Add ASP.NET, ASP, JSP and PHP webshell scanner

2026-01-31 15:53:33 +08:00 · 2022-11-11 16:51:52 +08:00
parent acbeeb231a
commit 619f9fd7e0
3 changed files with 99 additions and 0 deletions
--- a/file/webshell/asp.yaml
+++ b/file/webshell/asp.yaml
@@ -0,0 +1,33 @@
+id: asp-webshell-scanner
+
+info:
+  name: ASP/ASP.NET Webshell Scanner
+  author: lu4nx
+  severity: high
+  reference:
+    - https://github.com/tennc/webshell
+  tags: asp,asp.net,file
+
+file:
+  - extensions:
+      - asp
+      - asa
+      - aspx
+      - ashx
+      - asmx
+      - asax
+
+    extractors:
+      - type: regex
+        regex:
+          # <%eval request("xx")%>
+          - '(?i)(eval)'
+          - '(?i)(eval|execute)\('
+          - '(?i)wscript.shell'
+          - '(?i)ExecuteStatement'
+          - '(?i)cmd.exe'
+      - type: regex
+        regex:
+          # mmshell = 'xxx'
+          - '(?i)mmshell'
+          - '(?i)GetCmd'
--- a/file/webshell/jsp.yaml
+++ b/file/webshell/jsp.yaml
@@ -0,0 +1,25 @@
+id: jsp-webshell-scanner
+
+info:
+  name: JSP Webshell Scanner
+  author: lu4nx
+  severity: high
+  reference:
+    - https://github.com/tennc/webshell
+  tags: jsp,file
+
+file:
+  - extensions:
+      - jsp
+      - java
+
+    extractors:
+      - type: regex
+        regex:
+          - '(?i)(ClassLoader|exec|eval|ProcessBuilder|getInputStream|loadClass|defineClass|URLClassLoader)\('
+          - '(?i)cmd.exe'
+          - '(?i)/bin/sh'
+          - '(?i)/bin/bash'
+      - type: regex
+        regex:
+          - '(?i)exeCmd'
--- a/file/webshell/php.yaml
+++ b/file/webshell/php.yaml
@@ -0,0 +1,41 @@
+id: php-webshell-scanner
+
+info:
+  name: PHP Webshell Scanner
+  author: lu4nx
+  severity: high
+  reference:
+    - https://github.com/tennc/webshell
+  tags: php,file
+
+file:
+  - extensions:
+      - php
+
+    extractors:
+      - type: regex
+        regex:
+          - '(?i)\b(passthru|eval|exec|system|phpinfo|assert|call_user_func|call_user_func_array)\('
+          - '(?i)cmd.exe'
+          - '(?i)/bin/sh'
+          - '(?i)/bin/bash'
+          - '(?i)WScript.Shell'
+      - type: regex
+        regex:
+          - '(?i)gzuncompress\(base64_decode\('
+          # Example: $array[0]['tt']($_POST['tt1234']);
+          - '\]\(\$_(GET|POST|COOKIE|REQUEST)\['
+          # Example:
+          # $f = new class($_POST['name']) extends ReflectionFunction {};
+          # $f->invoke($_POST[xxx]);
+          - '(?i)new\s*(ReflectionFunction|ReflectionClass)'
+          # Reference: https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php
+          - '(?i)0x647261646e617473'
+          # Reference: https://github.com/upsi1on/webshell/blob/main/upsi1on/upsi1on.php#L1173
+          - '65786563'          # exec
+          # Example:
+          # $a = substr('1a',1).'s'.'s'.'e'.'r'.'t';
+          # $a($_POST['x']);
+          - '(?i)\$\w+\(\$_(GET|POST|COOKIE|REQUEST)'
+          - '(?i)b4tm4n'
+          - '(?i)cmdshell'