PHP Web Trojan Scanner Code v1.0 Security Test Tool_PHP Tutorial

scanner.php

Copy code The code is as follows:

/**************PHP Web Trojan Scanner***********************/
/* [+] Author: alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: weeming21@hotmail.com */
/* [+] First published: t00ls.net, please indicate t00ls when reprinting */
/* [+] Version: v1.0 */
/* [+] Function: web version of PHP Trojan scanning tool*/
/* [+] Note: Scanned files are not necessarily backdoors, */
/* Please judge and review by yourself , compare with the original file. */
/* If you are not sure whether the scanned file is a backdoor, */
/* You are welcome to send the file to me for analysis.*/
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "t00ls"; //设置用户名
$password = "t00ls"; //设置密码
$md5 = md5(md5($username).md5($password));
$version = "PHP Web木马扫描器 v1.0";
$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('REALPATH', str_replace('//','/',str_replace('\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('\', '/', (__FILE__)));
define('HOST', "http://".$_SERVER['HTTP_HOST']);
?>







if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
echo '

用户名: 密码:

';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo "登陆成功！";
header( 'refresh: 1; url='.MYFILE.'?action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting();
$action = isset($_GET['action'])?$_GET['action']:"";
if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600);
Header("Location: ".MYFILE);
exit();
}
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".basename($file).""");
echo file_get_contents($file);
}
exit();
}
?>

$version"?>

扫描 |
设定 |
登出

if($action=="setting")
{
if(isset($_POST['btnsetting']))
{
$Ssetting = array();
$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
echo "设置完成！";
header( 'refresh: 1; url='.MYFILE.'?action=setting' );
exit();
}
?>

扫描设定

文件后缀:
所有文件	>
设置文件	>

}
else
{
$dir = isset($_POST['path'])?$_POST['path']:MYPATH;
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>

扫描路径:

if(isset($_POST['btnScan']))
{
$start=mktime();
$is_user = array();
$is_ext = "";
$list = "";
if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
if(count($is_user)>0)
{
foreach($is_user as $key=>$value)
$is_user[$key]=trim(str_replace("?","(.)",$value));
$is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
}
}
if($setting['hta']==1)
{
$is_hta=1;
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
$is_ext.="(^\.htaccess$)";
}
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}
$php_code = getCode();
if(!is_readable($dir))
$dir = MYPATH;
$count=$scanned=0;
scan($dir,$is_ext);
$end=mktime();
$spent = ($end - $start);
?>

扫描: 文件 | 发现: 可疑文件 | 耗时: 秒

No.

文件

更新时间

原因

特征

动作

}
}
}
ob_flush();
?>


function scan($path = '.',$is_ext){
global $php_code,$count,$scanned,$list;
$ignore = array('.', '..' );
$replace=array(" ","n","r","t");
$dh = @opendir( $path );
while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(MYFULLPATH==$current) continue;
if(!preg_match("/$is_ext/i",$file)) continue;
if(is_readable($current))
{
$scanned++;
$content=file_get_contents($current);
$content= str_replace($replace,"",$content);
foreach($php_code as $key => $value)
{
if(preg_match("/$value/i",$content))
{
$count++;
$j = $count % 2 + 1;
$filetime = date('Y-m-d H:i:s',filemtime($current));
$reason = explode("->",$key);
$url = str_replace(REALPATH,HOST,$current);
preg_match("/$value/i",$content,$arr);
$list.="

$count
$current
$filetime
$reason[0]
$reason[1]
下载
";
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."
";
//echo $path . $file ."
";
break;
}
}
}
}
}
}
closedir( $dh );
}
function getSetting()
{
$Ssetting = array();
if(isset($_COOKIE['t00ls_s']))
{
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
}
else
{
$Ssetting['user']="php | php? | phtml | shtml";
$Ssetting['all']=0;
$Ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
}
return $Ssetting;
}
function getCode()
{
return array(
'Backdoor Features->cha88.cn'=>'cha88.cn',
'Backdoor Features->c99shell' =>'c99shell',
'Backdoor characteristics->phpspy'=>'phpspy',
'Backdoor characteristics->Scanners'=>'Scanners',
'Backdoor characteristics- >cmd.php'=>'cmd.php',
'Backdoor Feature->str_rot13'=>'str_rot13',
'Backdoor Feature->webshell'=>'webshell' ,
'Backdoor Feature->EgY_SpIdEr'=>'EgY_SpIdEr',
'Backdoor Feature->tools88.com'=>'tools88.com',
'Backdoor Feature-> SECFORCE'=>'SECFORCE',
'Backdoor characteristics->eval("?>'=>'eval(('|")?>',
'Suspicious code characteristics-> ;system('=>'system(',
'Suspicious code characteristics->passthru('=>'passthru(',
'Suspicious code characteristics->shell_exec('=>' shell_exec(',
'Suspicious code characteristics->exec('=>'exec(',
'Suspicious code characteristics->popen('=>'popen(',
' Suspicious code characteristics->proc_open'=>'proc_open',
'Suspicious code characteristics->eval($'=>'eval(('|"|s*)\$',
'Suspicious code characteristics->assert($'=>'assert(('|"|s*)\$',
'Dangerous MYSQL code->returns string soname'=>'returnsstringsoname',
'Dangerous MYSQL code->into outfile'=>'intooutfile',
'Dangerous MYSQL code->load_file'=>'select(s+)(.*)load_file',
'Encryption backdoor characteristics->eval(gzinflate('=>'eval(gzinflate(',
'Encryption backdoor characteristics->eval(base64_decode('=>'eval(base64_decode(',
'Encryption backdoor characteristics->eval(gzuncompress('=>'eval(gzuncompress(',
'Encryption backdoor characteristics->eval(gzdecode('=>'eval(gzdecode(',
'Encryption backdoor characteristics->eval(str_rot13('=>'eval(str_rot13(',
'Encryption backdoor characteristics->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',
'Encryption backdoor characteristics->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(',
'One sentence backdoor characteristics->eval($_'=>'eval(('|"|s *)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->assert($_'=>'assert(('|"|s*)\$_( POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->require($_'=>'require(('|"|s*)\$_(POST|GET|REQUEST| COOKIE)',
'One sentence backdoor characteristics->require_once($_'=>'require_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->include($_'=>'include(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics ->include_once($_'=>'include_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->call_user_func(" assert"'=>'call_user_func(("|')assert("|')',
'One sentence backdoor characteristics->call_user_func($_'=>'call_user_func(('|"|s *)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?] '=>'$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',
'One sentence backdoor characteristics->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo(file_get_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE )',
'Upload backdoor features->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents(('|"|s*)\$_ (POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'Upload backdoor characteristics-> ;fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),('|")w('|")), ('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',
'.htaccess plug-in feature->SetHandler application/x-httpd-php'=>'SetHandlerapplication/ x-httpd-php',
'.htaccess plug-in feature->php_value auto_prepend_file'=>'php_valueauto_prepend_file',
'.htaccess plug-in feature->php_value auto_append_file'=>'php_valueauto_append_file'
);
}
?>

A tool to scan PHP Trojans in the PHP environment. Currently, the following feature codes can be scanned out

Copy code The code is as follows:

Feature code:
Backdoor Feature->cha88.cn
Backdoor Feature->c99shell
Backdoor Feature->phpspy
Backdoor Feature->Scanners
Backdoor Features->cmd.php
Backdoor Features->str_rot13
Backdoor Features->webshell
Backdoor Features->EgY_SpIdEr
Backdoor Features->tools88.com
Backdoor Features->SECFORCE
Backdoor Features->eval("?>
Suspicious Code Features->system(
Suspicious Code Features->passthru(
Suspicious Code Features-> shell_exec(
Suspicious code characteristics->exec(
Suspicious code characteristics->popen(
Suspicious code characteristics->proc_open
Suspicious code characteristics->eval($
Suspicious Code features->assert($
Dangerous MYSQL code->returns string soname
Dangerous MYSQL code->into outfile
Dangerous MYSQL code->load_file
Encryption backdoor feature-> eval(gzinflate(
Encryption backdoor characteristics->eval(base64_decode(
Encryption backdoor characteristics->eval(gzuncompress(
Encryption backdoor characteristics->gzuncompress(base64_decode(
Encryption backdoor characteristics- >base64_decode(gzuncompress(
One sentence backdoor characteristics->eval($_
One sentence backdoor characteristics->assert($_
One sentence backdoor characteristics->require($_
One sentence backdoor characteristics->require_once($_
One sentence backdoor characteristics->include($_
One sentence backdoor characteristics->include_once($_
One sentence backdoor characteristics-> call_user_func("assert"
One sentence backdoor characteristics->call_user_func($_
One sentence backdoor characteristics->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[ ?]
One sentence backdoor characteristics->echo(file_get_contents($_POST/GET/REQUEST/COOKIE
Upload backdoor characteristics->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST /COOKIE
Upload backdoor features->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[
.htaccess plug-in features->SetHandler application/x-httpd -php
.htaccess horse insertion feature->php_value auto_prepend_file
.htaccess horse insertion feature->php_value auto_append_file

Lazy design, directly apply phpspy style
Note: Scan The files that come out are not necessarily backdoors. Please judge, review, and compare the original files by yourself.

http://www.bkjia.com/PHPjc/324902.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/324902.htmlTechArticlescanner.php Copy the code as follows: ?php /**************PHP Web Trojan Scanner***********************/ /* [+] Author : alibaba */ /* [+] QQ: 1499281192 */ /* [+] MSN: weeming21@h...