Merge pull request #6024 from lu4nx/add-webshell-file-scan

Add ASP.NET, ASP, JSP and PHP web shell files scanner
2023-07-04 10:37:10 +05:30 · 2023-07-04 10:37:10 +05:30 · d39cd2d586
parent 98088594a1 ced01f1ac8
commit d39cd2d586
3 changed files with 94 additions and 0 deletions
--- a/file/webshell/asp-webshell.yaml
+++ b/file/webshell/asp-webshell.yaml
@ -0,0 +1,33 @@
+id: asp-webshell
+
+info:
+  name: ASP/ASP.NET Webshell - Detect
+  author: lu4nx
+  severity: high
+  reference:
+    - https://github.com/tennc/webshell/tree/master/aspx
+    - https://github.com/tennc/webshell/tree/master/asp
+    - https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
+  metadata:
+    verified: true
+  tags: asp,aspx,file,webshell
+
+file:
+  - extensions:
+      - asp
+      - asa
+      - aspx
+      - ashx
+      - asmx
+      - asax
+
+    extractors:
+      - type: regex
+        regex:
+          - '(?i)(eval)'
+          - '(?i)(eval|execute)\('
+          - '(?i)wscript.shell'
+          - '(?i)ExecuteStatement'
+          - '(?i)cmd.exe'
+          - '(?i)mmshell'
+          - '(?i)GetCmd'
--- a/file/webshell/jsp-webshell.yaml
+++ b/file/webshell/jsp-webshell.yaml
@ -0,0 +1,28 @@
+id: jsp-webshell
+
+info:
+  name: JSP Webshell - Detect
+  author: lu4nx
+  severity: high
+  reference:
+    - https://github.com/tennc/webshell/tree/master/jsp
+    - https://github.com/tennc/webshell/tree/master/jspx
+    - https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
+  metadata:
+    verified: true
+  tags: jsp,java,jspx,webshell,file
+
+file:
+  - extensions:
+      - jsp
+      - java
+      - jspx
+
+    extractors:
+      - type: regex
+        regex:
+          - '(?i)(ClassLoader|exec|eval|ProcessBuilder|getInputStream|loadClass|defineClass|URLClassLoader)\('
+          - '(?i)cmd.exe'
+          - '(?i)/bin/sh'
+          - '(?i)/bin/bash'
+          - '(?i)exeCmd'
--- a/file/webshell/php-webshell.yaml
+++ b/file/webshell/php-webshell.yaml
@ -0,0 +1,33 @@
+id: php-webshell
+
+info:
+  name: PHP Webshell - Detect
+  author: lu4nx
+  severity: high
+  reference:
+    - https://github.com/tennc/webshell/tree/master/php
+    - https://www.rapid7.com/blog/post/2016/12/14/webshells-101/
+  metadata:
+    verified: true
+  tags: php,file,webshell
+
+file:
+  - extensions:
+      - php
+
+    extractors:
+      - type: regex
+        regex:
+          - '(?i)\b(passthru|eval|exec|system|phpinfo|assert|call_user_func|call_user_func_array)\('
+          - '(?i)cmd.exe'
+          - '(?i)/bin/sh'
+          - '(?i)/bin/bash'
+          - '(?i)WScript.Shell'
+          - '(?i)gzuncompress\(base64_decode\('
+          - '\]\(\$_(GET|POST|COOKIE|REQUEST)\['
+          - '(?i)new\s*(ReflectionFunction|ReflectionClass)'
+          - '(?i)0x647261646e617473'
+          - '65786563' # exec
+          - '(?i)\$\w+\(\$_(GET|POST|COOKIE|REQUEST)'
+          - '(?i)b4tm4n'
+          - '(?i)cmdshell'