XXE / SSRF / Cookies and more use-cases
parent
95fbef209c
commit
f2df2acd6d
61
README.md
61
README.md
|
@ -1,12 +1,23 @@
|
||||||
# VulnyCode - PHP Code Static Analysis
|
# VulnyCode - PHP Code Static Analysis [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=VulnyCode%20-%20PHP%20Code%20Static%20Analysis&url=https://github.com/swisskyrepo/Vulny-Code-Static-Analysis)
|
||||||
|
|
||||||
[![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/)
|
![1.0.0](https://img.shields.io/badge/Version-1.0.0%20Beta-RED) ![Python](https://img.shields.io/badge/Python-3.4+-GREEN) ![Platform](https://img.shields.io/badge/Platforms-Linux%20x64-yellowgreen)
|
||||||
|
|
||||||
Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes.
|
Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
# HELP
|
||||||
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis ‹master*›
|
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis ‹master*›
|
||||||
╰─$ python index.py --dir test
|
╰─$ python3 index.py
|
||||||
|
usage: index.py [-h] [--dir DIR] [--plain]
|
||||||
|
|
||||||
|
optional arguments:
|
||||||
|
-h, --help show this help message and exit
|
||||||
|
--dir DIR Directory to analyse
|
||||||
|
--plain No color in output
|
||||||
|
|
||||||
|
# Example
|
||||||
|
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis ‹master*›
|
||||||
|
╰─$ python3 index.py --dir test
|
||||||
------------------------------------------------------------
|
------------------------------------------------------------
|
||||||
Analyzing 'test' source code
|
Analyzing 'test' source code
|
||||||
------------------------------------------------------------
|
------------------------------------------------------------
|
||||||
|
@ -21,19 +32,39 @@ Declared at line 1 : $dest = $_GET['who'];
|
||||||
```
|
```
|
||||||
|
|
||||||
Currently detecting :
|
Currently detecting :
|
||||||
- SQL injection
|
- Arbitrary Cookie
|
||||||
- Local File Inclusion
|
- Arbitrary File Deletion
|
||||||
- Insecure emails
|
- Arbitrary Variable Overwrite
|
||||||
- Cross Site Scripting
|
- Cross Site Scripting
|
||||||
- Remote Commands Execution
|
- File Inclusion
|
||||||
- LDAP injection
|
- File Inclusion / Path Traversal
|
||||||
- XPATH injection
|
- File Upload
|
||||||
- PHP Objet Injection
|
- Header Injection
|
||||||
- Header injection
|
- Information Leak
|
||||||
- URL redirection
|
- Insecure E-mail
|
||||||
- Hardcoded credential
|
- Insecure Weak Random
|
||||||
- High Entropy string
|
- LDAP Injection
|
||||||
|
- PHP Object Injection
|
||||||
|
- Remote Code Execution
|
||||||
|
- Remote Command Execution
|
||||||
|
- Server Side Request Forgery
|
||||||
|
- Server Side Template Injection
|
||||||
|
- SQL Injection
|
||||||
|
- URL Redirection
|
||||||
|
- Weak Cryptographic Hash
|
||||||
|
- XML external entity
|
||||||
|
- XPATH Injection
|
||||||
|
- Hardcoded credentials
|
||||||
|
- High Entropy string
|
||||||
|
|
||||||
> if you want to export each vulnerabilities type into a folder use the "export.sh"
|
> if you want to export each vulnerabilities type into a folder use the "export.sh"
|
||||||
|
|
||||||
Don't forget to read the [license](/LICENSE) ;)
|
Don't forget to read the [license](/LICENSE) ;)
|
||||||
|
|
||||||
|
|
||||||
|
## Alternatives
|
||||||
|
|
||||||
|
* [RIPS - A static source code analyser for vulnerabilities in PHP scripts](https://blog.ripstech.com/2016/introducing-the-rips-analysis-engine/)
|
||||||
|
* [Cobra - Source Code Security Audit](https://github.com/WhaleShark-Team/cobra)
|
||||||
|
* [PHP parser written in Python using PLY](https://github.com/viraptor/phply)
|
||||||
|
* [Psalm - A static analysis tool for finding errors in PHP applications](https://psalm.dev/docs/security_analysis/)
|
10
detection.py
10
detection.py
|
@ -70,9 +70,17 @@ def analysis(path, plain):
|
||||||
# Detection of RCE/SQLI/LFI/RFI/RFU/XSS/...
|
# Detection of RCE/SQLI/LFI/RFI/RFU/XSS/...
|
||||||
for payload in payloads:
|
for payload in payloads:
|
||||||
regex = re.compile(payload[0] + regex_indicators)
|
regex = re.compile(payload[0] + regex_indicators)
|
||||||
matches = regex.findall(content)
|
matches = regex.findall(content.replace(" ", "(PLACEHOLDER"))
|
||||||
|
|
||||||
for vuln_content in matches:
|
for vuln_content in matches:
|
||||||
|
|
||||||
|
# Handle "require something" vs "require(something)"
|
||||||
|
# Dirty trick to force a parenthesis before the function's argument
|
||||||
|
vuln_content = list(vuln_content)
|
||||||
|
for i in range(len(vuln_content)):
|
||||||
|
vuln_content[i] = vuln_content[i].replace("(PLACEHOLDER", " ")
|
||||||
|
vuln_content[i] = vuln_content[i].replace("PLACEHOLDER", "")
|
||||||
|
|
||||||
occurence = 0
|
occurence = 0
|
||||||
|
|
||||||
# Security hole detected, is it protected ?
|
# Security hole detected, is it protected ?
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
# /!\ Detection Format (.*)function($vuln)(.*) matched by payload[0]+regex_indicators
|
# /!\ Detection Format (.*)function($vuln)(.*) matched by payload[0]+regex_indicators
|
||||||
regex_indicators = '\\((.*?)(\\$_GET\\[.*?\\]|\\$_FILES\\[.*?\\]|\\$_POST\\[.*?\\]|\\$_REQUEST\\[.*?\\]|\\$_COOKIES\\[.*?\\]|\\$_SESSION\\[.*?\\]|\\$(?!this|e-)[a-zA-Z0-9_,]*)(.*?)\\)'
|
regex_indicators = '\\((.*?)(\\$_GET\\[.*?\\]|\\$_FILES\\[.*?\\]|\\$_POST\\[.*?\\]|\\$_REQUEST\\[.*?\\]|\\$_COOKIES\\[.*?\\]|\\$_SESSION\\[.*?\\]|\\$(?!this|e-)[a-zA-Z0-9_]*)(.*?)\\)'
|
||||||
|
|
||||||
# Function_Name:String, Vulnerability_Name:String, Protection_Function:Array
|
# Function_Name:String, Vulnerability_Name:String, Protection_Function:Array
|
||||||
payloads = [
|
payloads = [
|
||||||
|
@ -10,6 +10,7 @@ payloads = [
|
||||||
# Remote Command Execution
|
# Remote Command Execution
|
||||||
["eval", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
["eval", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
||||||
["popen", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
["popen", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
||||||
|
["popen_ex", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
||||||
["system", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
["system", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
||||||
["passthru", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
["passthru", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
||||||
["exec", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
["exec", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
|
||||||
|
@ -36,7 +37,7 @@ payloads = [
|
||||||
|
|
||||||
["readfile", "File Inclusion / Path Traversal", []],
|
["readfile", "File Inclusion / Path Traversal", []],
|
||||||
["file_get_contents", "File Inclusion / Path Traversal", []],
|
["file_get_contents", "File Inclusion / Path Traversal", []],
|
||||||
["stream_get_contents", "File Inclusion / Path Traversal", []],
|
["file_put_contents", "File Inclusion / Path Traversal", []],
|
||||||
["show_source", "File Inclusion / Path Traversal", []],
|
["show_source", "File Inclusion / Path Traversal", []],
|
||||||
["fopen", "File Inclusion / Path Traversal", []],
|
["fopen", "File Inclusion / Path Traversal", []],
|
||||||
["file", "File Inclusion / Path Traversal", []],
|
["file", "File Inclusion / Path Traversal", []],
|
||||||
|
@ -45,6 +46,10 @@ payloads = [
|
||||||
["gzfile", "File Inclusion / Path Traversal", []],
|
["gzfile", "File Inclusion / Path Traversal", []],
|
||||||
["gzpassthru", "File Inclusion / Path Traversal", []],
|
["gzpassthru", "File Inclusion / Path Traversal", []],
|
||||||
["readgzfile", "File Inclusion / Path Traversal", []],
|
["readgzfile", "File Inclusion / Path Traversal", []],
|
||||||
|
|
||||||
|
["DirectoryIterator", "File Inclusion / Path Traversal", []],
|
||||||
|
["stream_get_contents", "File Inclusion / Path Traversal", []],
|
||||||
|
["copy", "File Inclusion / Path Traversal", []],
|
||||||
|
|
||||||
# MySQL(i) SQL Injection
|
# MySQL(i) SQL Injection
|
||||||
["mysql_query", "SQL Injection", ["mysql_real_escape_string"]],
|
["mysql_query", "SQL Injection", ["mysql_real_escape_string"]],
|
||||||
|
@ -104,6 +109,7 @@ payloads = [
|
||||||
["ifx_htmltbl_result", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
|
["ifx_htmltbl_result", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
|
||||||
["die", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
|
["die", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
|
||||||
["exit", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
|
["exit", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
|
||||||
|
["var_dump", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
|
||||||
|
|
||||||
# XPATH and LDAP
|
# XPATH and LDAP
|
||||||
["xpath", "XPATH Injection", []],
|
["xpath", "XPATH Injection", []],
|
||||||
|
@ -130,6 +136,7 @@ payloads = [
|
||||||
|
|
||||||
# Weak Cryptographic Hash
|
# Weak Cryptographic Hash
|
||||||
["md5", "Weak Cryptographic Hash", []],
|
["md5", "Weak Cryptographic Hash", []],
|
||||||
|
["sha1", "Weak Cryptographic Hash", []],
|
||||||
|
|
||||||
# Insecure Weak Random
|
# Insecure Weak Random
|
||||||
["mt_rand", "Insecure Weak Random", []],
|
["mt_rand", "Insecure Weak Random", []],
|
||||||
|
@ -141,5 +148,23 @@ payloads = [
|
||||||
["show_source", "Information Leak", []],
|
["show_source", "Information Leak", []],
|
||||||
["highlight_file", "Information Leak", []],
|
["highlight_file", "Information Leak", []],
|
||||||
|
|
||||||
|
# Server Side Request Forgery
|
||||||
|
["curl_setopt", "Server Side Request Forgery", []],
|
||||||
|
["curl_exec", "Server Side Request Forgery", []],
|
||||||
|
["fsockopen", "Server Side Request Forgery", []],
|
||||||
|
|
||||||
|
|
||||||
|
# XML External Entity
|
||||||
|
["SimpleXMLElement", "XML External Entity", []],
|
||||||
|
["xmlparse", "XML External Entity", []],
|
||||||
|
["loadXML", "XML External Entity", []],
|
||||||
|
["simplexml_load_string", "XML External Entity", []],
|
||||||
|
|
||||||
|
# Others
|
||||||
|
["unlink", "Arbitrary File Deletion", []],
|
||||||
|
["extract", "Arbitrary Variable Overwrite", []],
|
||||||
|
["setcookie", "Arbitrary Cookie", []],
|
||||||
|
["chmod", "Arbitrary File Permission", []],
|
||||||
|
["mkdir", "Arbitrary Folder Creation", []],
|
||||||
|
|
||||||
]
|
]
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
<?php
|
||||||
|
$value = $_GET['name'];
|
||||||
|
setcookie("TestCookie", $value, time()+3600);
|
||||||
|
setcookie("TestCookie", $value);
|
||||||
|
?>
|
|
@ -0,0 +1,18 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
$flag='xxx';
|
||||||
|
extract($_GET);
|
||||||
|
if(isset($shiyan))
|
||||||
|
{
|
||||||
|
$content=trim(file_get_contents($flag));
|
||||||
|
if($shiyan==$content)
|
||||||
|
{
|
||||||
|
echo'ctf{xxx}';
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
echo'Oh.no';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
|
@ -0,0 +1,10 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
if (isset($_GET['which']))
|
||||||
|
{
|
||||||
|
$which = $_GET['which'];
|
||||||
|
require_once $which.'noparenthesis.php';
|
||||||
|
require_once($which.'parenthesis.php';)
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
|
@ -0,0 +1,7 @@
|
||||||
|
<?php
|
||||||
|
function GetIP(){
|
||||||
|
$cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
|
||||||
|
$cip = $_SERVER["REMOTE_ADDR"];
|
||||||
|
mysql_query("SELECT * from toot where ip=$cip");
|
||||||
|
}
|
||||||
|
?>
|
|
@ -0,0 +1,9 @@
|
||||||
|
<?php
|
||||||
|
if(isset($_GET['r'])) {
|
||||||
|
$ch = curl_init();
|
||||||
|
curl_setopt($ch, CURLOPT_URL, $_GET['r']);
|
||||||
|
curl_setopt($ch, CURLOPT_HEADER, 0);
|
||||||
|
curl_exec($ch);
|
||||||
|
curl_close($ch);
|
||||||
|
}
|
||||||
|
?>
|
|
@ -0,0 +1,10 @@
|
||||||
|
<?php
|
||||||
|
libxml_disable_entity_loader (false);
|
||||||
|
$xmlfile = file_get_contents($_POST['data']);
|
||||||
|
$dom = new DOMDocument();
|
||||||
|
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
|
||||||
|
$creds = simplexml_import_dom($dom);
|
||||||
|
$user = $creds->user;
|
||||||
|
$pass = $creds->pass;
|
||||||
|
echo "You have logged in as user $user";
|
||||||
|
?>
|
|
@ -0,0 +1,14 @@
|
||||||
|
<?php
|
||||||
|
if ( isset( $_GET['name'] ) ) {
|
||||||
|
libxml_use_internal_errors( true );
|
||||||
|
libxml_disable_entity_loader( false );
|
||||||
|
$xml = '<?xml version="1.0" encoding="UTF-8" standalone="no" ?>' . $_GET['name'];
|
||||||
|
$parsed = simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NOENT );
|
||||||
|
if ( !$parsed ) {
|
||||||
|
foreach( libxml_get_errors() as $error )
|
||||||
|
echo $error->message . "\n";
|
||||||
|
} else {
|
||||||
|
echo 'Hello ' . $parsed . "\n";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
?>
|
Loading…
Reference in New Issue