authorLuca <deri@ntop.org>2022-10-04 11:26:03 +0200
committerLuca <deri@ntop.org>2022-10-04 11:26:44 +0200
commit3fa941698133190dd5bca6100b74f7e3f5683a55 (patch)
tree3dd839f3dac21d113a97d8b379e6d1612b6e60da /src/lib/protocols/http.c
parentde59eb823724cea1f197f8012f41e6cb159b2a56 (diff)
Improved detection of WebShell and PHP code in HTTP URLs that is reported via flow risk
Diffstat (limited to 'src/lib/protocols/http.c')
-rw-r--r--src/lib/protocols/http.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 96e0e309a..ef5887643 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -628,7 +628,10 @@ static void ndpi_check_numeric_ip(struct ndpi_detection_module_struct *ndpi_stru
static void ndpi_check_http_url(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
char *url) {
- /* Nothing to do */
+ if(strstr(url, "<php>") != NULL /* PHP code in the URL */)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "PHP code in URL");
+ else if(strncmp(url, "/shell?", 7) == 0)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION, "Possible WebShell detected");
}
/* ************************************************************* */
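Review bot: The `strstr(url, "<php>")` test matches only the literal, case-sensitive string `<php>`, which is not PHP's opening tag, so a URL containing `<?php` raises no risk. The same holds for a percent-encoded or mixed-case form if `url` is not decoded and case-folded before this call, which the hunk does not show. Consider matching on a normalised copy of the URL and covering the real tag as well, e.g. `if(strstr(url, "<?php") != NULL || strstr(url, "<php>") != NULL)`. The `strncmp(url, "/shell?", 7)` branch is anchored to the start of the path and to one exact name, so it is a narrow signature; a comment such as `/* signature for <tool or sample name>; matches only a path that starts with /shell? */` would let maintainers judge its false-negative and false-positive rate.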