diff options
| -rw-r--r-- | php-malware-finder/malwares.yara | 4 | ||||
| -rw-r--r-- | php-malware-finder/samples/artificial/bypasses.php | 5 | ||||
| -rwxr-xr-x | php-malware-finder/tests.sh | 2 |
3 files changed, 9 insertions, 2 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 5c3cc1e..4e7edea 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara | |||
| @@ -57,7 +57,7 @@ private rule CloudFlareBypass | |||
| 57 | rule ObfuscatedPhp | 57 | rule ObfuscatedPhp |
| 58 | { | 58 | { |
| 59 | strings: | 59 | strings: |
| 60 | $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\s*\(/ nocase // ;eval( <- this is dodgy | 60 | $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy |
| 61 | $b374k = "'ev'.'al'" | 61 | $b374k = "'ev'.'al'" |
| 62 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k | 62 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k |
| 63 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher | 63 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher |
| @@ -109,7 +109,7 @@ rule DodgyPhp | |||
| 109 | $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// | 109 | $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// |
| 110 | $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719 | 110 | $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719 |
| 111 | $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ | 111 | $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ |
| 112 | $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase | 112 | $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase |
| 113 | $htaccess = "SetHandler application/x-httpd-php" | 113 | $htaccess = "SetHandler application/x-httpd-php" |
| 114 | $iis_com = /IIS:\/\/localhost\/w3svc/ | 114 | $iis_com = /IIS:\/\/localhost\/w3svc/ |
| 115 | $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes | 115 | $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes |
diff --git a/php-malware-finder/samples/artificial/bypasses.php b/php-malware-finder/samples/artificial/bypasses.php new file mode 100644 index 0000000..fc1c447 --- /dev/null +++ b/php-malware-finder/samples/artificial/bypasses.php | |||
| @@ -0,0 +1,5 @@ | |||
| 1 | <?php | ||
| 2 | |||
| 3 | // https://rstforums.com/forum/topic/98500-php-malware-finder/?do=findComment&comment=615687 | ||
| 4 | print_r(call_user_func_array($_POST['functie'], array($_POST['argv']))); | ||
| 5 | |||
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh index a0885fd..93319a0 100755 --- a/php-malware-finder/tests.sh +++ b/php-malware-finder/tests.sh | |||
| @@ -74,5 +74,7 @@ run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e' | |||
| 74 | run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func' | 74 | run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func' |
| 75 | run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd=' | 75 | run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd=' |
| 76 | 76 | ||
| 77 | run_test artificial/bypasses.php 'DodgyPhp' | ||
| 78 | run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST' | ||
| 77 | 79 | ||
| 78 | echo "[+] Congratz, the $CPT tests succeeded!" | 80 | echo "[+] Congratz, the $CPT tests succeeded!" |