scanner.php
Copy the code The code is as follows:
/**************PHP Web Trojan Scanner***********************/
/* [+] Author: alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: weeming21@hotmail.com */
/* [+] First published: t00ls.net, please indicate t00ls when reprinting */
/* [+] Version: v1.0 */
/* [+] Function: web version of php Trojan scanning tool*/
/* [+] Note: Scanned files are not necessarily backdoors, */
/* Please judge, review and compare the original files by yourself. */
/* If you are not sure whether the scanned file is a backdoor, */
/* You are welcome to send the file to me for analysis.*/
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "t00ls"; //设置用户名
$password = "t00ls"; //设置密码
$md5 = md5(md5($username).md5($password));
$version = "PHP Web木马扫描器 v1.0";
$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('REALPATH', str_replace('//','/',str_replace('\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('\', '/', (__FILE__)));
define('HOST', "http://".$_SERVER['HTTP_HOST']);
?>
if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
echo '
';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo "登陆成功!";
header( 'refresh: 1; url='.MYFILE.'?action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting();
$action = isset($_GET['action'])?$_GET['action']:"";
if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600);
Header("Location: ".MYFILE);
exit();
}
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".basename($file).""");
echo file_get_contents($file);
}
exit();
}
?>
$version"?> |
=date("Y-m-d H:i:s",mktime())?> 扫描 | 设定 | 登出
|
if($action=="setting")
{
if(isset($_POST['btnsetting']))
{
$Ssetting = array();
$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
echo "设置完成!";
header( 'refresh: 1; url='.MYFILE.'?action=setting' );
exit();
}
?>
}
else
{
$dir = isset($_POST['path'])?$_POST['path']:MYPATH;
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>
if(isset($_POST['btnScan']))
{
$start=mktime();
$is_user = array();
$is_ext = "";
$list = "";
if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
if(count($is_user)>0)
{
foreach($is_user as $key=>$value)
$is_user[$key]=trim(str_replace("?","(.)",$value));
$is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
}
}
if($setting['hta']==1)
{
$is_hta=1;
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
$is_ext.="(^\.htaccess$)";
}
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}
$php_code = getCode();
if(!is_readable($dir))
$dir = MYPATH;
$count=$scanned=0;
scan($dir,$is_ext);
$end=mktime();
$spent = ($end - $start);
?>
扫描: 文件 | 发现: 可疑文件 | 耗时: 秒
}
}
}
ob_flush();
?>
function scan($path = '.',$is_ext){
global $php_code,$count,$scanned,$list;
$ignore = array('.', '..' );
$replace=array(" ","n","r","t");
$dh = @opendir( $path );
while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(MYFULLPATH==$current) continue;
if(!preg_match("/$is_ext/i",$file)) continue;
if(is_readable($current))
{
$scanned++;
$c
$c
foreach($php_code as $key => $value)
{
if(preg_match("/$value/i",$content))
{
$count++;
$j = $count % 2 + 1;
$filetime = date('Y-m-d H:i:s',filemtime($current));
$reason = explode("->",$key);
$url = str_replace(REALPATH,HOST,$current);
preg_match("/$value/i",$content,$arr);
$list.="
$current
$filetime |
$reason[0] |
$reason[1] |
下载 |
";
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."
";
//echo $path . $file ."
";
break;
}
}
}
}
}
}
closedir( $dh );
}
function getSetting()
{
$Ssetting = array();
if(isset($_COOKIE['t00ls_s']))
{
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
}
else
{
$Ssetting['user']="php | php? | phtml | shtml";
$Ssetting['all']=0;
$Ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
}
return $Ssetting;
}
function getCode()
{
return array(
'Backdoor characteristics->cha88.cn'=>'cha88.cn',
'Backdoor characteristics->c99shell'=>'c99shell',
'Backdoor Features->phpspy'=>'phpspy',
'Backdoor Features->Scanners'=>'Scanners',
'Backdoor Features->cmd.php'=>'cmd.php',
'Backdoor characteristics->str_rot13'=>'str_rot13',
'Backdoor characteristics->webshell'=>'webshell',
'Backdoor characteristics->EgY_SpIdEr'=>'EgY_SpIdEr',
'Backdoor Features->tools88.com'=>'tools88.com',
'Backdoor Feature->SECFORCE'=>'SECFORCE',
'Backdoor Feature->eval("?>'=> 'eval(('|")?>',
'Suspicious code characteristics->system('=>'system(',
'Suspicious code characteristics->passthru('=>'passthru(' ,
'Suspicious code characteristics->shell_exec('=>'shell_exec(',
'Suspicious code characteristics->exec('=>'exec(',
'Suspicious code characteristics->popen(' =>'popen(',
'Suspicious code characteristics->proc_open'=>'proc_open',
'Suspicious code characteristics->eval($'=>'eval(('|"|s* )\$',
'Suspicious code characteristics->assert($'=>'assert(('|"|s*)\$',
'Dangerous MYSQL code->returns string soname'=> 'returnsstringsoname',
'Dangerous MYSQL code->into outfile'=>'intooutfile',
'Dangerous MYSQL code->load_file'=>'select(s+)(.*)load_file',
'Encryption Backdoor characteristics->eval(gzinflate('=>'eval(gzinflate(',
'Encryption backdoor characteristics->eval(base64_decode('=>'eval(base64_decode(',
'Encryption backdoor characteristics-> ;eval(gzuncompress('=>'eval(gzuncompress(',
'Encryption backdoor characteristics->eval(gzdecode('=>'eval(gzdecode(',
'Encryption backdoor characteristics->eval(str_rot13 ('=>'eval(str_rot13(',
'Encryption backdoor characteristics->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',
'Encryption backdoor characteristics->base64_decode(gzuncompress('=> ;'base64_decode(gzuncompress(',
'One sentence backdoor characteristics->eval($_'=>'eval(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->assert($_'=>'assert(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics-> ;require($_'=>'require(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->require_once($_'=> ;'require_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->include($_'=>'include(('|" |s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->include_once($_'=>'include_once(('|"|s*)\$_( POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->call_user_func("assert"'=>'call_user_func(("|')assert("|')',
'One sentence backdoor characteristics ->call_user_func($_'=>'call_user_func(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',
'One sentence backdoor characteristics->$_POST/GET/ REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s *)\$_(POST|GET|REQUEST|COOKIE)[',
'One sentence backdoor characteristics->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo(file_get_contents(('| "|s*)\$_(POST|GET|REQUEST|COOKIE)',
'Upload backdoor characteristics->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=> 'file_put_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)\$_(POST|GET|REQUEST |COOKIE)',
'Upload backdoor features->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),( '|")w('|")),('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',
'.htaccess plug-in feature->SetHandler application/x- httpd-php'=>'SetHandlerapplication/x-httpd-php',
'.htaccess plug-in feature->php_value auto_prepend_file'=>'php_valueauto_prepend_file',
'.htaccess plug-in feature->php_value auto_append_file' =>'php_valueauto_append_file'
);
}
?>
A tool for scanning PHP Trojans in the PHP environment. Currently, the following feature codes can be scanned
Copy the code The code is as follows:
Feature codes:
Backdoor features->cha88.cn
Backdoor features->c99shell
Backdoor features->phpspy
Backdoor features->Scanners
Backdoor features->cmd.php
Backdoor features-> str_rot13
Backdoor characteristics->webshell
Backdoor characteristics->EgY_SpIdEr
Backdoor characteristics->tools88.com
Backdoor characteristics->SECFORCE
Backdoor characteristics->eval("?>
Suspicious code characteristics-> system(
Suspicious code characteristics->passthru(
Suspicious code characteristics->shell_exec(
Suspicious code characteristics->exec(
Suspicious code characteristics->popen(
Suspicious code characteristics->proc_open
Suspicious code characteristics ->eval($
Suspicious code signature->assert($
Dangerous MYSQL code->returns string soname
Dangerous MYSQL code->into outfile
Dangerous MYSQL code->load_file
Encryption backdoor signature-> eval(gzinflate(
Encryption backdoor characteristics->eval(base64_decode(
Encryption backdoor characteristics->eval(gzuncompress(
Encryption backdoor characteristics->gzuncompress(base64_decode(
Encryption backdoor characteristics->base64_decode(gzuncompress(
One sentence Backdoor features->eval($_
Backdoor features in one sentence->assert($_
Backdoor features in one sentence->require($_
Backdoor features in one sentence->require_once($_
Backdoor in one sentence) Features->include($_
One sentence backdoor feature->include_once($_
One sentence backdoor feature->call_user_func("assert"
One sentence backdoor feature->call_user_func($_
One sentence backdoor feature ->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]
Backdoor characteristics in one sentence->echo(file_get_contents($_POST/GET/REQUEST/COOKIE
Upload backdoor characteristics ->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE
Upload backdoor features->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE [
.htaccess plug-in feature->SetHandler application/x-httpd-php
.htaccess plug-in feature->php_value auto_prepend_file
.htaccess plug-in feature->php_value auto_append_file
Lazy design, directly apply phpspy style
Note: The scanned files are not necessarily backdoors. Please judge, review and compare the original files by yourself.
The above introduces the PHP Web Trojan Scanner Code v10 security testing tool, including the relevant content. I hope it will be helpful to friends who are interested in PHP tutorials.