完美扫描PHP特殊一句话后门
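<?php
/**********************
 * Author: Spider
 *
 * Signature-based scanner for PHP one-line backdoors ("一句话" webshells).
 * Every check below is a regular expression over the raw source text, so:
 *   - obfuscated or novel shells can slip through (false negatives);
 *   - legitimate dynamic code can be flagged (false positives).
 * Treat a hit as a lead to inspect by hand, not as a verdict. Add your own
 * patterns to $matches for shells these miss.
 *
 * Deployment caveat: this page has NO authentication. Anyone who can reach
 * it can enumerate readable files under any path the web user can open and
 * see the matched code fragments. Upload it only for the duration of a scan,
 * restrict access (IP allow-list / HTTP auth at the web server), and delete
 * it afterwards.
 **********************/

// Warnings/notices are deliberately hidden: unreadable files and dead
// symlinks are expected during a whole-tree walk and must not abort it.
error_reporting(E_ERROR);
ini_set('max_execution_time', 20000);
ini_set('memory_limit', '512M');
header("content-Type: text/html; charset=gb2312");

// Signatures tried, in order, against each file's full source. The first
// pattern that matches (and passes the length window) is the one reported.
$matches = array(
    '/function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|system|passthru)+[\'|\"]\s*\)/i',
    '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*\)/i',
    '/((udp|tcp)\:\/\/(.*)\;)+/i',
    '/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
    '/preg\_replace\s*\((.*)\(base64\_decode\(\$/i',
    '/(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*(base64\_decode|str\_rot13|gz(\w+)|file\_(\w+)\_contents|(.*)php\:\/\/input)+/i',
    '/(eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk)+\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i',
    '/eval\s*\(\s*\(\s*\$\$(\w+)/i',
    '/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+)\.(jpg|gif|ico|bmp|png|txt|zip|rar|htm|css|js)+[\'|\"]\s*\)/i',
    '/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*\$(\w+)\s*\)/i',
    '/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i',
    '/(fopen|fwrite|fputs|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i',
    '/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i',
    '/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i',
    '/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
    '/\$\_\=(.*)\$\_/i',
    '/\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i',
    '/\$(\w+)\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i',
    '/\$(\w+)\s*\(\s*\$\{(.*)\}/i',
    '/\$(\w+)\s*\(\s*chr\(\d+\)/i',
);

/**
 * HTML-escape a byte string for output on this (gb2312, not UTF-8) page.
 *
 * The ISO-8859-1 charset makes htmlspecialchars byte-transparent: only
 * < > & " ' are rewritten and every other byte passes through. With the
 * default UTF-8 charset, any non-UTF-8 byte (a GBK file name, a matched
 * snippet containing a Chinese comment) makes the whole string come back
 * empty, which silently hid results.
 */
function scan_escape($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'ISO-8859-1');
}

/**
 * Print one result line and push it to the browser immediately so long
 * scans show progress. $label and $path are both untrusted (file names on a
 * compromised host are attacker-controlled), so both are escaped; the
 * original echoed $path raw, which is reflected XSS against the operator.
 */
function scan_report($label, $path)
{
    echo '特征 <input type="text" style="width:218px;" value="' . scan_escape($label) . '"> ' . scan_escape($path) . '<div></div>';
    // ob_flush() without an active buffer only raises a notice, but avoid it anyway.
    if (ob_get_level() > 0) {
        ob_flush();
    }
    flush();
}

/**
 * Build the file-name filter regex from the user-supplied "后缀" field.
 *
 * $exs is a '|'-separated list such as ".php|.inc|.phtml". Each entry is
 * preg_quote()d — the original only escaped '.', so any other regex
 * metacharacter typed into the field was injected into the pattern — and
 * empty entries are dropped (".php|" would otherwise yield an empty
 * alternative that matches every file). The result is unanchored, as
 * before: ".php" also selects "x.php.bak".
 *
 * @return string the pattern, or '' when no usable entry remains
 */
function scan_ext_pattern($exs)
{
    $parts = array();
    foreach (explode('|', (string) $exs) as $ext) {
        if ($ext !== '') {
            $parts[] = preg_quote($ext, '/');
        }
    }
    if (!$parts) {
        return '';
    }
    return '/(' . implode('|', $parts) . ')/i';
}

/**
 * Recursively scan $dir and print one line per suspicious file.
 *
 * @param string $dir     directory to walk, with trailing '/'
 * @param string $exs     regex a file name must match for its contents to be scanned
 * @param array  $matches signature regexes (see $matches above)
 * @return bool           false if $dir cannot be opened, true once the walk finishes
 *
 * Two kinds of hits are printed:
 *   - "解析漏洞": the name contains ';' or '%00' (names used to get a
 *     non-.php file executed through web-server parsing quirks);
 *   - the first signature from $matches found in the file's source, shown
 *     as the matched fragment.
 */
function antivirus($dir, $exs, $matches)
{
    $handle = @opendir($dir);
    if ($handle === false) {
        return false;
    }
    while (false !== ($name = readdir($handle))) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . $name;

        if (is_dir($path)) {
            // Unreadable directories are skipped silently; no chmod is attempted.
            if (is_readable($path)) {
                antivirus($path . '/', $exs, $matches);
            }
            continue;
        }

        if (strpos($name, ';') !== false || strpos($name, '%00') !== false || strpos($name, '/') !== false) {
            scan_report('解析漏洞', $path);
            continue;
        }

        if ($exs === '' || !preg_match($exs, $name)) {
            continue;
        }
        // Cap at ~10 MB: one-liners are small, and a huge file would eat memory_limit.
        if (filesize($path) > 10000000) {
            continue;
        }
        // file_get_contents instead of fopen/fread: fread($fp, 0) throws on
        // PHP 8 for an empty file, and a failed fopen() used to crash here.
        $code = @file_get_contents($path);
        if ($code === false || $code === '') {
            continue;
        }

        foreach ($matches as $pattern) {
            $hit = array();
            if (!preg_match($pattern, $code, $hit)) {
                continue;
            }
            $fragment = $hit[0];
            // "$this->" (spelled as hex escapes in the original): a fragment
            // inside an object method is treated as framework code and skipped.
            // Compared with !== false so a fragment *starting* with $this-> is
            // skipped too; the old truthiness test let position 0 through.
            if (strpos($fragment, "\x24\x74\x68\x69\x73\x2d\x3e") !== false) {
                continue;
            }
            // Length window: tiny matches are noise, very long ones are usually
            // a greedy (.*) swallowing unrelated code. Out-of-window matches
            // fall through to the next signature.
            $len = strlen($fragment);
            if ($len > 6 && $len < 200) {
                scan_report($fragment, $path);
                break;
            }
        }
        unset($code, $hit);
    }
    closedir($handle);
    return true;
}

/**
 * Normalise a user-typed path: strip trailing whitespace, turn backslashes
 * into '/', then collapse doubled slashes (two passes, exactly as before).
 */
function strdir($str)
{
    $s = str_replace('\\', '/', rtrim($str));
    $s = str_replace('//', '/', $s);
    return str_replace('//', '/', $s);
}

$dir_shown = !empty($_POST['dir']) ? strdir($_POST['dir'] . '/') : strdir($_SERVER['DOCUMENT_ROOT'] . '/');
$exs_shown = !empty($_POST['exs']) ? $_POST['exs'] : '.php|.inc|.phtml';

echo '<form method="POST">';
// Both values are reflected straight from the request: escape them.
echo '路径: <input type="text" name="dir" value="' . scan_escape($dir_shown) . '" style="width:398px;"><div></div>';
echo '后缀: <input type="text" name="exs" value="' . scan_escape($exs_shown) . '" style="width:398px;"><div></div>';
echo '操作: <input type="submit" style="width:80px;" value="scan"><div></div>';
echo '</form>';

// The scan root is taken as given (no traversal restriction): the operator is
// expected to be the server admin. See the deployment caveat at the top.
if (!empty($_POST['dir']) && !empty($_POST['exs']) && file_exists($_POST['dir'])) {
    $dir = strdir($_POST['dir'] . '/');
    $exs = scan_ext_pattern($_POST['exs']);
    echo antivirus($dir, $exs, $matches) ? '<div></div>扫描完毕' : '<div></div>扫描中断';
}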
另外一个版本
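<?php
/**********************
 * PHP web shell scan — second variant of the Spider scanner, adding a
 * shape-based check for weevely-generated (encoded) shells and three extra
 * signatures.
 *
 * All detection is regex over raw source: expect both misses on obfuscated
 * shells and hits on legitimate dynamic code. A hit is a lead, not a verdict.
 *
 * Deployment caveat: this page has NO authentication. Anyone who can reach
 * it can enumerate readable files under any path the web user can open and
 * see matched code fragments. Upload it only for the duration of a scan,
 * restrict access at the web server, and delete it afterwards.
 **********************/

// Warnings/notices are deliberately hidden: unreadable files are expected
// during a whole-tree walk and must not abort it.
error_reporting(E_ERROR);
ini_set('max_execution_time', 20000);
ini_set('memory_limit', '512M');
// Must run before any output. The original emitted <!DOCTYPE> first, so this
// header() was silently discarded ("headers already sent") and only the
// <meta charset> below took effect.
header("content-Type: text/html; charset=gb2312");
?>
<!DOCTYPE html>
<html>
<head>
<meta charset='gb2312'>
<title>PHP web shell scan</title>
</head>
<body>
<?php
/**
 * Detect the characteristic shape of a weevely-generated encoded shell.
 *
 * Two pattern sets are tried (two generator versions): a few short
 * variables built with str_replace(), a base64-looking string blob, and a
 * call whose first argument is '' assembled from four concatenated
 * fragments, immediately followed by calling the result.
 *
 * Called for every regular file regardless of extension. The original read
 * the whole file unconditionally — before the 10 MB cap the signature scan
 * applies — so one large log or archive could exhaust memory_limit and abort
 * the scan; the same cap is applied here, and unreadable files return false.
 *
 * @param string $file path to test
 * @return bool        true when the file matches one of the two pattern sets
 */
function weevelyshell($file)
{
    if (filesize($file) > 10000000) {
        return false;
    }
    $content = @file_get_contents($file);
    if ($content === false || $content === '') {
        return false;
    }
    $classic = preg_match('#(\$\w{2,4}\s?=\s?str_replace\("\w+","","[\w\_]+"\);\s?)+#s', $content)
        && preg_match('#(\$\w{2,4}\s?=\s?"[\w\d\+\/\=]+";\s?)+#', $content)
        && preg_match('#\$[\w]{2,4}\s?=\s\$[\w]{2,4}\(\'\',\s?\$\w{2,4}\(\$\w{2,4}\("\w{2,4}",\s?"",\s?\$\w{2,4}\.\$\w{2,4}\.\$\w{2,4}\.\$\w{2,4}\)\)\);\s+?\$\w{2,4}\(\)\;#', $content);
    if ($classic) {
        return true;
    }
    return preg_match('#\$\w+\d\s?=\s?str_replace\(\"[\w\d]+\",\"\",\"[\w\d]+\"\);#s', $content)
        && preg_match('#\$\w+\s?=\s?\$[\w\d]+\(\'\',\s?\$[\w\d]+\(\$\w+\(\$\w+\(\"[[:punct:]]+\",\s?\"\",\s?\$\w+\.\$\w+\.\$\w+\.\$\w+\)\)\)\);\s?\$\w+\(\);#s', $content);
}

// Signatures tried, in order, against each file's full source. The first
// pattern that matches (and passes the length window) is the one reported.
$matches = array(
    '/preg_replace\(.*?e.*?\',[eval\.\'\"]+\(/',
    '/function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|system|passthru)+[\'|\"]\s*\)/i',
    '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*\)/i',
    '/(exec|shell\_exec|system|passthru)+\s*\(\$\w+\)/i',
    '/john\.barker446@gmail\.com/i',
    '/((udp|tcp)\:\/\/(.*)\;)+/i',
    '/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
    '/preg\_replace\s*\((.*)\(base64\_decode\(\$/i',
    '/(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*(base64\_decode|str\_rot13|gz(\w+)|file\_(\w+)\_contents|(.*)php\:\/\/input)+/i',
    '/(eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk)+\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i',
    '/eval\s*\(\s*\(\s*\$\$(\w+)/i',
    '/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+)\.(jpg|gif|ico|bmp|png|txt|zip|rar|htm|css|js)+[\'|\"]\s*\)/i',
    '/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*\$(\w+)\s*\)/i',
    '/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i',
    '/(fopen|fwrite|fputs|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i',
    '/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i',
    '/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i',
    '/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
    '/\$\_\=(.*)\$\_/i',
    '/\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i',
    '/\$(\w+)\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i',
    '/\$(\w+)\s*\(\s*\$\{(.*)\}/i',
    '/\$(\w+)\s*\(\s*chr\(\d+\)/i',
);

/**
 * HTML-escape a byte string for output on this (gb2312, not UTF-8) page.
 *
 * The ISO-8859-1 charset makes htmlspecialchars byte-transparent: only
 * < > & " ' are rewritten. With the default UTF-8 charset any non-UTF-8 byte
 * (a GBK file name, a matched snippet with a Chinese comment) makes the
 * whole string come back empty, which silently hid results.
 */
function scan_escape($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'ISO-8859-1');
}

/**
 * Print one result line and flush it so long scans show progress. Both
 * arguments are untrusted (file names on a compromised host are attacker-
 * controlled); the original echoed $path raw, which is reflected XSS
 * against the operator.
 */
function scan_report($label, $path)
{
    echo '特征 <input type="text" style="width:218px;" value="' . scan_escape($label) . '"> ' . scan_escape($path) . '<div></div>';
    if (ob_get_level() > 0) {
        ob_flush();
    }
    flush();
}

/**
 * Build the file-name filter regex from the user-supplied "后缀" field.
 *
 * $exs is a '|'-separated list such as ".php|.inc|.phtml". Each entry is
 * preg_quote()d (the original only escaped '.', so other metacharacters were
 * injected into the pattern verbatim) and empty entries are dropped (".php|"
 * would otherwise match every file). Unanchored as before: ".php" also
 * selects "x.php.bak".
 *
 * @return string the pattern, or '' when no usable entry remains
 */
function scan_ext_pattern($exs)
{
    $parts = array();
    foreach (explode('|', (string) $exs) as $ext) {
        if ($ext !== '') {
            $parts[] = preg_quote($ext, '/');
        }
    }
    if (!$parts) {
        return '';
    }
    return '/(' . implode('|', $parts) . ')/i';
}

/**
 * Recursively scan $dir and print one line per suspicious file.
 *
 * @param string $dir     directory to walk, with trailing '/'
 * @param string $exs     regex a file name must match for the signature scan
 * @param array  $matches signature regexes (see $matches above)
 * @return bool           false if $dir cannot be opened, true once the walk finishes
 *
 * Hits, in the order they are checked per file:
 *   - "解析漏洞": name contains ';' or '%00' (web-server parsing tricks);
 *   - "weevely 加密shell": weevelyshell() matched (any extension);
 *   - the first signature from $matches found in a file whose name matches $exs.
 */
function antivirus($dir, $exs, $matches)
{
    $handle = @opendir($dir);
    if ($handle === false) {
        return false;
    }
    while (false !== ($name = readdir($handle))) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . $name;

        if (is_dir($path)) {
            // Unreadable directories are skipped silently; no chmod is attempted.
            if (is_readable($path)) {
                antivirus($path . '/', $exs, $matches);
            }
            continue;
        }

        if (strpos($name, ';') !== false || strpos($name, '%00') !== false || strpos($name, '/') !== false) {
            scan_report('解析漏洞', $path);
            continue;
        }

        if (weevelyshell($path)) {
            scan_report('weevely 加密shell', $path);
            continue;
        }

        if ($exs === '' || !preg_match($exs, $name)) {
            continue;
        }
        // Cap at ~10 MB: one-liners are small, and a huge file would eat memory_limit.
        if (filesize($path) > 10000000) {
            continue;
        }
        // file_get_contents instead of fopen/fread: fread($fp, 0) throws on
        // PHP 8 for an empty file, and a failed fopen() used to crash here.
        $code = @file_get_contents($path);
        if ($code === false || $code === '') {
            continue;
        }

        foreach ($matches as $pattern) {
            $hit = array();
            if (!preg_match($pattern, $code, $hit)) {
                continue;
            }
            $fragment = $hit[0];
            // "$this->" (spelled as hex escapes in the original): a fragment
            // inside an object method is treated as framework code and skipped.
            // Compared with !== false so a fragment *starting* with $this-> is
            // skipped too; the old truthiness test let position 0 through.
            if (strpos($fragment, "\x24\x74\x68\x69\x73\x2d\x3e") !== false) {
                continue;
            }
            // Length window: tiny matches are noise, very long ones are usually
            // a greedy (.*) swallowing unrelated code; out-of-window matches
            // fall through to the next signature.
            $len = strlen($fragment);
            if ($len > 6 && $len < 200) {
                scan_report($fragment, $path);
                break;
            }
        }
        unset($code, $hit);
    }
    closedir($handle);
    return true;
}

/**
 * Normalise a user-typed path: strip trailing whitespace, turn backslashes
 * into '/', then collapse doubled slashes (two passes, exactly as before).
 */
function strdir($str)
{
    $s = str_replace('\\', '/', rtrim($str));
    $s = str_replace('//', '/', $s);
    return str_replace('//', '/', $s);
}

$dir_shown = !empty($_POST['dir']) ? strdir($_POST['dir'] . '/') : strdir($_SERVER['DOCUMENT_ROOT'] . '/');
$exs_shown = !empty($_POST['exs']) ? $_POST['exs'] : '.php|.inc|.phtml';

echo '<form method="POST">';
// Both values are reflected straight from the request: escape them.
echo '路径: <input type="text" name="dir" value="' . scan_escape($dir_shown) . '" style="width:398px;"><div></div>';
echo '后缀: <input type="text" name="exs" value="' . scan_escape($exs_shown) . '" style="width:398px;"><div></div>';
echo '操作: <input type="submit" style="width:80px;" value="scan"><div></div>';
echo '</form>';

// The scan root is taken as given (no traversal restriction): the operator is
// expected to be the server admin. See the deployment caveat at the top.
if (!empty($_POST['dir']) && !empty($_POST['exs']) && file_exists($_POST['dir'])) {
    $dir = strdir($_POST['dir'] . '/');
    $exs = scan_ext_pattern($_POST['exs']);
    echo antivirus($dir, $exs, $matches) ? '<div></div>扫描完毕' : '<div></div>扫描中断';
}
?>
</body>
</html>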