mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-01-31 15:53:33 +08:00
42 lines
1.3 KiB
YAML
42 lines
1.3 KiB
YAML
id: php-webshell-scanner
|
|
|
|
info:
|
|
name: PHP Webshell Scanner
|
|
author: lu4nx
|
|
severity: high
|
|
reference:
|
|
- https://github.com/tennc/webshell
|
|
tags: php,file
|
|
|
|
file:
|
|
- extensions:
|
|
- php
|
|
|
|
extractors:
|
|
- type: regex
|
|
regex:
|
|
- '(?i)\b(passthru|eval|exec|system|phpinfo|assert|call_user_func|call_user_func_array)\('
|
|
- '(?i)cmd.exe'
|
|
- '(?i)/bin/sh'
|
|
- '(?i)/bin/bash'
|
|
- '(?i)WScript.Shell'
|
|
- type: regex
|
|
regex:
|
|
- '(?i)gzuncompress\(base64_decode\('
|
|
# Example: $array[0]['tt']($_POST['tt1234']);
|
|
- '\]\(\$_(GET|POST|COOKIE|REQUEST)\['
|
|
# Example:
|
|
# $f = new class($_POST['name']) extends ReflectionFunction {};
|
|
# $f->invoke($_POST[xxx]);
|
|
- '(?i)new\s*(ReflectionFunction|ReflectionClass)'
|
|
# Reference: https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php
|
|
- '(?i)0x647261646e617473'
|
|
# Reference: https://github.com/upsi1on/webshell/blob/main/upsi1on/upsi1on.php#L1173
|
|
- '65786563' # exec
|
|
# Example:
|
|
# $a = substr('1a',1).'s'.'s'.'e'.'r'.'t';
|
|
# $a($_POST['x']);
|
|
- '(?i)\$\w+\(\$_(GET|POST|COOKIE|REQUEST)'
|
|
- '(?i)b4tm4n'
|
|
- '(?i)cmdshell'
|