|"]w+.(?!php).*['|"])/i',        '/$_(w+)(.*)(eval|assert|include|require|include_once|require_once)+s*(s*$(w+)s*)/i',        '/(s*$_FILES[(.*)][(.*)]s*,s*$_(GET|POST|REQUEST|FILES)+[(.*)][(.*)]s*)/i',        '/(fopen|fwrite|fputs|file_put_contents)+s*((.*)$_(GET|POST|REQUEST|COOKIE|SERVER)+[(.*)](.*))/i',        '/echos*curl_execs*(s*$(w+)s*)/i',        '/new coms*(s*['|"]shell(.*)['|"]s*)/i',        '/$(.*)s*((.*)/e(.*),s*$_(.*),(.*))/i',        '/$_=(.*)$_/i',        '/$_(GET|POST|REQUEST|COOKIE|SERVER)+[(.*)](s*$(.*))/i',        '/$(w+)s*(s*$_(GET|POST|REQUEST|COOKIE|SERVER)+[(.*)]s*)/i',        '/$(w+)s*(s*${(.*)}/i',        '/$(w+)s*(s*chr(d+)/i');
function antivirus($dir,$exs,$matches) {        if(($handle = @opendir($dir)) == NULL) return false;        while(false !== ($name = readdir($handle))) {                if($name == '.' || $name == '..') continue;                $path = $dir.$name;                if(strstr($name,SELF)) continue;                //$path=iconv("UTF-8","gb2312",$path);                if(is_dir($path)) {                        //chmod($path,0777);/*主要针对一些0111的目录*/                        if(is_readable($path)) antivirus($path.'/',$exs,$matches);                } elseif(strpos($name,';') > -1 || strpos($name,'%00') > -1 || strpos($name,'/') > -1) {                        echo '特征 <input type="text" style="width:250px;" value="解析漏洞">   '.$path.'<div></div>'; flush(); ob_flush();                }                 else {                        if(!preg_match($exs,$name)) continue;                        if(filesize($path) > 10000000) continue;                        $fp = fopen($path,'r');                        $code = fread($fp,filesize($path));                        fclose($fp);                        if(empty($code)) continue;                                             if(weevelyshell($path)){                        echo '特征 <input type="text" style="width:250px;" value="weevely 加密shell">   '.$path.'<div></div>'; flush(); ob_flush();
                }elseif(callbackshell($path)){                    echo '特征 <input type="text" style="width:250px;" value="Callback shell">   '.$path.'<div></div>'; flush(); ob_flush();                }                        foreach($matches as $matche) {                                $array = array();                                preg_match($matche,$code,$array);                                if(!$array) continue;                                if(strpos($array[0],"x24x74x68x69x73x2dx3e")) continue;                                $len = strlen($array[0]);                                if($len > 6 && $len < 200) {                                        echo '特征 <input type="text" style="width:250px;" value="'.htmlspecialchars($array[0]).'">  '.$path.'<div></div>';                                        flush(); ob_flush(); break;                                }                        }                        unset($code,$array);                }        }        closedir($handle);        return true;}
function strdir($str) { return str_replace(array('\','//','//'),array('/','/','/'),chop($str)); }
echo '<form method="POST">';echo '路径: <input type="text" name="dir" value="'.($_POST['dir'] ? strdir($_POST['dir'].'/') : strdir($_SERVER['DOCUMENT_ROOT'].'/')).'" style="width:398px;"><div></div>';echo '后缀: <input type="text" name="exs" value="'.($_POST['exs'] ? $_POST['exs'] : '.php|.inc|.phtml').'" style="width:398px;"><div></div>';echo '操作: <input type="submit" style="width:80px;" value="scan"><div></div>';echo '</form>';
if(file_exists($_POST['dir']) && $_POST['exs']) {        $dir = strdir($_POST['dir'].'/');        $exs = '/('.str_replace('.','\.',$_POST['exs']).')/i';        echo antivirus($dir,$exs,$matches) ? '</br ><div></div>扫描完毕!' : '</br > <div></div>扫描中断';}?></html>


原文始发于微信公众号(菜鸟小新):扫描PHP特殊一句话后门WebShell

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年7月17日02:57:37
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   扫描PHP特殊一句话后门WebShellhttp://cn-sec.com/archives/1181343.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息