Wubi

PHP Shell Detector : Tool for web shell detection


Posted

PHP Shell Detector is a PHP script that helps you find and identify PHP shells. It also has a “web shells” signature database that helps identify “web shells” up to 99%. By using the latest JavaScript and CSS technologies, PHP Shell Detector has a lightweight and friendly interface. The main feature is that if you’re not sure about a suspicious file, you may send it to the websecure.co.il team. After submitting your file, it will be inspected and, if there are any threats, it will be inserted into the “PHP Shell Detector” web shells signature database, and the next time this file will be recognized positively.


We were planning to build a similar kind of tool for our internal testing process. PHP Shell Detector will help us to build it.

Settings used in PHP Shell Detector:

  • extension – extensions that should be scanned
  • showlinenumbers – show the line number where a suspicious function is used
  • dateformat – used with access time & modified time
  • language – if I want to use another language
  • directory – scan a specific directory
  • task – perform a different task
  • report_format – used with is_cron(true); file format for the report file
  • is_cron – if true, run like a cron job (no output)
  • filelimit – maximum files to scan (with more than 30000 you should scan a specific directory)
  • useget – activate the _GET variable for an easy way to receive tasks
  • authentication – protect the script with a user & password; to disable, simply set to NULL
  • remotefingerprint – get the shell signatures db remotely
  • Number of shells in the signature database is: 141

Download PHP Shell Detector:

PHP Shell Detector: emposha-PHP-Shell-Detector-001fa28.tar.gz

Source: PHP Shell Detector a new Tool for web shell detection — PenTestIT

Posted

It would be nice if it did what it claims, but I don't really think so. The so-called shell database is a plain file, not even an sqlite one (even though they gave it the .db extension), in which it keeps base64-encoded samples of shells. It reads the file with file_get_contents, checks it against what is in the database, plus 2-3 preg_match calls to detect base64 encode, eval, exec, etc. Downloading from the source now, it boasts a database of 462 signatures :))

Posted

Antiviruses do the same :) (for the most part...). The idea is good... but bypasses are very simple to make :) for example, instead of base64_decode you can do

<?php
// The name "base64_decode" is assembled from fragments at runtime, so a literal
// search for the string "base64_decode" in the file never sees it.
$c = 'b' . "ase6" . '4_d' . 'eco' . "de";

// PHP calls the function whose name is held in $c (a variable function call).
$c("base 64 encoded string");
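As an added example (not code from this thread or from PHP Shell Detector), here is a small Python scanner that mirrors the two checks the second post describes, an exact match against a file of base64-encoded samples and plain preg_match-style searches for names like eval and base64_decode, and then closes the gap the third post points out: it folds chains of concatenated string literals before matching and flags calls made through a variable. The signature entry, the sample PHP files and all function names are constructed for this demo.

```python
import base64
import re

# Constructed signature database: base64-encoded shell fragments, one per entry,
# mirroring the flat "one encoded sample per line" file the second post describes.
SIGNATURE_DB = [
    base64.b64encode(b'eval(base64_decode($_POST["cmd"]))').decode("ascii"),
]

# Function names whose presence in a PHP file warrants a closer look.
SUSPICIOUS_FUNCS = ("eval", "exec", "system", "passthru", "shell_exec", "base64_decode", "assert")

# Plain-text call patterns: the kind of preg_match check the second post describes.
LITERAL_CALL_RE = {
    name: re.compile(rf"\b{re.escape(name)}\s*\(") for name in SUSPICIOUS_FUNCS
}

# A single- or double-quoted PHP string literal (escapes not handled; enough for the demo).
_STR = r"'[^'\n]*'|\"[^\"\n]*\""
# Two or more literals joined with PHP's '.' operator, e.g. 'b' . "ase6" . '4_d'.
CONCAT_RE = re.compile(rf"(?:(?:{_STR})\s*\.\s*)+(?:{_STR})")
# A call through a variable that holds the function name: $c(...)
VAR_CALL_RE = re.compile(r"\$[A-Za-z_]\w*\s*\(")

# Constructed sample inputs (not real files).
SAMPLE_LITERAL = '<?php eval(base64_decode($_POST["cmd"])); ?>'
SAMPLE_CONCAT = "<?php\n$c = 'b' . \"ase6\" . '4_d' . 'eco' . \"de\";\n$c(\"base 64 encoded string\");\n"
SAMPLE_BENIGN = "<?php $greeting = 'hel' . 'lo'; echo $greeting; ?>"


def fold_concats(src: str) -> str:
    """Replace every chain of concatenated string literals with the single literal
    it evaluates to, so 'b' . "ase6" . '4_d' . 'eco' . "de" becomes 'base64_decode'
    and can be matched by name like any other literal."""
    def join(match: re.Match) -> str:
        parts = re.findall(_STR, match.group(0))
        return "'" + "".join(p[1:-1] for p in parts) + "'"
    return CONCAT_RE.sub(join, src)


def scan(src: str) -> list:
    """Return the sorted list of finding labels for one PHP source string."""
    findings = set()
    # 1. Exact match of a decoded signature-database entry, as the tool does.
    for sig in SIGNATURE_DB:
        if base64.b64decode(sig).decode("utf-8", "replace") in src:
            findings.add("signature")
    # 2. Literal calls such as eval( or base64_decode( in the raw text.
    for name, pat in LITERAL_CALL_RE.items():
        if pat.search(src):
            findings.add(name)
    # 3. Names that only become visible once concatenated literals are folded.
    folded = fold_concats(src)
    for name in SUSPICIOUS_FUNCS:
        if re.search(rf"['\"]{re.escape(name)}['\"]", folded):
            findings.add("string-built:" + name)
    # 4. A call through a variable is itself a signal worth reporting.
    if VAR_CALL_RE.search(src):
        findings.add("variable-call")
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("literal", SAMPLE_LITERAL),
                          ("concat", SAMPLE_CONCAT),
                          ("benign", SAMPLE_BENIGN)):
        print(label, scan(sample))
```

The literal checks alone report nothing for the concatenated sample, which is exactly the bypass the third post shows; folding the literals first turns it into a plain `'base64_decode'` string, and the variable call `$c(` is flagged independently so even a name built some other way still leaves a trace. The folding is deliberately narrow (quoted literals joined by `.`), so it is a detection aid, not a PHP interpreter; a tokenizer-based pass would be the next step for real use.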
