nuclei-templates/file/php/php-scanner.yaml

124 lines
3.4 KiB
YAML
Raw Normal View History

2021-08-05 00:18:37 +00:00
id: php-scanner
info:
name: PHP Scanner
author: geeknik
severity: info
tags: php,file
file:
- extensions:
- html
- phtml
- php
- php3
- php4
extractors:
- type: regex
# Investigate for possible SQL Injection
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));
regex:
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
- type: regex
# Warn when var_dump is found
regex:
- 'var_dump'
- type: regex
# Warn when display_errors is enabled manually
regex:
- 'display_errors'
- type: regex
# Avoid the use of eval()
regex:
- 'eval'
- 'eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))'
- type: regex
# Avoid the use of exit or die()
regex:
- 'exit'
- 'die'
- type: regex
# Avoid the use of logical operators (ex. using and over &&)
regex:
- 'and'
- type: regex
# Avoid the use of the ereg* functions (now deprecated)
regex:
- 'ereg'
- type: regex
# Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE)
regex:
- 'extract'
- type: regex
# Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options
regex:
- 'echo'
- 'print'
- 'printf'
- 'print_r'
- 'vprintf'
- 'sprintf'
- type: regex
# Ensuring you're not using echo with file_get_contents
regex:
- 'file_get_contents'
- type: regex
# Testing for the system execution functions and shell exec (backticks)
regex:
- '\\`'
- type: regex
# Use of readfile, readlink and readgzfile
regex:
- 'readfile'
- 'readlink'
- 'readgzfile'
- type: regex
# Using parse_str or mb_parse_str (writes values to the local scope)
regex:
- 'parse_st'
- 'mb_parse_str'
- type: regex
# Using session_regenerate_id either without a parameter or using false
regex:
- 'session_regenerate'
- type: regex
# Avoid use of $_REQUEST (know where your data is coming from)
regex:
- '\\$_REQUEST'
- type: regex
# Don't use mysql_real_escape_string
regex:
- 'mysql_real_escape_string'
- type: regex
# Avoiding use of import_request_variables
regex:
- 'import_request_variables'
- type: regex
# Avoid use of $GLOBALS
regex:
- '\\$GLOBALS'
- type: regex
regex:
- '\\$_GET'
- type: regex
regex:
- '\\$_POST'
- type: regex
# Ensure the use of type checking validating against booleans (===)
regex:
- '\\=\\=\\='
- type: regex
# Ensure that the /e modifier isn't used in regular expressions (execute)
regex:
- '\\/e'
- type: regex
# Using concatenation in header() calls
regex:
- 'header'
- type: regex
# Avoiding the use of $http_raw_post_data
regex:
- '\\$http_raw_post_data'