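$fileWritable, 'file_not_writable' => $fileNotWritable ); }

/**
 * List the files reported by getSortedByTime($path) whose extension is in $ext.
 *
 * The extension comparison is case-insensitive ($ext is expected in lower case).
 *
 * @param string $path directory handed straight to getSortedByTime()
 * @param array  $ext  lower-case extensions to keep, e.g. array('php', 'phtml')
 * @return array 'file_writable'     => list of matching paths (empty array when none match),
 *               'file_not_writable' => matching list, or false when getSortedByTime()
 *                                      supplied no not-writable list
 */
function getSortedByExtension($path, $ext)
{
    $result = getSortedByTime($path);

    $fileWritable = isset($result['file_writable']) ? $result['file_writable'] : array();
    // The original evaluated this ternary without assigning it, so the
    // not-writable list was silently discarded on every call.
    $fileNotWritable = isset($result['file_not_writable']) ? $result['file_not_writable'] : false;

    // Keep entries whose lower-cased extension is one of $ext; strict comparison so
    // numeric-looking extensions are not loosely matched.
    $hasWantedExtension = function ($entry) use ($ext) {
        $extension = strtolower(pathinfo($entry, PATHINFO_EXTENSION));
        return in_array($extension, $ext, true);
    };

    $sortedWritableFile = array_values(array_filter((array) $fileWritable, $hasWantedExtension));

    // getSortedByTime() may hand back false instead of a list; pass that through
    // rather than iterating over a non-array.
    $sortedNotWritableFile = is_array($fileNotWritable)
        ? array_values(array_filter($fileNotWritable, $hasWantedExtension))
        : false;

    return array(
        'file_writable' => $sortedWritableFile,
        'file_not_writable' => $sortedNotWritableFile
    );
}

/**
 * Return the distinct, trimmed, lower-cased token texts of a PHP source file.
 *
 * Only tokens that carry text (the array form returned by token_get_all()) are
 * collected; single-character tokens such as ';' or '(' are skipped.
 *
 * @param string $filename path of the file to tokenise
 * @return array list of unique lower-case token strings; empty when the file
 *               cannot be read
 */
function getFileTokens($filename)
{
    /* token_get_all() does not support:
       - the old open-tag notations "<? ... ?>" and "<% ... %>"
       - heredoc syntax
       - nowdoc syntax (since PHP 5.3.0) */
    $fileContent = file_get_contents($filename);
    if ($fileContent === false) {
        // Unreadable file: nothing to scan. The original tokenised "" here.
        return array();
    }

    // NOTE(review): the original source was truncated between this replacement
    // string and the token loop; the lines up to the foreach were reconstructed
    // from the variables the loop uses ($token, $tokenCount, $output).
    // Rewrite short open tags ("<?" followed by a non-word character) as "<?php"
    // so that token_get_all() tokenises that code instead of treating it as HTML.
    $fileContent = preg_replace('/<\?([^p=\w])/m', '<?php $1', $fileContent);
    if (!is_string($fileContent)) {
        // preg_replace() returns null on a PCRE error (e.g. backtrack limit)
        return array();
    }

    $output = array();
    foreach (token_get_all($fileContent) as $token) {
        // Array tokens are array(id, text, line); bare strings are punctuation.
        if (is_array($token) && isset($token[1])) {
            // The original wrote "$output[] .= ..." which appends to a fresh
            // element; plain assignment is the intended operation.
            $output[] = strtolower($token[1]);
        }
    }

    // Drop whitespace-only tokens and duplicates, then reindex as a list.
    return array_values(array_unique(array_filter(array_map('trim', $output))));
}

/**
 * Return every needle that also appears in the haystack, in needle order.
 *
 * @param array $tokenNeedles  lower-case token strings to look for
 * @param array $tokenHaystack lower-case token strings found in a file
 * @return array list of needles present in $tokenHaystack (duplicates kept)
 */
function compareTokens($tokenNeedles, $tokenHaystack)
{
    $output = array();
    foreach ($tokenNeedles as $tokenNeedle) {
        // Strict comparison: both sides are strings, so loose numeric-string
        // equality ('1' == '01') must not count as a match.
        if (in_array($tokenNeedle, $tokenHaystack, true)) {
            $output[] = $tokenNeedle;
        }
    }
    return $output;
}

// File extensions that the scanner treats as PHP source (lower case; compared
// case-insensitively by getSortedByExtension()).
$ext = array(
    'php',
    'phps',
    'pht',
    'phpt',
    'phpt',
    'phtml',
    'phar',
    'php3',
    'php4',
    'php5',
    'php7',
    'suspected'
);

// Lower-case token texts whose presence is reported by the scanner. Entries are
// matched exactly against the output of getFileTokens(), which trims and
// lower-cases tokens, so every entry here must be lower case without whitespace.
$tokenNeedles = array(
    // Obfuscation
    'base64_decode',
    'rawurldecode',
    'urldecode',
    'gzinflate',
    'gzuncompress',
    'str_rot13',
    'convert_uu',
    'htmlspecialchars_decode',
    'bin2hex',
    'hex2bin',
    'hexdec',
    'chr',
    'strrev',
    'goto',
    'implode',
    'strtr',
    'extract',
    'parse_str', // works like extract if only one argument is given.
    'substr',
    'mb_substr',
    'str_replace',
    'substr_replace',
    'preg_replace', // able to do eval on match
    'exif_read_data',
    'readgzfile',
    // Shell / Process
    'eval',
    'exec',
    'shell_exec',
    'system',
    'passthru',
    'pcntl_fork',
    'fsockopen',
    'proc_open',
    'popen', // the original had a trailing space ('popen '), which can never match a trimmed token
    'assert', // identical to eval
    'posix_kill',
    'posix_setpgid',
    'posix_setsid',
    'posix_setuid',
    'proc_nice',
    'proc_close',
    'proc_terminate',
    'apache_child_terminate',
    // Server Information
    'posix_getuid',
    'posix_geteuid',
    'posix_getegid',
    'posix_getpwuid',
    'posix_getgrgid',
    'posix_mkfifo',
    'posix_getlogin',
    'posix_ttyname',
    'getenv',
    'proc_get_status',
    'get_cfg_var',
    'disk_free_space',
    'disk_total_space',
    'diskfreespace',
    'getlastmo', // NOTE(review): looks like a truncated 'getlastmod' -- confirm before changing
    'getmyinode',
    'getmypid',
    'getmyuid',
    'getmygid',
    'fileowner',
    'filegroup',
    'get_current_user',
    'pathinfo',
    'getcwd',
    'sys_get_temp_dir',
    'basename',
    'phpinfo',
    // Database
    'mysql_connect',
    'mysqli_connect',
    'mysqli_query',
    'mysql_query',
    // I/O
    'fopen',
    'fsockopen',
    'file_put_contents',
    'file_get_contents',
    'url_get_contents',
    'stream_get_meta_data',
    'move_uploaded_file',
    '$_files',
    'copy',
    'include',
    'include_once',
    'require',
    'require_once',
    '__file__',
    // Miscellaneous
    'mail',
    'putenv',
    'curl_init',
    'tmpfile',
    'allow_url_fopen',
    'ini_set',
    'set_time_limit',
    'session_start',
    'symlink',
    '__halt_compiler',
    '__compiler_halt_offset__',
    'error_reporting',
    'create_function',
    'get_magic_quotes_gpc',
    '$auth_pass',
    '$password',
);
?>
Cicak WebSHell Scanner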
Webshell Scanner
RESULT
', $filePath, $cmp); //unlink($filePath); } } }
%s (%s)