Add reference and fix matcher
parent
619f9fd7e0
commit
ced01f1ac8
|
@ -1,12 +1,16 @@
|
|||
id: asp-webshell-scanner
|
||||
id: asp-webshell
|
||||
|
||||
info:
|
||||
name: ASP/ASP.NET Webshell Scanner
|
||||
name: ASP/ASP.NET Webshell - Detect
|
||||
author: lu4nx
|
||||
severity: high
|
||||
reference:
|
||||
- https://github.com/tennc/webshell
|
||||
tags: asp,asp.net,file
|
||||
- https://github.com/tennc/webshell/tree/master/aspx
|
||||
- https://github.com/tennc/webshell/tree/master/asp
|
||||
- https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: asp,aspx,file,webshell
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
|
@ -20,14 +24,10 @@ file:
|
|||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
# <%eval request("xx")%>
|
||||
- '(?i)(eval)'
|
||||
- '(?i)(eval|execute)\('
|
||||
- '(?i)wscript.shell'
|
||||
- '(?i)ExecuteStatement'
|
||||
- '(?i)cmd.exe'
|
||||
- type: regex
|
||||
regex:
|
||||
# mmshell = 'xxx'
|
||||
- '(?i)mmshell'
|
||||
- '(?i)GetCmd'
|
||||
- '(?i)GetCmd'
|
|
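Review bot: The replacement matcher `'(?i)(eval|execute)\('` in the second hunk requires an opening parenthesis directly after the keyword, but the sample the template itself documents, `<%eval request("xx")%>`, has a space and then `request` at that position, so the "fixed" pattern no longer matches its own example (whether that comment line survives on the new side is not recoverable from this rendering). A form that accepts both call styles is `'(?i)\b(eval|execute)\s*(\(|request\b)'`. `'(?i)GetCmd'` is printed twice at the end of the hunk, as is `'(?i)exeCmd'` in the JSP section; if both copies are on the new side, one is a duplicate list entry. Separately, `'(?i)cmd.exe'` leaves the dot unescaped, so it also matches strings such as `cmd_exe`; `'(?i)cmd\.exe'` is what is intended, and the same pattern appears in the JSP and PHP sections below.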
@ -1,17 +1,22 @@
|
|||
id: jsp-webshell-scanner
|
||||
id: jsp-webshell
|
||||
|
||||
info:
|
||||
name: JSP Webshell Scanner
|
||||
name: JSP Webshell - Detect
|
||||
author: lu4nx
|
||||
severity: high
|
||||
reference:
|
||||
- https://github.com/tennc/webshell
|
||||
tags: jsp,file
|
||||
- https://github.com/tennc/webshell/tree/master/jsp
|
||||
- https://github.com/tennc/webshell/tree/master/jspx
|
||||
- https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: jsp,java,jspx,webshell,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- jsp
|
||||
- java
|
||||
- jspx
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
|
@ -20,6 +25,4 @@ file:
|
|||
- '(?i)cmd.exe'
|
||||
- '(?i)/bin/sh'
|
||||
- '(?i)/bin/bash'
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?i)exeCmd'
|
||||
- '(?i)exeCmd'
|
|
@ -0,0 +1,33 @@
|
|||
id: php-webshell
|
||||
|
||||
info:
|
||||
name: PHP Webshell - Detect
|
||||
author: lu4nx
|
||||
severity: high
|
||||
reference:
|
||||
- https://github.com/tennc/webshell/tree/master/php
|
||||
- https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
|
||||
metadata:
|
||||
verified: true
|
||||
tags: php,file,webshell
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- php
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?i)\b(passthru|eval|exec|system|phpinfo|assert|call_user_func|call_user_func_array)\('
|
||||
- '(?i)cmd.exe'
|
||||
- '(?i)/bin/sh'
|
||||
- '(?i)/bin/bash'
|
||||
- '(?i)WScript.Shell'
|
||||
- '(?i)gzuncompress\(base64_decode\('
|
||||
- '\]\(\$_(GET|POST|COOKIE|REQUEST)\['
|
||||
- '(?i)new\s*(ReflectionFunction|ReflectionClass)'
|
||||
- '(?i)0x647261646e617473'
|
||||
- '65786563' # exec
|
||||
- '(?i)\$\w+\(\$_(GET|POST|COOKIE|REQUEST)'
|
||||
- '(?i)b4tm4n'
|
||||
- '(?i)cmdshell'
|
|
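Review bot: The new php-webshell file drops the explanatory comments that the deleted php-webshell-scanner file carried next to its patterns — the `# Example:` snippets for the `\]\(\$_(GET|POST|COOKIE|REQUEST)\[`, `ReflectionFunction` and `\$\w+\(\$_(` matchers and the `# Reference:` links for `0x647261646e617473` and `65786563` — so a reader of the new file cannot tell what the two hex indicators stand for or why they were added. Carrying those comment lines over as YAML `#` comments above the respective list entries costs nothing in matching and keeps the template auditable. The bare `'65786563'` entry also has no boundary anchoring, so it will hit inside any longer hex blob such as an embedded image or digest; if it is kept, a comment stating that this entry is expected to be noisy would help whoever triages the results.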
@ -1,41 +0,0 @@
|
|||
id: php-webshell-scanner
|
||||
|
||||
info:
|
||||
name: PHP Webshell Scanner
|
||||
author: lu4nx
|
||||
severity: high
|
||||
reference:
|
||||
- https://github.com/tennc/webshell
|
||||
tags: php,file
|
||||
|
||||
file:
|
||||
- extensions:
|
||||
- php
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?i)\b(passthru|eval|exec|system|phpinfo|assert|call_user_func|call_user_func_array)\('
|
||||
- '(?i)cmd.exe'
|
||||
- '(?i)/bin/sh'
|
||||
- '(?i)/bin/bash'
|
||||
- '(?i)WScript.Shell'
|
||||
- type: regex
|
||||
regex:
|
||||
- '(?i)gzuncompress\(base64_decode\('
|
||||
# Example: $array[0]['tt']($_POST['tt1234']);
|
||||
- '\]\(\$_(GET|POST|COOKIE|REQUEST)\['
|
||||
# Example:
|
||||
# $f = new class($_POST['name']) extends ReflectionFunction {};
|
||||
# $f->invoke($_POST[xxx]);
|
||||
- '(?i)new\s*(ReflectionFunction|ReflectionClass)'
|
||||
# Reference: https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php
|
||||
- '(?i)0x647261646e617473'
|
||||
# Reference: https://github.com/upsi1on/webshell/blob/main/upsi1on/upsi1on.php#L1173
|
||||
- '65786563' # exec
|
||||
# Example:
|
||||
# $a = substr('1a',1).'s'.'s'.'e'.'r'.'t';
|
||||
# $a($_POST['x']);
|
||||
- '(?i)\$\w+\(\$_(GET|POST|COOKIE|REQUEST)'
|
||||
- '(?i)b4tm4n'
|
||||
- '(?i)cmdshell'
|