@@ -826,10 +826,10 @@ public function scanFile($info)
826826 $ contentDecoded$ deobfuscatordecode ($ contentDeobfuscated
827827
828828 $ contents
829- $ contentRaw// Original content
830- $ contentClean// Cleaned content
831- $ contentDeobfuscated// Deobfuscated content
832- $ contentDecoded// Decoded content
829+ ' raw ' => $ contentRaw// Original content
830+ ' cleaned ' => $ contentClean// Cleaned content
831+ ' deobfuscated ' => $ contentDeobfuscated// Deobfuscated content
832+ ' decoded ' => $ contentDecoded// Decoded content
833833 ];
834834
835835 /**
@@ -854,11 +854,14 @@ public function scanFile($info)
854854 'key ' => $ key
855855 'level ' => $ exploit'level ' ],
856856 'output ' => $ matchDescription
857+ 'description ' => $ exploit'description ' ],
857858 'line ' => $ lineNumber
858859 'pattern ' => $ pattern
859860 'match ' => $ lastMatch
860- 'exploit ' => $ exploit
861861 ];
862+ if (isset ($ exploit'link ' ])) {
863+ $ patternFound$ patternFoundKey'link ' ] = $ exploit'link ' ];
864+ }
862865 }
863866 };
864867 // Check exploits
@@ -878,7 +881,13 @@ public function scanFile($info)
878881 foreach ($ functionsas $ funcRaw
879882 $ lastMatchnull ;
880883 $ funcpreg_quote (trim ($ funcRaw'/ ' );
881- $ checkFunctionfunction ($ match$ pattern$ levelLVL_WARNING , $ type'' ) use ($ contentRaw$ funcRaw$ patternFound
884+ $ checkFunctionfunction (
885+ $ match
886+ $ pattern
887+ $ levelLVL_WARNING ,
888+ $ descriptionPrefix'' ,
889+ $ type''
890+ ) use ($ contentRaw$ funcRaw$ patternFound
882891 $ suffix'' ;
883892 if (!empty ($ type
884893 $ suffix'_ ' . $ type
@@ -901,9 +910,11 @@ public function scanFile($info)
901910 'key ' => $ funcKey
902911 'level ' => $ level
903912 'output ' => $ matchDescription
913+ 'description ' => $ descriptionPrefix' ` ' . $ funcRaw'` ' ,
904914 'line ' => $ lineNumber
905915 'pattern ' => $ pattern
906916 'match ' => $ lastMatch
917+ 'link ' => 'https://www.php.net/ ' . $ funcRaw
907918 ];
908919 }
909920 };
@@ -914,10 +925,21 @@ public function scanFile($info)
914925 if (in_array ($ funcRawself ::$ functions
915926 // Check raw functions
916927 $ regexPattern"/(?:^|[\s \r\n]+|[^a-zA-Z0-9_>]+)( " . $ func"[\s \r\n]*\((?<=\().*?(?=\))\))/si " ;
917- foreach ($ contentsas $ content
928+ foreach ($ contentsas $ contentType => $ content
918929 if (@preg_match_all ($ regexPattern$ content$ matchesPREG_OFFSET_CAPTURE )) {
919930 foreach ($ matches0 ] as $ match
920- $ checkFunction$ match$ regexPattern
931+ $ descriptionPrefix'Potentially dangerous function ' ;
932+ $ severityLVL_WARNING ;
933+ if ($ contentType'decoded ' ) {
934+ $ severityLVL_DANGEROUS ;
935+ $ descriptionPrefix'Encoded Function ' ;
936+ }
937+ $ checkFunction
938+ $ match
939+ $ regexPattern
940+ $ severity
941+ $ descriptionPrefix
942+ );
921943 }
922944 }
923945 }
@@ -927,35 +949,28 @@ public function scanFile($info)
927949 * Encoded functions.
928950 */
929951 if (in_array ($ funcRawself ::$ functionsEncoded
930- $ decoders
952+ $ encoders
931953 'str_rot13 ' ,
932954 'base64_decode ' ,
933955 'strrev ' ,
934956 ];
935- foreach ($ decoders as $ decoder
957+ foreach ($ encoders as $ encoder
936958 // Check encoded functions
937- $ regexPatternEncoded'/ ' . @$ decoder $ funcRaw'/s ' ;
938- foreach ($ contentsas $ content
959+ $ regexPatternEncoded'/ ' . @$ encoder $ funcRaw'/s ' ;
960+ foreach ($ contentsas $ contentType => $ content
939961 if (@preg_match_all ($ regexPatternEncoded$ content$ matchesPREG_OFFSET_CAPTURE )) {
940962 foreach ($ matches0 ] as $ match
941- $ checkFunction$ match$ regexPatternEncodedLVL_DANGEROUS , $ decoder
963+ $ checkFunction
964+ $ match
965+ $ regexPatternEncoded
966+ Definitions::LVL_DANGEROUS ,
967+ 'Encoded Function ' ,
968+ $ encoder
969+ );
942970 }
943971 }
944972 }
945973 }
946-
947- // Check hex functions
948- $ funcHexbin2hex ($ funcRaw
949- $ funcHexchunk_split ($ funcHex2 , '\x ' );
950- $ funcHex'\x ' . substr ($ funcHex0 , -2 );
951- $ regexPatternHex'/( ' . preg_quote ($ funcHex'/ ' ) . ')/si ' ;
952- foreach ($ contentsas $ content
953- if (@preg_match_all ($ regexPatternHex$ content$ matchesPREG_OFFSET_CAPTURE )) {
954- foreach ($ matches0 ] as $ match
955- $ checkFunction$ match$ regexPatternHexLVL_DANGEROUS , 'hex ' );
956- }
957- }
958- }
959974 }
960975 }
961976
@@ -981,6 +996,7 @@ public function scanFile($info)
981996 'key ' => $ key
982997 'level ' => Definitions::LVL_DANGEROUS ,
983998 'output ' => $ matchDescription
999+ 'description ' => 'Sign definition ` ' . $ key'` ' ,
9841000 'line ' => $ lineNumber
9851001 'pattern ' => $ regexPattern
9861002 'match ' => $ lastMatch
@@ -1006,6 +1022,7 @@ public function scanFile($info)
10061022 'key ' => $ key
10071023 'level ' => Definitions::LVL_DANGEROUS ,
10081024 'output ' => $ description
1025+ 'description ' => 'LFI (Local File Inclusion), through an infected file with icon, allow remote attackers to inject and execute arbitrary commands or code on the target machine ' ,
10091026 'line ' => '' ,
10101027 'pattern ' => '' ,
10111028 'match ' => '' ,
0 commit comments