Snippet Name: Vulnerability Tester

Description: A source code tester. This searches through code (PHP files in this case) and finds possible vulnerable syntax problems.

Language: PHP
Highlight Mode: PHP
Last Modified: March 16th, 2009

<title>PHP Source Code Checker</title>
<script language="JavaScript">
function mouseDown_Action(c_id) {
   var obj = document.getElementById(c_id);
   if (obj.style.visibility == 'hidden') {
      obj.style.visibility = 'visible';
      obj.style.position = 'static';
   } else {
      obj.style.visibility = 'hidden';
      obj.style.position = 'absolute';
function mouseOver_Action(v_id, color) {
   var obj = document.getElementById(v_id);
   obj.style.backgroundColor = color;
function mouseOut_Action(v_id, color) {
   var obj = document.getElementById(v_id);
   obj.style.backgroundColor = color;
<style type="text/css">
a:link {text-decoration:none; color: #FFCCCC}
a:visited {text-decoration:none;color: #FFCCCC}
a:hover {text-decoration:none;color: #FFCCCC}
a:active {text-decoration:none;color: #FFCCCC}
a:focus {outline-style: none;}
body {background-color: #000; margin: 4; padding: 0;}
.main_window {
   border-color: #ccc;
   border-width: 1px;
   padding: 5 5 15 5;
   background-color: #000033;
.title_window {
   width: 90%; 
   height: auto;
   background-color: #330099;
   text-align: center;
   padding: 5 0 5 0;
   margin: 0 0 10 0;
   border-style: solid;
   border-color: #CCCCFF;
   border-width: 1px;
   font-family: impact;
   font-size: 30;
   color: #FFF;
.file_window {
   width: 88%; 
   background-color: #339933;
   text-align: left;
   padding: 1 0 1 10;
   margin: 10 0 3 0;
   border-style: solid;
   border-color: #66CC66;
   border-width: 1px;
   color: #CCFFCC;
.rfi_window {
   width: 84%; 
   background-color: #000   ;
   text-align: left;
   padding: 1 0 1 10;
   margin: 0 0 3 0;
   border-style: solid;
   border-color: #FF3366;
   border-width: 1px;
   color: #FFCCCC;
.sql_window {
   width: 84%; 
   background-color: #000   ;
   text-align: left;
   padding: 1 0 1 10;
   margin: 0 0 3 0;
   border-style: solid;
   border-color: #3399FF;
   border-width: 1px;
   color: #99CCFF;
.rce_window {
   width: 84%; 
   background-color: #000   ;
   text-align: left;
   padding: 1 0 1 10;
   margin: 0 0 3 0;
   border-style: solid;
   border-color: #FF9933;
   border-width: 1px;
   color: #FFCC99;
.code_window { 
   width: 80%;
   background-color: #333;
   text-align: left;
   padding: 10 10 10 10;
   margin: 5 0 10 0;
   border-style: solid;
   border-color: #003399;
   border-width: 1px;
   color: #CCCCFF;
   position: absolute;
INPUT.user_input {
   margin: 0 0 5 0;
   padding: 0 2 0 2;
   background-color: #333366;
   border-style: solid;
   border-color: #CCCCFF;
   border-width: 1px;
   color: #CCCCFF;
INPUT.button {
   margin: 0 0 5 0;
   background-color: #333366;
   border-style: solid;
   border-color: #CCCCFF;
   border-width: 1px;
   color: #CCCCFF;
LABEL.button {
   margin: 0 5 0 4;
   color: #CCCCFF;
SELECT.user_select {
   margin: 0 0 5 0;
   background-color: #333366;
   border-style: solid;
   border-color: #CCCCFF;
   border-width: 1px;
   color: #CCCCFF;
<body onload="makerequest('analyze.php', 'analyzing');return false;">
<div class="main_window">
<div class="title_window">PHP Source Analyzer by Delicon</div>
<FORM name="user_form" action="index.php" method="get">
   <SELECT id="user_select" class="user_select" name="search_style" onmouseover="javascript:mouseOver_Action('user_select', '#333399');" onmouseout="javascript:mouseOut_Action('user_select', '#333366');">
      <OPTION <?PHP IF($_GET["search_style"] == "Directory") { ?> selected="selected" <?PHP } ?>>Directory</OPTION>
      <OPTION <?PHP IF($_GET["search_style"] == "File") { ?> selected="selected" <?PHP } ?>>File</OPTION>
   <INPUT id="user_input" class="user_input" value="" name="source_dir" size="80" onmouseover="javascript:mouseOver_Action('user_input', '#333399');" onmouseout="javascript:mouseOut_Action('user_input', '#333366');">
   <INPUT id="analyze" class="button" value="Analyse" type="submit" onmouseover="javascript:mouseOver_Action('analyze', '#333399');" onmouseout="javascript:mouseOut_Action('analyze', '#333366');">
   <INPUT id="reset" class="button" type="reset" onmouseover="javascript:mouseOver_Action('reset', '#333399');" onmouseout="javascript:mouseOut_Action('reset', '#333366');"><BR>
   <INPUT class="button" type="checkbox" name="RFI"<?PHP IF($_GET["RFI"] == "on") { ECHO "checked"; }?>><LABEL class="button">Remote File Inc.</LABEL>
   <INPUT class="button" type="checkbox" name="SQL"<?PHP IF($_GET["SQL"] == "on") { ECHO "checked"; }?>><LABEL class="button">SQL</LABEL>
   <INPUT class="button" type="checkbox" name="RCE"<?PHP IF($_GET["RCE"] == "on") { ECHO "checked"; }?>><LABEL class="button">Remote Command Execute</LABEL>
<FIELDSET style='color:#CCCCFF; border-width:1; border-color:#CCCCFF; width:50%;background-color:#333366; margin:0 0 5 0'>
<LEGEND>Custum Search</LEGEND>
<LABEL class="button">Search String: </LABEL><INPUT id="custom_search" class="user_input"  value="<?PHP IF(ISSET($_GET['custom_search'])) { ECHO $_GET['custom_search']; } ?>"name="custom_search" size="80" onmouseover="javascript:mouseOver_Action('custom_search', '#333399');" onmouseout="javascript:mouseOut_Action('custom_search', '#333366');" style='margin:0;'>
IF((!ISSET($_GET["source_dir"])) or ($_GET["source_dir"] == "")) { ?><div class="sql_window">[INFO] Please enter a directory [INFO]</div><?PHP DIE; }
IF(($_GET["search_style"] == "Directory") and (!IS_DIR($_GET["source_dir"]))) {
   ?><div class="rfi_window">[Error] <?PHP ECHO " " . $_GET["source_dir"] . " "?>does not exist or is not a directory [Error]</div><?PHP DIE;
} ELSE IF (($_GET["search_style"] == "File") and (!IS_FILE($_GET["source_dir"]))) {
   ?><div class="rfi_window">[Error] <?PHP ECHO " " . $_GET["source_dir"] . " "?>does not exist or is not a file [Error]</div><?PHP DIE;
$base_dir = $_GET["source_dir"] . "\\";
$dir_listing = array(0 => $base_dir);               //Create array for holding dir_listing first entry is user argument
$php_listing = array();                           //Create array for holding php files found in search
$x = 0;                                       //set counter
if($_GET["search_style"] == "Directory") {
while($x < count($dir_listing)) {                     //Loop while the counter is less or equal to array count
$curr_directory = $dir_listing[$x];                     //set curr_directory
$dir_handle[$x] = opendir($curr_directory);               //set the directory handle for opening the dir. according to the counter
   while(false !== ($file = readdir($dir_handle[$x]))) {      //read directory listing and loop till the end
      $curr_file = $curr_directory . $file;
      if(is_dir($curr_file)) {            //check if its a directory
         if(($file != ".") && ($file != "..")) {         //check if its a hidden dire.
            $dir_listing[count($dir_listing)] = $curr_file . "\\";   //add to array . using count adds appends it count is not based on 0 start
      if(is_file($curr_file)) {               //Check if its a file
         if(substr_count($file, ".php")) {      //Check if its a php file
            $php_listing[count($php_listing)] = $curr_file;         //add to files found array php_listing
   closedir($dir_handle[$x]);         //close handle
   $x++;                     //itterate count
} else {
   $php_listing[count($php_listing)] = $base_dir;
//Array holding all the strings to search for
if($_GET['custom_search'] <> NULL) {            //Check to see if custome search is set to something other than nothing
   $custom_search = "on";                     //Set custom search on
   $vuln_custom_syntax = $_GET['custom_search'];      //Get was custom search string contains
   $vuln_custom_syntax = explode(',',  $vuln_custom_syntax);      //seperate everything in custom search into an array
//Arrays Containing the most common strings to search for
$vuln_rfi_syntax = array("REQUIRE", "INCLUDE", "EMPTY", "READFILE", "FREAD", "FWRITE", "writefile", "FOPEN","_GET", "_POST", "_SESSION", "_REQUEST", "_USER", "EVAL");
$vuln_sql_syntax = array("sql", "dbquery", "query", "WHERE", "SELECT", "DELETE", "INSERT");
$vuln_rce_syntax = array("POPEN", "SYSTEM", "EVAL", "PASSTHRU");
$vuln_count = 1;      //keeps track of the vulnerablities for the xhtml variables to pass to javascript
for($z=0; $z < count($php_listing); $z++) {               
   $vuln_found = array();            
   $filename = $php_listing[$z];      //holds the file to search
   $handle = fopen($filename, "r");                                 //opens file for reading only
   $contents = fread($handle, filesize($filename));                     //reads all content to $contents
<!--New File Started-->
<div class='file_window'>Filename:<?PHP ECHO " " .  $filename ?></div>
   FCLOSE($handle);                                             //closes file
   $exp_content = EXPLODE("\n", $contents);                           //seperate each line of the file into diff. array keys
   FOR($i=0; $i<= COUNT($exp_content); $i++) {                           //loop until the end of the array
      IF(($exp_content[$i] <> "")                                    //check to see if the line is empty, and for unwanted lines comments and such
         and (!STRSTR($exp_content[$i], "//"))                        //check to see if the line is a comment
         and (!STRSTR($exp_content[$i], "/*"))
         and (!STRSTR($exp_content[$i], "* "))
         ) {                                 
      $exp_content[$i] = STRIP_TAGS($exp_content[$i]);                  //strip all html tags before printing out
// It loops through each vulnerability for the current line of code from exp_content
// same loop as above with a different array. This seperates
IF($custom_search == "on") {
      FOR($x=0; $x < COUNT($vuln_custom_syntax); $x++) {                     //loop through the vuln. array
            IF(SUBSTR_COUNT($exp_content[$i], $vuln_custom_syntax[$x])) {         //check and see if the vulnerable string is found
               $vuln_line = "line# " . $i . ":  " . $exp_content[$i] . "\n\r\n\r";   //hold vulnerable line found in syntax: Line$ code
               IF (!ARRAY_SEARCH($vuln_line, $vuln_found)){            //check to see if it exists already or was already found
                  $vuln_found[COUNT($vuln_found)] = $vuln_line;         //if not then add to vuln_found array for future checks
                  <a border="0" onmouseover="javascript:mouseOver_Action('v<?PHP ECHO $vuln_count?>', '#CC6600');" onmouseout="javascript:mouseOut_Action('v<?PHP ECHO $vuln_count?>', '#000');" onmousedown="javascript:mouseDown_Action('c<?PHP ECHO $vuln_count?>');"><div id="v<?PHP ECHO $vuln_count?>" class="rce_window"><?PHP ECHO $vuln_line ?>
                  <div id="c<?PHP ECHO $vuln_count?>" class="code_window"  style="visibility:hidden">
               FOR($y=0; $y <= 20; $y++) {                        //print the previous/ next 5 lines of code
                     ECHO STRIP_TAGS($exp_content[($i - 11) + $y]) . "<br>";         
// It loops through each vulnerability for the current line of code from exp_content
//    it also adds it to vuln_found array to double check and see if its a duplicate line. sometimes more than one word is found in a line
//    after it finds a line it prints it out. or at least allows the html to do its thing with the xhtml in it.
//   At the end it prints out the next 20 and it increments the exp_content for not searching (since we already can see it)
//   Then it increments the vuln_count counter which designates the counts on the xhtml
IF($_GET["RFI"] == "on") {
      FOR($x=0; $x < COUNT($vuln_rfi_syntax); $x++) {                     //loop through the vuln. array
            IF(SUBSTR_COUNT($exp_content[$i], $vuln_rfi_syntax[$x])) {         //check and see if the vulnerable string is found
               $vuln_line = "line# " . $i . ":  " . $exp_content[$i] . "\n\r\n\r";   //hold vulnerable line found in syntax: Line$ code
               IF (!ARRAY_SEARCH($vuln_line, $vuln_found)){            //check to see if it exists already or was already found
                  $vuln_found[COUNT($vuln_found)] = $vuln_line;         //if not then add to vuln_found array for future checks
                  <a border="0" onmouseover="javascript:mouseOver_Action('v<?PHP ECHO $vuln_count?>', '#CC0000');" onmouseout="javascript:mouseOut_Action('v<?PHP ECHO $vuln_count?>', '#000');" onmousedown="javascript:mouseDown_Action('c<?PHP ECHO $vuln_count?>');"><div id="v<?PHP ECHO $vuln_count?>" class="rfi_window"><?PHP ECHO $vuln_line ?>
                  <div id="c<?PHP ECHO $vuln_count?>" class="code_window"  style="visibility:hidden">
               FOR($y=0; $y <= 20; $y++) {                        //print the previous/ next 5 lines of code
                     ECHO STRIP_TAGS($exp_content[$i + $y]) . "<br>";         
// It loops through each vulnerability for the current line of code from exp_content
// same loop as above with a different array. This seperates
IF($_GET["SQL"] == "on") {
   FOR($x=0; $x < COUNT($vuln_sql_syntax); $x++) {                     //loop through the vuln. array
            IF(SUBSTR_COUNT($exp_content[$i], $vuln_sql_syntax[$x])) {         //check and see if the vulnerable string is found
               $vuln_line = "line# " . $i . ":  " . $exp_content[$i] . "\n\r\n\r";   //hold vulnerable line found in syntax: Line$ code
               IF (!ARRAY_SEARCH($vuln_line, $vuln_found)){            //check to see if it exists already or was already found
                  $vuln_found[COUNT($vuln_found)] = $vuln_line;         //if not then add to vuln_found array for future checks
                  <a border="0" onmouseover="javascript:mouseOver_Action('v<?PHP ECHO $vuln_count?>', '#666699');" onmouseout="javascript:mouseOut_Action('v<?PHP ECHO $vuln_count?>', '#000');" onmousedown="javascript:mouseDown_Action('c<?PHP ECHO $vuln_count?>');"><div id="v<?PHP ECHO $vuln_count?>" class="sql_window"><?PHP ECHO $vuln_line ?>
                  <div id="c<?PHP ECHO $vuln_count?>" class="code_window"  style="visibility:hidden">
               FOR($y=0; $y <= 20; $y++) {                        //print the previous/ next 5 lines of code
                     ECHO STRIP_TAGS($exp_content[$i + $y]) . "<br>";         
// It loops through each vulnerability for the current line of code from exp_content
// same loop as above with a different array. This seperates
IF($_GET["RCE"] == "on") {
      FOR($x=0; $x < COUNT($vuln_rce_syntax); $x++) {                     //loop through the vuln. array
            IF(SUBSTR_COUNT($exp_content[$i], $vuln_rce_syntax[$x])) {         //check and see if the vulnerable string is found
               $vuln_line = "line# " . $i . ":  " . $exp_content[$i] . "\n\r\n\r";   //hold vulnerable line found in syntax: Line$ code
               IF (!ARRAY_SEARCH($vuln_line, $vuln_found)){            //check to see if it exists already or was already found
                  $vuln_found[COUNT($vuln_found)] = $vuln_line;         //if not then add to vuln_found array for future checks
                  <a border="0" onmouseover="javascript:mouseOver_Action('v<?PHP ECHO $vuln_count?>', '#CC6600');" onmouseout="javascript:mouseOut_Action('v<?PHP ECHO $vuln_count?>', '#000');" onmousedown="javascript:mouseDown_Action('c<?PHP ECHO $vuln_count?>');"><div id="v<?PHP ECHO $vuln_count?>" class="rce_window"><?PHP ECHO $vuln_line ?>
                  <div id="c<?PHP ECHO $vuln_count?>" class="code_window"  style="visibility:hidden">
               FOR($y=0; $y <= 20; $y++) {                        //print the previous/ next 5 lines of code
                     ECHO STRIP_TAGS($exp_content[($i - 11) + $y]) . "<br>";         

