本文实例讲述了PHP实现webshell扫描文件木马的方法。分享给大家供大家参考,具体如下:
可扫描 weevelyshell 生成 或加密的shell 及各种变异webshell
目前仅支持php
支持扫描 weevelyshell 生成 或加密的shell
支持扫描callback一句话shell
支持各种php大马
PHP web shell scan
invoke(/is',
'/PDO::FETCH_FUNC/',
'/$w+.*s?(?:=|->)s?.*?['"]assert['"])?/i',
'/$w+->(?:sqlite)?createFunction(.*?)/i',
'/eval(["']?\?$w+s?=s?.*?)/i',
'/eval(.*?gzinflate(base64_decode(/i',
'/copy($HTTP_POST_FILES['w+']s?['tmp_name']/i',
'/register_(?:shutdown|tick)_functions?($w+,s$_(?:GET|POST|REQUEST|cookie|SERVER)[.*?])/is',
'/register_(?:shutdown|tick)_functions?(?['"]assert["'].*?)/i',
'/call_user_func.*?(["|']assert["|'],.*$_(?:GET|POST|REQUEST|cookie|SERVER)[['|"].*])+/is',
'/preg_replace(.*?e.*?'s?,s?.*?w+(.*?)/i',
'/function_existss*(s*['|"](popen|exec|proc_open|system|passthru)+['|"]s*)/i',
'/(exec|shell_exec|system|passthru)+s*(s*$_(w+)[(.*)]s*)/i',
'/(exec|shell_exec|system|passthru)+s*($w+)/i',
'/(exec|shell_exec|system|passthru)s?(w+("http_.*"))/i',
'/(?:john.barker446@gmail.com|xb5@hotmail.com|shopen@aventgrup.net|milw0rm.com|www.aventgrup.net|mgeisler@mgeisler.net)/i',
'/Phps*?Shell/i',
'/((udp|tcp)://(.*);)+/i',
'/preg_replaces*((.*)/e(.*),s*$_(.*),(.*))/i',
'/preg_replaces*((.*)(base64_decode($/i',
'/(eval|assert|include|require|include_once|require_once)+s*(s*(base64_decode|str_rot13|gz(w+)|file_(w+)_contents|(.*)php://input)+/i',
'/(eval|assert|include|require|include_once|require_once|array_map|array_walk)+s*(.*?$_(?:GET|POST|REQUEST|cookie|SERVER|SESSION)+[(.*)]s*)/i',
'/evals*(s*(s*$$(w+)/i',
'/((?:include|require|include_once|require_once)+s*(?s*['|"]w+.(?!php).*['|"])/i',
'/$_(w+)(.*)(eval|assert|include|require|include_once|require_once)+s*(s*$(w+)s*)/i',
'/(s*$_FILES[(.*)][(.*)]s*,s*$_(GET|POST|REQUEST|FILES)+[(.*)][(.*)]s*)/i',
'/(fopen|fwrite|fputs|file_put_contents)+s*((.*)$_(GET|POST|REQUEST|cookie|SERVER)+[(.*)](.*))/i',
'/echos*curl_execs*(s*$(w+)s*)/i',
'/new coms*(s*['|"]shell(.*)['|"]s*)/i',
'/$(.*)s*((.*)/e(.*),s*$_(.*),(.*))/i',
'/$_=(.*)$_/i',
'/$_(GET|POST|REQUEST|cookie|SERVER)+[(.*)](s*$(.*))/i',
'/$(w+)s*(s*$_(GET|POST|REQUEST|cookie|SERVER)+[(.*)]s*)/i',
'/$(w+)s*(s*${(.*)}/i',
'/$(w+)s*(s*chr(d+)/i'
);
function antivirus($dir,$exs,$matches) {
if(($handle = @opendir($dir)) == NULL) return false;
while(false !== ($name = readdir($handle))) {
if($name == '.' || $name == '..') continue;
$path = $dir.$name;
if(strstr($name,SELF)) continue;
//$path=iconv("UTF-8","gb2312",$path);
if(is_dir($path)) {
//chmod($path,0777);
if(is_readable($path)) antivirus($path.'/',$exs,$matches);
} elseif(strpos($name,';') > -1 || strpos($name,'%00') > -1 || strpos($name,'/') > -1) {
echo '特征 '.$path.''; flush(); ob_flush();
}
else {
if(!preg_match($exs,$name)) continue;
if(filesize($path) > 10000000) continue;
$fp = fopen($path,'r');
$code = fread($fp,filesize($path));
fclose($fp);
if(empty($code)) continue;
if(weevelyshell($path)){
echo '特征 '.$path.''; flush(); ob_flush();
}elseif(callbackshell($path)){
echo '特征 '.$path.''; flush(); ob_flush();
}
foreach($matches as $matche) {
$array = array();
preg_match($matche,$code,$array);
if(!$array) continue;
if(strpos($array[0],"x24x74x68x69x73x2dx3e")) continue;
$len = strlen($array[0]);
if($len > 6 && $len < 200) {
echo '特征 '.$path.'';
flush(); ob_flush(); break;
}
}
unset($code,$array);
}
}
closedir($handle);
return true;
}
function strdir($str) { return str_replace(array('\','//','//'),array('/','/','/'),chop($str)); }
echo '';
if(file_exists($_POST['dir']) && $_POST['exs']) {
$dir = strdir($_POST['dir'].'/');
$exs = '/('.str_replace('.','\.',$_POST['exs']).')/i';
echo antivirus($dir,$exs,$matches) ? '扫描完毕!' : ' 扫描中断';
}
?>
更多关于PHP相关内容感兴趣的读者可查看本站专题:《php程序设计安全教程》、《php安全过滤技巧总结》、《PHP运算与运算符用法总结》、《PHP网络编程技巧总结》、《PHP基本语法入门教程》、《php面向对象程序设计入门教程》、《php字符串(string)用法总结》、《php+mysql数据库操作入门教程》及《php常见数据库操作技巧汇总》
希望本文所述对大家PHP程序设计有所帮助。
