
Name
Vulnerability Tester
Description
A source code tester. It searches through code (PHP files in this case) and flags lines containing possibly vulnerable syntax.
PHP Snippet
<?PHP IF($_GET["search_style"] == "Directory") { ?> selected="selected" <?PHP } ?>>Directory</OPTION>
      <OPTION <?PHP IF($_GET["search_style"] == "File") { ?> selected="selected" <?PHP } ?>>File</OPTION>
   </SELECT>
   <INPUT id="user_input" class="user_input" value="" name="source_dir" size="80" onmouseover="javascript:mouseOver_Action('user_input', '#333399');" onmouseout="javascript:mouseOut_Action('user_input', '#333366');">
 
   <INPUT id="analyze" class="button" value="Analyse" type="submit" onmouseover="javascript:mouseOver_Action('analyze', '#333399');" onmouseout="javascript:mouseOut_Action('analyze', '#333366');">
   <INPUT id="reset" class="button" type="reset" onmouseover="javascript:mouseOver_Action('reset', '#333399');" onmouseout="javascript:mouseOut_Action('reset', '#333366');"><BR>
   <INPUT class="button" type="checkbox" name="RFI"<?PHP IF($_GET["RFI"] == "on") { ECHO "checked"; }?>><LABEL class="button">Remote File Inc.</LABEL>
   <INPUT class="button" type="checkbox" name="SQL"<?PHP IF($_GET["SQL"] == "on") { ECHO "checked"; }?>><LABEL class="button">SQL</LABEL>
   <INPUT class="button" type="checkbox" name="RCE"<?PHP IF($_GET["RCE"] == "on") { ECHO "checked"; }?>><LABEL class="button">Remote Command Execute</LABEL>
 
 
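<?PHP
/* Custom-search box. The previous search string is written back into the value="" attribute,
   so it is HTML-encoded first: echoing $_GET['custom_search'] raw let a crafted link close the
   attribute and inject markup or script into the page (reflected XSS). Non-string values
   (custom_search[]=...) are ignored rather than echoed. */
?>
<FIELDSET style='color:#CCCCFF; border-width:1; border-color:#CCCCFF; width:50%;background-color:#333366; margin:0 0 5 0'>
<LEGEND>Custum Search</LEGEND>
<LABEL class="button">Search String: </LABEL><INPUT id="custom_search" class="user_input"  value="<?PHP IF(ISSET($_GET['custom_search']) and is_string($_GET['custom_search'])) { ECHO htmlspecialchars($_GET['custom_search'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); } ?>" name="custom_search" size="80" onmouseover="javascript:mouseOver_Action('custom_search', '#333399');" onmouseout="javascript:mouseOut_Action('custom_search', '#333366');" style='margin:0;'>
</FIELDSET>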
</FORM>
<?PHP
 
/*----------------------------------------------------------------------------------------------
DIRECTORY RECURSION FUNCTION
-------------------------------------------------------------------------------------------------*/
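// Request validation: runs before anything touches the filesystem and stops the page (DIE)
// with a message when the target is missing or is not of the requested kind.
//  - source_dir / search_style are read defensively: a missing key or a non-string value
//    (source_dir[]=...) is treated as empty instead of reaching IS_DIR()/IS_FILE().
//  - Any search_style other than "Directory" is validated as a file, because the listing code
//    that follows treats every non-"Directory" request as a single file. Previously such a
//    request skipped both checks and the raw value went on to be opened.
//  - source_dir is echoed back inside the error box, so it is HTML-encoded first; echoing it
//    raw was a reflected XSS sink.
$vt_source = (ISSET($_GET["source_dir"]) and is_string($_GET["source_dir"])) ? $_GET["source_dir"] : "";
$vt_style = (ISSET($_GET["search_style"]) and is_string($_GET["search_style"])) ? $_GET["search_style"] : "";
IF($vt_source === "") { ?><div class="sql_window">[INFO] Please enter a directory [INFO]</div><?PHP DIE; }
$vt_source_html = htmlspecialchars($vt_source, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
IF($vt_style == "Directory") {
   IF(!IS_DIR($vt_source)) {
      ?><div class="rfi_window">[Error] <?PHP ECHO " " . $vt_source_html . " "?>does not exist or is not a directory [Error]</div><?PHP DIE;
   }
} ELSE IF(!IS_FILE($vt_source)) {
   ?><div class="rfi_window">[Error] <?PHP ECHO " " . $vt_source_html . " "?>does not exist or is not a file [Error]</div><?PHP DIE;
}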
 
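// Build $php_listing, the list of files the scanner will read.
//
// NOTE(review): source_dir comes straight from the query string, so anyone who can load this
// page can have the server enumerate a directory tree and print the PHP sources in it. Run the
// tool only where that is acceptable (local/dev use), or confine source_dir to an approved base
// directory before this point.
//
// Changes from the earlier version of this section:
//  - the separator is DIRECTORY_SEPARATOR instead of a hard-coded "\\", so the walk also works
//    outside Windows; trailing separators typed by the user are trimmed first;
//  - in "File" mode the path itself is queued (previously the separator was appended to the
//    file name as well);
//  - a directory that cannot be opened is skipped instead of being passed to readdir();
//  - every directory is resolved with realpath() and visited once, so a symlink cycle cannot
//    make the walk run forever;
//  - the ".php" test ignores case ("INDEX.PHP" is picked up). It is still a substring test, so
//    names such as "config.php.bak" stay in scope.
$vt_source = (ISSET($_GET["source_dir"]) and is_string($_GET["source_dir"])) ? $_GET["source_dir"] : "";
$base_dir = rtrim($vt_source, "/\\") . DIRECTORY_SEPARATOR;
$dir_listing = array(0 => $base_dir);   // work queue of directories; grows while it is walked
$php_listing = array();                 // files selected for scanning
$vt_seen_dirs = array();                // realpath => true for every directory already walked
$x = 0;                                 // index of the queue entry being processed

if(ISSET($_GET["search_style"]) and $_GET["search_style"] == "Directory") {
   while($vt_source !== "" and $x < count($dir_listing)) {
      $curr_directory = $dir_listing[$x];
      $dir_handle[$x] = false;
      $vt_real = realpath($curr_directory);
      if($vt_real !== false and !ISSET($vt_seen_dirs[$vt_real])) {
         $vt_seen_dirs[$vt_real] = true;
         $dir_handle[$x] = opendir($curr_directory);
      }
      if($dir_handle[$x] !== false) {
         while(false !== ($file = readdir($dir_handle[$x]))) {
            if($file == "." or $file == "..") { continue; }   // never queue self/parent
            $curr_file = $curr_directory . $file;
            if(is_dir($curr_file)) {
               $dir_listing[] = $curr_file . DIRECTORY_SEPARATOR;
            } else if(is_file($curr_file) and stripos($file, ".php") !== false) {
               $php_listing[] = $curr_file;
            }
         }
         closedir($dir_handle[$x]);
      }
      $x++;
   }
} else {
   // Single-file mode: scan exactly the path that was submitted.
   $php_listing[] = $vt_source;
}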
/*-------------------------------------------------------------------------------------------
SOURCE SYNTAX SEARCH FUNCTION
--------------------------------------------------------------------------------------------*/   
//Array holding all the strings to search for
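// Custom search terms: a comma-separated list from the query string.
// $custom_search is always defined ("on"/"off") so the scan loop never reads an unset variable,
// and empty terms (from "a,,b" or a trailing comma) are dropped, because an empty needle makes
// substr_count() fail instead of returning a count.
$custom_search = "off";
$vuln_custom_syntax = array();
if(ISSET($_GET['custom_search']) and is_string($_GET['custom_search']) and $_GET['custom_search'] <> "") {
   foreach(explode(',', $_GET['custom_search']) as $vt_term) {
      if($vt_term !== "") {
         $vuln_custom_syntax[] = $vt_term;
      }
   }
   if(count($vuln_custom_syntax) > 0) {
      $custom_search = "on";
   }
}

// Built-in term lists, one per checkbox on the form. Each entry is a plain substring that the
// scan loop looks for in every source line, so a hit means "worth a manual look", not a
// confirmed vulnerability, and a clean result does not prove the code is safe.
$vuln_rfi_syntax = array("REQUIRE", "INCLUDE", "EMPTY", "READFILE", "FREAD", "FWRITE", "writefile", "FOPEN","_GET", "_POST", "_SESSION", "_REQUEST", "_USER", "EVAL");
$vuln_sql_syntax = array("sql", "dbquery", "query", "WHERE", "SELECT", "DELETE", "INSERT");
$vuln_rce_syntax = array("POPEN", "SYSTEM", "EVAL", "PASSTHRU");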
 
 
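/*
 * Scan loop: read every file in $php_listing, split it into lines and print a result box for
 * each line that contains one of the enabled search terms.
 *
 * Fixes relative to the earlier version of this loop:
 *  - Built-in terms are matched case-insensitively. PHP function and keyword names are not
 *    case-sensitive, and the lists are upper-case, so `include $_GET[...]` or `system(...)`
 *    written in lower case was never reported. User-supplied custom terms stay case-sensitive.
 *  - Matching runs on the raw line. strip_tags() used to run first; it also deletes
 *    `<?php ... ?>` spans, so one-line PHP blocks vanished before they could be matched.
 *  - Everything echoed (file name, matched line, context lines) goes through htmlspecialchars().
 *    strip_tags() is not an output encoder, and scanned files are untrusted input to this page.
 *  - Duplicate detection uses in_array(); `!array_search()` treated a match at index 0 as
 *    "not found".
 *  - The line loop stops at the last line (`<` instead of `<=`), context lines outside the file
 *    are skipped, and reported line numbers are 1-based.
 *  - Unreadable, non-regular and empty files are handled without calling fread() with a zero or
 *    invalid length.
 *
 * NOTE(review): lines containing "//", "/*" or "* " are still skipped as presumed comments.
 * That also hides code with a trailing comment or a URL on the same line; a tokenizer-based
 * filter (token_get_all) would be needed to separate comments reliably.
 */
if(!function_exists('vt_report_matches')) {
   /**
    * Print a result box for line $i when it contains any of $terms.
    *
    * @param array  $terms         substrings to look for; empty entries are ignored
    * @param array  $lines         all lines of the current file
    * @param int    $i             zero-based index of the line being tested
    * @param array  $vuln_found    lines already reported for this file (updated in place)
    * @param int    $vuln_count    running id used for the v<N>/c<N> element ids (updated in place)
    * @param string $css_class     class of the result box (rfi_window, sql_window, rce_window)
    * @param string $hover_color   colour handed to mouseOver_Action
    * @param int    $context_start index of the first of the 21 context lines to print
    * @param bool   $ignore_case   true to match without regard to case
    */
   function vt_report_matches($terms, $lines, $i, &$vuln_found, &$vuln_count, $css_class, $hover_color, $context_start, $ignore_case) {
      $line_total = count($lines);
      foreach($terms as $term) {
         if(!is_string($term) or $term === "") { continue; }
         $hit = $ignore_case ? stripos($lines[$i], $term) : strpos($lines[$i], $term);
         if($hit === false) { continue; }

         $vuln_line = "line# " . ($i + 1) . ":  " . $lines[$i] . "\n\r\n\r";
         if(!in_array($vuln_line, $vuln_found, true)) {      // one box per line, however many terms hit
            $vuln_found[] = $vuln_line;
            $id = (int)$vuln_count;
            printf(
               "<a border=\"0\" onmouseover=\"javascript:mouseOver_Action('v%d', '%s');\" onmouseout=\"javascript:mouseOut_Action('v%d', '#000');\" onmousedown=\"javascript:mouseDown_Action('c%d');\"><div id=\"v%d\" class=\"%s\">%s\n",
               $id, $hover_color, $id, $id, $id, $css_class,
               htmlspecialchars($vuln_line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            );
            echo "<div id=\"c" . $id . "\" class=\"code_window\"  style=\"visibility:hidden\">\n";
            for($y = 0; $y <= 20; $y++) {                    // 21 lines of surrounding code
               $ctx = $context_start + $y;
               if($ctx >= 0 and $ctx < $line_total) {
                  echo htmlspecialchars($lines[$ctx], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br>";
               }
            }
            echo "</div></div></a>\n";
         }
         $vuln_count++;                                      // advanced on every hit, so ids stay unique
      }
   }
}

$vuln_count = 1;      // running id for the v<N>/c<N> elements the page's JavaScript toggles
for($z = 0; $z < count($php_listing); $z++) {
   $vuln_found = array();            // reset per file: duplicates are tracked within one file
   $filename = $php_listing[$z];
   // is_file() keeps anything that is not a regular file away from the read.
   $contents = is_file($filename) ? file_get_contents($filename) : false;

?>
<!--New File Started-->
<div class='file_window'>Filename:<?PHP ECHO " " . htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></div>
<?PHP
   if($contents === false) { continue; }                  // unreadable: heading printed, nothing to scan
   $exp_content = explode("\n", $contents);
   $vt_line_total = count($exp_content);

   for($i = 0; $i < $vt_line_total; $i++) {
      $vt_line = $exp_content[$i];
      // Skip blank lines and lines that look like comments (see NOTE(review) above).
      if($vt_line == ""
         or strpos($vt_line, "//") !== false
         or strpos($vt_line, "/*") !== false
         or strpos($vt_line, "* ") !== false
         ) {
         continue;
      }

      // Custom terms supplied by the user: context window is 11 lines before to 9 after.
      if(ISSET($custom_search) and $custom_search == "on" and ISSET($vuln_custom_syntax) and is_array($vuln_custom_syntax)) {
         vt_report_matches($vuln_custom_syntax, $exp_content, $i, $vuln_found, $vuln_count, "rce_window", "#CC6600", $i - 11, false);
      }
      // Remote file inclusion terms: context window is the hit line and the 20 after it.
      if(ISSET($_GET["RFI"]) and $_GET["RFI"] == "on") {
         vt_report_matches($vuln_rfi_syntax, $exp_content, $i, $vuln_found, $vuln_count, "rfi_window", "#CC0000", $i, true);
      }
      // SQL terms: same window as RFI.
      if(ISSET($_GET["SQL"]) and $_GET["SQL"] == "on") {
         vt_report_matches($vuln_sql_syntax, $exp_content, $i, $vuln_found, $vuln_count, "sql_window", "#666699", $i, true);
      }
      // Remote command execution terms: same window as the custom search.
      if(ISSET($_GET["RCE"]) and $_GET["RCE"] == "on") {
         vt_report_matches($vuln_rce_syntax, $exp_content, $i, $vuln_found, $vuln_count, "rce_window", "#CC6600", $i - 11, true);
      }
   }
}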
?>