summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulien (jvoisin) Voisin2016-02-26 12:13:16 +0100
committerJulien (jvoisin) Voisin2016-02-26 12:13:16 +0100
commit47d86bf92eb15fe65dd4efbc04d0004856e88ddd (patch)
tree5c67a84b55006a4ab6808db9139acd6b37ce7c1f
parent31eb9ac73603ceaed92ee0de91c7e02a84511693 (diff)
Fix a really cool bypass
Diffstat
-rw-r--r--php-malware-finder/malwares.yara4
-rw-r--r--php-malware-finder/samples/artificial/bypasses.php5
-rwxr-xr-xphp-malware-finder/tests.sh2
3 files changed, 9 insertions, 2 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 5c3cc1e..4e7edea 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
57rule ObfuscatedPhp 57rule ObfuscatedPhp
58{ 58{
59 strings: 59 strings:
60 $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\s*\(/ nocase // ;eval( <- this is dodgy 60 $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
61 $b374k = "'ev'.'al'" 61 $b374k = "'ev'.'al'"
62 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k 62 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
63 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher 63 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
@@ -109,7 +109,7 @@ rule DodgyPhp
109 $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// 109 $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
110 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719 110 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
111 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ 111 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
112 $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase 112 $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
113 $htaccess = "SetHandler application/x-httpd-php" 113 $htaccess = "SetHandler application/x-httpd-php"
114 $iis_com = /IIS:\/\/localhost\/w3svc/ 114 $iis_com = /IIS:\/\/localhost\/w3svc/
115 $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes 115 $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
diff --git a/php-malware-finder/samples/artificial/bypasses.php b/php-malware-finder/samples/artificial/bypasses.php
new file mode 100644
index 0000000..fc1c447
--- /dev/null
+++ b/php-malware-finder/samples/artificial/bypasses.php
@@ -0,0 +1,5 @@
1<?php
2
3// https://rstforums.com/forum/topic/98500-php-malware-finder/?do=findComment&comment=615687
4print_r(call_user_func_array($_POST['functie'], array($_POST['argv'])));
5
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index a0885fd..93319a0 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -74,5 +74,7 @@ run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
74run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func' 74run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func'
75run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd=' 75run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
76 76
77run_test artificial/bypasses.php 'DodgyPhp'
78run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
77 79
78echo "[+] Congratz, the $CPT tests succeeded!" 80echo "[+] Congratz, the $CPT tests succeeded!"