Exact search for PHP webshell Trojans (corrected version)

Source: Internet
Author: User

First, let's check which of the following backtick snippets actually execute as shell commands (in PHP the backtick operator runs its contents through the shell). The code is as follows:
`ls -al`;
	`ls -al`;
echo "sss";`ls -al`;

$sql = "SELECT `username` FROM `table` WHERE 1";

$sql = 'SELECT `username` FROM `table` WHERE 1';
/*
The executable ones are simply a backtick expression that starts the line, has only whitespace in front of it, or follows the end of the preceding statement. The last two lines are the exceptions: backticks inside an SQL string are not executed and must be excluded.
*/

How do we write the regular expression?
Analysis:
What do the executable snippets have in common? How do they differ from the other, harmless lines that also contain backticks?
They may have leading spaces, tabs or other whitespace in front of them; they may also be preceded by program code, provided that all quotation marks (single and double) in that code are closed. That is the dangerous, hidden case. The regular expression CFC4N came up with is: 【(?:(?:^(?:\s+)?)|(?:(?P<quote>["'])[^(?P=quote)]+?(?P=quote)[^`]*?))`(?P<shell>[^`]+)`】

Explanation:

【(?:(?:^(?:\s+)?)|(?:(?P<quote>["'])[^(?P=quote)]+?(?P=quote)[^`]*?))】 matches either the start of the line (optionally followed by whitespace) or a position preceded by code whose single or double quotes are closed. (Named captures and backreferences are used in this Python regular expression.)

【`(?P<shell>[^`]+)`】 is simpler: it captures the string between the backticks.

Detecting PHP webshells with a Python script
Then I wrote the regex into the script and ran it over the Discuz code. It reported a false positive: the line define('uc_dbtablepre', '`ucenter`.UC_'); in config.inc.php. Why? This line also has closed quotes followed by a backtick expression, so it satisfies the rule and gets reported. How can this be ruled out? What is special about it? There is a comma ","? What if it were the string concatenation dot "."? So exclude the comma?

Well, I was wrong, and I shouldn't lead you astray with that line of thought. Let's think again. What can precede code that is executed with backticks? Only the start of a line, or whitespace (spaces and tabs), or the semicolon (;) that ends the previous statement. In any other position the code cannot be executed, can it? It should be like this (if there is a mistake, corrections are welcome). With that idea, it is easy to write the regex: 【(^|(?<=;))\s*`[^`]+`】. To explain: 【(^|(?<=;))】 matches the position at the start of a line or directly after a semicolon (;); 【\s*`[^`]+`】 matches any whitespace and then... (you know). OK. After writing it, I tested again and found another problem.

The regular expression for included files also matches "require_once './include/db_'.$database.'.class.php';"; analyze the reason for this yourself.
The repaired Python code is as follows:
#!/usr/bin/python
# -*- encoding: UTF-8 -*-
###
## @package
##
## @author CFC4N <cfc4nphp@gmail.com>
## @copyright (c) www.cnxct.com
## @version $Id: check_php_shell.py 37 2010-07-22 09:56:28Z cfc4n $
###
import os
import sys
import re
import time

def listdir(dirs, liston='0'):
    # Findings are appended to check_php_shell.log in the current working directory.
    flog = open(os.getcwd() + "/check_php_shell.log", "a+")
    if not os.path.isdir(dirs):
        print("directory %s does not exist" % dirs)
        flog.close()
        return
    for name in os.listdir(dirs):
        filepath = os.path.join(dirs, name)
        if os.path.isdir(filepath):
            if liston == '1':   # '1' = recurse into subfolders
                listdir(filepath, '1')
        elif os.path.isfile(filepath):
            filename = os.path.basename(filepath)
            # Only .php, .inc, .htm and .html files are scanned, line by line.
            if re.search(r"\.(?:php|inc|html?)$", filename, re.IGNORECASE):
                i = 0       # current line number
                iname = 0   # hits in this file so far; the first hit prints the file header
                f = open(filepath)
                while True:
                    file_contents = f.readline()
                    if not file_contents:
                        break
                    i += 1
                    # 1. include/require of a file whose name does not end in .php or .inc
                    match = re.search(r'''(?P<function>\b(?:include|require)(?:_once)?\b)\s*\(?\s*["'](?P<filename>[^;]*(?<!\.(?:php|inc)))["']\)?\s*;''', file_contents, re.IGNORECASE | re.MULTILINE)
                    if match:
                        function = match.group("function")
                        filename = match.group("filename")
                        if iname == 0:
                            info = '\n[%s]:\n' % (filepath)
                        else:
                            info = ''
                        info += '\t|--[%s]-[%s] line [%d]\n' % (function, filename, i)
                        flog.write(info)
                        print(info)
                        iname += 1
                    # 2. direct calls to code- or command-execution functions
                    match = re.search(r'\b(?P<function>eval|proc_open|popen|shell_exec|exec|passthru|system)\b\s*\(', file_contents, re.IGNORECASE | re.MULTILINE)
                    if match:
                        function = match.group("function")
                        if iname == 0:
                            info = '\n[%s]:\n' % (filepath)
                        else:
                            info = ''
                        info += '\t|--[%s] line [%d]\n' % (function, i)
                        flog.write(info)
                        print(info)
                        iname += 1
                    # 3. backtick command at line start or right after a ';', closed by a ';'
                    match = re.search(r'(^|(?<=;))\s*`(?P<shell>[^`]+)`\s*;', file_contents, re.IGNORECASE)
                    if match:
                        shell = match.group("shell")
                        if iname == 0:
                            info = '\n[%s]:\n' % (filepath)
                        else:
                            info = ''
                        info += '\t|--[``] command is [%s] in line [%d]\n' % (shell, i)
                        flog.write(info)
                        print(info)
                        iname += 1
                f.close()
    flog.close()

if '__main__' == __name__:
    argvnum = len(sys.argv)
    liston = '0'
    if argvnum == 1:
        action = os.path.basename(sys.argv[0])
        print("Usage:\n%s D:\\wwwroot\n%s D:\\wwwroot 1   (1 = recurse into subfolders)" % (action, action))
        sys.exit()
    elif argvnum == 2:
        path = os.path.realpath(sys.argv[1])
        listdir(path, liston)
    else:
        liston = sys.argv[2]
        path = os.path.realpath(sys.argv[1])
        listdir(path, liston)
    flog = open(os.getcwd() + "/check_php_shell.log", "a+")
    ISOTIMEFORMAT = '%Y-%m-%d %X'
    now_time = time.strftime(ISOTIMEFORMAT, time.localtime())
    flog.write("\n----------------------%s checked-------------------\n" % (now_time))
    flog.close()

A scan of the Discuz 7.2 code showed one more false positive, in code containing SQL:
$query = $db->query("SELECT `status`, `threads`, `posts`
FROM `{$tablepre}forums` WHERE
`status`='1';
");

The script works line by line, which is why this false positive occurs. You can fix it yourself; it is still more accurate than the scripts circulating on the Internet.
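As an added example (not part of CFC4N's script), the three backtick patterns from the post are run side by side over constructed PHP lines: the first pattern's config.inc.php false positive, the SQL continuation line that the line-based scan still flags, and the effect of the trailing \s*; check. The helper names and sample lines are my own.

```python
import re

# The three backtick patterns the post walks through, in the order they evolved.
# Note: inside a character class, [^(?P=quote)] is a literal set of characters,
# not a backreference, so the first pattern does not do quite what it reads as.
PATTERNS = {
    # first attempt: a backtick preceded by leading whitespace or by a closed string
    "v1": re.compile(r'''(?:(?:^(?:\s+)?)|(?:(?P<quote>["'])[^(?P=quote)]+?(?P=quote)[^`]*?))`(?P<shell>[^`]+)`'''),
    # second attempt: the backtick must start the line or follow a ';' (named group added here)
    "v2": re.compile(r'(^|(?<=;))\s*`(?P<shell>[^`]+)`'),
    # final version: additionally require the statement terminator after the closing backtick
    "v3": re.compile(r'(^|(?<=;))\s*`(?P<shell>[^`]+)`\s*;'),
}

def find_backtick_shell(line, version="v3"):
    """Return the text inside the backticks if `line` looks like a shell-execution statement, else None."""
    match = PATTERNS[version].search(line)
    return match.group("shell") if match else None

# Constructed PHP lines (hypothetical, not copied from any scanned project).
SAMPLES = {
    "plain":         "`ls -al`;",
    "indented":      "\t`ls -al`;",
    "after_stmt":    'echo "sss";`ls -al`;',
    "sql_string":    '$sql = "SELECT `username` FROM `table` WHERE 1";',
    "define":        "define('UC_DBTABLEPRE', '`ucenter`.uc_');",  # the config.inc.php case
    "sql_continued": "`status`='1';",                              # continuation line of a multi-line query
}

def scan_samples(version):
    """Map each sample name to what the given pattern version extracts from it."""
    return {name: find_backtick_shell(line, version) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for version in PATTERNS:
        print(version, scan_samples(version))
```

Run it and compare the three result sets: v1 reports "ucenter" for the define line, v2 drops that but still reports "status" for the SQL continuation line, and v3 reports only the three real command lines.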
Reprinting is allowed; please credit the source and link to the blog, and do not use it commercially. (Fixed: added the 【\s*;】 check after the closing backtick.)

PS: if you consider file uploads a dangerous operation worth flagging, add the move_uploaded_file function to the list; you know where to add it. ^_^

The code is hosted on Google Code; everyone can get the latest version from the SVN repository at http://code.google.com/p/cnxct/.

I am a PHPer; the Python I write is a bit rough and a bit lazy, so experts in the security field, please do give suggestions. Thank you. I will write a PHP version later. You are also welcome to send in the latest webshell signatures; I will do my best to add them to the program.
Complete code
The code is as follows:
#!/usr/bin/python
# -*- encoding: UTF-8 -*-
###
## @package
##
## @author CFC4N <cfc4nphp@gmail.com>
## @copyright (c) www.cnxct.com
## @version $Id$
###
import os
import sys
import re
import time

def listdir(dirs, liston='0'):
    # Findings are appended to check_php_shell.log in the current working directory.
    flog = open(os.getcwd() + "/check_php_shell.log", "a+")
    if not os.path.isdir(dirs):
        print("directory %s does not exist" % dirs)
        flog.close()
        return
    for name in os.listdir(dirs):
        filepath = os.path.join(dirs, name)
        if os.path.isdir(filepath):
            if liston == '1':   # '1' = recurse into subfolders
                listdir(filepath, '1')
        elif os.path.isfile(filepath):
            filename = os.path.basename(filepath)
            # Only .php, .inc, .htm and .html files are scanned, line by line.
            if re.search(r"\.(?:php|inc|html?)$", filename, re.IGNORECASE):
                i = 0       # current line number
                iname = 0   # hits in this file so far; the first hit prints the file header
                f = open(filepath)
                while True:
                    file_contents = f.readline()
                    if not file_contents:
                        break
                    i += 1
                    # 1. include/require of a file whose name does not end in .php or .inc
                    match = re.search(r'''(?P<function>\b(?:include|require)(?:_once)?\b)\s*\(?\s*["'](?P<filename>[^;]*(?<!\.(?:php|inc)))["']\)?\s*;''', file_contents, re.IGNORECASE | re.MULTILINE)
                    if match:
                        function = match.group("function")
                        filename = match.group("filename")
                        if iname == 0:
                            info = '\n[%s]:\n' % (filepath)
                        else:
                            info = ''
                        info += '\t|--[%s]-[%s] line [%d]\n' % (function, filename, i)
                        flog.write(info)
                        print(info)
                        iname += 1
                    # 2. direct calls to code- or command-execution functions (assert, fwrite
                    #    and create_function added in this version)
                    match = re.search(r'\b(?P<function>eval|proc_open|popen|shell_exec|exec|passthru|system|assert|fwrite|create_function)\b\s*\(', file_contents, re.IGNORECASE | re.MULTILINE)
                    if match:
                        function = match.group("function")
                        if iname == 0:
                            info = '\n[%s]:\n' % (filepath)
                        else:
                            info = ''
                        info += '\t|--[%s] line [%d]\n' % (function, i)
                        flog.write(info)
                        print(info)
                        iname += 1
                    # 3. backtick command at line start or right after a ';', closed by a ';'
                    match = re.search(r'(^|(?<=;))\s*`(?P<shell>[^`]+)`\s*;', file_contents, re.IGNORECASE)
                    if match:
                        shell = match.group("shell")
                        if iname == 0:
                            info = '\n[%s]:\n' % (filepath)
                        else:
                            info = ''
                        info += '\t|--[``] command is [%s] in line [%d]\n' % (shell, i)
                        flog.write(info)
                        print(info)
                        iname += 1
                    # 4. $_POST[...](...), $_GET[...](...) or $_REQUEST[...](...): request data used as a function name
                    match = re.search(r'(?P<shell>\$_(?:POS|GE|REQUES)T)\s*\[[^\]]+\]\s*\(', file_contents, re.IGNORECASE)
                    if match:
                        shell = match.group("shell")
                        if iname == 0:
                            info = '\n[%s]:\n' % (filepath)
                        else:
                            info = ''
                        info += '\t|--[%s][...]() variable-function call in line [%d]\n' % (shell, i)
                        flog.write(info)
                        print(info)
                        iname += 1
                f.close()
    flog.close()

if '__main__' == __name__:
    argvnum = len(sys.argv)
    liston = '0'
    if argvnum == 1:
        action = os.path.basename(sys.argv[0])
        print("Usage:\n%s D:\\wwwroot\n%s D:\\wwwroot 1   (1 = recurse into subfolders)" % (action, action))
        sys.exit()
    elif argvnum == 2:
        path = os.path.realpath(sys.argv[1])
        listdir(path, liston)
    else:
        liston = sys.argv[2]
        path = os.path.realpath(sys.argv[1])
        listdir(path, liston)
    flog = open(os.getcwd() + "/check_php_shell.log", "a+")
    ISOTIMEFORMAT = '%Y-%m-%d %X'
    now_time = time.strftime(ISOTIMEFORMAT, time.localtime())
    flog.write("\n----------------------%s checked-------------------\n" % (now_time))
    flog.close()
