XXE / SSRF / Cookies and more use-cases

pull/13/head
Swissky 2020-09-29 14:08:36 +02:00
parent 95fbef209c
commit f2df2acd6d
10 changed files with 155 additions and 18 deletions

View File

@ -1,12 +1,23 @@
# VulnyCode - PHP Code Static Analysis # VulnyCode - PHP Code Static Analysis [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=VulnyCode%20-%20PHP%20Code%20Static%20Analysis&url=https://github.com/swisskyrepo/Vulny-Code-Static-Analysis)
[![Python 3.4+](https://img.shields.io/badge/python-3.4+-blue.svg)](https://www.python.org/downloads/release/python-360/) ![1.0.0](https://img.shields.io/badge/Version-1.0.0%20Beta-RED) ![Python](https://img.shields.io/badge/Python-3.4+-GREEN) ![Platform](https://img.shields.io/badge/Platforms-Linux%20x64-yellowgreen)
Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes. Basic script to detect vulnerabilities into a PHP source code, it is using Regular Expression to find sinkholes.
```bash ```bash
# HELP
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis master* ╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis master*
╰─$ python index.py --dir test ╰─$ python3 index.py
usage: index.py [-h] [--dir DIR] [--plain]
optional arguments:
-h, --help show this help message and exit
--dir DIR Directory to analyse
--plain No color in output
# Example
╭─ 👻 swissky@crashlab: ~/Github/PHP_Code_Static_Analysis master*
╰─$ python3 index.py --dir test
------------------------------------------------------------ ------------------------------------------------------------
Analyzing 'test' source code Analyzing 'test' source code
------------------------------------------------------------ ------------------------------------------------------------
@ -21,19 +32,39 @@ Declared at line 1 : $dest = $_GET['who'];
``` ```
Currently detecting : Currently detecting :
- SQL injection - Arbitrary Cookie
- Local File Inclusion - Arbitrary File Deletion
- Insecure emails - Arbitrary Variable Overwrite
- Cross Site Scripting - Cross Site Scripting
- Remote Commands Execution - File Inclusion
- LDAP injection - File Inclusion / Path Traversal
- XPATH injection - File Upload
- PHP Objet Injection - Header Injection
- Header injection - Information Leak
- URL redirection - Insecure E-mail
- Hardcoded credential - Insecure Weak Random
- High Entropy string - LDAP Injection
- PHP Object Injection
- Remote Code Execution
- Remote Command Execution
- Server Side Request Forgery
- Server Side Template Injection
- SQL Injection
- URL Redirection
- Weak Cryptographic Hash
- XML external entity
- XPATH Injection
- Hardcoded credentials
- High Entropy string
> if you want to export each vulnerabilities type into a folder use the "export.sh" > if you want to export each vulnerabilities type into a folder use the "export.sh"
Don't forget to read the [license](/LICENSE) ;) Don't forget to read the [license](/LICENSE) ;)
## Alternatives
* [RIPS - A static source code analyser for vulnerabilities in PHP scripts](https://blog.ripstech.com/2016/introducing-the-rips-analysis-engine/)
* [Cobra - Source Code Security Audit](https://github.com/WhaleShark-Team/cobra)
* [PHP parser written in Python using PLY](https://github.com/viraptor/phply)
* [Psalm - A static analysis tool for finding errors in PHP applications](https://psalm.dev/docs/security_analysis/)

View File

@ -70,9 +70,17 @@ def analysis(path, plain):
# Detection of RCE/SQLI/LFI/RFI/RFU/XSS/... # Detection of RCE/SQLI/LFI/RFI/RFU/XSS/...
for payload in payloads: for payload in payloads:
regex = re.compile(payload[0] + regex_indicators) regex = re.compile(payload[0] + regex_indicators)
matches = regex.findall(content) matches = regex.findall(content.replace(" ", "(PLACEHOLDER"))
for vuln_content in matches: for vuln_content in matches:
# Handle "require something" vs "require(something)"
# Dirty trick to force a parenthesis before the function's argument
vuln_content = list(vuln_content)
for i in range(len(vuln_content)):
vuln_content[i] = vuln_content[i].replace("(PLACEHOLDER", " ")
vuln_content[i] = vuln_content[i].replace("PLACEHOLDER", "")
occurence = 0 occurence = 0
# Security hole detected, is it protected ? # Security hole detected, is it protected ?

View File

@ -2,7 +2,7 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# /!\ Detection Format (.*)function($vuln)(.*) matched by payload[0]+regex_indicators # /!\ Detection Format (.*)function($vuln)(.*) matched by payload[0]+regex_indicators
regex_indicators = '\\((.*?)(\\$_GET\\[.*?\\]|\\$_FILES\\[.*?\\]|\\$_POST\\[.*?\\]|\\$_REQUEST\\[.*?\\]|\\$_COOKIES\\[.*?\\]|\\$_SESSION\\[.*?\\]|\\$(?!this|e-)[a-zA-Z0-9_,]*)(.*?)\\)' regex_indicators = '\\((.*?)(\\$_GET\\[.*?\\]|\\$_FILES\\[.*?\\]|\\$_POST\\[.*?\\]|\\$_REQUEST\\[.*?\\]|\\$_COOKIES\\[.*?\\]|\\$_SESSION\\[.*?\\]|\\$(?!this|e-)[a-zA-Z0-9_]*)(.*?)\\)'
# Function_Name:String, Vulnerability_Name:String, Protection_Function:Array # Function_Name:String, Vulnerability_Name:String, Protection_Function:Array
payloads = [ payloads = [
@ -10,6 +10,7 @@ payloads = [
# Remote Command Execution # Remote Command Execution
["eval", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]], ["eval", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
["popen", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]], ["popen", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
["popen_ex", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
["system", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]], ["system", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
["passthru", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]], ["passthru", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
["exec", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]], ["exec", "Remote Command Execution", ["escapeshellarg", "escapeshellcmd"]],
@ -36,7 +37,7 @@ payloads = [
["readfile", "File Inclusion / Path Traversal", []], ["readfile", "File Inclusion / Path Traversal", []],
["file_get_contents", "File Inclusion / Path Traversal", []], ["file_get_contents", "File Inclusion / Path Traversal", []],
["stream_get_contents", "File Inclusion / Path Traversal", []], ["file_put_contents", "File Inclusion / Path Traversal", []],
["show_source", "File Inclusion / Path Traversal", []], ["show_source", "File Inclusion / Path Traversal", []],
["fopen", "File Inclusion / Path Traversal", []], ["fopen", "File Inclusion / Path Traversal", []],
["file", "File Inclusion / Path Traversal", []], ["file", "File Inclusion / Path Traversal", []],
@ -45,6 +46,10 @@ payloads = [
["gzfile", "File Inclusion / Path Traversal", []], ["gzfile", "File Inclusion / Path Traversal", []],
["gzpassthru", "File Inclusion / Path Traversal", []], ["gzpassthru", "File Inclusion / Path Traversal", []],
["readgzfile", "File Inclusion / Path Traversal", []], ["readgzfile", "File Inclusion / Path Traversal", []],
["DirectoryIterator", "File Inclusion / Path Traversal", []],
["stream_get_contents", "File Inclusion / Path Traversal", []],
["copy", "File Inclusion / Path Traversal", []],
# MySQL(i) SQL Injection # MySQL(i) SQL Injection
["mysql_query", "SQL Injection", ["mysql_real_escape_string"]], ["mysql_query", "SQL Injection", ["mysql_real_escape_string"]],
@ -104,6 +109,7 @@ payloads = [
["ifx_htmltbl_result", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]], ["ifx_htmltbl_result", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
["die", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]], ["die", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
["exit", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]], ["exit", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
["var_dump", "Cross Site Scripting", ["htmlentities", "htmlspecialchars"]],
# XPATH and LDAP # XPATH and LDAP
["xpath", "XPATH Injection", []], ["xpath", "XPATH Injection", []],
@ -130,6 +136,7 @@ payloads = [
# Weak Cryptographic Hash # Weak Cryptographic Hash
["md5", "Weak Cryptographic Hash", []], ["md5", "Weak Cryptographic Hash", []],
["sha1", "Weak Cryptographic Hash", []],
# Insecure Weak Random # Insecure Weak Random
["mt_rand", "Insecure Weak Random", []], ["mt_rand", "Insecure Weak Random", []],
@ -141,5 +148,23 @@ payloads = [
["show_source", "Information Leak", []], ["show_source", "Information Leak", []],
["highlight_file", "Information Leak", []], ["highlight_file", "Information Leak", []],
# Server Side Request Forgery
["curl_setopt", "Server Side Request Forgery", []],
["curl_exec", "Server Side Request Forgery", []],
["fsockopen", "Server Side Request Forgery", []],
# XML External Entity
["SimpleXMLElement", "XML External Entity", []],
["xmlparse", "XML External Entity", []],
["loadXML", "XML External Entity", []],
["simplexml_load_string", "XML External Entity", []],
# Others
["unlink", "Arbitrary File Deletion", []],
["extract", "Arbitrary Variable Overwrite", []],
["setcookie", "Arbitrary Cookie", []],
["chmod", "Arbitrary File Permission", []],
["mkdir", "Arbitrary Folder Creation", []],
] ]

5
test/cookies.php Normal file
View File

@ -0,0 +1,5 @@
<?php
$value = $_GET['name'];
setcookie("TestCookie", $value, time()+3600);
setcookie("TestCookie", $value);
?>

18
test/extract.php Normal file
View File

@ -0,0 +1,18 @@
<?php
$flag='xxx';
extract($_GET);
if(isset($shiyan))
{
$content=trim(file_get_contents($flag));
if($shiyan==$content)
{
echo'ctf{xxx}';
}
else
{
echo'Oh.no';
}
}
?>

10
test/require.php Normal file
View File

@ -0,0 +1,10 @@
<?php
if (isset($_GET['which']))
{
$which = $_GET['which'];
require_once $which.'noparenthesis.php';
require_once($which.'parenthesis.php';)
}
?>

7
test/sql-ip.php Normal file
View File

@ -0,0 +1,7 @@
<?php
function GetIP(){
$cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
$cip = $_SERVER["REMOTE_ADDR"];
mysql_query("SELECT * from toot where ip=$cip");
}
?>

9
test/ssrf.php Normal file
View File

@ -0,0 +1,9 @@
<?php
if(isset($_GET['r'])) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET['r']);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
}
?>

10
test/xxe.php Normal file
View File

@ -0,0 +1,10 @@
<?php
libxml_disable_entity_loader (false);
$xmlfile = file_get_contents($_POST['data']);
$dom = new DOMDocument();
$dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
$creds = simplexml_import_dom($dom);
$user = $creds->user;
$pass = $creds->pass;
echo "You have logged in as user $user";
?>

14
test/xxe2.php Normal file
View File

@ -0,0 +1,14 @@
<?php
if ( isset( $_GET['name'] ) ) {
libxml_use_internal_errors( true );
libxml_disable_entity_loader( false );
$xml = '<?xml version="1.0" encoding="UTF-8" standalone="no" ?>' . $_GET['name'];
$parsed = simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NOENT );
if ( !$parsed ) {
foreach( libxml_get_errors() as $error )
echo $error->message . "\n";
} else {
echo 'Hello ' . $parsed . "\n";
}
}
?>