id: php-scanner info: name: PHP Scanner author: geeknik severity: info tags: php,file file: - extensions: - html - htm - phtml - php - php3 - php4 - php5 - phps - cgi - inc - tpl - test - module - plugin extractors: - type: regex # Investigate for possible SQL Injection # Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id"); # Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array('$user_id')); regex: - '(?i)getone|getrow|getall|getcol|getassoc|execute|replace' - type: regex # Warn when var_dump is found regex: - 'var_dump' - type: regex # Warn when display_errors is enabled manually regex: - 'display_errors' - type: regex # Avoid the use of eval() regex: - 'eval' - 'eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))' - type: regex # Avoid the use of exit or die() regex: - 'exit' - 'die' - type: regex # Avoid the use of logical operators (ex. using and over &&) regex: - 'and' - type: regex # Avoid the use of the ereg* functions (now deprecated) regex: - 'ereg' - type: regex # Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE) regex: - 'extract' - type: regex # Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options regex: - 'echo' - 'print' - 'printf' - 'print_r' - 'vprintf' - 'sprintf' - type: regex # Ensuring you're not using echo with file_get_contents regex: - 'file_get_contents' - type: regex # Testing for the system execution functions and shell exec (backticks) regex: - '\\`' - type: regex # Use of readfile, readlink and readgzfile regex: - 'readfile' - 'readlink' - 'readgzfile' - type: regex # Using parse_str or mb_parse_str (writes values to the local scope) regex: - 'parse_st' - 'mb_parse_str' - type: regex # Using session_regenerate_id either without a parameter or using false regex: - 'session_regenerate' - type: regex # Avoid use of $_REQUEST (know where your data is coming from) regex: - '\\$_REQUEST' - type: regex # Don't use mysql_real_escape_string regex: - 'mysql_real_escape_string' - type: regex # Avoiding use of import_request_variables regex: - 'import_request_variables' - type: regex # Avoid use of GLOBALS regex: - 'GLOBALS' - type: regex regex: - '_GET' - type: regex regex: - '_POST' - type: regex regex: - '_COOKIE' - type: regex regex: - '_SESSION' - type: regex # Ensure the use of type checking validating against booleans (===) regex: - '\\=\\=\\=' - type: regex # Ensure that the /e modifier isn't used in regular expressions (execute) regex: - '\\/e' - type: regex # Using concatenation in header() calls regex: - 'header' - type: regex # Avoiding the use of $http_raw_post_data regex: - '\\$http_raw_post_data' - type: regex # interesting functions for POP/Unserialize regex: - "__autoload" - "__destruct" - "__wakeup" - "__toString" - "__call" - "__callStatic" - "__get" - "__set" - "__isset" - "__unset" - type: regex # phpinfo detected regex: - "phpinfo" - type: regex # registerPHPFunctions() allows code exec in XML regex: - "registerPHPFunctions" - type: regex regex: - "session_start" - type: regex # dBase DBMS regex: - "dbase_open" - type: regex # DB++ DBMS regex: - "dbplus_open" - "dbplus_ropen" - type: regex # Frontbase DBMS regex: - "fbsql_connect" - type: regex # Informix DBMS regex: - "ifx_connect" - type: regex # IBM DB2 DBMS regex: - "db2_(p?)connect" - type: regex # FTP server regex: - "ftp_(ssl_)?connect" - type: regex # Ingres DBMS regex: - "ingres_(p?)connect" - type: regex # LDAP server regex: - "ldap_connect" - type: regex # msession server regex: - "msession_connect" - type: regex # mSQL DBMS regex: - "msql_(p?)connect" - type: regex # MsSQL DBMS regex: - "mssql_(p?)connect" - type: regex # MySQL DBMS regex: - "mysql_(p?)connect" - type: regex # MySQLi Extension regex: - "mysqli((_real)?_connect)?|_query" - type: regex # Oracle OCI8 DBMS regex: - "oci|(_new?)|_connect|(n?|p?)logon" - type: regex # Oracle DBMS regex: - "ora_(p?)connect" - type: regex # Ovrimos SQL DBMS regex: - "ovrimos_connect" - type: regex # PostgreSQL DBMS regex: - "pg_(p?)connect" - type: regex # SQLite DBMS regex: - "sqlite_(p?)open" - type: regex # SQLite3 DBMS regex: - "SQLite3" - type: regex # Sybase DBMS regex: - "sybase_(p?)connect" - type: regex # TokyoTyrant DBMS regex: - "TokyoTyrant" - type: regex # XML document regex: - "x(ptr|path)_new_context" - type: regex # Investigate if GetTableFields is called safely regex: - "GetTableFields" - type: regex regex: - "ini_get.*magic_quotes_gpc.*" # digest: 4a0a00473045022100cdc04b80c9479b1a4fe8a4dd836ca51e473d21b6dfee8a10d4766eab8980dd66022002ed5ea70b600f04f8842ba1b24b70122656832d5769131b53c765c8f678a62a:922c64590222798bb761d5b6d8e72950