/*
Yara Rule Set
Author: Florian Roth
Date: 2015-06-13
Identifier: CN-Tools Webshells
Reference: Disclosed hacktool set at http://w2op.us/ (Mirror: http://tools.zjqhr.com)
*/
// JSP web shell (cmd.jSp). The strings anchor on a hard-coded password check
// against the "Confpwd" request parameter ($s0), Runtime.exec() fed from the
// "Conn" parameter ($s1) and the read loop that streams the process output
// back into the response ($s4, $s5). Condition: small file, 7 of 10 strings.
rule Tools_cmd {
    meta:
        description = "Chinese Hacktool Set - file cmd.jSp"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "02e37b95ef670336dc95331ec73dbb5a86f3ba2b"
    strings:
        $s0 = "if(\"1752393\".equals(request.getParameter(\"Confpwd\"))){" fullword ascii
        $s1 = "java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"Conn\"" ascii
        $s2 = "<%@ page import=\"java.io.*\" %>" fullword ascii
        // NOTE(review): this literal is split across a line break as extracted.
        // A raw newline is not valid inside a YARA text string, so characters
        // were most likely lost here (the same applies to $s7 below) - restore
        // the literal from the upstream rule file before compiling.
        $s3 = "out.print(\"Hi,Man 2015
\");" fullword ascii
        $s4 = "while((a=in.read(b))!=-1){" fullword ascii
        $s5 = "out.println(new String(b));" fullword ascii
        // NOTE(review): an empty out.print() argument looks like stripped
        // content as well; verify against the upstream rule file.
        $s6 = "out.print(\"\");" fullword ascii
        // NOTE(review): literal split across a line break as extracted (see $s3).
        $s7 = "out.print(\"
\");" fullword ascii
        $s8 = "int a = -1;" fullword ascii
        $s9 = "byte[] b = new byte[2048];" fullword ascii
    condition:
        filesize < 3KB and 7 of them
}

// PHP MSSQL management script (trigger_drop.php): issues a DROP TRIGGER via
// mssql_query ($s2) and redirects through a GET-controlled "returnto" page
// ($s0, $s3). All four strings are required, so $s1 (which looks truncated
// as extracted - presumably stripped markup; verify upstream) also decides
// whether the rule fires.
rule trigger_drop {
    meta:
        description = "Chinese Hacktool Set - file trigger_drop.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "165dd2d82bf87285c8a53ad1ede6d61a90837ba4"
    strings:
        $s0 = "$_GET['returnto'] = 'database_properties.php';" fullword ascii
        $s1 = "echo(''" ascii
        $s2 = "@mssql_query('DROP TRIGGER" ascii
        $s3 = "if(empty($_GET['returnto']))" fullword ascii
    condition:
        filesize < 5KB and all of them
}

// VB.NET source file (InjectionParameters.vb). Only the class declaration and
// a shared "Empty" sentinel instance are matched; both strings are needed.
// NOTE(review): nothing here is specific to malicious behaviour - any project
// that declares a class with this name and sentinel would match, so treat hits
// as an indicator to triage rather than a verdict.
rule InjectionParameters {
    meta:
        description = "Chinese Hacktool Set - file InjectionParameters.vb"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "4f11aa5b3660c45e527606ee33de001f4994e1ea"
    strings:
        $s0 = "Public Shared ReadOnly Empty As New InjectionParameters(-1, \"\")" fullword ascii
        $s1 = "Public Class InjectionParameters" fullword ascii
    condition:
        filesize < 13KB and all of them
}

// PHP MSSQL user-listing page (users_list.php). $s7 is the most specific
// anchor: a skip list of built-in MSSQL principals that the tool hides from
// its listing. $s0 and $s11 are generic UI text and only narrow the match
// because all three strings are required.
rule users_list {
    meta:
        description = "Chinese Hacktool Set - file users_list.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "6fba1a1a607198ed232405ccbebf9543037a63ef"
    strings:
        $s0 = "Create User" fullword ascii
        $s7 = "$skiplist = array('##MS_AgentSigningCertificate##','NT AUTHORITY\\NETWORK SERVIC" ascii
        $s11 = " Default DB " fullword ascii
    condition:
        filesize < 12KB and all of them
}

// PHP MSSQL management script (function_drop.php): DROP FUNCTION with the
// function name taken straight from the "function" GET parameter ($s0).
// $s1-$s3 are the same redirect/echo fragments used by trigger_drop above.
rule function_drop {
    meta:
        description = "Chinese Hacktool Set - file function_drop.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "209098c494ce10d82d1c2002488509c5e8983182"
    strings:
        // NOTE(review): this literal is split across a line break as extracted;
        // a raw newline is not valid in a YARA text string and characters were
        // probably lost - restore from the upstream rule file before compiling.
        $s0 = "@mssql_query('DROP FUNCTION ' . urldecode($_GET['function']) . 
';') or" ascii
        $s1 = "$_GET['returnto'] = 'database_properties.php';" fullword ascii
        $s2 = "echo(''" ascii
        $s3 = "if(empty($_GET['returnto']))" fullword ascii
    condition:
        filesize < 5KB and all of them
}

// PHP export helper (table_export_download.php): sets download headers with
// the filename built from $_SESSION['database'] ($s0) and echoes the POSTed
// "data" body back as the file content ($s1, $s3). All four strings are
// required; $s3 on its own would be far too generic.
rule table_export_download {
    meta:
        description = "Chinese Hacktool Set - file table_export_download.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "2758e553d1059bdbc4e3993dd6f46218fc26103d"
    strings:
        $s0 = "header('Content-Disposition: attachment; filename=\"' . $_SESSION['database'] . " ascii
        $s1 = "header('Content-Length: ' . strlen($_POST['data']));" fullword ascii
        $s2 = "header('Content-type: application/x-download');" fullword ascii
        $s3 = "echo $_POST['data'];" fullword ascii
    condition:
        filesize < 5KB and all of them
}

// PHP MSSQL management script (trigger_modify.php). The rule continues beyond
// this excerpt; its strings and condition are not visible here.
rule trigger_modify {
    meta:
        description = "Chinese Hacktool Set - file trigger_modify.php"
        author = "Florian Roth"
        reference = "http://tools.zjqhr.com/"
        date = "2015-06-13"
        hash = "c93cd7a6c3f962381e9bf2b511db9b1639a22de0"
    strings:
        $s1 = "