package main
import (
"bytes"
"regexp"
)
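// Heuristic markers consulted by shouldHighlight. A hit only means the input
// deserves a closer look by a human; many of these tokens also occur in
// ordinary, benign code.
var (
	// highlightPatternsReg holds the regular-expression markers. They are
	// compiled once at package initialisation through compileRegexps, which
	// uses regexp.MustCompile, so an invalid pattern fails at startup instead
	// of silently disabling a rule.
	highlightPatternsReg = compileRegexps([]string{
		// php

		// $_GET, $_POST, etc.
		`\$_[A-Z]`,
		// " . "  (string split by concatenation, double quotes)
		`\S"\s*\.\s*"\S`,
		// ' . '  (string split by concatenation, single quotes)
		`\S'\s*\.\s*'\S`,
		// suppressed function call: @name( or @$name(
		// The dollar sign is escaped; unescaped it is an end-of-text anchor
		// and never matches a literal '$'.
		`@\$?\w{1,16}\(`,
		// $x($y(
		`\$.\(\$.\(`,
		// suppressed dynamic function call
		`\@\$\w{1,12}\(`,
		// comment obfuscation
		`\/\*\s*\w+\s*\*\/.+\/\*\s*\w+\s*\*\/[^\s]+`,
		// include php as image
		`include\s{1,10}["'\x60](\w|\/)+\.(png|jpeg|svg|jpg|webp)["'\x60]`,

		// common

		// long base64-looking run (25+ characters); this also matches any
		// other long alphanumeric token, so expect some noise.
		`[a-zA-Z0-9\/\+\=]{25,}`,
		// long run of \xNN escapes; hex digits are accepted in either case
		// (the previous class only covered upper-case digits).
		`(\\x[0-9A-Fa-f]{2}){15,}`,
		// multiple obfuscated variables
		`(_0x\w{4,8}.+){4,}`,
	})

	// highlightPatternsLit holds the literal markers. shouldHighlight tests
	// them with bytes.Contains, i.e. as raw, case-sensitive substrings:
	// `exec` therefore also covers shell_exec and pcntl_exec (the longer
	// entries are kept for readability), and `eval` also hits words such as
	// "evaluate".
	// NOTE(review): because the comparison is case-sensitive, differently
	// cased spellings of these names are not flagged by this list — confirm
	// whether the caller normalises case before calling shouldHighlight.
	highlightPatternsLit = [][]byte{
		// php
		[]byte(`system(`),
		[]byte(`fopen(`),
		[]byte(`hex2bin(`),
		[]byte(`die(`),
		[]byte(`chr(`),
		[]byte(`hexdec(`),
		[]byte(`exec`),
		[]byte(`shell_exec`),
		[]byte(`passthru`),
		[]byte(`popen`),
		[]byte(`proc_open`),
		[]byte(`pcntl_exec`),
		[]byte(`pcntl_fork`),
		[]byte(`escapeshellcmd`),
		[]byte(`preg_replace`),
		[]byte(`create_function`),
		[]byte(`call_user_func_array`),
		[]byte(`strrev`),
		[]byte(`str_rot13`),
		[]byte(`htmlspecialchars_decode`),
		[]byte(`file_get_contents`),
		[]byte(`file_put_contents`),
		[]byte(`fwrite`),
		[]byte(`fread`),
		[]byte(`fgetc`),
		[]byte(`fgets`),
		[]byte(`fscanf`),
		[]byte(`fgetss`),
		[]byte(`fpassthru`),
		[]byte(`readfile`),
		[]byte(`gzuncompress`),
		[]byte(`gzinflate`),
		[]byte(`gzdecode`),
		[]byte(`readgzfile`),
		[]byte(`gzwrite`),
		[]byte(`gzfile`),
		[]byte(`umask(`),
		[]byte(`chmod(`),
		[]byte(`chown(`),
		[]byte(`chgrp(`),
		[]byte(`unlink(`),
		[]byte(`rmdir(`),
		[]byte(`mkdir(`),
		[]byte(`stream_get_meta_data`),
		[]byte(`GLOBALS`),
		[]byte(`$obirninja`),
		[]byte(`$pass`),
		[]byte(`<?php @'$`),

		// js
		[]byte(`atob`),
		[]byte(`btoa`),
		[]byte(`String.fromCharCode(`),
		[]byte(`jQuery.getScript(`),

		// common
		[]byte(`../../../../`),
		[]byte(`base64`),
		[]byte(`eval`),
	}
)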
// compileRegexps compiles every pattern and returns the compiled expressions
// in the same order as the input. It relies on regexp.MustCompile, so an
// invalid pattern panics rather than returning an error.
func compileRegexps(patterns []string) []*regexp.Regexp {
	compiled := make([]*regexp.Regexp, 0, len(patterns))
	for _, expr := range patterns {
		compiled = append(compiled, regexp.MustCompile(expr))
	}
	return compiled
}
// shouldHighlight reports whether b contains any marker from
// highlightPatternsLit (raw substring comparison) or matches any expression
// in highlightPatternsReg. Literals are tried first; the scan stops at the
// first hit. The result is a triage hint only, not a verdict on b.
func shouldHighlight(b []byte) bool {
	hit := false
	// Literal markers: byte-for-byte, case-sensitive substring search.
	for i := 0; i < len(highlightPatternsLit) && !hit; i++ {
		hit = bytes.Contains(b, highlightPatternsLit[i])
	}
	// Regular expressions are only consulted when no literal matched.
	for i := 0; i < len(highlightPatternsReg) && !hit; i++ {
		hit = highlightPatternsReg[i].Match(b)
	}
	return hit
}