function rs_wpss_magic_parser($keyphrase_needles = array(), $haystack = NULL)
{
/**
* The Magic Parser
* Magically parse a large string of text for a number of keyphrases
* The "magic" is that this will check for all kinds of text variations, accents, plurals, 1337 (LEET), etc.
* Extremely accurate...same mechanism used in the rs_wpss_anchortxt_blacklist_chk() function
* @since 1.9.7.8
* @param array $keyphrase_needles The array containing keyphrases to search haystack for
* @param string $haystack The string of text to search. This works well for large chunks of text such as contact form submissions.
* @return bool TRUE if haystack contains any of the keyphrase needles, FALSE if it does not
*/
if (empty($keyphrase_needles) || empty($haystack) || !is_array($keyphrase_needles) || !is_string($haystack)) {
return FALSE;
}
foreach ($keyphrase_needles as $i => $keyphrase_needle) {
$keyphrase_needle_rgx = rs_wpss_regexify($keyphrase_needle);
$regex_check_phrase = rs_wpss_get_regex_phrase($keyphrase_needle_rgx, '', 'authorkw');
if (preg_match($regex_check_phrase, $haystack)) {
return TRUE;
}
}
return FALSE;
}
function rs_wpss_cf_content_blacklist_chk($haystack = NULL, $get_list_arr = FALSE)
{
/***
* Contact Form Content Blacklist Check
* Use for the message content of any contact form
***/
$blacklisted_content = rs_wpss_rbkmd(rs_wpss_get_cf_content_blacklist(), 'de', TRUE);
if (!empty($get_list_arr)) {
return $blacklisted_content;
}
/* Goes after array */
$blacklist_status = FALSE;
if (empty($haystack)) {
return FALSE;
}
$blacklisted_content_rgx = rs_wpss_get_regex_phrase($blacklisted_content, '', 'red_str');
$blacklisted_content_rgx = str_replace(array('email', 'disclaimer', '2007', '\\s+the\\s+', '\\s+an\\s+', '\\s+a\\s+', ','), array('e?mail', '(disclaimer|p\\.?s\\.?)', '20[0-9]{2}', '\\s+(the\\s+)?', '\\s+(an?\\s+)?', '\\s+(an?\\s+)?', ',?'), $blacklisted_content_rgx);
if (preg_match($blacklisted_content_rgx, $haystack)) {
$blacklist_status = TRUE;
}
return $blacklist_status;
}
public function check_post_sec()
{
/***
* Check if POST submission is security threat: hack attempt or vulnerability probe
***/
$site_url = WPSS_SITE_URL;
$site_dom = WPSS_SITE_DOMAIN;
$admin_url = WPSS_ADMIN_URL . '/';
$cont_url = WPSS_CONTENT_DIR_URL . '/';
$plug_url = WPSS_PLUGINS_DIR_URL . '/';
$post_count = count($_POST);
$user_agent = rs_wpss_get_user_agent();
$req_url = rs_wpss_casetrans('lower', rs_wpss_get_url());
$req_ajax = rs_wpss_is_ajax_request();
$req_404 = rs_wpss_is_404();
/* Not all WP sites return proper 404 status. The fact this security check even got activated means it was a 404. */
$req_hal = rs_wpss_get_http_accept(TRUE, TRUE, TRUE);
$req_ha = rs_wpss_get_http_accept(TRUE, TRUE);
/* IP / PROXY INFO - BEGIN */
global $wpss_ip_proxy_info;
if (empty($wpss_ip_proxy_info)) {
$wpss_ip_proxy_info = rs_wpss_ip_proxy_info();
}
extract($wpss_ip_proxy_info);
/* IP / PROXY INFO - END */
/* Short Signatures - Regex */
$rgx_sig_arr = array('-e*5l?*B-@yZ_-,8_-lSZ98BC[', '+25-Z9dCZ,87C-7CBlSZ=-C[');
foreach ($_POST as $k => $v) {
$v = rs_wpss_casetrans('lower', $v);
foreach ($rgx_sig_arr as $i => $s) {
/* Switch to single preg_match as this expands, replace nested foreach() */
$sd = rs_wpss_rbkmd($s, 'de');
if (FALSE !== strpos($v, $sd)) {
return TRUE;
}
}
}
/* Full Signatures */
$signatures = array(array('description' => 'Revslider & Showbiz Pro - AJAX Vulnerability', 'post_i_min' => 2, 'post_i_max' => 2, 'target_urls' => array('/wp-admin/admin-ajax.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('action' => 'revslider_ajax_action', 'client_action' => 'update_plugin'), array('action' => 'showbiz_ajax_action', 'client_action' => 'update_plugin'))), array('description' => 'WP Marketplace <= 2.4.0 & WP Download Manager <=2.7.4 - Remote Code Execution', 'post_i_min' => 5, 'post_i_max' => 5, 'target_urls' => array(), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('action' => 'wpmp_pp_ajax_call', 'user_login' => '*', 'execute' => 'wp_insert_user', 'role' => 'administrator', 'user_pass' => '*'), array('action' => 'wpdm_ajax_call', 'user_login' => '*', 'execute' => 'wp_insert_user', 'role' => 'administrator', 'user_pass' => '*'))), array('description' => 'WP Symposium <= 14.11 - Shell Upload Vulnerability', 'post_i_min' => 2, 'post_i_max' => 3, 'target_urls' => array('/wp-content/plugins/wp-symposium/server/php/index.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('uploader_url' => $plug_url . '/wp-symposium/server/php/', 'uploader_uid' => '1'))), array('description' => 'Ultimate Product Catalogue <= 3.11 - Multiple Vulnerabilities', 'post_i_min' => 3, 'post_i_max' => 3, 'target_urls' => array('/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-links-ompt.php', '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-includes.php', '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-styles.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('p2' => '2929', 'abc28' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'), array('p2' => '2929', 'af5f492a1' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'), array('p2' => '2929', 'e41e' => 'print $_REQUEST[\'p1\'].$_REQUEST[\'p2\']', 'p1' => '4242'))), array('description' => 'Ultimate Product Catalogue <= 3.11 - Multiple Vulnerabilities', 'post_i_min' => 1, 'post_i_max' => 1, 'target_urls' => array('/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-setup.php', '/wp-content/plugins/ultimate-product-catalogue/product-sheets/wp-includes.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('e51e' => 'die(pi());'), array('af5f492a1' => 'die(pi());'))), array('description' => 'Simple Ads Manager <= 2.5.94 - Arbitrary File Upload', 'post_i_min' => 2, 'post_i_max' => 2, 'target_urls' => array('/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('action' => 'upload_ad_image', 'path' => '*'))), array('description' => 'Work The Flow File Upload <= 2.5.2 - Shell Upload', 'post_i_min' => 1, 'post_i_max' => 1, 'target_urls' => array('/wp-content/plugins/work-the-flow-file-upload/public/assets/jquery-file-upload-9.5.0/server/php/index.php', '/assets/plugins/jquery-file-upload/server/php/index.php'), 'ajax_request' => FALSE, '404' => '*', 'session_cookie' => FALSE, 'hal_signature' => array(''), 'ha_signature' => array('', '*/*'), 'key_val_pairs' => array(array('action' => 'upload'))));
/* Run Checks Against Signatures */
foreach ($signatures as $i => $sig) {
if (!empty($sig['post_i_min']) && ($post_count < $sig['post_i_min'] || $post_count > $sig['post_i_max'])) {
continue;
}
if (!empty($sig['target_urls'])) {
$urls_rgx = rs_wpss_get_regex_phrase($sig['target_urls'], '', 'red_str');
if (!preg_match($urls_rgx, $req_url)) {
continue;
}
}
if ($sig['ajax_request'] !== '*' && $sig['ajax_request'] !== $req_ajax) {
continue;
}
if ($sig['404'] !== '*' && $sig['404'] !== $req_404) {
continue;
}
$hal_max = count($sig['hal_signature']) - 1;
$m = 0;
/* Matches */
foreach ($sig['hal_signature'] as $i => $hal_sig) {
if ($hal_sig == $req_hal) {
$m++;
}
if ($i == $hal_max && $m === 0) {
continue 2;
}
}
$ha_max = count($sig['ha_signature']) - 1;
$m = 0;
/* Matches */
foreach ($sig['ha_signature'] as $i => $ha_sig) {
if ($ha_sig == $req_ha) {
$m++;
}
if ($i == $ha_max && $m === 0) {
continue 2;
}
}
foreach ($sig['key_val_pairs'] as $i => $kvp) {
$kvp_max = count($kvp);
$m = 0;
/* Matches */
foreach ($kvp as $k => $v) {
if (!empty($_POST[$k]) && $_POST[$k] === $v || $v === '*' && isset($_POST[$k])) {
$m++;
}
if ($m === $kvp_max) {
return TRUE;
}
}
}
}
return FALSE;
}
