nuclei-templates/file/php/php-scanner.yaml

246 lines
6.1 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

id: php-scanner
info:
name: PHP Scanner
author: geeknik
severity: info
tags: php,file
file:
- extensions:
- html
- htm
- phtml
- php
- php3
- php4
- php5
- phps
- cgi
- inc
- tpl
- test
- module
- plugin
extractors:
- type: regex
# Investigate for possible SQL Injection
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array($user_id));
regex:
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
- type: regex
# Warn when var_dump is found
regex:
- 'var_dump'
- type: regex
# Warn when display_errors is enabled manually
regex:
- 'display_errors'
- type: regex
# Avoid the use of eval()
regex:
- 'eval'
- 'eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))'
- type: regex
# Avoid the use of exit or die()
regex:
- 'exit'
- 'die'
- type: regex
# Avoid the use of logical operators (ex. using and over &&)
regex:
- 'and'
- type: regex
# Avoid the use of the ereg* functions (now deprecated)
regex:
- 'ereg'
- type: regex
# Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE)
regex:
- 'extract'
- type: regex
# Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options
regex:
- 'echo'
- 'print'
- 'printf'
- 'print_r'
- 'vprintf'
- 'sprintf'
- type: regex
# Ensuring you're not using echo with file_get_contents
regex:
- 'file_get_contents'
- type: regex
# Testing for the system execution functions and shell exec (backticks)
regex:
- '\\`'
- type: regex
# Use of readfile, readlink and readgzfile
regex:
- 'readfile'
- 'readlink'
- 'readgzfile'
- type: regex
# Using parse_str or mb_parse_str (writes values to the local scope)
regex:
- 'parse_st'
- 'mb_parse_str'
- type: regex
# Using session_regenerate_id either without a parameter or using false
regex:
- 'session_regenerate'
- type: regex
# Avoid use of $_REQUEST (know where your data is coming from)
regex:
- '\\$_REQUEST'
- type: regex
# Don't use mysql_real_escape_string
regex:
- 'mysql_real_escape_string'
- type: regex
# Avoiding use of import_request_variables
regex:
- 'import_request_variables'
- type: regex
# Avoid use of $GLOBALS
regex:
- '\\$GLOBALS'
- type: regex
regex:
- '\\$_GET'
- type: regex
regex:
- '\\$_POST'
- type: regex
# Ensure the use of type checking validating against booleans (===)
regex:
- '\\=\\=\\='
- type: regex
# Ensure that the /e modifier isn't used in regular expressions (execute)
regex:
- '\\/e'
- type: regex
# Using concatenation in header() calls
regex:
- 'header'
- type: regex
# Avoiding the use of $http_raw_post_data
regex:
- '\\$http_raw_post_data'
- type: regex
# interesting functions for POP/Unserialize
regex:
- "__autoload"
- "__destruct"
- "__wakeup"
- "__toString"
- "__call"
- "__callStatic"
- "__get"
- "__set"
- "__isset"
- "__unset"
- type: regex
# phpinfo detected
regex:
- "phpinfo"
- type: regex
# registerPHPFunctions() allows code exec in XML
regex:
- "registerPHPFunctions"
- type: regex
regex:
- "session_start"
- type: regex
# dBase DBMS
regex:
- "dbase_open"
- type: regex
# DB++ DBMS
regex:
- "dbplus_open"
- "dbplus_ropen"
- type: regex
# Frontbase DBMS
regex:
- "fbsql_connect"
- type: regex
# Informix DBMS
regex:
- "ifx_connect"
- type: regex
# IBM DB2 DBMS
regex:
- "db2_(p?)connect"
- type: regex
# FTP server
regex:
- "ftp_(ssl_)?connect"
- type: regex
# Ingres DBMS
regex:
- "ingres_(p?)connect"
- type: regex
# LDAP server
regex:
- "ldap_connect"
- type: regex
# msession server
regex:
- "msession_connect"
- type: regex
# mSQL DBMS
regex:
- "msql_(p?)connect"
- type: regex
# MsSQL DBMS
regex:
- "mssql_(p?)connect"
- type: regex
# MySQL DBMS
regex:
- "mysql_(p?)connect"
- type: regex
# MySQLi Extension
regex:
- "mysqli((_real)?_connect)?"
- type: regex
# Oracle OCI8 DBMS
regex:
- "oci|(_new?)|_connect|(n?|p?)logon"
- type: regex
# Oracle DBMS
regex:
- "ora_(p?)connect"
- type: regex
# Ovrimos SQL DBMS
regex:
- "ovrimos_connect"
- type: regex
# PostgreSQL DBMS
regex:
- "pg_(p?)connect"
- type: regex
# SQLite DBMS
regex:
- "sqlite_(p?)open"
- type: regex
# SQLite3 DBMS
regex:
- "SQLite3"
- type: regex
# Sybase DBMS
regex:
- "sybase_(p?)connect"
- type: regex
# TokyoTyrant DBMS
regex:
- "TokyoTyrant"
- type: regex
# XML document
regex:
- "x(ptr|path)_new_context"