Check declaration - following include
Swissky
parent
1a128bd1ac
commit
df9851983d
|
|
@ -9,6 +9,7 @@ from functions import *
|
|||
# Analyse the source code of a single page
|
||||
def analysis(path):
|
||||
with open(path, 'r') as content_file:
|
||||
false_positive = False
|
||||
|
||||
# Clean source for a better detection
|
||||
content = content_file.read()
|
||||
|
|
@ -26,12 +27,14 @@ def analysis(path):
|
|||
|
||||
# No declaration for $_GET, $_POST ...
|
||||
if check_exception(vuln[1]) == False:
|
||||
|
||||
# Look for the declaration of $something = xxxxx
|
||||
declaration_text, line_declaration = check_declaration(content, vuln[1])
|
||||
false_positive, declaration_text, line_declaration = check_declaration(content, vuln[1], path)
|
||||
|
||||
# Display all the informations
|
||||
line_vuln = find_line_vuln(path, payload, vuln, content)
|
||||
display(path, payload, vuln, line_vuln, declaration_text, line_declaration)
|
||||
if not false_positive:
|
||||
display(path, payload, vuln, line_vuln, declaration_text, line_declaration)
|
||||
|
||||
|
||||
# Run thru every files and subdirectories
|
||||
|
|
|
|||
31
functions.py
31
functions.py
|
|
@ -81,14 +81,29 @@ def check_exception(match):
|
|||
return False
|
||||
|
||||
# Check declaration
|
||||
# TODO: should follow any include and add its content
|
||||
# TODO: should handle constant variable
|
||||
def check_declaration(content, vuln):
|
||||
# Parse include and content = include_content + content
|
||||
def check_declaration(content, vuln, path):
|
||||
# Follow and parse include, then add it's content
|
||||
regex_declaration = re.compile("(include.*?|require.*?)\([\"\'](.*?)[\"\']\)")
|
||||
includes = regex_declaration.findall(content)
|
||||
# Path is the path of the current scanned file, we can use it to compute the relative include
|
||||
for include in includes:
|
||||
relative_include = os.path.dirname(path)+"/"
|
||||
path_include = relative_include + include[1]
|
||||
with open(path_include, 'r') as f:
|
||||
content = f.read() + content
|
||||
|
||||
# Extract declaration
|
||||
regex_declaration = re.compile("\$"+vuln[1:]+"([\t ]*)=(?!=)(.*)")
|
||||
declaration = regex_declaration.findall(content)
|
||||
if len(declaration)>0:
|
||||
declaration_text = "$"+vuln[1:] +declaration[0][0]+"="+declaration[0][1]
|
||||
line_declaration = find_line_declaration(declaration_text, content)
|
||||
return (declaration_text,line_declaration)
|
||||
return ("","")
|
||||
|
||||
# TODO: Check constant then return True if constant because it's false positive
|
||||
declaration_text = "$"+vuln[1:] +declaration[0][0]+"="+declaration[0][1]
|
||||
line_declaration = find_line_declaration(declaration_text, content)
|
||||
#regex_constant = re.compile("\$"+vuln[1:]+"([\t ]*)=[\t ]*([\"\'][a-zA-Z0-9]*?[\"\']);")
|
||||
#false_positive = regex_constant.match(declaration_text)
|
||||
#if false_positive:
|
||||
# return (True, "","")
|
||||
return (False, declaration_text,line_declaration)
|
||||
|
||||
return (False, "","")
|
||||
|
|
|
|||
25
index.py
25
index.py
|
|
@ -5,12 +5,13 @@
|
|||
# How to use : python index.py --dir test
|
||||
# Educational purpose only !
|
||||
|
||||
# TODO remonter les includes (parse include/require xxx , chercher son contenu et l'ajouter au debut du content actuel)
|
||||
# TODO afficher toutes les modifications de la variable -
|
||||
# TODO enlever les faux positifs : constantes
|
||||
# BUG variable multiple (check en recursif dans vuln)
|
||||
# BUG color var['something']
|
||||
# BUG detection include
|
||||
# BUG SQLi 2 ligne 17 not found
|
||||
# TODO print help if no dir in arg
|
||||
|
||||
import sys
|
||||
import argparse
|
||||
|
|
@ -23,20 +24,20 @@ if __name__ == "__main__":
|
|||
results = parser.parse_args()
|
||||
|
||||
if results.dir != None:
|
||||
print " ██▒ █▓ █ ██ ██▓ ███▄ █▓██ ██▓"
|
||||
print "▓██░ █▒ ██ ▓██▒▓██▒ ██ ▀█ █ ▒██ ██▒"
|
||||
print " ▓██ █▒░▓██ ▒██░▒██░ ▓██ ▀█ ██▒ ▒██ ██░"
|
||||
print " ▒██ █░░▓▓█ ░██░▒██░ ▓██▒ ▐▌██▒ ░ ▐██▓░"
|
||||
print " ▒▀█░ ▒▒█████▓ ░██████▒▒██░ ▓██░ ░ ██▒▓░"
|
||||
print " ░ ▐░ ░▒▓▒ ▒ ▒ ░ ▒░▓ ░░ ▒░ ▒ ▒ ██▒▒▒ "
|
||||
print " ░ ░░ ░░▒░ ░ ░ ░ ░ ▒ ░░ ░░ ░ ▒░▓██ ░▒░ "
|
||||
print " ░░ ░░░ ░ ░ ░ ░ ░ ░ ░ ▒ ▒ ░░ "
|
||||
print " ░ ░ ░ ░ ░ ░ ░ "
|
||||
print " ░ ░ ░ "
|
||||
print " ░ Copyright @pentest_swissky "
|
||||
print " (`-') <-. (`-')_ _(`-') (`-') _"
|
||||
print " _(OO ) .-> <-. \( OO) ) .-> _ .-> ( (OO ).-> ( OO).-/"
|
||||
print ",--.(_/,-.\,--.(,--. ,--. ) ,--./ ,--/ ,--.' ,-.\-,-----.(`-')----. \ .'_ (,------."
|
||||
print "\ \ / (_/| | |(`-') | (`-')| \ | | (`-')'.' / | .--./( OO).-. ''`'-..__) | .---'"
|
||||
print " \ / / | | |(OO ) | |OO )| . '| |)(OO \ / /_) (`-')( _) | | || | ' |(| '--."
|
||||
print "_ \ /_)| | | | \(| '__ || |\ | | / /) || |OO ) \| |)| || | / : | .--'"
|
||||
print "\-'\ / \ '-'(_ .' | |'| | \ | `-/ /` (_' '--'\ ' '-' '| '-' / | `---."
|
||||
print " `-' `-----' `-----' `--' `--' `--' `-----' `-----' `------' `------'"
|
||||
print " Copyright @pentest_swissky "
|
||||
print "\n\033[1mAnalyzing '"+results.dir+"' source code\033[0m"
|
||||
|
||||
if os.path.isfile(results.dir):
|
||||
analysis(results.dir)
|
||||
else:
|
||||
recursive(results.dir,0)
|
||||
|
||||
# else print help
|
||||
|
|
|
|||
|
|
@ -0,0 +1,9 @@
|
|||
<?php
|
||||
// Fake configuration (include follow ?)
|
||||
$DB_HOST = "localhost";
|
||||
$DB_NAME = "securitychalls";
|
||||
$DB_USER = "admin";
|
||||
$DB_PASS = "password";
|
||||
$DB_CHALL_ONE = "graduatecms";
|
||||
$DB_CHALL_TWO = "androidcompare";
|
||||
?>
|
||||
|
|
@ -11,7 +11,7 @@
|
|||
<article>
|
||||
<?php
|
||||
//Connexion à la BDD
|
||||
include('../../inc/configuration.php');
|
||||
include('configuration.php');
|
||||
mysql_connect($DB_HOST,$DB_USER,$DB_PASS);
|
||||
mysql_select_db($DB_NAME);
|
||||
mysql_query("SET NAMES 'utf8'");
|
||||
|
|
|
|||
|
|
@ -9,12 +9,12 @@
|
|||
<article>
|
||||
<?php
|
||||
//CONFIGURATION
|
||||
include('../../inc/configuration.php');
|
||||
include('configuration.php');
|
||||
mysql_connect($DB_HOST,$DB_USER,$DB_PASS);
|
||||
mysql_select_db($DB_NAME);
|
||||
|
||||
|
||||
if(isset($_POST['username']) and isset($_POST['password'])){
|
||||
$sql = mysql_query("SELECT * FROM ".$DB_CHALL_ONE." WHERE username='".$_POST['username']."' AND password = '".$_POST['password']."'") or die(mysql_error());
|
||||
$sql = mysql_query("SELECT * FROM users WHERE username='".$_POST['username']."' AND password = '".$_POST['password']."'") or die(mysql_error());
|
||||
if(mysql_num_rows($sql) > 0){
|
||||
$data = mysql_fetch_assoc($sql);
|
||||
echo "Welcome ".$data['username']."<br>";
|
||||
|
|
@ -23,13 +23,13 @@
|
|||
}
|
||||
else{
|
||||
echo "<p>Congratulation, you're graduated !<br></p>";
|
||||
}
|
||||
echo "<a href='index.php' id='connection'>Log Out</a>";
|
||||
}
|
||||
}
|
||||
echo "<a href='index.php' id='connection'>Log Out</a>";
|
||||
}
|
||||
else{
|
||||
echo "Error<br>";
|
||||
echo "Unknown username or password<br><br>";
|
||||
echo "<a href='index.php' id='connection'>Retry</a>";
|
||||
echo "<a href='index.php' id='connection'>Retry</a>";
|
||||
}
|
||||
}
|
||||
else{
|
||||
|
|
@ -39,13 +39,13 @@
|
|||
<input type=password name='password' id='password' placeholder='Password'><br>
|
||||
<input type=submit id='connection' value='Log In'>
|
||||
</form>
|
||||
<?php
|
||||
<?php
|
||||
}
|
||||
?>
|
||||
?>
|
||||
</article>
|
||||
</body>
|
||||
<footer>
|
||||
<a href='#'>Copyright® Swissky</a> -
|
||||
<a href='#'>Copyright® Swissky</a> -
|
||||
<a href='../../index.php'>Challenges</a>
|
||||
</footer>
|
||||
</html>
|
||||
</html>
|
||||
|
|
|
|||
Loading…
Reference in New Issue