From 932a49042eb0f6a3379100fea4e47b612fb20b4f Mon Sep 17 00:00:00 2001 From: Marco Cesarato Date: Thu, 15 Jul 2021 17:02:15 +0200 Subject: [PATCH] refactor: rename match class --- dist/scanner | Bin 819394 -> 858167 bytes src/{Match.php => CodeMatch.php} | 2 +- src/Deobfuscator.php | 2 +- src/Exploits.php | 156 +++++++++++++++---------------- src/Scanner.php | 32 +++---- src/Templates/Report.php | 6 +- 6 files changed, 99 insertions(+), 99 deletions(-) rename src/{Match.php => CodeMatch.php} (99%) 
diff --git a/dist/scanner b/dist/scanner index a2bf7842654c0d5aaeb78160c2499321344d8664..8c9f77a505f95890b7522ab09ef5c0c5806090ab 100644 GIT binary patch delta 37143 zcmeHQ3v?Xib)K1(-?Fid8{3j4j~^f#*q3%!t6k%VUN*)y2n$yPBkbATk+rbeU3OP~ z5wb2P4lO4%qzav+Y16_{LjonoMJ96ym^8pSrH_+C;m~l}({_j^xV5^mygV&s8))iR=}5r@Az-l zH81_afwzy|y^^9H8|=?djPGb_s-h!bZ=$I4n>MbRKy>g~1m8gKz>$GUp~N?=p(sRz zw#|*VKCdUr<}>`sKyjov`BgQlagnf5!!trV(iRP8M^8Y^99o zo+`?8X#45AH?LRe)&pHvs$3ag*|c8L%0nRex1Kt7c4GV+>zX^4?UUKicIAKG+pV%8 zNe2{30sZAZT9N{7pV}V{OpO0qOOpimMTVk&x*_;a6XT~^H%mwE1pSSDe>*oZ{x7W? zr6UCp_IIv%qitgRk=FGq_QJ(NJwn^2*83ir82_u5%^m27|0;^Q@9Fa!RUwvw5Iuzq ze}Jo`C1t#`SY}1r&!+z5g^BTfEkUV?{UFA3ZMUAD7+=x6K{}EGdw6p6<@Ch(&Stsi z7v_VJe6{_ZiSc`zHc2!Kz;xa`{j;MJ4!B}P$izxJLuF@9p*Wzvzm!7BgmvX&nr&da4EZ?}MLwlsZyV*L8nmQ_eKpW3#N z`ogLQkEyB=|Ke-(5?Wa1YnU(YNHJ$t3hmD@H%zX)?3%U6(&+B7OqimU!%t*PXxjif zv-+U(=xh3bMx_s2PUKgBQKC31O;xCJ?wE4UY9m>?)rna;cCr0gQnXDo7xizWm{~e( zrGMnZi>NLtMU}ySb$%QkNEb$7$UvWlbMVK4YP8VXo5~eZaCYJS7ryw_-j|;3vZKuO zrm94w#SwkeC_qt-AYh3)MvYOU6i?+r&;V7WMyTT6Tp_IpfC#?<-z^_XAH)XHOXfQ+ z(^riQ^lAgc5~_zPKm%p?n}en-o1xDdxE4~oftmvWE$JCfp|65u@ROqE0Rw7A3Yhxd z{;hzY)hl?z?SHH)SjRtF0L3bLwWiSYDP8{`A^{dtd!^=iQ0uT1yLlA5^`bC0+tKNT zdh~QnC`(Mec#l?Hh&4%(jM9}~Kpg;0W#G!A%V7}liU)wqK%p0I` zOrydD3L&W$Q8$7hqhNmMidW1+t@(;I6$nVWnXdk)EAqwmr>nu~@&C5y-zRr-Im!q6?CS%bmGRrs zf6pBwWVqOWLPgCG*+umPoh zp&1n(qz{~A(GS?}QnqL0EgXSQ{SpJ^`defMazneM&CLC|Xn!-OTN32|@A{9DD9K18 z7N2G=p~Yt^%m+S!eVn;u@{XNPuBjew54DH=A@~<#!;xe-l#E1&*u#6T+kO2Ii|!Ax z8Lq-7*-#7-A>ta@VpraLHh+u_9xC&ta&VL@r3-1k%$2xGA=q0;kB##AN_#oDCtJB@ zEEViJFo>E9mP=`8VBx`68Gow_%?%;nnyNF+?!s6;!-nJRa5l%6*-C+hn|tZootb(N z3F?)^WJlZEb={u6gUk>se7EFVZ7auM*TL)dUbkn6l~BuLqe(Uvk9Bs2Qn4uC8RasG zbUU94rP7&bXNKof(QwSJ#TwLZ=nPwgTZ_q>;;WXLw^DqtD_zMJ^3v@_yO!j>4Y7U4 zvpF^m_wLwXq{t+Dc*798dn_*@ut$rfLi)%tzH+2o>EtS7<)iH3TsF_M;m*hq>u3A& zh&5x)Ak%N(F`h`S+iitgDDrs?Fzf&*Qv%djJnRb99_k>0`hKF_d`Tn8Xo$dX5SdA{ zCSF&+30KO&!9pq1U*gN<;EAH2D;Aw$C9km+d*Dz{Pv5`*TtLYwYS3&f5DB!iTloBu 
zLjzk`uEK6~bZ4_v8}(vUrP!f#*S5|6+}N>fp6xo$vpsOvo(%`0fruW)D@uQ%R2eSh zvIS^AV5@!-d2T#aA;rlPZ?WLN{aERyITf4qM(mzj;5BzLg7 zSnW06mk1-oHVn~F8EhrS4jp67Z0*cV8>l7TsE*ggP-A$j35Ao?G~+nCDm0NbcH+Eo zrD-zzOW@2q6lMpLGh3ViW1E6OY-BMQZ}gY!Y6XDYtYW&0juI7fG80MaX&g;2X1JEb zrWb?3PTvppDx$dSW_mG$1(2Iw%%J|NqCFzhizdTbZ|##)L}qeQ6R$kT?sv*g&BK{9 ztj!>+G;KS;%)}t;)~2F%mqFG8O3h@f2U!nDPO*yshJ27E07C<|dsxGOrZ>o9P<0t( z2@wh7pF5hjK~}+YA7p{h5OfG59WWZk9P&s9yoPv18tJ0Rc5OZ&4bPqiSztG$6spi9 z*4VBaV9?;F*vN6U=YT) zSW*XIpJE^~Q!ZfQMJdL0wK|MV8KySbwwuReur?`%LNlu=hFhCtDTW6WmlVSTl2eL7 z07IT)5P*@T7#Ps>QVa~LE-3~fqBj?`wdMYtw-iH>PDwGWE5k8;`A(?}$J!%qwPB3S zr8W$-XkTLwq? zJj>n2on%XV3RR`Hf-F_+?niq#8Pl>K+vqQm89I_Q^SV}Xp@}+K)g$_oB9cXa0yIz2U&V8sU?M_8 zMT{)VM~sG~S525*vwXyB$ax8~e8g$UbiGV4+uM^N!}LNG+BM5Zyi=ZFB4#bbO0yHs zSw6xrOi{c|FcE;^l6jn9A_U!qvrH-wjdqEMlM0;8IjI2JFuD{jNrg&Q%LJyLRG6UV zWKy9@NqDnb%@*Wa)b&m(V)|-^eNutQOryVvw?0V)25Xa4C^WO0RJgTCmQ;8^aY-sX zAUP!!1Tf@D1pydYQh@XK9tA`&JQ?r7eU3I)$SsQ^OVFo9}Xgh>T3YGa2q zOseCvdr|=tUPHZ-G^qeiL&4HhQUUCS#6T6=J*fa*Lta2$I&24KL+<81sW4-BOez4t zaLK$T6<9ezuudv~M!Q7hNd?B{l2iaKO0V3K3Wcm5Nre$=ZYC8vy?oS_ibz;a{NxB^ zn^Z_-#-zf`TbHB)hqX>BRGQgLDqPznN-DgdI42cekQ|Z<5*Xs7f&`2xslb7zl~mwR z^++m65y_GY0yIxag^K4?r$#i|C`lasaW?1Zk7!ZK;u8H;GK=WXN8_n@IMu;(kw_+$ z3MVpgJ{k*kb|%8ZTqibQ2$DDlorh))ftI@7U^RGdpihg0!TC^8%hg(G}A%v%@=4pnDE zfhCK_`BDX?5B{!P&X3^HoiFKV5sn7A%xE?rOqGWrvcUZ?bS#_qXY=I>m&-|a&8o^< z=j>!xm1Su{+S3;NNj|Lxnn*&j9`h3xG7*HH0Q$8B9vvtas`)aH?t@{s!6LBsL>p!7 zlS@SA&g+<5#-yi!+}By+BH1LDirAVP%>2U)s$8~hk|mdJlIu`hl1mRrPRS(!40&=% z07jNvVnEYNE-|ROB$tGUgvq5lnz!Uq!E;P5fkwNnLY`b=Y%a-VG#Nz|A{5pf7D0el zNn{p-fam1W2vz4nz-bYLT{2~inS0d!I!1e^gu!ca2}(g%T8mn9HMs;q(TzG)F*Z4a zLS%<5GK6a0E`|bBXs%*m zD2YTo5sro8=}s=nN5aFg4w%Hoh9i+gER{+Po0Cf;RGkflJI>2VV=kL22gi!&DeO}4 zIG@iHO2HBjnI-QpawS-MWjO_rr0df3;n_;$Bodph9!ZZBisp%GhrEQL{`R4&pc*97 zfy2xro{VaX9qjX2L}rZ5k$7^%!0edND*3G8q4o-2u2^0tOfs9a7Nb#yWtWACAhk|t zmoZtPRW4vvdF+2Uo6nXQ^D}0&+Uu7uq zqlM$v@^tDKqYPB--nkG#bSCq}nbBo%edmJd$$!i`*XrH|AvFo{Qpp<8ix*6fkmEFj 
z=7~w|Vx9^uv3X+HuI6b$ZEv1HTt#EAtPdjdw7_>UPYVtw^TfziYjZMBO9lt?Oz0PE zIhZG+GnpsOTyOKl&~2h8Mnh|p2Dzr-CLEF6YBchO5WFD}7JJJz}Cg2+iaq(z0 zp6G~WqFf{q?TAH&Q+7J7K_NSw+ABXW$JhHk-YK^=+5B-XcNANOT~%KLBA}wx(Y#fl6gK3b)%mmM`J%@PR5T>d#I<-cM=MZBP_<%d|J0UBWo0fN zD^Mn=kIYv)XgRD!HDwTzyc&$L0pz3TW zYWan%`eMw&Wa(z50tHP;?<}Z)EKya^Po@L=3KSAiT~g@~MHDIv4qK>SYOn@1Q^vuctduyo>y4iK3|2-*4pp+bY$eNEzC#dK z15}zULx*--8|qKF+!6iF?RIpB%JP9v9VtvVwzC@V7MN;OPO<)DZCkOI30B#o8WBE! zQKv8Z^MJaIy~~W-#s=8U<;tm?`9^v)rhjRPaT-&ty-ri2GhIRx^HioWRvCk0*4z1@ zx2uNl)PD@FYblSr5sndy=qvz}MP` zdjg^V;7qW#4M7>43ZS;Kcbc8Xk7@vIrg?u9(on6yW^@?MUl5teUnJhDTAiEfyx+lL zNc=@#KE-=u<1ko{2^|LGad8-+RhM(Z$YWQZLZTwFnw3w(VT@37!(lKzOxI!haoeAg z!^jUCwxbv3D86&ZgzDrw*jR>hD$r;FsRBKO6M(>0PML*T8N3cta!wYOuCZaZk{#vQ zkYVJ+!E8O>>u?#1$cdbqLSJ8$-p-jXROELIZ-94pR!XOgj*r;j>7S}nmbZ->5}ggR zj(4h~?2X3vW2o7qw^3H7#?)ZB0wOb-`F*||5$!Ucji zhoD-7To&5(Xs_wt8VO#mG>KINW9<3O!xYFCx?j{{$CH3caAxXt~a(0qoW~q7#)wR!$`F54kMA($6;`& zx#BQ7J$!5&raeUP9~;2ysu7uSgpqmYlEdJ=v33}ohRk7b9%qM9XCftxs=S0*AQLq6HNZ~rscE%|99O2@!9jt`32&+pV2)`Lk~Q-FLdo<`~v$f{l2y< z_Pj^mOY8POc%L57?IZH#!o9zsf1%L`{lB8;iRXVw7j%Ro9Bfqf>2=JN!acvHU(|TS z&-^caNFxu33qGX%+P?n@j@hf{euZYZRDb%O)eI{PhMA>epphBTpLuR6^N%$N zuM(bG#+<9+1cWbN!rWEc^$R`AnSapjZd<{;RND;*+g36^!gm*oH(ttYRGLE?5FcE{ zT&`~(2_~-k1hZRrP=te>`u#W7FiUj%!saIC*;+$>;nHU2O?elZ_-XA|Kv>tpJYS;= zh|5};tr|=~039wBO6!?dYBYYa!ZICtnpZb4zt&C*^d{zm+HOGHx|wO#sQuy{mobCd zen5Qxa^`N$Xahp-DrTYh&8^J+x`QGdY}V}yPXw6PYi;<&7lL>j%frkcYHj!h*gqt) z5oV2cFdz;`ne*DdU)O)`J4lOev1xlB*~2Ujy!YWo54 zKejWQbo;_jx|mCZ?w!ns5{3v4ds=r|gwqFsXQukGz~B4!5|eH;*NVyUpBiLt(w~ROaJ{lGso>i;Gt2eo|K~9C zrFoO3_50?Dk3LM_G+$P%@0;{vJ(EXwte}OK&w^=v{sME$r{q)ro$$RR1Be&4`TljD ztRFb~o{+!Aw?tSv;9D#{)a}!mO{?(dJ-!vfcZPgRWQ=!vd_jc~gjy%=-0QnT5$fEv zKE<^F@>OyFe&6SmGtk;<@vQ^Cw-lTH_kQ2K65PWhH~5reBLm7Y@#h0RPVNi}>#f4h zQ@&Ng+XsD(;umiAE%C`xOJ{=T>3N!L0yNVi{&>jO_Lst)7nnvd_&D=vT0FD8@yr_W zTPGMFE$$j?99}Yc#Z3!o0e&_L%LW@8<$g5{Httip$fp{W&>|MojW4bc-#yC&uM(E| 
z8Wa^Ty_5OzV)4n75Z5Q;L(A#MUs$vnKwIZezIt{`_vD^iPhT!>s?rThCs+R9io3f-7@+3rX}<}fCS%p@SP9e1@K)6-$n3U4BsWUw7pSW#V aD|=Vl{@?%8*41x3(}DiupkER=_zh9)tU)r6V*%>DYZ>3kc6!~4dgER3SL9pP-LPa*) z$8u&Rt$y^SZ;KTyX|p~ykju)G{!~{B*&w8SU!%Vc=yo!?Abw1wIZkm^D6ROn=>Sh-W@BzeALza(~4}hMR8pPy^_&ccjFX!sdF`6 z*$CPC?*8O<3*LEIG68X&hd{Ea9{jrxukH%RZ68QZz_NYPV;!~*NE>6Zu3riREIlNR z_u$j5l7ARVQM$=Z_~{8KxhGSYZbU~^axl8DoaI1jlFD!Y7K4}3AE1zR&bG?QSh}YJrW9e zJj#VL#z3N$fP}#uE=?e23k>ieoD>0eKpLOHx1J(9>cE17Hi*>{WH}&7gB?zAsJY0a zNVv;7bfYB-LV$QPX|v0tVYjwFHU_>T_haB1Yp8>FMLOf)f{G4|hszAP$f*esKrkMz z@+Hz`0`FrYS`%0cEH9yXowzHJwfNsU-VNbuF|3-zX3&@f_xRAr-el-!#S_TM$?&;~ zx~9NcwZ{Ib5U(DH&;tb#a|&GHZQ+>dFiqRpJOlpbBDO- z(8RCNg+;TVO@)L)BPKr!qqOyg47iQ7`7CWzKW4!W?KBiF#(}xoXO*lXf^ph@^8agNPOHV^#$PBJjtEFzibRL zOPc|2Y?J(e{1Yts$?ZNr3;^iy!@-v&Js|!5D;r4ud~xXQfFM6|YN_ZUH#5cE|$)(?![^\"]*\"\B)/si", '$1$3$4', @$matchPhp[0]); diff --git a/src/Exploits.php b/src/Exploits.php index a8f6963..ba3d446 100644 --- a/src/Exploits.php +++ b/src/Exploits.php 
@@ -20,414 +20,414 @@ class Exploits protected static $default = [ 'eval_chr' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/eval[\s]*\([\s]*chr[\s]*\(.*?[\s]*\)/i', ], 'eval_chr_obf' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/chr[\s]*\([\s]*101[\s]*\)[\s]*\.[\s]*chr[\s]*\([\s]*118[\s]*\)[\s]*\.[\s]*chr[\s]*\([\s]*97[\s]*\)[\s]*\.[\s]*chr[\s]*\([\s]*108[\s]*\)/i', ], 'eval_preg' => [ 'description' => 'RCE (Remote Code Execution), through PCRE (Perl compatible Regular Expression), allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(preg_replace(_callback)?|mb_ereg_replace|preg_filter)[\s]*\([^)]*(\/|\\\\x2f)(e|\\\\x65)[\\\'\"].*?(?=\))\)/i', ], 'eval_base64' => [ 'description' => 'RCE (Remote Code Execution), through Base64 text, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/eval[\s]*\([\s]*base64_decode[\s]*\((?<=\().*?(?=\))\)/i', ], 'eval_comment' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\((?<=\().*?(?=\))\)/', ], 'eval_execution' => [ 'description' => 'RCE (Remote Code Execution) and Code Injection allow remote attackers to execute arbitrary commands or code on the target machine via HTTP request', - 'level' => 
Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(eval[\s]*\([\s]*\$[a-z0-9_]+[\s]*\([\s]*(?<=\()@?\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si', ], 'align' => [ 'description' => 'Code alignment technique is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/(\$\w+=[^;]*)*;\$\w+=@?\$\w+\((?<=\().*?(?=\))\)/si', ], // b374k shell 'b374k' => [ 'description' => 'Web shell (b374k) for the remote management', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/[\'"]ev[\'"]\.[\'"]al[\'"]\.[\'"][\s]*\([\s]*("|\\\')[\s]*\?>/i', 'link' => 'https://github.com/b374k/b374k', ], // weevely3 launcher 'weevely3' => [ 'description' => 'Web shell (Weevely) for post-exploitation purposes that can be extended over the network at runtime', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$\w=\$[a-zA-Z]\(\'\',\$\w\);\$\w\(\);/i', 'link' => 'https://github.com/epinna/weevely3', ], 'c99_launcher' => [ 'description' => 'Web Shell (C99) designed for post-exploitation purposes that can be extended over the network at runtime', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/;\$\w+\(\$\w+(,\s?\$\w+)+\);/i', 'link' => 'https://github.com/4Hackerz/C99-Shell', ], // concatenation of more than eight `chr()` 'too_many_chr' => [ 'description' => 'Concatenation of `chr` technique is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/(chr\([\d]+\)\.){8}/i', ], // concatenation of vars array 'concat' => [ 'description' => 'Concatenation of arrays technique is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/(\$[\w\[\]\\\'\"]+\\.[\n\r]*){10}/i', ], // concatenation of more than 6 words, with spaces 'concat_vars_with_spaces' => [ 'description' => 
'Concatenation of vars technique is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/(\$([a-zA-Z0-9]+)[\s]*\.[\s]*){6}/', ], // concatenation of more than 6 words, with spaces 'concat_vars_array' => [ 'description' => 'Concatenation of arrays technique is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/(\$([a-zA-Z0-9]+)(\{|\[)([0-9]+)(\}|\])[\s]*\.[\s]*){6}.*?(?=\})\}/i', ], 'var_as_func' => [ 'description' => 'RCE (Remote Code Execution) and Code Injection, through global vars used as PHP function, allow remote attackers to execute PHP code on the target machine via HTTP request', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$_(GET|POST|COOKIE|REQUEST|SERVER)[\s]*\[[^\]]+\][\s]*\((?<=\().*?(?=\))\)/i', ], 'global_var_string' => [ 'description' => 'Code Injection, through escaped global vars, allow inject attackers to execute PHP code on the target machine via HTTP request', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$\{[\s]*[\'"]_(GET|POST|COOKIE|REQUEST|SERVER)[\'"][\s]*\}/i', ], 'extract_global' => [ 'description' => 'Code Injection, extracting global var arrays, allow remote attackers to inject PHP code on the target machine via HTTP request', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/extract\([\s]*\$_(GET|POST|COOKIE|REQUEST|SERVER).*?(?=\))\)/i', ], 'escaped_path' => [ 'description' => 'Escaped path technique is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(\\\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}/i', ], 'include_icon' => [ 'description' => 'LFI (Local File Inclusion), including `.ico` file, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => 
Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/@?include[\s]*(\([\s]*)?("|\\\')([^"\\\']*)(\.|\\\\056\\\\046\\\\2E)(\i|\\\\151|\\\\x69|\\\\105)(c|\\\\143\\\\099\\\\x63)(o|\\\\157\\\\111|\\\\x6f)(\"|\\\')((?=\))\))?/mi', ], 'backdoor_code' => [ 'description' => 'Backdoor that checks to see if the user is a web spider and if not, retrieves data from another webserver and displays it to the visitor', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/eva1fYlbakBcVSir/i', ], 'infected_comment' => [ 'description' => 'Comments composed by 5 random chars usually used to detect if a file is infected yet', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/\/\*[a-z0-9]{5}\*\//i', ], 'hex_char' => [ 'description' => 'Hex char is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\\\\[Xx](5[Ff])/i', ], 'hacked_by' => [ 'description' => 'Hacker credits', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/hacked[\s]*by/i', ], 'killall' => [ 'description' => 'RCE (Remote Code Execution) that allow remote attackers to kill processes on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/killall[\s]*\-9/i', ], 'globals_concat' => [ 'description' => 'Concatenation of globals vars technique is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$GLOBALS\[[\s]*\$GLOBALS[\\\'[a-z0-9]{4,}\\\'\]/i', ], 'globals_assign' => [ 'description' => 'Global vars assignment is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$GLOBALS\[\\\'[a-z0-9]{5,}\\\'\][\s]*=[\s]*\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\./i', ], 'base64_long' => [ 'description' => 'Long 
Base64 encoded text is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/[\\\'\"][A-Za-z0-9+\/]{260,}={0,3}[\\\'\"]/', ], 'base64_inclusion' => [ 'description' => 'LFI (Local File Inclusion), through a Base64 inclusion, allow remote attackers to inject and execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/@?include[\s]*(\([\s]*)?("|\\\')data\:text/plain;base64[\s]*\,[\s]*\$_GET\[[^\]]+\](\\\'|")[\s]*((?=\))\))?/si', ], 'clever_include' => [ 'description' => 'LFI (Local File Inclusion), through a image inclusion, allow remote attackers to inject and execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/@?include[\s]*(\([\s]*)?("|\\\')[\s]*[^\.]+\.(png|jpe?g|gif|bmp|ico).*?("|\\\')[\s]*((?=\))\))?/i', ], 'basedir_bypass' => [ 'description' => 'Basedir bypass used for manipulate files or execute code outside the base directory set on the server configuration', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/curl_init[\s]*\([\s]*[\"\\\']file:\/\/.*?(?=\))\)/i', ], 'basedir_bypass2' => [ 'description' => 'Basedir bypass used for manipulate files or execute code outside the base directory set on the server configuration', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/file\:file\:\/\//i', ], 'non_printable' => [ 'description' => 'Non printable technique is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(function|return|base64_decode).{,256}[^\\x00-\\x1F\\x7F-\\xFF]{3}/i', ], 'double_var' => [ 'description' => 'Double var technique is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => 
'/\${[\s]*\${.*?}(.*)?}/i', ], 'double_var2' => [ 'description' => 'Double var technique is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/\${\$[0-9a-zA-z]+}/i', ], 'global_save' => [ 'description' => 'Globals assignment technique is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\[\s]*=[\s]*\$GLOBALS[\s]*\;[\s]*\$[\s]*\{/i', ], // Check for ${"\xFF"}, IonCube use this method ${"\x 'hex_var' => [ 'description' => 'Hex var technique is usually used for the obfuscation of malicious code, it is also used by IonCube', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$\{[\s]*[\'"]\\\\x.*?(?=\})\}/i', ], 'register_function' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/register_[a-z]+_function[\s]*\([\s]*[\\\'\"][\s]*(eval|assert|passthru|exec|include|system|shell_exec|`).*?(?=\))\)/i', ], 'safemode_bypass' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\x00\/\.\.\/|LD_PRELOAD/i', ], 'ioncube_loader' => [ 'description' => 'IonCube is a PHP encoder and hence a module/library for protected functions and often used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/IonCube\_loader/i', 'link' => 'https://www.ioncube.com', ], 'nano' => [ 'description' => 'Nano is a family of PHP webshells which are code golfed to be extremely stealthy and efficient', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$[a-z0-9-_]+\[[^]]+\]\((?<=\().*?(?=\))\)/', 'link' => 
'https://github.com/s0md3v/nano', ], 'nano2' => [ 'description' => 'Nano is a family of PHP webshells which are code golfed to be extremely stealthy and efficient', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/base64_decode[^;]+getallheaders/', 'link' => 'https://github.com/s0md3v/nano', ], // function that takes a callback as 1st parameter 'execution' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine via HTTP', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)[\s]*\([\s]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/', 'link' => 'https://cwe.mitre.org/data/definitions/77.html, https://cwe.mitre.org/data/definitions/78.html', ], // functions that takes a callback as 2nd parameter 'execution2' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine via HTTP', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)[\s]*\([\s]*[^,]+,[\s]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/', 'link' => 'https://cwe.mitre.org/data/definitions/77.html, https://cwe.mitre.org/data/definitions/78.html', ], // functions that takes a callback as 2nd parameter 'execution3' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine via HTTP', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => 
'/\b(array_(diff|intersect)_u(key|assoc)|array_udiff)[\s]*\([\s]*([^,]+[\s]*,?)+[\s]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER))[\s]*\[[^]]+\][\s]*\)+[\s]*;/', 'link' => 'https://cwe.mitre.org/data/definitions/77.html, https://cwe.mitre.org/data/definitions/78.html', ], 'shellshock' => [ 'description' => 'Shell shock technique is usually used for the obfuscation of malicious code using PHP functions', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\(\)[\s]*{[\s]*[a-z:][\s]*;[\s]*}[\s]*;/', ], 'silenced_eval' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute PHP code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/@eval[\s]*\((?<=\().*?(?=\))\)/', ], 'silence_inclusion' => [ 'description' => 'LFI (Local File Inclusion), through a silent inclusion, allow remote attackers to inject and execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/@(include|include_once|require|require_once)[\s\r\n]+([\s]*\()?("|\\\')([^"\\\']*)(\\\\x[0-9a-f]{2,}.*?){2,}([^"\\\']*)("|\\\')[\s]*((?=\))\))?/si', ], 'silence_inclusion2' => [ 'description' => 'LFI (Local File Inclusion), through a silent inclusion, allow remote attackers to inject and execut arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/@(include|include_once|require|require_once)[\s\r\n]+([\s]*\()?("|\\\')([^"\\\']*)(\\[0-9]{3,}.*?){2,}([^"\\\']*)("|\\\')[\s]*((?=\))\))?/si', ], 'ssi_exec' => [ 'description' => 'SSI (Server-Side Includes) injection allows the exploitation of a web application by injecting malicious code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\<\!\-\-\#exec[\s]*cmd\=/i', 'link' => 
'https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection, http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec', ], 'htaccess_handler' => [ 'description' => 'RCE (Remote Code Execution), through Htaccess handler x-httpd-php/cgi, interpreting PHP code, allow remote attackers to execute PHP code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/SetHandler[\s]*application\/x\-httpd\-(php|cgi)/i', ], 'htaccess_type' => [ 'description' => 'RCE (Remote Code Execution), through Htaccess add type x-httpd-php/cgi, interpreting PHP code, allow remote attackers to execute PHP code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/AddType\s+application\/x-httpd-(php|cgi)/i', ], 'file_prepend' => [ 'description' => 'LFI (Local File Inclusion), prepending a file at the bottom of every others PHP files, allow remote attackers to inject and execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/php_value[\s]*auto_prepend_file/i', ], 'iis_com' => [ 'description' => 'RCE (Remote Code Execution), through ISS Server, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/IIS\:\/\/localhost\/w3svc/i', ], 'reversed' => [ 'description' => 'Reverse function technique is used for the obfuscation of dangerous PHP functions', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(noitcnuf\_etaerc|metsys|urhtssap|edulcni|etucexe\_llehs|ecalper\_rts|ecalper_rts)/i', ], 'rawurlendcode_rot13' => [ 'description' => 'Raw url decode and rot13 string together technique is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/rawurldecode[\s]*\(str_rot13[\s]*\((?<=\().*?(?=\))\)/i', 
], 'serialize_phpversion' => [ 'description' => 'RCE (Remote Code Execution), unserializing php version, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\@serialize[\s]*\([\s]*(Array\(|\[)[\'"]php[\'"][\s]*\=\>[\s]*\@phpversion[\s]*\((?<=\().*?(?=\))\)/si', ], 'md5_create_function' => [ 'description' => 'The `create_function` technique is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$md5[\s]*=[\s]*.*create_function[\s]*\(.*?\);[\s]*\$.*?\)[\s]*;/si', ], 'god_mode' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\/\*god_mode_on\*\/eval\(base64_decode\([\"\\\'][^\"\\\']{255,}[\"\\\']\)\);[\s]*\/\*god_mode_off\*\//si', ], 'wordpress_filter' => [ 'description' => 'Wordpress Filter RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\$md5[\s]*=[\s]*[\"|\\\']\w+[\"|\\\'];[\s]*\$wp_salt[\s]*=[\s]*[\w\(\),\"\\\'\;$]+[\s]*\$wp_add_filter[\s]*=[\s]*create_function\(.*?\);[\s]*\$wp_add_filter\(.*?\);/si', ], 'password_protection_md5' => [ 'description' => 'MD5 Password protection file, typically used on web shells', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/md5[\s]*\([\s]*@?\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)[\s]*===?[\s]*[\\\'\"][0-9a-f]{32}[\\\'\"]/si', ], 'password_protection_sha' => [ 'description' => 'SHA Password protection file, typically used on web shells', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => 
'/sha[\d]+[\s]*\([\s]*@?\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)[\s]*===?[\s]*[\\\'\"][0-9a-f]{40}[\\\'\"]/si', ], 'custom_math' => [ 'description' => 'Custom math technique is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/%\(\d+[\s]*\-[\s]*\d+[\s]*\+[\s]*\d+\)[\s]*==[\s]*\([\s]*\-[\s]*\d+[\s]*\+[\s]*\d+[\s]*\+[\s]*\d+[\s]*\)/si', ], 'custom_math2' => [ 'description' => 'Custom math technique is usually used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/\([\s]*\$[a-zA-Z0-9]+%\d[\s]*==[\s]*\([\s]*\d+[\s]*\-[\s]*\d+[\s]*\+[\s]*\d+[\s]*\)/si', ], 'uncommon_function' => [ 'description' => 'Function name technique usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => 'function\s+_[0-9]{8,}[\s]*\([\s]*(?<=\().*?(?=\))\)', ], 'download_remote_code' => [ 'description' => 'RFU (Remote File Upload), via HTTP, allow to write malicious code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/file_get_contents[\s]*\([\s]*base64_url_decode[\s]*\([\s]*@*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/i', ], 'download_remote_code2' => [ 'description' => 'RFU (Remote File Upload), via HTTP, allow to write malicious code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/fwrite[\s]*(\(\w+\((?<=\().*?(?=\))\))?[^\)]*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si', ], 'download_remote_code3' => [ 'description' => 'RFU (Remote File Upload), via HTTP, allow to write malicious code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(file_get_contents|fwrite)[\s]*\([\s]*@?*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si', 'link' => 
'https://www.acunetix.com/blog/articles/local-file-inclusion-lfi', ], 'download_remote_code_web' => [ 'description' => 'RFU (Remote File Upload), from external website, allow to write malicious code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(file_get_contents|file_put_contents)[\s]*\([\s]*[\'"]https?:\/\/(codepad|pastebin|controlc|hastebin|justpaste|privatebin|cryptbin|zerobin)\.(org|com|net|in|me).*?(?=\))\)/i', ], 'php_uname' => [ 'description' => 'RCE (Remote Code Execution) allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/php_uname[\s]*\([\s]*["\'asrvm]+[\s]*\)/si', ], 'etc_passwd' => [ 'description' => 'The `/etc/passwd` file on Unix systems contains password information, an attacker who has accessed the `etc/passwd` file may attempt a brute force attack of all passwords on the system', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(\/)*etc\/+passwd\/*/si', ], 'etc_shadow' => [ 'description' => 'The `/etc/shadow` file on Unix systems contains password information, an attacker who has accessed the `etc/shadow` file may attempt a brute force attack of all passwords on the system', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(\/)*etc\/+shadow\/*/si', ], 'explode_chr' => [ 'description' => 'RCE (Remote Code Execution), exploding chars, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/explode[\s]*\(chr[\s]*\([\s]*\(?\d{3}([\s]*-[\s]*\d{3})?[\s]*\).*?(?=\))\)/i', ], 'imap_open' => [ 'description' => 'RCE (Remote Code Execution), through imap_open, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 
'pattern' => '/imap_open\([\'"]{[\'"][\s]*\.[\s]*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/i', 'link' => 'https://bugs.php.net/bug.php?id=76428', ], 'imap_open_proxy' => [ 'description' => 'RCE (Remote Code Execution), through imap, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/x[\s]*\-oProxyCommand[\s]*\=(.*?\|base64(\\\\t\-d)?(\|sh)?)?/i', ], 'exec_escaped' => [ 'description' => 'RCE (Remote Code Execution), through exec escaped chars, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/exec[\s]*[\s]*\([\s]*[\'"][\s]*([\s]*\\[0-9a-fx]{2,3}[\s]*){3,}/i', ], 'urldecode_concat' => [ 'description' => 'RCE (Remote Code Execution), through concatenated text encoded with urldecode or rawurldecode, allow remote attackers to execute arbitrary commands or code on the target machine', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/(\$[a-z]{2,}[\s]*=[\s]*(urldecode|rawurldecode)[\s]*\([\s]*\$_(GET|REQUEST|POST|COOKIE|SERVER)[\s]*\[[\s]*\'[\s]*[a-z]{2,}[\s]*\'[\s]*\][\s]*\)[\s]*;[\s]*){3,}/i', ], 'xor_post_payload' => [ 'description' => 'XOR post technique is usually used for the obfuscation of malicious code', - 'level' => Match::WARNING, + 'level' => CodeMatch::WARNING, 'pattern' => '/([\s]*\$\w+[\s]*\[[\s]*\$\w+[\s]*%[\s]*strlen[\s]*\([\s]*\$\w+\)[\s]*\][\s]*\;?[\s]*){2,}/i', ], 'source_guardian' => [ 'description' => 'SourceGuardian is a PHP encoder often used for the obfuscation of malicious code', - 'level' => Match::DANGEROUS, + 'level' => CodeMatch::DANGEROUS, 'pattern' => '/[;\s]*sg\_load[\s]*\([\s]*[\\\'\"][A-Za-z0-9+\/]{150,}={0,3}[\\\'\"][\s]*\)/i', 'link' => 'https://www.sourceguardian.com', ], diff --git a/src/Scanner.php b/src/Scanner.php index ec053f9..eae1587 100644 --- a/src/Scanner.php 
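Review bot: The `uncommon_function` signature (`'pattern' => 'function\s+_[0-9]{8,}[\s]*\([\s]*(?<=\().*?(?=\))\)'`) is the only entry in this hunk whose pattern has no PCRE delimiters, so `preg_*` rejects it with a delimiter warning and returns false; if the exploit patterns go through the same `@preg_match_all` call visible in the Scanner.php hunks, the warning is suppressed and this signature silently never fires. Wrap it like its neighbours: `'pattern' => '/function\s+_[0-9]{8,}[\s]*\([\s]*(?<=\().*?(?=\))\)/',`. The `non_printable` entry's `.{,256}` is, on the PCRE2 versions bundled with PHP at the time of this commit, most likely read as a literal `{,256}` rather than a bounded quantifier, so that signature is probably dead too — worth confirming. A small unit test that compiles every entry of `$default` (`preg_match($pattern, '') !== false`) would turn a malformed signature into a test failure instead of a detection gap. The `$default` array and the `Exploits` class both begin and end outside this hunk.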
+++ b/src/Scanner.php
@@ -937,7 +937,7 @@ public function scanFile($info)
$type = 'exploit';
$lastMatch = $match[0];
$patternFoundKey = $type . $key;
- $lineNumber = Match::getLineNumber($lastMatch, $contentRaw);
+ $lineNumber = CodeMatch::getLineNumber($lastMatch, $contentRaw);
if ($lineNumber !== null) {
$patternFoundKey .= $lineNumber;
}
@@ -946,7 +946,7 @@ public function scanFile($info)
'type' => $type,
'key' => $key,
'level' => $exploit['level'],
- 'output' => Match::getText($type, $key, $exploit['description'], $lastMatch, $lineNumber),
+ 'output' => CodeMatch::getText($type, $key, $exploit['description'], $lastMatch, $lineNumber),
'description' => $exploit['description'],
'line' => $lineNumber,
'pattern' => $pattern,
@@ -980,7 +980,7 @@ public function scanFile($info)
$key = hash('crc32b', $key);
$lastMatch = $match[0];
$patternFoundKey = $type . $key;
- $lineNumber = Match::getLineNumber($lastMatch, $contentRaw);
+ $lineNumber = CodeMatch::getLineNumber($lastMatch, $contentRaw);
if ($lineNumber !== null) {
$patternFoundKey .= $lineNumber;
}
@@ -990,8 +990,8 @@ public function scanFile($info)
$patternFound[$patternFoundKey] = [
'type' => $type,
'key' => $key,
- 'level' => Match::DANGEROUS,
- 'output' => Match::getText($descriptionPrefix, $key, $description, $lastMatch, $lineNumber),
+ 'level' => CodeMatch::DANGEROUS,
+ 'output' => CodeMatch::getText($descriptionPrefix, $key, $description, $lastMatch, $lineNumber),
'description' => $description,
'line' => $lineNumber,
'pattern' => $regexPattern,
@@ -1023,7 +1023,7 @@ public function scanFile($info)
$checkFunction = function (
$match,
$pattern,
- $level = Match::WARNING,
+ $level = CodeMatch::WARNING,
$descriptionPrefix = '',
$functionType = ''
) use ($contentRaw, $funcRaw, &$patternFound) {
@@ -1032,10 +1032,10 @@ public function scanFile($info)
 if (!empty($functionType)) {
 $suffix = '_' . $functionType;
 }
- $lastMatch = Match::cleanFunctionResult($match[0]); // Clean match
+ $lastMatch = CodeMatch::cleanFunctionResult($match[0]); // Clean match
 $funcKey = $funcRaw . $suffix;
 $patternFoundKey = $type . $funcKey;
- $lineNumber = Match::getLineNumber($lastMatch, $contentRaw);
+ $lineNumber = CodeMatch::getLineNumber($lastMatch, $contentRaw);
 if ($lineNumber !== null) {
 $patternFoundKey .= $lineNumber;
 }
@@ -1045,7 +1045,7 @@ public function scanFile($info)
 'type' => trim($type . ' ' . $functionType),
 'key' => $funcKey,
 'level' => $level,
- 'output' => Match::getText($type, $funcRaw, $description, $lastMatch, $lineNumber),
+ 'output' => CodeMatch::getText($type, $funcRaw, $description, $lastMatch, $lineNumber),
 'description' => $description,
 'line' => $lineNumber,
 'pattern' => $pattern,
@@ -1064,9 +1064,9 @@ public function scanFile($info)
 'base64_decode',
 'strrev',
 ];
- $regexPattern = Match::patternFunction($func);
+ $regexPattern = CodeMatch::patternFunction($func);
 foreach ($contents as $contentType => $content) {
- $codeParts = Match::getCode($content);
+ $codeParts = CodeMatch::getCode($content);
 foreach ($codeParts as $codePart) {
 /**
 * Raw functions.
@@ -1074,9 +1074,9 @@ public function scanFile($info)
 if (@preg_match_all($regexPattern, $codePart[0], $matches, PREG_OFFSET_CAPTURE)) {
 foreach ($matches[0] as $match) {
 $descriptionPrefix = 'Potentially dangerous function';
- $severity = Match::WARNING;
+ $severity = CodeMatch::WARNING;
 if ($contentType === 'decoded') {
- $severity = Match::DANGEROUS;
+ $severity = CodeMatch::DANGEROUS;
 $descriptionPrefix = 'Encoded Function';
 }
 $checkFunction(
@@ -1105,7 +1105,7 @@ public function scanFile($info)
 $checkFunction(
 $match,
 $regexPatternEncoded,
- Match::DANGEROUS,
+ CodeMatch::DANGEROUS,
 'Encoded Function',
 $encoder
 );
@@ -1126,8 +1126,8 @@ public function scanFile($info)
 $patternFound[$key] = [
 'type' => $type,
 'key' => $key,
- 'level' => Match::DANGEROUS,
- 'output' => Match::getText($type, $key, $description, ''),
+ 'level' => CodeMatch::DANGEROUS,
+ 'output' => CodeMatch::getText($type, $key, $description, ''),
 'description' => $description,
 'line' => '',
 'pattern' => '',
diff --git a/src/Templates/Report.php b/src/Templates/Report.php
index 2e227d4..a0bb850 100644
--- a/src/Templates/Report.php
+++ b/src/Templates/Report.php
@@ -10,7 +10,7 @@
 namespace AMWScan\Templates;
-use AMWScan\Match;
+use AMWScan\CodeMatch;
 use AMWScan\Path;
 use AMWScan\Scanner;
@@ -122,11 +122,11 @@ protected function saveHTML($output)
 if (!empty($item['level'])) {
 switch ($item['level']) {
- case Match::WARNING:
+ case CodeMatch::WARNING:
 $warnings++;
 $badges[] = 'Warning';
 break;
- case Match::DANGEROUS:
+ case CodeMatch::DANGEROUS:
 $dangerous++;
 $badges[] = 'Dangerous';
 break;
