DZone Snippets: vuln code http://snippets.dzone.com/posts Thu, 24 Jul 2008 17:03:21 GMT DZone Snippets: vuln code bScan - Simple Web Aplications Scanner http://snippets.dzone.com/posts/show/5094 // Web application scanner (ex: phpBB, myCMS, myBlog, mySite etc..) - Only in PHP ! <br />// Find XSS, sql injection, remote file inclusion <br /> <br /><code> <br />##################################################################################### <br /># Black_H / Nooz -- 30:01:07 <br /># Bl4ck.H<>gmail<>com <br /># <br /> <br />class BScan <br /> <br />##################################################################################### <br /># Regex <br /># <br /> <br />@@space = '([[:space:]]*)' <br /> <br />@@userdat = '(' <br />@@userdat += '(\$_SERVER\[([\'\"]*)HTTP_)|' <br />@@userdat += '(\$_GET)|' <br />@@userdat += '(\$_POST)|' <br />@@userdat += '(\$_COOKIE)|' <br />@@userdat += '(\$_REQUEST)|' <br />@@userdat += '(\$_FILES)|' <br />@@userdat += '(\$_ENV)|' <br />@@userdat += '(\$_HTTP_COOKIE_VARS)|' <br />@@userdat += '(\$_HTTP_ENV_VARS)|' <br />@@userdat += '(\$_HTTP_GET_VARS)|' <br />@@userdat += '(\$_HTTP_POST_FILES)|' <br />@@userdat += '(\$_HTTP_POST_VARS)|' <br />@@userdat += '(\$_HTTP_SERVER_VARS\[([\'\"]*)HTTP_)' <br />@@userdat += ')' <br /> <br />@@regex = Hash.new <br />@@regex = <br /> {'TYPE' => 'vars overwrite','LEVEL' => '2','REGEX' => /extract#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'vars overwrite','LEVEL' => '2','REGEX' => /import_request_variables#{@@space}\((.*)\)/i}, <br /> {'TYPE' => 'fopen vuln','LEVEL' => '3','REGEX' => /fopen#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'copy vuln','LEVEL' => '3','REGEX' => /copy#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'fwrite vuln','LEVEL' => '3','REGEX' => /fwrite#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'sql injection','LEVEL' => '2','REGEX' => /(mysql_query|mssql_query|mysqli_query)#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'crlf injection','LEVEL' => '1','REGEX' => /mail#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'cross site scripting','LEVEL' => '1','REGEX' => /\<\?\=#{@@space}(.*)#{@@userdat}/i}, <br /> {'TYPE' => 'cross site scripting','LEVEL' => '1','REGEX' => /(print|echo|print_r|var_dump)#{@@space}(|\(|\")(.*)#{@@userdat}/i}, <br /> {'TYPE' => 'php code execution','LEVEL' => '3','REGEX' => /eval#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'php code execution','LEVEL' => '3','REGEX' => /file_put_contents#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'variable attribution', 'LEVEL' => '2','REGEX' => /(.*)\$#{@@userdat}(.*)/i}, <br /> {'TYPE' => 'chmod affectation','LEVEL' => '1','REGEX' => /chmod#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'file disclosure','LEVEL' => '2','REGEX' => /(readfile|file_get_contents|file)#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'file disclosure','LEVEL' => '2','REGEX' => /(show_source|highlight_file)#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'bzopen vuln','LEVEL' => '2','REGEX' => /bzopen#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'file deletion','LEVEL' => '2','REGEX' => /(rmdir|unlink|delete)#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'command execution','LEVEL' => '3','REGEX' => /(exec|system|passthru|shell_exec|proc_open|pcntl_exec)#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'buffer overflow','LEVEL' => '3','REGEX' => /(confirm_phpdoc_compiled|mssql_pconnect|mssql_connect|crack_opendict|snmpget|ibase_connect)#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'ip falsification','LEVEL' => '1','REGEX' => /(.*)(HTTP_CLIENT_IP|HTTP_X_FORWARDED_FOR|HTTP_PC_REMOTE_ADDR)(.*)/i}, <br /> {'TYPE' => 'putenv vuln','LEVEL' => '2','REGEX' => /putenv#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'full path disclosure','LEVEL' => '1','REGEX' => /(htmlentities|htmlspecialchars)#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'magic_quotes_gpc bypass','LEVEL' => '1','REGEX' => /(stripslashes|urldecode)#{@@space}\((.*)#{@@userdat}(.*)\)/i}, <br /> {'TYPE' => 'file inclusion','LEVEL' => '3','REGEX' => /(include|include_once|require|require_once)#{@@space}(|\(|\")(.*)#{@@userdat}/i} <br /> <br />##################################################################################### <br /># Main <br /># <br /> <br /> def initialize() <br /> <br /> ################ <br /> # Usage <br /> <br />if (ARGV.length < 4) <br />puts ' <br /> --------------------------------------------------------------------- <br />| Credits: Black_H <bl4ck.h@gmail.com> | <br />| URL: Lemon-Inside.sup.fr | <br />| Note: Premier code Ruby | <br /> --------------------------------------------------------------------- <br /> <br /> --------------------------------------------------------------------- <br />| Usage: scan.rb -d <Dossier> -i <Save.html> | <br />| Ex: scan.rb -d ./ -i output.html | <br /> --------------------------------------------------------------------- <br /> ' <br /> end <br /> <br /> ################ <br /> # Options & Vars <br /> <br /> @@scan_alldir = self.options('d') <br /> @@out_file = self.options('i') <br /> <br /> @@ban = [".", "..", "scan.rb", @@out_file.to_s] <br /> <br /> @@scan_buffer = Array.new <br /> <br /> ################ <br /> # Options Error ? <br /> <br /> if (@@scan_alldir != false and @@scan_alldir.empty? == false) <br /> self.dscan(@@scan_alldir) <br /> self.output(@@scan_buffer) <br /> @@scan_buffer = '' <br /> end <br /> <br /> <br /> <br /> <br /> end <br /> <br />##################################################################################### <br /># Dir Scan <br /># <br /> <br /> def dscan(dir) <br /> <br /> d = Dir.open(dir.to_s) <br /> d = d.sort - @@ban <br /> <br /> d.each { |fichier| <br /> <br /> case File.ftype(dir+fichier) <br /> when "directory" <br /> self.dscan(dir + fichier + "/") <br /> when "file" <br /> puts 'Scan => ' + dir + fichier <br /> self.fscan(dir + fichier) <br /> end <br /> <br /> } <br /> end <br /> <br />##################################################################################### <br /># File Scan <br /># <br /> <br /> def fscan(file) <br /> <br /> fichier = File.readlines(file) <br /> i = 1 <br /> <br /> fichier.each { |line| <br /> <br /> @@regex.each { |info| <br /> <br /> test = (line =~ info['REGEX']) <br /> <br /> if (test) <br /> <br /> @@scan_buffer += ['FILE' => file, 'LINE' => i.to_s, 'MATCH' => line, 'LEVEL' => info['LEVEL'], 'TYPE' => info['TYPE']] <br /> # 5 , 1 , 3 , 4 , 2 <br /> next @@scan_buffer <br /> end <br /> } <br /> <br /> i += 1 <br /> } <br /> <br /> end <br /> <br />##################################################################################### <br /># Output buffer <br /># <br /> <br /> def output(buffer) <br /> <br /> @html_hmodel = '<html>' <br /> @html_hmodel += '<style type="text/css">' <br /> @html_hmodel += '<!--' <br /> @html_hmodel += '.level0 {background-color: #CCCCCC;}' <br /> @html_hmodel += '.level1 {background-color: #33FF66;}' <br /> @html_hmodel += '.level2 {background-color: #FFFF33;}' <br /> @html_hmodel += '.level3 {background-color: #FF0000;}' <br /> @html_hmodel += '--></style><body><h1>BScan v1.0</h1><pre>' <br /> <br /> code = @html_hmodel <br /> <br /> buffer.each { |infos| <br /> <br /> keys = infos.keys <br /> code += "<span class='level" + infos["LEVEL"] + "'>" + keys[1].to_s + ' : ' + infos["TYPE"] + '</span><br />' <br /> code += "<span class='" + infos["LEVEL"] + "'>" + keys[3].to_s + ' : ' + infos["LEVEL"] + '</span><br />' <br /> code += "<span class='" + infos["LEVEL"] + "'>" + keys[4].to_s + ' : ' + infos["FILE"] + '</span><br />' <br /> code += "<span class='" + infos["LEVEL"] + "'>" + keys[0].to_s + ' : ' + infos["LINE"] + '</span><br />' <br /> code += "<span class='" + infos["LEVEL"] + "'>" + keys[2].to_s + ' : ' + infos["MATCH"] + '</span><br />' <br /> <br /> <br /> } <br /> code += "</pre></body></html>" <br /> fhtml = File.open(@@out_file.to_s, "w") <br /> fhtml.write code <br /> code = '' <br /> <br /> <br /> end <br />##################################################################################### <br /># Parse & Get Options <br /># <br /> <br /> def options(param) <br /> <br /> i = 0 <br /> ARGV.each { |valeur| <br /> <br /> if (valeur == '-' + param.to_s) <br /> return ARGV[i+1] <br /> elseif (valeur != '-' + param.to_s) <br /> return false <br /> end <br /> i += 1 <br /> } <br /> <br /> end <br /> <br />end <br /> <br />scan = BScan.new <br /> <br /></code> Sun, 03 Feb 2008 11:51:05 GMT http://snippets.dzone.com/posts/show/5094 Black_H (Black_H)