通过Python检测webshell——利用百度webshell检测接口

百度提供了一个webshell检测的接口，支持单文件、压缩包（多/单文件），但是貌似数据库比较旧。仅当做程序学习！代码如下：

#-*-coding:utf-8-*-
from poster.encode import multipart_encode  
from poster.streaminghttp import register_openers  
import urllib2
import re
import sys
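# Flat CLI script: upload one file (or archive) to the scanner, fetch the
# report it points to, and print the verdict fields.
#
# NOTE(review): the sample is sent to a third-party service over plain HTTP,
# so the file and the report travel unencrypted and leave your environment;
# submit only files you are permitted to share.

fs_encoding = sys.getfilesystemencoding()  # was `type`, which shadowed the builtin
register_openers()  # lets urllib2 stream the multipart body built by poster

if len(sys.argv) < 2:
    sys.stderr.write("usage: %s <file-or-archive>\n" % sys.argv[0])
    sys.exit(2)
file_name = sys.argv[1]

SCANNER_ENQUEUE_URL = "http://scanner.baidu.com/enqueue"
TIMEOUT_SECONDS = 60  # both network calls used to block forever on a stalled server


def _first_match(pattern, text):
    """Return the first capture group of *pattern* found in *text*, or None."""
    found = re.findall(pattern, text)
    return found[0] if found else None


# `with` closes the handle even when the upload raises; the original never closed it.
with open(file_name, "rb") as sample:
    datagen, headers = multipart_encode({"archive": sample})
    request = urllib2.Request(SCANNER_ENQUEUE_URL, datagen, headers)
    ret = urllib2.urlopen(request, timeout=TIMEOUT_SECONDS).read()

# The enqueue reply carries the report location under a "url" key; without it
# the original crashed with IndexError on `res[0]`.
url = _first_match(r'"url":"(.+?)"}', ret)
if url is None:
    sys.stderr.write("unexpected enqueue response (no report url): %r\n" % ret[:200])
    sys.exit(1)

# Presumably strips the `\/` escaping of a JSON-encoded URL — confirm against a live reply.
report_url = url.replace("\\", "")
# The report URL is chosen by the remote server and is fetched as-is here.
scan_res = urllib2.urlopen(report_url, timeout=TIMEOUT_SECONDS).read().decode('utf-8').encode(fs_encoding)

# Missing fields used to raise IndexError; report them as unknown instead.
verdict = _first_match(r'sandbox":"(.+?)"', scan_res)
descr = _first_match(r'descr":"(.+?)"', scan_res)

print("")
print("检测结果:")
print("")
print("是否为后门:" + (verdict if verdict is not None else "unknown"))
print("后门类型:" + (descr if descr is not None else "unknown"))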

 
