XXE / SSRF / Cookies and more use-cases

README.md

@@ -1,12 +1,23 @@
-# VulnyCode - PHP Code Static Analysis
+# VulnyCode - PHP Code Static Analysis [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=VulnyCode%20-%20PHP%20Code%20Static%20Analysis&url=https://github.com/swisskyrepo/Vulny-Code-Static-Analysis)
 
-[![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/)
+![1.0.0](https://img.shields.io/badge/Version-1.0.0%20Beta-RED) ![Python](https://img.shields.io/badge/Python-3.4+-GREEN) ![Platform](https://img.shields.io/badge/Platforms-Linux%20x64-yellowgreen) 
 
 Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes.
 
 ```bash
+# HELP
 ╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis  ‹master*›
-╰─$ python index.py --dir test    
+╰─$ python3 index.py           
+usage: index.py [-h] [--dir DIR] [--plain]
+
+optional arguments:
+  -h, --help  show this help message and exit
+  --dir DIR   Directory to analyse
+  --plain     No color in output
+
+# Example
+╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis  ‹master*›
+╰─$ python3 index.py --dir test    
 ------------------------------------------------------------
 Analyzing 'test' source code
 ------------------------------------------------------------
@@ -21,19 +32,39 @@ Declared at line 1 : $dest = $_GET['who'];
 ```
 
 Currently detecting :
- - SQL injection
- - Local File Inclusion
- - Insecure emails
- - Cross Site Scripting
- - Remote Commands Execution
- - LDAP injection
- - XPATH injection
- - PHP Objet Injection
- - Header injection
- - URL redirection
- - Hardcoded credential
- - High Entropy string
+- Arbitrary Cookie
+- Arbitrary File Deletion
+- Arbitrary Variable Overwrite
+- Cross Site Scripting
+- File Inclusion
+- File Inclusion / Path Traversal
+- File Upload
+- Header Injection
+- Information Leak
+- Insecure E-mail
+- Insecure Weak Random
+- LDAP Injection
+- PHP Object Injection
+- Remote Code Execution
+- Remote Command Execution
+- Server Side Request Forgery
+- Server Side Template Injection
+- SQL Injection
+- URL Redirection
+- Weak Cryptographic Hash
+- XML external entity
+- XPATH Injection
+- Hardcoded credentials
+- High Entropy string
 
 > if you want to export each vulnerabilities type into a folder use the "export.sh"
 
 Don't forget to read the [license](/LICENSE) ;)
+
+
+## Alternatives
+
+* [RIPS - A static source code analyser for vulnerabilities in PHP scripts](https://blog.ripstech.com/2016/introducing-the-rips-analysis-engine/)
+* [Cobra - Source Code Security Audit](https://github.com/WhaleShark-Team/cobra)
+* [PHP parser written in Python using PLY](https://github.com/viraptor/phply)
+* [Psalm - A static analysis tool for finding errors in PHP applications](https://psalm.dev/docs/security_analysis/)

detection.py

@@ -70,9 +70,17 @@ def analysis(path, plain):
         # Detection of RCE/SQLI/LFI/RFI/RFU/XSS/...
         for payload in payloads:
             regex = re.compile(payload[0] + regex_indicators)
-            matches = regex.findall(content)
+            matches = regex.findall(content.replace(" ", "(PLACEHOLDER"))
 
             for vuln_content in matches:
+
+                # Handle "require something" vs "require(something)"
+                # Dirty trick to force a parenthesis before the function's argument
+                vuln_content = list(vuln_content)
+                for i in range(len(vuln_content)):
+                    vuln_content[i] = vuln_content[i].replace("(PLACEHOLDER", " ")
+                    vuln_content[i] = vuln_content[i].replace("PLACEHOLDER", "")
+
                 occurence = 0
 
                 # Security hole detected, is it protected ?

indicators.py

@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 
 # /!\ Detection Format (.*)function($vuln)(.*) matched by payload[0]+regex_indicators
-regex_indicators = '\\((.*?)(\\$_GET\\[.*?\\]|\\$_FILES\\[.*?\\]|\\$_POST\\[.*?\\]|\\$_REQUEST\\[.*?\\]|\\$_COOKIES\\[.*?\\]|\\$_SESSION\\[.*?\\]|\\$(?!this|e-)[a-zA-Z0-9_,]*)(.*?)\\)'
+regex_indicators = '\\((.*?)(\\$_GET\\[.*?\\]|\\$_FILES\\[.*?\\]|\\$_POST\\[.*?\\]|\\$_REQUEST\\[.*?\\]|\\$_COOKIES\\[.*?\\]|\\$_SESSION\\[.*?\\]|\\$(?!this|e-)[a-zA-Z0-9_]*)(.*?)\\)'
 
 # Function_Name:String, Vulnerability_Name:String, Protection_Function:Array
 payloads = [
@@ -10,6 +10,7 @@ payloads = [
     # Remote Command Execution
     ["eval", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["popen", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
+    ["popen_ex", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["system", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["passthru", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
     ["exec", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
@@ -36,7 +37,7 @@ payloads = [
 
     ["readfile", "File Inclusion / Path Traversal", []],
     ["file_get_contents", "File Inclusion / Path Traversal", []],
-    ["stream_get_contents", "File Inclusion / Path Traversal", []],
+    ["file_put_contents", "File Inclusion / Path Traversal", []],
     ["show_source", "File Inclusion / Path Traversal", []],
     ["fopen", "File Inclusion / Path Traversal", []],
     ["file", "File Inclusion / Path Traversal", []],
@@ -45,6 +46,10 @@ payloads = [
     ["gzfile", "File Inclusion / Path Traversal", []],
     ["gzpassthru", "File Inclusion / Path Traversal", []],
     ["readgzfile", "File Inclusion / Path Traversal", []],
+    
+    ["DirectoryIterator", "File Inclusion / Path Traversal", []],
+    ["stream_get_contents", "File Inclusion / Path Traversal", []],
+    ["copy", "File Inclusion / Path Traversal", []],
 
     # MySQL(i) SQL Injection
     ["mysql_query", "SQL Injection", ["mysql_real_escape_string"]],
@@ -104,6 +109,7 @@ payloads = [
     ["ifx_htmltbl_result", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
     ["die", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
     ["exit", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
+    ["var_dump", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
 
     # XPATH and LDAP
     ["xpath", "XPATH Injection", []],
@@ -130,6 +136,7 @@ payloads = [
 
     # Weak Cryptographic Hash
     ["md5", "Weak Cryptographic Hash", []],
+    ["sha1", "Weak Cryptographic Hash", []],
 
     # Insecure Weak Random
     ["mt_rand", "Insecure Weak Random", []],
@@ -141,5 +148,23 @@ payloads = [
     ["show_source", "Information Leak", []],
     ["highlight_file", "Information Leak", []],
 
+    # Server Side Request Forgery
+    ["curl_setopt", "Server Side Request Forgery", []],
+    ["curl_exec", "Server Side Request Forgery", []],
+    ["fsockopen", "Server Side Request Forgery", []],
 
+
+    # XML External Entity
+    ["SimpleXMLElement", "XML External Entity", []],
+    ["xmlparse", "XML External Entity", []],
+    ["loadXML", "XML External Entity", []],
+    ["simplexml_load_string", "XML External Entity", []],
+
+    # Others
+    ["unlink", "Arbitrary File Deletion", []],
+    ["extract", "Arbitrary Variable Overwrite", []],
+    ["setcookie", "Arbitrary Cookie", []],
+    ["chmod", "Arbitrary File Permission", []],
+    ["mkdir", "Arbitrary Folder Creation", []],
+    
 ]

test/cookies.php

@@ -0,0 +1,5 @@
+<?php
+$value = $_GET['name'];
+setcookie("TestCookie", $value, time()+3600);
+setcookie("TestCookie", $value);
+?>

test/extract.php

@@ -0,0 +1,18 @@
+<?php
+
+$flag='xxx'; 
+extract($_GET);
+ if(isset($shiyan))
+ { 
+    $content=trim(file_get_contents($flag));
+    if($shiyan==$content)
+    { 
+        echo'ctf{xxx}'; 
+    }
+   else
+   { 
+    echo'Oh.no';
+   } 
+   }
+
+?>

test/require.php

@@ -0,0 +1,10 @@
+<?php
+
+if (isset($_GET['which']))
+{
+    $which = $_GET['which'];
+    require_once $which.'noparenthesis.php';
+    require_once($which.'parenthesis.php';)
+}
+
+?>

test/sql-ip.php

@@ -0,0 +1,7 @@
+<?php
+function GetIP(){
+    $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
+    $cip = $_SERVER["REMOTE_ADDR"];
+    mysql_query("SELECT * from toot where ip=$cip");
+}
+?>

test/ssrf.php

@@ -0,0 +1,9 @@
+<?php
+    if(isset($_GET['r'])) {
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL, $_GET['r']);
+        curl_setopt($ch, CURLOPT_HEADER, 0);
+        curl_exec($ch);
+        curl_close($ch);
+    }
+?>

test/xxe.php

@@ -0,0 +1,10 @@
+<?php 
+    libxml_disable_entity_loader (false);
+    $xmlfile = file_get_contents($_POST['data']);
+    $dom = new DOMDocument();
+    $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
+    $creds = simplexml_import_dom($dom);
+    $user = $creds->user;
+    $pass = $creds->pass;
+    echo "You have logged in as user $user";
+?> 

test/xxe2.php

@@ -0,0 +1,14 @@
+<?php
+if ( isset( $_GET['name'] ) ) {
+libxml_use_internal_errors( true );
+libxml_disable_entity_loader( false );
+$xml = '<?xml version="1.0" encoding="UTF-8" standalone="no" ?>' . $_GET['name'];
+$parsed = simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NOENT );
+if ( !$parsed ) {
+foreach( libxml_get_errors() as $error )
+echo $error->message . "\n";
+} else {
+echo 'Hello ' . $parsed . "\n";
+}
+ }
+?>