Fix maximum recursion error + catch hardcoded password in define()
parent
4f985f9709
commit
e3b1d7fb3c
|
@ -2,7 +2,8 @@
|
|||
|
||||
[![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/)
|
||||
|
||||
Basic script to detect vulnerabilities into a PHP source code
|
||||
Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes.
|
||||
|
||||
```bash
|
||||
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis ‹master*›
|
||||
╰─$ python index.py --dir test
|
||||
|
|
60
detection.py
60
detection.py
|
@ -11,6 +11,7 @@ result_files = 0
|
|||
|
||||
# Analyse the source code of a single page
|
||||
def analysis(path, plain):
|
||||
global result_count
|
||||
global result_files
|
||||
result_files += 1
|
||||
with open(path, 'r', encoding='utf-8', errors='replace') as content_file:
|
||||
|
@ -22,40 +23,44 @@ def analysis(path, plain):
|
|||
# Hardcoded credentials (work as an exception, it's not function based)
|
||||
credz = ['pass', 'secret', 'token', 'pwd']
|
||||
for credential in credz:
|
||||
|
||||
content_pure = content.replace(' ', '')
|
||||
credential += ".*?=[\"|'][^\\$]+[\"|']"
|
||||
regex = re.compile("\\$" + credential, re.I)
|
||||
|
||||
# detect all variables
|
||||
regex_var_detect = "\$[\w\s]+\s?=\s?[\"|'].*[\"|']|define\([\"|'].*[\"|']"
|
||||
regex = re.compile(regex_var_detect , re.I)
|
||||
matches = regex.findall(content_pure)
|
||||
|
||||
# If we find a variable with a constant for a given indicator
|
||||
for vuln_content in matches:
|
||||
payload = ["", "Hardcoded Credential", []]
|
||||
if credential in vuln_content.lower():
|
||||
payload = ["", "Hardcoded Credential", []]
|
||||
|
||||
# Get the line
|
||||
line_vuln = -1
|
||||
splitted_content = content.split('\n')
|
||||
for i in range(len(splitted_content)):
|
||||
regex = re.compile("\\$" + credential + ".*?=", re.I)
|
||||
matches = regex.findall(splitted_content[i])
|
||||
if len(matches) > 0:
|
||||
line_vuln = i
|
||||
# Get the line
|
||||
line_vuln = -1
|
||||
splitted_content = content.split('\n')
|
||||
for i in range(len(splitted_content)):
|
||||
regex = re.compile(regex_var_detect, re.I)
|
||||
matches = regex.findall(splitted_content[i])
|
||||
if len(matches) > 0:
|
||||
line_vuln = i
|
||||
|
||||
declaration_text = vuln_content
|
||||
line = str(line_vuln)
|
||||
occurence = 1
|
||||
declaration_text = vuln_content
|
||||
line = str(line_vuln)
|
||||
occurence = 1
|
||||
|
||||
display(
|
||||
path,
|
||||
payload,
|
||||
vuln_content,
|
||||
line_vuln,
|
||||
declaration_text,
|
||||
line,
|
||||
vuln_content,
|
||||
occurence,
|
||||
plain
|
||||
)
|
||||
result_count = result_count + 1
|
||||
|
||||
display(
|
||||
path,
|
||||
payload,
|
||||
vuln_content,
|
||||
line_vuln,
|
||||
declaration_text,
|
||||
line,
|
||||
vuln_content,
|
||||
occurence,
|
||||
plain
|
||||
)
|
||||
|
||||
# Detection of RCE/SQLI/LFI/RFI/RFU/XSS/...
|
||||
for payload in payloads:
|
||||
|
@ -97,7 +102,6 @@ def analysis(path, plain):
|
|||
false_positive = True
|
||||
|
||||
if not false_positive:
|
||||
global result_count
|
||||
result_count = result_count + 1
|
||||
display(path, payload, vuln_content, line_vuln, declaration_text, line, vulnerable_var[1], occurence, plain)
|
||||
|
||||
|
@ -111,7 +115,7 @@ def recursive(dir, progress, plain):
|
|||
try:
|
||||
for name in os.listdir(dir):
|
||||
|
||||
print('\tAnalyzing : ' + progress_indicator * progress + '\r'),
|
||||
print('\tAnalyzing : ' + progress_indicator * progress + '\r', end="\r"),
|
||||
|
||||
# Targetting only PHP Files
|
||||
if os.path.isfile(os.path.join(dir, name)):
|
||||
|
|
13
index.py
13
index.py
|
@ -1,22 +1,23 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# Author : Swissky
|
||||
# How to use : python index.py --dir test
|
||||
# Educational purpose only !
|
||||
|
||||
# TODO afficher toutes les modifications de la variable
|
||||
|
||||
import sys
|
||||
import argparse
|
||||
from detection import *
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument('--dir', action='store', dest='dir', help="Directory to analyse")
|
||||
parser.add_argument('--plain', action='store_true', dest='plain', help="No color in output")
|
||||
results = parser.parse_args()
|
||||
|
||||
if results.dir is not None:
|
||||
# default recursion is limited to 1000
|
||||
# since we browse files recursively,
|
||||
# we need to set an higher threshold
|
||||
sys.setrecursionlimit(1000000)
|
||||
|
||||
print(""" (`-') <-. (`-')_ _(`-') (`-') _
|
||||
_(OO ) .-> <-. \\( OO) ) .-> _ .-> ( (OO ).-> ( OO).-/
|
||||
,--.(_/,-.\\,--.(,--. ,--. ) ,--./ ,--/ ,--.' ,-.\\-,-----.(`-')----. \\ .'_ (,------.
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
<?php
|
||||
// Fake configuration (include follow ?)
|
||||
define("USERNAME", "admin");
|
||||
define("PASSWORD", "pwd123*");
|
||||
|
||||
// Fake configuration (include follow ?)
|
||||
$DB_HOST = "localhost";
|
||||
$DB_NAME = "securitychalls";
|
||||
$DB_USER = "admin";
|
||||
|
@ -11,4 +14,6 @@
|
|||
$pwd = "mysuper_cr3dz";
|
||||
$pass = $pwd.$token;
|
||||
$Pass = "case!nsenSitiveP@ss"
|
||||
?>
|
||||
|
||||
|
||||
?>
|
||||
|
|
Loading…
Reference in New Issue