Update v1.1.1.4
Arya-f4 committed Oct 1, 2024
1 parent caf2666 commit f2919a5
Showing 2 changed files with 5 additions and 11 deletions.
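--- a/main.go
+++ b/main.go
@@ -303,15 +303,11 @@ func main() {
 
 // Refined regex patterns for more specific webshell detection
 regexPatterns := []string{
-`(?i)(eval|assert|system|shell_exec|passthru)\s*\(\s*["']?[a-zA-Z0-9+/=]{20,}["']?\s*\)`, // Obfuscated eval with base64-like strings
-`(?i)(exec|system|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[([^\]]+)\]\s*\)`, // Remote command execution via superglobals
-`(?i)move_uploaded_file\s*\(.*?,\s*['"]\.\./(.*?)\.php['"]\s*\)`, // File upload and renaming to PHP
-`(?i)(passthru|shell_exec|system|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\]\s*\)`, // Command execution via superglobals
-`(?i)\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[\s*["']REMOTE_ADDR["']\s*\]`, // Accessing superglobal arrays with user input
-`(?i)\$_FILES\s*\[\s*["'][^"']+["']\s*\]\s*\[\s*["']tmp_name["']\s*\]`, // File upload with temp file
-`(?i)\$_FILES\s*\[\s*["'][^"']+["']\s*\]\s*\[\s*["']name["']\s*\]\s*\.\s*["']\.php["']`, // File upload with PHP extension
-`eval\(\s*\$\w+\s*\(\s*\$\w+\s*\(\s*\$\w+\s*\(\s*\$\w+\s*\(\s*\$\w+\s*\)\s*\)\s*\)\s*\)\s*\)\s*;`, // Nested eval
-`(?i)\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[^\]]+\]\s*=.*?\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[[^\]]+\]`, // Variable variable assignments
+`(?i)(eval|assert|system|shell_exec|passthru)\s*\(\s*["']?[a-zA-Z0-9+/=]{20,}["']?\s*\)`, // Obfuscated eval with base64-like strings
+`(?i)(exec|system|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[([^\]]+)\]\s*\)`, // Remote command execution via superglobals
+`(?i)move_uploaded_file\s*\(.*?,\s*['"]\.\./(.*?)\.php['"]\s*\)`, // File upload and renaming to PHP
+`(?i)(passthru|shell_exec|system|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\]\s*\)`, // Command execution via superglobals
+`eval\(\s*\$\w+\s*\(\s*\$\w+\s*\(\s*\$\w+\s*\(\s*\$\w+\s*\(\s*\$\w+\s*\)\s*\)\s*\)\s*\)\s*\)\s*;`, // Nested eval
 }
 
 // Compile regexes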
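Review bot: The nested-eval pattern kept as the last entry of `regexPatterns` is the only one without the `(?i)` flag, so it is matched case-sensitively while the four entries above it are not; PHP function names are case-insensitive, so prefixing it with `(?i)` would keep coverage consistent. The second and fourth entries also overlap: both match `exec(` and `system(` applied to a superglobal index, so, depending on how the match loop outside this hunk reports hits, one line may be flagged twice. Merging them into one entry with a leading `\b`, e.g. `(?i)\b(exec|system|popen|proc_open|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\[.*?\]\s*\)`, would remove the duplicate and stop names such as `curl_exec` from matching on their suffix. `main` starts and ends outside the hunk.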
2 changes: 0 additions & 2 deletions wordlists/default.txt
@@ -72,7 +72,6 @@ $_REQUEST['cmd']
@fopen($_FILES['
if(isset($_REQUEST['cmd']))
shell_exec(base64_decode(
file_get_contents('php://input')
@system(base64_decode(
@eval(gzinflate(base64_decode(
htmlentities(highlight_file($this->file));
@@ -83,7 +82,6 @@ gzuncompress(base64_decode($
ActiveXObject("WScript.Shell").Run(
if (os.platform() == 'win32') {
@shell_exec($)
(strtoupper(substr(PHP_OS,
chunk_split(base64_encode($
<?php echo(str_replace('<','',$_POST['cmd']));?
trim(trim(trim($
