php webshell扫描后门木马实例程序
本文章来给大家介绍一个php webshell扫描后门木马实例程序,这个可以扫描你网站上的木马程序,这个给大家找网站木马提供了很大的方便.
php webshell扫描后门木马实例程序代码如下:
<?php
/**********************
php扫描后门
**********************/
error_reporting (E_ERROR);
ini_set ( 'max_execution_time' ,20000);
ini_set ( 'memory_limit' , '512M' );
header( "content-Type: text/html; charset=gb2312" );
$matches = array (
'/function\_exists\s*\(\s*[\' |\ "](popen|exec|proc\_open|system|passthru)+[\'|\" ]\s*\)/i',
'/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*\)/i' ,
'/((udp|tcp)\:\/\/(.*)\;)+/i' ,
'/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i' ,
'/preg\_replace\s*\((.*)\(base64\_decode\(\$/i' ,
'/(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*(base64\_decode|str\_rot13|gz(\w+)|file\_(\w+)\_contents|(.*)php\:\/\/input)+/i' ,
'/(eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk)+\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i' ,
'/eval\s*\(\s*\(\s*\$\$(\w+)/i' ,
'/(include|require|include\_once|require\_once)+\s*\(\s*[\' |\ "](\w+)\.(jpg|gif|ico|bmp|png|txt|zip|rar|htm|css|js)+[\'|\" ]\s*\)/i',
'/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*\$(\w+)\s*\)/i' ,
'/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i' ,
'/(fopen|fwrite|fputs|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i' ,
'/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i' ,
'/new com\s*\(\s*[\' |\ "]shell(.*)[\'|\" ]\s*\)/i',
'/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i' ,
'/\$\_\=(.*)\$\_/i' ,
'/\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i' ,
'/\$(\w+)\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i' ,
'/\$(\w+)\(\$\{(.*)\}/i'
);
function antivirus( $dir , $exs , $matches ) {
if (( $handle = @opendir( $dir )) == NULL) return false;
while (false !== ( $name = readdir( $handle ))) {
if ( $name == '.' || $name == '..' ) continue ;
$path = $dir . $name ;
if ( is_dir ( $path )) {
if ( is_readable ( $path )) antivirus( $path . '/' , $exs , $matches );
} elseif ( strpos ( $name , ';' ) > -1 || strpos ( $name , '%00' ) > -1 || strpos ( $name , '/' ) > -1) {
echo '<p>特征 <input type="text" style="width:218px;" value="解析漏洞"> ' . $path . '</p>' ; flush (); ob_flush();
} else {
if (!preg_match( $exs , $name )) continue ;
if ( filesize ( $path ) > 10000000) continue ;
$fp = fopen ( $path , 'r' );
$code = fread ( $fp , filesize ( $path ));
fclose( $fp );
if ( empty empty ( $code )) continue ;
foreach ( $matches as $matche ) {
$array = array ();
preg_match( $matche , $code , $array );
if (! $array ) continue ;
if ( strpos ( $array [0], "\x24\x74\x68\x69\x73\x2d\x3e" )) continue ;
$len = strlen ( $array [0]);
if ( $len > 10 && $len < 1500) {
echo '<p>特征 <input type="text" style="width:218px;" value="' .htmlspecialchars( $array [0]). '"> ' . $path . '</p>' ;
flush (); ob_flush(); break ;
}
}
unset( $code , $array );
}
}
closedir ( $handle );
return true;
}
function strdir( $str ) { return str_replace ( array ( '\\' , '//' , '//' ), array ( '/' , '/' , '/' ), chop ( $str )); }
echo '<form method="POST">' ;
echo '<p>路径: <input type="text" name="dir" value="' .( $_POST [ 'dir' ] ? strdir( $_POST [ 'dir' ]. '/' ) : strdir( $_SERVER [ 'DOCUMENT_ROOT' ]. '/' )). '" style="width:398px;"></p>' ;
echo '<p>后缀: <input type="text" name="exs" value="' .( $_POST [ 'exs' ] ? $_POST [ 'exs' ] : '.php|.inc|.phtml' ). '" style="width:398px;"></p>' ;
echo '<p>操作: <input type="submit" style="width:80px;" value="scan"></p>' ;
echo '</form>' ;
if ( file_exists ( $_POST [ 'dir' ]) && $_POST [ 'exs' ]) {
$dir = strdir( $_POST [ 'dir' ]. '/' );
$exs = '/(' . str_replace ( '.' , '\\.' , $_POST [ 'exs' ]). ')/i' ;
echo antivirus( $dir , $exs , $matches ) ? '<p>扫描完毕</p>' : '<p>扫描中断</p>' ;
} //开源代码phpfensi.com
?>
