直接放在网站根目录运行即可

<?php

/**************PHP Web木马扫描器************************/

/* [+] 版本: v1.0                                      */

/* [+] 功能: web版php木马扫描工具                      */

/* [+] 注意: 扫描出来的文件并不一定就是后门,           */

/*           请自行判断、审核、对比原文件。            */

/*           如果你不确定扫出来的文件是否为后门,      */

/*           欢迎你把该文件发给我进行分析。            */

/*******************************************************/

ob_start();

set_time_limit(0);

$username = "t00ls"; //设置用户名

$password = "t00ls"; //设置密码

$md5 = md5(md5($username).md5($password));

$version = "PHP Web木马扫描器 v1.0";

$realpath = realpath('./');

$selfpath = $_SERVER['PHP_SELF'];

$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));

define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));

define('MYFILE', basename(__FILE__));

define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/');

define('MYFULLPATH', str_replace('\\', '/', (__FILE__)));

define('HOST', "http://".$_SERVER['HTTP_HOST']);

?>

<html>

<head>

<title><?php echo $version?></title>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />

<style>

body{margin:0px;}

body,td{font: 12px Arial,Tahoma;line-height: 16px;}

a {color: #00f;text-decoration:underline;}

a:hover{color: #f00;text-decoration:none;}

.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}

.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}

.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}

.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}

.head td span{font-weight:normal;}

</style>

</head>

<body>

<?php

if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))

{

 echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: <input type="text" name="username" id="username" /> 密码: <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value="登陆" /></form>';

}

elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))

{

 setcookie("t00ls", $md5, time()+60*60*24*365,"/");

 echo "登陆成功!";

 header( 'refresh: 1; url='.MYFILE.'?action=scan' );

 exit();

}

else

{

 setcookie("t00ls", $md5, time()+60*60*24*365,"/");

 $setting = getSetting();

 $action = isset($_GET['action'])?$_GET['action']:"";

 if($action=="logout")

 {

  setcookie ("t00ls", "", time() - 3600);

  Header("Location: ".MYFILE);

  exit();

 }

 if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")

 {

  $file = $_GET['file'];

  ob_clean();

  if (@file_exists($file)) {

   header("Content-type: application/octet-stream");

      header("Content-Disposition: filename=\"".basename($file)."\"");

   echo file_get_contents($file);

  }

  exit();

 }

?>

<table border="0" cellpadding="0" cellspacing="0" width="100%">

 <tbody><tr class="head">

  <td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td>

 </tr>

 <tr class="alt1">

  <td><span style="float: right;"><?=date("Y-m-d H:i:s",time())?></span>

   <a href="?action=scan">扫描</a> |

            <a href="?action=setting">设定</a> |

          <a href="?action=logout">登出</a>

  </td>

 </tr>

</tbody></table>

<br>

<?php

 if($action=="setting")

 {

  if(isset($_POST['btnsetting']))

  {

   $Ssetting = array();

   $Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";

   $Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;

   $Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;

   setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

   echo "设置完成!";

   header( 'refresh: 1; url='.MYFILE.'?action=setting' );

   exit();

  }

?>

<form name="frmSetting" method="post" action="?action=setting">

<fieldset style="width:400px">

<LEGEND>扫描设定</LEGEND>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

  <tr>

    <td width="60">文件后缀:</td>

    <td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td>

  </tr>

  <tr>

    <td><label for="checkall">所有文件</label></td>

    <td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td>

  </tr>

  <tr>

    <td><label for="checkhta">设置文件</label></td>

    <td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td>

  </tr>

  <tr>

    <td> </td>

    <td>

      <input type="submit" name="btnsetting" id="btnsetting" value="提交">

    </td>

  </tr>

</table>

</fieldset>

</form>

<?php

 }

 else

 {

  $dir = isset($_POST['path'])?$_POST['path']:MYPATH;

  $dir = substr($dir,-1)!="/"?$dir."/":$dir;

?>

<form name="frmScan" method="post" action="">

<table width="100%%" border="0" cellspacing="0" cellpadding="0">

  <tr>

    <td width="35" style="vertical-align:middle; padding-left:5px;">扫描路径:</td>

    <td width="690">

        <input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>">

          <input type="submit" name="btnScan" id="btnScan" value="开始扫描"></td>

  </tr>

</table>

</form>

<?php

  if(isset($_POST['btnScan']))

  {

   $start=time();

   $is_user = array();

   $is_ext = "";

   $list = "";

   if(trim($setting['user'])!="")

   {

    $is_user = explode("|",$setting['user']);

    if(count($is_user)>0)

    {

     foreach($is_user as $key=>$value)

      $is_user[$key]=trim(str_replace("?","(.)",$value));

     $is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";

    }

   }

   if($setting['hta']==1)

   {

    $is_hta=1;

    $is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;

    $is_ext.="(^\.htaccess$)";

   }

   if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))

   {

    $is_ext="(.+)";

   }

   $php_code = getCode();

   if(!is_readable($dir))

    $dir = MYPATH;

   $count=$scanned=0;

   scan($dir,$is_ext);

   $end=time();

   $spent = ($end - $start);

?>

<div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件 | 发现: <?php echo $count?> 可疑文件 | 耗时: <?php echo $spent?> 秒</div>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

  <tr class="head">

    <td width="15" align="center">No.</td>

    <td width="48%">文件</td>

    <td width="12%">更新时间</td>

    <td width="10%">原因</td>

    <td width="20%">特征</td>

    <td>动作</td>

  </tr>

<?php echo $list?>

</table>

<?php

  }

 }

}

ob_flush();

?>

</body>

</html>

<?php

function scan($path = '.',$is_ext){

 global $php_code,$count,$scanned,$list;

    $ignore = array('.', '..' );

 $replace=array(" ","\n","\r","\t");

    $dh = @opendir( $path );

    while(false!==($file=readdir($dh))){

        if( !in_array( $file, $ignore ) ){

            if( is_dir( "$path$file" ) ){

                scan("$path$file/",$is_ext);

            } else {

    $current = $path.$file;

    if(MYFULLPATH==$current) continue;

    if(!preg_match("/$is_ext/i",$file)) continue;

    if(is_readable($current))

    {

     $scanned++;

     $content=file_get_contents($current);

     $content= str_replace($replace,"",$content);

     foreach($php_code as $key => $value)

     {

      if(preg_match("/$value/i",$content))

      {

       $count++;

       $j = $count % 2 + 1;

       $filetime = date('Y-m-d H:i:s',filemtime($current));

       $reason = explode("->",$key);

       $url =  str_replace(REALPATH,HOST,$current);

       preg_match("/$value/i",$content,$arr);

       $list.="

   <tr class='alt$j' onmouseover='this.className=\"focus\";' onmouseout='this.className=\"alt$j\";'>

  <td>$count</td>

  <td><a href='$url' target='_blank'>$current</a></td>

  <td>$filetime</td>

  <td><font color=red>$reason[0]</font></td>

  <td><font color=#090>$reason[1]</font></td>

  <td><a href='?action=download&file=$current' target='_blank'>下载</a></td>

   </tr>";

       //echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />";

       //echo $path . $file ."<br />";

       break;

      }

     }

    }

            }

        }

    }

    closedir( $dh );

}

function getSetting()

{

 $Ssetting = array();

 if(isset($_COOKIE['t00ls_s']))

 {

  $Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));

  $Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";

  $Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;

  $Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;

 }

 else

 {

  $Ssetting['user']="php | php? | phtml | shtml";

  $Ssetting['all']=0;

  $Ssetting['hta']=1;

  setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

 }

 return $Ssetting;

}

function getCode()

{

 return array(

 '后门特征->cha88.cn'=>'cha88\.cn',

 '后门特征->c99shell'=>'c99shell',

 '后门特征->phpspy'=>'phpspy',

 '后门特征->Scanners'=>'Scanners',

 '后门特征->cmd.php'=>'cmd\.php',

 '后门特征->str_rot13'=>'str_rot13',

 '后门特征->webshell'=>'webshell',

 '后门特征->EgY_SpIdEr'=>'EgY_SpIdEr',

 '后门特征->tools88.com'=>'tools88\.com',

 '后门特征->SECFORCE'=>'SECFORCE',

 '后门特征->eval("?>'=>'eval\((\'|")\?>',

 '可疑代码特征->system('=>'system\(',

 '可疑代码特征->passthru('=>'passthru\(',

 '可疑代码特征->shell_exec('=>'shell_exec\(',

 '可疑代码特征->exec('=>'exec\(',

 '可疑代码特征->popen('=>'popen\(',

 '可疑代码特征->proc_open'=>'proc_open',

 '可疑代码特征->eval($'=>'eval\((\'|"|\s*)\\$',

 '可疑代码特征->assert($'=>'assert\((\'|"|\s*)\\$',

 '危险MYSQL代码->returns string soname'=>'returnsstringsoname',

 '危险MYSQL代码->into outfile'=>'intooutfile',

 '危险MYSQL代码->load_file'=>'select(\s+)(.*)load_file',

 '加密后门特征->eval(gzinflate('=>'eval\(gzinflate\(',

 '加密后门特征->eval(base64_decode('=>'eval\(base64_decode\(',

 '加密后门特征->eval(gzuncompress('=>'eval\(gzuncompress\(',

 '加密后门特征->eval(gzdecode('=>'eval\(gzdecode\(',

 '加密后门特征->eval(str_rot13('=>'eval\(str_rot13\(',

 '加密后门特征->gzuncompress(base64_decode('=>'gzuncompress\(base64_decode\(',

 '加密后门特征->base64_decode(gzuncompress('=>'base64_decode\(gzuncompress\(',

 '一句话后门特征->eval($_'=>'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '一句话后门特征->assert($_'=>'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '一句话后门特征->require($_'=>'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '一句话后门特征->require_once($_'=>'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '一句话后门特征->include($_'=>'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '一句话后门特征->include_once($_'=>'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '一句话后门特征->call_user_func("assert"'=>'call_user_func\(("|\')assert("|\')',

 '一句话后门特征->call_user_func($_'=>'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',

 '一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',

 '上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',

 '.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication\/x-httpd-php',

 '.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file',

 '.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file'

 );

}

  

PHP Web 木马扫描器的更多相关文章

  1. PHP Web 木马扫描器代码

    scanner.php:<?php/**************PHP Web木马扫描器************************//* [+] 作者: alibaba *//* [+] ...

  2. PHP Web木马扫描器

    <?php  header('content-type:text/html;charset=gbk');  set_time_limit(0);//防止超时  /** * * php目录扫描监控 ...

  3. PHP Web木马扫描器代码

    <?php header('content-type:text/html;charset=gbk'); set_time_limit(0);//防止超时 /** * * php目录扫描监控增强版 ...

  4. 小米范工具系列之七:小米范 web目录扫描器2.x版本发布

    小米范web目录扫描器主要功能是探测web可能存在的目录及文件. 此工具使用java 1.8以上版本运行. 小米范web查找器2.x版本针对1.x版本(参考http://www.cnblogs.com ...

  5. 小米范工具系列之五:小米范WEB口令扫描器

    最新版本1.2,下载地址:http://pan.baidu.com/s/1c1NDSVe  文件名 webcracker,请使用java1.8运行 小米范WEB口令扫描器的主要功能是批量扫描web口令 ...

  6. 小米范工具系列之二:小米范 web目录扫描器

    最新版本1.1,下载地址:http://pan.baidu.com/s/1c1NDSVe  文件名scandir,请使用java1.8运行 小米范web目录扫描器主要功能是探测web可能存在的目录及文 ...

  7. 小陈WEB漏洞扫描器 V2.0

    小陈WEB漏洞扫描器 V2.0 小陈WEB漏洞扫描器 V2.0 https://pan.baidu.com/s/1NSmFCyxowEa3YlOuhvtwwQ

  8. python写一个web目录扫描器

    用到的模块urliib error #coding = utf-8 #web目录扫描器 by qianxiao996 #博客地址:https://blog.csdn.net/qq_36374896 i ...

  9. WEB安全扫描器Netsparker推荐给大家

    Netsparker是一款综合型的web应用安全漏洞扫描工具,它分为专业版和免费版,免费版的功能也比较强大. Netsparker与其他综合 性的web应用安全扫描工具相比的一个特点是它能够更好的检测 ...

随机推荐

  1. Influx Sql系列教程零:安装及influx-cli使用姿势介绍

    influxdb 时序数据库,因为实际业务中使用到了,然而并没有发现有特别好的文章,完整的介绍influx sql的使用姿势,因此记录下实际开发中学习的体会,主要参考来自于官方文档 Influx Qu ...

  2. Linux学习-防火墙-Selinux-配置本地YUM源

    关闭防火墙并设置开机不启动 systemctl status firewalld.service #查看firewalld状态systemctl stop firewalld #关闭systemctl ...

  3. python中的for循环加强

    #先执行外面for循环,再执行里面for循环,接着执行外面for循环,程序结束 #打印结果为1,10,2 flag=False for i in range(1,10): print(i) if fl ...

  4. 100天搞定机器学习|Day55 最大熵模型

    1.熵的定义 熵最早是一个物理学概念,由克劳修斯于1854年提出,它是描述事物无序性的参数,跟热力学第二定律的宏观方向性有关:在不加外力的情况下,总是往混乱状态改变.熵增是宇宙的基本定律,自然的有序状 ...

  5. 【C#】上机实验二

    实验1: 求解 1/1 + 1 / 2  + 1 / 3  + 1 / 4 …… + 1 / i = ? 确保精度在 1e-6内. using System; using System.Collect ...

  6. Spring Cloud--服务的发布与调用示例

    [Provider] 引依赖: 启动类上添加注解: 配置文件: [Consumer] 引依赖: 加注解: 配置文件: 调用服务: 方式一(动态获取服务列表): Eureka默认30秒拉取一次服务列表. ...

  7. [高清] Spring揭秘完整高清版

      ------ 郑重声明 --------- 资源来自网络,纯粹共享交流, 如果喜欢,请您务必支持正版!! --------------------------------------------- ...

  8. Helm命令帮助参数

    # helm help The Kubernetes package manager To begin working with Helm, run the 'helm init' command: ...

  9. (转)数据库函数解析JSON字符串

    一.返回单行单列 二.返回表 三.SQL206版本开始支持 SELECT * FROM OPENJSON(@JsonStr)

  10. 【Java拾遗】Java transient关键字

    1. transient的作用及使用方法 2. transient使用小结 3. transient使用细节--被transient关键字修饰的变量真的不能被序列化吗? 1. transient的作用 ...