259 lines
6.4 KiB
YAML
259 lines
6.4 KiB
YAML
id: php-scanner
|
|
|
|
info:
|
|
name: PHP Scanner
|
|
author: geeknik
|
|
severity: info
|
|
tags: php,file
|
|
|
|
file:
|
|
- extensions:
|
|
- html
|
|
- htm
|
|
- phtml
|
|
- php
|
|
- php3
|
|
- php4
|
|
- php5
|
|
- phps
|
|
- cgi
|
|
- inc
|
|
- tpl
|
|
- test
|
|
- module
|
|
- plugin
|
|
|
|
extractors:
|
|
- type: regex
|
|
# Investigate for possible SQL Injection
|
|
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
|
|
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array('$user_id'));
|
|
regex:
|
|
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
|
|
- type: regex
|
|
# Warn when var_dump is found
|
|
regex:
|
|
- 'var_dump'
|
|
- type: regex
|
|
# Warn when display_errors is enabled manually
|
|
regex:
|
|
- 'display_errors'
|
|
- type: regex
|
|
# Avoid the use of eval()
|
|
regex:
|
|
- 'eval'
|
|
- 'eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))'
|
|
- type: regex
|
|
# Avoid the use of exit or die()
|
|
regex:
|
|
- 'exit'
|
|
- 'die'
|
|
- type: regex
|
|
# Avoid the use of logical operators (ex. using and over &&)
|
|
regex:
|
|
- 'and'
|
|
- type: regex
|
|
# Avoid the use of the ereg* functions (now deprecated)
|
|
regex:
|
|
- 'ereg'
|
|
- type: regex
|
|
# Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE)
|
|
regex:
|
|
- 'extract'
|
|
- type: regex
|
|
# Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options
|
|
regex:
|
|
- 'echo'
|
|
- 'print'
|
|
- 'printf'
|
|
- 'print_r'
|
|
- 'vprintf'
|
|
- 'sprintf'
|
|
- type: regex
|
|
# Ensuring you're not using echo with file_get_contents
|
|
regex:
|
|
- 'file_get_contents'
|
|
- type: regex
|
|
# Testing for the system execution functions and shell exec (backticks)
|
|
regex:
|
|
- '\\`'
|
|
- type: regex
|
|
# Use of readfile, readlink and readgzfile
|
|
regex:
|
|
- 'readfile'
|
|
- 'readlink'
|
|
- 'readgzfile'
|
|
- type: regex
|
|
# Using parse_str or mb_parse_str (writes values to the local scope)
|
|
regex:
|
|
- 'parse_st'
|
|
- 'mb_parse_str'
|
|
- type: regex
|
|
# Using session_regenerate_id either without a parameter or using false
|
|
regex:
|
|
- 'session_regenerate'
|
|
- type: regex
|
|
# Avoid use of $_REQUEST (know where your data is coming from)
|
|
regex:
|
|
- '\\$_REQUEST'
|
|
- type: regex
|
|
# Don't use mysql_real_escape_string
|
|
regex:
|
|
- 'mysql_real_escape_string'
|
|
- type: regex
|
|
# Avoiding use of import_request_variables
|
|
regex:
|
|
- 'import_request_variables'
|
|
- type: regex
|
|
# Avoid use of GLOBALS
|
|
regex:
|
|
- 'GLOBALS'
|
|
- type: regex
|
|
regex:
|
|
- '_GET'
|
|
- type: regex
|
|
regex:
|
|
- '_POST'
|
|
- type: regex
|
|
regex:
|
|
- '_COOKIE'
|
|
- type: regex
|
|
regex:
|
|
- '_SESSION'
|
|
- type: regex
|
|
# Ensure the use of type checking validating against booleans (===)
|
|
regex:
|
|
- '\\=\\=\\='
|
|
- type: regex
|
|
# Ensure that the /e modifier isn't used in regular expressions (execute)
|
|
regex:
|
|
- '\\/e'
|
|
- type: regex
|
|
# Using concatenation in header() calls
|
|
regex:
|
|
- 'header'
|
|
- type: regex
|
|
# Avoiding the use of $http_raw_post_data
|
|
regex:
|
|
- '\\$http_raw_post_data'
|
|
- type: regex
|
|
# interesting functions for POP/Unserialize
|
|
regex:
|
|
- "__autoload"
|
|
- "__destruct"
|
|
- "__wakeup"
|
|
- "__toString"
|
|
- "__call"
|
|
- "__callStatic"
|
|
- "__get"
|
|
- "__set"
|
|
- "__isset"
|
|
- "__unset"
|
|
- type: regex
|
|
# phpinfo detected
|
|
regex:
|
|
- "phpinfo"
|
|
- type: regex
|
|
# registerPHPFunctions() allows code exec in XML
|
|
regex:
|
|
- "registerPHPFunctions"
|
|
- type: regex
|
|
regex:
|
|
- "session_start"
|
|
- type: regex
|
|
# dBase DBMS
|
|
regex:
|
|
- "dbase_open"
|
|
- type: regex
|
|
# DB++ DBMS
|
|
regex:
|
|
- "dbplus_open"
|
|
- "dbplus_ropen"
|
|
- type: regex
|
|
# Frontbase DBMS
|
|
regex:
|
|
- "fbsql_connect"
|
|
- type: regex
|
|
# Informix DBMS
|
|
regex:
|
|
- "ifx_connect"
|
|
- type: regex
|
|
# IBM DB2 DBMS
|
|
regex:
|
|
- "db2_(p?)connect"
|
|
- type: regex
|
|
# FTP server
|
|
regex:
|
|
- "ftp_(ssl_)?connect"
|
|
- type: regex
|
|
# Ingres DBMS
|
|
regex:
|
|
- "ingres_(p?)connect"
|
|
- type: regex
|
|
# LDAP server
|
|
regex:
|
|
- "ldap_connect"
|
|
- type: regex
|
|
# msession server
|
|
regex:
|
|
- "msession_connect"
|
|
- type: regex
|
|
# mSQL DBMS
|
|
regex:
|
|
- "msql_(p?)connect"
|
|
- type: regex
|
|
# MsSQL DBMS
|
|
regex:
|
|
- "mssql_(p?)connect"
|
|
- type: regex
|
|
# MySQL DBMS
|
|
regex:
|
|
- "mysql_(p?)connect"
|
|
- type: regex
|
|
# MySQLi Extension
|
|
regex:
|
|
- "mysqli((_real)?_connect)?|_query"
|
|
- type: regex
|
|
# Oracle OCI8 DBMS
|
|
regex:
|
|
- "oci|(_new?)|_connect|(n?|p?)logon"
|
|
- type: regex
|
|
# Oracle DBMS
|
|
regex:
|
|
- "ora_(p?)connect"
|
|
- type: regex
|
|
# Ovrimos SQL DBMS
|
|
regex:
|
|
- "ovrimos_connect"
|
|
- type: regex
|
|
# PostgreSQL DBMS
|
|
regex:
|
|
- "pg_(p?)connect"
|
|
- type: regex
|
|
# SQLite DBMS
|
|
regex:
|
|
- "sqlite_(p?)open"
|
|
- type: regex
|
|
# SQLite3 DBMS
|
|
regex:
|
|
- "SQLite3"
|
|
- type: regex
|
|
# Sybase DBMS
|
|
regex:
|
|
- "sybase_(p?)connect"
|
|
- type: regex
|
|
# TokyoTyrant DBMS
|
|
regex:
|
|
- "TokyoTyrant"
|
|
- type: regex
|
|
# XML document
|
|
regex:
|
|
- "x(ptr|path)_new_context"
|
|
- type: regex
|
|
# Investigate if GetTableFields is called safely
|
|
regex:
|
|
- "GetTableFields"
|
|
- type: regex
|
|
regex:
|
|
- "ini_get.*magic_quotes_gpc.*"
|