Diffstat (limited to 'data')
| -rw-r--r-- | data/php.yar | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/data/php.yar b/data/php.yar index 4470e1b..1b120fc 100644 --- a/data/php.yar +++ b/data/php.yar | |||
| @@ -100,6 +100,7 @@ rule DodgyPhp | |||
| 100 | $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec | 100 | $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec |
| 101 | $at_eval = /@eval\s*\(/ nocase | 101 | $at_eval = /@eval\s*\(/ nocase |
| 102 | $double_var = /\${\s*\${/ | 102 | $double_var = /\${\s*\${/ |
| 103 | $username = /getenv(['"]username["'])/ | ||
| 103 | $extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/ | 104 | $extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/ |
| 104 | $reversed = /noitcnuf_etaerc|metsys|urhtssap|edulcni|etucexe_llehs/ nocase | 105 | $reversed = /noitcnuf_etaerc|metsys|urhtssap|edulcni|etucexe_llehs/ nocase |
| 105 | $silenced_include =/@\s*include\s*/ nocase | 106 | $silenced_include =/@\s*include\s*/ nocase |
| @@ -322,7 +323,7 @@ rule DodgyStrings | |||
| 322 | $ = "slowloris" fullword nocase | 323 | $ = "slowloris" fullword nocase |
| 323 | $ = "suhosin" fullword | 324 | $ = "suhosin" fullword |
| 324 | $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell. | 325 | $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell. |
| 325 | $ = /trojan (payload)?/ | 326 | $ = /trojan (payload)?/ |
| 326 | $ = "uname -a" fullword | 327 | $ = "uname -a" fullword |
| 327 | $ = "visbot" nocase fullword | 328 | $ = "visbot" nocase fullword |
| 328 | $ = "warez" fullword nocase | 329 | $ = "warez" fullword nocase |
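Review bot: The parentheses in the added `$username` pattern (new line 103 of `rule DodgyPhp`) are unescaped, so in a YARA regex they act as a group and the pattern matches the text `getenv'username'` rather than a call such as `getenv('username')`; as written the string will not fire on the code it is meant to flag. Escape them and tolerate optional whitespace the same way the neighbouring `$at_eval` and `$extract` patterns do: `$username = /getenv\s*\(\s*['"]username["']\s*\)/ nocase`. The `nocase` modifier is a suggestion, since PHP function names are case-insensitive and the variable is often spelled `USERNAME`. The rule's condition lies outside the hunk, so it is worth confirming that `$username` is actually referenced there and that a test sample covering this string exists.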
