
Snippet Name: Vulnerability Tester

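Description: A source code tester. It searches through code (PHP files in this case) and flags lines that contain potentially vulnerable constructs. Matching is done by keyword, so each hit is a lead for manual review rather than a confirmed vulnerability.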


Comment: (none)

Language: PHP
Highlight Mode: PHP
Last Modified: March 16th, 2009

<html>
<title>PHP Source Code Checker</title>
<head>
<script language="JavaScript">
/**
 * Toggle the element with id `c_id` between shown and hidden.
 * A hidden element (visibility 'hidden') becomes visible with static positioning;
 * in every other state it is hidden and positioned absolutely.
 */
function mouseDown_Action(c_id) {
   var panelStyle = document.getElementById(c_id).style;
   var wasHidden = panelStyle.visibility == 'hidden';
   panelStyle.visibility = wasHidden ? 'visible' : 'hidden';
   panelStyle.position = wasHidden ? 'static' : 'absolute';
}
/** Set the background colour of the element with id `v_id` to `color` (hover highlight). */
function mouseOver_Action(v_id, color) {
   document.getElementById(v_id).style.backgroundColor = color;
}
/** Set the background colour of the element with id `v_id` to `color` (restores the resting colour). */
function mouseOut_Action(v_id, color) {
   document.getElementById(v_id).style.backgroundColor = color;
}
 
</script>
<style type="text/css">
/* Stylesheet for the analyzer page.
   NOTE(review): many lengths below are written without units (e.g. "margin: 4").
   Browsers only accept those in quirks mode, which this page gets because it has no doctype. */

/* Links: same colour in every state, no underline, no focus outline */
a:link {text-decoration:none; color: #FFCCCC}
a:visited {text-decoration:none;color: #FFCCCC}
a:hover {text-decoration:none;color: #FFCCCC}
a:active {text-decoration:none;color: #FFCCCC}
a:focus {outline-style: none;}
body {background-color: #000; margin: 4; padding: 0;}
/* Outer frame that wraps the title, the form and the results */
.main_window {
   width:99%;
   border-style:solid;
   border-color: #ccc;
   border-width: 1px;
   padding: 5 5 15 5;
   background-color: #000033;
}
/* Page title banner */
.title_window {
   width: 90%; 
   height: auto;
   background-color: #330099;
   text-align: center;
   padding: 5 0 5 0;
   margin: 0 0 10 0;
   border-style: solid;
   border-color: #CCCCFF;
   border-width: 1px;
   font-family: impact;
   font-size: 30;
   color: #FFF;
}
/* Green bar printed once per scanned file */
.file_window {
   width: 88%; 
   background-color: #339933;
   text-align: left;
   padding: 1 0 1 10;
   margin: 10 0 3 0;
   border-style: solid;
   border-color: #66CC66;
   border-width: 1px;
   color: #CCFFCC;
}
/* Result row for remote-file-inclusion hits; also used for the [Error] messages */
.rfi_window {
   width: 84%; 
   background-color: #000   ;
   text-align: left;
   padding: 1 0 1 10;
   margin: 0 0 3 0;
   border-style: solid;
   border-color: #FF3366;
   border-width: 1px;
   color: #FFCCCC;
   text-decoration:none;
}
/* Result row for SQL hits; also used for the [INFO] message */
.sql_window {
   width: 84%; 
   background-color: #000   ;
   text-align: left;
   padding: 1 0 1 10;
   margin: 0 0 3 0;
   border-style: solid;
   border-color: #3399FF;
   border-width: 1px;
   color: #99CCFF;
   text-decoration:none;
}
/* Result row for remote-command-execution hits and for custom-search hits */
.rce_window {
   width: 84%; 
   background-color: #000   ;
   text-align: left;
   padding: 1 0 1 10;
   margin: 0 0 3 0;
   border-style: solid;
   border-color: #FF9933;
   border-width: 1px;
   color: #FFCC99;
   text-decoration:none;
}
/* Source-context panel nested in each result row; starts hidden and out of flow,
   and is toggled by mouseDown_Action() */
.code_window { 
   width: 80%;
   background-color: #333;
   text-align: left;
   padding: 10 10 10 10;
   margin: 5 0 10 0;
   border-style: solid;
   border-color: #003399;
   border-width: 1px;
   color: #CCCCFF;
   visibility:hidden;
   position: absolute;
}
/* Form controls */
INPUT.user_input {
   margin: 0 0 5 0;
   padding: 0 2 0 2;
   background-color: #333366;
   border-style: solid;
   border-color: #CCCCFF;
   border-width: 1px;
   color: #CCCCFF;
}
INPUT.button {
   margin: 0 0 5 0;
   background-color: #333366;
   border-style: solid;
   border-color: #CCCCFF;
   border-width: 1px;
   color: #CCCCFF;
}
LABEL.button {
   margin: 0 5 0 4;
   color: #CCCCFF;
}
SELECT.user_select {
   margin: 0 0 5 0;
   background-color: #333366;
   border-style: solid;
   border-color: #CCCCFF;
   border-width: 1px;
   color: #CCCCFF;
}
</style>
</head>
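<!-- The onload handler that used to sit on the body tag called makerequest(), which this page never defines, so it only raised a script error on load; it has been dropped. -->
<body>
<center>
<div class="main_window">
<div class="title_window">PHP Source Analyzer by Delicon</div>
 
<?PHP
// Read the request values once, defaulting to "" so a first visit (no query string)
// does not raise undefined-index notices. Non-string values (e.g. custom_search[]=x) are ignored.
$form_search_style  = (isset($_GET["search_style"])  && is_string($_GET["search_style"]))  ? $_GET["search_style"]  : "";
$form_custom_search = (isset($_GET["custom_search"]) && is_string($_GET["custom_search"])) ? $_GET["custom_search"] : "";
$form_rfi_checked   = (isset($_GET["RFI"]) && $_GET["RFI"] == "on");
$form_sql_checked   = (isset($_GET["SQL"]) && $_GET["SQL"] == "on");
$form_rce_checked   = (isset($_GET["RCE"]) && $_GET["RCE"] == "on");
?>
<FORM name="user_form" action="index.php" method="get">
   <SELECT id="user_select" class="user_select" name="search_style" onmouseover="javascript:mouseOver_Action('user_select', '#333399');" onmouseout="javascript:mouseOut_Action('user_select', '#333366');">
      <OPTION<?PHP IF($form_search_style == "Directory") { ?> selected="selected"<?PHP } ?>>Directory</OPTION>
      <OPTION<?PHP IF($form_search_style == "File") { ?> selected="selected"<?PHP } ?>>File</OPTION>
   </SELECT>
   <INPUT id="user_input" class="user_input" value="" name="source_dir" size="80" onmouseover="javascript:mouseOver_Action('user_input', '#333399');" onmouseout="javascript:mouseOut_Action('user_input', '#333366');">
 
   <INPUT id="analyze" class="button" value="Analyse" type="submit" onmouseover="javascript:mouseOver_Action('analyze', '#333399');" onmouseout="javascript:mouseOut_Action('analyze', '#333366');">
   <INPUT id="reset" class="button" type="reset" onmouseover="javascript:mouseOver_Action('reset', '#333399');" onmouseout="javascript:mouseOut_Action('reset', '#333366');"><BR>
   <!-- The leading space in " checked" keeps the attribute separate from name="..." -->
   <INPUT id="opt_rfi" class="button" type="checkbox" name="RFI"<?PHP IF($form_rfi_checked) { ECHO " checked"; }?>><LABEL class="button" for="opt_rfi">Remote File Inc.</LABEL>
   <INPUT id="opt_sql" class="button" type="checkbox" name="SQL"<?PHP IF($form_sql_checked) { ECHO " checked"; }?>><LABEL class="button" for="opt_sql">SQL</LABEL>
   <INPUT id="opt_rce" class="button" type="checkbox" name="RCE"<?PHP IF($form_rce_checked) { ECHO " checked"; }?>><LABEL class="button" for="opt_rce">Remote Command Execute</LABEL>
 
 
<FIELDSET style='color:#CCCCFF; border-width:1; border-color:#CCCCFF; width:50%;background-color:#333366; margin:0 0 5 0'>
<LEGEND>Custum Search</LEGEND>
<?PHP
// The search string is echoed back into a double-quoted attribute. It is request data,
// so it must be HTML-escaped (quotes included) or a crafted link could break out of the
// attribute and inject markup or script into the page (reflected XSS).
?>
<LABEL class="button" for="custom_search">Search String: </LABEL><INPUT id="custom_search" class="user_input" value="<?PHP ECHO htmlspecialchars($form_custom_search, ENT_QUOTES); ?>" name="custom_search" size="80" onmouseover="javascript:mouseOver_Action('custom_search', '#333399');" onmouseout="javascript:mouseOut_Action('custom_search', '#333366');" style='margin:0;'>
</FIELDSET>
</FORM>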
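<?PHP
 
/*----------------------------------------------------------------------------------------------
INPUT VALIDATION AND DIRECTORY RECURSION
Validates the source_dir / search_style request values, then builds $php_listing, the list
of files the scan loop further down will read.

SECURITY NOTE: source_dir comes straight from the query string and is opened on the server,
so anyone who can reach this page can enumerate directories and display the contents of any
file the web-server account can read. Run the tool only on a local or development host, or
behind authentication, and consider confining the resolved path to one fixed project root.
Request data is HTML-escaped before it is echoed into the error messages.
-------------------------------------------------------------------------------------------------*/
$source_dir   = (isset($_GET["source_dir"])   && is_string($_GET["source_dir"]))   ? $_GET["source_dir"]   : "";
$search_style = (isset($_GET["search_style"]) && is_string($_GET["search_style"])) ? $_GET["search_style"] : "";

IF($source_dir == "") { ?><div class="sql_window">[INFO] Please enter a directory [INFO]</div><?PHP DIE; }

$safe_source_dir = htmlspecialchars($source_dir, ENT_QUOTES);      //escaped copy, for output only
IF(($search_style == "Directory") and (!IS_DIR($source_dir))) {
   ?><div class="rfi_window">[Error] <?PHP ECHO " " . $safe_source_dir . " "?>does not exist or is not a directory [Error]</div><?PHP DIE;
} ELSE IF (($search_style == "File") and (!IS_FILE($source_dir))) {
   ?><div class="rfi_window">[Error] <?PHP ECHO " " . $safe_source_dir . " "?>does not exist or is not a file [Error]</div><?PHP DIE;
}
 
//Use the platform's separator instead of a hard-coded backslash, and avoid doubling it
//when the user already typed a trailing slash
$base_dir = rtrim($source_dir, "/\\") . DIRECTORY_SEPARATOR;
$dir_listing = array($base_dir);                  //directories still to visit; first entry is the user argument
$php_listing = array();                           //php files found by the search
 
if($search_style == "Directory") {
   //$dir_listing grows while it is being walked, so every sub-directory found gets visited in turn
   for($x = 0; $x < count($dir_listing); $x++) {
      $curr_directory = $dir_listing[$x];
      $curr_handle = opendir($curr_directory);
      if($curr_handle === false) {                //unreadable directory: PHP has already warned, skip it
         continue;                                //(reading from a failed handle would never terminate cleanly)
      }
      while(false !== ($file = readdir($curr_handle))) {
         if(($file == ".") || ($file == "..")) {          //skip the self / parent entries
            continue;
         }
         $curr_file = $curr_directory . $file;
         if(is_dir($curr_file)) {
            if(!is_link($curr_file)) {                    //do not follow directory symlinks: a link cycle would loop forever
               $dir_listing[] = $curr_file . DIRECTORY_SEPARATOR;
            }
         } else if(is_file($curr_file) && (stripos($file, ".php") !== false)) {
            //name contains ".php" in any letter case (so .PHP, .php5 and .php.bak copies are scanned too)
            $php_listing[] = $curr_file;
         }
      }
      closedir($curr_handle);
   }
} else {
   //Single-file mode: scan the path exactly as given. Appending a separator here
   //(as $base_dir does) would make the later file read fail.
   $php_listing[] = $source_dir;
}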
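/*-------------------------------------------------------------------------------------------
SOURCE SYNTAX SEARCH FUNCTION
Builds the keyword lists used by the scan loop below.
The lists are plain substrings: a hit marks a line worth reviewing, it does not prove the
line is exploitable, and code that avoids these keywords is not reported at all.
--------------------------------------------------------------------------------------------*/   
//Custom search: a comma separated list of strings supplied by the user.
//Both variables are always defined so the scan loop never reads an unset variable.
$custom_search = "off";
$vuln_custom_syntax = array();
if(isset($_GET['custom_search']) && is_string($_GET['custom_search']) && ($_GET['custom_search'] !== "")) {
   //Split on commas and drop empty entries ("a,,b" or a trailing comma): an empty search
   //string is not a valid needle for the substring functions
   $vuln_custom_syntax = array_values(array_filter(explode(',', $_GET['custom_search']), 'strlen'));
   if(count($vuln_custom_syntax) > 0) {
      $custom_search = "on";
   }
}
 
//Arrays containing the most common strings to search for
$vuln_rfi_syntax = array("REQUIRE", "INCLUDE", "EMPTY", "READFILE", "FREAD", "FWRITE", "writefile", "FOPEN","_GET", "_POST", "_SESSION", "_REQUEST", "_USER", "EVAL");
$vuln_sql_syntax = array("sql", "dbquery", "query", "WHERE", "SELECT", "DELETE", "INSERT");
$vuln_rce_syntax = array("POPEN", "SYSTEM", "EVAL", "PASSTHRU");
 
 
$vuln_count = 1;      //running number used to build the unique v<N> / c<N> element ids passed to the javascript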
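//#########################################################################################
// SCAN LOOP
// For every file in $php_listing, every non-comment line is tested against each enabled
// keyword list (custom, RFI, SQL, RCE, in that order). The first list that matches decides
// the colour of the result row; a line is reported once per file.
//
// Changes from the earlier version of this loop:
//  - keywords are matched case-insensitively (PHP function names are case-insensitive, so
//    upper-case keywords matched with a case-sensitive search missed lower-case code)
//  - matching runs on the raw line. strip_tags() used to run first and removes anything
//    that looks like a tag, including a whole one-line <?php ... ?_> style block, so such
//    lines could never match. Output is escaped with htmlspecialchars() instead, which
//    also shows the code exactly as written.
//  - only lines that START with //, /* or * are treated as comments. Skipping every line
//    that merely contained "//" or "* " also skipped URLs, trailing comments and
//    "SELECT * FROM ..." statements.
//  - the line loop stops at the last line, the context window is clamped to the file,
//    the duplicate check is strict, and unreadable or empty files are handled.
//  - reported line numbers are 1-based, matching what an editor shows.
// (The "?_>" above is written with an underscore only so the comment does not end PHP mode.)
//#########################################################################################

//Helpers are guarded so including this page twice does not redeclare them
if(!function_exists('_psa_is_comment_line')) {
   //True when the line, ignoring leading whitespace, starts with //, /* or *
   function _psa_is_comment_line($line) {
      $trimmed = ltrim($line);
      return (strncmp($trimmed, "//", 2) == 0)
          || (strncmp($trimmed, "/*", 2) == 0)
          || (strncmp($trimmed, "*", 1) == 0);
   }
}
if(!function_exists('_psa_line_matches_any')) {
   //True when $line contains at least one non-empty entry of $needles, ignoring letter case
   function _psa_line_matches_any($line, $needles) {
      foreach($needles as $needle) {
         $needle = (string) $needle;
         if(($needle !== "") && (stripos($line, $needle) !== false)) {
            return true;
         }
      }
      return false;
   }
}

//Escaping flags: ENT_SUBSTITUTE (where the PHP version has it) keeps lines with invalid
//byte sequences visible instead of turning them into an empty string
$esc_flags = defined('ENT_SUBSTITUTE') ? (ENT_QUOTES | ENT_SUBSTITUTE) : ENT_QUOTES;

//Enabled categories: keyword list, css class of the result row, hover colour
$scan_categories = array();
if(isset($custom_search) && ($custom_search == "on") && isset($vuln_custom_syntax)) {
   $scan_categories[] = array($vuln_custom_syntax, "rce_window", "#CC6600");
}
if(isset($_GET["RFI"]) && ($_GET["RFI"] == "on")) {
   $scan_categories[] = array($vuln_rfi_syntax, "rfi_window", "#CC0000");
}
if(isset($_GET["SQL"]) && ($_GET["SQL"] == "on")) {
   $scan_categories[] = array($vuln_sql_syntax, "sql_window", "#666699");
}
if(isset($_GET["RCE"]) && ($_GET["RCE"] == "on")) {
   $scan_categories[] = array($vuln_rce_syntax, "rce_window", "#CC6600");
}

$context_lines = 10;      //lines of source shown before and after each hit

for($z = 0; $z < count($php_listing); $z++) {
   $vuln_found = array();               //lines already reported for this file
   $filename = $php_listing[$z];        //the file to search
?>
<!--New File Started-->
<div class='file_window'>Filename:<?PHP ECHO " " . htmlspecialchars($filename, $esc_flags) ?></div>
<?PHP
   //Names come from the request and from the disk, so they are escaped like any other output.
   //file_get_contents copes with empty files; a failed read is reported instead of scanned.
   $contents = @file_get_contents($filename);
   if($contents === false) {
      ?><div class="rfi_window">[Error] file could not be read [Error]</div><?PHP
      continue;
   }

   $exp_content = explode("\n", $contents);      //one array entry per source line
   $line_total = count($exp_content);

   for($i = 0; $i < $line_total; $i++) {
      $raw_line = rtrim($exp_content[$i], "\r");      //drop the CR of Windows line endings
      if(($raw_line === "") || _psa_is_comment_line($raw_line)) {
         continue;
      }

      foreach($scan_categories as $category) {
         list($needles, $css_class, $hover_color) = $category;
         if(!_psa_line_matches_any($raw_line, $needles)) {
            continue;
         }

         $vuln_line = "line# " . ($i + 1) . ":  " . $raw_line . "\n\r\n\r";
         if(!in_array($vuln_line, $vuln_found, true)) {      //strict check: report each line once per file
            $vuln_found[] = $vuln_line;
?>
<a onmouseover="javascript:mouseOver_Action('v<?PHP ECHO $vuln_count?>', '<?PHP ECHO $hover_color?>');" onmouseout="javascript:mouseOut_Action('v<?PHP ECHO $vuln_count?>', '#000');" onmousedown="javascript:mouseDown_Action('c<?PHP ECHO $vuln_count?>');"><div id="v<?PHP ECHO $vuln_count?>" class="<?PHP ECHO $css_class?>"><?PHP ECHO htmlspecialchars($vuln_line, $esc_flags) ?>

<div id="c<?PHP ECHO $vuln_count?>" class="code_window"  style="visibility:hidden">
<?PHP
            //Context panel: the surrounding lines, clamped to the start and end of the file
            $first_line = max(0, $i - $context_lines);
            $last_line = min($line_total - 1, $i + $context_lines);
            for($y = $first_line; $y <= $last_line; $y++) {
               echo htmlspecialchars(rtrim($exp_content[$y], "\r"), $esc_flags) . "<br>";
            }
?>
</div></div></a>
<?PHP
         }
         $vuln_count++;      //advance on every hit so the v<N> / c<N> ids stay unique
      }
   }
}
?>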
</div>
</center>
</body>
</html> 

