From 40fe3d1307b90904a4bf95e8ef7a6368bfa5d0fe Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 21 Feb 2018 12:03:40 +0100
Subject: Some regexps are now matching on word boundaries

This should close #51
---
 php-malware-finder/php.yar | 10 +++++-----
 php-malware-finder/tests.sh | 11 +----------
 2 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 06713d5..b2c486c 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -59,7 +59,7 @@ rule PasswordProtection
 rule ObfuscatedPhp
 {
 strings:
- $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
+ $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
 $b374k = "'ev'.'al'"
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
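Review bot: The corrected `shell_exec` alternative in `$eval` gets no regression test; the tests.sh hunks in this commit only move the sosyete.php `$execution` expectation and delete `run_test_asp`. Before this fix `;shell_exec(` was not matched by `$eval` at all, since `shell_execute` is not a PHP function and the `[ \t]*@?` prefix stops `(pcntl_)?exec` from matching inside `shell_exec`, so it is worth pinning. If one of the samples contains `;shell_exec(` or `<?php shell_exec(`, a line such as `run_test <sample> '$eval: ;shell_exec('` would do it, in the same shape as the existing `0x294d:$eval: {eval(` assertion. `rule ObfuscatedPhp` continues past the end of the hunk.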
@@ -81,16 +81,16 @@ rule DodgyPhp
 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase
- $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // function that takes a callback as 1st parameter
- $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // functions that takes a callback as 2nd parameter
- $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter
+ $execution = /\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // function that takes a callback as 1st parameter
+ $execution2 = /\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // functions that takes a callback as 2nd parameter
+ $execution3 = /\b(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter
 $htaccess = "SetHandler application/x-httpd-php"
 $iis_com = /IIS:\/\/localhost\/w3svc/
 $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
 $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
 $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php
- $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_execute|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41
+ $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_exec|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
 $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/
 $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 3443cc0..5ec36cd 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -16,15 +16,6 @@ run_test(){
 CPT=$((CPT+1))
 }
-run_test_asp(){
- NB_DETECTED=$(${PMF} -v -l asp "$SAMPLES"/"$1" | grep -c "$2" 2>/dev/null)
- if [[ "$NB_DETECTED" != 1 ]]; then
- echo "[-] $2 was not detected in $1, sorry"
- exit 1
- fi
- CPT=$((CPT+1))
-}
 # Real samples
 run_test cpanel.php '0x294d:$eval: {eval('
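Review bot: The `\b` prepended to `$execution` sits in front of the whole alternation, so it also governs the backtick alternative: a word boundary needs a word character on one side, and a backtick is not one, so `` `( `` is now only found when it directly follows a letter, digit or underscore — after `=`, `;` or a space, which is where a backtick operator normally appears, that branch can no longer match, a silent loss of coverage rather than the false-positive fix the commit is after. Keep the boundary on the identifiers only and let the backtick stand on its own: `` $execution = /(\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|array_map|ob_start|call_user_func(_array)?)|`)\s*\(\s*(base64_decode| `` … with the remainder of the pattern unchanged. `$execution2` and `$execution3` are fine as written since their alternations contain only identifiers, and `$register_function` is unaffected because its alternation is anchored by `['"]\s*` instead. `rule DodgyPhp` begins before and continues after this hunk.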
@@ -44,7 +35,7 @@ run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'"
 run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func('
 run_test classic/b374k.php '0xd6:$align: ;$b374k=$func('
 run_test classic/b374k.php '0x43:$: github.com/b374k/b374k'
-run_test classic/sosyete.php '0x1a0a:$execution: exec($_POST'
+run_test classic/sosyete.php '0x1a2d:$execution: shell_exec($_POST'
 run_test classic/simattacker.php '0x16e:$: fpassthru'
 run_test classic/r57.php '0x149da:$: xp_cmdshell'
 run_test classic/cyb3rsh3ll.php '0x23323:$udp_dos: fsockopen("udp://'
-- 
cgit v1.3
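Review bot: The updated expectation only proves that `shell_exec($_POST` is now reported at 0x1a2d; because `run_test` passes `$2` to `grep -c` and requires exactly one matching line, it says nothing about whether the old `exec($_POST` hit at 0x1a0a — presumably an in-word match of the kind the new `\b` is meant to suppress — has actually disappeared, which is the behaviour issue #51 asks for. A negative check next to it would pin that, e.g. `! ${PMF} -v "$SAMPLES"/classic/sosyete.php | grep -q '0x1a0a:$execution:'` (assuming `run_test` invokes `${PMF} -v "$SAMPLES"/"$1"` the way the deleted `run_test_asp` did). A small `run_test_absent` helper mirroring `run_test` would let the same be done for any benign sample that used to trip `$execution` on a `foo_system(`-style name.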