manage to bypass the regex & signature using backtick to execute shell operation #5

Closed
xanda opened this Issue Aug 9, 2012 · 4 comments

xanda commented Aug 9, 2012

regex that might help: /.*?\$.*?/

To reduce false positives due to the usage of regex, you can use the PHP tokenizer to eliminate the "strings" that are not important, such as commented code/information/header, etc.

http://php.net/manual/en/book.tokenizer.php
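The approach described in the comment above, as an added example (not Shell Detector's own code and not code posted in this issue): the file is run through PHP's `token_get_all()` so that comments, docblocks and inline HTML are discarded before anything is matched, the backtick operator is detected as a token rather than by signature, and the suggested regex is applied only to the tokens that can execute. The function names and the sample file are this example's own constructions.

```php
<?php
// Added example for this issue, not Shell Detector's own code. Function names
// and the sample file are constructed for illustration.

/**
 * Tokens of $source that can run. Comments, docblocks, whitespace, inline
 * HTML and the PHP open/close tags are dropped. Returns [type, text, line].
 */
function executable_tokens(string $source): array
{
    $skip = [T_COMMENT, T_DOC_COMMENT, T_WHITESPACE, T_INLINE_HTML, T_OPEN_TAG, T_CLOSE_TAG];
    $kept = [];
    $line = 1;
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            $line = $tok[2];
            if (!in_array($tok[0], $skip, true)) {
                $kept[] = [token_name($tok[0]), $tok[1], $line];
            }
        } else {
            // One-character tokens (';', '=', '[' and the backtick itself)
            // carry no line number, so reuse the last one seen.
            $kept[] = ['CHAR', $tok, $line];
        }
    }
    return $kept;
}

/**
 * Report every backtick shell execution. The opening backtick is a token of
 * its own, so obfuscating the command text does not hide the operator and
 * no system()/exec() signature is needed to catch it.
 */
function find_backtick_exec(string $source): array
{
    $findings = [];
    $open = false;
    foreach (executable_tokens($source) as [$type, $text, $line]) {
        if ($type === 'CHAR' && $text === '`') {
            if (!$open) {
                $findings[] = "line $line: backtick shell execution";
            }
            $open = !$open;
        }
    }
    return $findings;
}

/**
 * Count matches of the regex suggested in the comment. With $codeOnly the
 * regex is applied per executable token instead of to the raw file, so a
 * "$" inside a comment or docblock no longer produces a hit.
 */
function regex_hits(string $source, bool $codeOnly): int
{
    $regex = '/.*?\$.*?/';
    if (!$codeOnly) {
        return preg_match_all($regex, $source);
    }
    $hits = 0;
    foreach (executable_tokens($source) as [, $text]) {
        $hits += preg_match_all($regex, $text);
    }
    return $hits;
}

// Constructed sample: a CVS-style header comment containing two "$", then a
// backtick execution with no system()/exec() call for a signature to match.
$sample = <<<'SAMPLE'
<?php
/*
 * Constructed sample. $Id: index.php,v 1.2 2012/08/09 Exp $
 */
$cmd = $_GET['c'];
$out = `$cmd`; // backtick operator: runs a shell command
echo $out;
SAMPLE;

foreach (find_backtick_exec($sample) as $finding) {
    echo $finding, PHP_EOL;
}
echo 'regex hits, raw file:  ', regex_hits($sample, false), PHP_EOL;
echo 'regex hits, code only: ', regex_hits($sample, true), PHP_EOL;
```

Run it with `php example.php`. The backtick line is reported by position alone, and the two `$` characters in the header comment are counted in the raw scan but not in the token scan; the variable tokens still match, which is the false-positive cost of a regex this broad that the maintainer raises below.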

emposha commented Aug 9, 2012

Thanks for your help, but shell detector is more like antivirus, find shells by their signature. So regex is good but the main problem with this approach that there will be many false positive results. And that what I'm trying to avoid.

emposha commented Aug 20, 2012

Sorry for the misunderstanding, I will update the core file with your regex.
And thank you one more time!

emposha commented Aug 21, 2012

regex updated, please review changes.
thanks!

xanda commented Aug 25, 2012

tested 04e16b8 and it's able to detect backtick shell now :) thanks

@xanda xanda closed this Aug 25, 2012
