Check declaration - following include

pull/3/head
Swissky 2017-05-24 00:23:05 +02:00
parent 1a128bd1ac
commit df9851983d
6 changed files with 62 additions and 34 deletions


@ -9,6 +9,7 @@ from functions import *
# Analyse the source code of a single page
def analysis(path):
with open(path, 'r') as content_file:
false_positive = False
# Clean source for a better detection
content = content_file.read()
@ -26,12 +27,14 @@ def analysis(path):
# No declaration for $_GET, $_POST ...
if check_exception(vuln[1]) == False:
# Look for the declaration of $something = xxxxx
declaration_text, line_declaration = check_declaration(content, vuln[1])
false_positive, declaration_text, line_declaration = check_declaration(content, vuln[1], path)
# Display all the informations
line_vuln = find_line_vuln(path, payload, vuln, content)
display(path, payload, vuln, line_vuln, declaration_text, line_declaration)
if not false_positive:
display(path, payload, vuln, line_vuln, declaration_text, line_declaration)
# Run thru every files and subdirectories
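Review bot: `false_positive` is initialised once per file (the `false_positive = False` at the top of the `with` block in the first hunk) but reassigned only inside the `if check_exception(vuln[1]) == False:` branch of the second hunk, so a variable already classified as a constant-backed false positive leaves the flag set and the new `if not false_positive:` guard then suppresses the report for a later finding whose source is a direct superglobal that never reaches `check_declaration`. Indentation is lost in this rendering, so this assumes the guard sits inside the per-vuln loop alongside the `if`; if so, resetting the three values right before the `if`, `false_positive, declaration_text, line_declaration = False, "", ""`, also covers the pre-existing case where `declaration_text` is unbound when the very first source is a superglobal. `analysis` continues outside the hunk.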


@ -81,14 +81,29 @@ def check_exception(match):
return False
# Check declaration
# TODO: should follow any include and add its content
# TODO: should handle constant variable
def check_declaration(content, vuln):
# Parse include and content = include_content + content
def check_declaration(content, vuln, path):
# Follow and parse include, then add it's content
regex_declaration = re.compile("(include.*?|require.*?)\([\"\'](.*?)[\"\']\)")
includes = regex_declaration.findall(content)
# Path is the path of the current scanned file, we can use it to compute the relative include
for include in includes:
relative_include = os.path.dirname(path)+"/"
path_include = relative_include + include[1]
with open(path_include, 'r') as f:
content = f.read() + content
# Extract declaration
regex_declaration = re.compile("\$"+vuln[1:]+"([\t ]*)=(?!=)(.*)")
declaration = regex_declaration.findall(content)
if len(declaration)>0:
declaration_text = "$"+vuln[1:] +declaration[0][0]+"="+declaration[0][1]
line_declaration = find_line_declaration(declaration_text, content)
return (declaration_text,line_declaration)
return ("","")
# TODO: Check constant then return True if constant because it's false positive
declaration_text = "$"+vuln[1:] +declaration[0][0]+"="+declaration[0][1]
line_declaration = find_line_declaration(declaration_text, content)
#regex_constant = re.compile("\$"+vuln[1:]+"([\t ]*)=[\t ]*([\"\'][a-zA-Z0-9]*?[\"\']);")
#false_positive = regex_constant.match(declaration_text)
#if false_positive:
# return (True, "","")
return (False, declaration_text,line_declaration)
return (False, "","")
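Review bot: The include loop in `check_declaration` opens `path_include` without checking that the file exists or that it stays under the scanned tree, so a single `include('missing.php')` in the PHP being analysed raises IOError and aborts the whole run, and an `include('../../x')` makes the scanner read a file outside the directory it was asked to analyse; the scanned source should be treated as untrusted input to this tool. Two smaller points: `os` is used here and must be imported in this module (not visible in the hunk), and because included text is prepended to `content`, the `line_declaration` produced by `find_line_declaration` presumably counts lines of the combined text, so reported declaration lines drift by the length of the included file — worth a `# NOTE: line numbers are relative to the combined (include + file) content` comment or an offset correction. The sketch below bounds includes to the scanned file's directory and skips unreadable ones; if the scan root from `--dir` can be passed down, bounding to that instead would be the better limit.
```python
def check_declaration(content, vuln, path):
    # … unchanged: include regex and findall …
    # Resolve includes relative to the scanned file and refuse anything that
    # escapes its directory: the scanned source is untrusted input to the tool
    base_dir = os.path.realpath(os.path.dirname(path))
    for include in includes:
        path_include = os.path.realpath(os.path.join(base_dir, include[1]))
        if not path_include.startswith(base_dir + os.sep):
            continue
        try:
            with open(path_include, 'r') as f:
                content = f.read() + content
        except IOError:
            # Unresolvable include: keep analysing the current file on its own
            continue
    # … unchanged: declaration extraction and return tuples …
```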


@ -5,12 +5,13 @@
# How to use : python index.py --dir test
# Educational purpose only !
# TODO remonter les includes (parse include/require xxx , chercher son contenu et l'ajouter au debut du content actuel)
# TODO afficher toutes les modifications de la variable -
# TODO enlever les faux positifs : constantes
# BUG variable multiple (check en recursif dans vuln)
# BUG color var['something']
# BUG detection include
# BUG SQLi 2 ligne 17 not found
# TODO print help if no dir in arg
import sys
import argparse
@ -23,20 +24,20 @@ if __name__ == "__main__":
results = parser.parse_args()
if results.dir != None:
print " ██▒ █▓ █ ██ ██▓ ███▄ █▓██ ██▓"
print "▓██░ █▒ ██ ▓██▒▓██▒ ██ ▀█ █ ▒██ ██▒"
print " ▓██ █▒░▓██ ▒██░▒██░ ▓██ ▀█ ██▒ ▒██ ██░"
print " ▒██ █░░▓▓█ ░██░▒██░ ▓██▒ ▐▌██▒ ░ ▐██▓░"
print " ▒▀█░ ▒▒█████▓ ░██████▒▒██░ ▓██░ ░ ██▒▓░"
print " ░ ▐░ ░▒▓▒ ▒ ▒ ░ ▒░▓ ░░ ▒░ ▒ ▒ ██▒▒▒ "
print " ░ ░░ ░░▒░ ░ ░ ░ ░ ▒ ░░ ░░ ░ ▒░▓██ ░▒░ "
print " ░░ ░░░ ░ ░ ░ ░ ░ ░ ░ ▒ ▒ ░░ "
print " ░ ░ ░ ░ ░ ░ ░ "
print " ░ ░ ░ "
print " ░ Copyright @pentest_swissky "
print " (`-') <-. (`-')_ _(`-') (`-') _"
print " _(OO ) .-> <-. \( OO) ) .-> _ .-> ( (OO ).-> ( OO).-/"
print ",--.(_/,-.\,--.(,--. ,--. ) ,--./ ,--/ ,--.' ,-.\-,-----.(`-')----. \ .'_ (,------."
print "\ \ / (_/| | |(`-') | (`-')| \ | | (`-')'.' / | .--./( OO).-. ''`'-..__) | .---'"
print " \ / / | | |(OO ) | |OO )| . '| |)(OO \ / /_) (`-')( _) | | || | ' |(| '--."
print "_ \ /_)| | | | \(| '__ || |\ | | / /) || |OO ) \| |)| || | / : | .--'"
print "\-'\ / \ '-'(_ .' | |'| | \ | `-/ /` (_' '--'\ ' '-' '| '-' / | `---."
print " `-' `-----' `-----' `--' `--' `--' `-----' `-----' `------' `------'"
print " Copyright @pentest_swissky "
print "\n\033[1mAnalyzing '"+results.dir+"' source code\033[0m"
if os.path.isfile(results.dir):
analysis(results.dir)
else:
recursive(results.dir,0)
# else print help

9
test/configuration.php Normal file

@ -0,0 +1,9 @@
<?php
// Fake configuration (include follow ?)
$DB_HOST = "localhost";
$DB_NAME = "securitychalls";
$DB_USER = "admin";
$DB_PASS = "password";
$DB_CHALL_ONE = "graduatecms";
$DB_CHALL_TWO = "androidcompare";
?>


@ -11,7 +11,7 @@
<article>
<?php
//Connexion à la BDD
include('../../inc/configuration.php');
include('configuration.php');
mysql_connect($DB_HOST,$DB_USER,$DB_PASS);
mysql_select_db($DB_NAME);
mysql_query("SET NAMES 'utf8'");


@ -9,12 +9,12 @@
<article>
<?php
//CONFIGURATION
include('../../inc/configuration.php');
include('configuration.php');
mysql_connect($DB_HOST,$DB_USER,$DB_PASS);
mysql_select_db($DB_NAME);
if(isset($_POST['username']) and isset($_POST['password'])){
$sql = mysql_query("SELECT * FROM ".$DB_CHALL_ONE." WHERE username='".$_POST['username']."' AND password = '".$_POST['password']."'") or die(mysql_error());
$sql = mysql_query("SELECT * FROM users WHERE username='".$_POST['username']."' AND password = '".$_POST['password']."'") or die(mysql_error());
if(mysql_num_rows($sql) > 0){
$data = mysql_fetch_assoc($sql);
echo "Welcome ".$data['username']."<br>";