
DangerousPhp inside phpseclib when checking with YARA

When doing malware scanning inside the PHP app using YARA,

    yara -r ./php.yar -s /myapp

    DangerousPhp /myapp/phpseclib/Net/SSH2.php
    0x1140c:$system: system
    0x1083a:$: call_user_func
    0x1671f:$: call_user_func
    0x154:$: EXEC

The malware finder tool used inside is https://github.com/nbs-system/php-malware-finder/

The phpseclib library file that's throwing this error is https://github.com/phpseclib/phpseclib/blob/master/phpseclib/Net/SSH2.php

Any help would be highly appreciated.

False positive. It's unclear what version of phpseclib you're using but let's assume you're using the latest 2.0 release (2.0.34). call_user_func only occurs on line 2946:

https://github.com/phpseclib/phpseclib/blob/2.0.34/phpseclib/Net/SSH2.php#L2946

                default:
                    if (is_callable($callback)) {
                        if (call_user_func($callback, $temp) === true) {
                            $this->_close_channel(self::CHANNEL_EXEC);
                            return true;
                        }
                    } else {
                        $output.= $temp;
                    }

It's in the exec() method. $callback is a parameter whose purpose is discussed at https://phpseclib.com/docs/commands#callbacks . The 3.0 branch does $callback($temp) instead of callback_user_func($temp) but it's the same basic idea. Probably $callback($temp) doesn't work on older versions of PHP whereas callback_user_func($temp) does.

call_user_func_array is called twice in SSH2.php. Once on line 2227 and once on line 3375.

Line 2227 is in the login method. Here's what that method does:

    function login($username)
    {
        $args = func_get_args();
        $this->auth[] = $args;

        // try logging with 'none' as an authentication method first since that's what
        // PuTTY does
        if (substr($this->server_identifier, 0, 15) != 'SSH-2.0-CoreFTP' && $this->auth_methods_to_continue === null) {
            if ($this->_login($username)) {
                return true;
            }
            if (count($args) == 1) {
                return false;
            }
        }
        return call_user_func_array(array(&$this, '_login'), $args);
    }

In phpseclib 3.0.11 it's doing return $this->sublogin($username, ...$args); but the basic idea is that it's taking each element of $args and passing it as an individual parameter to $this->_login. Like if you did $this->_login($args) then _login would only be taking a single parameter. PHP 5.6 introduced the splat (...) operator but phpseclib 2 runs on PHP 5.3 so you have to do call_user_func_array or just use a single parameter and that's it.

Here's the other instance of call_user_func_array:

    function _reconnect()
    {
        $this->_reset_connection(NET_SSH2_DISCONNECT_CONNECTION_LOST);
        $this->retry_connect = true;
        if (!$this->_connect()) {
            return false;
        }
        foreach ($this->auth as $auth) {
            $result = call_user_func_array(array(&$this, 'login'), $auth);
        }
        return $result;
    }

So same thing.

So like I said, this is a nothing sandwich. A false positive.
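An added example, not from the question, the answer, or php-malware-finder: a small Python triage script that parses the `yara -s` output format shown in the question and suppresses a DangerousPhp hit only when the flagged file's SHA-256 equals a hash pinned from the library release you actually deployed, so a vendored phpseclib file is dismissed on integrity rather than on its path, while any other hit stays in the review queue. The file contents, hashes and the second scanned path are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in the `yara -s` format from the question: a "RULE PATH" line, then one "0xOFFSET:$IDENT: DATA" line per matched string.
SAMPLE_OUTPUT = """DangerousPhp /myapp/phpseclib/Net/SSH2.php
0x1140c:$system: system
0x1083a:$: call_user_func
0x1671f:$: call_user_func
0x154:$: EXEC
DangerousPhp /myapp/uploads/cache.php
0x2a:$: eval
"""
STRING_RE = re.compile(r"^0x([0-9a-fA-F]+):\$(\w*): (.*)$")
RULE_RE = re.compile(r"^(\S+) (.+)$")

def parse_yara_output(text):
    """Return {(rule, path): [(offset, identifier, data), ...]} for `yara -s` output."""
    matches, current = defaultdict(list), None
    for line in text.splitlines():
        s = STRING_RE.match(line)
        if s:
            if current is not None:  # string lines before any rule line are ignored
                matches[current].append((int(s.group(1), 16), s.group(2), s.group(3)))
            continue
        r = RULE_RE.match(line)
        if r:
            current = (r.group(1), r.group(2))
            matches.setdefault(current, [])  # register the hit even if no string lines follow
    return dict(matches)

def triage(matches, pinned_hashes, read_file):
    """Split hits into (suppressed, to_review): a hit is suppressed only when the file's
    SHA-256 equals the hash pinned for that path; modified or unknown files stay queued."""
    suppressed, to_review = [], []
    for (rule, path), strings in matches.items():
        if pinned_hashes.get(path) == hashlib.sha256(read_file(path)).hexdigest():
            suppressed.append((rule, path))
        else:
            to_review.append((rule, path, strings))
    return suppressed, to_review

# Constructed stand-ins for files on disk. PINNED is recorded at deploy time from the library release you installed, never derived from the file the scan just flagged.
FILES = {
    "/myapp/phpseclib/Net/SSH2.php": b"<?php /* constructed stand-in for phpseclib SSH2.php */",
    "/myapp/uploads/cache.php": b"<?php /* constructed stand-in for an unreviewed upload */",
}
PINNED = {"/myapp/phpseclib/Net/SSH2.php": hashlib.sha256(FILES["/myapp/phpseclib/Net/SSH2.php"]).hexdigest()}
def demo():
    return triage(parse_yara_output(SAMPLE_OUTPUT), PINNED, lambda path: FILES[path])
```

Against the real tree, `read_file` would open the path and `PINNED` would hold the hash of each vendored file from the release archive, so an attacker-modified library file no longer hashes clean and drops out of the suppressed list.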
