<?php
|
date_default_timezone_set('GMT');
|
ini_set('display_errors', '0');
|
class scan{
|
private $directory = '../..';
|
private $extension = array('php');
|
private $_files = array();
|
private $filelimit = 5000;
|
private $scan_hidden = true;
|
private $_self = '';
|
private $_regex ='(preg_replace.*\/e|`.*?\$.*?`|\bcreate_function\b|\bpassthru\b|\bshell_exec\b|\bexec\b|\bbase64_decode\b|\bedoced_46esab\b|\beval\b|\bsystem\b|\bproc_open\b|\bpopen\b|\bcurl_exec\b|\bcurl_multi_exec\b|\bparse_ini_file\b|\bshow_source\b|cmd\.exe|KAdot@ngs\.ru|小组专用大马|提权|木马|PHP\s?反弹|shell\s?加强版|WScript\.shell|PHP\s?Shell|Eval\sPHP\sCode|Udp1-fsockopen|xxddos|Send\sFlow|fsockopen\("(udp|tcp)|SYN\sFlood)';
|
private $_shellcode='';
|
private $_shellcode_line=array();
|
private $_log_array= array();
|
private $_log_count=0;
|
private $webscan_url="http://safe.webscan.360.cn/webshell/upload";
|
private $action='';
|
private $taskid=0;
|
private $_tmp='';
|
|
function __construct(){
|
if (!defined('WEBSCAN_KEY')||WEBSCAN_KEY==null||WEBSCAN_KEY==''||WEBSCAN_KEY=="@webscan360key@"){
|
require_once dirname(dirname(__FILE__)).'/lib/webscan360_db.class.php';
|
$webscan360db = new Webscan360_db();
|
$ressult = $webscan360db->rec_getRow(array('var'=>'skey'));
|
if(!empty($ressult)&&!empty($ressult['value'])){
|
$skey = $ressult['value'];
|
define("WEBSCAN_KEY", "$skey");
|
}
|
}
|
if (defined('WEBSCAN_KEY')&&isset($_POST['action'])&&isset($_POST['key'])&&$_POST['key']==WEBSCAN_KEY&&isset($_POST['task'])&&WEBSCAN_KEY!=null&&WEBSCAN_KEY!=''&&WEBSCAN_KEY!="@webscan360key@") {
|
$this->action = $_POST['action'];
|
$this->taskid = $_POST['task'];
|
}
|
if (is_writable('./')) {
|
$this->_tmp='./';
|
}
|
elseif (is_writable(sys_get_temp_dir())) {
|
$this->_tmp=substr(sys_get_temp_dir(), -1)=='/'||substr(sys_get_temp_dir(), -1)=='\\' ? sys_get_temp_dir() : sys_get_temp_dir().'/';
|
}
|
|
}
|
|
private function is__writable($path) {
|
|
if ($path{strlen($path)-1}=='/')
|
return is__writable($path.uniqid(mt_rand()).'.tmp');
|
|
if (file_exists($path)) {
|
if (!($f = @fopen($path, 'r+')))
|
return false;
|
fclose($f);
|
return true;
|
}
|
|
if (!($f = @fopen($path, 'w')))
|
return false;
|
fclose($f);
|
@unlink($path);
|
return true;
|
}
|
|
|
private function json_encode_($arg, $force = true)
|
{
|
static $_force;
|
if (is_null($_force))
|
{
|
$_force = $force;
|
}
|
|
if ($_force && function_exists('json_encode'))
|
{
|
return json_encode($arg);
|
}
|
|
$returnValue = '';
|
$c = '';
|
$i = '';
|
$l = '';
|
$s = '';
|
$v = '';
|
$numeric = true;
|
|
switch (gettype($arg))
|
{
|
case 'array':
|
foreach ($arg AS $i => $v)
|
{
|
if (!is_numeric($i))
|
{
|
$numeric = false;
|
break;
|
}
|
}
|
|
if ($numeric)
|
{
|
foreach ($arg AS $i => $v)
|
{
|
if (strlen($s) > 0)
|
{
|
$s .= ',';
|
}
|
$s .= $this->json_encode_($arg[$i]);
|
}
|
|
$returnValue = '[' . $s . ']';
|
}
|
else
|
{
|
foreach ($arg AS $i => $v)
|
{
|
if (strlen($s) > 0)
|
{
|
$s .= ',';
|
}
|
$s .= $this->json_encode_($i) . ':' . $this->json_encode_($arg[$i]);
|
}
|
|
$returnValue = '{' . $s . '}';
|
}
|
break;
|
|
case 'object':
|
foreach (get_object_vars($arg) AS $i => $v)
|
{
|
$v = $this->json_encode_($v);
|
|
if (strlen($s) > 0)
|
{
|
$s .= ',';
|
}
|
$s .= $this->json_encode_($i) . ':' . $v;
|
}
|
|
$returnValue = '{' . $s . '}';
|
break;
|
|
case 'integer':
|
case 'double':
|
$returnValue = is_numeric($arg) ? (string) $arg : 'null';
|
break;
|
|
case 'string':
|
$returnValue = '"' . strtr($arg, array(
|
"\r" => '\\r', "\n" => '\\n', "\t" => '\\t', "\b" => '\\b',
|
"\f" => '\\f', '\\' => '\\\\', '"' => '\"',
|
"\x00" => '\u0000', "\x01" => '\u0001', "\x02" => '\u0002', "\x03" => '\u0003',
|
"\x04" => '\u0004', "\x05" => '\u0005', "\x06" => '\u0006', "\x07" => '\u0007',
|
"\x08" => '\b', "\x0b" => '\u000b', "\x0c" => '\f', "\x0e" => '\u000e',
|
"\x0f" => '\u000f', "\x10" => '\u0010', "\x11" => '\u0011', "\x12" => '\u0012',
|
"\x13" => '\u0013', "\x14" => '\u0014', "\x15" => '\u0015', "\x16" => '\u0016',
|
"\x17" => '\u0017', "\x18" => '\u0018', "\x19" => '\u0019', "\x1a" => '\u001a',
|
"\x1b" => '\u001b', "\x1c" => '\u001c', "\x1d" => '\u001d', "\x1e" => '\u001e',
|
"\x1f" => '\u001f'
|
)) . '"';
|
break;
|
|
case 'boolean':
|
$returnValue = $arg?'true':'false';
|
break;
|
|
default:
|
$returnValue = 'null';
|
}
|
|
return $returnValue;
|
}
|
|
|
private function ck_state(){
|
$a=fopen($this->_tmp.'scan_lock.tmp', 'w+');
|
fwrite($a, "scannig");
|
fclose($a);
|
|
}
|
|
public function del_state(){
|
$a=fopen($this->_tmp.'scan_lock.tmp', 'w+');
|
fwrite($a, '');
|
fclose($a);
|
@unlink($this->_tmp.'scan_lock.tmp');
|
$this->post($this->webscan_url,array('state'=>'1','key'=>WEBSCAN_KEY,'task'=>$this->taskid));
|
}
|
|
private function is_utf8($word)
|
{
|
if (preg_match("/^([".chr(228)."-".chr(233)."]{1}[".chr(128)."-".chr(191)."]{1}[".chr(128)."-".chr(191)."]{1}){1}/",$word) == true || preg_match("/([".chr(228)."-".chr(233)."]{1}[".chr(128)."-".chr(191)."]{1}[".chr(128)."-".chr(191)."]{1}){1}$/",$word) == true || preg_match("/([".chr(228)."-".chr(233)."]{1}[".chr(128)."-".chr(191)."]{1}[".chr(128)."-".chr(191)."]{1}){2,}/",$word) == true)
|
{
|
return true;
|
}
|
else
|
{
|
|
return false;
|
}
|
}
|
|
private function check_environment()
|
{
|
|
$r = array("status"=>1,"allow_url_fopen"=>0,"writeable"=>0);
|
|
if (ini_get('allow_url_fopen')||function_exists('curl_init')) {
|
$r["allow_url_fopen"] = 1;
|
}
|
|
if ($this->is__writable($this->_tmp.'test.tmp'))
|
{
|
$r["writeable"] = 1;
|
}
|
|
if($r["allow_url_fopen"] && $r["writeable"])
|
{
|
$r["status"] = 1;
|
}
|
echo $this->json_encode_($r);
|
exit;
|
}
|
|
|
private function webscan_curl($url , $postdata = array()){
|
$ch = curl_init();
|
curl_setopt($ch, CURLOPT_URL, $url);
|
curl_setopt($ch, CURLOPT_HEADER, 0);
|
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
|
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
|
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
|
curl_setopt($ch, CURLOPT_POST, 1);
|
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
|
$response = curl_exec($ch);
|
$httpcode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
|
curl_close($ch);
|
return array('httpcode'=>$httpcode,'response'=>$response);
|
}
|
|
private function post($url,$log=array()){
|
if(! function_exists('curl_init')) {
|
$postdata = http_build_query($log);
|
$context = stream_context_create(array('http' => array('method' => 'POST', 'header' => "Content-type: application/x-www-form-urlencoded\r\n",'content' => $postdata)));
|
$server_version = @file_get_contents($url, 0, $context);
|
}
|
else{
|
$this->webscan_curl($url,$log);
|
}
|
|
}
|
|
private function findstr($filepath,$shellstr){
|
$a=false;
|
$text=@file_get_contents($filepath);
|
if(!$this->is_utf8($text)){
|
$text=@$text;
|
}
|
$_content = explode("\n", $text);
|
for ($line = 0; $line < count($_content); $line++)
|
{
|
$date = preg_match_all("/".$shellstr."/i", $_content[$line],$matches);
|
if($date){
|
$this->_shellcode[$line+1]=$_content[$line];
|
$a=true;
|
}
|
}
|
return $a;
|
}
|
private function upload_log($a = array()) {
|
if($this->_log_count==50){
|
$this->post($this->webscan_url,array('log' => $this->json_encode_($this->_log_array),'key'=>WEBSCAN_KEY,'task'=>$this->taskid));
|
$this->_log_count=0;
|
$this->_log_array=array();
|
}
|
else{
|
$this->_log_array[]=$a;
|
$this->_log_count++;
|
}
|
|
}
|
private function listdir($dir) {
|
$handle = @opendir($dir);
|
if ($this->filelimit > 0) {
|
if (count($this->_files) > $this->filelimit) {
|
return true;
|
}
|
}
|
while (($file = @readdir($handle)) !== false) {
|
if ($file == '.' || $file == '..') {
|
continue;
|
}
|
$filepath = $dir == '.' ? $file : $dir . '/' . $file;
|
|
if (is_link($filepath)) {
|
continue;
|
}
|
if (is_file($filepath)) {
|
if (substr(basename($filepath), 0, 1) != "." || $this->scan_hidden) {
|
$extension = pathinfo($filepath);
|
if (is_string($this->extension) && $this->extension == '*') {
|
if ($this->filelimit > 0) {
|
$this->_files[] = $filepath;
|
}
|
} else {
|
if (isset($extension['extension']) && in_array($extension['extension'], $this->extension)) {
|
if ($this->_self != basename($filepath)) {
|
if ($this->filelimit > 0) {
|
$this->_files[] = $filepath;
|
}
|
}
|
|
}
|
}
|
}
|
} else if (is_dir($filepath)) {
|
if (substr(basename($filepath), 0, 1) != "." || $this->scan_hidden) {
|
if (is_readable($filepath)) {
|
$this->listdir($filepath);
|
}
|
}
|
}
|
}
|
closedir($handle);
|
}
|
|
private function anaylize() {
|
foreach ($this->_files as $file) {
|
if(!$this->is_utf8($file)){
|
$filename=@$file;
|
}
|
if($this->findstr($file,$this->_regex))
|
{
|
|
self::upload_log(array($filename => array('Trojan' => 1,'time' => date("Y-m-d H:i:s",filemtime($file)),'md5'=>md5(file_get_contents($file)),'size'=>filesize($file),'shellcode'=>$this->_shellcode) ));
|
$this->_shellcode=array();
|
}
|
/* else{
|
self::upload_log(array($filename => array('Trojan' => 0)));
|
}
|
*/
|
}
|
if ($this->_log_count>0) {
|
$this->post($this->webscan_url,array('log' => $this->json_encode_($this->_log_array),'key'=>WEBSCAN_KEY,'task'=>$this->taskid));
|
}
|
sleep(5);
|
$this->del_state();
|
}
|
|
|
private function sendfile()
|
{
|
$r = array("md5"=>"","info"=>"","content"=>"");
|
if (isset($_POST['filename']))
|
{
|
$filename = $_SERVER['DOCUMENT_ROOT'].'/'.base64_decode($_POST['filename']);
|
|
if (file_exists($filename))
|
{
|
$r["md5"] = md5(file_get_contents($filename));
|
$r["content"]= base64_encode(file_get_contents($filename));
|
}
|
else {
|
$r["info"] = "Cant find selected file";
|
}
|
}
|
else {
|
$r["info"] = "No file specified";
|
|
}
|
$this->post($this->webscan_url,array('state'=>2,'log' => $this->json_encode_($r),'key'=>WEBSCAN_KEY,'task'=>$this->taskid));
|
exit;
|
}
|
|
public function start() {
|
if($this->action=='del_state'){
|
$this->del_state();
|
}
|
if($this->action=='sendfile'){
|
$this->sendfile();
|
}
|
if (@file_get_contents(($this->_tmp.'scan_lock.tmp'))=='scannig') {
|
exit("scannig");
|
}
|
switch ($this->action) {
|
case 'check_environment':
|
$this->check_environment();
|
break;
|
case 'shell_scan':
|
set_time_limit(0);
|
ignore_user_abort();
|
register_shutdown_function(array($this,"del_state"));
|
$this->ck_state();
|
$this->listdir($this->directory);
|
$this->anaylize();
|
$this->del_state();
|
break;
|
default:
|
echo "360webscan v1.5";
|
break;
|
}
|
}
|
|
}
|
|
$a=new scan();
|
$a->start();
|
?>
|
