PHP Web木馬スキャナーコードv 1.0セキュリティテストツール

17958 ワード

scanner.php
 
  
/**************PHP Web ************************/
/* [+] : alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: [email protected] */
/* [+] : t00ls.net , t00ls */
/* [+] : v1.0 */
/* [+] : web php */
/* [+] : , */
/* 、 、 。 */
/* , */
/* 。 */
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "t00ls"; //
$password = "t00ls"; //
$md5 = md5(md5($username).md5($password));
$version = "PHP Web v1.0";
$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('\\', '/', (__FILE__)));
define('HOST', "http://".$_SERVER['HTTP_HOST']);
?>


<?php echo $version??>




if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
echo '
: :
';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo " !";
header( 'refresh: 1; url='.MYFILE.'?action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting();
$action = isset($_GET['action'])?$_GET['action']:"";
if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600);
Header("Location: ".MYFILE);
exit();
}
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"".basename($file)."\"");
echo file_get_contents($file);
}
exit();
}
?>







$version"?>
=date("Y-m-d H:i:s",mktime())?>
スキャン |
|
ログアウト



if($action=="setting")
{
if(isset($_POST['btnsetting']))
{
$Ssetting = array();
$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
echo " !";
header( 'refresh: 1; url='.MYFILE.'?action=setting' );
exit();
}
?>




















:
>
>
 




}
else
{
$dir = isset($_POST['path'])?$_POST['path']:MYPATH;
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>






:

  


if(isset($_POST['btnScan']))
{
$start=mktime();
$is_user = array();
$is_ext = "";
$list = "";
if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
if(count($is_user)>0)
{
foreach($is_user as $key=>$value)
$is_user[$key]=trim(str_replace("?","(.)",$value));
$is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
}
}
if($setting['hta']==1)
{
$is_hta=1;
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
$is_ext.="(^\.htaccess$)";
}
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}
$php_code = getCode();
if(!is_readable($dir))
$dir = MYPATH;
$count=$scanned=0;
scan($dir,$is_ext);
$end=mktime();
$spent = ($end - $start);
?>
: | : | :











No.

}
}
}
ob_flush();
?>


function scan($path = '.',$is_ext){
global $php_code,$count,$scanned,$list;
$ignore = array('.', '..' );
$replace=array(" ","
","\r","\t");
$dh = @opendir( $path );
while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(MYFULLPATH==$current) continue;
if(!preg_match("/$is_ext/i",$file)) continue;
if(is_readable($current))
{
$scanned++;
$content=file_get_contents($current);
$content= str_replace($replace,"",$content);
foreach($php_code as $key => $value)
{
if(preg_match("/$value/i",$content))
{
$count++;
$j = $count % 2 + 1;
$filetime = date('Y-m-d H:i:s',filemtime($current));
$reason = explode("->",$key);
$url = str_replace(REALPATH,HOST,$current);
preg_match("/$value/i",$content,$arr);
$list.="

$count
$current
$filetime
$reason[0]
$reason[1]
ダウンロード
";
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."
";
//echo $path . $file ."
";
break;
}
}
}
}
}
}
closedir( $dh );
}
function getSetting()
{
$Ssetting = array();
if(isset($_COOKIE['t00ls_s']))
{
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
}
else
{
$Ssetting['user']="php | php? | phtml | shtml";
$Ssetting['all']=0;
$Ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
}
return $Ssetting;
}
function getCode()
{
return array(
' ->cha88.cn'=>'cha88\.cn',
' ->c99shell'=>'c99shell',
' ->phpspy'=>'phpspy',
' ->Scanners'=>'Scanners',
' ->cmd.php'=>'cmd\.php',
' ->str_rot13'=>'str_rot13',
' ->webshell'=>'webshell',
' ->EgY_SpIdEr'=>'EgY_SpIdEr',
' ->tools88.com'=>'tools88\.com',
' ->SECFORCE'=>'SECFORCE',
' ->eval("?>'=>'eval\((\'|")\?>',
' ->system('=>'system\(',
' ->passthru('=>'passthru\(',
' ->shell_exec('=>'shell_exec\(',
' ->exec('=>'exec\(',
' ->popen('=>'popen\(',
' ->proc_open'=>'proc_open',
' ->eval($'=>'eval\((\'|"|\s*)\\$',
' ->assert($'=>'assert\((\'|"|\s*)\\$',
' MYSQL ->returns string soname'=>'returnsstringsoname',
' MYSQL ->into outfile'=>'intooutfile',
' MYSQL ->load_file'=>'select(\s+)(.*)load_file',
' ->eval(gzinflate('=>'eval\(gzinflate\(',
' ->eval(base64_decode('=>'eval\(base64_decode\(',
' ->eval(gzuncompress('=>'eval\(gzuncompress\(',
' ->eval(gzdecode('=>'eval\(gzdecode\(',
' ->eval(str_rot13('=>'eval\(str_rot13\(',
' ->gzuncompress(base64_decode('=>'gzuncompress\(base64_decode\(',
' ->base64_decode(gzuncompress('=>'base64_decode\(gzuncompress\(',
' ->eval($_'=>'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->assert($_'=>'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->require($_'=>'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->require_once($_'=>'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->include($_'=>'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->include_once($_'=>'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->call_user_func("assert"'=>'call_user_func\(("|\')assert("|\')',
' ->call_user_func($_'=>'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
' ->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' ->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
'.htaccess ->SetHandler application/x-httpd-php'=>'SetHandlerapplication\/x-httpd-php',
'.htaccess ->php_value auto_prepend_file'=>'php_valueauto_prepend_file',
'.htaccess ->php_value auto_append_file'=>'php_valueauto_append_file'
);
}
?>

php環境でphp木馬をスキャンするツールで、現在以下の特徴コードをスキャンすることができます.
 
  

->cha88.cn
->c99shell
->phpspy
->Scanners
->cmd.php
->str_rot13
->webshell
->EgY_SpIdEr
->tools88.com
->SECFORCE
->eval("?>
->system(
->passthru(
->shell_exec(
->exec(
->popen(
->proc_open
->eval($
->assert($
MYSQL ->returns string soname
MYSQL ->into outfile
MYSQL ->load_file
->eval(gzinflate(
->eval(base64_decode(
->eval(gzuncompress(
->gzuncompress(base64_decode(
->base64_decode(gzuncompress(
->eval($_
->assert($_
->require($_
->require_once($_
->include($_
->include_once($_
->call_user_func("assert"
->call_user_func($_
->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]
->echo(file_get_contents($_POST/GET/REQUEST/COOKIE
->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE
->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[
.htaccess ->SetHandler application/x-httpd-php
.htaccess ->php_value auto_prepend_file
.htaccess ->php_value auto_append_file

怠惰なデザイン、直接phpspyスタイル
注意:スキャンされたファイルは必ずしもバックドアではありません.自分で判断し、審査し、元のファイルを比較してください.