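<?php
/**
 * PHP Antimalware Scanner.
 *
 * @author Marco Cesarato <cesarato.developer@gmail.com>
 * @license http://opensource.org/licenses/gpl-3.0.html GNU Public License
 *
 * @see https://github.com/marcocesarato/PHP-Antimalware-Scanner
 */

namespace AMWScan;

/**
 * Signature table of known exploit / obfuscation patterns.
 *
 * Every entry is keyed by a short identifier and holds:
 *  - `description`: human readable explanation reported on a match
 *  - `level`: a `CodeMatch` severity constant
 *  - `pattern`: a complete PCRE, delimiters and modifiers included
 *  - `link` (optional): reference URL(s)
 *
 * All patterns are written as single-quoted PHP strings, so only `\\` and
 * `\'` are unescaped by PHP: a backslash that must reach PCRE as a literal
 * backslash is written `\\\\`, and any `/` inside a pattern must be `\/`.
 * A pattern that fails to compile makes `preg_match()` return false with a
 * warning, which silently disables that signature.
 */
class Exploits
{
    /**
     * Default exploits definitions.
     *
     * @var array
     */
    protected static $default = [
        'eval_chr' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/eval[\s]*\([\s]*chr[\s]*\(.*?[\s]*\)/i',
        ],
        'eval_chr_obf' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/chr[\s]*\([\s]*101[\s]*\)[\s]*\.[\s]*chr[\s]*\([\s]*118[\s]*\)[\s]*\.[\s]*chr[\s]*\([\s]*97[\s]*\)[\s]*\.[\s]*chr[\s]*\([\s]*108[\s]*\)/i',
        ],
        'eval_preg' => [
            'description' => 'RCE (Remote Code Execution), through PCRE (Perl compatible Regular Expression), allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(preg_replace(_callback)?|mb_ereg_replace|preg_filter)[\s]*\([^)]*(\/|\\\\x2f)(e|\\\\x65)[\\\'\"].*?(?=\))\)/i',
        ],
        'eval_base64' => [
            'description' => 'RCE (Remote Code Execution), through Base64 text, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/eval[\s]*\([\s]*base64_decode[\s]*\((?<=\().*?(?=\))\)/i',
        ],
        'eval_comment' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\((?<=\().*?(?=\))\)/',
        ],
        // Fix: the pattern opened a group before `eval` that was never closed,
        // so PCRE refused to compile it ("missing closing parenthesis").
        'eval_execution' => [
            'description' => 'RCE (Remote Code Execution) and Code Injection allow remote attackers to execute arbitrary commands or code on the target machine via HTTP request',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/eval[\s]*\([\s]*\$[a-z0-9_]+[\s]*\([\s]*(?<=\()@?\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si',
        ],
        'align' => [
            'description' => 'Code alignment technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/(\$\w+=[^;]*)*;\$\w+=@?\$\w+\((?<=\().*?(?=\))\)/si',
        ],
        // b374k shell
        'b374k' => [
            'description' => 'Web shell (b374k) for the remote management',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/[\'"]ev[\'"]\.[\'"]al[\'"]\.[\'"][\s]*\([\s]*("|\\\')[\s]*\?>/i',
            'link' => 'https://github.com/b374k/b374k',
        ],
        // weevely3 launcher
        'weevely3' => [
            'description' => 'Web shell (Weevely) for post-exploitation purposes that can be extended over the network at runtime',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$\w=\$[a-zA-Z]\(\'\',\$\w\);\$\w\(\);/i',
            'link' => 'https://github.com/epinna/weevely3',
        ],
        'c99_launcher' => [
            'description' => 'Web Shell (C99) designed for post-exploitation purposes that can be extended over the network at runtime',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/;\$\w+\(\$\w+(,\s?\$\w+)+\);/i',
            'link' => 'https://github.com/4Hackerz/C99-Shell',
        ],
        // concatenation of more than eight `chr()`
        'too_many_chr' => [
            'description' => 'Concatenation of `chr` technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/(chr\([\d]+\)\.){8}/i',
        ],
        // concatenation of vars array
        'concat' => [
            'description' => 'Concatenation of arrays technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/(\$[\w\[\]\\\'\"]+\\.[\n\r]*){10}/i',
        ],
        // concatenation of more than 6 words, with spaces
        'concat_vars_with_spaces' => [
            'description' => 'Concatenation of vars technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/(\$([a-zA-Z0-9]+)[\s]*\.[\s]*){6}/',
        ],
        // concatenation of more than 6 indexed array elements, with spaces
        'concat_vars_array' => [
            'description' => 'Concatenation of arrays technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/(\$([a-zA-Z0-9]+)(\{|\[)([0-9]+)(\}|\])[\s]*\.[\s]*){6}.*?(?=\})\}/i',
        ],
        'var_as_func' => [
            'description' => 'RCE (Remote Code Execution) and Code Injection, through global vars used as PHP function, allow remote attackers to execute PHP code on the target machine via HTTP request',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$_(GET|POST|COOKIE|REQUEST|SERVER)[\s]*\[[^\]]+\][\s]*\((?<=\().*?(?=\))\)/i',
        ],
        'global_var_string' => [
            'description' => 'Code Injection, through escaped global vars, allow inject attackers to execute PHP code on the target machine via HTTP request',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$\{[\s]*[\'"]_(GET|POST|COOKIE|REQUEST|SERVER)[\'"][\s]*\}/i',
        ],
        'extract_global' => [
            'description' => 'Code Injection, extracting global var arrays, allow remote attackers to inject PHP code on the target machine via HTTP request',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/extract\([\s]*\$_(GET|POST|COOKIE|REQUEST|SERVER).*?(?=\))\)/i',
        ],
        'escaped_path' => [
            'description' => 'Escaped path technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(\\\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}/i',
        ],
        // Fix: `\i` is not a PCRE escape; PCRE2 (PHP >= 7.3) rejects unknown
        // letter escapes, so the alternation now uses the plain letter.
        'include_icon' => [
            'description' => 'LFI (Local File Inclusion), including `.ico` file, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/@?include[\s]*(\([\s]*)?("|\\\')([^"\\\']*)(\.|\\\\056\\\\046\\\\2E)(i|\\\\151|\\\\x69|\\\\105)(c|\\\\143\\\\099\\\\x63)(o|\\\\157\\\\111|\\\\x6f)(\"|\\\')((?=\))\))?/mi',
        ],
        'backdoor_code' => [
            'description' => 'Backdoor that checks to see if the user is a web spider and if not, retrieves data from another webserver and displays it to the visitor',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/eva1fYlbakBcVSir/i',
        ],
        'infected_comment' => [
            'description' => 'Comments composed by 5 random chars usually used to detect if a file is infected yet',
            'level' => CodeMatch::WARNING,
            'pattern' => '/\/\*[a-z0-9]{5}\*\//i',
        ],
        'hex_char' => [
            'description' => 'Hex char is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\\\\[Xx](5[Ff])/i',
        ],
        'hacked_by' => [
            'description' => 'Hacker credits',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/hacked[\s]*by/i',
        ],
        'killall' => [
            'description' => 'RCE (Remote Code Execution) that allow remote attackers to kill processes on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/killall[\s]*\-9/i',
        ],
        'globals_concat' => [
            'description' => 'Concatenation of globals vars technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$GLOBALS\[[\s]*\$GLOBALS[\\\'[a-z0-9]{4,}\\\'\]/i',
        ],
        'globals_assign' => [
            'description' => 'Global vars assignment is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$GLOBALS\[\\\'[a-z0-9]{5,}\\\'\][\s]*=[\s]*\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\./i',
        ],
        'base64_long' => [
            'description' => 'Long Base64 encoded text is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/[\\\'\"][A-Za-z0-9+\/]{260,}={0,3}[\\\'\"]/',
        ],
        // Fix: the `/` in `text/plain` was unescaped and terminated the pattern
        // early ("Unknown modifier 'p'"); it is now `text\/plain`.
        'base64_inclusion' => [
            'description' => 'LFI (Local File Inclusion), through a Base64 inclusion, allow remote attackers to inject and execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/@?include[\s]*(\([\s]*)?("|\\\')data\:text\/plain;base64[\s]*\,[\s]*\$_GET\[[^\]]+\](\\\'|")[\s]*((?=\))\))?/si',
        ],
        'clever_include' => [
            'description' => 'LFI (Local File Inclusion), through a image inclusion, allow remote attackers to inject and execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/@?include[\s]*(\([\s]*)?("|\\\')[\s]*[^\.]+\.(png|jpe?g|gif|bmp|ico).*?("|\\\')[\s]*((?=\))\))?/i',
        ],
        'basedir_bypass' => [
            'description' => 'Basedir bypass used for manipulate files or execute code outside the base directory set on the server configuration',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/curl_init[\s]*\([\s]*[\"\\\']file:\/\/.*?(?=\))\)/i',
        ],
        'basedir_bypass2' => [
            'description' => 'Basedir bypass used for manipulate files or execute code outside the base directory set on the server configuration',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/file\:file\:\/\//i',
        ],
        // NOTE(review): `{,256}` is a literal for older PCRE2 and a `{0,256}`
        // quantifier for newer releases (Perl 5.34 semantics). Left untouched
        // because the quantifier reading would match nearly every `function`
        // keyword; the intended semantics should be confirmed upstream.
        'non_printable' => [
            'description' => 'Non printable technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(function|return|base64_decode).{,256}[^\\x00-\\x1F\\x7F-\\xFF]{3}/i',
        ],
        'double_var' => [
            'description' => 'Double var technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/\${[\s]*\${.*?}(.*)?}/i',
        ],
        'double_var2' => [
            'description' => 'Double var technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/\${\$[0-9a-zA-z]+}/i',
        ],
        // Fix: `\[\s]*` was a literal `[`, one whitespace and an optional run
        // of `]`; the intended optional-whitespace class is `[\s]*`.
        'global_save' => [
            'description' => 'Globals assignment technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/[\s]*=[\s]*\$GLOBALS[\s]*\;[\s]*\$[\s]*\{/i',
        ],
        // ${"\xFF"}-style variable names; IonCube emits this form as well
        'hex_var' => [
            'description' => 'Hex var technique is usually used for the obfuscation of malicious code, it is also used by IonCube',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$\{[\s]*[\'"]\\\\x.*?(?=\})\}/i',
        ],
        'register_function' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/register_[a-z]+_function[\s]*\([\s]*[\\\'\"][\s]*(eval|assert|passthru|exec|include|system|shell_exec|`).*?(?=\))\)/i',
        ],
        'safemode_bypass' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\x00\/\.\.\/|LD_PRELOAD/i',
        ],
        'ioncube_loader' => [
            'description' => 'IonCube is a PHP encoder and hence a module/library for protected functions and often used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/IonCube\_loader/i',
            'link' => 'https://www.ioncube.com',
        ],
        'nano' => [
            'description' => 'Nano is a family of PHP webshells which are code golfed to be extremely stealthy and efficient',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$[a-z0-9-_]+\[[^]]+\]\((?<=\().*?(?=\))\)/',
            'link' => 'https://github.com/s0md3v/nano',
        ],
        'nano2' => [
            'description' => 'Nano is a family of PHP webshells which are code golfed to be extremely stealthy and efficient',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/base64_decode[^;]+getallheaders/',
            'link' => 'https://github.com/s0md3v/nano',
        ],
        // functions that take a callback as 1st parameter
        'execution' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine via HTTP',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)[\s]*\([\s]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/',
            'link' => 'https://cwe.mitre.org/data/definitions/77.html, https://cwe.mitre.org/data/definitions/78.html',
        ],
        // functions that take a callback as 2nd parameter
        'execution2' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine via HTTP',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)[\s]*\([\s]*[^,]+,[\s]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/',
            'link' => 'https://cwe.mitre.org/data/definitions/77.html, https://cwe.mitre.org/data/definitions/78.html',
        ],
        // functions that take a callback as their last parameter
        'execution3' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine via HTTP',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\b(array_(diff|intersect)_u(key|assoc)|array_udiff)[\s]*\([\s]*([^,]+[\s]*,?)+[\s]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER))[\s]*\[[^]]+\][\s]*\)+[\s]*;/',
            'link' => 'https://cwe.mitre.org/data/definitions/77.html, https://cwe.mitre.org/data/definitions/78.html',
        ],
        'shellshock' => [
            'description' => 'Shell shock technique is usually used for the obfuscation of malicious code using PHP functions',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\(\)[\s]*{[\s]*[a-z:][\s]*;[\s]*}[\s]*;/',
        ],
        'silenced_eval' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/@eval[\s]*\((?<=\().*?(?=\))\)/',
        ],
        'silence_inclusion' => [
            'description' => 'LFI (Local File Inclusion), through a silent inclusion, allow remote attackers to inject and execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/@(include|include_once|require|require_once)[\s\r\n]+([\s]*\()?("|\\\')([^"\\\']*)(\\\\x[0-9a-f]{2,}.*?){2,}([^"\\\']*)("|\\\')[\s]*((?=\))\))?/si',
        ],
        // Fix: `\\[0-9]` reached PCRE as `\[0-9]` (a literal `[`), so octal
        // escapes were never matched; `\\\\` yields the intended literal
        // backslash, consistent with `silence_inclusion` above.
        'silence_inclusion2' => [
            'description' => 'LFI (Local File Inclusion), through a silent inclusion, allow remote attackers to inject and execut arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/@(include|include_once|require|require_once)[\s\r\n]+([\s]*\()?("|\\\')([^"\\\']*)(\\\\[0-9]{3,}.*?){2,}([^"\\\']*)("|\\\')[\s]*((?=\))\))?/si',
        ],
        'ssi_exec' => [
            'description' => 'SSI (Server-Side Includes) injection allows the exploitation of a web application by injecting malicious code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\<\!\-\-\#exec[\s]*cmd\=/i',
            'link' => 'https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection, http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec',
        ],
        'htaccess_handler' => [
            'description' => 'RCE (Remote Code Execution), through Htaccess handler x-httpd-php/cgi, interpreting PHP code, allow remote attackers to execute PHP code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/SetHandler[\s]*application\/x\-httpd\-(php|cgi)/i',
        ],
        'htaccess_type' => [
            'description' => 'RCE (Remote Code Execution), through Htaccess add type x-httpd-php/cgi, interpreting PHP code, allow remote attackers to execute PHP code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/AddType\s+application\/x-httpd-(php|cgi)/i',
        ],
        'file_prepend' => [
            'description' => 'LFI (Local File Inclusion), prepending a file at the bottom of every others PHP files, allow remote attackers to inject and execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/php_value[\s]*auto_prepend_file/i',
        ],
        'iis_com' => [
            'description' => 'RCE (Remote Code Execution), through ISS Server, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::WARNING,
            'pattern' => '/IIS\:\/\/localhost\/w3svc/i',
        ],
        'reversed' => [
            'description' => 'Reverse function technique is used for the obfuscation of dangerous PHP functions',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(noitcnuf\_etaerc|metsys|urhtssap|edulcni|etucexe\_llehs|ecalper\_rts|ecalper_rts)/i',
        ],
        'rawurlendcode_rot13' => [
            'description' => 'Raw url decode and rot13 string together technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/rawurldecode[\s]*\(str_rot13[\s]*\((?<=\().*?(?=\))\)/i',
        ],
        'serialize_phpversion' => [
            'description' => 'RCE (Remote Code Execution), unserializing php version, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\@serialize[\s]*\([\s]*(Array\(|\[)[\'"]php[\'"][\s]*\=\>[\s]*\@phpversion[\s]*\((?<=\().*?(?=\))\)/si',
        ],
        'md5_create_function' => [
            'description' => 'The `create_function` technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$md5[\s]*=[\s]*.*create_function[\s]*\(.*?\);[\s]*\$.*?\)[\s]*;/si',
        ],
        'god_mode' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\/\*god_mode_on\*\/eval\(base64_decode\([\"\\\'][^\"\\\']{255,}[\"\\\']\)\);[\s]*\/\*god_mode_off\*\//si',
        ],
        'wordpress_filter' => [
            'description' => 'Wordpress Filter RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\$md5[\s]*=[\s]*[\"|\\\']\w+[\"|\\\'];[\s]*\$wp_salt[\s]*=[\s]*[\w\(\),\"\\\'\;$]+[\s]*\$wp_add_filter[\s]*=[\s]*create_function\(.*?\);[\s]*\$wp_add_filter\(.*?\);/si',
        ],
        'password_protection_md5' => [
            'description' => 'MD5 Password protection file, typically used on web shells',
            'level' => CodeMatch::WARNING,
            'pattern' => '/md5[\s]*\([\s]*@?\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)[\s]*===?[\s]*[\\\'\"][0-9a-f]{32}[\\\'\"]/si',
        ],
        'password_protection_sha' => [
            'description' => 'SHA Password protection file, typically used on web shells',
            'level' => CodeMatch::WARNING,
            'pattern' => '/sha[\d]+[\s]*\([\s]*@?\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)[\s]*===?[\s]*[\\\'\"][0-9a-f]{40}[\\\'\"]/si',
        ],
        'custom_math' => [
            'description' => 'Custom math technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/%\(\d+[\s]*\-[\s]*\d+[\s]*\+[\s]*\d+\)[\s]*==[\s]*\([\s]*\-[\s]*\d+[\s]*\+[\s]*\d+[\s]*\+[\s]*\d+[\s]*\)/si',
        ],
        'custom_math2' => [
            'description' => 'Custom math technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/\([\s]*\$[a-zA-Z0-9]+%\d[\s]*==[\s]*\([\s]*\d+[\s]*\-[\s]*\d+[\s]*\+[\s]*\d+[\s]*\)/si',
        ],
        // Fix: the pattern had no delimiters, so preg_match() rejected it
        // ("Delimiter must not be alphanumeric"); `i` added because PHP
        // keywords are case-insensitive.
        'uncommon_function' => [
            'description' => 'Function name technique usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/function\s+_[0-9]{8,}[\s]*\([\s]*(?<=\().*?(?=\))\)/i',
        ],
        'download_remote_code' => [
            'description' => 'RFU (Remote File Upload), via HTTP, allow to write malicious code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/file_get_contents[\s]*\([\s]*base64_url_decode[\s]*\([\s]*@*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/i',
        ],
        'download_remote_code2' => [
            'description' => 'RFU (Remote File Upload), via HTTP, allow to write malicious code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/fwrite[\s]*(\(\w+\((?<=\().*?(?=\))\))?[^\)]*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si',
        ],
        // Fix: `@?*` stacks two quantifiers, which PCRE rejects ("quantifier
        // does not follow a repeatable item"); `@*` matches its sibling
        // `download_remote_code`.
        'download_remote_code3' => [
            'description' => 'RFU (Remote File Upload), via HTTP, allow to write malicious code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(file_get_contents|fwrite)[\s]*\([\s]*@*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si',
            'link' => 'https://www.acunetix.com/blog/articles/local-file-inclusion-lfi',
        ],
        'download_remote_code_web' => [
            'description' => 'RFU (Remote File Upload), from external website, allow to write malicious code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(file_get_contents|file_put_contents)[\s]*\([\s]*[\'"]https?:\/\/(codepad|pastebin|controlc|hastebin|justpaste|privatebin|cryptbin|zerobin)\.(org|com|net|in|me).*?(?=\))\)/i',
        ],
        'php_uname' => [
            'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/php_uname[\s]*\([\s]*["\'asrvm]+[\s]*\)/si',
        ],
        'etc_passwd' => [
            'description' => 'The `/etc/passwd` file on Unix systems contains password information, an attacker who has accessed the `etc/passwd` file may attempt a brute force attack of all passwords on the system',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(\/)*etc\/+passwd\/*/si',
        ],
        'etc_shadow' => [
            'description' => 'The `/etc/shadow` file on Unix systems contains password information, an attacker who has accessed the `etc/shadow` file may attempt a brute force attack of all passwords on the system',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(\/)*etc\/+shadow\/*/si',
        ],
        'explode_chr' => [
            'description' => 'RCE (Remote Code Execution), exploding chars, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/explode[\s]*\(chr[\s]*\([\s]*\(?\d{3}([\s]*-[\s]*\d{3})?[\s]*\).*?(?=\))\)/i',
        ],
        'imap_open' => [
            'description' => 'RCE (Remote Code Execution), through imap_open, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/imap_open\([\'"]{[\'"][\s]*\.[\s]*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/i',
            'link' => 'https://bugs.php.net/bug.php?id=76428',
        ],
        'imap_open_proxy' => [
            'description' => 'RCE (Remote Code Execution), through imap, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/x[\s]*\-oProxyCommand[\s]*\=(.*?\|base64(\\\\t\-d)?(\|sh)?)?/i',
        ],
        // Fix: `\\[0-9a-fx]` reached PCRE as `\[0-9a-fx]` (a literal `[`), so
        // hex escapes were never matched; `\\\\` yields a literal backslash.
        'exec_escaped' => [
            'description' => 'RCE (Remote Code Execution), through exec escaped chars, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/exec[\s]*[\s]*\([\s]*[\'"][\s]*([\s]*\\\\[0-9a-fx]{2,3}[\s]*){3,}/i',
        ],
        'urldecode_concat' => [
            'description' => 'RCE (Remote Code Execution), through concatenated text encoded with urldecode or rawurldecode, allow remote attackers to execute arbitrary commands or code on the target machine',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/(\$[a-z]{2,}[\s]*=[\s]*(urldecode|rawurldecode)[\s]*\([\s]*\$_(GET|REQUEST|POST|COOKIE|SERVER)[\s]*\[[\s]*\'[\s]*[a-z]{2,}[\s]*\'[\s]*\][\s]*\)[\s]*;[\s]*){3,}/i',
        ],
        'xor_post_payload' => [
            'description' => 'XOR post technique is usually used for the obfuscation of malicious code',
            'level' => CodeMatch::WARNING,
            'pattern' => '/([\s]*\$\w+[\s]*\[[\s]*\$\w+[\s]*%[\s]*strlen[\s]*\([\s]*\$\w+\)[\s]*\][\s]*\;?[\s]*){2,}/i',
        ],
        'source_guardian' => [
            'description' => 'SourceGuardian is a PHP encoder often used for the obfuscation of malicious code',
            'level' => CodeMatch::DANGEROUS,
            'pattern' => '/[;\s]*sg\_load[\s]*\([\s]*[\\\'\"][A-Za-z0-9+\/]{150,}={0,3}[\\\'\"][\s]*\)/i',
            'link' => 'https://www.sourceguardian.com',
        ],
    ];

    /**
     * Get all exploits.
     *
     * Returns a copy of the full definition table; callers may modify the
     * returned array without affecting the defaults.
     *
     * @return array[] definitions keyed by exploit identifier
     */
    public static function getAll()
    {
        return self::$default;
    }

    /**
     * Get lite exploits.
     *
     * Same table as {@see getAll()} with a few high-noise signatures loosened
     * (higher repetition thresholds, narrower function list) and three
     * removed (`nano`, `double_var2`, `base64_long`).
     *
     * @return array[] definitions keyed by exploit identifier
     */
    public static function getLite()
    {
        $exploits = self::$default;

        // Function that takes a callback as 1st parameter.
        // Fix: the superglobal alternative was written `\\?\$_`, which PHP
        // turns into `\?\$_` -- a literal `?` before `$_` -- so `eval($_GET[..])`
        // never matched in lite mode; it now mirrors the default pattern's
        // optional backslash and `@`.
        $exploits['execution']['pattern'] = '/\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/';
        // Concatenation of more than 8 words, with spaces
        $exploits['concat_vars_with_spaces']['pattern'] = '/(\$([a-zA-Z0-9]+)[\s\r\n]*\.[\s\r\n]*){8}/';
        // Concatenation of more than 8 indexed array elements, with spaces
        $exploits['concat_vars_array']['pattern'] = '/(\$([a-zA-Z0-9]+)(\{|\[)([0-9]+)(\}|\])[\s\r\n]*\.[\s\r\n]*){8}.*?(?=\})\}/i';

        unset(
            $exploits['nano'],
            $exploits['double_var2'],
            $exploits['base64_long']
        );

        return $exploits;
    }
}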