nuclei-templates/file/php/php-scanner.yaml

311 lines
6.4 KiB
YAML

id: php-scanner
info:
name: PHP Scanner
author: geeknik
severity: info
tags: php,file
file:
- extensions:
- html
- htm
- phtml
- php
- php3
- php4
- php5
- phps
- cgi
- inc
- tpl
- test
- module
- plugin
extractors:
- type: regex
# Investigate for possible SQL Injection
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array('$user_id'));
regex:
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
- type: regex
# Warn when var_dump is found
regex:
- 'var_dump'
- type: regex
# Warn when display_errors is enabled manually
regex:
- 'display_errors'
- type: regex
# Avoid the use of eval()
regex:
- 'eval'
- 'eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))'
- type: regex
# Avoid the use of exit or die()
regex:
- 'exit'
- 'die'
- type: regex
# Avoid the use of logical operators (ex. using and over &&)
regex:
- 'and'
- type: regex
# Avoid the use of the ereg* functions (now deprecated)
regex:
- 'ereg'
- type: regex
# Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE)
regex:
- 'extract'
- type: regex
# Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options
regex:
- 'echo'
- 'print'
- 'printf'
- 'print_r'
- 'vprintf'
- 'sprintf'
- type: regex
# Ensuring you're not using echo with file_get_contents
regex:
- 'file_get_contents'
- type: regex
# Testing for the system execution functions and shell exec (backticks)
regex:
- '\\`'
- type: regex
# Use of readfile, readlink and readgzfile
regex:
- 'readfile'
- 'readlink'
- 'readgzfile'
- type: regex
# Using parse_str or mb_parse_str (writes values to the local scope)
regex:
- 'parse_st'
- 'mb_parse_str'
- type: regex
# Using session_regenerate_id either without a parameter or using false
regex:
- 'session_regenerate'
- type: regex
# Avoid use of $_REQUEST (know where your data is coming from)
regex:
- '\\$_REQUEST'
- type: regex
# Don't use mysql_real_escape_string
regex:
- 'mysql_real_escape_string'
- type: regex
# Avoiding use of import_request_variables
regex:
- 'import_request_variables'
- type: regex
# Avoid use of GLOBALS
regex:
- 'GLOBALS'
- type: regex
regex:
- '_GET'
- type: regex
regex:
- '_POST'
- type: regex
regex:
- '_COOKIE'
- type: regex
regex:
- '_SESSION'
- type: regex
# Ensure the use of type checking validating against booleans (===)
regex:
- '\\=\\=\\='
- type: regex
# Ensure that the /e modifier isn't used in regular expressions (execute)
regex:
- '\\/e'
- type: regex
# Using concatenation in header() calls
regex:
- 'header'
- type: regex
# Avoiding the use of $http_raw_post_data
regex:
- '\\$http_raw_post_data'
- type: regex
# interesting functions for POP/Unserialize
regex:
- "__autoload"
- "__destruct"
- "__wakeup"
- "__toString"
- "__call"
- "__callStatic"
- "__get"
- "__set"
- "__isset"
- "__unset"
- type: regex
# phpinfo detected
regex:
- "phpinfo"
- type: regex
# registerPHPFunctions() allows code exec in XML
regex:
- "registerPHPFunctions"
- type: regex
regex:
- "session_start"
- type: regex
# dBase DBMS
regex:
- "dbase_open"
- type: regex
# DB++ DBMS
regex:
- "dbplus_open"
- "dbplus_ropen"
- type: regex
# Frontbase DBMS
regex:
- "fbsql_connect"
- type: regex
# Informix DBMS
regex:
- "ifx_connect"
- type: regex
# IBM DB2 DBMS
regex:
- "db2_(p?)connect"
- type: regex
# FTP server
regex:
- "ftp_(ssl_)?connect"
- type: regex
# Ingres DBMS
regex:
- "ingres_(p?)connect"
- type: regex
# LDAP server
regex:
- "ldap_connect"
- type: regex
# msession server
regex:
- "msession_connect"
- type: regex
# mSQL DBMS
regex:
- "msql_(p?)connect"
- type: regex
# MsSQL DBMS
regex:
- "mssql_(p?)connect"
- type: regex
# MySQL DBMS
regex:
- "mysql_(p?)connect"
- type: regex
# MySQLi Extension
regex:
- "mysqli((_real)?_connect)?|_query"
- type: regex
# Oracle OCI8 DBMS
regex:
- "oci|(_new?)|_connect|(n?|p?)logon"
- type: regex
# Oracle DBMS
regex:
- "ora_(p?)connect"
- type: regex
# Ovrimos SQL DBMS
regex:
- "ovrimos_connect"
- type: regex
# PostgreSQL DBMS
regex:
- "pg_(p?)connect"
- type: regex
# SQLite DBMS
regex:
- "sqlite_(p?)open"
- type: regex
# SQLite3 DBMS
regex:
- "SQLite3"
- type: regex
# Sybase DBMS
regex:
- "sybase_(p?)connect"
- type: regex
# TokyoTyrant DBMS
regex:
- "TokyoTyrant"
- type: regex
# XML document
regex:
- "x(ptr|path)_new_context"
- type: regex
# Investigate if GetTableFields is called safely
regex:
- "GetTableFields"
- type: regex
regex:
- "ini_get.*magic_quotes_gpc.*"