daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

added reference and fix matcher

patch-1
Dhiyaneshwaran 2023-06-29 12:59:33 +05:30
parent 619f9fd7e0
commit ced01f1ac8
4 changed files with 52 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
file/webshell/asp.yaml → file/webshell/asp-webshell.yaml
View File

@ -1,12 +1,16 @@
id: asp-webshell-scanner
id: asp-webshell
info:
name: ASP/ASP.NET Webshell Scanner
name: ASP/ASP.NET Webshell - Detect
author: lu4nx
severity: high
reference:
- https://github.com/tennc/webshell
tags: asp,asp.net,file
- https://github.com/tennc/webshell/tree/master/aspx
- https://github.com/tennc/webshell/tree/master/asp
- https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
metadata:
verified: true
tags: asp,aspx,file,webshell
file:
- extensions:
@ -20,14 +24,10 @@ file:
extractors:
- type: regex
regex:
# <%eval request("xx")%>
- '(?i)(eval)'
- '(?i)(eval|execute)\('
- '(?i)wscript.shell'
- '(?i)ExecuteStatement'
- '(?i)cmd.exe'
- type: regex
regex:
# mmshell = 'xxx'
- '(?i)mmshell'
- '(?i)GetCmd'

15
file/webshell/jsp.yaml → file/webshell/jsp-webshell.yaml
View File

@ -1,17 +1,22 @@
id: jsp-webshell-scanner
id: jsp-webshell
info:
name: JSP Webshell Scanner
name: JSP Webshell - Detect
author: lu4nx
severity: high
reference:
- https://github.com/tennc/webshell
tags: jsp,file
- https://github.com/tennc/webshell/tree/master/jsp
- https://github.com/tennc/webshell/tree/master/jspx
- https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
metadata:
verified: true
tags: jsp,java,jspx,webshell,file
file:
- extensions:
- jsp
- java
- jspx
extractors:
- type: regex
@ -20,6 +25,4 @@ file:
- '(?i)cmd.exe'
- '(?i)/bin/sh'
- '(?i)/bin/bash'
- type: regex
regex:
- '(?i)exeCmd'

33
file/webshell/php-webshell.yaml Normal file
View File

@ -0,0 +1,33 @@
id: php-webshell
info:
name: PHP Webshell - Detect
author: lu4nx
severity: high
reference:
- https://github.com/tennc/webshell/tree/master/php
- https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
metadata:
verified: true
tags: php,file,webshell
file:
- extensions:
- php
extractors:
- type: regex
regex:
- '(?i)\b(passthru|eval|exec|system|phpinfo|assert|call_user_func|call_user_func_array)\('
- '(?i)cmd.exe'
- '(?i)/bin/sh'
- '(?i)/bin/bash'
- '(?i)WScript.Shell'
- '(?i)gzuncompress\(base64_decode\('
- '\]\(\$_(GET|POST|COOKIE|REQUEST)\['
- '(?i)new\s*(ReflectionFunction|ReflectionClass)'
- '(?i)0x647261646e617473'
- '65786563' # exec
- '(?i)\$\w+\(\$_(GET|POST|COOKIE|REQUEST)'
- '(?i)b4tm4n'
- '(?i)cmdshell'

41
file/webshell/php.yaml
View File

@ -1,41 +0,0 @@
id: php-webshell-scanner
info:
name: PHP Webshell Scanner
author: lu4nx
severity: high
reference:
- https://github.com/tennc/webshell
tags: php,file
file:
- extensions:
- php
extractors:
- type: regex
regex:
- '(?i)\b(passthru|eval|exec|system|phpinfo|assert|call_user_func|call_user_func_array)\('
- '(?i)cmd.exe'
- '(?i)/bin/sh'
- '(?i)/bin/bash'
- '(?i)WScript.Shell'
- type: regex
regex:
- '(?i)gzuncompress\(base64_decode\('
# Example: $array[0]['tt']($_POST['tt1234']);
- '\]\(\$_(GET|POST|COOKIE|REQUEST)\['
# Example:
# $f = new class($_POST['name']) extends ReflectionFunction {};
# $f->invoke($_POST[xxx]);
- '(?i)new\s*(ReflectionFunction|ReflectionClass)'
# Reference: https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php
- '(?i)0x647261646e617473'
# Reference: https://github.com/upsi1on/webshell/blob/main/upsi1on/upsi1on.php#L1173
- '65786563' # exec
# Example:
# $a = substr('1a',1).'s'.'s'.'e'.'r'.'t';
# $a($_POST['x']);
- '(?i)\$\w+\(\$_(GET|POST|COOKIE|REQUEST)'
- '(?i)b4tm4n'
- '(?i)cmdshell'