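/**
 * Scan one file's content against the "critical" PHP malware signature sets.
 *
 * Checks run in a fixed order and the function returns on the first hit:
 *   CRIT 1-3  regex signatures ($g_FlexDBShe, $gXX_FlexDBShe, $gX_FlexDBShe),
 *             each hit filtered through CheckException()
 *   CRIT 4-5  plain substring signatures against the lower-cased content
 *   CRIT 6    content starting with "GIF89" in a file whose name contains ".php"
 *   CRIT 7    small (< 1024 bytes) ".ph*" file containing upload/copy primitives
 * AI_EXPERT gates the extended sets: > 0 enables the gX_* sets and CRIT 6,
 * > 1 additionally enables $gXX_FlexDBShe and CRIT 7.
 *
 * @param string $l_FN      Path of the file being scanned (also passed to filesize()).
 * @param mixed  $l_Index   Caller's index for this file; not used by the active code here.
 * @param string $l_Content File content to scan.
 * @param mixed  $l_Pos     Out: byte offset of the match. May be left as false when
 *                          nothing matched.
 * @param mixed  $l_SigId   Out: signature id for CRIT 1-5; not set by CRIT 6/7.
 *
 * @return bool true when a signature or heuristic matched, false otherwise
 *              (including files skipped by SMART_SCAN).
 */
function CriticalPHP($l_FN, $l_Index, $l_Content, &$l_Pos, &$l_SigId) {
    global $g_ExceptFlex, $gXX_FlexDBShe, $gX_FlexDBShe, $g_FlexDBShe, $gX_DBShe, $g_DBShe, $g_Base64, $g_Base64Fragment, $g_CriticalFiles, $g_CriticalEntries;

    // 97ff76a1606109aee90c58f0d335abf3 H24LKHGHCGHFHGKJHGKJHGGGHJ

    // need check file (by extension) ?
    // The extension is matched as a substring anywhere in the path, which
    // errs on the side of scanning more files rather than fewer.
    $l_SkipCheck = SMART_SCAN;

    if ($l_SkipCheck) {
        foreach ($g_CriticalFiles as $l_Ext) {
            if (strpos($l_FN, $l_Ext) !== false) {
                $l_SkipCheck = false;
                break;
            }
        }
    }

    // need check file (by signatures) ?
    if ($l_SkipCheck && preg_match('~' . $g_CriticalEntries . '~smiS', $l_Content, $l_Found)) {
        $l_SkipCheck = false;
    }

    // if not critical - skip it
    if ($l_SkipCheck && SMART_SCAN) {
        if (DEBUG_MODE) {
            echo "Skipped file, not critical.\n";
        }

        return false;
    }

    // The double-extension ('.php.') file-name check is disabled in this version.

    // NOTE(review): preg_match() returns false on a PCRE error (for example a
    // backtrack limit being hit). Every regex loop below treats that the same
    // as "no match", so the file passes that signature silently. Consider
    // checking preg_last_error() and surfacing the failure; the original
    // carried a disabled pcre_error() hook at these points.
    foreach ($g_FlexDBShe as $l_Item) {
        // Keep searching past matches that CheckException() whitelists, so an
        // excepted early match cannot hide a later real one.
        $offset = 0;
        while (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE, $offset)) {
            if (!CheckException($l_Content, $l_Found)) {
                $l_Pos   = $l_Found[0][1];
                $l_SigId = getSigId($l_Found);

                if (DEBUG_MODE) {
                    echo "CRIT 1: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                }

                return true;
            }

            $offset = $l_Found[0][1] + 1;
        }
    }

    if (AI_EXPERT > 1) {
        // Unlike the loop above, only the first match per signature is tested
        // against CheckException().
        foreach ($gXX_FlexDBShe as $l_Item) {
            if (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
                if (!CheckException($l_Content, $l_Found)) {
                    $l_Pos   = $l_Found[0][1];
                    $l_SigId = getSigId($l_Found);

                    if (DEBUG_MODE) {
                        echo "CRIT 2: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                    }

                    return true;
                }
            }
        }
    }

    if (AI_EXPERT > 0) {
        foreach ($gX_FlexDBShe as $l_Item) {
            if (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
                if (!CheckException($l_Content, $l_Found)) {
                    $l_Pos   = $l_Found[0][1];
                    $l_SigId = getSigId($l_Found);

                    if (DEBUG_MODE) {
                        echo "CRIT 3: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                    }

                    return true;
                }
            }
        }
    }

    // Plain substring signatures are compared against lower-cased content.
    $l_Content_lo = strtolower($l_Content);

    foreach ($g_DBShe as $l_Item) {
        $l_Pos = strpos($l_Content_lo, $l_Item);
        if ($l_Pos !== false) {
            $l_SigId = myCheckSum($l_Item);

            if (DEBUG_MODE) {
                echo "CRIT 4: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
            }

            return true;
        }
    }

    if (AI_EXPERT > 0) {
        foreach ($gX_DBShe as $l_Item) {
            $l_Pos = strpos($l_Content_lo, $l_Item);
            if ($l_Pos !== false) {
                $l_SigId = myCheckSum($l_Item);

                if (DEBUG_MODE) {
                    echo "CRIT 5: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                }

                return true;
            }
        }
    }

    // NOTE(review): the file-name tests below use case-sensitive strpos(), so
    // they only see lower-case '.php' / '.ph' - confirm whether callers
    // normalise the path first.
    if (AI_EXPERT > 0) {
        // Image magic bytes at offset 0 of a file named like PHP.
        if (strpos($l_Content, 'GIF89') === 0 && strpos($l_FN, '.php') !== false) {
            $l_Pos = 0;

            if (DEBUG_MODE) {
                // Heuristic hit: there is no signature item to print here.
                echo "CRIT 6: {$l_FN} matched [GIF89 header in .php file] in {$l_Pos}\n";
            }

            return true;
        }
    }

    // detect uploaders / droppers
    if (AI_EXPERT > 1) {
        $l_Found = null;
        // Each strpos() result is assigned to $l_Pos before the comparison.
        // "> 0" means a marker at offset 0 does not count as a hit.
        // NOTE(review): PHP's upload superglobal is $_FILES, and the literal
        // '$_FILE[' is not a substring of '$_FILES['; confirm the intended
        // signature text.
        if (filesize($l_FN) < 1024 && strpos($l_FN, '.ph') !== false
            && (
                ($l_Pos = strpos($l_Content, 'multipart/form-data')) > 0
                || ($l_Pos = strpos($l_Content, '$_FILE[')) > 0
                || ($l_Pos = strpos($l_Content, 'move_uploaded_file')) > 0
                || preg_match('|\\bcopy\\s*\\(|smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)
            )
        ) {
            // $l_Found is only populated when the copy() regex was the one that hit.
            if ($l_Found != null) {
                $l_Pos = $l_Found[0][1];
            }

            if (DEBUG_MODE) {
                echo "CRIT 7: {$l_FN} matched [uploader/dropper heuristic] in {$l_Pos}\n";
            }

            return true;
        }
    }

    return false;
}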
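/**
 * Scan one file's content against the "critical" PHP malware signature sets.
 *
 * Order of checks:
 *   - file name containing ".php." is recorded via AddResult() (scan continues)
 *   - SMART_SCAN skip for files that are neither critical by extension nor by
 *     $g_CriticalEntries
 *   - CRIT 1-3  regex signatures, each hit filtered through CheckException()
 *   - CRIT 4-5  plain substring signatures against the lower-cased content,
 *               plus a fixed extra pattern for ".ph*" files when AI_EXPERT > 1
 *   - CRIT 6    content starting with "GIF89" in a file whose name contains ".php"
 *   - CRIT 7    small (< 1024 bytes) ".ph*" file containing upload/copy primitives
 *   - CRIT 10   more than 10 occurrences of "base64_decode": recorded via
 *               AddResult(), but the function still returns false
 *
 * @param string $l_FN      Path of the file being scanned (also passed to filesize()).
 * @param mixed  $l_Index   Caller's index for this file; stored in $g_Base64 and
 *                          passed to AddResult().
 * @param string $l_Content File content to scan.
 * @param mixed  $l_Pos     Out: byte offset of the match. May be left as false when
 *                          nothing matched.
 * @param mixed  $l_SigId   Out: signature id for the signature-based hits; not set
 *                          by CRIT 6/7.
 *
 * @return bool true when a signature or heuristic matched and ended the scan,
 *              false otherwise.
 */
function CriticalPHP($l_FN, $l_Index, $l_Content, &$l_Pos, &$l_SigId) {
    global $g_ExceptFlex, $gXX_FlexDBShe, $gX_FlexDBShe, $g_FlexDBShe, $gX_DBShe, $g_DBShe, $g_Base64, $g_Base64Fragment, $g_CriticalFiles, $g_CriticalEntries;

    // H24LKHLKJHKLHJGJG4567869869GGHJ

    // need check file (by extension) ?
    // The extension is matched as a substring anywhere in the path, which
    // errs on the side of scanning more files rather than fewer.
    $l_SkipCheck = SMART_SCAN;

    if ($l_SkipCheck) {
        foreach ($g_CriticalFiles as $l_Ext) {
            if (strpos($l_FN, $l_Ext) !== false) {
                $l_SkipCheck = false;
                break;
            }
        }
    }

    // need check file (by signatures) ?
    if ($l_SkipCheck && preg_match('~' . $g_CriticalEntries . '~smiS', $l_Content, $l_Found)) {
        $l_SkipCheck = false;
    }

    // Double extension in the file name: record it before the skip decision so
    // it is reported even for files SMART_SCAN would otherwise skip.
    if (strpos($l_FN, '.php.') !== false) {
        $g_Base64[]         = $l_Index;
        $g_Base64Fragment[] = '".php."';
        $l_Pos              = 0;

        if (DEBUG_MODE) {
            // No signature item exists yet at this point, so print the pattern itself.
            echo "CRIT 7: {$l_FN} matched [.php.] in {$l_Pos}\n";
        }

        AddResult($l_FN, $l_Index);
    }

    // if not critical - skip it
    if ($l_SkipCheck && SMART_SCAN) {
        if (DEBUG_MODE) {
            echo "Skipped file, not critical.\n";
        }

        return false;
    }

    // NOTE(review): preg_match() returns false on a PCRE error (for example a
    // backtrack limit being hit). Every regex loop below treats that the same
    // as "no match", so the file passes that signature silently. Consider
    // checking preg_last_error() and surfacing the failure.
    // Only the first match per signature is tested against CheckException().
    foreach ($g_FlexDBShe as $l_Item) {
        if (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
            if (!CheckException($l_Content, $l_Found)) {
                $l_Pos   = $l_Found[0][1];
                $l_SigId = myCheckSum($l_Item);

                if (DEBUG_MODE) {
                    echo "CRIT 1: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                }

                return true;
            }
        }
    }

    if (AI_EXPERT > 1) {
        foreach ($gXX_FlexDBShe as $l_Item) {
            if (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
                if (!CheckException($l_Content, $l_Found)) {
                    $l_Pos   = $l_Found[0][1];
                    $l_SigId = myCheckSum($l_Item);

                    if (DEBUG_MODE) {
                        echo "CRIT 2: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                    }

                    return true;
                }
            }
        }
    }

    if (AI_EXPERT > 0) {
        foreach ($gX_FlexDBShe as $l_Item) {
            if (preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
                if (!CheckException($l_Content, $l_Found)) {
                    $l_Pos   = $l_Found[0][1];
                    $l_SigId = myCheckSum($l_Item);

                    if (DEBUG_MODE) {
                        echo "CRIT 3: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                    }

                    return true;
                }
            }
        }
    }

    // Plain substring signatures are compared against lower-cased content.
    $l_Content_lo = strtolower($l_Content);

    foreach ($g_DBShe as $l_Item) {
        $l_Pos = strpos($l_Content_lo, $l_Item);
        if ($l_Pos !== false) {
            $l_SigId = myCheckSum($l_Item);

            if (DEBUG_MODE) {
                echo "CRIT 4: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
            }

            return true;
        }
    }

    if (AI_EXPERT) {
        foreach ($gX_DBShe as $l_Item) {
            $l_Pos = strpos($l_Content_lo, $l_Item);
            if ($l_Pos !== false) {
                $l_SigId = myCheckSum($l_Item);

                if (DEBUG_MODE) {
                    echo "CRIT 5: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                }

                return true;
            }
        }

        if (strpos($l_FN, '.ph') !== false && AI_EXPERT > 1) {
            // for php only
            // $g_Specials is not in the global list above, so it is local here.
            $g_Specials = array(');#');

            foreach ($g_Specials as $l_Item) {
                $l_Pos = stripos($l_Content, $l_Item);
                if ($l_Pos !== false) {
                    $l_SigId = myCheckSum($l_Item);

                    return true;
                }
            }
        }
    }

    // NOTE(review): the file-name tests below use case-sensitive strpos(), so
    // they only see lower-case '.php' / '.ph' - confirm whether callers
    // normalise the path first.
    // Image magic bytes at offset 0 of a file named like PHP.
    if (strpos($l_Content, 'GIF89') === 0 && strpos($l_FN, '.php') !== false) {
        $l_Pos = 0;

        if (DEBUG_MODE) {
            // Heuristic hit: there is no signature item to print here.
            echo "CRIT 6: {$l_FN} matched [GIF89 header in .php file] in {$l_Pos}\n";
        }

        return true;
    }

    // detect uploaders / droppers
    if (AI_EXPERT > 1) {
        $l_Found = null;
        // Each strpos() result is assigned to $l_Pos before the comparison.
        // "> 0" means a marker at offset 0 does not count as a hit.
        // NOTE(review): PHP's upload superglobal is $_FILES, and the literal
        // '$_FILE[' is not a substring of '$_FILES['; confirm the intended
        // signature text.
        if (filesize($l_FN) < 1024 && strpos($l_FN, '.ph') !== false
            && (
                ($l_Pos = strpos($l_Content, 'multipart/form-data')) > 0
                || ($l_Pos = strpos($l_Content, '$_FILE[')) > 0
                || ($l_Pos = strpos($l_Content, 'move_uploaded_file')) > 0
                || preg_match('|\\bcopy\\s*\\(|smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)
            )
        ) {
            // $l_Found is only populated when the copy() regex was the one that hit.
            if ($l_Found != null) {
                $l_Pos = $l_Found[0][1];
            }

            if (DEBUG_MODE) {
                echo "CRIT 7: {$l_FN} matched [uploader/dropper heuristic] in {$l_Pos}\n";
            }

            return true;
        }
    }

    // count number of base64_decode entries
    // This is recorded as a finding but does not change the return value.
    $l_Count = substr_count($l_Content, 'base64_decode');
    if ($l_Count > 10) {
        $g_Base64[]         = $l_Index;
        $g_Base64Fragment[] = getFragment($l_Content, stripos($l_Content, 'base64_decode'));

        if (DEBUG_MODE) {
            echo "CRIT 10: {$l_FN} matched\n";
        }

        AddResult($l_FN, $l_Index);
    }

    return false;
}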