Basic refactoring

pull/3/head
Swissky 2017-05-21 15:56:42 +02:00
parent 9c5d60c5e7
commit f1e06def4c
7 changed files with 152 additions and 177 deletions

1
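--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+*.pyc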


@ -0,0 +1,68 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
import re
from indicators import *
from functions import *
# Analyse the source code of a single page
def analysis(path):
with open(path, 'r') as content_file:
content = content_file.read()
# Clean source for a better detection
content = content.replace("echo ","echo(")
content = content.replace("; ",";)")
# Detection of RCE/SQLI/LFI/RFI/RFU/XSS
for payload in payloads:
regex = re.compile(payload[0]+'\((.*?)(\$_GET\[.*\]|\$_FILES\[.*\]|\$_POST\[.*\]|\$_REQUEST\[.*\]|\$_COOKIES\[.*\]|\$_SESSION\[.*\]|\$(?!this|e-)[a-zA-Z0-9_]*)(.*)\)')
matches = regex.findall(content)
for match in matches:
# Detection of good protection
is_protected = False
for protection in payload[2]:
if protection in "".join(match):
is_protected = True
# Detect line of the vuln
if is_protected == False:
# When it's a function($SOMEHTING) Match declaration $SOMETHING = ...
exceptions = ["_GET","_REQUEST","_POST","_COOKIES","_FILES"]
is_exception = False
for exception in exceptions:
if exception in match[1]:
is_exception = True
declaration_text = ""
line_declaration = ""
if is_exception == False:
regex_declaration = re.compile("\$"+match[1][1:]+"([\t ]*)=(?!=)(.*)")
declaration = regex_declaration.findall(content)
if len(declaration)>0:
declaration_text = "$"+match[1][1:] +declaration[0][0]+"="+declaration[0][1]
line_declaration = find_line_declaration(declaration_text, content)
# Display all the informations
line_vuln = find_line_vuln(path,payload,match,content)
display(path,payload,match,line_vuln,declaration_text,line_declaration)
# Run thru every files and subdirectories
def recursive(dir,progress):
progress += 1
try:
for name in os.listdir(dir):
print('\tAnalyzing : '+''*progress+'\r'),
# Targetting only PHP Files
if os.path.isfile(os.path.join(dir, name)):
if ".php" in os.path.join(dir, name):
analysis(dir+"/"+name)
else :
recursive(dir+"/"+name, progress)
except OSError, e:
print "Error 404 - Not Found, maybe you need more right ?"+" "*30
exit(-1)
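Review bot: `recursive` ends the whole scan with `exit(-1)` on the first OSError (L73-75), so a single unreadable subdirectory terminates the run behind a misleading "Error 404" message, and the bound `e` is never used; report the offending path and keep going (`except OSError as e: print "Cannot read %s: %s" % (dir, e)` then return) so the remaining tree is still analysed. The file filter `".php" in os.path.join(dir, name)` (L69) is a substring test that also accepts `index.php.bak` or a path whose directory component happens to contain `.php`; `name.endswith(".php")` is the intended check. The traversal recurses into `dir+"/"+name` without any symlink or cycle guard, so a directory link pointing back to an ancestor recurses until the interpreter gives up; `os.walk(dir)`, which does not follow links by default, would replace the hand-rolled walk. In `analysis`, `payload[0]` is spliced into the pattern with no word boundary (L34), so the `exec` indicator also fires on `shell_exec(` and every such call is reported twice; prefix the pattern with `r'\b'`. `match[1][1:]` is inserted into `regex_declaration` unescaped (L53) and `_SESSION` is missing from `exceptions` (L45), so a `$_SESSION[...]` match feeds raw `[`/`]` into the declaration regex; wrap it in `re.escape(...)` and add `"_SESSION"` to the list.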


38
functions.py Normal file

@ -0,0 +1,38 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
import re
from indicators import *
# Display the found vulnerability with basic informations like the line
def display(path,payload,vulnerability,line,declaration_text,declaration_line):
print "-"*60+"\r\n\033[1m"+"Potential vulnerability found : \033[0m\033[92m" + payload[1]+"\033[0m"
print "\033[1mLine \033[0m\033[92m"+line+"\033[0m in "+path
if not "POST" in vulnerability[1] and not "GET" in vulnerability[1]:
print "\033[1mCode : \033[0m"+payload[0]+'('+vulnerability[0]+"\033[93m"+vulnerability[1]+"\033[0m"+vulnerability[2]+')'
if declaration_text != "":
print "\033[1mDeclared at line \033[0;92m"+declaration_line+"\033[0m : "+ declaration_text
else:
print "\033[1mUndeclared \033[0m"+ declaration_text+" in the file"
else:
print "\033[1mCode : \033[0m"+payload[0]+'('+vulnerability[0]+"\033[93m"+vulnerability[1]+"\033[0m"+vulnerability[2]+')'
# Find the line where the vulnerability is located
def find_line_vuln(path,payload,vulnerability,content):
content = content.split('\n')
for i in range(len(content)):
if payload[0]+'('+vulnerability[0]+vulnerability[1]+vulnerability[2]+')' in content[i]:
return str(i)
return "-1"
# Find the line where the entry point is declared
def find_line_declaration(declaration, content):
content = content.split('\n')
for i in range(len(content)):
if declaration in content[i]:
return str(i)
return "-1"
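Review bot: `find_line_vuln` and `find_line_declaration` return the 0-based index of the split line (L106, L113), but `display` prints that value as "Line N" and "Declared at line N" (L92, L96), so every reported location is one below the editor's line number; return `str(i + 1)` in both, or iterate with `enumerate(content.split('\n'), start=1)`. The `path` parameter of `find_line_vuln` is unused, and the needle `payload[0]+'('+vulnerability[0]+vulnerability[1]+vulnerability[2]+')'` is rebuilt on every iteration; compute it once before the loop. `display` writes `vulnerability[0..2]` — text copied verbatim from the scanned PHP file — between ANSI sequences straight to the terminal, so a file containing control characters can garble or spoof the report; strip non-printable characters from those fragments before printing. Compared with old.py's `display` (L222-224), this version no longer increments `score`, which means the final "Application score" summary from the old `__main__` block is gone — worth confirming that this is an intended part of the refactoring rather than a side effect of moving the function.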


@ -8,18 +8,22 @@
# TODO
# 1. https://www.ripstech.com/blog/2017/why-mail-is-dangerous-in-php/
# 2. Parcourir les fichiers en recursif avec les includes et afficher toutes les modifications de la variable
# BUG du echo()
import sys
import argparse
import os, re
from detection import *
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('--dir', action ='store', dest='dir', help="Directory to analyse")
results = parser.parse_args()
if results.dir == None:
exit()
if results.dir != None:
print "-"*60+"\r\n\033[1mAnalyzing '"+results.dir+"' source code\033[0m"
print "-"*60+"\r\n\033[1mAnalyzing '"+results.dir+"' source code\033[0m"
#print "INFO - "
if os.path.isfile(results.dir):
analysis(results.dir)
else:
recursive(results.dir,0)
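Review bot: `if results.dir == None: exit()` (L131-132) leaves the process with exit status 0 and prints nothing when the only option is missing, so a caller or wrapper script cannot tell a usage error from a clean run; declare the option as `parser.add_argument('--dir', action='store', dest='dir', required=True, help="Directory to analyse")` or call `parser.error("--dir is required")`, after which the redundant `if results.dir != None:` guard (L133) can go. Comparisons against `None` should use `is` / `is not`. `from detection import *` (L126) also drags `os`, `re` and everything detection.py itself star-imported into this namespace; `from detection import analysis, recursive` names what is actually used. The `__main__` block starts inside the hunk (L127) but whether it continues past L140 is not visible here.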


@ -0,0 +1,37 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
payloads = [
# /!\ Detection Format (.*)function($vuln)(.*)
# Function_Name:String, Vulnerability_Name:String, Protection_Function:Array
["eval","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["popen","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["system","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["passthru","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["exec","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["shell_exec","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["include","File Inclusion",[]],
["require","File Inclusion",[]],
["include_once","File Inclusion",[]],
["require_once","File Inclusion",[]],
["readfile","File Inclusion",[]],
["file_get_contents","File Inclusion",[]],
["mysql_query","SQL Injection",["mysql_real_escape_string"]],
["mysql_unbuffered_query","SQL Injection",["mysql_real_escape_string"]],
["mysql_db_query","SQL Injection",["mysql_real_escape_string"]],
["mysqli::real_query","SQL Injection",["mysql_real_escape_string"]],
["mysqli_real_query","SQL Injection",["mysql_real_escape_string"]],
["mysqli::query","SQL Injection",["mysql_real_escape_string"]],
["mysqli_query","SQL Injection",["mysql_real_escape_string"]],
# pdo querys
["move_uploaded_file","File Upload",[]],
["echo","Cross Site Scripting",["htmlentities","htmlspecialchars"]],
# Print etc
["mail", "Insecure E-mail",[]]
]
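Review bot: The four mysqli entries (L165-168) list only `mysql_real_escape_string` as a protection, and `analysis` checks that name as a substring of the matched call text; the mysqli forms `mysqli_real_escape_string(...)` and `$db->real_escape_string(...)` do not contain that substring, so every escaped mysqli query is reported as unprotected. Add the mysqli names, e.g. `["mysqli_query","SQL Injection",["mysql_real_escape_string","mysqli_real_escape_string","real_escape_string"]]`, or reduce each list to the common suffix `"real_escape_string"`. The header comment (L148-149) should also state how the third column is applied, since a protection name appearing anywhere in the argument text marks the whole call as safe: `# Protection_Function names are matched as substrings of the whole argument text (coarse filter; may miss unsafe calls)`.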

173
old.py

@ -1,173 +0,0 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author : Swissky
# How to use : python analysis_source.py "../Www/Hacking/"
# Educational purpose only !
# TODO:
# 1. https://www.ripstech.com/blog/2017/why-mail-is-dangerous-in-php/
# 2. Parcourir les fichiers en recursif avec les includes et afficher toutes les modifications de la variable
import sys, getopt
import os, re
score = 0
payloads = [
# /!\ Detection Format (.*)function($vuln)(.*)
# Function_Name:String, Vulnerability_Name:String, Protection:Array
["eval","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["popen","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["system","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["passthru","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["exec","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["shell_exec","Remote Command Execution",["escapeshellarg","escapeshellcmd"]],
["include","File Inclusion",[]],
["require","File Inclusion",[]],
["include_once","File Inclusion",[]],
["require_once","File Inclusion",[]],
["readfile","File Inclusion",[]],
["file_get_contents","File Inclusion",[]],
["mysql_query","SQL Injection",["mysql_real_escape_string"]],
["mysql_unbuffered_query","SQL Injection",["mysql_real_escape_string"]],
["mysql_db_query","SQL Injection",["mysql_real_escape_string"]],
["mysqli::real_query","SQL Injection",["mysql_real_escape_string"]],
["mysqli_real_query","SQL Injection",["mysql_real_escape_string"]],
["mysqli::query","SQL Injection",["mysql_real_escape_string"]],
["mysqli_query","SQL Injection",["mysql_real_escape_string"]],
# pdo querys
["move_uploaded_file","File Upload",[]],
["echo","Cross Site Scripting",["htmlentities","htmlspecialchars"]],
# Print etc
["mail", "Insecure E-mail",[]]
]
# Display the found vulnerability with basic informations like the line
def display(path,payload,vulnerability,line,declaration_text,declaration_line):
# New Vulnerability found -> Score +1
global score
score = score+1
print "-"*60+"\r\n\033[1m"+"Potential vulnerability found : \033[0m\033[92m" + payload[1]+"\033[0m"
print "\033[1mLine \033[0m\033[92m"+line+"\033[0m in "+path
if not "POST" in vulnerability[1] and not "GET" in vulnerability[1]:
print "\033[1mCode : \033[0m"+payload[0]+'('+vulnerability[0]+"\033[93m"+vulnerability[1]+"\033[0m"+vulnerability[2]+')'
if declaration_text != "":
print "\033[1mDeclared at line \033[0;92m"+declaration_line+"\033[0m : "+ declaration_text
else:
print "\033[1mUndeclared \033[0m"+ declaration_text+" in the file"
else:
print "\033[1mCode : \033[0m"+payload[0]+'('+vulnerability[0]+"\033[93m"+vulnerability[1]+"\033[0m"+vulnerability[2]+')'
# Find the line where the vulnerability is located
def find_line_vuln(path,payload,vulnerability,content):
content = content.split('\n')
for i in range(len(content)):
if payload[0]+'('+vulnerability[0]+vulnerability[1]+vulnerability[2]+')' in content[i]:
return str(i)
return "-1"
# Find the line where the entry point is declared
def find_line_declaration(declaration, content):
content = content.split('\n')
for i in range(len(content)):
if declaration in content[i]:
return str(i)
return "-1"
# Analyse the source code of a single page
def analysis(path):
with open(path, 'r') as content_file:
content = content_file.read()
# Clean source for a better detection
content = content.replace("echo ","echo(")
content = content.replace("; ",";)")
# Detection of RCE/SQLI/LFI/RFI/RFU/XSS
for payload in payloads:
regex = re.compile(payload[0]+'\((.*?)(\$_GET\[.*\]|\$_FILES\[.*\]|\$_POST\[.*\]|\$_REQUEST\[.*\]|\$_COOKIES\[.*\]|\$_SESSION\[.*\]|\$(?!this|e-)[a-zA-Z0-9_]*)(.*)\)')
matches = regex.findall(content)
for match in matches:
# Detection of good protection
is_protected = False
for protection in payload[2]:
if protection in "".join(match):
is_protected = True
# Detect line of the vuln
if is_protected == False:
# When it's a function($SOMEHTING) Match declaration $SOMETHING = ...
exceptions = ["_GET","_REQUEST","_POST","_COOKIES","_FILES"]
is_exception = False
for exception in exceptions:
if exception in match[1]:
is_exception = True
declaration_text = ""
line_declaration = ""
if is_exception == False:
regex_declaration = re.compile("\$"+match[1][1:]+"([\t ]*)=(?!=)(.*)")
declaration = regex_declaration.findall(content)
if len(declaration)>0:
declaration_text = "$"+match[1][1:] +declaration[0][0]+"="+declaration[0][1]
line_declaration = find_line_declaration(declaration_text, content)
# Display all the informations
line_vuln = find_line_vuln(path,payload,match,content)
display(path,payload,match,line_vuln,declaration_text,line_declaration)
# Run thru every files and subdirectories
def recursive(dir,progress):
progress += 1
try:
for name in os.listdir(dir):
print('\tAnalyzing : '+''*progress+'\r'),
# Targetting only PHP Files
if os.path.isfile(os.path.join(dir, name)):
if ".php" in os.path.join(dir, name):
analysis(dir+"/"+name)
else :
recursive(dir+"/"+name, progress)
except OSError, e:
print "Error 404 - Not Found, maybe you need more right ?"+" "*30
exit(-1)
if __name__ == "__main__":
# Handle arguments
url = sys.argv[1]
if len(sys.argv) < 2:
print 'Usage : main.py "./link/to/somewhere"'
exit()
print "-"*60+"\r\n\033[1mAnalyzing '"+url+"' source code\033[0m"
# Analyse a file or an entire folder
if(os.path.isfile(url)):
analysis(url)
else:
recursive(url,0)
# Display final result
if score != 0:
print "-"*60+"\r\n\r\033[0mApplication score : \033[91m"+str(score)+" potential vulnerabilities found !\033[0m\r\n"+"-"*60
else:
print "-"*60+"\r\n\r\033[0mApplication score : \033[92m"+str(score)+" potential vulnerabilities found !\033[0m\r\n"+"-"*60