From 48936efa96ae17295be4e0a71be3294f0ec6aef8 Mon Sep 17 00:00:00 2001
From: Mathieu Deous
Date: Mon, 2 May 2022 20:18:23 +0200
Subject: Make application go-install-able and create a docker image
---
tests.sh | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100755 tests.sh
(limited to 'tests.sh')
diff --git a/tests.sh b/tests.sh
new file mode 100755
index 0000000..a302031
--- /dev/null
+++ b/tests.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+PMF=./php-malware-finder
+SAMPLES=./data/samples
+
+type yara 2>/dev/null 1>&2 || (echo "[-] Please make sure that yara is installed" && exit 1)
+
+CPT=0
+run_test(){
+ NB_DETECTED=$(${PMF} -v -a "$SAMPLES"/"$1" 2>&1 | grep -c "$2" 2>/dev/null)
+
+ if [[ "$NB_DETECTED" != 1 ]]; then
+ echo "[-] $2 was not detected in $1, sorry"
+ exit 1
+ fi
+ CPT=$((CPT+1))
+}
+
+
+# Real samples
+run_test cpanel.php '0x294d:$eval: {eval('
+run_test freepbx.php 'ObfuscatedPhp'
+run_test freepbx.php '0x72:$eval: { system('
+run_test freepbx.php 'DodgyPhp'
+run_test freepbx.php '0x31d:$execution: system(base64_decode'
+
+# Classic shells
+run_test classic/ajaxshell.php 'DodgyStrings'
+run_test classic/ajaxshell.php '0x23e2:$: shell_exec'
+run_test classic/ajaxshell.php "0x16e0:\$ini_get: ini_get('safe_mode"
+run_test classic/ajaxshell.php "0x17f1:\$ini_get: ini_get('open_basedir"
+run_test classic/angel.php '0x1b:$disable_magic_quotes:'
+run_test classic/b374k.php 'ObfuscatedPhp'
+run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'"
+run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func('
+run_test classic/b374k.php '0xd6:$align: ;$b374k=$func('
+run_test classic/b374k.php '0x43:$: github.com/b374k/b374k'
+run_test classic/sosyete.php '0x194e:$execution: shell_exec($_POST'
+run_test classic/simattacker.php '0x158:$: fpassthru'
+run_test classic/r57.php '0x142a2:$: xp_cmdshell'
+run_test classic/cyb3rsh3ll.php '0x2200d:$udp_dos: fsockopen("udp://'
+run_test classic/c99.php '0x3bb4:$eval: {exec('
+run_test classic/c100.php '0x4f8d:$eval: {eval('
+
+# Obfuscated php
+run_test obfuscators/cipher_design.php '0x124:$execution: eval(base64_decode'
+run_test obfuscators/cipher_design.php '0x123:$eval: ;eval('
+run_test obfuscators/online_php_obfuscator.php '0x51:$eval: ;preg_replace('
+run_test obfuscators/online_php_obfuscator.php "0x52:\$pr: preg_replace('/.*/e"
+run_test obfuscators/online_php_obfuscator.php "SuspiciousEncoding"
+run_test obfuscators/phpencode.php "ObfuscatedPhp"
+run_test obfuscators/phpencode.php "DodgyPhp"
+
+# Artificial samples to test some rules
+run_test artificial/obfuscated.php '0x0:$eval: