| gemaglabin |
17.10.2006 18:21 |
Сканер скриптов на уязвимости
Вот,накатал.База маленькая,дополнить можно самому )
Естествено будут ложные срабатывания,ну вообще х3 , тестим
PHP код:
<html>
<head>
<title>PHP source vulnerability scaner</title>
<style>
body {
margin : 0px;
padding : 0px;
background-color : #101010;
font-family : "Verdana";
font-size : 10px;
color : #CCCCCC;
}
.j {
white-space:-moz-pre-wrap;
white-space:-pre-wrap;
white-space:-o-pre-wrap;
ord-wrap:break-word;
margin-top:4px;
margin-bottom:4px;
border:1px solid silver;
background-color:#f5f5f5;
font-family : "Verdana";
font-size : 11px;
padding:0.5em;
width:85%;
color:#222
}
.expl {
font-size:small;
margin-left:2em;
margin-right:2em
}
.h {
margin-top:1em;
margin-bottom:0px
}
input,textarea,select {
font-family : "Verdana";
font-size : 10px;
color : #CCCCCC;
border: 1px solid #404040;
BACKGROUND-COLOR: #222;
Width: 190px;
Heigth:46;
}
td {
font-size: 12px;
font-family: Verdana, "Trebuchet MS";
text-align: left;
}
code{
</style><hr>
</head>
<div style="align:center;">
<form name="scan" method="post">
<center>
<table border="0" cellpadding="2" cellspacing="0" style="">
<tr>
<td>Directory </td>
<td colspan="2"><input name="dir" type="text" value=""/></td>
<td colspan="2"><input type="submit" Value="Run"/></td>
</tr>
</table>
</center>
<hr>
</div>
</body>
</html>
<?php
ini_set("display_errors","0");
function _highlight()
{
global $ftext;
$phpteg = array ("'<\?php'si",
"'<\?'si",
"'\?>'si");
$fphpteg = array ("<font color=#95001E><?php</font>",
"<font color=#95001E><?</font>",
"<font color=#95001E>></font>");
$strings = array ("'(\"[^\"]*\")'si",
"'(\'[^\']*\')'si");
$fstrings = array ("<font color=#DD0000>\\1</font>",
"<font color=#DD0000>\\1</font>");
$operator = array ("'\,'si",
"'\-'si",
"'\+'si",
"'\('si",
"'\)'si",
"'\{'si",
"'\}'si");
$foperator = array ("<font color=#007700>,</font>",
"<font color=#007700>-</font>",
"<font color=#007700>+</font>",
"<font color=#007700>(</font>",
"<font color=#007700>)</font>",
"<font color=#007700>{</font>",
"<font color=#007700>}</font>");
$reserved = array ("'(echo)'si",
"'(print)'si",
"'(while)'si",
"'(switch)'si",
"'(if)'si",
"'(else)'si",
"'(function)'si",
"'(array)'si",
"'(for)'si");
$freserved = array_fill (0,count($reserved),"<font color=#007700>\\1</font>");
$comment = "'((?:#|//)[^\n]*|/\*.*?\*/)'si";
$function = "'([\w]+)([\s]*)[\(]'si";
$variable = "'([\$]{1,2}[A-Za-z_]+)'si";
$ftext = str_replace("<", "<", $ftext);
$ftext = str_replace(">", ">" , $ftext);
$ftemp = preg_replace ($phpteg ,$fphpteg,$ftext);
$ftemp = preg_replace ($comment ,"<font color=#244ECC>\\1</font>",$ftemp);
$ftemp = preg_replace ($function,"<font color=#0000cc>\\1</font>\\2(",$ftemp);
$ftemp = preg_replace ($operator,$foperator,$ftemp);
$ftemp = preg_replace ($variable,"<font color=#0000BB>\\1</font>",$ftemp);
$ftemp = preg_replace ($strings ,$fstrings,$ftemp);
$ftemp = preg_replace ($reserved,$freserved,$ftemp);
return "<code>$ftemp</code>";
}
function show_error ($title,$num,$text)
{
global $filename;
print ('<div class=h>');
print ("<font size=2>$title in $filename at $num</font>");
print ('<pre class=j>');
print ($num);
print (': ');
print ('<font size=3>'._highlight("<?php\n".$text."?>").'</font>');
print ('</div></pre>');
}
function scan_file($file)
{
global $ftext;
global $filename;
$fileh = file($file, 'r');
for ($i=0;$i<=count($fileh);$i++)
{
# scan for sql errors
if (preg_match('[mysql_query\(.*\$_(GET|POST|SESSION|COOKIE|REQUEST).*\)]', $fileh[$i],$res) ||
preg_match('[WHERE .*=\$_(GET|POST|SESSION|COOKIE|REQUEST)]', $fileh[$i],$res) ||
preg_match('[request.form|request.querystring ADODB.Connection]',$fileh[$i],$res) ||
preg_match('[query\(.*\$_(GET|POST|COOKIE|REQUEST).*\)]',$fileh[$i],$res) )
{
$ftext .= $fileh[$i];
$vuln = $vuln + 1;
echo show_error('Possible SQL injection',$i,$ftext);
}
# scan for php injections
if (preg_match('[(include|require)(_once)\s*(\(|\s).*\$_(GET|POST|SESSION|COOKIE|REQUEST)]', $fileh[$i],$res) ||
preg_match('[(eval)\(\$_(GET|POST|REQUEST|COOKIE)]', $fileh[$i],$res))
{
$ftext .= $fileh[$i];
$vuln = $vuln + 1;
echo show_error('Possible PHP injection',$i,$ftext);
}
# scan for xss bugs
if (preg_match('[(echo|print).*\$_(GET|POST|SESSION|COOKIE|REQUEST)]', $fileh[$i],$res) ||
preg_match("<(echo|print).*\$_SERVER\['PHP_SELF']>", $fileh[$i],$res))
{
$ftext .= $fileh[$i];
$vuln = $vuln + 1;
echo show_error('Possible XSS bug',$i,$ftext);
}
# dangerous code
if (preg_match('[\s+eval\s*\(\s*\$_(GET|POST|SESSION|COOKIE|REQUEST)]', $fileh[$i],$res) ||
preg_match('[(system|popen|shell_exec|exec)\s*\(\$_(GET|POST|COOKIE|REQUEST).*\)]', $fileh[$i],$res))
{
$ftext .= $fileh[$i];
$vuln = $vuln + 1;
echo show_error('Dangerous code',$i,$ftext);
}
# HTTP response splitting
if (preg_match('[header\s*\("Location:.*\$_(GET|POST|SESSION|COOKIE|REQUEST).*\)]', $fileh[$i],$res) ||
preg_match('[header\s*\(.*\$_(GET|POST|SESSION|COOKIE|REQUEST).*\)]', $fileh[$i],$res))
{
$ftext .= $fileh[$i];
$vuln = $vuln + 1;
echo show_error('HTTP response splitting',$i,$ftext);
}
}
}
if (isset($_POST['dir']))
{
$dir = opendir($_POST['dir']);
if (!$dir) die("<center><h1>Cannot open directory</h1></center>");
else
{
while (($ffile = readdir($dir)) !== false ) $filez .= $ffile."\n";
$filez= explode("\n",$filez);
$vuln = 0;
for ($b=0;$b<=count($filez);$b++)
{
$filename = $filez[$b];
if (is_file($filename)) echo scan_file($filename);
}
closedir ($dir);
}
}
?>
|
