本文实例讲述了PHP实现webshell扫描文件木马的方法。分享给大家供大家参考,具体如下:
可扫描 weevelyshell 生成 或加密的shell 及各种变异webshell
支持扫描 weevelyshell 生成 或加密的shell 支持扫描callback一句话shell 支持各种PHP大马
rush:PHP;">
<a href="https://www.jb51.cc/tag/PHP/" target="_blank" class="keywords">PHP</a> web shell scan
invoke\(/is','/PDO::FETCH_FUNC/','/\$\w+.*\s?(?:=|->)\s?.*?[\'\"]assert[\'\"]\)?/i','/\$\w+->(?:sqlite)?createFunction\(.*?\)/i','/eval\([\"\']?\\\?\$\w+\s?=\s?.*?\)/i','/eval\(.*?gzinflate\(base64_decode\(/i','/copy\(\$HTTP_POST_FILES\[\'\w+\'\]\s?\[\'tmp_name\'\]/i','/register_(?:shutdown|tick)_function\s?\(\$\w+,\s\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\]\)/is','/register_(?:shutdown|tick)_function\s?\(?[\'\"]assert[\"\'].*?\)/i','/call_user_func.*?\([\"|\']assert[\"|\'],.*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[\'|\"].*\]\)+/is','/preg_replace\(.*?e.*?\'\s?,\s?.*?\w+\(.*?\)/i','/function_exists\s*\(\s*[\'|\"](popen|exec|proc_open|system|passthru)+[\'|\"]\s*\)/i','/(exec|shell_exec|system|passthru)+\s*\(\s*\$_(\w+)\[(.*)\]\s*\)/i','/(exec|shell_exec|system|passthru)+\s*\(\$\w+\)/i','/(exec|shell_exec|system|passthru)\s?\(\w+\(\"http_.*\"\)\)/i','/(?:john\.barker446@gmail\.com|xb5@hotmail\.com|shopen@aventgrup\.net|milw0rm\.com|www\.aventgrup\.net|mgeisler@mgeisler\.net)/i','/PHP\s*?Shell/i','/((udp|tcp)\:\/\/(.*)\;)+/i','/preg_replace\s*\((.*)\/e(.*)\,\s*\$_(.*)\,(.*)\)/i','/preg_replace\s*\((.*)\(base64_decode\(\$/i','/(eval|assert|include|require|include_once|require_once)+\s*\(\s*(base64_decode|str_rot13|gz(\w+)|file_(\w+)_contents|(.*)PHP\:\/\/input)+/i','/(eval|assert|include|require|include_once|require_once|array_map|array_walk)+\s*\(.*?\$_(?:GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i','/eval\s*\(\s*\(\s*\$\$(\w+)/i','/((?:include|require|include_once|require_once)+\s*\(?\s*[\'|\"]\w+\.(?!PHP).*[\'|\"])/i','/\$_(\w+)(.*)(eval|assert|include|require|include_once|require_once)+\s*\(\s*\$(\w+)\s*\)/i','/\(\s*\$_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i','/(fopen|fwrite|fputs|file_put_contents)+\s*\((.*)\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i','/echo\s*curl_exec\s*\(\s*\$(\w+)\s*\)/i','/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i','/\$(.*)\s*\((.*)\/e(.*)\,'/\$_\=(.*)\$_/i','/\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i','/\$(\w+)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i','/\$(\w+)\s*\(\s*\$\{(.*)\}/i','/\$(\w+)\s*\(\s*chr\(\d+\)/i'
);
function antivirus($dir,$exs,$matches) {
if(($handle = @opendir($dir)) == NULL) return false;
while(false !== ($name = readdir($handle))) {
if($name == '.' || $name == '..') continue;
$path = $dir.$name;
if(strstr($name,SELF)) continue;
//$path=iconv("UTF-8","gb2312",$path);
if(is_dir($path)) {
//chmod($path,0777);/*主要针对一些0111的目录*/
if(is_readable($path)) antivirus($path.'/',$matches);
} elseif(strpos($name,';') > -1 || strpos($name,'%00') > -1 || strpos($name,'/') > -1) {
echo '特征
'; flush(); ob_flush();
}
else {
if(!preg_match($exs,$name)) continue;
if(filesize($path) > 10000000) continue;
$fp = fopen($path,'r');
$code = fread($fp,filesize($path));
fclose($fp);
if(empty($code)) continue;
if(weevelyshell($path)){
echo '特征 
