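<?php
/**********************
 Php webshell Scanning
 **********************/

// Reconstructed from a listing whose tokens were split and re-capitalised by
// extraction ("$ Matches", "Preg \ _ replace", "/I", "html specialchars").
// Identifiers, operators and regex syntax are restored to valid PHP; the
// signature set itself is the one the listing gives.
//
// Operational notes for whoever deploys this:
//  - The script has no access control of its own. Anyone who can reach it can
//    walk any directory the PHP user can read and see matched file content, so
//    run it from a protected location (or the CLI) and remove it afterwards.
//  - Signature matching only produces leads. Obfuscated or novel code will not
//    match, so an empty report is not evidence that a tree is clean.

error_reporting(E_ERROR);
ini_set('max_execution_time', 20000);
// NOTE(review): '12m' is the value shown in the listing; the scanner reads files
// of up to 10,000,000 bytes into memory, which will not fit - confirm the limit.
ini_set('memory_limit', '12m');
header('content-Type: text/html; charset=gb2312');

// Detection signatures, first match wins per file. The "://" in the udp/tcp and
// php://input patterns and two unbalanced "(" were restored; the listing had
// collapsed them, which would have made those patterns fail to compile and
// silently never match.
$matches = array(
    // function_exists() probing for command-execution functions
    '/function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|system|passthru)+[\'|\"]\s*\)/i',
    // command execution fed directly from a superglobal
    '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*\)/i',
    // raw udp:// or tcp:// stream targets
    '/((udp|tcp)\:\/\/(.*)\;)+/i',
    // preg_replace with the /e modifier and a superglobal argument
    '/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
    '/preg\_replace\s*\((.*)\(base64\_decode\(\$/i',
    // code evaluation / inclusion of decoded or remote content
    '/(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*(base64\_decode|str\_rot13|gz(\w+)|file\_(\w+)\_contents|(.*)php\:\/\/input)+/i',
    // code evaluation / inclusion / callbacks fed from request data
    '/(eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk)+\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i',
    '/eval\s*\(\s*\$(\w+)/i',
    // including a file that carries a non-PHP extension
    '/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+)\.(jpg|gif|ico|bmp|png|txt|zip|rar|htm|css|js)+[\'|\"]\s*\)/i',
    '/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*\$(\w+)\s*\)/i',
    // upload handling where the destination comes from the request
    '/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i',
    // file writes whose arguments come from the request
    '/(fopen|fwrite|fputs|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i',
    '/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i',
    // COM object creation for a shell component
    '/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i',
    '/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
    '/\$\_\=(.*)\$\_/i',
    // variable functions called on, or fed from, request data
    '/\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i',
    '/\$(\w+)\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i',
    '/\$(\w+)\(\$\{(.*)\}/i',
);

/**
 * Escape a value for use in HTML text or a double-quoted attribute.
 *
 * File names and matched code come from the tree being examined and must be
 * treated as hostile when they are written into the report.
 *
 * @param string $value Raw text.
 * @return string Escaped text.
 */
function scan_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE);
}

/**
 * Push pending report output to the client so long scans show progress.
 *
 * @return void
 */
function scan_flush()
{
    // ob_flush() raises a notice when no output buffer is active.
    if (ob_get_level() > 0) {
        ob_flush();
    }
    flush();
}

/**
 * Turn the "Suffix" form value (".php|.inc|.phtml") into a file-name regex.
 *
 * Every alternative is quoted, so the request cannot inject regex syntax, a
 * delimiter or modifiers into the pattern.
 *
 * @param string $exs Pipe-separated list of suffixes.
 * @return string A PCRE pattern, or '' when no usable suffix was supplied.
 */
function scan_suffix_regex($exs)
{
    $parts = array();
    foreach (explode('|', (string) $exs) as $suffix) {
        $suffix = trim($suffix);
        if ($suffix !== '') {
            $parts[] = preg_quote($suffix, '/');
        }
    }

    return $parts ? '/(' . implode('|', $parts) . ')/i' : '';
}

/**
 * Recursively scan a directory and print one report line per suspicious file.
 *
 * @param string $dir     Directory to scan, with a trailing "/".
 * @param string $exs     PCRE pattern a file name must match to be inspected.
 * @param array  $matches List of PCRE signatures applied to file content.
 * @return bool False when $dir cannot be opened, true otherwise.
 */
function antivirus($dir, $exs, $matches)
{
    $handle = @opendir($dir);
    if ($handle === false) {
        return false;
    }

    while (false !== ($name = readdir($handle))) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . $name;

        if (is_dir($path)) {
            // NOTE(review): is_dir() follows symlinks, so a link that points
            // back up the tree makes this recursion loop until the time limit.
            if (is_readable($path)) {
                antivirus($path . '/', $exs, $matches);
            }
        } elseif (
            strpos($name, ';') !== false
            || strpos($name, '%00') !== false
            || strpos($name, '/') !== false
        ) {
            // Names built to confuse extension parsing are reported unread.
            echo '<p>feature <input type="text" style="width: 218px;" value="Resolution Vulnerability"> '
                . scan_html($path) . '</p>';
            scan_flush();
        } else {
            if (!preg_match($exs, $name)) {
                continue;
            }
            if (filesize($path) > 10000000) {
                continue;
            }
            // Unreadable and empty files are skipped instead of being passed to
            // fread(), which fails on a false handle or a zero length.
            $code = @file_get_contents($path);
            if ($code === false || $code === '') {
                continue;
            }

            foreach ($matches as $matche) {
                $array = array();
                // preg_match() returns false when a greedy (.*) signature hits
                // pcre.backtrack_limit on a large file; that file is then
                // treated as a non-match for this signature.
                if (preg_match($matche, $code, $array) !== 1 || !$array) {
                    continue;
                }
                // Skip hits that contain "$this->" after their first byte
                // (the bytes below spell that token), as the listing does.
                // This suppresses framework noise and is also an evasion gap.
                $thisPos = strpos($array[0], "\x24\x74\x68\x69\x73\x2d\x3e");
                if ($thisPos !== false && $thisPos > 0) {
                    continue;
                }
                $len = strlen($array[0]);
                if ($len > 10 && $len < 1500) {
                    echo '<p>feature <input type="text" style="width: 218px;" value="'
                        . scan_html($array[0]) . '"> ' . scan_html($path) . '</p>';
                    scan_flush();
                    break;
                }
            }
            unset($code, $array);
        }
    }
    closedir($handle);

    return true;
}

/**
 * Normalise a path: trim trailing whitespace, use "/" and collapse "//" runs.
 *
 * @param string $str Raw path.
 * @return string Normalised path.
 */
function strdir($str)
{
    return (string) preg_replace('#/+#', '/', str_replace('\\', '/', rtrim((string) $str)));
}

// Request values are accepted only as strings; an array-valued field would
// otherwise reach the string functions below.
$postDir = (isset($_POST['dir']) && is_string($_POST['dir'])) ? $_POST['dir'] : '';
$postExs = (isset($_POST['exs']) && is_string($_POST['exs'])) ? $_POST['exs'] : '';
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';

$formDir = strdir(($postDir !== '' ? $postDir : $docRoot) . '/');
$formExs = $postExs !== '' ? $postExs : '.php|.inc|.phtml';

// Both fields are echoed back into attributes, so they are escaped here.
echo '<form method="POST">';
echo '<p>path: <input type="text" name="dir" value="' . scan_html($formDir) . '" style="width: 398px;"></p>';
echo '<p>Suffix: <input type="text" name="exs" value="' . scan_html($formExs) . '" style="width: 398px;"></p>';
echo '<p>operation: <input type="submit" style="width: 80px;" value="scan"></p>';
echo '</form>';

if (
    $postDir !== ''
    && $postExs !== ''
    && strpos($postDir, "\0") === false
    && file_exists($postDir)
) {
    $dir = strdir($postDir . '/');
    $exs = scan_suffix_regex($postExs);
    echo ($exs !== '' && antivirus($dir, $exs, $matches))
        ? '<p>scan completed</p>'
        : '<p>scan interrupted</p>';
}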