[ Generation time: \".round(getTime()-startTime,4).\" second"
$s9 = "if (mkdir($_POST['dir'], 0777) == false) {" fullword
$s12 = "$ret = shellexec($command);" fullword
condition:
2 of them
}
rule WebShell_CasuS_1_5 {
meta:
description = "PHP Webshells Github Archive - file CasuS 1.5.php"
author = "Florian Roth"
hash = "7eee8882ad9b940407acc0146db018c302696341"
strings:
$s2 = "CasuS 1.5'in URL'si : http://$HTTP_HO"
$s8 = "$fonk_kap = get_cfg_var(\"fonksiyonlary_kapat\");" fullword
$s18 = "if (file_exists(\"F:\\\\\")){" fullword
condition:
1 of them
}
rule WebShell_ftpsearch {
meta:
description = "PHP Webshells Github Archive - file ftpsearch.php"
author = "Florian Roth"
hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6"
strings:
$s0 = "echo \"[-] Error : coudn't read /etc/passwd\";" fullword
$s9 = "@$ftp=ftp_connect('127.0.0.1');" fullword
$s12 = "echo \"Edited By KingDefacer \";" fullword
$s19 = "echo \"[+] Founded \".sizeof($users).\" entrys in /etc/passwd\\n\";" fullword
condition:
2 of them
}
rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ {
meta:
description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php"
author = "Florian Roth"
super_rule = 1
hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
strings:
$s4 = " Cyber Lords Community"
$s10 = "echo \" " fullword
condition:
2 of them
}
rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah {
meta:
description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php"
author = "Florian Roth"
super_rule = 1
hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82"
hash1 = "c0a4ba3e834fb63e0a220a43caaf55c654f97429"
hash2 = "16fa789b20409c1f2ffec74484a30d0491904064"
strings:
$s1 = "'Read /etc/passwd' => \"runcommand('etcpasswdfile','GET')\"," fullword
$s2 = "'Running processes' => \"runcommand('ps -aux','GET')\"," fullword
$s3 = "$dt = $_POST['filecontent'];" fullword
$s4 = "'Open ports' => \"runcommand('netstat -an | grep -i listen','GET')\"," fullword
$s6 = "print \"Sorry, none of the command functions works.\";" fullword
$s11 = "document.cmdform.command.value='';" fullword
$s12 = "elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST"
condition:
3 of them
}
rule WebShell_Generic_PHP_7 {
meta:
description = "PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php"
author = "Florian Roth"
super_rule = 1
hash0 = "de98f890790756f226f597489844eb3e53a867a9"
hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e"
hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267"
hash3 = "715f17e286416724e90113feab914c707a26d456"
strings:
$s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword
$s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword
$s2 = "echo \"[$USERNAME] - \\n\";" fullword
$s4 = "if( $action == \"dumpTable\" )" fullword
condition:
2 of them
}
rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall {
meta:
description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php"
author = "Florian Roth"
super_rule = 1
hash0 = "b148ead15d34a55771894424ace2a92983351dda"
hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b"
hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856"
hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c"
strings:
$s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword
$s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword
$s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword
$s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword
condition:
2 of them
}
rule WebShell_Generic_PHP_8 {
meta:
description = "PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php"
author = "Florian Roth"
super_rule = 1
hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99"
hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e"
hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3"
strings:
$s1 = "elseif ( $cmd==\"file\" ) { /* */" fullword
$s2 = "elseif ( $cmd==\"upload\" ) { /* */ " fullword
$s3 = "/* I added this to ensure the script will run correctly..." fullword
$s14 = "" fullword
$s15 = " " fullword
$s5 = "" fullword
$s6 = "onfocus=\"if (this.value == 'Kullan" fullword
$s16 = " "
condition:
2 of them
}
rule WebShell_Generic_PHP_9 {
meta:
description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
author = "Florian Roth"
super_rule = 1
hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18"
hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2"
hash2 = "0daed818cac548324ad0c5905476deef9523ad73"
strings:
$s2 = ":\" .base64_decode($_POST['tot']). \" \";" fullword
$s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword
$s12 = "if (!empty($_POST['c'])){" fullword
$s13 = "passthru($_POST['c']);" fullword
$s16 = " B64 Decode " fullword
$s20 = " md5 Hash" fullword
condition:
3 of them
}
rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
meta:
description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php"
author = "Florian Roth"
super_rule = 1
hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
strings:
$s4 = "