php webshell扫描后门木马实例程序
本文章来给大家介绍一个php webshell扫描后门木马实例程序,这个可以扫描你网站上的木马程序,这个给大家找网站木马提供了很大的方便.
php webshell扫描后门木马实例程序代码如下:
<?php
/**********************
php扫描后门
**********************/
error_reporting(E_ERROR);
ini_set('max_execution_time', 20000);
ini_set('memory_limit', '512M');
header("content-Type: text/html; charset=gb2312");
$matches = array(
'/function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|system|passthru)+[\'|\"]\s*\)/i',
'/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*\)/i',
'/((udp|tcp)\:\/\/(.*)\;)+/i',
'/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
'/preg\_replace\s*\((.*)\(base64\_decode\(\$/i',
'/(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*(base64\_decode|str\_rot13|gz(\w+)|file\_(\w+)\_contents|(.*)php\:\/\/input)+/i',
'/(eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk)+\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*\)/i',
'/eval\s*\(\s*\(\s*\$\$(\w+)/i',
'/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+)\.(jpg|gif|ico|bmp|png|txt|zip|rar|htm|css|js)+[\'|\"]\s*\)/i',
'/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*\$(\w+)\s*\)/i',
'/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*\)/i',
'/(fopen|fwrite|fputs|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)\)/i',
'/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i',
'/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i',
'/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i',
'/\$\_\=(.*)\$\_/i',
'/\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i',
'/\$(\w+)\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i',
'/\$(\w+)\(\$\{(.*)\}/i'
);
function antivirus($dir, $exs, $matches) {
if (($handle = @opendir($dir)) == NULL) return false;
while (false !== ($name = readdir($handle))) {
if ($name == '.' || $name == '..') continue;
$path = $dir . $name;
if (is_dir($path)) {
if (is_readable($path)) antivirus($path . '/', $exs, $matches);
} elseif (strpos($name, ';') > - 1 || strpos($name, '%00') > - 1 || strpos($name, '/') > - 1) {
echo '<p>特征 <input type="text" style="width:218px;" value="解析漏洞"> ' . $path . '</p>';
flush();
ob_flush();
} else {
if (!preg_match($exs, $name)) continue;
if (filesize($path) > 10000000) continue;
$fp = fopen($path, 'r');
$code = fread($fp, filesize($path));
fclose($fp);
if (emptyempty($code)) continue;
foreach ($matches as $matche) {
$array = array();
preg_match($matche, $code, $array);
if (!$array) continue;
if (strpos($array[0], "\x24\x74\x68\x69\x73\x2d\x3e")) continue;
$len = strlen($array[0]);
if ($len > 10 && $len < 1500) {
echo '<p>特征 <input type="text" style="width:218px;" value="' . htmlspecialchars($array[0]) . '"> ' . $path . '</p>';
flush();
ob_flush();
break;
}
}
unset($code, $array);
}
}
closedir($handle);
return true;
}
function strdir($str) {
return str_replace(array(
'\\',
'//',
'//'
) , array(
'/',
'/',
'/'
) , chop($str));
}
echo '<form method="POST">';
echo '<p>路径: <input type="text" name="dir" value="' . ($_POST['dir'] ? strdir($_POST['dir'] . '/') : strdir($_SERVER['DOCUMENT_ROOT'] . '/')) . '" style="width:398px;"></p>';
echo '<p>后缀: <input type="text" name="exs" value="' . ($_POST['exs'] ? $_POST['exs'] : '.php|.inc|.phtml') . '" style="width:398px;"></p>';
echo '<p>操作: <input type="submit" style="width:80px;" value="scan"></p>';
echo '</form>';
if (file_exists($_POST['dir']) && $_POST['exs']) {
$dir = strdir($_POST['dir'] . '/');
$exs = '/(' . str_replace('.', '\\.', $_POST['exs']) . ')/i';
echo antivirus($dir, $exs, $matches) ? '<p>扫描完毕</p>' : '<p>扫描中断</p>';
}教程链接:http://www.phprm.com/develop/fs4618.html
随意转载~但请保留教程地址★