Fix maximum recursion error + catch hardcoded password in define()

pull/13/head
Swissky 2020-01-09 22:54:56 +01:00
parent 4f985f9709
commit e3b1d7fb3c
5 changed files with 49 additions and 38 deletions

View File

@ -2,7 +2,8 @@
[![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/)
Basic script to detect vulnerabilities into a PHP source code
Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes.
```bash
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis master*
╰─$ python index.py --dir test

View File

@ -11,6 +11,7 @@ result_files = 0
# Analyse the source code of a single page
def analysis(path, plain):
global result_count
global result_files
result_files += 1
with open(path, 'r', encoding='utf-8', errors='replace') as content_file:
@ -22,40 +23,44 @@ def analysis(path, plain):
# Hardcoded credentials (work as an exception, it's not function based)
credz = ['pass', 'secret', 'token', 'pwd']
for credential in credz:
content_pure = content.replace(' ', '')
credential += ".*?=[\"|'][^\\$]+[\"|']"
regex = re.compile("\\$" + credential, re.I)
# detect all variables
regex_var_detect = "\$[\w\s]+\s?=\s?[\"|'].*[\"|']|define\([\"|'].*[\"|']"
regex = re.compile(regex_var_detect , re.I)
matches = regex.findall(content_pure)
# If we find a variable with a constant for a given indicator
for vuln_content in matches:
payload = ["", "Hardcoded Credential", []]
if credential in vuln_content.lower():
payload = ["", "Hardcoded Credential", []]
# Get the line
line_vuln = -1
splitted_content = content.split('\n')
for i in range(len(splitted_content)):
regex = re.compile("\\$" + credential + ".*?=", re.I)
matches = regex.findall(splitted_content[i])
if len(matches) > 0:
line_vuln = i
# Get the line
line_vuln = -1
splitted_content = content.split('\n')
for i in range(len(splitted_content)):
regex = re.compile(regex_var_detect, re.I)
matches = regex.findall(splitted_content[i])
if len(matches) > 0:
line_vuln = i
declaration_text = vuln_content
line = str(line_vuln)
occurence = 1
declaration_text = vuln_content
line = str(line_vuln)
occurence = 1
display(
path,
payload,
vuln_content,
line_vuln,
declaration_text,
line,
vuln_content,
occurence,
plain
)
result_count = result_count + 1
display(
path,
payload,
vuln_content,
line_vuln,
declaration_text,
line,
vuln_content,
occurence,
plain
)
# Detection of RCE/SQLI/LFI/RFI/RFU/XSS/...
for payload in payloads:
@ -97,7 +102,6 @@ def analysis(path, plain):
false_positive = True
if not false_positive:
global result_count
result_count = result_count + 1
display(path, payload, vuln_content, line_vuln, declaration_text, line, vulnerable_var[1], occurence, plain)
@ -111,7 +115,7 @@ def recursive(dir, progress, plain):
try:
for name in os.listdir(dir):
print('\tAnalyzing : ' + progress_indicator * progress + '\r'),
print('\tAnalyzing : ' + progress_indicator * progress + '\r', end="\r"),
# Targetting only PHP Files
if os.path.isfile(os.path.join(dir, name)):

View File

@ -1,22 +1,23 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author : Swissky
# How to use : python index.py --dir test
# Educational purpose only !
# TODO afficher toutes les modifications de la variable
import sys
import argparse
from detection import *
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('--dir', action='store', dest='dir', help="Directory to analyse")
parser.add_argument('--plain', action='store_true', dest='plain', help="No color in output")
results = parser.parse_args()
if results.dir is not None:
# default recursion is limited to 1000
# since we browse files recursively,
# we need to set an higher threshold
sys.setrecursionlimit(1000000)
print(""" (`-') <-. (`-')_ _(`-') (`-') _
_(OO ) .-> <-. \\( OO) ) .-> _ .-> ( (OO ).-> ( OO).-/
,--.(_/,-.\\,--.(,--. ,--. ) ,--./ ,--/ ,--.' ,-.\\-,-----.(`-')----. \\ .'_ (,------.

View File

@ -1,5 +1,8 @@
<?php
// Fake configuration (include follow ?)
define("USERNAME", "admin");
define("PASSWORD", "pwd123*");
// Fake configuration (include follow ?)
$DB_HOST = "localhost";
$DB_NAME = "securitychalls";
$DB_USER = "admin";
@ -11,4 +14,6 @@
$pwd = "mysuper_cr3dz";
$pass = $pwd.$token;
$Pass = "case!nsenSitiveP@ss"
?>
?>