Threat scanner

dakata__92
Web-tourist
Posts: 3259
Joined: Tue Aug 02, 2011 7:24 pm
Answers: 126

Threat scanner

Post by dakata__92 » Mon Jan 15, 2018 1:37 pm

Hello colleagues! I decided to build a scanner for possible threats uploaded to the site. At the moment I go by the file extension, and if the file is PHP it is checked for the following tokens:
T_BAD_CHARACTER,
T_START_HEREDOC,
T_END_HEREDOC,
T_CURLY_OPEN,
T_DECLARE,
T_EVAL,
T_DOLLAR_OPEN_CURLY_BRACES,
T_ELLIPSIS,
T_GOTO,
T_HALT_COMPILER,
T_INLINE_HTML,
T_STRING_VARNAME,
T_YIELD
What do you think about this?

anonimen
Web-tourist
Posts: 1561
Joined: Mon Jun 11, 2012 6:07 pm
Answers: 163
Location: Parse error: unexpected "}" in /home/index.php on line 26

Re: Threat scanner

Post by anonimen » Mon Jan 15, 2018 3:34 pm

What is the problem with these?
T_START_HEREDOC,
T_END_HEREDOC,
T_CURLY_OPEN,
T_DOLLAR_OPEN_CURLY_BRACES,
T_ELLIPSIS,
T_STRING_VARNAME,
T_YIELD
I looked them up in the documentation and I don't see what threat they could pose. They look perfectly fine.

dakata__92
Web-tourist
Posts: 3259
Joined: Tue Aug 02, 2011 7:24 pm
Answers: 126

Post by dakata__92 » Mon Jan 15, 2018 5:16 pm

In principle nothing, but I put them in so that I get alerted if they appear in a given piece of code. My idea is to build a scanner that checks whether I have a shell uploaded to the system. In principle this will be, let's say, a minimal protection that can be enabled from the admin panel, but overall I'm keen to develop it a bit further as an idea.

anonimen
Web-tourist
Posts: 1561
Joined: Mon Jun 11, 2012 6:07 pm
Answers: 163
Location: Parse error: unexpected "}" in /home/index.php on line 26

Post by anonimen » Mon Jan 15, 2018 8:14 pm

If you are guarding against a shell, look for commands rather than syntax elements - for example rm/mount/cp/mv/.... That is easily bypassed by splitting the string into pieces, so perhaps that is what you will have to watch for: suspicious concatenation of several strings into one.

Fakeheal
Guru
Posts: 2703
Joined: Sat Apr 17, 2010 6:37 am
Answers: 351
Location: /r/eyebleach

Post by Fakeheal » Tue Jan 16, 2018 4:07 pm

Btw:

Code:

<?${[]}.=[];${![]}.=${[]}{!![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};
${![]}.=${[]}{![]+![]+![]};++${![]};++${![]};++${![]};++${![]};
${![]}.=${![]}{![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};
${![]}.=${![]}{![]+![]}.${![]}{![]+![]};++${![]};++${![]};++${![]};
${![]}.=${[]}^${[]}{![]+![]+![]};
${![]}.=${![]}{!![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};++${![]};
${![]}.=${![]}{![]+![]+![]+![]}.${![]}{![]+![]+![]+![]};++${![]};++${![]};++${![]};
${![]}.=${![]}{![]+![]}.${[]}{![]+![]+![]};++${![]};++${![]};++${![]};
${[]}=${[]}{!![]};++${[]};++${[]};++${[]};
${![]}.=${[]}^${![]}{![]}?><?=${![]};

dakata__92
Web-tourist
Posts: 3259
Joined: Tue Aug 02, 2011 7:24 pm
Answers: 126

Post by dakata__92 » Wed Jan 17, 2018 2:06 pm

Fakeheal wrote:
Btw:
...
Sorry, but I didn't quite get your post.

dakata__92
Web-tourist
Posts: 3259
Joined: Tue Aug 02, 2011 7:24 pm
Answers: 126

Post by dakata__92 » Wed Jan 17, 2018 2:10 pm

anonimen wrote:
If you are guarding against a shell, look for commands rather than syntax elements - for example rm/mount/cp/mv/.... That is easily bypassed by splitting the string into pieces, so perhaps that is what you will have to watch for: suspicious concatenation of several strings into one.
OK, but how do I watch for the commands? For example, watch for functions like system, exec, passthru and so on?
Last edited by dakata__92 on Thu Jan 18, 2018 4:31 pm, edited 1 time in total.

djman
Guru
Posts: 2796
Joined: Sat Sep 12, 2009 8:07 am
Answers: 107

Post by djman » Wed Jan 17, 2018 6:19 pm

dakata__92 wrote:
Fakeheal wrote:
Btw:
...
Sorry, but I didn't quite get your post.
Run it, it is valid (harmless) PHP :) i.e. think again about whether checking for "system", "exec" and so on is enough...

What is your goal? You allow users to upload files and execute them, but want to limit what they can do?

dakata__92
Web-tourist
Posts: 3259
Joined: Tue Aug 02, 2011 7:24 pm
Answers: 126

Post by dakata__92 » Wed Jan 17, 2018 7:06 pm

No. I want to build a scanner that I embed in my applications and that checks for software I don't want there.

novakabg
Tourist
Posts: 337
Joined: Fri May 13, 2016 12:29 pm

Post by novakabg » Thu Jan 18, 2018 3:17 pm

Hahaha, now it's my turn to roast you :) :D :D :D :D :D

Now, as a C++ and Python (and Haskell) programmer, I know a method for checking for bad code in PHP. See how much you yourself understand about PHP, messing with me in the posts :D :D :D :D

You make a scanner for shell_exec, base64_decode, edoced_46esab, fopen, fclose, system, php_uname, chmod, readfile, eval, passthru!

In other words, why don't you check the strings :)

Here is a sample shell script (.sh)

Code:

#!/bin/bash
# Scanner
#
exec >> scanlog.txt            # from here on, stdout goes to the log file
echo "Mal Scan"
echo ""
read -p "Vkarai Papka(Root) " phplocation   # prompt (on stderr): enter the root folder to scan
echo "Proverka na strings v cqlata papka"   # "checking strings in the whole folder"
grep -Rn "eval" "$phplocation"              # quoted, so paths with spaces work
echo "Gotovo priqtelche vij si scanlog.txt."   # "done, friend, look at scanlog.txt"
echo ""
echo "Skaniraneto prikluchi"                   # "scan finished"
echo ""


You make an .sh file, say scan.sh, drop it in the folder and call it :) and then look at the log!

Good luck! :)

By the way, code can also be written to scan the whole site every 24 hours via a cron job and send you an SMS or an e-mail with the file name :) and when and where it was scanned and how!
