├── .gitignore ├── Everything定位Webshell.docx ├── LICENSE ├── README.md ├── ScanWebShell ├── ScanWebShell.pl └── readme ├── core.py ├── dictionaries └── rule.txt ├── findWebshell ├── createHtml.py ├── directory │ ├── sensitiveWord.py │ └── webshell.py ├── filterShell.py ├── getFileTime.py ├── main.py ├── plugins │ ├── php_array_map-plugin.py │ ├── php_array_map.py │ ├── php_call_user_func.py │ ├── php_ddos_cc-plugin.py │ ├── php_dynamic_function.py │ ├── php_eval_assert-plugin.py │ ├── php_include_file-plugin.py │ ├── php_packshell-plugin.py │ ├── php_preg_replace-plugin.py │ └── php_zendencode-plugin.py ├── readme.md ├── report.html └── scanShell.py ├── result └── result.txt ├── scan.py └── util ├── operation.py └── traversal_dir.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | 27 | # PyInstaller 28 | # Usually these files are written by a python script from a template 29 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
30 | *.manifest 31 | *.spec 32 | 33 | # Installer logs 34 | pip-log.txt 35 | pip-delete-this-directory.txt 36 | 37 | # Unit test / coverage reports 38 | htmlcov/ 39 | .tox/ 40 | .coverage 41 | .coverage.* 42 | .cache 43 | nosetests.xml 44 | coverage.xml 45 | *,cover 46 | .hypothesis/ 47 | 48 | # Translations 49 | *.mo 50 | *.pot 51 | 52 | # Django stuff: 53 | *.log 54 | 55 | # Sphinx documentation 56 | docs/_build/ 57 | 58 | # PyBuilder 59 | target/ 60 | 61 | #Ipython Notebook 62 | .ipynb_checkpoints 63 | -------------------------------------------------------------------------------- /Everything定位Webshell.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ym2011/ScanBackdoor/3a10de49c3ebd90c2f0eb62304877e00d2a52396/Everything定位Webshell.docx -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 
21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. 
The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 
91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 
122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 
155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 
186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. 
This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | {one line to give the program's name and a brief idea of what it does.} 635 | Copyright (C) {year} {name of author} 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | {project} Copyright (C) {year} {fullname} 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## scaing-backdoor 2 | 3 | 4 | Webshell扫描工具,通过各种规则和算法实现服务器脚本后门查杀。 5 | 6 | 目前已实现功能: 7 | 8 | + 根据关键字静态扫描webshell 9 | 10 | 11 | ### 使用说明 12 | 13 | ➜ python scan.py -h 14 | scan usage: 15 | 简单使用:scan.py filepath 16 | -h,--help: 获取帮助信息. 
17 | -v, --version: 获取scan版本 18 | -p,--path: 指定将要扫描的路径 19 | -l,--low: 系统/数据库弱密码扫描 20 | 21 | ### TODO 22 | 23 | + 文件大小判断(可配置选项) 24 | + 支持多命令选项 25 | + 动态扫描 26 | + 十六进制度读取文件 27 | + 提取webshell关键字 28 | + 弱密码提示/潜在威胁提示 29 | + 提供多系统支持 30 | + 特征库包含各种木马/病毒/文件路径/cms/shell/框架信息等特征码为各个平台提供特征码支持 31 | -------------------------------------------------------------------------------- /ScanWebShell/ScanWebShell.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | #Scan WebShell for LAKE2 3 | #Desc: A small tools that find webshell with perl, it can check ASP/PHP/JSP/ASP.Net script, enjoy hacking :-) 4 | #Author: lakehu[TSRC] 5 | #Date: 2013-10-30 6 | #Version: 1.1.1 7 | 8 | use File::Find; 9 | 10 | #php webshell str 11 | @php_code_array = ( 12 | '\beval(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 13 | '\bassert(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 14 | '\bsystem(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 15 | '\bpassthru(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 16 | '\bexec(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 17 | '\bpcntl_exec(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 18 | '\bshell_exec(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 19 | '\bpopen(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 20 | '\bproc_open(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 21 | '\bpreg_replace(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 22 | '\bcreate_function(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 23 | '\bob_start(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 24 | '\barray_map(\s|\/\*.*?\*\/)*\(\s*.*?\s*\)', 25 | '`.*?`', 26 | '(include|include_once|require|require_once)(\s|\/\*.*?\*\/)*\(\s*.*?\$.*?\)', 27 | '(include|include_once|require|require_once)(\s|\/\*.*?\*\/)*\(?\s*[\'"].*?\.[^p][^h][^p]\w*?[\'"].*?\s*?;', 28 | '(phpspy|4ngel|wofeiwo|c99shell|webshell|php_nst|reDuh)', 29 | '\$[\w-_\'\\[\\]{}\.\$\*/|]+(\s|\/\*.*?\*\/)*\(.*?\)' 30 | ); 31 | 32 | @asp_code_array = ( 33 | '' 34 | ); 35 | 36 | #asp.net webshell str 37 | @aspx_code_array = ( 38 | '' 39 | ); 40 | 41 | #jsp webshell str 42 | @jsp_code_array = ( 43 | '' 44 | ); 45 | 46 | if(@ARGV!=2){ 47 | print "\n"; 
48 | print "* Simple Scan WebShell by lake2 [ TSRC ] \n"; 49 | print "* know it then hack it !\n"; 50 | print "* Usage: ScanWebShell.pl \n"; 51 | print "* Type: 1 - PHP\n"; 52 | print " 2 - ASP\n"; 53 | print " 3 - ASP.Net\n"; 54 | print " 4 - JSP\n"; 55 | print "* TSRC Website: http:\\\\security.tencent.com\n"; 56 | exit; 57 | } 58 | 59 | my $postfix; 60 | $postfix = ''; 61 | my @str_code; 62 | if($ARGV[1]==1) 63 | { 64 | $postfix = '\.php$';push(@str_code, @php_code_array); 65 | } 66 | elsif($ARGV[1]==2) 67 | { 68 | print "NO PUBLIC! Do you used ASPSecurity ?\n";exit; 69 | } 70 | elsif($ARGV[1]==3) 71 | { 72 | print "NO PUBLIC!\n";exit; 73 | } 74 | elsif($ARGV[1]==4) 75 | { 76 | print "NO PUBLIC!\n";exit; 77 | } 78 | else 79 | { 80 | print "ERROR: unkown type !\n";exit; 81 | } 82 | #old Perl is not Switch -_-!! FucK !!!! 83 | #switch($ARGV[1]){ 84 | # case 0 { print "get out!\n";exit; } 85 | # case 1 { $postfix = '\.php$';push(@str_code, @php_code_array); } 86 | # case 2 { $postfix = '\.(asp|cdx|cer)$';push(@str_code, @asp_code_array); } 87 | # case 3 { $postfix = '\.aspx$';push(@str_code, @aspx_code_array); } 88 | # case 4 { $postfix = '\.jsp$';push(@str_code, @jsp_code_array); } 89 | # else { print "ERROR: unkown type !\n";exit; } 90 | #} 91 | print "start scanning ..... \n-----------------\n"; 92 | $scan_path = $ARGV[0]; 93 | if(substr($scan_path, length($scan_path)-1, 1) ne "/"){$scan_path.="/";} 94 | find(\&wanted, $scan_path); 95 | print "----------------\ndone !\n "; 96 | 97 | sub wanted { 98 | if (-f $File::Find::name) { 99 | if ($File::Find::name=~/$postfix/i) { 100 | checkfile($File::Find::name); 101 | } 102 | } 103 | } 104 | 105 | sub checkfile{ 106 | my($filepath) = @_; 107 | my($content); 108 | $content = openfile($filepath); 109 | if($content ne ""){ 110 | foreach $item (@str_code){ 111 | if($content =~ /$item/is){ # fix bug : ig -> is, \s will contain \r\n 112 | print $filepath." 
-> ".$&."\n"; 113 | } 114 | } 115 | } 116 | } 117 | 118 | sub openfile{ 119 | my($filepath) = @_; 120 | my(@string); 121 | unless (open (MYFILE, $filepath)) { 122 | print ("[-]ERROR: open file $filepath fail !\n"); 123 | return ""; 124 | } 125 | @string= ; 126 | close(MYFILE); 127 | return join("", @string); 128 | } -------------------------------------------------------------------------------- /ScanWebShell/readme: -------------------------------------------------------------------------------- 1 | # a script writed by perl 2 | -------------------------------------------------------------------------------- /core.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # -*- coding: utf-8 -*- 3 | 4 | #Version: 0.02 5 | #Create: 2016-06-13 6 | #ym2011 7 | 8 | import array 9 | import sys 10 | 11 | from util import traversal_dir 12 | from util import operation 13 | 14 | #木马特征,目前只是从CMD的执行上分析. 15 | def start(param): 16 | print "scaninng now....." 
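17 |     ls = operation.readRetList("dictionaries/rule.txt")  # TODO: let the caller supply the rule file instead of this fixed path
18 |     cmp(param, ls)
19 | 
20 |     print "result.txt 结果已保存到result目录"
21 | 
22 | # Backdoor scan: walk `dir` and record every file in which
23 | # operation.findListStr() finds one of `features`; the matches are written
24 | # to result/result.txt. (Shadows the builtin cmp(); kept because start() calls it.)
25 | def cmp(dir, features):
26 |     suspicious = []
27 |     file_list = traversal_dir.traversal_dir(dir)
28 |     for filepath in file_list:
29 |         if operation.findListStr(filepath, features):  # TODO: rank hits by the number of matched features
30 |             suspicious.append(filepath + "\n")
31 |     operation.writeList("result/result.txt", suspicious, 'w')  # TODO: make the result path user-configurable
32 | 
33 | # Check server system files. Not implemented yet: the original had an empty
34 | # body, which is a SyntaxError and kept the whole module from importing.
35 | def chkSysFile():
36 |     pass
37 | 
38 | if __name__ == '__main__':
39 |     if len(sys.argv) < 2:
40 |         print "usage: core.py PATH"
41 |         sys.exit(1)
42 |     start(sys.argv[1])
43 | 
44 | -------------------------------------------------------------------------------- /dictionaries/rule.txt: -------------------------------------------------------------------------------- 1 | ## 2 | .exec( 3 | 4 | ## 5 | .cmd( 6 | -------------------------------------------------------------------------------- /findWebshell/createHtml.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf8 3 | 4 | head = '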

webshell后门报告

' + \ 5 | '
' 6 | 7 | def createHtml(resList): 8 | tr = '' 9 | for res in resList: 10 | tmp = '' 11 | for ele in res: 12 | tmp += '' 13 | tr += '' + tmp + '' 14 | html = head + tr + '
路径类型修改时间
' + ele +'
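' 14 |     return html
15 | 
16 | -------------------------------------------------------------------------------- /findWebshell/directory/sensitiveWord.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python
2 | #coding=utf8
3 | 
4 | """
5 | Sensitive strings that are characteristic of backdoors.
6 | Add entries for each backdoor type by hand as {"keyword": "type label"}.
7 | filterShell.FilterShell.content() looks each keyword up in the file content
8 | and returns its label, so every table here must be a dict (not a list).
9 | """
10 | 
11 | # PHP sensitive strings
12 | php_sensitive_words = {
13 |     "www.phpdp.org":"PHP神盾加密后门",
14 |     "www.phpjm.net":"PHP加密后门"
15 | }
16 | 
17 | asp_sensitive_words = {
18 | }
19 | 
20 | aspx_sensitive_words = {
21 | }
22 | # misspelled legacy name, kept as an alias so existing importers still work
23 | apsx_sensitive_words = aspx_sensitive_words
24 | 
25 | # was a list, which made jsp_sensitive_words.keys() raise for ext == "jsp"
26 | jsp_sensitive_words = {
27 | }
28 | -------------------------------------------------------------------------------- /findWebshell/directory/webshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python
2 | #coding=utf8
3 | 
4 | """
5 | File names that are obvious trojan names or known webshell names.
6 | """
7 | 
8 | php_webshell = [
9 |     "phpspy.php",
10 |     "yijuhua.php",
11 |     "houmeng.php",
12 |     "backdoor.php",
13 |     "后门.php",
14 |     "xxoo.php",
15 |     "一句话.php"
16 | ]
17 | 
18 | asp_webshell = [
19 | ]
20 | 
21 | aspx_webshell = [
22 | ]
23 | 
24 | jsp_webshell = [
25 | ]
26 | -------------------------------------------------------------------------------- /findWebshell/filterShell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python
2 | #coding=utf8
3 | 
4 | from directory.sensitiveWord import *
5 | from directory.webshell import *
6 | 
7 | # Filters that classify a file as a known webshell
8 | class FilterShell:
9 |     # Name-based filter: True when `name` is in the known-webshell list for `ext`; an unknown ext prints an error and exits
10 |     def filename(self, ext, name):
11 |         if ext == "php":
12 |             if name in php_webshell:
13 |                 return True
14 |             else:
15 |                 return False
16 |         elif ext == "asp":
17 |             if name in asp_webshell:
18 |                 return True
19 |             else:
20 |                 return False
21 |         elif ext == "aspx":  # was "apsx", so a real aspx scan fell through to "args error!"
22 |             if name in aspx_webshell:
23 |                 return True
24 |             else:
25 |                 return False
26 |         elif ext == "jsp":
27 |             if name in jsp_webshell:
28 |                 return True
29 |             else:
30 |                 return False
31 |         elif ext == "all":
32 |             if name in 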
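(php_webshell + asp_webshell + aspx_webshell + jsp_webshell):
33 |                 return True
34 |             else:
35 |                 return False
36 |         else:
37 |             print "args error!"
38 |             exit(0)
39 | 
40 |     # Return the type label of the first sensitive word of `table` found in
41 |     # `ctent`, or False. `table` is {"keyword": "type label"}; a non-dict
42 |     # (the jsp table used to be a list) has no labels, so it counts as empty.
43 |     def _match(self, table, ctent):
44 |         if not isinstance(table, dict):
45 |             return False
46 |         for word, kind in table.items():
47 |             if word in ctent:
48 |                 return kind
49 |         return False
50 | 
51 |     # Content-based filter: `ext` selects the sensitive-word table ("all"
52 |     # merges every table); returns the first matching keyword's type label
53 |     # or False, and exits on an unknown ext like filename(). The old asp/
54 |     # aspx/jsp branches returned False after the first non-matching word,
55 |     # so only one keyword per table was ever checked.
56 |     def content(self, ext, ctent):
57 |         if ext == "php":
58 |             return self._match(php_sensitive_words, ctent)
59 |         elif ext == "asp":
60 |             return self._match(asp_sensitive_words, ctent)
61 |         elif ext == "aspx":
62 |             return self._match(aspx_sensitive_words, ctent)
63 |         elif ext == "jsp":
64 |             return self._match(jsp_sensitive_words, ctent)
65 |         elif ext == "all":
66 |             # dicts cannot be added with +, and the old expression also
67 |             # listed asp twice and aspx never; merge the tables explicitly
68 |             merged = {}
69 |             for table in (php_sensitive_words, asp_sensitive_words,
70 |                           aspx_sensitive_words, jsp_sensitive_words):
71 |                 merged.update(table if isinstance(table, dict) else {})
72 |             return self._match(merged, ctent)
73 |         else:
74 |             print "args error!"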
75 | exit(0) -------------------------------------------------------------------------------- /findWebshell/getFileTime.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf8 3 | 4 | import os 5 | import time 6 | 7 | def getFileTime(filepath): 8 | fileModifyTime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(os.path.getmtime(filepath))) 9 | return fileModifyTime 10 | -------------------------------------------------------------------------------- /findWebshell/main.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=utf8 3 | 4 | import glob, os 5 | from optparse import OptionParser 6 | from filterShell import FilterShell 7 | from getFileTime import getFileTime 8 | from scanShell import * 9 | from createHtml import createHtml 10 | 11 | if __name__ == '__main__': 12 | parser = OptionParser() 13 | parser.add_option("-p", "--path", dest="path", 14 | help="input web directory filepath", metavar="PATH") 15 | parser.add_option("-o", "--output", dest="output", 16 | help="create a html report") 17 | parser.add_option("-e", "--ext", dest="ext", 18 | help="define what's file format to scan", metavar="php|asp|aspx|jsp|all") 19 | 20 | (options, args) = parser.parse_args() 21 | 22 | #黑名单列表 23 | blackList = [] 24 | #名字字典 25 | fileList = {} 26 | #结果列表 27 | resList = [] 28 | 29 | #检测是否输入合法的路径和要扫描的类型 30 | if options.ext == None or options.path == None: 31 | parser.error("输入的参数不正确!") 32 | 33 | #获取文件绝对路径 34 | for root, dirs, files in os.walk(options.path): 35 | for filename in files: 36 | fullpath = os.path.join(root, filename) 37 | fileList[filename] = fullpath 38 | 39 | #过滤类 40 | FilterShell = FilterShell() 41 | 42 | #文件名过滤 43 | for filename in fileList.keys(): 44 | res = FilterShell.filename(options.ext, filename) 45 | if res: 46 | #获取后门类型,文件修改时间,文件路径 47 | fullpath = fileList.get(filename) 48 | mtime = getFileTime(fullpath) 49 | 
filemode = "一般类型" 50 | resList.append([fullpath, filemode, mtime]) 51 | blackList.append(fullpath) 52 | else: 53 | pass 54 | 55 | #根据后门特征码过滤 56 | for filename in fileList.keys(): 57 | fullpath = fileList.get(filename) 58 | if fullpath not in blackList: 59 | with open(fullpath, "rb") as fp: 60 | ctent = fp.read() 61 | filemode = FilterShell.content(options.ext, ctent) 62 | #获取后门类型,文件修改时间,文件路径 63 | if filemode: 64 | mtime = getFileTime(fullpath) 65 | resList.append([fullpath, filemode, mtime]) 66 | blackList.append(fullpath) 67 | else: 68 | pass 69 | else: 70 | pass 71 | 72 | #正则匹配后门语法 73 | scan(options.path, options.ext, blackList, resList) 74 | 75 | #处理后门列表 76 | l = len(resList) 77 | for i in xrange(l): 78 | resList[i][0] = os.path.abspath(resList[i][0]) 79 | 80 | #生成报告 81 | if options.output: 82 | fp = open(options.output + '.html', 'w') 83 | else: 84 | fp = open('report.html', 'w') 85 | html = createHtml(resList) 86 | fp.write(html) -------------------------------------------------------------------------------- /findWebshell/plugins/php_array_map-plugin.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python 2 | #coding=utf8 3 | 4 | import re 5 | 6 | rule=r'(array_map[\s\n]{0,20}\(.{1,5}(eval|assert|ass\\x65rt).{1,20}\$_(GET|POST|REQUEST).{0,15})' 7 | 8 | def judgeBackdoor(fileCtent): 9 | if 'array_map' in fileCtent: 10 | result = re.compile(rule).findall(fileCtent) 11 | if len(result) > 0: 12 | return 'array_map后门' 13 | else: 14 | return None -------------------------------------------------------------------------------- /findWebshell/plugins/php_array_map.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python 2 | #coding=utf8 3 | 4 | import re 5 | 6 | rule=r'(array_map[\s\n]{0,20}\(.{1,5}(eval|assert|ass\\x65rt).{1,20}\$_(GET|POST|REQUEST).{0,15})' 7 | 8 | def judgeBackdoor(fileCtent): 9 | if 'array_map' in fileCtent: 10 | result = 
re.compile(rule).findall(fileCtent) 11 | if len(result) > 0: 12 | return 'array_map后门' 13 | else: 14 | return None -------------------------------------------------------------------------------- /findWebshell/plugins/php_call_user_func.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python 2 | #coding=utf8 3 | 4 | import re 5 | 6 | rule='(call_user_func[\s\n]{0,25}\(.{0,25}\$_(GET|POST|REQUEST).{0,15})' 7 | 8 | def judgeBackdoor(fileCtent): 9 | if 'call_user_func' in fileCtent: 10 | result = re.compile(rule).findall(fileCtent) 11 | if len(result) > 0: 12 | return 'call_user_func后门' 13 | return None 14 | else: 15 | return None -------------------------------------------------------------------------------- /findWebshell/plugins/php_ddos_cc-plugin.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python 2 | #coding=utf8 3 | 4 | import re 5 | import os 6 | 7 | keywords = [ 8 | '启动自动攻击', 9 | 'xxddos', 10 | 'phpddos', 11 | 'fsockopen("udp:', 12 | 'fsockopen("tcp:', 13 | '$_get["moshi"]=="udp"' 14 | ] 15 | 16 | #此插件白名单列表 (['文件路径'],['误报特征码']) 17 | whitefilter = [ 18 | (['install/svinfo.php'], ['fsockopen("tcp:']), 19 | ] 20 | 21 | def judgeBackdoor(fileCtent): 22 | fileCtent = fileCtent.lower() 23 | #纯关键词查找-暂不确定后门 24 | for key in keywords: 25 | if key in fileCtent: 26 | isok = 1 27 | for white in whitefilter: 28 | if os.path.exists(white[0][0]) and white[1][0] in key: 29 | isok = 0 30 | if isok: 31 | return 'PHP ddos_cc攻击脚本' 32 | return None -------------------------------------------------------------------------------- /findWebshell/plugins/php_dynamic_function.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python 2 | #coding=utf8 3 | 4 | import re 5 | import os 6 | 7 | rule1='(\$_(GET|POST|REQUEST)\[.{0,15}\]\s{0,10}\(\s{0,10}\$_(GET|POST|REQUEST).{0,15})' 8 | 
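rule2='((\$(_(GET|POST|REQUEST|SESSION|SERVER)(\[[\'"]{0,1})\w{1,12}([\'"]{0,1}\])|\w{1,10}))[\s\n]{0,20}\([\s\n]{0,20}(@{0,1}\$(_(GET|POST|REQUEST|SESSION|SERVER)(\[[\'"]{0,1})\w{1,12}([\'"]{0,1}\])|\w{1,10}))[\s\n]{0,5}\))'
9 | rule3='\s{0,10}=\s{0,10}[{@]{0,2}(\$_(GET|POST|REQUEST)|file_get_contents|str_replace|["\']a["\']\.["\']s["\']\.|["\']e["\']\.["\']v["\']\.|["\']ass["\']\.).{0,10}'
10 | vararr=['$_GET','$_POST','$_REQUEST','$_SESSION','$_SERVER']
11 | 
12 | # Whitelist for this plugin: (['file path'], ['false-positive signature']). Use absolute paths, or run this program from the site root: os.path.exists() is evaluated against the cwd, not against the file being scanned, so while that path exists an entry suppresses the hit in every file whose match contains the signature.
13 | whitefilter=[
14 | (['integrate.php'],['$code ($_POST[\'cfg\'])']),
15 | (['Lib/Action/IntegrateAction.class.php'],['$code ($_POST[\'cfg\'])']),
16 | (['phpcms/modules/template/file.php'],['$_GET[\'action\']($_GET[\'html\']'])
17 | ]
18 | 
19 | def judgeBackdoor(fileCtent):
20 | result = re.compile(rule1).findall(fileCtent)
21 | if len(result) > 0:  # was `resullt`, an undefined name, so every call raised NameError
22 | isok = 1
23 | for white in whitefilter:
24 | if os.path.exists(white[0][0]) and white[1][0] in result[0][0]:
25 | isok = 0
26 | if isok:
27 | return '$_GET[a]($_POST[b])动态函数后门'
28 | else:
29 | result = re.compile(rule2).findall(fileCtent)
30 | # findall tuples are 0-based: group[1] is the callee `$a`, group[6] the argument `$b`
31 | if len(result) > 0:
32 | for group in result:
33 | for var in vararr:
34 | if var in group[1]:
35 | resultson = re.search('\\'+group[6]+rule3,fileCtent)
36 | try:
37 | if len(resultson.groups()) > 0:
38 | isok = 1
39 | for white in whitefilter:
40 | if os.path.exists(white[0][0]) and white[1][0] in result[0][0]:
41 | isok = 0
42 | if isok:
43 | return '$a($b)动态函数后门'
44 | except:  # resultson is None when rule3 finds no assignment
45 | pass
46 | for var in vararr:
47 | if var in group[6]:
48 | resultson= re.search('\\'+group[1]+rule3,fileCtent)
49 | try:
50 | if len(resultson.groups()) > 0:
51 | isok = 1
52 | for white in whitefilter:
53 | if os.path.exists(white[0][0]) and white[1][0] in result[0][0]:
54 | isok = 0
55 | if isok:
56 | return '$a($b)动态函数后门'
57 | except:  # resultson is None when rule3 finds no assignment
58 | pass
59 | 
60 | result1= re.search('\\'+group[1]+rule3,fileCtent)
61 | result2= 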
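re.search('\\'+group[6]+rule3,fileCtent)
62 | try:
63 | if len(result1.groups()) > 0 and len(result2.groups()) > 0:
64 | isok = 1
65 | for white in whitefilter:
66 | if os.path.exists(white[0][0]) and white[1][0] in result[0][0]:  # was missing the colon (SyntaxError) and tested result[0], a tuple, instead of the substring check the other whitelist loops use
67 | isok = 0
68 | if isok:
69 | return '$a($b)动态函数后门'
70 | except:  # result1/result2 is None when rule3 finds no assignment
71 | continue
72 | return None
73 | else:
74 | return None -------------------------------------------------------------------------------- /findWebshell/plugins/php_eval_assert-plugin.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python
2 | #coding=utf8
3 | 
4 | import re
5 | 
6 | rule='((eval|assert)[\s|\n]{0,30}\([\s|\n]{0,30}(\\\\{0,1}\$((_(GET|POST|REQUEST|SESSION|SERVER)(\[[\'"]{0,1})[\w\(\)]{0,15}([\'"]{0,1}\]))|\w{1,10}))\s{0,5}\))'
7 | rule1='((eval|assert)[\s|\n]{0,30}\((gzuncompress|gzinflate\(){0,1}[\s|\n]{0,30}base64_decode.{0,100})'
8 | rule2='\s{0,10}=\s{0,10}([{@]{0,2}\\\\{0,1}\$_(GET|POST|REQUEST)|file_get_contents|["\']a["\']\.["\']s["\']\.|["\']e["\']\.["\']v["\']\.|["\']ass["\']\.).{0,20}'
9 | vararr=['$_GET','$_POST','$_REQUEST','$_SESSION','$_SERVER']
10 | 
11 | def judgeBackdoor(fileCtent):
12 | if 'eval' in fileCtent or 'assert' in fileCtent:
13 | result = re.compile(rule).findall(fileCtent)
14 | if len(result) > 0:
15 | for group in result:  # group[2] is the argument expression passed to eval/assert
16 | for var in vararr:
17 | if var in group[2]:
18 | return "eval|assert后门"
19 | resultson = re.search('\\' + group[2] + rule2, fileCtent)  # was `filestr`, an undefined name: NameError for any eval($var) that is not a superglobal
20 | try:
21 | if len(resultson.groups()) > 0:
22 | return "eval|assert($a)动态eval|assert后门"
23 | except:  # resultson is None when rule2 finds no assignment
24 | continue
25 | else:
26 | result = re.compile(rule1).findall(fileCtent)
27 | if len(result) > 0:
28 | return "eval|assert(base64)加密后门"
29 | return None
30 | -------------------------------------------------------------------------------- /findWebshell/plugins/php_include_file-plugin.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/env python
2 | #coding=utf8
3 | 
4 | 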
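import re

# rule1: a literal include/require target. The character class previously read
# "\+-_", which is the range U+002B..U+005F (",-./0-9:;<=>?@A-Z[\]^_"), not the
# three characters plus, minus and underscore; the hyphen is now escaped.
rule1='([^\'"](include|require)(_once){0,1}\s{0,5}(\s{0,5}|\(\s{0,5})["\']([\.\w\,/\\\+\-_]{1,60})["\']\s*\){0,1})'
rule2='((include|require)(_once){0,1}(\s{0,5}|\s{0,5}\(\s{0,5})[\'"]{0,1}(\$(_(GET|POST|REQUEST|SERVER)(\[[\'"]{0,1})\w{0,8}([\'"]{0,1}\])|[\w]{1,15}))[\'"]{0,1})'
rule3='\s{0,10}=\s{0,10}([{@]{0,2}\$_(GET|POST|REQUEST)|[\'"]{0,1}php://input[\'"]{0,1}|file_get_contents).{0,20}'
vararr=['$_GET','$_POST','$_REQUEST','$_SERVER']
# A literal include target containing any of these (case-insensitively) is treated as benign.
Whiterule = ['.php','$','templates','.html']


def judgeBackdoor(fileCtent):
    """Detect include/require of a suspicious literal path, or of a tainted variable.

    fileCtent: the file content handed over by the scanner.
    Returns the backdoor type string, or None.
    """
    if 'include' not in fileCtent and 'require' not in fileCtent:
        return None
    # Literal includes whose target does not look like an ordinary PHP/template file.
    for key in re.compile(rule1).findall(fileCtent):
        target = key[4].lower()
        if not any(white in target for white in Whiterule):
            return 'include|require(_once)非法引用后门'
    # Dynamic includes: include($var) where $var is a superglobal or assigned from one.
    # A set replaces the old "--"-joined string, whose substring test skipped "$a"
    # once "$ab" had been seen.
    seen = set()
    for group in re.compile(rule2).findall(fileCtent):
        var = group[4]  # findall() drops group 0: index 4 is the "$var" expression
        if var in seen:
            continue
        seen.add(var)
        if any(sg in var for sg in vararr):
            return 'include|require(_once)非法引用动态参数后门'
        # re.escape(): the variable text comes from the scanned file and must not
        # be interpreted as regex syntax.
        if re.search(re.escape(var) + rule3, fileCtent) is not None:
            return 'include|require(_once)非法引用动态参数后门'
    return None


# ---- /findWebshell/plugins/php_packshell-plugin.py ----
#/usr/bin/env python
#coding=utf8

import os
import re

rule='gzdeflate|gzcompress|gzencode'

#此插件白名单列表 (['文件路径'],['误报特征码'])
# Plugin whitelist: (['file path'], ['false-positive signature']); the path is tested
# with os.path.exists() relative to the cwd, as in the other plugins.
whitefilter=[]


def judgeBackdoor(fileCtent):
    """Detect PHP "file packer" shells.

    Fires when a compression call appears together with the packer's markers
    ('打包' and 'unix2DosTime'). The previous revision's whitelist loop referenced
    the undefined names filepath and key, so any non-empty whitelist raised
    NameError, which the bare except turned into a silent None; the whitelist now
    follows the other plugins (path exists, signature occurs in the content).
    """
    if re.search(rule, fileCtent) is None:
        return None
    if '打包' not in fileCtent or 'unix2DosTime' not in fileCtent:
        return None
    for paths, sigs in whitefilter:
        if os.path.exists(paths[0]) and sigs[0] in fileCtent:
            return None
    return 'PHP 文件打包后门程序'


# ---- /findWebshell/plugins/php_preg_replace-plugin.py ----
#/usr/bin/env python
#coding=utf8

import re

keyword = "preg_replace"
rule = '(preg_replace[\s\n]{0,10}\([\s\n]{0,10}((["\'].{0,15}[/@\'][is]{0,2}e[is]{0,2}["\'])|\$[a-zA-Z_][\w"\'\[\]]{0,15})\s{0,5},\s{0,5}.{0,40}(\$_(GET|POST|REQUEST|SESSION|SERVER)|str_rot13|urldecode).{0,30})'
backdoorType = "preg_replace后门"

#判断是否存在后门函数
def judgeBackdoor(fileCtent):
    """Return backdoorType when preg_replace() is called with an /e-modifier (or
    variable) pattern and a superglobal / str_rot13 / urldecode replacement; else None."""
    if keyword not in fileCtent:
        return None
    if re.compile(rule).findall(fileCtent):
        return backdoorType
    return None


# ---- /findWebshell/plugins/php_zendencode-plugin.py ----
#/usr/bin/env python
#coding=utf8

import re

def judgeBackdoor(fileCtent):
    """Detect the 178-byte Zend-encoded one-line shell.

    The scanner reads the file in binary mode and passes the content, so
    len(fileCtent) is the on-disk size. The previous revision compared
    fileCtent[:-4] (everything but the last four characters) with 'Zend' and
    called os.path.getsize(filepath) with neither os imported nor filepath
    defined, so it could never report a hit.
    """
    if fileCtent[:4] == 'Zend' and len(fileCtent) == 178:
        return 'zend加密php一句话后门'
    return None


-------------------------------------------------------------------------------- /findWebshell/readme.md: --------------------------------------------------------------------------------
##工具简介
findWebshell是一款基于python开发的webshell检查工具,可以检查任意类型的webshell后门。

##使用说明
Usage: main.py [options]

Options:
  -h, --help            show this help message and exit
  -p PATH, --path=PATH  input web directory filepath
  -o OUTPUT, --output=OUTPUT
                        create a html report
  -e php|asp|aspx|jsp|all, --ext=php|asp|aspx|jsp|all
                        define what's file format to scan

示例

python main.py -e php -p /var/www/test -o output
-e 网页格式
-p 扫描的路径
-o 生成的html文件名,默认生成report.html

##开发文档
###字典添加
- directory目录下的sensitiveWord.py定义的是后门中的敏感关键字,可以手动添加,格式为{"关键字":"类型"}

```
php_sensitive_words = {
    "www.phpdp.org":"PHP神盾加密后门",
    "www.phpjm.net":"PHP加密后门"
}
```

- directory目录下的webshell.py定义的是webshell列表,直接添加webshell到列表里
```
php_webshell = [
    "后门.php",
    "xxoo.php",
    "一句话.php"
]
```
###插件开发
- 命名规范

插件命名格式:网页类型_后门类型-plugin.py

**示例**
```
php_eval_assert-plugin.py
php_preg_replace-plugin.py
asp_execute-plugin.py
```
- 函数规范和返回值

函数格式

    def judgeBackdoor(fileCtent)
成功返回后门类型,失败返回None

**示例**
```
def judgeBackdoor(fileCtent):
    if keyword in fileCtent:
        result = re.compile(rule).findall(fileCtent)
        if len(result) > 0:
            return backdoorType
        else:
            return None
```

[插件规则参考](http://www.oschina.net/p/seayfindshell)

-------------------------------------------------------------------------------- /findWebshell/report.html: --------------------------------------------------------------------------------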

webshell后门报告

路径类型修改时间
/home/he1m4n6a/workstation/pyProject/findWebshell/xxx/yijuhua.php一般类型2015-05-05 22:56:41
/home/he1m4n6a/workstation/pyProject/findWebshell/xxx/test.phpPHP神盾加密后门2015-04-18 21:23:16
/home/he1m4n6a/workstation/pyProject/findWebshell/xxx/aa.phppreg_replace后门2015-05-07 21:06:14
/home/he1m4n6a/workstation/pyProject/findWebshell/xxx/fuck/hh.phpeval|assert后门2015-05-05 22:06:05
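# ---- /findWebshell/scanShell.py ----
#!/usr/bin/env python
#coding=utf8

import os, glob, sys
import time
from filterShell import FilterShell
from getFileTime import getFileTime

#插件列表
plusArr = []

# Scan type -> plugin file-name prefix. Plugins are named "<type>_<backdoor>-plugin.py"
# (see readme.md); the trailing "_" keeps "asp" from also selecting "aspx_*" plugins.
_PLUGIN_PREFIX = {"php": "php_", "asp": "asp_", "aspx": "aspx_", "jsp": "jsp_"}

# Files of this size or larger are skipped without being scanned (see scan()).
MAX_SCAN_SIZE = 500000

#加载插件
def loadPlus(ext="all"):
    """Import every plugins/*-plugin.py for *ext* and record its module name in plusArr.

    ext: "all", or one of the keys of _PLUGIN_PREFIX. Anything else prints an error
    and exits with status 2 (the old exit() returned status 0 on a bad argument).
    The previous revision tested the prefixes "aps", "apsx" and "jps", so asp, aspx
    and jsp plugins were never loaded.
    Plugin modules are imported, i.e. executed, from the plugins directory under
    the current working directory; that directory must only be writable by the
    operator of the scanner.
    """
    if ext != "all" and ext not in _PLUGIN_PREFIX:
        print "error args!"
        sys.exit(2)
    prefix = _PLUGIN_PREFIX.get(ext, "")
    for plus in glob.glob('plugins/*-plugin.py'):
        # os.path.basename rather than split('/') so Windows paths work too.
        plusname = os.path.basename(plus)[:-3]
        if plusname.startswith(prefix):
            __import__("plugins." + plusname)
            plusArr.append(plusname)


#通过加载插件扫描
def scan(path, ext, blackList, resList):
    """Walk *path* and append [filepath, backdoor type, file time] to resList per hit.

    blackList: file paths to skip. Files of MAX_SCAN_SIZE bytes or more are not
    inspected at all, so the cap is also a blind spot to keep in mind when reading
    a clean report. Each file is read once, in binary mode, and handed to every
    loaded plugin until one reports a hit; a plugin that raises is reported on
    stderr and skipped instead of aborting the whole scan (several plugins in this
    tree raise NameError on ordinary input).
    """
    loadPlus(ext)
    #获取绝对路径
    for root, dirs, files in os.walk(path):
        for filename in files:
            filepath = os.path.join(root, filename)
            if filepath in blackList:
                continue
            #判断文件大小
            if os.path.getsize(filepath) >= MAX_SCAN_SIZE:
                continue
            # Read once per file, not once per plugin as before.
            with open(filepath, "rb") as fp:
                fileCtent = fp.read()
            for plus in plusArr:
                try:
                    res = sys.modules["plugins." + plus].judgeBackdoor(fileCtent)
                except Exception as err:
                    sys.stderr.write("plugin %s failed on %s: %s\n" % (plus, filepath, err))
                    continue
                if res:
                    resList.append([filepath, res, getFileTime(filepath)])
                    break


# ---- /result/result.txt ----


# ---- /scan.py ----
#!/usr/bin/python
# -*- coding: utf-8 -*-

#Version: 0.02
#Create: 2016-06-13
#Authoruis: ym2011

import sys
import getopt
import core

def Usage():
    """Print the command-line help."""
    print 'scan usage:'
    print '使用:scan.py filepath'
    print '-h,--help: 获取帮助信息.'
    print '-v, --version: 获取scan版本'
    print '-p,--path: 指定将要扫描的路径'
    # NOTE: -l/--low is listed here but not parsed by main(); getopt rejects it.
    print '-l,--low: 系统/数据库弱密码扫描'

def Version():
    """Print the version banner."""
    print 'scan 0.02 BASE'

def OutPut(args):
    print 'Hello, %s' % args

def main(argv):
    """Parse argv and start the scan via core.start().

    With no options the first positional argument is the path to scan. 'help'
    and 'version' were missing from the long options, and --path was accepted by
    getopt but then fell through to Usage(); all three are handled now.
    """
    try:
        opts, args = getopt.getopt(argv[1:], 'hvp:', ['help', 'version', 'path='])
    except getopt.GetoptError as err:
        print str(err)
        Usage()
        sys.exit(2)
    if len(opts) == 0:
        if len(args):
            core.start(args[0])
        else:
            print "scanning [options] [param]"
    for o, a in opts:
        if o in ('-h', '--help'):
            Usage()
            sys.exit(1)
        elif o in ('-v', '--version'):
            Version()
            sys.exit(0)
        elif o in ('-p', '--path'):
            core.start(a)
            sys.exit(0)
        else:
            Usage()
            sys.exit(3)

if __name__ == '__main__':
    main(sys.argv)


# ---- /util/operation.py ----
#!/usr/bin/python
# -*- coding: utf-8 -*-

#Version: 0.02
#Create: 2016-06-12
#Authoruis: ym2011

import array
import os
import re

#读取文件 返回值:整个文件内容
def read(filepath):
    """Return the whole text of *filepath*, or -1 (after printing a notice) if it cannot be read."""
    try:
        with open(filepath) as file_object:
            return file_object.read()
    except IOError:
        print filepath, "\topen fail !"
        return -1

#读取文件 返回值:list
def readRetList(filepath):
    """Return the lines of *filepath* with newlines stripped; [] (after a notice) if it cannot be read.

    The previous revision swallowed the IOError and then used the unbound file
    object, turning a missing file into a NameError.
    """
    try:
        with open(filepath) as file_object:
            return [line.strip("\n") for line in file_object]
    except IOError:
        print filepath, "\topen fail !"
        return []


#将text写入文件
def write(filepath, text, type):
    """Write *text* to *filepath*, opened with mode *type* (e.g. 'w' or 'a')."""
    with open(filepath, type) as file_object:
        file_object.write(text)

#将一个list写入文件,无换行
def writeList(filepath, list, type):
    """Write each item of *list* to *filepath* (mode *type*) without adding newlines."""
    with open(filepath, type) as file_object:
        file_object.writelines(list)


#查找filepath文件内容是否包含str字符串
#不包含返回 -1
def find(filepath, str):
    """Case-insensitive offset of *str* in the file's text; -1 when absent or unreadable."""
    file_text = read(filepath)
    if file_text == -1:
        # read() already reported the failure; the old code called .lower() on -1.
        return -1
    return file_text.lower().find(str.lower())

#文件中查找集合中的字符串,返回值:strList中字符串在文件中存在的数量
def findListStr(filepath, strList):
    """Print each entry of *strList* found (case-insensitively) in the file and return how many matched.

    The previous revision did ``flag += flag`` on a hit, which doubles (1, 2, 4, ...)
    instead of counting.
    """
    file_text = read(filepath)
    if file_text == -1:
        return 0
    lowered = file_text.lower()
    flag = 0
    for str in strList:
        if lowered.find(str.lower()) != -1:
            print str, "\t\t==>", filepath
            flag += 1
    return flag

def test():
    print read("../dictionaries/rule.txt")


if __name__ == '__main__':
    test()


# ---- /util/traversal_dir.py ----
#!/usr/bin/python
# -*- coding: utf-8 -*-

#Version: 0.02
#Create: 2016-06-13
#Authoruis: ym2011

import os


list = []
#遍历目录
def traversal_dir(filepath, prin=False, _seen=None):
    """Recursively collect every file below *filepath* into the module-level ``list`` and return it.

    prin: also print each file path.
    _seen: internal set of real paths of directories already entered; it stops the
    unbounded recursion a symlink loop caused before.
    The previous revision joined filepath onto an already-joined child path, so a
    relative start such as 'Desktop' recorded 'Desktop/Desktop/<file>'.
    """
    if _seen is None:
        _seen = set()
    real = os.path.realpath(filepath)
    if real in _seen:
        return list
    _seen.add(real)
    #遍历filepath下所有文件,包括子目录
    files = []
    try:
        files = os.listdir(filepath)
    except OSError:
        print filepath, "\t The folder does not exist!"
    for fi in files:
        fi_d = os.path.join(filepath, fi)
        if os.path.isdir(fi_d):
            traversal_dir(fi_d, prin, _seen)
        else:
            if prin:
                print fi_d
            list.append(fi_d)  #添加遍历到的文件
    return list

def print_files(self=None):
    """Print every collected path. *self* is unused; it is optional because test() calls print_files() with no argument."""
    for ls in list:
        print ls


def test():
    #递归遍历所有文件
    traversal_dir('Desktop')
    print_files()


if __name__ == '__main__':
    test()
--------------------------------------------------------------------------------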