259 lines
6.4 KiB
YAML
259 lines
6.4 KiB
YAML
id: php-scanner
|
||
|
||
info:
|
||
name: PHP Scanner
|
||
author: geeknik
|
||
severity: info
|
||
tags: php,file
|
||
|
||
file:
|
||
- extensions:
|
||
- html
|
||
- htm
|
||
- phtml
|
||
- php
|
||
- php3
|
||
- php4
|
||
- php5
|
||
- phps
|
||
- cgi
|
||
- inc
|
||
- tpl
|
||
- test
|
||
- module
|
||
- plugin
|
||
|
||
extractors:
|
||
- type: regex
|
||
# Investigate for possible SQL Injection
|
||
# Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id");
|
||
# Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array(‘$user_id’));
|
||
regex:
|
||
- '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
|
||
- type: regex
|
||
# Warn when var_dump is found
|
||
regex:
|
||
- 'var_dump'
|
||
- type: regex
|
||
# Warn when display_errors is enabled manually
|
||
regex:
|
||
- 'display_errors'
|
||
- type: regex
|
||
# Avoid the use of eval()
|
||
regex:
|
||
- 'eval'
|
||
- 'eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))'
|
||
- type: regex
|
||
# Avoid the use of exit or die()
|
||
regex:
|
||
- 'exit'
|
||
- 'die'
|
||
- type: regex
|
||
# Avoid the use of logical operators (ex. using and over &&)
|
||
regex:
|
||
- 'and'
|
||
- type: regex
|
||
# Avoid the use of the ereg* functions (now deprecated)
|
||
regex:
|
||
- 'ereg'
|
||
- type: regex
|
||
# Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE)
|
||
regex:
|
||
- 'extract'
|
||
- type: regex
|
||
# Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options
|
||
regex:
|
||
- 'echo'
|
||
- 'print'
|
||
- 'printf'
|
||
- 'print_r'
|
||
- 'vprintf'
|
||
- 'sprintf'
|
||
- type: regex
|
||
# Ensuring you're not using echo with file_get_contents
|
||
regex:
|
||
- 'file_get_contents'
|
||
- type: regex
|
||
# Testing for the system execution functions and shell exec (backticks)
|
||
regex:
|
||
- '\\`'
|
||
- type: regex
|
||
# Use of readfile, readlink and readgzfile
|
||
regex:
|
||
- 'readfile'
|
||
- 'readlink'
|
||
- 'readgzfile'
|
||
- type: regex
|
||
# Using parse_str or mb_parse_str (writes values to the local scope)
|
||
regex:
|
||
- 'parse_st'
|
||
- 'mb_parse_str'
|
||
- type: regex
|
||
# Using session_regenerate_id either without a parameter or using false
|
||
regex:
|
||
- 'session_regenerate'
|
||
- type: regex
|
||
# Avoid use of $_REQUEST (know where your data is coming from)
|
||
regex:
|
||
- '\\$_REQUEST'
|
||
- type: regex
|
||
# Don't use mysql_real_escape_string
|
||
regex:
|
||
- 'mysql_real_escape_string'
|
||
- type: regex
|
||
# Avoiding use of import_request_variables
|
||
regex:
|
||
- 'import_request_variables'
|
||
- type: regex
|
||
# Avoid use of GLOBALS
|
||
regex:
|
||
- 'GLOBALS'
|
||
- type: regex
|
||
regex:
|
||
- '_GET'
|
||
- type: regex
|
||
regex:
|
||
- '_POST'
|
||
- type: regex
|
||
regex:
|
||
- '_COOKIE'
|
||
- type: regex
|
||
regex:
|
||
- '_SESSION'
|
||
- type: regex
|
||
# Ensure the use of type checking validating against booleans (===)
|
||
regex:
|
||
- '\\=\\=\\='
|
||
- type: regex
|
||
# Ensure that the /e modifier isn't used in regular expressions (execute)
|
||
regex:
|
||
- '\\/e'
|
||
- type: regex
|
||
# Using concatenation in header() calls
|
||
regex:
|
||
- 'header'
|
||
- type: regex
|
||
# Avoiding the use of $http_raw_post_data
|
||
regex:
|
||
- '\\$http_raw_post_data'
|
||
- type: regex
|
||
# interesting functions for POP/Unserialize
|
||
regex:
|
||
- "__autoload"
|
||
- "__destruct"
|
||
- "__wakeup"
|
||
- "__toString"
|
||
- "__call"
|
||
- "__callStatic"
|
||
- "__get"
|
||
- "__set"
|
||
- "__isset"
|
||
- "__unset"
|
||
- type: regex
|
||
# phpinfo detected
|
||
regex:
|
||
- "phpinfo"
|
||
- type: regex
|
||
# registerPHPFunctions() allows code exec in XML
|
||
regex:
|
||
- "registerPHPFunctions"
|
||
- type: regex
|
||
regex:
|
||
- "session_start"
|
||
- type: regex
|
||
# dBase DBMS
|
||
regex:
|
||
- "dbase_open"
|
||
- type: regex
|
||
# DB++ DBMS
|
||
regex:
|
||
- "dbplus_open"
|
||
- "dbplus_ropen"
|
||
- type: regex
|
||
# Frontbase DBMS
|
||
regex:
|
||
- "fbsql_connect"
|
||
- type: regex
|
||
# Informix DBMS
|
||
regex:
|
||
- "ifx_connect"
|
||
- type: regex
|
||
# IBM DB2 DBMS
|
||
regex:
|
||
- "db2_(p?)connect"
|
||
- type: regex
|
||
# FTP server
|
||
regex:
|
||
- "ftp_(ssl_)?connect"
|
||
- type: regex
|
||
# Ingres DBMS
|
||
regex:
|
||
- "ingres_(p?)connect"
|
||
- type: regex
|
||
# LDAP server
|
||
regex:
|
||
- "ldap_connect"
|
||
- type: regex
|
||
# msession server
|
||
regex:
|
||
- "msession_connect"
|
||
- type: regex
|
||
# mSQL DBMS
|
||
regex:
|
||
- "msql_(p?)connect"
|
||
- type: regex
|
||
# MsSQL DBMS
|
||
regex:
|
||
- "mssql_(p?)connect"
|
||
- type: regex
|
||
# MySQL DBMS
|
||
regex:
|
||
- "mysql_(p?)connect"
|
||
- type: regex
|
||
# MySQLi Extension
|
||
regex:
|
||
- "mysqli((_real)?_connect)?|_query"
|
||
- type: regex
|
||
# Oracle OCI8 DBMS
|
||
regex:
|
||
- "oci|(_new?)|_connect|(n?|p?)logon"
|
||
- type: regex
|
||
# Oracle DBMS
|
||
regex:
|
||
- "ora_(p?)connect"
|
||
- type: regex
|
||
# Ovrimos SQL DBMS
|
||
regex:
|
||
- "ovrimos_connect"
|
||
- type: regex
|
||
# PostgreSQL DBMS
|
||
regex:
|
||
- "pg_(p?)connect"
|
||
- type: regex
|
||
# SQLite DBMS
|
||
regex:
|
||
- "sqlite_(p?)open"
|
||
- type: regex
|
||
# SQLite3 DBMS
|
||
regex:
|
||
- "SQLite3"
|
||
- type: regex
|
||
# Sybase DBMS
|
||
regex:
|
||
- "sybase_(p?)connect"
|
||
- type: regex
|
||
# TokyoTyrant DBMS
|
||
regex:
|
||
- "TokyoTyrant"
|
||
- type: regex
|
||
# XML document
|
||
regex:
|
||
- "x(ptr|path)_new_context"
|
||
- type: regex
|
||
# Investigate if GetTableFields is called safely
|
||
regex:
|
||
- "GetTableFields"
|
||
- type: regex
|
||
regex:
|
||
- "ini_get.*magic_quotes_gpc.*"
|