
Python扫描Webshell工具

时间:2015/5/19 18:59:05 作者:平凡之路 来源:xuhantao.com 浏览:

递归扫描指定目录下的 PHP 等脚本文件,用一组特征正则匹配可疑的 Webshell 代码,并打印命中的片段。注意:这是纯基于特征(签名)的检测,既会误报(正常代码中也可能出现 shell_exec、eval 等),也会漏报(经过混淆、编码或分段拼接的 Webshell),命中结果必须人工复核,不能作为唯一判断依据。
#!/usr/bin/env python
import sys
import os
import re
import datetime
import os.path
 
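if __name__ == "__main__" and len(sys.argv) < 2:
    # Banner plus usage when the scan root is missing.  The original printed
    # this and then fell through to sys.argv[1] and died with an IndexError;
    # exit with a non-zero status instead so a wrapper script sees the failure.
    # Guarded on __name__ so importing the module does not print or exit.
    print("\n  /*//////////////////////////////////////////")
    print("  //         Sov Webshell Scan tool         //")
    print("  //      by:0x001      //")
    print("  //////////////////////////////////////////*/\n")
    print('  Usage : python SovScan.py /web/0x001')
    sys.exit(1)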
 
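# Webshell signatures, one raw-string regex per entry, joined into a single
# alternation below.  Grouped by the kind of backdoor each entry targets.
# Literal dots in product/namespace names are escaped (the original left
# "server.execute", "Server.CreateObject", "System.Reflection.Assembly.Load"
# and ".encode" with a wildcard dot).  Matching is case-insensitive because
# PHP and VBScript function names are case-insensitive, so EVAL($_POST[...])
# is just as live as eval(...) and must not slip past the scanner.
_WEBSHELL_SIGNATURES = [
    # ASP / VBScript: execute/eval fed straight from the request or session
    r"\bserver\.execute\s+request",
    r"\bexecute\s+request",
    r"\beval\s+request",
    r"\beval_r\s+request",
    r"\bExecuteGlobal\s+request",
    r"\bExecute\s+Session",
    r"\bexecute\s*\(+\s*request",
    r"\beval\s*\(+\s*request",
    r"\beval_r\s*\(+\s*request",
    r"\bExecuteGlobal\s*\(+\s*request",
    r"\bExecute\s*\(+\s*Session",
    r"\s*'\s*:\s*eval",
    r'\bServer\.CreateObject\s*\(\s*\"ScriptControl\"\s*\)',
    # ASP.NET: loading an assembly from request data
    r"\bSystem\.Reflection\.Assembly\.Load",
    # PHP: eval/assert on a variable, and backtick execution of request data
    r"\beval\s*\(+\s*\$",
    r"\beval_r\s*\(+\s*\$",
    r"\bassert\s*\(+\s*\$",
    r"`\$_Request\[.*`",
    r"`\$_GET\[.*`",
    r"`\$_POST\[.*`",
    r"\.ExecuteStatement\s*\(",
    r"\bnew\s+WebAdmin2Y",
    # PHP: eval of base64/gzip-encoded payloads
    r"\beval\s*\(\s*@?base64_decode\s*\(",
    r"\beval\s*\(\s*@?gzuncompress\s*\(\s*@?base64_decode\(",
    # PHP: including "image" or text files, a classic upload-bypass trick
    r"\binclude.*(\.jpg|\.gif|\.png|\.bmp|\.txt)",
    r"\brequire_once.*(\.jpg|\.gif|\.png|\.bmp|\.txt)",
    r"\brequire.*(\.jpg|\.gif|\.png|\.bmp|\.txt)",
    r"\bexecute\s*\(+\s*\w+\s*\(+.*\s*\)",
    # Command execution and dangerous COM / SQL / socket APIs
    r"\bshell_exec\b",
    r"\bpassthru\s*\(",
    r"\bwscript\.shell\b",
    r"\bShell\.Application\b",
    r"\bVBScript\.Encode\b",
    r"\bxp_cmdshell\b",
    r"\bproc_open\b",
    r"\bSystem\.Net\.Sockets\b",
    r"\bSystem\.Diagnostics\b",
    r"\bSystem\.DirectoryServices\b",
    r"\bSystem\.ServiceProcess\b",
    r"\bnew\s+Socket\b",
    r"\bSystem\.Reflection\.Assembly\.Load\(Request\.BinaryRead\b",
    # Java/JSP command execution
    r"\bRuntime\.getRuntime\(\)\.exec\b",
    # Well-known ActiveX CLSIDs abused by ASP shells
    r"clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8",
    r"clsid:13709620-C279-11CE-A49E-444553540000",
    r"clsid:0D43FE01-F093-11CF-8940-00A0C9054228",
    r"clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B",
    # Script-encoded (screnc) ASP pages
    r'\bLANGUAGE\s*=\s*[\"]?\s*(vbscript|jscript|javascript)\.encode\b',
    # "eval" split across quotes/dots, e.g. 'e'.'v'.'a'.'l'
    r"'?e'?\.?'?v'?\.?'?a'?\.?'?l'",
]

# Single compiled alternation used by FileHandler; earlier entries win on ties.
pattern = re.compile("|".join(_WEBSHELL_SIGNATURES), re.IGNORECASE)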
 
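# Extensions scanned by default.  The original scanner only looked at ".php"
# even though `pattern` also carries ASP/ASPX/JSP signatures, so those script
# types are included too.  Compared case-insensitively (IIS paths vary in case).
SCAN_EXTENSIONS = ('.php', '.php3', '.php4', '.php5', '.php7', '.phtml',
                   '.asp', '.aspx', '.ashx', '.asmx', '.jsp', '.jspx')


def FileHandler(ev, filename, regex=None, extensions=SCAN_EXTENSIONS):
    """Scan one file for webshell signatures and print any hits.

    Args:
        ev: Label printed in front of the file name (the caller passes 'Scan:').
        filename: Path of the file to scan.
        regex: Compiled regular expression matched against the file contents;
            defaults to the module-level ``pattern``.
        extensions: Lower-case extensions that are scanned; any other file is
            skipped without being opened.

    Returns:
        False when the file was skipped (unsupported extension, missing or
        unreadable); otherwise the list of matched snippets, empty when the
        file produced no hits.
    """
    if not filename.lower().endswith(tuple(extensions)):
        return False

    # EAFP: an exists() check followed by open() is racy and still blows up on
    # directories or unreadable files, so try the open and treat failure as
    # "skipped" rather than aborting the whole directory walk.
    try:
        with open(filename, 'rb') as fh:
            raw = fh.read()
    except (IOError, OSError):
        return False

    # Decode as latin-1: every byte maps to exactly one code point, so
    # malformed UTF-8 or embedded binary (common in packed/obfuscated shells)
    # can never abort the scan on Python 3, while the ASCII signatures still
    # match.  Reading the whole file is fine here; readlines() chunking in
    # the original was concatenated into one string anyway.
    content = raw.decode('latin-1')

    sig = pattern if regex is None else regex
    hits = [m.group() for m in sig.finditer(content)]
    if hits:
        stamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M")
        # Single-argument print() so the same line works on Python 2 and 3.
        print("\n%s %s %s , Matching number : %d" % (stamp, ev, filename, len(hits)))
        print("Matching Result:   " + " ".join(hits) + "\n")
    return hits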
 
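if __name__ == "__main__":
    # Entry point: walk the directory given on the command line and hand every
    # file to FileHandler, which itself skips extensions it does not scan.
    # Guarded on __name__ so the module can be imported (e.g. for tests or
    # reuse of FileHandler/pattern) without starting a scan.
    rootdir = sys.argv[1]

    def _walk_error(err):
        # os.walk swallows permission errors by default, which silently turns
        # an unreadable directory into a blind spot for the scan.  Report it
        # so the operator knows that part of the tree was not inspected.
        sys.stderr.write("Skipped (not readable): %s\n" % (err.filename,))

    # followlinks is left at its default (False) so a symlink inside the web
    # root cannot drag the scan out of the tree or into a loop.
    for parent, dirnames, filenames in os.walk(rootdir, onerror=_walk_error):
        for filename in filenames:
            FileHandler('Scan:', os.path.join(parent, filename))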

