$fileWritable,
'file_not_writable' => $fileNotWritable
);
}
/**
* Recurisively list a file by array of extension
*
* @param string $path
* @param array $ext
* @return array of files
*/
function getSortedByExtension($path, $ext)
{
$result = getSortedByTime($path);
$fileWritable = $result['file_writable'];
isset($result['file_not_writable']) ? $result['file_not_writable'] : false;
foreach ($fileWritable as $entry) {
$pathinfo = pathinfo($entry, PATHINFO_EXTENSION);
$pathinfo = strtolower($pathinfo);
if (in_array($pathinfo, $ext)) {
$sortedWritableFile[] = $entry;
}
}
if (isset($fileNotWritable)) {
foreach ($fileNotWritable as $entry) {
$pathinfo = pathinfo($entry, PATHINFO_EXTENSION);
$pathinfo = strtolower($pathinfo);
if (in_array($pathinfo, $ext)) {
$sortedNotWritableFile[] = $entry;
}
}
} else {
$sortedNotWritableFile = false;
}
return array(
'file_writable' => $sortedWritableFile,
'file_not_writable' => $sortedNotWritableFile
);
}
/**
* Get lowercase Array of tokens in a file
*
* @param string $filename
* @return array
*/
function getFileTokens($filename)
{
/*
token_get_all() This function not support :
- Old notation : "" and "<% %>"
- heredoc syntax
- nowdoc syntax (since PHP 5.3.0)
*/
$fileContent = file_get_contents($filename);
$fileContent = preg_replace('/<\?([^p=\w])/m', ' 0) {
for ($i = 0; $i < $tokenCount; $i++) {
if (isset($token[$i][1])) {
$output[] .= strtolower($token[$i][1]);
}
}
}
$output = array_values(
array_unique(array_filter(array_map("trim", $output)))
);
return $output;
}
/**
* Compare tokens and return array of matched tokens
*
* @param array $tokenNeedles
* @param array $tokenHaystack
* @return array
*/
function compareTokens($tokenNeedles, $tokenHaystack)
{
$output = array();
foreach ($tokenNeedles as $tokenNeedle) {
if (in_array($tokenNeedle, $tokenHaystack)) {
$output[] = $tokenNeedle;
}
}
return $output;
}
$ext = array(
'php',
'phps',
'pht',
'phpt',
'phtml',
'phar',
'php3',
'php4',
'php5',
'php7',
'suspected'
);
$tokenNeedles = array(
// Obfuscation
'base64_decode',
'rawurldecode',
'urldecode',
'gzinflate',
'gzuncompress',
'str_rot13',
'convert_uu',
'htmlspecialchars_decode',
'bin2hex',
'hex2bin',
'hexdec',
'chr',
'strrev',
'goto',
'implode',
'strtr',
'extract',
'parse_str', //works like extract if only one argument is given.
'substr',
'mb_substr',
'str_replace',
'substr_replace',
'preg_replace', // able to do eval on match
'exif_read_data',
'readgzfile',
// Shell / Process
'eval',
'exec',
'shell_exec',
'system',
'passthru',
'pcntl_fork',
'fsockopen',
'proc_open',
'popen ',
'assert', // identical to eval
'posix_kill',
'posix_setpgid',
'posix_setsid',
'posix_setuid',
'proc_nice',
'proc_close',
'proc_terminate',
'apache_child_terminate',
// Server Information
'posix_getuid',
'posix_geteuid',
'posix_getegid',
'posix_getpwuid',
'posix_getgrgid',
'posix_mkfifo',
'posix_getlogin',
'posix_ttyname',
'getenv',
'proc_get_status',
'get_cfg_var',
'disk_free_space',
'disk_total_space',
'diskfreespace',
'getlastmo',
'getmyinode',
'getmypid',
'getmyuid',
'getmygid',
'fileowner',
'filegroup',
'get_current_user',
'pathinfo',
'getcwd',
'sys_get_temp_dir',
'basename',
'phpinfo',
// Database
'mysql_connect',
'mysqli_connect',
'mysqli_query',
'mysql_query',
// I/O
'fopen',
'fsockopen',
'file_put_contents',
'file_get_contents',
'url_get_contents',
'stream_get_meta_data',
'move_uploaded_file',
'$_files',
'copy',
'include',
'include_once',
'require',
'require_once',
'__file__',
// Miscellaneous
'mail',
'putenv',
'curl_init',
'tmpfile',
'allow_url_fopen',
'ini_set',
'set_time_limit',
'session_start',
'symlink',
'__halt_compiler',
'__compiler_halt_offset__',
'error_reporting',
'create_function',
'get_magic_quotes_gpc',
'$auth_pass',
'$password',
);
?>
Cicak WebSHell Scanner