Regex to match base64_decode built with PHP string concatenation

So I've been trying to build a regex for the past couple of hours, and I'm starting to go crazy wondering whether this is even possible or worthwhile.

I have a script that scans PHP files, checking MD5 sums against known malicious files and searching for certain strings. Most recently I've come across files that, instead of writing base64_decode directly, build the name by concatenating strings into a variable, so the scanner doesn't pick it up.

As an example here's the latest one I found:

$a='bas'.'e6'.'4_d'.'ecode';eval($a

Because the scanner searches for the literal string base64_decode, this file wasn't picked up: the code concatenates base64_decode into a variable and then calls the variable.

Forgive me, because I've just started with regex, but is it even possible to search for something like this using regex? I was able to write a regex that matches that exact example, but what if they used this instead:

$a='b'.'ase'.'64_d'.'ecode';eval($a

It wouldn't be picked up, because the regex was looking for ', then b, then a, and so on, in exactly that order.

I've already added

(eval)\(\$[a-z]

to send me an email as a notice to check the file. I'll have to let it run for a couple of days and see how many false positives show up, but my main concern is with base64_decode.

If someone could please shed some light on this for me and maybe point me in the right direction, I would greatly appreciate it.

Thanks!!

1 answer



You can use this regexp:

b\W*a\W*s\W*e\W*6\W*4\W*_\W*d\W*e\W*c\W*o\W*d\W*e

It searches for base64_decode with any run of non-word characters (anything other than letters, digits, and underscore) interspersed between its characters.
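
As a rough illustration, here is a minimal Python sketch that builds this kind of pattern from a function name, placing `\W*` between every pair of characters, and runs it against the two samples from the question. The scanner's language is not stated in the question, so Python is an assumption here, and `interspersed_pattern` is a hypothetical helper name. The `re.IGNORECASE` flag is also an addition: PHP function names are case-insensitive, so a mixed-case spelling would otherwise slip past.

```python
import re


def interspersed_pattern(name: str) -> re.Pattern:
    """Build a regex matching `name` with any run of non-word
    characters allowed between consecutive characters.

    Hypothetical helper for illustration; not part of any scanner.
    """
    # re.escape protects characters that are special in a regex;
    # \W* lets quotes, dots, spaces, etc. sit between the letters.
    body = r"\W*".join(re.escape(ch) for ch in name)
    # Assumption: match case-insensitively, since PHP function
    # names are case-insensitive.
    return re.compile(body, re.IGNORECASE)


pattern = interspersed_pattern("base64_decode")

samples = [
    "$a='bas'.'e6'.'4_d'.'ecode';eval($a",   # first sample from the question
    "$a='b'.'ase'.'64_d'.'ecode';eval($a",   # second sample, split differently
    "$x = base64_decode($y);",               # plain, unobfuscated call
    "$x = 'hello world';",                   # unrelated code
]

for sample in samples:
    print(bool(pattern.search(sample)), sample)
```

Because `\W` only covers non-word characters, this catches splits made with quotes, dots, and whitespace, but not names assembled from several variables or from encoded pieces, so it is probably best treated as one more "flag for review" signal rather than a complete check.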
