Description
Hi! I've been looking at your code for the past few days and sorry to tell you this but your fingerprint detection method is most definitely broken. I would fix it but it seems like your database is not properly encoded or something. Look at these lines for proof:
Lines 193 and 194 in particular:

    for _regex, shellname in self._get_precomputed_fingerprints():
        _match = _regex.findall(_content)

Your _regex here is a base64 string, which would be okay if your signatures were actually all base64 strings found in webshells. But that's not the case. You are never actually decoding these base64 strings. However, when we try to do that, we get padding errors all over the place and get junk output. Still, we can see bits of the actual signatures in there:
Sample Garbage:
if (!empty($work_dir)) {
/* A workdir has bee
♠3ôù♠ç♠û7↕τ♠ç☻♥≥♠çGG♥ó≥÷67FV▬╥µτV╢╞V÷ΓτW0╨ó22222↓→\ïêï╚ïë↓→\█ZLï ↓Ü[↓\↓\¢JH☼Å↓¢█↑██←▄ÅI╚╠♀X-o 6-o X-o O-o L-o e-o x-o R-o 4-o +-o 6-o T-o
╥╥╥╥╥╥╥╥╥╥╨áó☻♦Fû╥♠⌡67&ù@ó☻♦Fû╥♠⌡67&ùDµW@ó☻♦Fû
]╒T═⌐ìÿ╒ß!%òY↔Öä╨σiT┼QIQ4╠╒╣U▒◄ÑÖ╒ß↓ì(╤
How did you generate the database or where did you get it from? Anyway, it most definitely is broken.
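
An added example, not part of the issue text and not the project's code: one way a fingerprint loader could strictly decode base64-stored signatures before matching, rejecting malformed entries instead of producing junk. The names `SAMPLE_DB`, `decode_signature`, `load_fingerprints` and `match_content`, the sample entries, and the assumption that each entry is the base64 of a literal snippet are all hypothetical.

```python
import base64
import binascii
import re

# Constructed sample database of (base64 signature, shell name); not project data.
SAMPLE_DB = [
    (base64.b64encode(b"if (!empty($work_dir)) {").decode(), "sample-shell-a"),
    # Valid base64 with its '=' padding stripped, as some generators store it.
    (base64.b64encode(b"eval(base64_decode(").decode().rstrip("="), "sample-shell-b"),
    # Corrupted entry containing characters outside the base64 alphabet.
    ("aWYgKCFl!!bXB0eQ==", "sample-shell-c"),
]


def decode_signature(b64_text):
    """Strictly decode one base64 signature; return bytes, or None if malformed."""
    # Restore stripped padding, the usual cause of "Incorrect padding" errors.
    padded = b64_text + "=" * (-len(b64_text) % 4)
    try:
        # validate=True rejects non-alphabet characters. Without it they are
        # silently skipped, which shifts the bit alignment and yields junk bytes.
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def load_fingerprints(db):
    """Return (compiled, rejected): usable patterns and names of bad entries."""
    compiled, rejected = [], []
    for b64_text, shellname in db:
        raw = decode_signature(b64_text)
        if raw is None:
            rejected.append(shellname)
            continue
        # Assumption: decoded signatures are literal snippets, so escape them.
        compiled.append((re.compile(re.escape(raw)), shellname))
    return compiled, rejected


def match_content(content, compiled):
    """Names of all shells whose decoded signature occurs in content (bytes)."""
    return [name for regex, name in compiled if regex.search(content)]
```

Reporting the `rejected` list at load time makes an encoding problem in the database visible immediately, rather than as silent non-matches during a scan.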