Take a look at backtick execution first. The snippet below runs the backticked command successfully; the code is as follows:

```php
`ls -al`;
    `ls -al`;
echo "sss"; `ls -al`;
$sql = "select `username` from `table` where 1";
$sql = 'select `username` from `table` where 1';
/*
In the first three lines the backtick is preceded by nothing but whitespace, or it follows
the end of a previous statement on the same line. The last two lines are the exception:
the backticks belong to a SQL statement inside a string, and they must be excluded.
*/
```
How do you write a regular expression for this?
Analysis:
What do the dangerous cases have in common, and how do they differ from other, normal code that also contains backticks?
They may be preceded by spaces, tabs or other whitespace. They may also be preceded by program code, provided that any quotation marks in front of them (single or double) are closed in pairs. That is where the danger hides. The pattern cfc4n came up with is as follows (the name of the second capture group is not legible in the source; `cmd` stands in for it here): `(?:(?:^(?:\s+)?)|(?:(?P<quote>["'])[^(?P=quote)]+?(?P=quote)[^`]*?))`(?P<cmd>[^`]+)``
Explanation:
`(?:(?:^(?:\s+)?)|(?:(?P<quote>["'])[^(?P=quote)]+?(?P=quote)[^`]*?))`
Either the start of the line, optionally followed by whitespace, or code in front of the backtick that contains a closed pair of single or double quotes. (This Python pattern uses a named capture group and a backreference to it.)
`` `(?P<cmd>[^`]+)` `` This part is simple: it captures the string between the two backticks.
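One caveat a practitioner should know before reusing the pattern above: Python's `re` does not interpret a backreference inside a character class, so `[^(?P=quote)]` is simply a class that excludes the literal characters `(`, `?`, `P`, `=`, `q`, `u`, `o`, `t`, `e` and `)`, not "anything but the opening quote". The following scanner is an added example (not code from the original post) that implements the stated intent directly: it walks a line of PHP character by character, tracks whether it is inside a single- or double-quoted string, and reports only backticks that sit outside a string literal. The sample lines are the five cases from the post, constructed here; comments, heredocs and multi-line strings are assumed out of scope for a line-oriented scan.

```python
# Constructed sample lines: the five cases discussed in the post.
SAMPLE_LINES = [
    "`ls -al`;",
    "    `ls -al`;",
    'echo "sss"; `ls -al`;',
    '$sql = "select `username` from `table` where 1";',
    "$sql = 'select `username` from `table` where 1';",
]


def backtick_commands(line):
    """Return the text of every backtick pair that lies outside a
    single- or double-quoted PHP string literal on this line.

    Unlike the regex in the post, this is a small state machine: it
    tracks quote state explicitly, so backticks inside a SQL string are
    never reported, while a backtick that follows only whitespace or a
    finished statement is.  Comments and heredocs are not handled.
    """
    found = []
    quote = None          # quote character we are currently inside, or None
    in_backtick = False   # True while collecting a backticked command
    buf = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and (quote or in_backtick):
            # Backslash escape inside a string or command: keep the next
            # character verbatim and do not treat it as a delimiter.
            if in_backtick:
                buf.append(line[i:i + 2])
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None
        elif in_backtick:
            if ch == "`":
                found.append("".join(buf).strip())
                buf = []
                in_backtick = False
            else:
                buf.append(ch)
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "`":
            in_backtick = True
        i += 1
    return found


def is_backtick_exec(line):
    """True when the line executes a shell command through backticks."""
    return bool(backtick_commands(line))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print("%-55s -> %s" % (sample, backtick_commands(sample)))
```

Running the block prints `['ls -al']` for the first three sample lines and `[]` for the two SQL lines, which is exactly the split the post asks for.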
[Image: a loosely written Python script for detecting PHP webshells]
Look at the first element of the list in that script: "(system|shell_exec|exec|popen)". This pattern treats any string that merely contains "system", "shell_exec", "exec" or "popen" as a dangerous character sequence. Obviously that is not rigorous: if a programmer's ordinary code happens to contain one of those four substrings, it is reported as a dangerous function. It is very inaccurate, and the false-positive rate is very high. See the script above.
What kind of code is suspicious code, and what are the keywords?
Suspicious code is necessarily built from PHP functions that can perform dangerous operations. The most important is "eval": encrypted PHP code (meaning string-mangled code, not Zend-style encoding) always ends up being passed to "eval", whatever the encryption method. Second come the functions that execute system commands, such as the four mentioned in the script above: "system", "shell_exec", "exec" and "popen". There are others too, such as "passthru". PHP also lets the backtick character (the key below Esc) execute a system command directly. We can write the pattern like this: `\b(?P<function>eval|proc_open|popen|shell_exec|exec|passthru|system)\b\s*\(`.
[Image: a relatively rigorous match for the Python script that detects PHP webshells]
Explanation:
We all know that "\b" matches the position at the boundary of a word. Putting "\b" on both sides guarantees that the whole word is matched, so the function name is still found even when a special character precedes it, for example an "@" added to suppress errors. The "\s*" that follows matches zero or more whitespace characters, including spaces and tabs. The "(?P<function>...)" in front is a named capture group, a key the Python code can use to reference the match directly.
Some readers also asked: what if I put the code in a file with an image extension? You only test .php and .inc files, so you still won't find it. Well, yes: if the malicious code is in a .gif, .jpg, .png, .aaa or some other odd extension, it is not parsed by Apache, IIS or other web servers, so it must be pulled in through include/require(_once). So we only need to check whether the filename after include/require(_once) is a normal ".php" or ".inc" file. If it is not, it is a suspicious file. The pattern is as follows (it is cut off in the source of this article): `(?P<function>\b(?:include|require)(?:_once)?\b)\s*\(?\s*["'](?P<filename>.*?(?`
[Image: a more rigorous approach for the Python script that detects PHP webshells]
Explanation:
First look at `(?P<function>\b(?:include|require)(?:_once)?\b)`. `(?P<name>...)` is a regular-expression "named capture"; PHP has the same usage. The data captured inside these parentheses is assigned to the key "name" in the result array. Now look inside: `\b(?:include|require)(?:_once)?\b`. "\b" needs no further explanation; it is the word-boundary position. `(?:include|require)` matches the two words "include" and "require"; the leading "?:" makes the group non-capturing, which improves efficiency, and you could drop the "?:" and write `(include|require)`. The following `(?:_once)` is also a non-capturing group, again to make the expression more efficient, and its quantifier "?" makes the group optional. Together they satisfy the four cases "include", "include_once", "require" and "require_once". Some friends might write `(include|include_once|require|require_once)`, which also achieves the purpose. To make it more efficient, however, we optimise the pattern by factoring the shared part into branches, which gives the `\b(?:include|require)(?:_once)?\b` above.
Now look at the rest: `\s*\(?\s*["'](?P<filename>.*?(?`. "\s*" is optional whitespace, "\(?" an optional opening parenthesis, then whitespace again and the opening quote. `(?P<filename>...)` is a named capture as described above; its result goes into match.group("filename"). ".*?" matches any characters, and the "?" after "*" is the "lazy" quantifier, commonly called "non-greedy", with a minimum of zero matches (so that names such as .aa or .htaccess, which have an extension but no file name, are handled; only files with a file extension are considered). Behind that, the "(?
In summary, my humble Python code is as follows:
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
###
## @package
##
## @author cfc4n
## @copyright Copyright (c) www.cnxct.com
## @version $Id: check_php_shell.py 37 2010-07-22 09:56:28Z cfc4n $
###
import os
import re
import sys
import time

LOG_PATH = os.path.join(os.getcwd(), "check_php_shell.log")

# Only files with these extensions are scanned.
SCAN_FILE_RE = re.compile(r"\.(?:php|inc|html?)$", re.IGNORECASE)

# include/require(_once) of a quoted filename.  The tail of this pattern is
# cut off in the source of this article, so the "not a normal .php/.inc file"
# test is done in Python (see is_odd_extension) rather than inside the regex.
INCLUDE_RE = re.compile(
    r"""(?P<function>\b(?:include|require)(?:_once)?\b)\s*\(?\s*["'](?P<filename>[^"']+)["']""",
    re.IGNORECASE)

# Dangerous functions followed by an opening parenthesis.
DANGEROUS_RE = re.compile(
    r"\b(?P<function>eval|proc_open|popen|shell_exec|exec|passthru|system)\b\s*\(",
    re.IGNORECASE | re.MULTILINE)


def is_odd_extension(included):
    """True when the included file has a file name plus an extension other
    than .php/.inc (avatar.gif, x.php.jpg); names such as .htaccess, which
    have an extension but no file name, are not flagged."""
    base, ext = os.path.splitext(os.path.basename(included))
    return bool(base) and bool(ext) and ext.lower() not in (".php", ".inc")


def listdir(dirs, liston='0'):
    flog = open(LOG_PATH, "a+")
    if not os.path.isdir(dirs):
        print("Directory %s does not exist" % dirs)
        flog.close()
        return
    for name in os.listdir(dirs):
        filepath = os.path.join(dirs, name)
        if os.path.isdir(filepath):
            if liston == '1':              # '1' = recurse into subfolders
                listdir(filepath, '1')
        elif os.path.isfile(filepath):
            if not SCAN_FILE_RE.search(os.path.basename(filepath)):
                continue
            iname = 0                      # hits found in this file so far
            # errors="replace": PHP sources are not always valid UTF-8
            with open(filepath, encoding="utf-8", errors="replace") as f:
                for i, file_contents in enumerate(f, 1):   # i = line number
                    match = INCLUDE_RE.search(file_contents)
                    if match and is_odd_extension(match.group("filename")):
                        function = match.group("function")
                        filename = match.group("filename")
                        # print the file header only before the first hit
                        info = '\n[%s]:\n' % filepath if iname == 0 else ''
                        info += '\t|--[%s]-[%s] line [%d]\n' % (function, filename, i)
                        flog.write(info)
                        print(info)
                        iname += 1
                    match = DANGEROUS_RE.search(file_contents)
                    if match:
                        function = match.group("function")
                        info = '\n[%s]:\n' % filepath if iname == 0 else ''
                        info += '\t|--[%s] line [%d]\n' % (function, i)
                        flog.write(info)
                        print(info)
                        iname += 1
    flog.close()


if '__main__' == __name__:
    argvnum = len(sys.argv)
    liston = '0'
    if argvnum == 1:
        action = os.path.basename(sys.argv[0])
        print("Command is like:\n%s D:\\wwwroot\\\n%s D:\\wwwroot\\ 1  --recurse subfolders"
              % (action, action))
        sys.exit()
    elif argvnum == 2:
        path = os.path.realpath(sys.argv[1])
        listdir(path, liston)
    else:
        liston = sys.argv[2]
        path = os.path.realpath(sys.argv[1])
        listdir(path, liston)
    # stamp the log so successive runs can be told apart
    flog = open(LOG_PATH, "a+")
    isotimeformat = '%Y-%m-%d %X'
    now_time = time.strftime(isotimeformat, time.localtime())
    flog.write("\n----------------------%s checked---------------------\n" % now_time)
    flog.close()
```
The latest code is given in the link at the end of the article. Updated 2010/07/31.
For reference only; discussion and corrections are welcome.
Below is a scan of Discuz! 7.2. Of course it still reports some false positives, but compared with the Python script circulating online there are fewer of them, and the results are more accurate.
[Image: test results of the Python script that detects PHP webshells]
Q: Is this method perfect? Can it find every file that uses a currently known dangerous function?
A: No. If the file pulled in by include has no extension at all, it will not match.
Q: How do I fix that?
A: Left for you to solve; clever as you are, you can certainly do it.
PS: Detection of command execution through backticks is not written yet; I have no good method for it. It is easily confused with the backticks in SQL statements and is hard to match well. If you match only on the backticks, the false positives are far too many. To be determined. (Everyone has their own speciality; do not dismiss a person's ability because of one bad piece of code. You know what I mean. Again, this article is about the code, not the person. Also, the Python code I give may be copied and spread freely; keep the copyright notice if you like it, or delete those characters if you don't; whatever you prefer.)
I'll take a break and continue tomorrow. (The first half of that sentence is Cao Ren's line from Sanguosha, ha.)