闲来无事逛了下腾讯SRC，发现一个查杀 webshell 的小工具，用 Perl 写的，比较早了（2013 年），于是用 Python 也写了一个，方便使用。
用 Python 脚本查 webshell 及挂马比较方便。这个脚本的功能 Notepad++ 也可以实现，不过脚本更灵活、方便扩展，比如按文件特征去识别也可以。注意它只是基于关键字的逐行正则匹配：经过编码/混淆、或把函数调用拆成多行的 webshell 不一定能命中，命中的结果也需要人工确认。代码如下：
#!/usr/bin/python
#coding:utf8
#author:ly55521
import os
import re
import sys
import time
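# Python 2 only: make implicit str<->unicode conversions use UTF-8 so the
# Chinese labels can be mixed with byte-string paths. Guarded so the module
# still imports on Python 3, where reload() is not a builtin and the default
# encoding is already UTF-8.
if sys.version_info[0] < 3:
    reload(sys)
    sys.setdefaultencoding('utf-8')


def _walk_error(err):
    """Report a directory os.walk could not list instead of dropping it silently.

    os.walk ignores listdir errors by default, so a permission-denied or
    vanished directory would be skipped without a trace -- and a directory
    the scanner cannot read is exactly the kind of place a dropped shell
    ends up, so the operator must be told.
    """
    sys.stderr.write("cannot list directory: %s (%s)\n" % (err.filename, err))


# Root of the web tree to scan. Raw string on purpose: the plain "D:\WWW"
# only worked because \W is not an escape sequence; r"" keeps an edit such
# as "D:\new\www" from silently turning "\n" into a newline.
BASE_PATH = r"D:\WWW"

# Lazy walker over BASE_PATH, consumed by the main loop. Symlinked
# directories are not followed (os.walk default), so a link loop cannot
# hang the scan, but a shell reachable only through one is not seen either.
file_object = os.walk(BASE_PATH, onerror=_walk_error)

# Extension filter switch: 0 = scan every file (default), 1 = only the
# suffixes listed in `extension`.
extension_bool = 0

# Suffixes scanned when the filter is on (all lowercase). Besides the bare
# .php/.asp/.jsp, include the alternate suffixes servers commonly map to the
# same script handler, since that is where dropped shells usually hide.
extension = [
    ".php", ".php3", ".php4", ".php5", ".phtml", ".inc",
    ".asp", ".aspx", ".asa", ".ashx",
    ".jsp", ".jspx",
]

# Heuristic PHP webshell signatures, applied per line, case-insensitively.
# `\s*` tolerates whitespace between the function name and "(", which the
# earlier "\beval\(" form missed. Known limits: the call has to open and
# close on the same line, and preg_replace/ob_start/array_map/create_function
# are only dangerous with a callback or the /e modifier, so hits on those
# need manual triage rather than being treated as confirmed shells.
php_code_array = [
    r'\beval\s*\(.*\)',
    r'\bassert\s*\(.*\)',
    r'\bsystem\s*\(.*\)',
    r'\bpassthru\s*\(.*\)',
    r'\bexec\s*\(.*\)',
    r'\bpcntl_exec\s*\(.*\)',
    r'\bshell_exec\s*\(.*\)',
    r'\bpopen\s*\(.*\)',
    r'\bproc_open\s*\(.*\)',
    r'\bpreg_replace\s*\(.*\)',
    r'\bcreate_function\s*\(.*\)',
    r'\bob_start\s*\(.*\)',
    r'\barray_map\s*\(.*\)',
    #r'(include|include_once|require|require_once)',
    #r'(phpspy|4ngel|wofeiwo|c99shell|webshell|php_nst|reDuh)',
]

# ASP / ASP.NET / JSP signature lists are still placeholders. An empty
# pattern matches every line, so none of these may be fed to the scanner
# until real signatures are filled in.
asp_code_array = [
    '',
]
#asp.net webshell str
aspx_code_array = [
    '',
]
#jsp webshell str
jsp_code_array = [
    '',
]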
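def search_webshell(file_path, patterns=None, log_path='access.log'):
    """Scan one file line by line for webshell signatures.

    Every hit is printed and appended to ``log_path``. The whole file is
    scanned, so a single line can yield several hits (one per pattern).

    Args:
        file_path: path of the file to scan.
        patterns: regex strings to look for; defaults to ``php_code_array``.
        log_path: append-mode hit log, created only when there is a hit.

    Returns:
        Number of hits recorded (0 when the file is clean).

    Raises:
        IOError: if ``file_path`` cannot be opened or read.
    """
    if patterns is None:
        patterns = php_code_array
    # Compile once per file rather than once per line per pattern.
    compiled = [(re_str, re.compile(re_str, re.I)) for re_str in patterns]
    hits = []
    with open(file_path, 'r') as f:
        # enumerate from 1 so the reported number is the editor's line number.
        # The earlier version primed `line` before its loop and then read the
        # *next* line before matching, so line 1 -- where a one-line shell
        # such as "<?php eval($_POST['x']);?>" lives -- was never checked.
        for lineno, line in enumerate(f, 1):
            for re_str, pattern in compiled:
                if pattern.search(line):
                    print u"文件路径:", file_path, u"文件行数:", lineno, "--->", u"匹配关键字:", re_str
                    print u"文件内容:", line
                    hits.append("文件路径:" + file_path + "文件行数:" + str(lineno) + "--->" +
                                "匹配关键字:" + re_str + "文件内容:" + line + "\n")
    if hits:
        # Appended, so repeated runs accumulate. NOTE(review): the log stores
        # the matched lines verbatim, so keep it outside the scanned tree or
        # the next run will flag the log itself.
        with open(log_path, "a") as log:
            log.writelines(hits)
    return len(hits)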
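if __name__ == '__main__':
    # The hit log contains the matched lines verbatim; if it sits inside
    # BASE_PATH (e.g. the script is run from the web root) a rerun would
    # report the log as a webshell, so skip it explicitly.
    log_abs = os.path.abspath('access.log')
    for path, dirlist, filelist in file_object:
        for filename in filelist:
            full_path = os.path.join(path, filename)
            if os.path.abspath(full_path) == log_abs:
                continue
            # Extension filter, only when enabled. The suffix is lowercased
            # so "shell.PHP", which a case-insensitive handler mapping still
            # executes, is not skipped; entries in `extension` are lowercase.
            if extension_bool and os.path.splitext(filename)[-1].lower() not in extension:
                continue
            try:
                search_webshell(full_path)
            except (IOError, OSError) as exc:
                # One unreadable file (permissions, lock, vanished mid-scan)
                # must not abort the whole scan; report it and continue.
                print u"读取失败:", full_path, "--->", exc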
#coding:utf8
#author:ly55521
import os
import re
import sys
import time
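# Python 2 only: make implicit str<->unicode conversions use UTF-8 so the
# Chinese labels can be mixed with byte-string paths. Guarded so the module
# still imports on Python 3, where reload() is not a builtin and the default
# encoding is already UTF-8.
if sys.version_info[0] < 3:
    reload(sys)
    sys.setdefaultencoding('utf-8')


def _walk_error(err):
    """Report a directory os.walk could not list instead of dropping it silently.

    os.walk ignores listdir errors by default, so a permission-denied or
    vanished directory would be skipped without a trace -- and a directory
    the scanner cannot read is exactly the kind of place a dropped shell
    ends up, so the operator must be told.
    """
    sys.stderr.write("cannot list directory: %s (%s)\n" % (err.filename, err))


# Root of the web tree to scan. Raw string on purpose: the plain "D:\WWW"
# only worked because \W is not an escape sequence; r"" keeps an edit such
# as "D:\new\www" from silently turning "\n" into a newline.
BASE_PATH = r"D:\WWW"

# Lazy walker over BASE_PATH, consumed by the main loop. Symlinked
# directories are not followed (os.walk default), so a link loop cannot
# hang the scan, but a shell reachable only through one is not seen either.
file_object = os.walk(BASE_PATH, onerror=_walk_error)

# Extension filter switch: 0 = scan every file (default), 1 = only the
# suffixes listed in `extension`.
extension_bool = 0

# Suffixes scanned when the filter is on (all lowercase). Besides the bare
# .php/.asp/.jsp, include the alternate suffixes servers commonly map to the
# same script handler, since that is where dropped shells usually hide.
extension = [
    ".php", ".php3", ".php4", ".php5", ".phtml", ".inc",
    ".asp", ".aspx", ".asa", ".ashx",
    ".jsp", ".jspx",
]

# Heuristic PHP webshell signatures, applied per line, case-insensitively.
# `\s*` tolerates whitespace between the function name and "(", which the
# earlier "\beval\(" form missed. Known limits: the call has to open and
# close on the same line, and preg_replace/ob_start/array_map/create_function
# are only dangerous with a callback or the /e modifier, so hits on those
# need manual triage rather than being treated as confirmed shells.
php_code_array = [
    r'\beval\s*\(.*\)',
    r'\bassert\s*\(.*\)',
    r'\bsystem\s*\(.*\)',
    r'\bpassthru\s*\(.*\)',
    r'\bexec\s*\(.*\)',
    r'\bpcntl_exec\s*\(.*\)',
    r'\bshell_exec\s*\(.*\)',
    r'\bpopen\s*\(.*\)',
    r'\bproc_open\s*\(.*\)',
    r'\bpreg_replace\s*\(.*\)',
    r'\bcreate_function\s*\(.*\)',
    r'\bob_start\s*\(.*\)',
    r'\barray_map\s*\(.*\)',
    #r'(include|include_once|require|require_once)',
    #r'(phpspy|4ngel|wofeiwo|c99shell|webshell|php_nst|reDuh)',
]

# ASP / ASP.NET / JSP signature lists are still placeholders. An empty
# pattern matches every line, so none of these may be fed to the scanner
# until real signatures are filled in.
asp_code_array = [
    '',
]
#asp.net webshell str
aspx_code_array = [
    '',
]
#jsp webshell str
jsp_code_array = [
    '',
]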
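def search_webshell(file_path, patterns=None, log_path='access.log'):
    """Scan one file line by line for webshell signatures.

    Every hit is printed and appended to ``log_path``. The whole file is
    scanned, so a single line can yield several hits (one per pattern).

    Args:
        file_path: path of the file to scan.
        patterns: regex strings to look for; defaults to ``php_code_array``.
        log_path: append-mode hit log, created only when there is a hit.

    Returns:
        Number of hits recorded (0 when the file is clean).

    Raises:
        IOError: if ``file_path`` cannot be opened or read.
    """
    if patterns is None:
        patterns = php_code_array
    # Compile once per file rather than once per line per pattern.
    compiled = [(re_str, re.compile(re_str, re.I)) for re_str in patterns]
    hits = []
    with open(file_path, 'r') as f:
        # enumerate from 1 so the reported number is the editor's line number.
        # The earlier version primed `line` before its loop and then read the
        # *next* line before matching, so line 1 -- where a one-line shell
        # such as "<?php eval($_POST['x']);?>" lives -- was never checked.
        for lineno, line in enumerate(f, 1):
            for re_str, pattern in compiled:
                if pattern.search(line):
                    print u"文件路径:", file_path, u"文件行数:", lineno, "--->", u"匹配关键字:", re_str
                    print u"文件内容:", line
                    hits.append("文件路径:" + file_path + "文件行数:" + str(lineno) + "--->" +
                                "匹配关键字:" + re_str + "文件内容:" + line + "\n")
    if hits:
        # Appended, so repeated runs accumulate. NOTE(review): the log stores
        # the matched lines verbatim, so keep it outside the scanned tree or
        # the next run will flag the log itself.
        with open(log_path, "a") as log:
            log.writelines(hits)
    return len(hits)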
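if __name__ == '__main__':
    # The hit log contains the matched lines verbatim; if it sits inside
    # BASE_PATH (e.g. the script is run from the web root) a rerun would
    # report the log as a webshell, so skip it explicitly.
    log_abs = os.path.abspath('access.log')
    for path, dirlist, filelist in file_object:
        for filename in filelist:
            full_path = os.path.join(path, filename)
            if os.path.abspath(full_path) == log_abs:
                continue
            # Extension filter, only when enabled. The suffix is lowercased
            # so "shell.PHP", which a case-insensitive handler mapping still
            # executes, is not skipped; entries in `extension` are lowercase.
            if extension_bool and os.path.splitext(filename)[-1].lower() not in extension:
                continue
            try:
                search_webshell(full_path)
            except (IOError, OSError) as exc:
                # One unreadable file (permissions, lock, vanished mid-scan)
                # must not abort the whole scan; report it and continue.
                print u"读取失败:", full_path, "--->", exc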
腾讯SRC perl原版链接:https://security.tencent.com/index.php/opensource/detail/2
CF_HB 推荐了一个更完善的工具：https://github.com/xiaoqin00/00scanner/tree/master/00Scanner/findShell/FindShell