这个Python脚本遍历指定目录下所有PHP文件,使用正则表达式匹配常见的恶意代码模式,如eval函数、shell命令执行等。当找到匹配项时,它会打印出文件路径和恶意代码片段,帮助识别潜在的安全风险。
#!/usr/bin/python
# -*- coding: utf-8 -*-
#blog:www.sinesafe.com
importos
importsys
importre
rulelist =[
'(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
'(_decode\([\'"][\w\+/=]{200,}[\'"]\))',
'eval\(_decode\(',
'(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
'(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
'(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
'(w\.shell)',
'(gethostbyname\()',
'(cmd\.exe)',
'(shell\.application)',
'(documents\s+and\s+settings)',
'(system32)',
'(serv-u)',
'(提权)',
'(phpspy)',
'(后门)',
'(webshell)',
'(Program\s+Files)'
]
defScan(path):
forroot,dirs,files inos.walk(path):
forfilespath infiles:
isover =False
if'.'infilespath:
ext =filespath[(filespath.rindex('.')+1):]
ifext=='php':
file=open(os.path.join(root,filespath))
filestr =file.read()
file.close()
forrule inrulelist:
result =re.compile(rule).findall(filestr)
ifresult:
print'文件:'+os.path.join(root,filespath)
print'恶意代码:'+str(result[0])
print'\n\n'
break
ifos.path.lexists(sys.argv[1]):
print('\n\n开始扫描:'+sys.argv[1])
print(' 可疑文件 ')
print('########################################')
Scan(sys.argv[1])
print('提示:扫描完成-- O(∩_∩)O哈哈~')
else:
print'提示:指定的扫描目录不存在--- 我靠( \'o′)!!凸'
扫一扫
3413
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
