PHP Evil RFI Scanner v1.2

<?php 

/***************************************************************************

* PHP Evil RFI Scanner v1.2 *

* *

* Copyright © 2007 by evilsocket *

* *

* http://www.evilsocket.net *

* *

* This program is free software; you can redistribute it and/or modify *

* it under the terms of the GNU General Public License as published by *

* the Free Software Foundation; either version 2 of the License, or *

* (at your option) any later version. *

* *

* This program is distributed in the hope that it will be useful, *

* but WITHOUT ANY WARRANTY; without even the implied warranty of *

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *

* GNU General Public License for more details. *

* *

* You should have received a copy of the GNU General Public License *

* along with this program; if not, write to the *

* Free Software Foundation, Inc., *

* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *

* *

***************************************************************************/

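/* regexes that locate include/require statements whose operand starts with a
   variable ("include $x", "require_once($x)", ...) */
$escan_inc_regex = array( '/include(_once)?.\$/ix', '/require(_once)?.\$/ix' );

/* regexes that strip the include/require keyword so the operand can be
   extracted; kept index-aligned with $escan_inc_regex */
$escan_var_regex = array( '/\Ainclude(_once)?./is', '/\Arequire(_once)?./is' );

/* file extensions that are scanned */
$escan_valid_ext = array( 'php' );

/* maximum size of a file to scan; 0 means every file is scanned */
$escan_max_size = 0;

/* number of directories scanned */
$escan_dir_count = 0;

/* number of files scanned */
$escan_file_count = 0;

/* number of potential RFIs found */
$escan_match_count = 0;

/* total number of bytes scanned */
$escan_byte_count = 0;

escan_banner();

if( $argc < 2 ){
    escan_usage($argv[0]);
}
else{
    /* realpath() returns false for a missing path; concatenating that with
       DIRECTORY_SEPARATOR would silently turn the scan root into "/" */
    $root = realpath($argv[1]);
    if( $root === false || !is_dir($root) ){
        print "@ '$argv[1]' is not an existing directory .\n";
        escan_usage($argv[0]);
    }
    else{
        $stime = escan_get_mtime();
        escan_recurse_dir( $root.DIRECTORY_SEPARATOR );
        $etime = escan_get_mtime();

        print "\n@ Scan report : \n\n" .
              "\t$escan_dir_count directory .\n".
              "\t$escan_file_count file .\n".
              "\t" . escan_format_size($escan_byte_count) . " .\n".
              "\t$escan_match_count potenziali RFI .\n".
              "\t".($etime-$stime) . " secondi di elaborazione .\n\n";
    }
}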

/* Renders a byte count as a human readable string: "N bytes", "N Kb",
   "N Mb" or "N Gb", choosing the largest unit that the count reaches. */
function escan_format_size($bytes)
{
    /* largest unit first so the first threshold reached wins */
    $units = array( 1073741824 => " Gb", 1048576 => " Mb", 1024 => " Kb" );

    foreach( $units as $threshold => $suffix ){
        if( $bytes >= $threshold ){
            return ($bytes / $threshold) . $suffix;
        }
    }

    return "$bytes bytes";
}

/* Returns the current Unix time as a float with sub-second resolution,
   used to time the whole scan. */
function escan_get_mtime()
{
    /* microtime(true) is the float form of the "usec sec" string */
    return microtime(true);
}

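/* Returns the statement that starts at byte $offset of $content: the text up
   to the first ';' with the ';' re-appended. When no ';' follows, the whole
   remainder of $content is returned, still with a ';' appended. */
function escan_scan_line($content,$offset)
{
    $rest = substr($content, $offset);

    /* limit of 2 so only the first ';' is looked at, and a missing ';' no
       longer leaves the second list() slot undefined */
    $parts = explode(";", $rest, 2);

    return $parts[0] . ";";
}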

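/* Extracts the operand (normally a variable name) from an include/require
   statement. $regex_id selects the entry of the global $escan_var_regex that
   strips the keyword; the operand ends at the first space, '.', ')' or ';'.
   Returns "" when the keyword regex does not match $line. */
function escan_parse_var( $line, $regex_id )
{
    global $escan_var_regex;

    $parts = preg_split($escan_var_regex[$regex_id], $line);

    /* preg_split() yields a single element when the keyword is absent; indexing
       [1] unconditionally raised an undefined-index notice */
    if( !isset($parts[1]) ){
        return "";
    }
    $operand = $parts[1];

    /* strcspn() gives the length of the prefix free of delimiter characters, or
       the full length when none occurs, so the whole operand is returned then */
    return substr( $operand, 0, strcspn($operand, " .);") );
}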

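/* Tells whether $var is assigned in $content before byte $offset.
   Returns 1 when an assignment "<var> =" is found before $offset, or when $var
   is an object property access (treated as already defined); 0 otherwise. */
function escan_check_definitions($content,$offset,$var)
{
    /* compare with !== false: "->" at position 0 is 0, which the old truthiness
       test read as "not present" */
    if( strpos( $var, "->" ) !== false ){
        return 1;
    }

    $before = substr($content, 0, $offset);

    /* (?!=) keeps "==" / "===" comparisons from counting as a definition; the
       i and x modifiers are kept from the original pattern ($var carries no
       whitespace because escan_parse_var() stops at the first space) */
    $regex = "/" . preg_quote($var, "/") . "\s*=(?!=)/ix";

    return preg_match( $regex, $before ) === 1 ? 1 : 0;
}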

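/* Scans $file for include/require statements whose operand is a variable that
   is not assigned earlier in the same file and prints each one as a potential
   RFI. Updates the global file, byte and match counters. Files larger than
   $escan_max_size (when non-zero) and files that cannot be read are skipped
   without being counted. */
function escan_parse_file($file)
{
    global $escan_inc_regex;
    global $escan_max_size;
    global $escan_file_count;
    global $escan_match_count;
    global $escan_byte_count;

    $fsize = filesize($file);
    if( $fsize === false ) return;
    if( $escan_max_size && $fsize > $escan_max_size ) return;

    /* explicit readability check instead of @-suppressing file_get_contents():
       an unreadable file used to be counted and then scanned as an empty string */
    if( !is_readable($file) ) return;
    $content = file_get_contents($file);
    if( $content === false ) return;

    $escan_file_count++;
    $escan_byte_count += $fsize;

    $nregex = count($escan_inc_regex);
    for( $i = 0; $i < $nregex; $i++ ){
        if( !preg_match_all( $escan_inc_regex[$i], $content, $matches, PREG_OFFSET_CAPTURE ) ){
            continue;
        }

        foreach( $matches[0] as $match ){
            $offset = $match[1];
            $line = escan_scan_line($content, $offset);

            /* $i doubles as the index into $escan_var_regex, which is kept
               aligned with $escan_inc_regex */
            $var = escan_parse_var($line, $i);

            if( escan_check_definitions($content, $offset, $var) == 0 ){
                $escan_match_count++;
                print "@ $file - \n\t- '$var' alla posizione $offset .\n";
            }
        }
    }
}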

/* Returns the extension of $fname (the text after the last '.'), or "" when
   the name contains no '.' at all. */
function escan_get_file_ext($fname)
{
    $dot = strrpos($fname, '.');

    /* strrpos() is false only when there is no '.' anywhere in the name */
    if( $dot === false ){
        return "";
    }

    return substr($fname, $dot + 1);
}

/* controlla se il file $fname
