PHP Web木马扫描器代码 v1.0 安全测试工具
scanner.php <?php if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))) { echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: 密码: '; } elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)) { setcookie("t00ls",$md5,time()+606024365,"/"); echo "登陆成功!"; header( 'refresh: 1; url='.MYFILE.'?action=scan' ); exit(); } else { setcookie("t00ls","/"); $setting = getSetting(); $action = isset($_GET['action'])?$_GET['action']:""; if($action=="logout") { setcookie ("t00ls","",time() - 3600); Header("Location: ".MYFILE); exit(); } if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="") { $file = $_GET['file']; ob_clean(); if (@file_exists($file)) { header("Content-type: application/octet-stream"); header("Content-Disposition: filename="".basename($file)."""); echo file_get_contents($file); } exit(); } ?> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tr class="head"> <td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "$version"?></td> </tr> <tr class="alt1"> <td><span style="float: right;"><?=date("Y-m-d H:i:s",mktime())?> <a href="?action=scan">扫描 | <a href="?action=setting">设定 | <a href="?action=logout">登出 </td> </tr> </table> <?php if($action=="setting") { if(isset($_POST['btnsetting'])) { $Ssetting = array(); $Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml"; $Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0; $Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0; setcookie("t00ls_s",base64_encode(serialize($Ssetting)),"/"); echo "设置完成!"; header( 'refresh: 1; url='.MYFILE.'?action=setting' ); exit(); } ?> <form name="frmSetting" method="post" action="?action=setting"> <FIELDSET style="width:400px"> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="60">文件后缀:</td> <td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td> </tr> <tr> <td><label for="checkall">所有文件</td> <td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td> </tr> <tr> <td><label for="checkhta">设置文件</td> <td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td> </tr> <tr> <td></td> <td> <input type="submit" name="btnsetting" id="btnsetting" value="提交"> </td> </tr> </table> <?php } else { $dir = isset($_POST['path'])?$_POST['path']:MYPATH; $dir = substr($dir,-1)!="/"?$dir."/":$dir; ?> <form name="frmScan" method="post" action=""> <table width="100%%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="35" style="vertical-align:middle; padding-left:5px;">扫描路径:</td> <td width="690"> <input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>"> <input type="submit" name="btnScan" id="btnScan" value="开始扫描"></td> </tr> </table> <?php if(isset($_POST['btnScan'])) { $start=mktime(); $is_user = array(); $is_ext = ""; $list = ""; if(trim($setting['user'])!="") { $is_user = explode("|",$setting['user']); if(count($is_user)>0) { foreach($is_user as $key=>$value) $is_user[$key]=trim(str_replace("?","(.)",$value)); $is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))"; } } if($setting['hta']==1) { $is_hta=1; $is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext; $is_ext.="(^.htaccess$)"; } if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0)) { $is_ext="(.+)"; } $php_code = getCode(); if(!is_readable($dir)) $dir = MYPATH; $count=$scanned=0; scan($dir,$is_ext); $end=mktime(); $spent = ($end - $start); ?> <div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件 | 发现: <?php echo $count?> 可疑文件 | 耗时: <?php echo $spent?> 秒 <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr class="head"> <td width="15" align="center">No.</td> <td width="48%">文件</td> <td width="12%">更新时间</td> <td width="10%">原因</td> <td width="20%">特征</td> <td>动作</td> </tr> <?php echo $list?> </table> <?php } } } ob_flush(); ?> <?php function scan($path = '.',$is_ext){ global $php_code,$count,$scanned,$list; $ignore = array('.','..' ); $replace=array(" ","n","r","t"); $dh = @opendir( $path ); while(false!==($file=readdir($dh))){ if( !in_array( $file,$ignore ) ){ if( is_dir( "$path$file" ) ){ scan("$path$file/",$is_ext); } else { $current = $path.$file; if(MYFULLPATH==$current) continue; if(!preg_match("/$is_ext/i",$file)) continue; if(is_readable($current)) { $scanned++; $content=file_get_contents($current); $content= str_replace($replace,$content); foreach($php_code as $key => $value) { if(preg_match("/$value/i",$content)) { $count++; $j = $count % 2 + 1; $filetime = date('Y-m-d H:i:s',filemtime($current)); $reason = explode("->",$key); $url = str_replace(REALPATH,HOST,$current); preg_match("/$value/i",$content,$arr); $list.=" <td>$count</td> <td>$current</td> <td>$filetime</td> <td>$reason[0]</td> <td>$reason[1]</td> <td>下载</td> </tr>"; //echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ." "; //echo $path . $file ." "; break; } } } } } } closedir( $dh ); } function getSetting() { $Ssetting = array(); if(isset($_COOKIE['t00ls_s'])) { $Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s'])); $Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml"; $Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0; $Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1; } else { $Ssetting['user']="php | php? | phtml | shtml"; $Ssetting['all']=0; $Ssetting['hta']=1; setcookie("t00ls_s","/"); } return $Ssetting; } function getCode() { return array( '后门特征->cha88.cn'=>'cha88.cn', '后门特征->c99shell'=>'c99shell', '后门特征->phpspy'=>'phpspy', '后门特征->Scanners'=>'Scanners', '后门特征->cmd.php'=>'cmd.php', '后门特征->str_rot13'=>'str_rot13', '后门特征->webshell'=>'webshell', '后门特征->EgY_SpIdEr'=>'EgY_SpIdEr', '后门特征->tools88.com'=>'tools88.com', '后门特征->SECFORCE'=>'SECFORCE', '后门特征->eval("?>'=>'eval(('|")?>', '可疑代码特征->system('=>'system(', '可疑代码特征->passthru('=>'passthru(', '可疑代码特征->shell_exec('=>'shell_exec(', '可疑代码特征->exec('=>'exec(', '可疑代码特征->popen('=>'popen(', '可疑代码特征->proc_open'=>'proc_open', '可疑代码特征->eval($'=>'eval(('|"|s)$', '可疑代码特征->assert($'=>'assert(('|"|s)$', '危险MYSQL代码->returns string soname'=>'returnsstringsoname', '危险MYSQL代码->into outfile'=>'intooutfile', '危险MYSQL代码->load_file'=>'select(s+)(.)load_file', '加密后门特征->eval(gzinflate('=>'eval(gzinflate(', '加密后门特征->eval(base64_decode('=>'eval(base64_decode(', '加密后门特征->eval(gzuncompress('=>'eval(gzuncompress(', '加密后门特征->eval(gzdecode('=>'eval(gzdecode(', '加密后门特征->eval(str_rot13('=>'eval(str_rot13(', '加密后门特征->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(', '加密后门特征->base64_decode(gzuncompress('=>'base64decode(gzuncompress(', '一句话后门特征->eval($'=>'eval(('|"|s)$(POST|GET|REQUEST|COOKIE)', '一句话后门特征->assert($'=>'assert(('|"|s)$(POST|GET|REQUEST|COOKIE)', '一句话后门特征->require($'=>'require(('|"|s)$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->requireonce($'=>'require_once(('|"|s)$(POST|GET|REQUEST|COOKIE)', '一句话后门特征->include($'=>'include(('|"|s)$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->includeonce($'=>'include_once(('|"|s)$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->call_user_func("assert"'=>'call_user_func(("|')assert("|')', '一句话后门特征->call_userfunc($'=>'call_userfunc(('|"|s*)$(POST|GET|REQUEST|COOKIE)', '一句话后门特征->$_POST/GET/REQUEST/COOKIE?,('|"|s*)$_(POST|GET|REQUEST|COOKIE)[', '.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication/x-httpd-php', '.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file', '.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file' ); } ?> 一个在php环境下扫描php木马的工具,目前可扫出以下特征码 <div class="codetitle"><a style="CURSOR: pointer" data="20682" class="copybut" id="copybut20682" onclick="doCopy('code20682')"> 代码如下:<div class="codebody" id="code20682"> 特征码: 后门特征->cha88.cn 后门特征->c99shell 后门特征->phpspy 后门特征->Scanners 后门特征->cmd.php 后门特征->str_rot13 后门特征->webshell 后门特征->EgY_SpIdEr 后门特征->tools88.com 后门特征->SECFORCE 后门特征->eval("?> 可疑代码特征->system( 可疑代码特征->passthru( 可疑代码特征->shell_exec( 可疑代码特征->exec( 可疑代码特征->popen( 可疑代码特征->proc_open 可疑代码特征->eval($ 可疑代码特征->assert($ 危险MYSQL代码->returns string soname 危险MYSQL代码->into outfile 危险MYSQL代码->load_file 加密后门特征->eval(gzinflate( 加密后门特征->eval(base64_decode( 加密后门特征->eval(gzuncompress( 加密后门特征->gzuncompress(base64_decode( 加密后门特征->base64decode(gzuncompress( 一句话后门特征->eval($ 一句话后门特征->assert($ 一句话后门特征->require($ 一句话后门特征->requireonce($ 一句话后门特征->include($_ 一句话后门特征->includeonce($ 一句话后门特征->call_user_func("assert" 一句话后门特征->call_userfunc($ 一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?] 一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE 上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE 上传后门特征->fputs(fopen("?",$_POST/GET/REQUEST/COOKIE[ .htaccess插马特征->SetHandler application/x-httpd-php .htaccess插马特征->php_value auto_prepend_file .htaccess插马特征->php_value auto_append_file 懒惰设计,直接套用phpspy样式 注意: 扫描出来的文件并不一定就是后门,请自行判断、审核、对比原文件。 (编辑:安卓应用网) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |