paxnWo Posted October 29, 2008 Report Posted October 29, 2008 <?php /*************************************************************************** * PHP Security-Shell RFI Scanner v1.0 * * * * Copyright (C) 2007 by pentest * * * * http://security-sh3ll.com * * * * This program is free software; you can redistribute it and/or modify * * it under the terms of the GNU General Public License as published by * * the Free Software Foundation; either version 2 of the License, or * * (at your option) any later version. * * * * This program is distributed in the hope that it will be useful, * * but WITHOUT ANY WARRANTY; without even the implied warranty of * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * * GNU General Public License for more details. * * * ***************************************************************************/ $escan_inc_regex = array( '/include(_once)?.\$/ix', '/require(_once)?.\$/ix' ); /* Regex to extract the names of variables */ $escan_var_regex = array( '/\Ainclude(_once)?./is', '/\Arequire(_once)?./is' ); /* Array of file extensions to scan */ $escan_valid_ext = array( 'php' ); /* Maximum size of a file to scan, scans all if 0 */ $escan_max_size = 0; /* Counter crawled directory */ $escan_dir_count = 0; /* Perpetual scanned files */ $escan_file_count = 0; /* Perpetual potential rfi found */ $escan_match_count = 0; /*Perpetual crawled total bytes */ $escan_byte_count = 0; escan_banner(); if( $argc < 2 ){ escan_usage($argv[0]); } else{ $stime = escan_get_mtime(); escan_recurse_dir( realpath($argv[1]).DIRECTORY_SEPARATOR ); $etime = escan_get_mtime(); print "\n@ Scan report : \n\n" . "\t$escan_dir_count directory .\n". "\t$escan_file_count file .\n". "\t" . escan_format_size($escan_byte_count) . " .\n". "\t$escan_match_count Potential RFI .\n". "\t".($etime-$stime) . " Second Processing .\n\n"; } /* A string formats in a magnitude expressed in bytes */ function escan_format_size($bytes) { if( $bytes < 1024 ) return "$bytes bytes"; if( $bytes < 1048576 ) return ($bytes / 1024) . " Kb"; if( $bytes < 1073741824 ) return ($bytes / 1048576) . " Mb"; return ($bytes / 1073741824) . " Gb"; } /* Returns the timestamp in seconds */ function escan_get_mtime() { list($usec, $sec) = explode(" ",microtime()); return ((float)$usec + (float)$sec); } /* Extracts line of code inclusion */ function escan_scan_line($content,$offset) { list( $line, $dummy ) = explode( ";" , substr($content,$offset,strlen($content)) ); return $line.";"; } /* Extract the variable name from line of code inclusion */ function escan_parse_var( $line, $regex_id ) { global $escan_var_regex; $vars = preg_split($escan_var_regex[$regex_id],$line); $varname = $vars[1]; $delimiters = " .);"; for( $i = 0; $i < strlen($varname); $i++ ){ for( $j = 0; $j < strlen($delimiters); $j++ ){ if($varname[$i] == $delimiters[$j]){ return substr( $varname, 0, $i ); } } } return $varname; } /* Check if the variable $var is defined in $content before position $offset*/ function escan_check_definitions($content,$offset,$var) { if( strpos( $var, "->" ) ){ return 1; } $chunk = substr($content,0,$offset); $regex = "/".preg_quote($var,"/")."\s*=/ix"; preg_match( $regex, $chunk,$matches ); return count($matches); } /* $file the file to check for potential rfi */ function escan_parse_file($file) { global $escan_inc_regex; global $escan_max_size; global $escan_file_count; global $escan_match_count; global $escan_byte_count; $fsize = filesize($file); if( $escan_max_size && $fsize > $escan_max_size ) return; $escan_file_count++; $escan_byte_count += $fsize; $content = @file_get_contents($file); for( $i = 0; $i < count($escan_inc_regex); $i++ ){ if( preg_match_all( $escan_inc_regex[$i], $content, $matches, PREG_OFFSET_CAPTURE ) ){ $nmatch = count($matches[0]); for( $j = 0; $j < $nmatch; $j++ ){ $offset = $matches[0][$j][1]; $line = escan_scan_line($content,$offset); $var = escan_parse_var($line,$i); if( escan_check_definitions($content,$offset,$var) == 0 ) { $escan_match_count++; print "@ $file - \n\t- '$var' The position $offset .\n"; } } } } } /* Returns the file extension $fname */ function escan_get_file_ext($fname) { if( strchr($fname,'.') ){ return substr($fname,strrpos($fname,'.')+1); } else{ return ""; } } /* Check if file $fname is a valid extension */ function escan_isvalid_ext($fname) { global $escan_valid_ext; for( $i = 0; $i < count($escan_valid_ext); $i++ ){ if(strstr(escan_get_file_ext($fname),$escan_valid_ext[$i])){ return true; } } return false; } /* That function scans directories recursively */ function escan_recurse_dir($dir) { global $escan_dir_count; $escan_dir_count++; if( $cdir = @dir($dir) ){ while( $entry = $cdir->read() ){ if( $entry != '.' && $entry != '..' ){ if( is_dir($dir.$entry) ){ escan_recurse_dir($dir.$entry.DIRECTORY_SEPARATOR); } else{ if( escan_isvalid_ext($dir.$entry) ){ escan_parse_file($dir.$entry); } } } } $cdir->close(); } } function escan_banner() { print "*-----------------------------------------------------*\n" . "* PHP Security-Shell RFI Scanner v1.0 by pentest *\n" . "* *\n" . "* http://security-sh3ll.com *\n" . "*-----------------------------------------------------*\n\n"; } function escan_usage($pname) { print "Use : php $pname <dir>\n"; } ?> Quote
