From af0c39a3f7d665ff3f545110296383ac96c5ad59 Mon Sep 17 00:00:00 2001 From: Julien (jvoisin) Voisin Date: Fri, 4 Nov 2016 15:56:32 +0100 Subject: `SERVER['HTTP_*` is user-controllable. --- php-malware-finder/php.yar | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 536d880..309af01 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar @@ -36,8 +36,8 @@ global private rule IsPhp rule PasswordProtection { strings: - $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase - $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase + $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase + $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase condition: (any of them) and not IsWhitelisted } @@ -54,7 +54,7 @@ rule ObfuscatedPhp $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()` $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words $concat_with_spaces = /(\$[^\n\r]+\. ){5}/ // concatenation of more than 5 words, with spaces - $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/ + $var_as_func = /\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]+\]\s*\(/ $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/ // eval /* comment */ (php_code) condition: (any of them) and not IsWhitelisted @@ -66,9 +66,9 @@ rule DodgyPhp $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ - $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase // function that takes a callback as 1st parameter - $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase // functions that takes a callback as 2nd parameter - $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter + $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // function that takes a callback as 1st parameter + $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // functions that takes a callback as 2nd parameter + $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter $htaccess = "SetHandler application/x-httpd-php" $iis_com = /IIS:\/\/localhost\/w3svc/ -- cgit v1.3