Fix maximum recursion error + catch hardcoded password in define()

README.md

@@ -2,7 +2,8 @@
 
 [![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/)
 
-Basic script to detect vulnerabilities into a PHP source code
+Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes.
+
 ```bash
 ╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis  ‹master*›
 ╰─$ python index.py --dir test    

detection.py

@@ -11,6 +11,7 @@ result_files = 0
 
 # Analyse the source code of a single page
 def analysis(path, plain):
+    global result_count
     global result_files
     result_files += 1
     with open(path, 'r', encoding='utf-8', errors='replace') as content_file:
@@ -22,40 +23,44 @@ def analysis(path, plain):
         # Hardcoded credentials (work as an exception, it's not function based)
         credz = ['pass', 'secret', 'token', 'pwd']
         for credential in credz:
-
             content_pure = content.replace(' ', '')
-            credential += ".*?=[\"|'][^\\$]+[\"|']"
-            regex = re.compile("\\$" + credential, re.I)
-            matches = regex.findall(content_pure)
 
+            # detect all variables
+            regex_var_detect = "\$[\w\s]+\s?=\s?[\"|'].*[\"|']|define\([\"|'].*[\"|']"
+            regex = re.compile(regex_var_detect , re.I)
+            matches = regex.findall(content_pure)
+            
             # If we find a variable with a constant for a given indicator
             for vuln_content in matches:
-                payload = ["", "Hardcoded Credential", []]
+                if credential in vuln_content.lower():
+                    payload = ["", "Hardcoded Credential", []]
 
-                # Get the line
+                    # Get the line
-                line_vuln = -1
+                    line_vuln = -1
-                splitted_content = content.split('\n')
+                    splitted_content = content.split('\n')
-                for i in range(len(splitted_content)):
+                    for i in range(len(splitted_content)):
-                    regex = re.compile("\\$" + credential + ".*?=", re.I)
+                        regex = re.compile(regex_var_detect, re.I)
-                    matches = regex.findall(splitted_content[i])
+                        matches = regex.findall(splitted_content[i])
-                    if len(matches) > 0:
+                        if len(matches) > 0:
-                        line_vuln = i
+                            line_vuln = i
 
-                declaration_text = vuln_content
+                    declaration_text = vuln_content
-                line = str(line_vuln)
+                    line = str(line_vuln)
-                occurence = 1
+                    occurence = 1
 
-                display(
+                    result_count = result_count + 1
-                    path,
+
-                    payload,
+                    display(
-                    vuln_content,
+                        path,
-                    line_vuln,
+                        payload,
-                    declaration_text,
+                        vuln_content,
-                    line,
+                        line_vuln,
-                    vuln_content,
+                        declaration_text,
-                    occurence,
+                        line,
-                    plain
+                        vuln_content,
-                )
+                        occurence,
+                        plain
+                    )
 
         # Detection of RCE/SQLI/LFI/RFI/RFU/XSS/...
         for payload in payloads:
@@ -97,7 +102,6 @@ def analysis(path, plain):
                                 false_positive = True
 
                         if not false_positive:
-                            global result_count
                             result_count = result_count + 1
                             display(path, payload, vuln_content, line_vuln, declaration_text, line, vulnerable_var[1], occurence, plain)
 
@@ -111,7 +115,7 @@ def recursive(dir, progress, plain):
     try:
         for name in os.listdir(dir):
 
-            print('\tAnalyzing : ' + progress_indicator * progress + '\r'),
+            print('\tAnalyzing : ' + progress_indicator * progress + '\r', end="\r"),
 
             # Targetting only PHP Files
             if os.path.isfile(os.path.join(dir, name)):

index.py

@@ -1,22 +1,23 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 
-# Author     : Swissky
+import sys
-# How to use : python index.py --dir test
-# Educational purpose only !
-
-# TODO afficher toutes les modifications de la variable
-
 import argparse
 from detection import *
 
 if __name__ == "__main__":
+
     parser = argparse.ArgumentParser()
     parser.add_argument('--dir', action='store', dest='dir', help="Directory to analyse")
     parser.add_argument('--plain', action='store_true', dest='plain', help="No color in output")
     results = parser.parse_args()
 
     if results.dir is not None:
+        # default recursion is limited to 1000
+        # since we browse files recursively,
+        # we need to set an higher threshold
+        sys.setrecursionlimit(1000000)
+
         print("""      (`-')                    <-. (`-')_                                _(`-')    (`-')  _
              _(OO )     .->      <-.      \\( OO) )     .->   _             .->  ( (OO ).-> ( OO).-/
         ,--.(_/,-.\\,--.(,--.   ,--. )  ,--./ ,--/  ,--.'  ,-.\\-,-----.(`-')----. \\    .'_ (,------.

test/configuration.php

@@ -1,5 +1,8 @@
 <?php
-  // Fake configuration (include follow ?)
+define("USERNAME", "admin");
+define("PASSWORD", "pwd123*");
+
+// Fake configuration (include follow ?)
   $DB_HOST = "localhost";
 	$DB_NAME = "securitychalls";
 	$DB_USER = "admin";
@@ -11,4 +14,6 @@
   $pwd   = "mysuper_cr3dz";
   $pass  = $pwd.$token;
   $Pass  = "case!nsenSitiveP@ss"
- ?>
+
+
+?>