
PHP Web木马扫描器代码 v10 安全测试工具


scanner.php



/**************PHP Web木马扫描器************************/
/* [+] 作者: alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: weeming21@hotmail.com */
/* [+] 首发: t00ls.net , 转载请注明t00ls */
/* [+] 版本: v1.0 */
/* [+] 功能: web版php木马扫描工具 */
/* [+] 注意: 扫描出来的文件并不一定就是后门, */
/* 请自行判断、审核、对比原文件。 */
/* 如果你不确定扫出来的文件是否为后门, */
/* 欢迎你把该文件发给我进行分析。 */
/*******************************************************/
// Buffer all output so the header()/setcookie() calls that follow an echo (login, logout, settings) still work.
ob_start();
// No execution time limit: the recursive directory scan can run for a long time.
set_time_limit(0);
// Hard-coded default credentials; change both before deploying. Anyone who can log in can read any file
// the web server process can read (see the "download" action) and scan any readable directory.
$username = "t00ls"; // username
$password = "t00ls"; // password
// Unsalted, fast MD5 of the credentials. The same value is stored verbatim in the login cookie, so it is
// password-equivalent: leaking either the cookie or this hash grants access until the credentials change.
$md5 = md5(md5($username).md5($password));
$version = "PHP Web木马扫描器 v1.0";
// Filesystem directory the script runs from.
$realpath = realpath('./');
// URL path of the script's directory. PHP_SELF is derived from the request, so this depends on how the server maps it.
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
// Document root guessed by cutting the URL path's length off the end of the filesystem path; only correct when
// the script's URL path mirrors its on-disk path below the document root. Used to turn file paths into links.
define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__)); // script name, used in redirects and links
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/'); // this script's directory with a trailing "/"; the default scan root
define('MYFULLPATH', str_replace('\\', '/', (__FILE__))); // this script's own path, skipped by scan() so its own signature table is not reported
// Built from the client-supplied Host header. It is only used to build links to flagged files,
// so a forged Host header only affects those links.
define('HOST', "http://".$_SERVER['HTTP_HOST']);
?>


<?php echo $version?>




// Authentication gate. Both checks compare MD5 hex strings with "==": PHP's loose comparison treats strings that
// look numeric (e.g. "0e123...") as numbers, so two different hashes of that form compare equal.
// A strict, constant-time compare (hash_equals()) is the appropriate replacement for both "==" below.
if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
// Not authenticated: show the login form (its markup is not preserved in this listing).
echo '
用户名: 密码:
';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
// Credentials posted and correct. The cookie holds the static credential hash itself for one year, without
// HttpOnly/Secure flags and with no server-side session, so it cannot be revoked except by changing the credentials.
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo "登陆成功!";
// Sending a header after echo only works because of ob_start() at the top of the file.
header( 'refresh: 1; url='.MYFILE.'?action=scan' );
exit();
}
else
{
// Already authenticated via cookie: the cookie is re-issued on every request, extending its lifetime by another year.
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting(); // scan options, read from a second (unserialize()d) cookie
$action = isset($_GET['action'])?$_GET['action']:"";
if($action=="logout")
{
// Clearing the cookie only removes it from this browser; a copied cookie value stays valid (see above).
setcookie ("t00ls", "", time() - 3600);
Header("Location: ".MYFILE);
exit();
}
// "download" serves the file named in ?file= so a flagged file can be fetched for review. The path is not
// restricted to the scanned directory (or the document root): any file the web server process can read is
// returned, so this action is an arbitrary file read for anyone holding the cookie.
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
$file = $_GET['file'];
ob_clean(); // discard the page header already buffered so only the file body is sent
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
// No "attachment;" disposition type, so browsers may render the content inline instead of saving it.
header("Content-Disposition: filename=\"".basename($file)."\"");
echo file_get_contents($file);
}
exit();
}
?>







$version"?>
=date("Y-m-d H:i:s",mktime())?>
扫描 |
设定 |
登出



// Settings page. The options are persisted client-side in a base64(serialize()) cookie, which getSetting()
// unserialize()s on every authenticated request; the cookie is therefore attacker-writable input to unserialize().
if($action=="setting")
{
if(isset($_POST['btnsetting']))
{
$Ssetting = array();
// Pipe-separated extension list, stored unvalidated; the scan builds a regular expression from it (only "?" is rewritten).
// Note that the default here ("php | php? | phtml") lacks the "shtml" entry getSetting() uses as its default.
$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0; // 1 = scan every file regardless of extension
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0; // 1 = also scan .htaccess files
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
echo "设置完成!";
header( 'refresh: 1; url='.MYFILE.'?action=setting' );
exit();
}
?>


扫描设定

















文件后缀:
>
>
 




}
else
{
// Scan root comes straight from the form; any directory readable by the web server can be named
// (the only later check is is_readable(), which falls back to this script's directory).
$dir = isset($_POST['path'])?$_POST['path']:MYPATH;
// scan() concatenates "$path$file", so the root must end with "/".
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>






扫描路径:

  


if(isset($_POST['btnScan']))
{
$start=mktime(); // mktime() without arguments is a deprecated alias for time()
$is_user = array();
$is_ext = ""; // file-name filter, assembled as a PCRE fragment that scan() interpolates into "/$is_ext/i"
$list = ""; // result rows appended by scan()
if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
// explode() returns at least one element, so this condition is always true.
if(count($is_user)>0)
{
// "?" becomes the single-character wildcard "(.)" (so "php?" matches .php3, .phps but also .phpx). Nothing else is
// escaped, so any other regex metacharacter in the cookie-backed setting reaches PCRE as-is; it is authenticated
// input, but a malformed entry breaks or slows every preg_match() in the scan.
foreach($is_user as $key=>$value)
$is_user[$key]=trim(str_replace("?","(.)",$value));
// Each entry becomes "(\.ext($|\.))": the extension must end the name or be followed by another dot,
// so double extensions such as "x.php.jpg" are included.
$is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
}
}
if($setting['hta']==1)
{
$is_hta=1; // not read anywhere in this listing
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
$is_ext.="(^\.htaccess$)"; // exact-name match for .htaccess
}
// "scan all" (or an empty filter) matches every file name.
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}
$php_code = getCode(); // signature table, read by scan() through "global"
if(!is_readable($dir))
$dir = MYPATH; // unreadable root: silently scan this script's directory instead
$count=$scanned=0; // flagged / examined file counters, updated by scan() through "global"
scan($dir,$is_ext);
$end=mktime();
$spent = ($end - $start); // whole seconds
?>
扫描: 文件 | 发现: 可疑文件 | 耗时:











No. 文件 更新时间 原因 特征 动作

}
}
}
ob_flush();
?>


// Recursively walks $path (expected to end with "/"), applies the case-insensitive PCRE fragment $is_ext to each
// file name and the signature table in $php_code to each matching file's contents. Flagged files are appended
// as rows to $list; $scanned / $count are incremented through "global".
// An optional parameter ($path) before a required one ($is_ext) is deprecated since PHP 8.0.
function scan($path = '.',$is_ext){
global $php_code,$count,$scanned,$list;
$ignore = array('.', '..' );
$replace=array(" ","\n","\r","\t"); // whitespace to strip from file contents before matching (see the truncated lines below)
$dh = @opendir( $path ); // failure is not checked: readdir(false) warns on PHP 7 and throws a TypeError on PHP 8
while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
// Directories are recursed into. is_dir() follows symlinks and there is no visited-set, so a symlink loop
// would recurse without bound.
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(MYFULLPATH==$current) continue; // skip this scanner itself: its own key strings contain the very text it looks for
if(!preg_match("/$is_ext/i",$file)) continue; // $is_ext is interpolated unescaped into the pattern
if(is_readable($current))
{
$scanned++;
// NOTE(review): the next two lines are truncated in this listing; from the later use of $content and $replace
// they presumably read $current into $content and strip the $replace whitespace -- confirm against the original.
$c
$c
foreach($php_code as $key => $value)
{
if(preg_match("/$value/i",$content))
{
$count++;
$j = $count % 2 + 1; // alternating row style (the markup using it is not preserved in this listing)
$filetime = date('Y-m-d H:i:s',filemtime($current));
$reason = explode("->",$key); // key format is "category->label"
$url = str_replace(REALPATH,HOST,$current); // HTTP URL of the flagged file; only correct when REALPATH really is the document root
preg_match("/$value/i",$content,$arr); // captures the matched text in $arr (only used by the commented-out echo below)
// Result row; the surrounding markup (including the download link) is not preserved in this listing.
$list.="
$current
$filetime
$reason[0]
$reason[1]
下载
";
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."
";
//echo $path . $file ."
";
break; // one hit per file: only the first matching signature is reported
}
}
}
}
}
}
closedir( $dh );
}
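/**
 * Reads the scan options ("user" extension list, "all" flag, "hta" flag) from the t00ls_s cookie,
 * filling in defaults for anything missing, or sets the cookie to the defaults when it is absent.
 *
 * The cookie is base64(serialize(array)) written by the settings form and is fully client-controlled, so it
 * is unserialize()d with allowed_classes disabled (no object instantiation from cookie data) and anything
 * that does not decode to an array is treated as "no usable cookie" and replaced by the defaults.
 *
 * @return array{user: string, all: int, hta: int} plus any extra keys a well-formed cookie carried
 */
function getSetting()
{
    $defaults = array('user' => "php | php? | phtml | shtml", 'all' => 0, 'hta' => 1);
    if(!isset($_COOKIE['t00ls_s']))
    {
        // First visit: persist the defaults for a year (same lifetime as the login cookie).
        setcookie("t00ls_s", base64_encode(serialize($defaults)), time()+60*60*24*365,"/");
        return $defaults;
    }
    // "@" only mutes the E_NOTICE unserialize() raises on malformed input; the result is checked right below.
    $Ssetting = @unserialize(base64_decode($_COOKIE['t00ls_s']), array('allowed_classes' => false));
    if(!is_array($Ssetting))
    {
        // Tampered, truncated or object-carrying cookie: ignore it and use the defaults.
        return $defaults;
    }
    // "user" feeds explode()/str_replace() in the scan, so it must be a string.
    if(!isset($Ssetting['user']) || !is_string($Ssetting['user']))
        $Ssetting['user'] = $defaults['user'];
    $Ssetting['all'] = isset($Ssetting['all']) ? intval($Ssetting['all']) : $defaults['all'];
    $Ssetting['hta'] = isset($Ssetting['hta']) ? intval($Ssetting['hta']) : $defaults['hta'];
    return $Ssetting;
}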
/**
 * Signature table used by scan().
 *
 * Keys are "category->label" (scan() splits them on "->" when reporting a hit); values are case-insensitive
 * PCRE fragments that scan() interpolates into "/.../i", so a "/" inside a value must be escaped. Several
 * values contain no spaces ("intooutfile", "SetHandlerapplication\/x-httpd-php"), presumably because the file
 * contents are matched with the $replace whitespace stripped in scan(). Every entry is a heuristic: plain
 * calls such as exec( or system( occur in legitimate code, so a hit is a prompt for manual review, not a verdict.
 *
 * @return array<string, string> "category->label" => regex fragment, in reporting order
 */
function getCode()
{
    // One sub-array per category; the flat "category->label" keys are assembled below so the
    // category prefix is written once per group instead of on every line.
    $groups = array(
        '后门特征' => array(
            'cha88.cn' => 'cha88\.cn',
            'c99shell' => 'c99shell',
            'phpspy' => 'phpspy',
            'Scanners' => 'Scanners',
            'cmd.php' => 'cmd\.php',
            'str_rot13' => 'str_rot13',
            'webshell' => 'webshell',
            'EgY_SpIdEr' => 'EgY_SpIdEr',
            'tools88.com' => 'tools88\.com',
            'SECFORCE' => 'SECFORCE',
            'eval("?>' => 'eval\((\'|")\?>',
        ),
        '可疑代码特征' => array(
            'system(' => 'system\(',
            'passthru(' => 'passthru\(',
            'shell_exec(' => 'shell_exec\(',
            'exec(' => 'exec\(',
            'popen(' => 'popen\(',
            'proc_open' => 'proc_open',
            'eval($' => 'eval\((\'|"|\s*)\\$',
            'assert($' => 'assert\((\'|"|\s*)\\$',
        ),
        '危险MYSQL代码' => array(
            'returns string soname' => 'returnsstringsoname',
            'into outfile' => 'intooutfile',
            'load_file' => 'select(\s+)(.*)load_file',
        ),
        '加密后门特征' => array(
            'eval(gzinflate(' => 'eval\(gzinflate\(',
            'eval(base64_decode(' => 'eval\(base64_decode\(',
            'eval(gzuncompress(' => 'eval\(gzuncompress\(',
            'eval(gzdecode(' => 'eval\(gzdecode\(',
            'eval(str_rot13(' => 'eval\(str_rot13\(',
            'gzuncompress(base64_decode(' => 'gzuncompress\(base64_decode\(',
            'base64_decode(gzuncompress(' => 'base64_decode\(gzuncompress\(',
        ),
        '一句话后门特征' => array(
            'eval($_' => 'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
            'assert($_' => 'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
            'require($_' => 'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
            'require_once($_' => 'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
            'include($_' => 'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
            'include_once($_' => 'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
            'call_user_func("assert"' => 'call_user_func\(("|\')assert("|\')',
            'call_user_func($_' => 'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
            '$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]' => '\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
            'echo(file_get_contents($_POST/GET/REQUEST/COOKIE' => 'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        ),
        '上传后门特征' => array(
            'file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE' => 'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
            'fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[' => 'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
        ),
        '.htaccess插马特征' => array(
            'SetHandler application/x-httpd-php' => 'SetHandlerapplication\/x-httpd-php',
            'php_value auto_prepend_file' => 'php_valueauto_prepend_file',
            'php_value auto_append_file' => 'php_valueauto_append_file',
        ),
    );
    $codes = array();
    foreach ($groups as $category => $patterns)
    {
        foreach ($patterns as $label => $pattern)
        {
            $codes[$category.'->'.$label] = $pattern;
        }
    }
    return $codes;
}
?>

一个在php环境下扫描php木马的工具,目前可扫出以下特征码



特征码:
后门特征->cha88.cn
后门特征->c99shell
后门特征->phpspy
后门特征->Scanners
后门特征->cmd.php
后门特征->str_rot13
后门特征->webshell
后门特征->EgY_SpIdEr
后门特征->tools88.com
后门特征->SECFORCE
后门特征->eval("?>
可疑代码特征->system(
可疑代码特征->passthru(
可疑代码特征->shell_exec(
可疑代码特征->exec(
可疑代码特征->popen(
可疑代码特征->proc_open
可疑代码特征->eval($
可疑代码特征->assert($
危险MYSQL代码->returns string soname
危险MYSQL代码->into outfile
危险MYSQL代码->load_file
加密后门特征->eval(gzinflate(
加密后门特征->eval(base64_decode(
加密后门特征->eval(gzuncompress(
加密后门特征->gzuncompress(base64_decode(
加密后门特征->base64_decode(gzuncompress(
一句话后门特征->eval($_
一句话后门特征->assert($_
一句话后门特征->require($_
一句话后门特征->require_once($_
一句话后门特征->include($_
一句话后门特征->include_once($_
一句话后门特征->call_user_func("assert"
一句话后门特征->call_user_func($_
一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]
一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE
上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE
上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[
.htaccess插马特征->SetHandler application/x-httpd-php
.htaccess插马特征->php_value auto_prepend_file
.htaccess插马特征->php_value auto_append_file


懒惰设计,直接套用phpspy样式
注意: 扫描出来的文件并不一定就是后门, 请自行判断、审核、对比原文件。

以上就介绍了 PHP Web木马扫描器代码 v10 安全测试工具,包括了相关方面的内容,希望对PHP教程有兴趣的朋友有所帮助。
