//不完善,仍然需要继续完善
<?php
function upbaiduscan($path)
{
$url = "https://scanner.baidu.com/enqueue";
// $upload="@".$path;
$post_data = array(
"archive" => new CURLFile(realpath($path))
);
//var_dump($post_data);exit();
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$output = curl_exec($ch);
curl_close($ch);
$duixiang = json_decode($output);
$res = getfileinfo($duixiang->url);
$res=json_decode($res);
if($res[0]->detected>=1)
{
$resarr=array('code'=>1,'info'=>$res[0]->data[0]->descr,'msg'=>"检测到病毒:".$res[0]->data[0]->descr);
ajaxdata($resarr);
}else
{
$resarr=array('code'=>0,'info'=>$res[0]->data[0]->descr,'msg'=>"该文件安全");
ajaxdata($resarr);
}
exit();
echo $res;
// echo $output;
}
/**
 * Emit $data as JSON and stop the script, so an AJAX reply never falls
 * through into the HTML page that follows.
 *
 * @param array $data associative array serialised as the response body
 */
function ajaxdata($data)
{
    $json = json_encode($data);
    echo $json;
    exit();
}
/**
 * Download a scan-result document with gzip decoding and a Firefox User-Agent.
 *
 * @param string $url result URL handed back by the scanner
 * @return string|false body, or false when curl_get() fails
 */
function getfileinfo($url)
{
    $gzip = true;
    $firefox = true;
    return curl_get($url, $gzip, $firefox);
}
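/**
 * HTTP GET with a browser-like header set.
 *
 * @param string $url
 * @param bool   $gzip    Limit Accept-Encoding to gzip/deflate; when false curl
 *                        advertises and decodes every encoding it supports.
 * @param bool   $firefox Send a Firefox User-Agent instead of the Chrome one.
 * @return string|false   Decoded response body, or false on a transport error
 *                        or an HTTP error status (CURLOPT_FAILONERROR).
 */
function curl_get($url, $gzip = false, $firefox = false)
{
    if ($firefox) {
        // Firefox
        $useragent = 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0';
    } else {
        // Chrome
        $useragent = 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36';
    }
    // Drop any hand-written Accept-Encoding line: once CURLOPT_ENCODING is set,
    // curl sends one that matches the decoders it actually has, whereas
    // advertising 'br' to a build without brotli yields an undecodable body.
    // Previously the $gzip branch replaced the whole header list with a second
    // CURLOPT_HTTPHEADER call, silently dropping Host/Referer/Accept.
    $header = array_values(array_filter(FormatHeader($url, $useragent), function ($line) {
        return stripos($line, 'Accept-Encoding:') !== 0;
    }));
    $timeout = 120;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_FAILONERROR, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    // body only, no response headers
    curl_setopt($ch, CURLOPT_HEADER, 0);
    // '' = accept and transparently decode everything curl supports (the old code
    // set this unconditionally after the gzip branch, so decoding was always on).
    curl_setopt($ch, CURLOPT_ENCODING, $gzip ? 'gzip,deflate' : '');
    // Certificate and host-name verification stay at curl's defaults (on): the
    // body fetched here is the scan verdict, and with verification disabled an
    // on-path attacker could replace a detection with a clean result.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
    // The URL originates in the scanner's JSON reply; allow only http(s), also on redirects.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_AUTOREFERER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
    $content = curl_exec($ch);
    curl_close($ch);
    return $content;
}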
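/**
 * Build the browser-like request header list for $url.
 *
 * @param string $url        request URL; only its host is used
 * @param string $useragent  value for the User-Agent line
 * @return array<int, string> "Name: value" lines for CURLOPT_HTTPHEADER
 */
function FormatHeader($url, $useragent)
{
    $temp = parse_url($url);
    // parse_url() returns false for badly malformed URLs and has no 'host' for
    // relative ones; fall back to an empty host instead of an undefined-index warning.
    $host = (is_array($temp) && isset($temp['host'])) ? $temp['host'] : '';
    return array(
        "Host: {$host}",
        "Referer: https://{$host}/",
        "Content-Type: text/xml; charset=utf-8",
        'Accept: application/json, text/javascript, */*; q=0.01',
        'Accept-Encoding:gzip, deflate, br',
        'Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Connection:keep-alive',
        'X-Requested-With: XMLHttpRequest',
        'User-Agent: ' . $useragent,
    );
}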
/**
 * Send a form-encoded POST through the http stream wrapper.
 *
 * @param string $url       target URL
 * @param array  $post_data key/value pairs, sent as application/x-www-form-urlencoded
 * @return string|false     response body, or false when file_get_contents() fails
 */
function send_post($url, $post_data)
{
    $httpOptions = array(
        'method'  => 'POST',
        'header'  => 'Content-type:application/x-www-form-urlencoded',
        'content' => http_build_query($post_data),
        'timeout' => 15 * 60, // seconds
    );
    $context = stream_context_create(array('http' => $httpOptions));
    return file_get_contents($url, false, $context);
}
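// AJAX entry point: the "WEBDIR扫描" button posts a file path here and
// upbaiduscan() answers with JSON and exits before any HTML is emitted.
// isset() guards avoid undefined-index warnings on ordinary page loads.
if (isset($_GET['canshuname']) && $_GET['canshuname'] === "baidu") {
    $path = (isset($_POST['text']) && is_string($_POST['text'])) ? $_POST['text'] : '';
    upbaiduscan($path);
    exit();
}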
?>
<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<title>PHP web shell scan</title>
<!-- 最新版本的 Bootstrap 核心 CSS 文件 -->
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css"
integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">
<!-- 可选的 Bootstrap 主题文件(一般不用引入) -->
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap-theme.min.css"
integrity="sha384-6pzBo3FDv/PJ8r2KRkGHifhEocL+1X2rVCTTkUfGk7/0pbek5mMa1upzvWbrUbOZ" crossorigin="anonymous">
</head>
<body>
</body>
<?php
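// Name of this script, used by antivirus() to skip its own file.
define("SELF", php_self());
// Only fatal errors are reported; warnings from unreadable files are hidden.
error_reporting(E_ERROR);
ini_set('max_execution_time', 20000);
ini_set('memory_limit', '512M');
// The HTML head above has already been sent, so in the current layout this
// header() is a no-op ("headers already sent") and the <meta charset> tag is
// what sets the encoding; guard it so the call is not a silent warning.
if (!headers_sent()) {
    header("content-Type: text/html; charset=utf-8");
}
// The baidu AJAX branch earlier in this file already exits; this only matters
// if that block is ever moved below the HTML.
if (isset($_GET['canshuname']) && $_GET['canshuname'] === "baidu") {
    echo("请求成功");
    exit();
}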
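/**
 * Heuristic for weevely-style obfuscated shells: function names assembled with
 * str_replace(), a base64 blob, and a final call of the assembled callable.
 *
 * @param string $file path to inspect
 * @return bool true on a match; false when nothing matches or the file cannot
 *              be read (the original fell through and returned null here)
 */
function weevelyshell($file)
{
    if (!is_file($file) || !is_readable($file)) {
        return false;
    }
    $content = file_get_contents($file);
    if ($content === false || $content === '') {
        return false;
    }
    // Two signature variants; each is a conjunction of patterns so that a single
    // str_replace() or base64 string on its own does not trigger.
    return (
        preg_match('#(\$\w{2,4}\s?=\s?str_replace\("\w+","","[\w_]+"\);\s?)+#s', $content) &&
        preg_match('#(\$\w{2,4}\s?=\s?"[\w\d\+\/\=]+";\s?)+#', $content) &&
        preg_match('#\$[\w]{2,4}\s?=\s\$[\w]{2,4}\(\'\',\s?\$\w{2,4}\(\$\w{2,4}\("\w{1,4}",\s?"",\s?\$\w{2,4}\.\$\w{2,4}\.\$\w{2,4}\.\$\w{2,4}\)\)\);\s+?\$\w{2,4}\(\)\;#', $content)
    ) || (
        preg_match('#\$\w+\d\s?=\s?str_replace\(\"[\w\d]+\",\"\",\"[\w\d]+\"\);#s', $content) &&
        preg_match('#\$\w+\s?=\s?\$[\w\d]+\(\'\',\s?\$[\w\d]+\(\$\w+\(\$\w+\(\"[[:punct:]]+\",\s?\"\",\s?\$\w+\.\$\w+\.\$\w+\.\$\w+\)\)\)\);\s?\$\w+\(\);#s', $content)
    );
}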
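/**
 * Heuristic for "callback" shells: request input copied into a variable, wrapped
 * in an array, and handed to an array_* / usort-family function as the callback.
 *
 * @param string $file path to inspect
 * @return bool true on a match; false when nothing matches or the file cannot
 *              be read (the original fell through and returned null here)
 */
function callbackshell($file)
{
    if (!is_file($file) || !is_readable($file)) {
        return false;
    }
    $content = file_get_contents($file);
    if ($content === false || $content === '') {
        return false;
    }
    // All three patterns must hit: input capture, array wrapping, callback sink.
    return (bool) (
        preg_match('#\$\w+\s?=\s?\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\]#is', $content) &&
        preg_match('#\$\w+\s?=\s?(?:new)?\s?array\w*\s?\(.*?_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\].*?\)+#is', $content) &&
        preg_match('#(?:array_(?:reduce|map|udiff|walk|walk_recursive|filter)|u[ak]sort)\s?\(.*?\)+?#is', $content)
    );
}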
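/**
 * Base name of the executing script; antivirus() skips any entry whose name
 * contains it so the scanner does not report itself.
 *
 * @return string file name without directory, '' when nothing is known
 */
function php_self()
{
    // SCRIPT_NAME excludes PATH_INFO; PHP_SELF does not ("/index.php/extra"),
    // and a request with a crafted suffix would change which file names the
    // scan skips. PHP_SELF is kept only as a fallback.
    if (isset($_SERVER['SCRIPT_NAME'])) {
        $self = $_SERVER['SCRIPT_NAME'];
    } elseif (isset($_SERVER['PHP_SELF'])) {
        $self = $_SERVER['PHP_SELF'];
    } else {
        $self = '';
    }
    $slash = strrpos($self, '/');
    // strrpos() returns false when there is no '/'; false + 1 === 1 would have
    // silently dropped the first character of the name.
    return $slash === false ? $self : substr($self, $slash + 1);
}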
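// Content signatures applied by antivirus() to every candidate file. Each entry
// is a complete PCRE pattern (delimiters and modifiers included); the first
// match of each pattern is reported when it is 7..199 bytes long.
// The first pattern previously ended in `[\'\"]' / is,` — the closing delimiter
// and modifiers had been split out of the literal, which made the whole array
// initialisation fail at runtime; it is restored to `...e[\'\"]/is'`.
$matches = array(
    '/mb_ereg_replace\([\'\*\s\,\.\"]+\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[\'\"].*?[\'\"][\]][\,\s\'\"]+e[\'\"]/is',
    '/preg_filter\([\'\"\|\.\*e]+.*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)/is',
    '/create_function\s?\(.*assert\(/is',
    '/ini_get\(\'safe_mode\'\)/i',
    '/get_current_user\(.*?\)/i',
    '/@?assert\s?\(\$.*?\)/i',
    '/proc_open\s?\(.*?pipe\',\s?\'w\'\)/is',
    '/sTr_RepLaCe\s?\([\'\"].*?[\'\"],[\'\"].*?[\'\"]\s?,\s?\'a[[:alnum:][:punct:]]+?s[[:alnum:][:punct:]]+?s[[:alnum:][:punct:]]+?e[[:alnum:][:punct:]]+?r[[:alnum:][:punct:]]+?t[[:alnum:][:punct:]]+?\)/i',
    '/preg_replace_callback\(.*?create_function\(/is',
    '/filter_var(?:_array)?\s?.*?\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[\'\"][[:punct:][:alnum:]]+[\'\"]\][[:punct:][:alnum:][:space:]]+?assert[\'\"]\)/is',
    '/ob_start\([\'\"]+assert[\'\"]+\)/is',
    '/new\s?ReflectionFunction\(.*?->invoke\(/is',
    '/PDO::FETCH_FUNC/',
    '/\$\w+.*\s?(?:=|->)\s?.*?[\'\"]assert[\'\"]\)?/i',
    '/\$\w+->(?:sqlite)?createFunction\(.*?\)/i',
    '/eval\([\"\']?\\\?\$\w+\s?=\s?.*?\)/i',
    '/eval\(.*?gzinflate\(base64_decode\(/i',
    '/copy\(\$HTTP_POST_FILES\[\'\w+\'\]\s?\[\'tmp_name\'\]/i',
    '/register_(?:shutdown|tick)_function\s?\(\$\w+,\s\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\]\)/is',
    '/register_(?:shutdown|tick)_function\s?\(?[\'\"]assert[\"\'].*?\)/i',
    '/call_user_func.*?\([\"|\']assert[\"|\'],.*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[\'|\"].*\]\)+/is',
    '/preg_replace\(.*?e.*?\'\s?,\s?.*?\w+\(.*?\)/i',
    '/function_exists\s*\(\s*[\'|\"](popen|exec|proc_open|system|passthru)+[\'|\"]\s*\)/i',
    '/(exec|shell_exec|system|passthru)+\s*\(\s*\$_(\w+)\[(.*)\]\s*\)/i',
    '/(exec|shell_exec|system|passthru)+\s*\(\$\w+\)/i',
    '/(exec|shell_exec|system|passthru)\s?\(\w+\(\"http_.*\"\)\)/i',
    '/(?:john\.barker446@gmail\.com|xb5@hotmail\.com|shopen@aventgrup\.net|milw0rm\.com|www\.aventgrup\.net|mgeisler@mgeisler\.net)/i',
    '/Php\s*?Shell/i',
    '/((udp|tcp)\:\/\/(.*)\;)+/i',
    '/preg_replace\s*\((.*)\/e(.*)\,\s*\$_(.*)\,(.*)\)/i',
    '/preg_replace\s*\((.*)\(base64_decode\(\$/i',
    '/(eval|assert|include|require|include_once|require_once)+\s*\(\s*(base64_decode|str_rot13|gz(\w+)|file_(\w+)_contents|(.*)php\:\/\/input)+/i',
    '/(eval|assert|include|require|include_once|require_once|array_map|array_walk)+\s*\(.*?\$_(?:GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i',
    '/eval\s*\(\s*\(\s*\$\$(\w+)/i',
    '/((?:include|require|include_once|require_once)+\s*\(?\s*[\'|\"]\w+\.(?!php).*[\'|\"])/i',
    '/\$_(\w+)(.*)(eval|assert|include|require|include_once|require_once)+\s*\(\s*\$(\w+)\s*\)/i',
    '/\(\s*\$_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i',
    '/(fopen|fwrite|fputs|file_put_contents)+\s*\((.*)\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i',
    '/echo\s*curl_exec\s*\(\s*\$(\w+)\s*\)/i',
    '/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i',
    '/\$(.*)\s*\((.*)\/e(.*)\,\s*\$_(.*)\,(.*)\)/i',
    '/\$_\=(.*)\$_/i',
    '/\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i',
    '/\$(\w+)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i',
    '/\$(\w+)\s*\(\s*\$\{(.*)\}/i',
    '/\$(\w+)\s*\(\s*chr\(\d+\)/i',
);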
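/**
 * Emit one row of the results table and push it to the browser immediately.
 *
 * Every value is escaped: on a compromised host file names are attacker
 * controlled, and an unescaped name inside the <td> or the onclick attribute
 * would run script in the operator's browser when the report is viewed.
 *
 * @param string $feature what was detected (raw text; escaped here)
 * @param string $path    file path (raw; escaped here)
 */
function antivirus_row($feature, $path)
{
    $ctime = filectime($path);
    $when = $ctime === false ? '' : date("Y-m-d H:i:s", $ctime);
    // JSON-encode the path for the JS string literal, then HTML-escape the whole
    // attribute value; the browser decodes the attribute before evaluating it.
    $js = json_encode($path, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($js === false) {
        // non-UTF-8 name: keep the row, but the button sends an empty path
        $js = '""';
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $onclick = htmlspecialchars('baidusd(' . $js . ')', $flags, 'UTF-8');
    echo '<tr><td>' . htmlspecialchars($feature, $flags, 'UTF-8')
        . '</td><td>' . htmlspecialchars($path, $flags, 'UTF-8')
        . '</td><td>' . $when
        . '</td><td><button type="button" class="btn btn-default" onclick="' . $onclick . '">WEBDIR扫描</button></td></tr>';
    flush();
    if (ob_get_level() > 0) {
        ob_flush();
    }
}

/**
 * Walk $dir recursively and print a table row for every suspicious file.
 *
 * Three kinds of findings are reported: names that exploit web-server parsing
 * quirks (";" / "%00" / "/"), files matching the weevely heuristics, and files
 * whose contents match one of the $matches signatures.
 *
 * @param string $dir     directory WITH trailing slash (entry names are appended directly)
 * @param string $exs     regex a file name must match to be inspected (built by the caller)
 * @param array  $matches content signatures, complete PCRE patterns
 * @return bool false when $dir cannot be opened, true when the walk finished
 */
function antivirus($dir, $exs, $matches)
{
    $handle = @opendir($dir);
    if ($handle === false) {
        return false;
    }
    while (false !== ($name = readdir($handle))) {
        if ($name === '.' || $name === '..') continue;
        // Never report the scanner itself (an empty SELF would match every name).
        if (SELF !== '' && strstr($name, SELF) !== false) continue;
        $path = $dir . $name;
        if (is_dir($path)) {
            // NOTE(review): symlinked directories are followed; a link loop
            // recurses until the nesting limit is hit.
            if (is_readable($path)) antivirus($path . '/', $exs, $matches);
            continue;
        }
        // Names built to abuse server-side extension parsing ("x.php;.jpg" etc.).
        if (strpos($name, ';') !== false || strpos($name, '%00') !== false || strpos($name, '/') !== false) {
            antivirus_row('解析漏洞', $path);
            continue;
        }
        if (!preg_match($exs, $name)) continue;
        $size = filesize($path);
        // Skip unreadable and >10 MB files; an empty file is skipped explicitly
        // because fread($fp, 0) throws a ValueError on PHP 8.
        if ($size === false || $size === 0 || $size > 10000000) continue;
        $code = file_get_contents($path);
        if ($code === false || $code === '') continue;
        if (weevelyshell($path)) {
            antivirus_row('weevely 加密shell', $path);
        } elseif (callbackshell($path)) {
            antivirus_row('weevely Callback shell', $path);
        }
        foreach ($matches as $matche) {
            $array = array();
            // preg_match() also returns false for an invalid pattern; both cases skip.
            if (!preg_match($matche, $code, $array)) continue;
            // The hex string spells "$this->": matches inside a method call are
            // ordinary OO code, not the bare-function idioms these signatures target.
            // (Position 0 is not skipped, preserving the original truthiness test.)
            if (strpos($array[0], "\x24\x74\x68\x69\x73\x2d\x3e")) continue;
            $len = strlen($array[0]);
            if ($len > 6 && $len < 200) {
                antivirus_row($array[0], $path);
            }
        }
        unset($code, $array);
    }
    closedir($handle);
    return true;
}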
/**
 * Normalise a directory string: trim trailing whitespace, turn backslashes into
 * slashes, then collapse doubled slashes (two passes, as the original did).
 *
 * @param string $str
 * @return string
 */
function strdir($str)
{
    $normalised = str_replace('\\', '/', chop($str));
    $normalised = str_replace('//', '/', $normalised);
    return str_replace('//', '/', $normalised);
}
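// Scan form and, after submission, the results table. Submitted values are
// HTML-escaped before being reflected: this page has no authentication, so
// unescaped reflection would be a reflected-XSS sink.
$postDir = (isset($_POST['dir']) && is_string($_POST['dir'])) ? $_POST['dir'] : '';
$postExs = (isset($_POST['exs']) && is_string($_POST['exs'])) ? $_POST['exs'] : '';
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
$formDir = $postDir !== '' ? strdir($postDir . '/') : strdir($docRoot . '/');
$formExs = $postExs !== '' ? $postExs : '.php|.inc|.phtml';
$escFlags = ENT_QUOTES | ENT_SUBSTITUTE;
echo '<form method="POST">';
echo '路径: <input type="text" name="dir" value="' . htmlspecialchars($formDir, $escFlags, 'UTF-8') . '" style="width:398px;"><p></p>';
echo '后缀: <input type="text" name="exs" value="' . htmlspecialchars($formExs, $escFlags, 'UTF-8') . '" style="width:398px;"><p></p>';
echo '操作: <input type="submit" style="width:80px;" value="scan"><p></p>';
echo '</form></br>';
if ($postDir !== '' && $postExs !== '' && file_exists($postDir)) {
    $dir = strdir($postDir . '/');
    // Each "|"-separated suffix is quoted individually so the operator's input
    // is a list of literal suffixes, not regex fragments (only '.' was escaped before).
    $alts = array();
    foreach (explode('|', $postExs) as $suffix) {
        $suffix = trim($suffix);
        if ($suffix !== '') {
            $alts[] = preg_quote($suffix, '/');
        }
    }
    $exs = '/(' . implode('|', $alts) . ')/i';
    echo('<table class="table table-bordered">
<tr>
<th>特征</th>
<th>路径</th>
<th>文件创建时间</th>
<th>操作</th>
</tr>');
    echo antivirus($dir, $exs, $matches) ? '</table></br ><p></p>扫描完毕!' : '</br > <p></p>扫描中断';
}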
?>
<!-- 最新的 Bootstrap 核心 JavaScript 文件 -->
<script src="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"
integrity="sha384-aJ21OjlMXNL5UyIl/XNwTMqvzeRMZH2w8c5cRVpzpU8Y5bApTppSuUkhZXN0VxHd"
crossorigin="anonymous"></script>
<script src="https://libs.baidu.com/jquery/2.0.0/jquery.min.js"></script>
<script type="text/javascript">
// Ask the server to forward one file to the WEBDIR scanner and show the verdict.
function baidusd(text) {
    $.post("index.php?canshuname=baidu", { text: text }, function (data, status) {
        // "clean" and "detected" replies are presented the same way; the reply
        // is still parsed so a malformed body surfaces as an exception.
        var reply = JSON.parse(data);
        alert(reply.msg);
    });
}
</script>
</html>