/**
 * Normalise and compact a list of signature regex fragments, in place.
 *
 * In order: de-duplicate; append an empty named group "(?<X<checksum>>)" to
 * every signature so a later match can be traced back to its SigId; apply a
 * fixed table of literal rewrites and then regex rewrites; validate with
 * optSigCheck(); set aside signatures containing an unbounded ".+"/".*"
 * (they take no part in prefix merging); sort the rest case-insensitively and
 * repeatedly fold lines that share a common prefix through optMergePrefixes();
 * finally re-append the set-aside signatures and validate once more.
 *
 * @param array $sigs Signature fragments; replaced by the optimised list.
 */
function optSig(&$sigs)
{
    $sigs = array_unique($sigs);

    // Tag every signature with its checksum as an empty named capture (SigId).
    foreach ($sigs as &$sig) {
        $sig .= '(?<X' . myCheckSum($sig) . '>)';
    }
    unset($sig);

    // Plain-text rewrites of known sub-patterns into tighter equivalents.
    $literalFix = array('([^\\?\\s])\\({0,1}\\.[\\+\\*]\\){0,1}\\2[a-z]*e' => '(?J)\\.[+*](?<=(?<d>[^\\?\\s])\\(..|(?<d>[^\\?\\s])..)\\)?\\g{d}[a-z]*e', 'http://.+?/.+?\\.php\\?a' => 'http://[^?\\s]++(?<=\\.php)\\?a', '\\s*[\'"]{0,1}.+?[\'"]{0,1}\\s*' => '.+?', '[\'"]{0,1}.+?[\'"]{0,1}' => '.+?');
    $sigs = str_replace(array_keys($literalFix), array_values($literalFix), $sigs);

    // Regex rewrites: strip leading optional noise and move "\d+&@" into a lookbehind.
    $regexFix = array('~^\\\\[d]\\+&@~' => '&@(?<=\\d..)', '~^((\\[\'"\\]|\\\\s|@)(\\{0,1\\}\\.?|[?*]))+~' => '');
    $sigs = preg_replace(array_keys($regexFix), array_values($regexFix), $sigs);
    optSigCheck($sigs);

    // Signatures with an unbounded wildcard are kept out of the prefix merge.
    // (foreach iterates a copy, so unsetting from $sigs here is safe.)
    $wildcardSigs = array();
    foreach ($sigs as $idx => $sig) {
        if (strpos($sig, '.+') === false && strpos($sig, '.*') === false) {
            continue;
        }
        unset($sigs[$idx]);
        $wildcardSigs[] = $sig;
    }
    usort($sigs, 'strcasecmp');

    // Fold runs of lines sharing a common prefix, trying long prefixes first.
    // Minimum prefix length goes 24,20,16,12,8 then 4,3,2,1.
    $text = implode("\n", $sigs);
    foreach (array(24, 20, 16, 12, 8, 4, 3, 2, 1) as $minLen) {
        $text = preg_replace_callback('#^((?>(?:\\\\.|\\[.+?\\]|[^(\\n]|\\((?:\\\\.|[^)(\\n])++\\))(?:[*?+]\\+?|)){' . $minLen . ',}).*(?:\\n\\1(?![{?*+]).+)+#im', 'optMergePrefixes', $text);
    }

    $sigs = array_merge(explode("\n", $text), $wildcardSigs);
    optSigCheck($sigs);
}
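/**
 * Heuristic check of one file against the "critical" signature sets.
 *
 * Scans $l_Content with the regex sets ($g_FlexDBShe, then $gXX_FlexDBShe and
 * $gX_FlexDBShe at the matching AI_EXPERT level), then with the lower-cased
 * substring sets ($g_DBShe, $gX_DBShe), and finally applies a few fixed
 * heuristics: ");#" in .ph* files, a GIF header in a .php file, small upload
 * handlers, and an excessive number of base64_decode calls.
 *
 * Fixes relative to the previous version:
 *  - the upload-handler check wrote a boolean into $l_Pos because of a
 *    misplaced parenthesis ("$l_Pos = strpos(...) > 0") and ignored matches
 *    at offset 0; every marker is now tested with "!== false";
 *  - the DEBUG_MODE lines for the ".php." name check, the GIF header and the
 *    upload-handler check printed an undefined or stale $l_Item.
 *
 * @param string $l_FN      File name/path; tested for extensions and passed to filesize().
 * @param mixed  $l_Index   Caller's identifier for the file; stored in $g_Base64
 *                          and passed to AddResult().
 * @param string $l_Content File content to scan.
 * @param mixed  $l_Pos     Out: byte offset of the match when true is returned
 *                          (may be left as false after a failed strpos()).
 * @param mixed  $l_SigId   Out: myCheckSum() of the matched signature. Not set by
 *                          the GIF-header and upload-handler heuristics.
 *
 * @return bool true when a signature or heuristic fired; false when the file
 *              was skipped under SMART_SCAN or nothing matched. The ".php."
 *              name check and the base64_decode count only record the file
 *              through AddResult() and let the scan continue.
 */
function CriticalPHP($l_FN, $l_Index, $l_Content, &$l_Pos, &$l_SigId)
{
    global $g_ExceptFlex, $gXX_FlexDBShe, $gX_FlexDBShe, $g_FlexDBShe, $gX_DBShe, $g_DBShe, $g_Base64, $g_Base64Fragment, $g_CriticalFiles, $g_CriticalEntries;
    // H24LKHLKJHKLHJGJG4567869869GGHJ
    // NOTE(review): marker above kept verbatim; presumably used to recognise the
    // scanner's own file — confirm before removing.

    // Under SMART_SCAN a file is only scanned when its name contains one of
    // $g_CriticalFiles or its content matches $g_CriticalEntries.
    $l_SkipCheck = SMART_SCAN;
    if ($l_SkipCheck) {
        foreach ($g_CriticalFiles as $l_Ext) {
            if (strpos($l_FN, $l_Ext) !== false) {
                $l_SkipCheck = false;
                break;
            }
        }
    }
    if ($l_SkipCheck && preg_match('~' . $g_CriticalEntries . '~smiS', $l_Content)) {
        $l_SkipCheck = false;
    }

    // A double extension ("x.php.jpg") is recorded at once but does not stop the scan.
    if (strpos($l_FN, '.php.') !== false) {
        $g_Base64[] = $l_Index;
        $g_Base64Fragment[] = '".php."';
        $l_Pos = 0;
        if (DEBUG_MODE) {
            echo "CRIT 7: {$l_FN} matched [.php.] in {$l_Pos}\n";
        }
        AddResult($l_FN, $l_Index);
    }

    // $l_SkipCheck can only still be true when SMART_SCAN is on.
    if ($l_SkipCheck) {
        if (DEBUG_MODE) {
            echo "Skipped file, not critical.\n";
        }
        return false;
    }

    // Regex signature sets in priority order: array(signature list, CRIT label).
    // The XX/X sets are consulted only at the corresponding AI_EXPERT level.
    $l_FlexSets = array(array($g_FlexDBShe, 1));
    if (AI_EXPERT > 1) {
        $l_FlexSets[] = array($gXX_FlexDBShe, 2);
    }
    if (AI_EXPERT > 0) {
        $l_FlexSets[] = array($gX_FlexDBShe, 3);
    }
    foreach ($l_FlexSets as $l_Set) {
        list($l_Sigs, $l_Crit) = $l_Set;
        foreach ($l_Sigs as $l_Item) {
            // $l_Item is spliced into the PCRE unquoted: the signature database is
            // trusted input here and must never be built from scanned/user data.
            // A PCRE error (e.g. backtrack limit) makes preg_match() return false,
            // which is treated like "no match".
            if (!preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
                continue;
            }
            if (CheckException($l_Content, $l_Found)) {
                continue;
            }
            $l_Pos = $l_Found[0][1];
            $l_SigId = myCheckSum($l_Item);
            if (DEBUG_MODE) {
                echo "CRIT {$l_Crit}: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
            }
            return true;
        }
    }

    // Plain substring sets, matched case-insensitively against a lower-cased copy.
    $l_Content_lo = strtolower($l_Content);
    $l_PlainSets = array(array($g_DBShe, 4));
    if (AI_EXPERT) {
        $l_PlainSets[] = array($gX_DBShe, 5);
    }
    foreach ($l_PlainSets as $l_Set) {
        list($l_Sigs, $l_Crit) = $l_Set;
        foreach ($l_Sigs as $l_Item) {
            $l_Pos = strpos($l_Content_lo, $l_Item);
            if ($l_Pos !== false) {
                $l_SigId = myCheckSum($l_Item);
                if (DEBUG_MODE) {
                    echo "CRIT {$l_Crit}: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                }
                return true;
            }
        }
    }

    // for php only: a handful of fixed fragments checked at the top expert level.
    if (AI_EXPERT > 1 && strpos($l_FN, '.ph') !== false) {
        $l_Specials = array(');#');
        foreach ($l_Specials as $l_Item) {
            $l_Pos = stripos($l_Content, $l_Item);
            if ($l_Pos !== false) {
                $l_SigId = myCheckSum($l_Item);
                return true;
            }
        }
    }

    // Image header at the very start of a file named *.php*.
    if (strpos($l_Content, 'GIF89') === 0 && strpos($l_FN, '.php') !== false) {
        $l_Pos = 0;
        if (DEBUG_MODE) {
            echo "CRIT 6: {$l_FN} matched [GIF89] in {$l_Pos}\n";
        }
        return true;
    }

    // detect uploaders / droppers: small .ph* files handling file uploads.
    if (AI_EXPERT > 1 && filesize($l_FN) < 1024 && strpos($l_FN, '.ph') !== false) {
        // NOTE(review): '$_FILE[' does not match the real superglobal '$_FILES[';
        // left unchanged because it is signature data — confirm intent.
        $l_Markers = array('multipart/form-data', '$_FILE[', 'move_uploaded_file');
        foreach ($l_Markers as $l_Item) {
            $l_Pos = strpos($l_Content, $l_Item);
            if ($l_Pos !== false) {
                if (DEBUG_MODE) {
                    echo "CRIT 7: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
                }
                return true;
            }
        }
        if (preg_match('|\\bcopy\\s*\\(|smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
            $l_Item = 'copy(';
            $l_Pos = $l_Found[0][1];
            if (DEBUG_MODE) {
                echo "CRIT 7: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
            }
            return true;
        }
    }

    // count number of base64_decode entries; many of them is recorded but not fatal.
    if (substr_count($l_Content, 'base64_decode') > 10) {
        $g_Base64[] = $l_Index;
        $g_Base64Fragment[] = getFragment($l_Content, stripos($l_Content, 'base64_decode'));
        if (DEBUG_MODE) {
            echo "CRIT 10: {$l_FN} matched\n";
        }
        AddResult($l_FN, $l_Index);
    }
    return false;
}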