没啥技术含量，主要是扫ExternalInterface.call

#!/usr/bin/php -q 
     log ----------------------------------xy7@80sec.com---------------------------*/  set_time_limit(0);  function find($directory) { $mydir=dir($directory); while($file=$mydir->read()){ if((is_dir("$directory/$file"))&&($file!=".")&&($file!="..")) { find("$directory/$file"); } else{ if($file != "." && $file != ".."&&eregi(".as",$file)){ $fd=realpath($directory."/".$file); $fp = fopen($fd, "r"); $i=0; while ($buffer = fgets($fp, 128)) { $i++; if(eregi("ExternalInterface.call",$buffer)) { echo "Line".$i.":".$buffer."\r\n\r\n"; preg_match("/\((.*)\)/i", $buffer, $match); if (strstr($match[1],"(")) { preg_match("/\((.*)\)/i", $match[1], $newmatch); echo "再次提取后参数包含 :".$newmatch[1]."\r\n\r\n"; $oldfp = ftell($fp); fseek($fp, 0); $p = 0; while ($newbuffer = fgets($fp, 128)) { $p++; if(eregi("loaderInfo.parameters",$newbuffer)) { //echo "Line".$p.":".$newbuffer."\r\n"; if (strstr($newbuffer,$newmatch[1])) { echo $newmatch[1]."存在漏洞\r\n\r\n";  } } } fseek($fp, $oldfp); unset($oldfp); } elseif(strstr($match[1],",")) { echo "多个参数:$match[1]\r\n"; if (strstr($match[1],"loaderInfo.parameters")){ echo $match[1]."直接调用loaderInfo.parameters传递存在漏洞\r\n\r\n"; } $var_array = array(); $var_array = explode(",",$match[1]); $oldfp = ftell($fp); fseek($fp,0); while ($newbuffer = fgets($fp, 128)) { if(eregi("loaderInfo.parameters",$newbuffer)) { //echo "Line".$p.":".$newbuffer."\r\n\r\n"; foreach ($var_array as $value) { if (strstr($newbuffer,$value)) { echo trim($value)."存在漏洞\r\n\r\n"; }  }  } } fseek($fp, $oldfp); unset($oldfp); }else { echo "唯一参数:".$match[1]."\r\n"; if (strstr($match[1],"loaderInfo.parameters")){ echo $match[1]."直接调用loaderInfo.parameters传递存在漏洞\r\n\r\n"; } $oldfp = ftell($fp); fseek($fp,0); while ($newbuffer = fgets($fp, 128)) { if(eregi("loaderInfo.parameters",$newbuffer)) { //echo "Line".$p.":".$newbuffer."\r\n\r\n"; if (strstr($newbuffer,$match[1])) { echo trim($match[1])."存在漏洞\r\n\r\n"; } } } fseek($fp, $oldfp); unset($oldfp); } } } fclose($fp);  } } } $mydir->close(); } function all() { static $count = 1; echo $count; $count++; } find($argv[1]); ?>