Grep (global search regular expression and print out the line) is a powerful text search tool: it searches text with regular expressions and prints the matching lines.
Unix grep families include grep, egrep, and fgrep.
Using the grep command, we can find common vulnerabilities, webshells, and other malicious files.
The grep version used in this article is 2.9. If you use a grep lower than 2.5.4, some commands in this article may not work properly.
You can use grep -V or grep --version to determine the version.
You can also use grep --help to view more information. For example:
Common Methods for discovering vulnerabilities:
Most web application vulnerabilities arise because insecure functions are called on input that has not been filtered. For example, command injection and remote code execution occur when parameters passed by the client reach a function that executes them; shell_exec is a common one.
We can use the grep command to search the source tree for calls to shell_exec, as shown below:
grep -Rn "shell_exec *(" /var/www
Another example: include, require, include_once and require_once may lead to local file inclusion vulnerabilities.
We can use grep to find where these functions appear and then examine each occurrence, as shown below:
grep -Rn "include *(" /var/www
grep -Rn "require *(" /var/www
grep -Rn "include_once *(" /var/www
grep -Rn "require_once *(" /var/www
The above two simple examples can serve as a reference for white-box vulnerability hunting. The following describes how to find webshells and other malicious files:
Common webshells share certain functionality, such as executing commands, downloading files, editing files and opening back-connect (reverse) connections.
Besides the common shell_exec, base64_decode and eval, there are other signatures: phpspy2006 contains strings such as "Version: 2006" and "proxycontents", and phpspy2008 contains "phpspypass", "goaction('backconnect" and so on.
There are also some common features:
phpinfo
system
php_uname
chmod
fopen
fclose
readfile
edoced_46esab
passthru
We can use grep to search for files containing these functions, as shown below:
grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www
grep -Rn "passthru *(" /var/www
Of course, these can be combined into a command, as shown below:
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www
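The combined command above, as an added example that is not part of the original article: it wraps the same alternation in a small scan over a constructed PHP tree, and adds a second grep for the string markers the article names (the phpspy strings and edoced_46esab, which is base64_decode reversed and therefore sits in a quoted literal that the " *\(" pattern never matches). The fixture files, the directory layout and the marker list are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): the article's combined grep,
# rewritten as a scan over a constructed PHP tree, plus a second grep for the
# string markers the article lists (phpspy markers, reversed base64_decode).

# Function-call pattern: ERE instead of -P so it runs on any grep; a leading
# boundary group avoids false hits such as "retrieval(" or "mysystem(", and
# " *\(" still tolerates spaces between the name and the parenthesis.
CALLS='(^|[^[:alnum:]_])(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\('
# String markers: a reversed "base64_decode" sits in a quoted literal, not a
# call, so the " *\(" requirement above never matches it; grep it separately.
MARKERS='(edoced_46esab|phpspypass|goaction|backconnect|proxycontents)'

# grep_php DIR PATTERN: file:line:text hits in *.php files only. -i because PHP
# function names are case-insensitive; /dev/null forces the "file:" prefix.
grep_php() {
    find "$1" -type f -name '*.php' -exec grep -Ein "$2" /dev/null {} + | sort
}
scan_calls()    { grep_php "$1" "$CALLS"; }
scan_markers()  { grep_php "$1" "$MARKERS"; }
count_calls()   { scan_calls "$1"   | wc -l | tr -d ' '; }
count_markers() { scan_markers "$1" | wc -l | tr -d ' '; }

# make_fixture DIR: constructed sample tree, not a real application.
make_fixture() {
    mkdir -p "$1/lib" "$1/uploads"
    # benign pages: an include without parentheses and a harmless helper
    printf '<?php\ninclude "lib/header.php";\necho "hello";\n' > "$1/index.php"
    printf '<?php\nfunction header_html() { return "<h1>Site</h1>"; }\n' > "$1/lib/header.php"
    # suspicious upload: reversed name in a string, spaced call, eval
    printf '<?php\n$f = strrev("edoced_46esab");\nsystem ($cmd);\neval($f($p));\n' \
        > "$1/uploads/avatar.php"
    # same content with a non-PHP extension is outside this scan's scope
    cp "$1/uploads/avatar.php" "$1/uploads/notes.txt"
}

demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    scan_calls "$d"
    scan_markers "$d"
    echo "call hits: $(count_calls "$d"), marker hits: $(count_markers "$d")"
    rm -rf "$d"
}
demo
```

On the fixture the call scan reports two lines (system and eval in uploads/avatar.php) and the marker scan one; extending the scan to *.phtml or *.inc files is a matter of adding -name clauses to the find.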
Original article: http://www.freebuf.com/articles/4074.html