Echo bug fixed - refactored into small fcts

pull/3/head
Swissky 2017-05-21 20:39:28 +02:00
parent 017f1eb5b1
commit c78a7d950d
4 changed files with 51 additions and 39 deletions


@ -5,49 +5,62 @@ import re
from indicators import *
from functions import *
# Format the source code in order to improve the detection
def clean_source_and_format(content):
# Clean up - replace tab by space
content = content.replace(" "," ")
# Quickfix to detect both echo("something") and echo "something"
content = content.replace("echo ","echo(")
content = content.replace(";",");")
return content
# Check the line to detect an eventual protection
def check_protection(payload, match):
for protection in payload:
if protection in "".join(match):
return True
return False
# Check exception - When it's a function($SOMETHING) Match declaration $SOMETHING = ...
def check_exception(match):
exceptions = ["_GET","_REQUEST","_POST","_COOKIES","_FILES"]
is_exception = False
for exception in exceptions:
if exception in match:
return True
return False
# Analyse the source code of a single page
def analysis(path):
with open(path, 'r') as content_file:
content = content_file.read()
# Clean source for a better detection
content = content.replace("echo ","echo(")
content = content.replace("; ",";)")
content = clean_source_and_format(content)
# Detection of RCE/SQLI/LFI/RFI/RFU/XSS
for payload in payloads:
regex = re.compile(payload[0]+'\((.*?)(\$_GET\[.*\]|\$_FILES\[.*\]|\$_POST\[.*\]|\$_REQUEST\[.*\]|\$_COOKIES\[.*\]|\$_SESSION\[.*\]|\$(?!this|e-)[a-zA-Z0-9_]*)(.*)\)')
regex = re.compile(payload[0]+regex_indicators)
matches = regex.findall(content)
for match in matches:
# Detection of good protection
is_protected = False
for protection in payload[2]:
if protection in "".join(match):
is_protected = True
# Detect line of the vuln
if is_protected == False:
# When it's a function($SOMEHTING) Match declaration $SOMETHING = ...
exceptions = ["_GET","_REQUEST","_POST","_COOKIES","_FILES"]
is_exception = False
for exception in exceptions:
if exception in match[1]:
is_exception = True
for vuln in matches:
# Vulnerability detected
if check_protection(payload[2], vuln) == False:
declaration_text = ""
line_declaration = ""
if is_exception == False:
regex_declaration = re.compile("\$"+match[1][1:]+"([\t ]*)=(?!=)(.*)")
if check_exception(vuln[1]) == False:
regex_declaration = re.compile("\$"+vuln[1][1:]+"([\t ]*)=(?!=)(.*)")
declaration = regex_declaration.findall(content)
if len(declaration)>0:
declaration_text = "$"+match[1][1:] +declaration[0][0]+"="+declaration[0][1]
declaration_text = "$"+vuln[1][1:] +declaration[0][0]+"="+declaration[0][1]
line_declaration = find_line_declaration(declaration_text, content)
# Display all the informations
line_vuln = find_line_vuln(path,payload,match,content)
display(path,payload,match,line_vuln,declaration_text,line_declaration)
line_vuln = find_line_vuln(path, payload, vuln, content)
display(path, payload, vuln, line_vuln, declaration_text, line_declaration)
# Run thru every files and subdirectories
@ -56,6 +69,7 @@ def recursive(dir,progress):
try:
for name in os.listdir(dir):
print('\tAnalyzing : '+''*progress+'\r'),
# Targetting only PHP Files
if os.path.isfile(os.path.join(dir, name)):
if ".php" in os.path.join(dir, name):
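Review bot: `clean_source_and_format` turns every `;` in the file into `);` (the `content.replace(";",");")` line), not only the one closing a paren-less `echo`, so every other statement, `for(;;)` header and string literal with a semicolon gains a stray `)`, which the greedy `(.*)\)` tail of the indicator regex and the `(.*)` of the declaration regex then carry into what `display` prints. A targeted rewrite keeps the quickfix without that side effect and replaces both `replace` calls: `content = re.sub(r"echo\s+([^;]*);", r"echo(\1);", content)`. The `content.replace(" "," ")` line renders as a space-for-space no-op; presumably a tab was lost in rendering, and writing it as `"\t"` would make the source unambiguous. In `analysis`, `vuln[1][1:]` is concatenated unescaped into `re.compile("\$"+vuln[1][1:]+...)`, and because `_SESSION` is an indicator alternative but is absent from `check_exception`'s list, a `$_SESSION[...]` capture reaches that line with its brackets intact, so wrap it in `re.escape(...)` and make the pattern a raw string (`"\$"` is an invalid escape sequence that Python 3.6+ warns about). `check_protection(...) == False` and `check_exception(...) == False` read better as `if not check_protection(...)`, and the file containing `analysis` continues outside the hunk.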


@ -2,13 +2,11 @@
# -*- coding: utf-8 -*-
# Author : Swissky
# How to use : python analysis_source.py "../Www/Hacking/"
# How to use : python index.py --dir test
# Educational purpose only !
# TODO
# 1. https://www.ripstech.com/blog/2017/why-mail-is-dangerous-in-php/
# 2. Parcourir les fichiers en recursif avec les includes et afficher toutes les modifications de la variable - detecter les constantes
# BUG du echo()
# TODO Parcourir les fichiers en recursif avec les includes et afficher toutes les modifications de la variable - detecter les constantes
# BUG variable multiple
import sys
import argparse


@ -1,10 +1,11 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
payloads = [
# /!\ Detection Format (.*)function($vuln)(.*)
# /!\ Detection Format (.*)function($vuln)(.*) matched by payload[0]+regex_indicators
regex_indicators = '\((.*?)(\$_GET\[.*\]|\$_FILES\[.*\]|\$_POST\[.*\]|\$_REQUEST\[.*\]|\$_COOKIES\[.*\]|\$_SESSION\[.*\]|\$(?!this|e-)[a-zA-Z0-9_]*)(.*)\)'
# Function_Name:String, Vulnerability_Name:String, Protection_Function:Array
# Function_Name:String, Vulnerability_Name:String, Protection_Function:Array
payloads = [
["eval","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["popen","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["system","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
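Review bot: `regex_indicators` is a plain string containing `\(`, `\$` and `\[`, which are not valid Python escape sequences; Python 3.6+ emits a DeprecationWarning (a SyntaxWarning from 3.12) and the pattern only works because the backslashes happen to survive, so it should be a raw string, `regex_indicators = r'\((.*?)(\$_GET\[.*\]|...'`, with the rest unchanged. The `.*` inside each `\[.*\]` alternative is greedy, so on a line with two superglobal accesses the capture runs to the last `]` on the line and the reported variable name spans both; `\[[^\]]*\]` keeps each capture to its own bracket, which is presumably what the `function($vuln)` format in the comment intends. `_SESSION` is listed here as an input source but is missing from the `check_exception` list in the analysis module, so the two lists should be kept in agreement or derived from one constant.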


@ -9,21 +9,21 @@
<h1>Welcome to the Moon Club !</h1>
<h2>It's time to party on another planet !</h2>
<div id='moonShow'>
</div>
<p>Suscribe to our newsletter try to <strong>win a travel to the Moon</strong></p>
<form method="POST" action='index.php'>
<input type='text' name='mail' id='mail' placeholder='example@mail.com' />
<input type='submit' id='suscribe' value='Suscribe' />
</form>
</form>
<?php
if (isset($_POST['mail'])){
$mail = $_POST['mail'];
//$mail = str_replace("script", "", $mail);
//$mail = str_ireplace("script", "replace", $mail);
$mail = str_ireplace("img", "replace", $mail);
//$mail = str_ireplace("img", "replace", $mail);
//$mail = str_ireplace("prompt", "", $mail);
$mail = str_ireplace("alert", "", $mail);
//$mail = str_ireplace("alert", "", $mail);
//$mail = str_ireplace("data", "", $mail);
//$mail = str_ireplace("on", "", $mail);
echo "<p>The mail ".$mail." has been registered in our database.</p>";
@ -31,8 +31,7 @@
?>
</body>
<footer>
<a href='#'>Copyright® Swissky</a> -
<a href='#'>Copyright® Swissky</a> -
<a href='../../index.php'>Challenges</a>
</footer>
</html>
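Review bot: Which of the paired `str_ireplace` lines for `"img"` and `"alert"` is the live one decides what the scanner should report for this fixture, yet nothing in the file states the expected outcome, and this rendering does not make the old/new side of those lines certain. A one-line comment above `if (isset($_POST['mail'])){`, e.g. `// fixture: the echo of $mail below is expected to be flagged; filters left commented out on purpose`, adjusted to whichever filters are actually active, would keep the expectation next to the code it describes.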