<?php
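/**
 * Returns the signature table used to flag suspected webshells / backdoors.
 *
 * Each key is a human-readable label of the form 'category->description->score';
 * the trailing number is the weight of the signature (presumably summed per file
 * by the caller — confirm in the scanner). Each value is the BODY of a PCRE
 * pattern written without delimiters, so the caller has to wrap it (for example
 * '/' . $pattern . '/') before handing it to preg_match().
 *
 * NOTE(review): several patterns ('returnsstringsoname', 'intooutfile',
 * 'SetHandlerapplication\/x-httpd-php', ...) contain no whitespace at all, so
 * they can only match if the scanner strips whitespace from the scanned source
 * before matching — verify this against the caller.
 *
 * These are heuristics: a hit means "worth a look", not "confirmed malicious",
 * and benign code calling system()/exec()/chmod() will also score.
 *
 * @return array<string, string> label => delimiter-less PCRE pattern
 */
function getCode(): array
{
    return [
        '后门特征->cha88.cn->1010' => 'cha88\.cn',
        '后门特征->c99shell->1010' => 'c99shell',
        '后门特征->phpspy->1010' => 'phpspy',
        '后门特征->Scanners->60' => 'Scanners',
        '后门特征->cmd.php->70' => 'cmd\.php',
        '可疑的编码方式->str_rot13->101' => 'str_rot13',
        '后门特征->webshell->10' => 'webshell',
        '后门特征->EgY_SpIdEr->101' => 'EgY_SpIdEr',
        '后门特征->tools88.com->1010' => 'tools88\.com',
        '后门特征->SECFORCE->101' => 'SECFORCE',
        '后门特征->eval_r(->70' => 'eval\((\'|")\?',
        '后门特征->eval($_->1000' => 'eval\(\$_',
        '可疑代码特征->system(->30' => 'system\(',
        '可疑代码特征->scandir(->20' => 'scandir\(',
        '可疑代码特征->getmygid(->10' => 'getmygid\(',
        '可疑代码特征->get_current_user(->10' => 'get_current_user\(',
        '可疑代码特征->posix_getpwuid(->25' => 'posix_getpwuid\(',
        '可疑代码特征->passthru(->30' => 'passthru\(',
        '可疑代码特征->shell_exec(->70' => 'shell_exec\(',
        '可疑代码特征->exec(->70' => 'exec\(',
        '可疑代码特征->chmod(->35' => 'chmod\(',
        // Bug fix: the pattern used to read 'unlind\(' (typo), so this
        // signature could never match a real unlink() call.
        '可疑代码特征->unlink(->35' => 'unlink\(',
        '可疑代码特征->rmdir(->35' => 'rmdir\(',
        '可疑代码特征->popen(->20' => 'popen\(',
        '可疑代码特征->is_writable(->15' => 'is_writable\(',
        '可疑代码特征->gethostbyname->15' => 'gethostbyname\(',
        '可疑代码特征->filemtime(->10' => 'filemtime\(',
        '可疑代码特征->disk_free_space(->40' => 'disk_free_space\(',
        '可疑代码特征->disk_total_space(->40' => 'disk_total_space\(',
        '可疑代码特征->proc_open->30' => 'proc_open',
        // In a single-quoted PHP string '\\$' is the two characters '\$',
        // i.e. a literal dollar sign in the regex.
        '可疑代码特征->eval_r($->70' => 'eval\((\'|"|\s*)\\$',
        '可疑代码特征->assert($->101' => 'assert\((\'|"|\s*)\\$',
        '危险MYSQL代码->returns string soname->101' => 'returnsstringsoname',
        '危险MYSQL代码->into outfile->101' => 'intooutfile',
        '危险MYSQL代码->load_file->101' => 'select(\s+)(.*)load_file',
        '加密后门特征->eval_r(gzinflate(->999' => 'eval\(gzinflate\(',
        '加密后门特征->eval_r(base64_decode(->999' => 'eval\(base64_decode\(',
        '加密后门特征->eval_r(gzuncompress(->999' => 'eval\(gzuncompress\(',
        '加密后门特征->eval_r(gzdecode(->999' => 'eval\(gzdecode\(',
        '加密后门特征->eval_r(str_rot13(->999' => 'eval\(str_rot13\(',
        '可疑的字符串解码->gzuncompress(base64_decode(->101' => 'gzuncompress\(base64_decode\(',
        // NOTE(review): the label prefix '可以的' looks like a typo for '可疑的'
        // (as on the entry above); left as-is because labels are runtime keys
        // that report consumers may match on.
        '可以的字符串解码->base64_decode(gzuncompress(->101' => 'base64_decode\(gzuncompress\(',
        '一句话后门特征->eval_r($_->260' => 'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '一句话后门特征->assert($_->260' => 'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '一句话后门特征->require($_->269' => 'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '一句话后门特征->require_once($_->260' => 'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '一句话后门特征->include($_->260' => 'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '一句话后门特征->include_once($_->260' => 'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '一句话后门特征->call_user_func("assert"->260' => 'call_user_func\(("|\')assert("|\')',
        '一句话后门特征->call_user_func($_->260' => 'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]->260' => '\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
        '一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE->101' => 'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE->200' => 'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        '上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[->200' => 'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
        '.htaccess插马特征->SetHandler application/x-httpd-php->260' => 'SetHandlerapplication\/x-httpd-php',
        '.htaccess插马特征->php_value auto_prepend_file->260' => 'php_valueauto_prepend_file',
        '.htaccess插马特征->php_value auto_append_file->260' => 'php_valueauto_append_file',
    ];
}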
?>