BUGFIX - False positive for declaration $var = pgconnect

2017-06-05 21:15:38 +02:00 · 2017-06-05 21:15:38 +02:00 · 37887b7635
parent 1289809b15
commit 37887b7635
3 changed files with 9 additions and 7 deletions
--- a/detection.py
+++ b/detection.py
@ -24,6 +24,7 @@ def analysis(path):
      matches = regex.findall(content)

      for vuln_content in matches:
+
        # Security hole detected, is it protected ?
      	if check_protection(payload[2], vuln_content) == False:
            declaration_text, line_declaration = "",""
@ -34,15 +35,14 @@ def analysis(path):
            for vulnerable_var in regax.findall(sentence):
                false_positive = False

-                # BUG nt des var et mettre en couleur la bonne plutôt que la première
-                # BUG ex fct(occurence) et mettre en couleur la xieme occurence
                # No declaration for $_GET, $_POST ...
                if check_exception(vulnerable_var[1]) == False:
+
                    # Look for the declaration of $something = xxxxx
                    false_positive, declaration_text, line_declaration = check_declaration(content, vulnerable_var[1], path)
-
-                # Set false positive if protection is in the variable's declaration
-                false_positive = false_positive or check_protection(payload[2], declaration_text)==True
+                    
+                    # Set false positive if protection is in the variable's declaration
+                    false_positive = false_positive or check_protection(payload[2], declaration_text)==True

                # Display all the vuln
                line_vuln = find_line_vuln(path, payload, vuln_content, content)
--- a/index.py
+++ b/index.py
@ -9,6 +9,8 @@
 # TODO checker recursivement les vulns dans la déclaration d'une var
 # BUG color var['something']
 # BUG PGSQL : pg_pconnect / pg_connect detected
+# BUG nt des var et mettre en couleur la bonne plutôt que la première
+# BUG ex fct(occurence) et mettre en couleur la xieme occurence

 import sys
 import argparse
--- a/indicators.py
+++ b/indicators.py
@ -1,6 +1,6 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
- 
+
 # /!\ Detection Format (.*)function($vuln)(.*) matched by payload[0]+regex_indicators
 regex_indicators = '\((.*?)(\$_GET\[.*?\]|\$_FILES\[.*?\]|\$_POST\[.*?\]|\$_REQUEST\[.*?\]|\$_COOKIES\[.*?\]|\$_SESSION\[.*?\]|\$(?!this|e-)[a-zA-Z0-9_]*)(.*?)\)'

@ -37,7 +37,7 @@ payloads = [
  ["mysqli_real_query","SQL Injection",["mysql_real_escape_string"]],
  ["mysqli::query","SQL Injection",["mysql_real_escape_string"]],
  ["mysqli_query","SQL Injection",["mysql_real_escape_string"]],
-  ["pg_query","SQL Injection",["pg_escape_string"]],
+  ["pg_query","SQL Injection",["pg_escape_string","pg_pconnect"]],
  ["->query","SQL Injection",["->prepare"]],
  ["->exec","SQL Injection",["->prepare"]],
  ["->execute","SQL Injection",["->prepare"]],