#!/bin/bash
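# Location of the scanner under test and of the sample corpus; both are
# resolved relative to the directory the script is run from.
PMF=./php-malware-finder
SAMPLES=./data/samples
# Abort when yara is not on PATH. The original form
# "type yara ... || (echo ... && exit 1)" ran the exit inside a subshell, so
# only the subshell terminated and the script went on to run every test
# without yara. An if-block runs in the current shell, so exit 1 really
# stops the script.
if ! type yara >/dev/null 2>&1; then
    echo "[-] Please make sure that yara is installed"
    exit 1
fi
# Number of tests that passed so far; incremented by run_test.
CPT=0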
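# Run the scanner on one sample and require that the expected detection
# string shows up on exactly one output line.
#   $1 - sample path, relative to $SAMPLES
#   $2 - pattern handed to grep; it is a basic regular expression, which is
#        why several callers escape brackets as \[ \]
# stdout and stderr of the scanner are merged so a hit on either stream
# counts. On a mismatch the message is printed and the whole script exits 1;
# on success the global CPT is incremented.
# The match count is now a local: the original left NB_DETECTED as a global
# that leaked out of the function after every call.
run_test(){
    local nb_detected
    nb_detected=$("${PMF}" -v -a "$SAMPLES"/"$1" 2>&1 | grep -c "$2" 2>/dev/null)
    # grep -c prints the number of matching lines; anything but "1" (none,
    # or a duplicate hit) is treated as a failure.
    if [[ "$nb_detected" != 1 ]]; then
        echo "[-] $2 was not detected in $1, sorry"
        exit 1
    fi
    CPT=$((CPT+1))
}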
# Each expectation below is either a rule name (e.g. ObfuscatedPhp, DodgyPhp)
# or a fragment of a string match in the form "0xOFFSET:$identifier: data",
# as yara prints matched strings; the offset is therefore tied to the exact
# bytes of the sample file and must be updated if a sample changes.
# Patterns are basic regular expressions for grep, so "[" and "*" are
# escaped where they are meant literally.
# Real samples
run_test cpanel.php '0x294d:$eval: {eval('
run_test freepbx.php 'ObfuscatedPhp'
run_test freepbx.php '0x72:$eval: { system('
run_test freepbx.php 'DodgyPhp'
run_test freepbx.php '0x31d:$execution: system(base64_decode'
# Classic shells
run_test classic/ajaxshell.php 'DodgyStrings'
run_test classic/ajaxshell.php '0x23e2:$: shell_exec'
# Double quotes here so the single quote inside the match can be written;
# the "$" of the identifier must then be escaped from the shell.
run_test classic/ajaxshell.php "0x16e0:\$ini_get: ini_get('safe_mode"
run_test classic/ajaxshell.php "0x17f1:\$ini_get: ini_get('open_basedir"
run_test classic/angel.php '0x1b:$disable_magic_quotes:'
run_test classic/b374k.php 'ObfuscatedPhp'
run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'"
run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func('
run_test classic/b374k.php '0xd6:$align: ;$b374k=$func('
run_test classic/b374k.php '0x43:$: github.com/b374k/b374k'
run_test classic/sosyete.php '0x194e:$execution: shell_exec($_POST'
run_test classic/simattacker.php '0x158:$: fpassthru'
run_test classic/r57.php '0x142a2:$: xp_cmdshell'
run_test classic/cyb3rsh3ll.php '0x2200d:$udp_dos: fsockopen("udp://'
run_test classic/c99.php '0x3bb4:$eval: {exec('
run_test classic/c100.php '0x4f8d:$eval: {eval('
# Obfuscated php
run_test obfuscators/cipher_design.php '0x124:$execution: eval(base64_decode'
run_test obfuscators/cipher_design.php '0x123:$eval: ;eval('
run_test obfuscators/online_php_obfuscator.php '0x51:$eval: ;preg_replace('
run_test obfuscators/online_php_obfuscator.php "0x52:\$pr: preg_replace('/.*/e"
run_test obfuscators/online_php_obfuscator.php "SuspiciousEncoding"
run_test obfuscators/phpencode.php "ObfuscatedPhp"
run_test obfuscators/phpencode.php "DodgyPhp"
# Artificial samples to test some rules
run_test artificial/obfuscated.php '0x0:$eval: <?php@eval('
run_test artificial/obfuscated.php '0x17:$eval: <?php'
run_test artificial/obfuscated.php '0xd1:$align: ;$b374k=$func('
run_test artificial/obfuscated.php '0xf0:$weevely3:'
run_test artificial/obfuscated.php '0x103:$c99_launcher:'
run_test artificial/obfuscated.php '0x117:$variable_variable:'
# Expectations without an offset only check that the identifier matched
# somewhere in the sample, so they survive edits to the sample file.
run_test artificial/dodgy.php '$basedir_bypass:'
run_test artificial/dodgy.php '$basedir_bypass2:'
run_test artificial/dodgy.php '$disable_magic_quotes:'
run_test artificial/dodgy.php '$execution: eval(base64_decode'
run_test artificial/dodgy.php '$execution: base64_decode($_GET'
run_test artificial/dodgy.php '$htaccess:'
run_test artificial/dodgy.php '0xd7:$iis_com: IIS://localhost/w3svc'
run_test artificial/dodgy.php "0xef:\$include: include ( 'lol.png"
run_test artificial/dodgy.php "\$ini_get: ini_get ( 'disable_functions"
run_test artificial/dodgy.php '$ini_get: ini_set("disable_functions'
run_test artificial/dodgy.php '$ini_get: ini_restore("allow_url_include'
run_test artificial/dodgy.php '$shellshock: () { :;};'
# "\*" keeps the asterisk literal for grep.
run_test artificial/dodgy.php '$pr: preg_replace ("/\*/e'
run_test artificial/dodgy.php '$various: <!--#exec cmd='
run_test artificial/dodgy.php '$: AddType application/x-httpd-php .htaccess'
run_test artificial/bypasses.php 'DodgyPhp'
run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
# "\[" and "\]" keep the brackets literal instead of starting a grep
# bracket expression.
run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\]("
# real
run_test real/sucuri_2014_04.php '0x67:$execution3:'
run_test real/novahot.php 'DodgyStrings'
run_test real/guidtz.php '0x286:$non_printables:'
run_test real/ice.php 'double_var'
run_test real/srt.php '$register_function'
run_test real/awvjtnz.php '$reversed:'
run_test real/exceptions.php '$eval_comment: eval/\*k\*/('
run_test real/nano.php '$nano: $x\[f\]('
run_test real/ninja.php '$nano: $x\[0\]('
run_test real/ninja.php '$ninja: base64_decode(substr(getallheaders'
run_test real/include.php ':$silenced_include: @include'
# NOTE(review): this sample lives under undetected/ yet is expected to
# produce an $extract match — the directory name may be historical; confirm.
run_test undetected/smart.php '0x6:$extract:'
# Reached only if every run_test above passed (each failure exits 1).
echo "[+] Congratz, the $CPT tests succeeded!"