FEATURE: XPATH,LDAP,Assert, PGSQLi detection added

2017-05-29 22:02:00 +02:00 · 2017-05-29 22:02:00 +02:00 · 4ad8f01911
parent 7aa1fd26b9
commit 4ad8f01911
8 changed files with 120 additions and 3 deletions
--- a/functions.py
+++ b/functions.py
@ -102,7 +102,7 @@ def check_declaration(content, vuln, path):
 		# Check constant then return True if constant because it's false positive
 		declaration_text = "$"+vuln[1:] +declaration[0][0]+"="+declaration[0][1]
 		line_declaration = find_line_declaration(declaration_text, content)
-		regex_constant = re.compile("\$"+vuln[1:]+"([\t ]*)=[\t ]*?([\"\'(]*?[a-zA-Z0-9{}_\(\)@\.: ]*?[\"\')]*?);")
+		regex_constant = re.compile("\$"+vuln[1:]+"([\t ]*)=[\t ]*?([\"\'(]*?[a-zA-Z0-9{}_\(\)@\.,!: ]*?[\"\')]*?);")
 		false_positive = regex_constant.match(declaration_text)

 		if false_positive:
--- a/index.py
+++ b/index.py
@ -8,6 +8,15 @@
 # TODO afficher toutes les modifications de la variable -
 # TODO checker recursivement les vulns dans la déclaration d'une var
 # BUG color var['something']
+# BUG XPATH injection var declaration $employees
+# BUG PGSQL : pg_pconnect / pg_connect detected 
+# TODO count of vuln (passer une var à analysis, recursive et l'incrementer
+"""
+invcount = 0
+def inv_sort (listIn):
+    global invcount
+    invcount += 1
+"""

 import sys
 import argparse
--- a/indicators.py
+++ b/indicators.py
@ -12,14 +12,21 @@ payloads = [
  ["passthru","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
  ["exec","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
  ["shell_exec","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
+  ["assert","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
+
+  ["preg_replace","Remote Command Execution",["preg_quote"]],
+  ["ereg_replace","Remote Command Execution",["preg_quote"]],
+  ["eregi_replace","Remote Command Execution",["preg_quote"]],
+  ["mb_ereg_replace","Remote Command Execution",["preg_quote"]],
+  ["mb_eregi_replace","Remote Command Execution",["preg_quote"]],

  ["include","File Inclusion",[]],
  ["require","File Inclusion",[]],
  ["include_once","File Inclusion",[]],
  ["require_once","File Inclusion",[]],
-  ["readfile","File Inclusion",[]],
-  ["file_get_contents","File Inclusion",[]],

+  ["readfile","File Inclusion / Path Traversal",[]],
+  ["file_get_contents","File Inclusion / Path Traversal",[]],
  ["show_source","File Inclusion / Path Traversal",[]],
  ["highlight_file","File Inclusion / Path Traversal",[]],

@ -30,6 +37,7 @@ payloads = [
  ["mysqli_real_query","SQL Injection",["mysql_real_escape_string"]],
  ["mysqli::query","SQL Injection",["mysql_real_escape_string"]],
  ["mysqli_query","SQL Injection",["mysql_real_escape_string"]],
+  ["pg_query","SQL Injection",["pg_escape_string"]],
  ["->query","SQL Injection",["->prepare"]],
  ["->exec","SQL Injection",["->prepare"]],
  ["->execute","SQL Injection",["->prepare"]],
@ -38,6 +46,10 @@ payloads = [

  ["echo","Cross Site Scripting",["htmlentities","htmlspecialchars"]],
  ["print","Cross Site Scripting",["htmlentities","htmlspecialchars"]],
+  ["printf","Cross Site Scripting",["htmlentities","htmlspecialchars"]],
+
+  ["xpath","XPATH Injection",[]],
+  ["ldap_search","LDAP Injection",["Zend_Ldap","ldap_escape"]],

  ["mail", "Insecure E-mail",[]],

--- a/test/assert.php
+++ b/test/assert.php
@ -0,0 +1,13 @@
+<?php
+
+if (isset($_GET['page'])) {
+$page = $_GET['page'];
+} else {
+$page = "home";
+}
+// I heard '..' is dangerous!
+assert("strpos('templates/'" . $page . "'.php', '..') === false") or die("Detected hacking attempt!");
+
+// TODO: Make this look nice
+assert("file_exists('templates/'". $page . "'.php')") or die("That file doesn't exist!");
+?>
--- a/test/ldap.php
+++ b/test/ldap.php
@ -0,0 +1,27 @@
+<?php
+$ds=ldap_connect("localhost");
+ if ($ds)
+ {
+    $ok=ldap_bind($ds);
+ // anonymously bind for read-only access
+    $surname=$_GET['surname'];
+    $filter = "(sn=" . $surname . ")";
+    $sr=ldap_search($ds, "o=My Company, c=".$_GET['language'], $filter);
+    $info = ldap_get_entries($ds, $sr);
+    echo "<p>There are " . $info["count"] . " entries for that search:<p>";
+
+    for ($i=0; $i<$info["count"]; $i++)
+{
+        echo "common name: " . $info[$i]["cn"][0] . "<br />";
+        echo "telephone: " . $info[$i]["telephoneNumber"][0] . "<br />";
+        echo "email: " . $info[$i]["mail"][0] . "<br /><hr />";
+}
+
+    ldap_close($ds);
+
+}
+ else
+{
+    echo "<h4>connection error</h4>";
+}
+?>
--- a/test/pgsqli.php
+++ b/test/pgsqli.php
@ -0,0 +1,20 @@
+<?php
+
+$conn = pg_pconnect("dbname=publisher");
+if (!$conn) {
+  echo "An error occurred.\n";
+  exit;
+}
+
+$result = pg_query($conn, "SELECT author, email FROM authors WHERE id=".$_GET['vuln']);
+if (!$result) {
+  echo "An error occurred.\n";
+  exit;
+}
+
+while ($row = pg_fetch_row($result)) {
+  echo "Author: $row[0]  E-mail: $row[1]";
+  echo "<br />\n";
+}
+
+?>
--- a/test/preg_replace.php
+++ b/test/preg_replace.php
@ -0,0 +1,4 @@
+<?php
+$in = 'Somewhere, something incredible is waiting to be known';
+echo preg_replace($_GET['replace'], $_GET['with'], $in);
+?>
--- a/test/xpath.php
+++ b/test/xpath.php
@ -0,0 +1,32 @@
+<?php
+    $xml = simplexml_load_file('employees.xml');
+
+    echo "<strong>Matching employees with name 'Laura Pollard'</strong><br />";
+    $employees = $xml->xpath('/employees/employee[name="'.$_GET['name'].'"]');
+
+    foreach($employees as $employee) {
+        echo "Found {$employee->name}<br />";
+    }
+
+    echo "<br />";
+
+    echo "<strong>Matching employees younger than 54</strong><br />";
+    $employees = $xml->xpath('/employees/employee[age<54]');
+
+    foreach($employees as $employee) {
+        echo "Found {$employee->name}<br />";
+    }
+
+    echo "<br />";
+
+    echo "<strong>Matching employees as old or older than 48</strong><br />";
+		$age = $_POST['age'];
+    $employees = $xml->xpath('//employee[age>='.$age.']');
+
+    foreach($employees as $employee) {
+        echo "Found {$employee->name}<br />";
+    }
+
+    echo "<br />";
+
+?>