From 5a8f30ff2f5b93793305e46015097d822d8846c6 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Wed, 3 Feb 2016 10:47:05 +0100
Subject: Add some bad_php rules
---
 php-malware-finder/bad_php.yara | 48 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 php-malware-finder/bad_php.yara
diff --git a/php-malware-finder/bad_php.yara b/php-malware-finder/bad_php.yara
new file mode 100644
index 0000000..e3bdb76
--- /dev/null
+++ b/php-malware-finder/bad_php.yara
@@ -0,0 +1,48 @@
+rule Sqli
+{
+ strings:
+ $mysql = /mysqli?_.*[[:space:]]*\(.*\$.*\)/
+ $pg = /pg_.*[[:space:]]*\(.*\$.*\)/
+ $sqlite = /sqlite_.*[[:space:]]*\(.*\$.*\)/
+ condition:
+ any of them
+}
+
+rule Xss
+{
+ strings:
+ $xss1 = /(echo|print(_r)?)([[:space:]]|\()+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*/
+ condition:
+ any of them
+}
+
+rule CodeExec
+{
+ strings:
+ $eval = /eval\s*\(\s*.\$.*\s*\)/
+ $file = /(readfile|fopen|file(_get_contents)?)\s*\(.\$.*\)/
+ $include = /(include|require)(_once)?\s*\(.*\$.*\)/
+ $system = /(system|shell_exec)([[:space:]]*\(|[[:space:]]+).*\)?/
+ condition:
+ any of them
+}
+
+
+rule Misc
+{
+ strings:
+ $header_splitting = /header\s*\(.*\$_(GET|POST|REQUEST|COOKIE).*\)/
+ $serialize = /unserialize\s*\(.*\)|unserialize_callback_func/
+ condition:
+ any of them
+}
+
+rule Infoleak
+{
+ strings:
+ $php = /php(info|credits|version|_logo_guid|_uname)\s*\(.*\)/
+ $zend = /zend(_logo_guid|_version)\s*\(.*\)/
+ $extensions = /get_loaded_extensions\s*\(.*\)/
+ condition:
+ any of them
+}
--
cgit v1.3
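Review bot: The `$eval` and `$file` strings in CodeExec put a single `.` between `\(` and `\$`, so they only match when exactly one character separates the opening parenthesis from the variable — `eval( $x)` is caught, but `eval($x)`, `eval(base64_decode($x))` and `file_get_contents($url)` are not, which defeats the purpose of the rule. Use `.*` as `$include` and the Sqli strings already do: `$eval = /eval\s*\(.*\$.*\)/` and `$file = /(readfile|fopen|file(_get_contents)?)\s*\(.*\$.*\)/`. Separately, `$system` requires no `\$` and has no word boundary, so a constant call such as `system('ls')` or the word `ecosystem ` in a comment fires it; consider anchoring with `\b` and requiring a variable like the sibling strings. The file also mixes `[[:space:]]` and `\s` for the same purpose, and none of the rules carries a `meta:` block (description, author) — worth adding for consistency and for analyst triage.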