const Promise = require('bluebird');
const fs = Promise.promisifyAll(require('graceful-fs'));
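// Smallest size (in bytes) a PHP script under wp-content/uploads must have
// before the `php_in_uploads` rule reports it. Placeholder scripts such as an
// index.php holding only the "silence is golden" comment stay below this.
const MIN_UPLOAD_SCRIPT_BYTES = 28;

/**
 * Reports whether `content` holds at least one call to mail()/wp_mail() that
 * is not commented out with `//` on its own line.
 *
 * Matching is per occurrence: a commented-out call somewhere in the file does
 * not hide a live call elsewhere. The call pattern (`mail\s*\(`) also matches
 * identifiers that merely end in "mail" (e.g. `email(`), which is why the
 * rule using this helper is tagged 'suspicion' rather than treated as proof.
 *
 * @param {string} content - PHP source text
 * @returns {boolean} true if an uncommented mail() call is present
 */
function hasUncommentedMailCall(content) {
  // `\s*` may span a newline, so the call itself is searched in the whole
  // text; only the comment check is scoped to the line the match starts on.
  const callRe = /(wp_)?mail\s*\(/g;
  let match;
  while ((match = callRe.exec(content)) !== null) {
    const lineStart = content.lastIndexOf('\n', match.index) + 1;
    const prefix = content.slice(lineStart, match.index);
    // A `//` comment marker directly before the call (allowing the same
    // whitespace/`+`/`.` run the original pattern tolerated) disqualifies it.
    if (!/\/\/[\s+.]*$/.test(prefix)) {
      return true;
    }
  }
  return false;
}

/**
 * Detection rules for PHP files inside a WordPress installation.
 *
 * Every rule has the same shape:
 *   - id: stable identifier, 'P64:php:cms:wordpress:<rule>'
 *   - name / description: human-readable summary of what is matched
 *   - urls: reference links, or null
 *   - deprecated: whether the rule is retired
 *   - tags: labels; 'suspicion' marks rules whose hit is not proof of malice
 *   - tests.path: RegExp tested against the file path, or a (path) => boolean
 *   - tests.content: (content, path) => boolean | Promise<boolean>
 *
 * NOTE(review): the caller's contract (whether `content` is always a string,
 * whether `path` is always supplied, and how a returned Promise is awaited)
 * is not visible in this file — the rules below assume string arguments.
 */
module.exports = [
  {
    id: 'P64:php:cms:wordpress:wso_webshell',
    name: 'Matches any PHP scripts that contain the wso WebShell exploit',
    description: '',
    urls: null,
    deprecated: false,
    tags: ['php', 'cms', 'wordpress', 'wso', 'webshell'],
    tests: {
      path: /\.php$/i,
      // The file name alone is decisive for wp-info.php; otherwise look for
      // the "wsoex" marker in the body. `.test` tolerates a missing `f`
      // where the previous `f.match` threw.
      content: (content, f) => /wp-info\.php$/i.test(f) || /wsoex/i.test(content),
    },
  },
  {
    id: 'P64:php:cms:wordpress:wp_cd_code',
    name: 'Matches any PHP scripts that contain malicious code contained in a variable called "wp_cd_code"',
    description: '',
    urls: ['https://www.polaris64.net/blog/cyber-security/2017/wordpress-hacks-functions-php-backdoors'],
    deprecated: false,
    tags: ['php', 'cms', 'wordpress', 'wp_cd_code'],
    tests: {
      path: /\.php$/i,
      content: (content) => /wp_cd_code/i.test(content),
    },
  },
  {
    id: 'P64:php:cms:wordpress:php_in_uploads',
    name: 'Matches PHP scripts within the "wp-content/uploads" directory structure that are > 28 bytes',
    description: 'PHP scripts in the wp-content/uploads directory of a WordPress installation could be malicious, but also could be legitimate. This rule detects any PHP script that is bigger than 28 bytes so as to avoid matching any empty placeholder scripts (e.g. index.php scripts with the "silence is golden" comment).',
    urls: null,
    deprecated: false,
    tags: ['suspicion', 'php', 'cms', 'wordpress', 'uploads'],
    tests: {
      path: /wp-content\/uploads\/.*\.php$/i,
      // Asynchronous: resolves to the verdict. `stat.size` is a byte count,
      // which `content.length` (a character count once decoded) is not.
      // A stat failure (e.g. the file vanished) rejects the promise; the
      // caller is expected to handle that rejection.
      content: (content, f) =>
        fs.statAsync(f).then((stat) => stat.size > MIN_UPLOAD_SCRIPT_BYTES),
    },
  },
  {
    id: 'P64:php:cms:wordpress:unknown_mail_function_call',
    name: 'Matches PHP scripts that include calls to mail() in unusual locations',
    description: 'PHP scripts which include a call to mail() could be malicious scripts used for sending spam from a server. This rule detects uses of the mail() function in scripts outside of the usual WordPress locations.',
    urls: null,
    deprecated: false,
    tags: ['suspicion', 'php', 'cms', 'wordpress', 'mail', 'spam'],
    tests: {
      // Only uploads/ and themes/ are scanned; both are places where a
      // mail() call is unexpected.
      path: (f) => /wp-content\/(uploads|themes)\/.*\.php$/i.test(f),
      // Previously a single commented-out `// mail(` anywhere in the file
      // suppressed the rule even when a live call was present elsewhere;
      // the helper applies the comment exclusion per occurrence instead.
      content: (content) => hasUncommentedMailCall(content),
    },
  },
];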