Publicado el 17/11/2011 12:11:00 en Seguridad.
Author: KiKoArg
Bueno, siguiendo el artículo de n4ch0m4n en donde comparte un script escrito en bash, acá pongo uno en PHP que uso desde hace tiempo.
El lado positivo de usar PHP es que no necesitas un backconnect para correr el script en bash anterior.
Sin más, el código (no me acuerdo de la fuente)...
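<head> <style> *{ background-color:#000000; color:#CCCCCC; font-family:Verdana; font-size:10px; } #boton{ background:none; border:solid; border-width:1px; } a,a:link,a:visited,a:active { color:#ffffff; text-decoration:none; } a:hover { color:#CCCCCC; } .style1{color: #00FF00;} </style> </head>
<?php
/*
 * Webshell scanner.
 *
 * Walks a directory tree and reports files that look like known webshells
 * (c99, c100, r57, erne, Safe_Over, cmd_asp) by matching fixed signature
 * strings. Optionally a heuristic pass scores unknown files by the share of
 * "suspicious" words they contain. The heuristic list is deliberately broad
 * ("get", "copy", "port", ... appear in plenty of legitimate code), so treat
 * [_ALERT] lines as leads to review, not as verdicts.
 *
 * Usage (every argument is optional):
 *   -e Y/N   enable or disable the heuristic pass (default: enabled)
 *   -p N     0-100, percentage of heuristic words that must be present
 *            before a file is reported (default: 40)
 *   -f FILE  check a single file
 *   -d DIR   check a single directory tree
 *   -h       print usage
 * With no -d/-f the scan recurses from the current directory.
 *
 * Output is HTML: the script was written to be run through a web server.
 * Originally "powered by Dr. p3p1t0".
 */

/* Words whose presence raises the heuristic score (matched case-insensitively). */
$euristic__ = array(
    "fopen", "file(", "file_get_contents", "sql", "opendir", "perms", "port",
    "eval", "system", "exec", "rename", "copy", "delete", "hack", "(\$_",
    "phpinfo", "uname", "glob", "is_writable", "is_readable",
    "get_magic_quotes_gpc()", "move_uploaded_file", "\$dir", "& 00", "get",
    "pirulin", "owned", "deface",
);

/* Per-family signature strings. A file containing three of a family's strings is reported as that family. */
$word__ = array(
    "c99" => array("c999shexit();", "setcookie(\"c999sh_surl\");", "c999_buff_prepare();"),
    "c100" => array("\$back_connect_c=\"f0VMRgEBAQA", "function myshellexec(\$command) {", "tEY87ExcilDfgAMhwqM74s6o"),
    "r57" => array("if(strpos(ex(\"echo abcr57\"),\"r57\")!=3)", "function ex(\$cfe)", "\$port_bind_bd_c=\"I2luY2x1ZGUg"),
    "erne" => array("function unix2DosTime(\$unixtime = 0)", "eh(\$errno, \$er", "\$mtime=@date(\"Y-m-d H:i:s\",@filemti"),
    "Safe_Over" => array("function walkArray(\$array){", "function printpagelink(\$a, \$b, \$link = \"\")", "if (\$cmd != \"downl\")"),
    "cmd_asp" => array(" ' -- Read th", "ll oFileSys.D", "Author: Maceo"),
);

/* Defaults; overridden by -e and -p below. */
$euristic_active = true;
$euristic_sens = 40;

// $argv only exists on the CLI (or with register_argc_argv enabled); under a
// plain web SAPI the scan just runs from "." with the defaults.
$args = isset($argv) ? $argv : array();
$argn = count($args);
for ($i = 1; $i < $argn; $i++) {
    $opt = $args[$i];
    // The value that follows the option, if there is one (avoids an undefined-index notice).
    $val = isset($args[$i + 1]) ? $args[$i + 1] : null;
    if ($opt == "-h") {
        help($args[0]);
    } elseif ($opt == "-e") {
        if ($val === "Y" || $val === "N") {
            $euristic_active = ($val === "Y");
            $i++; // value consumed
        }
    } elseif ($opt == "-p") {
        // Clamp to 0..100 so "-p abc" or "-p 500" cannot silently disable the heuristic.
        $euristic_sens = max(0, min(100, intval($val)));
        $i++; // value consumed
    } elseif ($opt == "-d") {
        if ($val === null) {
            help($args[0]);
        }
        dir_scan($val);
        exit;
    } elseif ($opt == "-f") {
        if ($val === null) {
            help($args[0]);
        }
        a($val);
        exit;
    }
}
dir_scan(".");

/**
 * Escape a string for the HTML report. Byte-wise (ISO-8859-1) so a file name
 * that is not valid UTF-8 is still printed rather than collapsed to "";
 * a planted file name cannot inject markup into the report.
 */
function esc($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'ISO-8859-1');
}

/**
 * Recursively scan directory $name, handing every regular file to a().
 * Symlinked directories are not followed (a link loop would otherwise
 * recurse forever) and the scanner itself is skipped by real path, since this
 * file contains every signature it looks for.
 */
function dir_scan($name)
{
    if (!is_dir($name)) {
        echo esc($name) . " is not a dir \n";
        return;
    }
    $handle = @opendir($name);
    if ($handle === false) {
        echo "<font color='red'>i can't open " . esc($name) . " dir </font> <br>";
        return;
    }
    while (false !== ($entry = readdir($handle))) {
        if ($entry == '.' || $entry == '..') {
            continue;
        }
        $path = $name . "/" . $entry;
        if (realpath($path) === __FILE__) {
            continue;
        }
        if (is_dir($path)) {
            if (!is_link($path)) {
                dir_scan($path);
            }
        } else {
            a($path);
        }
    }
    closedir($handle);
}

/**
 * Examine one file: exact signature match first, heuristic score second.
 * Unreadable paths and non-files are reported as unopenable; an empty file
 * is readable (file_get_contents returns "") and is simply clean.
 */
function a($file)
{
    global $euristic_active;
    global $euristic_sens;
    $content = (is_file($file) && is_readable($file)) ? file_get_contents($file) : false;
    if ($content === false) {
        echo "i can't open " . esc($file) . " file <br>";
        return;
    }
    $shell = check($content);
    if ($shell !== false) {
        echo "[DANGER] word_list > " . esc($file) . " <h2><font color='green'> probably " . esc($shell) . " shell </font></h2><br>";
        return;
    }
    if ($euristic_active) {
        $score = check_euristic($content);
        if ($score > $euristic_sens) {
            echo "[_ALERT] euristic $score%> " . esc($file) . " <h1><font color='green'>probably is a shell</font></h1> <br>";
        }
    }
}

/**
 * Signature match. Returns the name of the first family with at least three
 * of its signature strings present in $string (case-insensitive), else false.
 * Hits are counted per family: the previous counter carried over between
 * families, so one c99 string plus two strings of later families was
 * reported as whichever family happened to push the count to three.
 */
function check($string)
{
    global $word__;
    foreach ($word__ as $shell => $signatures) {
        $hits = 0;
        foreach ($signatures as $signature) {
            if (stripos($string, $signature) !== false) {
                $hits++;
            }
        }
        if ($hits >= 3) {
            return $shell;
        }
    }
    return false;
}

/**
 * Heuristic score: percentage (0-100, truncated) of the words in $euristic__
 * found in $string, case-insensitively.
 */
function check_euristic($string)
{
    global $euristic__;
    $total = count($euristic__);
    if ($total === 0) {
        return 0;
    }
    $found = 0;
    foreach ($euristic__ as $word) {
        if (stripos($string, $word) !== false) {
            $found++;
        }
    }
    return intval(($found * 100) / $total);
}

/**
 * Print usage ($me is the script name as invoked) and stop.
 */
function help($me)
{
    echo "Dr. nefasto shell scanner <br>". "$me {-e [euristic method default = Y] Y/N -p [[0-100] euristic sensibility fewer == most feeble ] [-d [directory] / -f [file] ]} <br>". "exemple: $me -e N -d /tmp\n" ;
    exit;
}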