Fix maximum recursion error + catch hardcoded password in define()

pull/13/head
Swissky 2020-01-09 22:54:56 +01:00
parent 4f985f9709
commit e3b1d7fb3c
5 changed files with 49 additions and 38 deletions

View File

@ -2,7 +2,8 @@
[![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/) [![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/)
Basic script to detect vulnerabilities into a PHP source code Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes.
```bash ```bash
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis master* ╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis master*
╰─$ python index.py --dir test ╰─$ python index.py --dir test

View File

@ -11,6 +11,7 @@ result_files = 0
# Analyse the source code of a single page # Analyse the source code of a single page
def analysis(path, plain): def analysis(path, plain):
global result_count
global result_files global result_files
result_files += 1 result_files += 1
with open(path, 'r', encoding='utf-8', errors='replace') as content_file: with open(path, 'r', encoding='utf-8', errors='replace') as content_file:
@ -22,21 +23,23 @@ def analysis(path, plain):
# Hardcoded credentials (work as an exception, it's not function based) # Hardcoded credentials (work as an exception, it's not function based)
credz = ['pass', 'secret', 'token', 'pwd'] credz = ['pass', 'secret', 'token', 'pwd']
for credential in credz: for credential in credz:
content_pure = content.replace(' ', '') content_pure = content.replace(' ', '')
credential += ".*?=[\"|'][^\\$]+[\"|']"
regex = re.compile("\\$" + credential, re.I) # detect all variables
regex_var_detect = "\$[\w\s]+\s?=\s?[\"|'].*[\"|']|define\([\"|'].*[\"|']"
regex = re.compile(regex_var_detect , re.I)
matches = regex.findall(content_pure) matches = regex.findall(content_pure)
# If we find a variable with a constant for a given indicator # If we find a variable with a constant for a given indicator
for vuln_content in matches: for vuln_content in matches:
if credential in vuln_content.lower():
payload = ["", "Hardcoded Credential", []] payload = ["", "Hardcoded Credential", []]
# Get the line # Get the line
line_vuln = -1 line_vuln = -1
splitted_content = content.split('\n') splitted_content = content.split('\n')
for i in range(len(splitted_content)): for i in range(len(splitted_content)):
regex = re.compile("\\$" + credential + ".*?=", re.I) regex = re.compile(regex_var_detect, re.I)
matches = regex.findall(splitted_content[i]) matches = regex.findall(splitted_content[i])
if len(matches) > 0: if len(matches) > 0:
line_vuln = i line_vuln = i
@ -45,6 +48,8 @@ def analysis(path, plain):
line = str(line_vuln) line = str(line_vuln)
occurence = 1 occurence = 1
result_count = result_count + 1
display( display(
path, path,
payload, payload,
@ -97,7 +102,6 @@ def analysis(path, plain):
false_positive = True false_positive = True
if not false_positive: if not false_positive:
global result_count
result_count = result_count + 1 result_count = result_count + 1
display(path, payload, vuln_content, line_vuln, declaration_text, line, vulnerable_var[1], occurence, plain) display(path, payload, vuln_content, line_vuln, declaration_text, line, vulnerable_var[1], occurence, plain)
@ -111,7 +115,7 @@ def recursive(dir, progress, plain):
try: try:
for name in os.listdir(dir): for name in os.listdir(dir):
print('\tAnalyzing : ' + progress_indicator * progress + '\r'), print('\tAnalyzing : ' + progress_indicator * progress + '\r', end="\r"),
# Targetting only PHP Files # Targetting only PHP Files
if os.path.isfile(os.path.join(dir, name)): if os.path.isfile(os.path.join(dir, name)):

View File

@ -1,22 +1,23 @@
#!/usr/bin/python #!/usr/bin/python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Author : Swissky import sys
# How to use : python index.py --dir test
# Educational purpose only !
# TODO afficher toutes les modifications de la variable
import argparse import argparse
from detection import * from detection import *
if __name__ == "__main__": if __name__ == "__main__":
parser = argparse.ArgumentParser() parser = argparse.ArgumentParser()
parser.add_argument('--dir', action='store', dest='dir', help="Directory to analyse") parser.add_argument('--dir', action='store', dest='dir', help="Directory to analyse")
parser.add_argument('--plain', action='store_true', dest='plain', help="No color in output") parser.add_argument('--plain', action='store_true', dest='plain', help="No color in output")
results = parser.parse_args() results = parser.parse_args()
if results.dir is not None: if results.dir is not None:
# default recursion is limited to 1000
# since we browse files recursively,
# we need to set an higher threshold
sys.setrecursionlimit(1000000)
print(""" (`-') <-. (`-')_ _(`-') (`-') _ print(""" (`-') <-. (`-')_ _(`-') (`-') _
_(OO ) .-> <-. \\( OO) ) .-> _ .-> ( (OO ).-> ( OO).-/ _(OO ) .-> <-. \\( OO) ) .-> _ .-> ( (OO ).-> ( OO).-/
,--.(_/,-.\\,--.(,--. ,--. ) ,--./ ,--/ ,--.' ,-.\\-,-----.(`-')----. \\ .'_ (,------. ,--.(_/,-.\\,--.(,--. ,--. ) ,--./ ,--/ ,--.' ,-.\\-,-----.(`-')----. \\ .'_ (,------.

View File

@ -1,4 +1,7 @@
<?php <?php
define("USERNAME", "admin");
define("PASSWORD", "pwd123*");
// Fake configuration (include follow ?) // Fake configuration (include follow ?)
$DB_HOST = "localhost"; $DB_HOST = "localhost";
$DB_NAME = "securitychalls"; $DB_NAME = "securitychalls";
@ -11,4 +14,6 @@
$pwd = "mysuper_cr3dz"; $pwd = "mysuper_cr3dz";
$pass = $pwd.$token; $pass = $pwd.$token;
$Pass = "case!nsenSitiveP@ss" $Pass = "case!nsenSitiveP@ss"
?> ?>