From fcd5832e53cb8317c441047200cb5d7e4d6d40ec Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Fri, 26 Feb 2016 17:11:10 +0100
Subject: Add yet another cool bypass, thanks to @badluck81

---
 php-malware-finder/malwares.yara | 1 +
 php-malware-finder/samples/artificial/bypasses.php | 2 ++
 php-malware-finder/tests.sh | 1 +
 3 files changed, 4 insertions(+)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 4e7edea..b47dce3 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
 $variable_variable = /\${\$[0-9a-zA-z]+}/
 $too_many_chr = /(chr\([\d]+\)\.){2,}?/ // concatenation of more than two `chr()`
 $concat = /(\$[^\n\r]+\.){5,}?/ // concatenation of more than 5 words
+ $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
 $gif = /^GIF89/
 condition:
 any of them and not IsWhitelisted
diff --git a/php-malware-finder/samples/artificial/bypasses.php b/php-malware-finder/samples/artificial/bypasses.php
index fc1c447..9d849a4 100644
--- a/php-malware-finder/samples/artificial/bypasses.php
+++ b/php-malware-finder/samples/artificial/bypasses.php
@@ -3,3 +3,5 @@
 // https://rstforums.com/forum/topic/98500-php-malware-finder/?do=findComment&comment=615687
 print_r(call_user_func_array($_POST['functie'], array($_POST['argv'])));
+// https://github.com/nbs-system/php-malware-finder/commit/47d86bf92eb15fe65dd4efbc04d0004856e88ddd#commitcomment-16355734
+print_r($_POST['funct']($_POST['argv']));
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 93319a0..7566e89 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -76,5 +76,6 @@ run_test artificial/dodgy.php '0x1fd:$various:
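Review bot: The new `$var_as_func` string is the only pattern in this hunk without a trailing explanation, while `$too_many_chr` and `$concat` just above document what they are meant to catch; add `// call of a function whose name is read straight from a superglobal, e.g. $_POST['f'](...)` so the next maintainer knows why it lives in ObfuscatedPhp. The alternation also names only four superglobals, so the same call shape written through `$_SERVER`, `$_FILES` or `$_ENV` is not matched by this string — that may be a deliberate false-positive trade-off, but it should be decided explicitly and stated in the comment. The `rule ObfuscatedPhp` body begins before this hunk, so the enclosing strings/condition layout is only partly visible here.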