Bugfix - Constant var not vuln +$_XXX vuln display
Swissky
parent
df9851983d
commit
7797481bf7
|
|
@ -19,19 +19,17 @@ def analysis(path):
|
|||
for payload in payloads:
|
||||
regex = re.compile(payload[0]+regex_indicators)
|
||||
matches = regex.findall(content)
|
||||
for vuln in matches:
|
||||
|
||||
for vuln in matches:
|
||||
# Security hole detected, is it protected ?
|
||||
if check_protection(payload[2], vuln) == False:
|
||||
declaration_text, line_declaration = "",""
|
||||
|
||||
# No declaration for $_GET, $_POST ...
|
||||
if check_exception(vuln[1]) == False:
|
||||
|
||||
# Look for the declaration of $something = xxxxx
|
||||
false_positive, declaration_text, line_declaration = check_declaration(content, vuln[1], path)
|
||||
|
||||
# Display all the informations
|
||||
# Display all the vuln
|
||||
line_vuln = find_line_vuln(path, payload, vuln, content)
|
||||
if not false_positive:
|
||||
display(path, payload, vuln, line_vuln, declaration_text, line_declaration)
|
||||
|
|
|
|||
28
functions.py
28
functions.py
|
|
@ -17,14 +17,6 @@ def display(path,payload,vulnerability,line,declaration_text,declaration_line):
|
|||
vuln = vulnerability[0]+"\033[93m"+vulnerability[1]+"\033[0m"+vulnerability[2]
|
||||
vuln = "{}({})".format(payload[0], vuln)
|
||||
|
||||
# Declared at line 1 : $dest = $_GET['who'];
|
||||
declared = ""
|
||||
if not "$_" in vulnerability[1]:
|
||||
if declaration_text != "":
|
||||
declared = "Line n°\033[0;92m"+declaration_line+"\033[0m : "+ declaration_text
|
||||
else:
|
||||
declared = "Undeclared \033[0m"+ declaration_text+" in the file"
|
||||
|
||||
# Final Display
|
||||
rows, columns = os.popen('stty size', 'r').read().split()
|
||||
print "-" * (int(columns)-1)
|
||||
|
|
@ -32,8 +24,18 @@ def display(path,payload,vulnerability,line,declaration_text,declaration_line):
|
|||
print "-" * (int(columns)-1)
|
||||
print "\033[1mLine \033[0m " + "\t"+line
|
||||
print "\033[1mCode \033[0m " + "\t"+vuln
|
||||
print "\033[1mDeclaration \033[0m " + "\t"+declared+"\n"
|
||||
|
||||
# Declared at line 1 : $dest = $_GET['who'];
|
||||
declared = ""
|
||||
if not "$_" in vulnerability[1]:
|
||||
if declaration_text != "":
|
||||
declared = "Line n°\033[0;92m"+declaration_line+"\033[0m : "+ declaration_text
|
||||
else:
|
||||
declared = "Undeclared \033[0m"+ declaration_text+" in the file"
|
||||
print "\033[1mDeclaration \033[0m " + "\t"+declared
|
||||
|
||||
# Small delimiter
|
||||
print ""
|
||||
|
||||
# Find the line where the vulnerability is located
|
||||
def find_line_vuln(path,payload,vulnerability,content):
|
||||
|
|
@ -100,10 +102,10 @@ def check_declaration(content, vuln, path):
|
|||
# TODO: Check constant then return True if constant because it's false positive
|
||||
declaration_text = "$"+vuln[1:] +declaration[0][0]+"="+declaration[0][1]
|
||||
line_declaration = find_line_declaration(declaration_text, content)
|
||||
#regex_constant = re.compile("\$"+vuln[1:]+"([\t ]*)=[\t ]*([\"\'][a-zA-Z0-9]*?[\"\']);")
|
||||
#false_positive = regex_constant.match(declaration_text)
|
||||
#if false_positive:
|
||||
# return (True, "","")
|
||||
regex_constant = re.compile("\$"+vuln[1:]+"([\t ]*)=[\t ]*([\"\'][a-zA-Z0-9]*?[\"\']);")
|
||||
false_positive = regex_constant.match(declaration_text)
|
||||
if false_positive:
|
||||
return (True, "","")
|
||||
return (False, declaration_text,line_declaration)
|
||||
|
||||
return (False, "","")
|
||||
|
|
|
|||
1
index.py
1
index.py
|
|
@ -6,7 +6,6 @@
|
|||
# Educational purpose only !
|
||||
|
||||
# TODO afficher toutes les modifications de la variable -
|
||||
# TODO enlever les faux positifs : constantes
|
||||
# BUG variable multiple (check en recursif dans vuln)
|
||||
# BUG color var['something']
|
||||
# BUG detection include
|
||||
|
|
|
|||
|
|
@ -1,55 +1,12 @@
|
|||
<?php error_reporting(0);
|
||||
/*$mail = $_POST['mail'];
|
||||
include($_POST['mail']);
|
||||
include($mail);*/
|
||||
?>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<link rel='stylesheet' type='text/css' href='index.css' />
|
||||
<title>Security Challs : Sublime Patisserie</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1><a href='./index.php'>Sublime Patisserie</a></h1>
|
||||
<article>
|
||||
<div id='container'>
|
||||
<a href='?patisserie=patisserie1.php'><img src='./img/eclairs.jpg' id='carre' alt='patisserie'></a>
|
||||
<a href='?patisserie=patisserie2.php'><img src='./img/millefeuille.jpg' id='carre' alt='patisserie'></a>
|
||||
<a href='?patisserie=patisserie3.php'><img src='./img/paris_brest.jpg' id='carre' alt='patisserie'></a>
|
||||
<a href='?patisserie=patisserie4.php'><img src='./img/saint_honore.jpg' id='carre' alt='patisserie'></a>
|
||||
<?php
|
||||
if(isset($_GET['patisserie'])){
|
||||
echo "<div id='texte'>";
|
||||
if(strstr($_GET['patisserie'], 'patisserie') || strstr($_GET['patisserie'], 'index') || strstr($_GET['patisserie'], 'flag') ){
|
||||
include($_GET['patisserie']);
|
||||
}
|
||||
else{
|
||||
echo "<h2>Hacker Spotted !</h2>";
|
||||
}
|
||||
echo "</div>";
|
||||
}
|
||||
else{
|
||||
|
||||
$mail = $_POST['mail'];
|
||||
include($_POST['mail']);
|
||||
include($mail);
|
||||
?>
|
||||
<div id='contact'>
|
||||
Bienvenue à <br>
|
||||
Sublime Patisserie !<br>
|
||||
<span id='little'>
|
||||
sublimepatisserie@yopmail.com<br>
|
||||
01 23 45 67 89<br>
|
||||
</span>
|
||||
</div>
|
||||
<?php
|
||||
}
|
||||
?>
|
||||
<a href='?patisserie=patisserie5.php'><img src='./img/tarte_citron.jpg' id='carre' alt='patisserie'></a>
|
||||
<a href='?patisserie=patisserie6.php'><img src='./img/tarte_fraises.jpg' id='carre' alt='patisserie'></a>
|
||||
<a href='?patisserie=patisserie7.php'><img src='./img/tarte_orange.jpg' id='carre' alt='patisserie'></a>
|
||||
<a href='?patisserie=patisserie8.php'><img src='./img/viennoiseries.jpg' id='carre' alt='patisserie'></a>
|
||||
</div>
|
||||
</article>
|
||||
</body>
|
||||
<footer>
|
||||
<a href='#'>Copyright® Swissky</a> -
|
||||
<a href='../../index.php'>Challenges</a>
|
||||
</footer>
|
||||
</html>
|
||||
|
|
|
|||
|
|
@ -16,7 +16,6 @@
|
|||
mysql_select_db($DB_NAME);
|
||||
mysql_query("SET NAMES 'utf8'");
|
||||
|
||||
|
||||
if(isset($_GET['id'])){
|
||||
//Affichage du smartphone
|
||||
$news = mysql_query("SELECT id,name,image,specifications FROM ".$DB_CHALL_TWO." WHERE id=".$_GET['id']) or die(mysql_error());
|
||||
|
|
|
|||
|
|
@ -1,33 +1,15 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<link rel='stylesheet' type='text/css' href='index.css' />
|
||||
<title>Security Challs : Univers Upload</title>
|
||||
</head>
|
||||
<body>
|
||||
<header>
|
||||
<h1><a href='index.php'>Univers Upload</a></h1>
|
||||
</header>
|
||||
|
||||
<?php
|
||||
if(isset($_FILES['nom'])){
|
||||
$name = htmlentities($_FILES['nom']['name']);
|
||||
|
||||
if(stristr($name, ".jpg")==true || stristr($name, ".png")==true){
|
||||
echo "<h3>The file ".$name." has been uploaded</h3>";
|
||||
echo "<a href='./index.php' id='button'>UPLOAD AGAIN</a><br>";
|
||||
if(stristr($name, ".php")==true){
|
||||
echo "<h3>Well done, you just bypass the filter.</h3>";
|
||||
echo "<h3>The Challenge is over :) </h3>";
|
||||
}
|
||||
}
|
||||
else{
|
||||
echo "<h3>Only JPG/PNG Files are allowed !</h3>";
|
||||
echo "<a href='./index.php' id='button'>RETRY</a>";
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
else{
|
||||
?>
|
||||
<form method="post" action="index.php" enctype="multipart/form-data">
|
||||
|
|
@ -35,13 +17,8 @@
|
|||
<input type="file" name="nom" id='upload' onchange='this.form.submit()' />
|
||||
</div>
|
||||
</form>
|
||||
<p>Clic to upload</p>
|
||||
<p>Click to upload</p>
|
||||
<?php
|
||||
}
|
||||
?>
|
||||
</body>
|
||||
<footer>
|
||||
<a href='#'>Copyright® Swissky</a> -
|
||||
<a href='../../index.php'>Challenges</a>
|
||||
</footer>
|
||||
</html>
|
||||
|
|
|
|||
32
test/xss.php
32
test/xss.php
|
|
@ -1,37 +1,11 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta charset="UTF-8" />
|
||||
<link rel='stylesheet' type='text/css' href='index.css' />
|
||||
<title>Security Challs : Go to the Moon</title>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<h1>Welcome to the Moon Club !</h1>
|
||||
<h2>It's time to party on another planet !</h2>
|
||||
<div id='moonShow'>
|
||||
|
||||
</div>
|
||||
<p>Suscribe to our newsletter try to <strong>win a travel to the Moon</strong></p>
|
||||
<form method="POST" action='index.php'>
|
||||
<input type='text' name='mail' id='mail' placeholder='example@mail.com' />
|
||||
<input type='submit' id='suscribe' value='Suscribe' />
|
||||
</form>
|
||||
<?php
|
||||
if (isset($_POST['mail'])){
|
||||
$mail = $_POST['mail'];
|
||||
//$mail = str_replace("script", "", $mail);
|
||||
//$mail = str_ireplace("script", "replace", $mail);
|
||||
//$mail = str_ireplace("img", "replace", $mail);
|
||||
//$mail = str_ireplace("prompt", "", $mail);
|
||||
//$mail = str_ireplace("alert", "", $mail);
|
||||
//$mail = str_ireplace("data", "", $mail);
|
||||
//$mail = str_ireplace("on", "", $mail);
|
||||
echo "<p>The mail ".$mail." has been registered in our database.</p>";
|
||||
}
|
||||
else{
|
||||
echo "<p>The mail ".$_GET['mail']." has been registered in our database.</p>";
|
||||
}
|
||||
?>
|
||||
</body>
|
||||
<footer>
|
||||
<a href='#'>Copyright® Swissky</a> -
|
||||
<a href='../../index.php'>Challenges</a>
|
||||
</footer>
|
||||
</html>
|
||||
|
|
|
|||
Loading…
Reference in New Issue