BUGFIX - Only the nth occurence var is colored if dup vuln

pull/3/head
Swissky 2017-06-05 22:56:23 +02:00
parent 37887b7635
commit bd2d77b6c9
4 changed files with 35 additions and 11 deletions

View File

@ -24,6 +24,7 @@ def analysis(path):
matches = regex.findall(content)
for vuln_content in matches:
occurence = 0
# Security hole detected, is it protected ?
if check_protection(payload[2], vuln_content) == False:
@ -34,6 +35,7 @@ def analysis(path):
regax = re.compile(regex_indicators[2:-2])
for vulnerable_var in regax.findall(sentence):
false_positive = False
occurence += 1
# No declaration for $_GET, $_POST ...
if check_exception(vulnerable_var[1]) == False:
@ -49,7 +51,7 @@ def analysis(path):
if not false_positive:
global result_count
result_count = result_count + 1
display(path, payload, vuln_content, line_vuln, declaration_text, line_declaration, vulnerable_var[1])
display(path, payload, vuln_content, line_vuln, declaration_text, line_declaration, vulnerable_var[1], occurence)
# Run thru every files and subdirectories

View File

@ -4,8 +4,35 @@ import os
import re
from indicators import *
# Replace the nth occurence of a string
# From https://stackoverflow.com/questions/35091557/replace-nth-occurrence-of-substring-in-string
def nth_replace(string, old, new, n=1, option='only nth'):
"""
This function replaces occurrences of string 'old' with string 'new'.
There are three types of replacement of string 'old':
1) 'only nth' replaces only nth occurrence (default).
2) 'all left' replaces nth occurrence and all occurrences to the left.
3) 'all right' replaces nth occurrence and all occurrences to the right.
"""
if option == 'only nth':
left_join = old
right_join = old
elif option == 'all left':
left_join = new
right_join = old
elif option == 'all right':
left_join = old
right_join = new
else:
print("Invalid option. Please choose from: 'only nth' (default), 'all left' or 'all right'")
return None
groups = string.split(old)
nth_split = [left_join.join(groups[:n]), right_join.join(groups[n:])]
return new.join(nth_split)
# Display the found vulnerability with basic informations like the line
def display(path,payload,vulnerability,line,declaration_text,declaration_line, colored):
def display(path,payload,vulnerability,line,declaration_text,declaration_line, colored, occurence):
# Potential vulnerability found : SQL Injection
header = "\033[1mPotential vulnerability found : \033[92m{}\033[0m".format(payload[1])
@ -14,7 +41,7 @@ def display(path,payload,vulnerability,line,declaration_text,declaration_line, c
line = "\033[92m{}\033[0m in {}".format(line,path)
# Code : include($_GET['patisserie'])
vuln = ("".join(vulnerability)).replace(colored, "\033[93m"+colored+"\033[0m")
vuln = nth_replace("".join(vulnerability), colored, "\033[93m"+colored+"\033[0m", occurence)
vuln = "{}({})".format(payload[0], vuln)
# Final Display

View File

@ -5,12 +5,7 @@
# How to use : python index.py --dir test
# Educational purpose only !
# TODO afficher toutes les modifications de la variable -
# TODO checker recursivement les vulns dans la déclaration d'une var
# BUG color var['something']
# BUG PGSQL : pg_pconnect / pg_connect detected
# BUG nt des var et mettre en couleur la bonne plutôt que la première
# BUG ex fct(occurence) et mettre en couleur la xieme occurence
# TODO afficher toutes les modifications de la variable
import sys
import argparse

View File

@ -37,7 +37,7 @@ payloads = [
["mysqli_real_query","SQL Injection",["mysql_real_escape_string"]],
["mysqli::query","SQL Injection",["mysql_real_escape_string"]],
["mysqli_query","SQL Injection",["mysql_real_escape_string"]],
["pg_query","SQL Injection",["pg_escape_string","pg_pconnect"]],
["pg_query","SQL Injection",["pg_escape_string","pg_pconnect","pg_connect"]],
["->query","SQL Injection",["->prepare"]],
["->exec","SQL Injection",["->prepare"]],
["->execute","SQL Injection",["->prepare"]],