扫描目录下的可疑Webshell的文件，并显示出相应的代码。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#!/usr/bin/env python
import sys
import os
import re
import datetime
import os.path
 
if len(sys.argv) <2:
    print("\n  /*//////////////////////////////////////////");
    print("  //         Sov Webshell Scan tool         //");
    print("  //      by:0x001  http://www.0x001.com    //");
    print("  //////////////////////////////////////////*/\n");
    print('  Usage : python SovScan.py /web/0x001')
 
pattern = re.compile(r"\bserver.execute\s+request|\bexecute\s+request|\beval\s+request|\beval_r\s+request|\bExecuteGlobal\s+request|\bExecute\s+Session|\bexecute\s*\(+\s*request|\beval\s*\(+\s*request|\beval_r\s*\(+\s*request|\bExecuteGlobal\s*\(+\s*request|\bExecute\s*\(+\s*Session|\s*'\s*:\s*eval|\bServer.CreateObject\s*\(\s*\"ScriptControl\"\s*\)|\bSystem.Reflection.Assembly.Load|\beval\s*\(+\s*\$|\beval_r\s*\(+\s*\$|\bassert\s*\(+\s*\$|`\$_Request\[.*`|`\$_GET\[.*`|`\$_POST\[.*`|\.ExecuteStatement\s*\(|\bnew\s+WebAdmin2Y|\beval\s*\(\s*@?base64_decode\s*\(|\beval\s*\(\s*@?gzuncompress\s*\(\s*@?base64_decode\(|\binclude.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\brequire_once.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\brequire.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\bexecute\s*\(+\s*\w+\s*\(+.*\s*\)|\bshell_exec\b|\bpassthru\s*\(|\bwscript\.shell\b|\bShell\.Application\b|\bVBScript\.Encode\b|\bxp_cmdshell\b|\bproc_open\b|\bSystem\.Net\.Sockets\b|\bSystem\.Diagnostics\b|\bSystem\.DirectoryServices\b|\bSystem\.ServiceProcess\b|\bnew\s+Socket\b|\bSystem\.Reflection\.Assembly\.Load\(Request\.BinaryRead\b|\bRuntime\.getRuntime\(\)\.exec\b|clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8|clsid:13709620-C279-11CE-A49E-444553540000|clsid:0D43FE01-F093-11CF-8940-00A0C9054228|clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B|\bLANGUAGE\s*=\s*[\"]?\s*(vbscript|jscript|javascript).encode\b|'?e'?\.?'?v'?\.?'?a'?\.?'?l'")
 
def FileHandler(ev,filename):
    # find file
    p_file = re.compile(r"\.php$")
    match = p_file.search(filename)
    if match == None:
        return False
 
    e = os.path.exists(filename)
    if e == False:
        return False
 
    # read file
    filecontent = ''
    file = open(filename)
    while True:
        lines = file.readlines(100000)
        if not lines:
            break
        for line in lines:
            filecontent = filecontent +line
    #print filecontent  
 
    match = pattern.finditer(filecontent)
    mlist = list(match)
    num = len(mlist)
    if num >0:
        nowtime = datetime.datetime.now().strftime("%Y-%m-%d %H:%M")
        print '\n',nowtime,' ',ev,filename,', Matching number : ',num,'\nMatching Resut:   ',
        for m in mlist:
            print m.group(),
        print '\n'
    else:
        pass
 
rootdir = sys.argv[1]
for parent, dirnames, filenames in os.walk(rootdir):
    #for dirname in dirnames:
    #    print os.path.join(parent,dirname),'/'
    for filename in filenames:
        FileHandler('Scan:',os.path.join(parent,filename))

from: http://www.0x001.com/?p=687