function pcre_error($par_FN, $par_Index)
{
global $g_NotRead, $g_Structure;
$err = preg_last_error();
if ($err == PREG_BACKTRACK_LIMIT_ERROR || $err == PREG_RECURSION_LIMIT_ERROR) {
if (!in_array($par_Index, $g_NotRead)) {
$g_NotRead[] = $par_Index;
AddResult('[re] ' . $par_FN, $par_Index);
}
return true;
}
return false;
}
function CriticalPHP($l_FN, $l_Index, $l_Content, &$l_Pos, &$l_SigId)
{
global $g_ExceptFlex, $gXX_FlexDBShe, $gX_FlexDBShe, $g_FlexDBShe, $gX_DBShe, $g_DBShe, $g_Base64, $g_Base64Fragment, $g_CriticalFiles, $g_CriticalEntries;
// H24LKHLKJHKLHJGJG4567869869GGHJ
// need check file (by extension) ?
$l_SkipCheck = SMART_SCAN;
if ($l_SkipCheck) {
foreach ($g_CriticalFiles as $l_Ext) {
if (strpos($l_FN, $l_Ext) !== false) {
$l_SkipCheck = false;
break;
}
}
}
// need check file (by signatures) ?
if ($l_SkipCheck && preg_match('~' . $g_CriticalEntries . '~smiS', $l_Content, $l_Found)) {
$l_SkipCheck = false;
}
if (strpos($l_FN, '.php.') !== false) {
$g_Base64[] = $l_Index;
$g_Base64Fragment[] = '".php."';
$l_Pos = 0;
if (DEBUG_MODE) {
echo "CRIT 7: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
}
AddResult($l_FN, $l_Index);
}
// if not critical - skip it
if ($l_SkipCheck && SMART_SCAN) {
if (DEBUG_MODE) {
echo "Skipped file, not critical.\n";
}
return false;
}
foreach ($g_FlexDBShe as $l_Item) {
if (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
if (!CheckException($l_Content, $l_Found)) {
$l_Pos = $l_Found[0][1];
$l_SigId = myCheckSum($l_Item);
if (DEBUG_MODE) {
echo "CRIT 1: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
}
return true;
}
}
}
if (AI_EXPERT > 1) {
foreach ($gXX_FlexDBShe as $l_Item) {
if (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
if (!CheckException($l_Content, $l_Found)) {
$l_Pos = $l_Found[0][1];
$l_SigId = myCheckSum($l_Item);
if (DEBUG_MODE) {
echo "CRIT 2: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
}
return true;
}
}
}
}
if (AI_EXPERT > 0) {
foreach ($gX_FlexDBShe as $l_Item) {
if (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
if (!CheckException($l_Content, $l_Found)) {
$l_Pos = $l_Found[0][1];
$l_SigId = myCheckSum($l_Item);
if (DEBUG_MODE) {
echo "CRIT 3: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
}
return true;
}
}
}
}
$l_Content_lo = strtolower($l_Content);
foreach ($g_DBShe as $l_Item) {
$l_Pos = strpos($l_Content_lo, $l_Item);
if ($l_Pos !== false) {
$l_SigId = myCheckSum($l_Item);
if (DEBUG_MODE) {
echo "CRIT 4: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
}
return true;
}
}
if (AI_EXPERT) {
foreach ($gX_DBShe as $l_Item) {
$l_Pos = strpos($l_Content_lo, $l_Item);
if ($l_Pos !== false) {
$l_SigId = myCheckSum($l_Item);
if (DEBUG_MODE) {
echo "CRIT 5: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
}
return true;
}
}
if (strpos($l_FN, '.ph') !== false && AI_EXPERT > 1) {
// for php only
$g_Specials = array(');#');
foreach ($g_Specials as $l_Item) {
$l_Pos = stripos($l_Content, $l_Item);
if ($l_Pos !== false) {
$l_SigId = myCheckSum($l_Item);
return true;
}
}
}
}
if (strpos($l_Content, 'GIF89') === 0 && strpos($l_FN, '.php') !== false) {
$l_Pos = 0;
if (DEBUG_MODE) {
echo "CRIT 6: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
}
return true;
}
// detect uploaders / droppers
if (AI_EXPERT > 1) {
$l_Found = null;
if (filesize($l_FN) < 1024 && strpos($l_FN, '.ph') !== false && (($l_Pos = strpos($l_Content, 'multipart/form-data')) > 0 || ($l_Pos = strpos($l_Content, '$_FILE[') > 0) || ($l_Pos = strpos($l_Content, 'move_uploaded_file')) > 0 || preg_match('|\\bcopy\\s*\\(|smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE))) {
if ($l_Found != null) {
$l_Pos = $l_Found[0][1];
}
if (DEBUG_MODE) {
echo "CRIT 7: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
}
return true;
}
}
// count number of base64_decode entries
$l_Count = substr_count($l_Content, 'base64_decode');
if ($l_Count > 10) {
$g_Base64[] = $l_Index;
$g_Base64Fragment[] = getFragment($l_Content, stripos($l_Content, 'base64_decode'));
if (DEBUG_MODE) {
echo "CRIT 10: {$l_FN} matched\n";
}
AddResult($l_FN, $l_Index);
}
return false;
}
