diff options
| author | jvoisin | 2018-02-21 12:03:40 +0100 |
|---|---|---|
| committer | jvoisin | 2018-02-21 12:03:40 +0100 |
| commit | 40fe3d1307b90904a4bf95e8ef7a6368bfa5d0fe (patch) | |
| tree | 60faa0fecdd9865228cebf6dad4266b0fa5aaea7 | |
| parent | ac22d1eb137a0ad9a04192b3f86044493de54f9e (diff) | |
Some regexps are now matching on word boundaries
This should close #51
| -rw-r--r-- | php-malware-finder/php.yar | 10 | ||||
| -rwxr-xr-x | php-malware-finder/tests.sh | 11 |
2 files changed, 6 insertions, 15 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 06713d5..b2c486c 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar | |||
| @@ -59,7 +59,7 @@ rule PasswordProtection | |||
| 59 | rule ObfuscatedPhp | 59 | rule ObfuscatedPhp |
| 60 | { | 60 | { |
| 61 | strings: | 61 | strings: |
| 62 | $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy | 62 | $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy |
| 63 | $b374k = "'ev'.'al'" | 63 | $b374k = "'ev'.'al'" |
| 64 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k | 64 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k |
| 65 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher | 65 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher |
| @@ -81,16 +81,16 @@ rule DodgyPhp | |||
| 81 | $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719 | 81 | $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719 |
| 82 | $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase | 82 | $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase |
| 83 | 83 | ||
| 84 | $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // function that takes a callback as 1st parameter | 84 | $execution = /\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // function that takes a callback as 1st parameter |
| 85 | $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // functions that takes a callback as 2nd parameter | 85 | $execution2 = /\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // functions that takes a callback as 2nd parameter |
| 86 | $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter | 86 | $execution3 = /\b(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter |
| 87 | 87 | ||
| 88 | $htaccess = "SetHandler application/x-httpd-php" | 88 | $htaccess = "SetHandler application/x-httpd-php" |
| 89 | $iis_com = /IIS:\/\/localhost\/w3svc/ | 89 | $iis_com = /IIS:\/\/localhost\/w3svc/ |
| 90 | $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes | 90 | $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes |
| 91 | $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase | 91 | $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase |
| 92 | $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php | 92 | $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php |
| 93 | $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_execute|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41 | 93 | $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_exec|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41 |
| 94 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ | 94 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ |
| 95 | $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/ | 95 | $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/ |
| 96 | $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase | 96 | $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase |
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh index 3443cc0..5ec36cd 100755 --- a/php-malware-finder/tests.sh +++ b/php-malware-finder/tests.sh | |||
| @@ -16,15 +16,6 @@ run_test(){ | |||
| 16 | CPT=$((CPT+1)) | 16 | CPT=$((CPT+1)) |
| 17 | } | 17 | } |
| 18 | 18 | ||
| 19 | run_test_asp(){ | ||
| 20 | NB_DETECTED=$(${PMF} -v -l asp "$SAMPLES"/"$1" | grep -c "$2" 2>/dev/null) | ||
| 21 | |||
| 22 | if [[ "$NB_DETECTED" != 1 ]]; then | ||
| 23 | echo "[-] $2 was not detected in $1, sorry" | ||
| 24 | exit 1 | ||
| 25 | fi | ||
| 26 | CPT=$((CPT+1)) | ||
| 27 | } | ||
| 28 | 19 | ||
| 29 | # Real samples | 20 | # Real samples |
| 30 | run_test cpanel.php '0x294d:$eval: {eval(' | 21 | run_test cpanel.php '0x294d:$eval: {eval(' |
| @@ -44,7 +35,7 @@ run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'" | |||
| 44 | run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func(' | 35 | run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func(' |
| 45 | run_test classic/b374k.php '0xd6:$align: ;$b374k=$func(' | 36 | run_test classic/b374k.php '0xd6:$align: ;$b374k=$func(' |
| 46 | run_test classic/b374k.php '0x43:$: github.com/b374k/b374k' | 37 | run_test classic/b374k.php '0x43:$: github.com/b374k/b374k' |
| 47 | run_test classic/sosyete.php '0x1a0a:$execution: exec($_POST' | 38 | run_test classic/sosyete.php '0x1a2d:$execution: shell_exec($_POST' |
| 48 | run_test classic/simattacker.php '0x16e:$: fpassthru' | 39 | run_test classic/simattacker.php '0x16e:$: fpassthru' |
| 49 | run_test classic/r57.php '0x149da:$: xp_cmdshell' | 40 | run_test classic/r57.php '0x149da:$: xp_cmdshell' |
| 50 | run_test classic/cyb3rsh3ll.php '0x23323:$udp_dos: fsockopen("udp://' | 41 | run_test classic/cyb3rsh3ll.php '0x23323:$udp_dos: fsockopen("udp://' |