- 22 May 2007
- 8
- 1
PHP:
<?php
/***************************************************************************
* PHP Security-Shell RFI Scanner v1.0 *
* *
* Copyright (C) 2007 by pentest *
* *
* http://security-shell.uni.cc *
* *
* This program is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
***************************************************************************/
$escan_inc_regex = array( '/include(_once)?.\$/ix', '/require(_once)?.\$/ix' );
/* Regex to extract the names of variables */
$escan_var_regex = array( '/\Ainclude(_once)?./is', '/\Arequire(_once)?./is' );
/* Array of file extensions to scan */
$escan_valid_ext = array( 'php' );
/* Maximum size of a file to scan, scans all if 0 */
$escan_max_size = 0;
/* Counter crawled directory */
$escan_dir_count = 0;
/* Perpetual scanned files */
$escan_file_count = 0;
/* Perpetual potential rfi found */
$escan_match_count = 0;
/*Perpetual crawled total bytes */
$escan_byte_count = 0;
escan_banner();
if( $argc < 2 ){
escan_usage($argv[0]);
}
else{
$stime = escan_get_mtime();
escan_recurse_dir( realpath($argv[1]).DIRECTORY_SEPARATOR );
$etime = escan_get_mtime();
print "\n@ Scan report : \n\n" .
"\t$escan_dir_count directory .\n".
"\t$escan_file_count file .\n".
"\t" . escan_format_size($escan_byte_count) . " .\n".
"\t$escan_match_count Potential RFI .\n".
"\t".($etime-$stime) . " Second Processing .\n\n";
}
/* A string formats in a magnitude expressed in bytes */
function escan_format_size($bytes)
{
if( $bytes < 1024 ) return "$bytes bytes";
if( $bytes < 1048576 ) return ($bytes / 1024) . " Kb";
if( $bytes < 1073741824 ) return ($bytes / 1048576) . " Mb";
return ($bytes / 1073741824) . " Gb";
}
/* Returns the timestamp in seconds */
function escan_get_mtime()
{
list($usec, $sec) = explode(" ",microtime());
return ((float)$usec + (float)$sec);
}
/* Extracts line of code inclusion */
function escan_scan_line($content,$offset)
{
list( $line, $dummy ) = explode( ";" , substr($content,$offset,strlen($content)) );
return $line.";";
}
/* Extract the variable name from line of code inclusion */
function escan_parse_var( $line, $regex_id )
{
global $escan_var_regex;
$vars = preg_split($escan_var_regex[$regex_id],$line);
$varname = $vars[1];
$delimiters = " .);";
for( $i = 0; $i < strlen($varname); $i++ ){
for( $j = 0; $j < strlen($delimiters); $j++ ){
if($varname[$i] == $delimiters[$j]){
return substr( $varname, 0, $i );
}
}
}
return $varname;
}
/* Check if the variable $var is defined in $content before position $offset*/
function escan_check_definitions($content,$offset,$var)
{
if( strpos( $var, "->" ) ){
return 1;
}
$chunk = substr($content,0,$offset);
$regex = "/".preg_quote($var,"/")."\s*=/ix";
preg_match( $regex, $chunk,$matches );
return count($matches);
}
/* $file the file to check for potential rfi */
function escan_parse_file($file)
{
global $escan_inc_regex;
global $escan_max_size;
global $escan_file_count;
global $escan_match_count;
global $escan_byte_count;
$fsize = filesize($file);
if( $escan_max_size && $fsize > $escan_max_size ) return;
$escan_file_count++;
$escan_byte_count += $fsize;
$content = @file_get_contents($file);
for( $i = 0; $i < count($escan_inc_regex); $i++ ){
if( preg_match_all( $escan_inc_regex[$i], $content, $matches, PREG_OFFSET_CAPTURE ) ){
$nmatch = count($matches[0]);
for( $j = 0; $j < $nmatch; $j++ ){
$offset = $matches[0][$j][1];
$line = escan_scan_line($content,$offset);
$var = escan_parse_var($line,$i);
if( escan_check_definitions($content,$offset,$var) == 0 )
{
$escan_match_count++;
print "@ $file - \n\t- '$var' The position $offset .\n";
}
}
}
}
}
/* Returns the file extension $fname */
function escan_get_file_ext($fname)
{
if( strchr($fname,'.') ){
return substr($fname,strrpos($fname,'.')+1);
}
else{
return "";
}
}
/* Check if file $fname is a valid extension */
function escan_isvalid_ext($fname)
{
global $escan_valid_ext;
for( $i = 0; $i < count($escan_valid_ext); $i++ ){
if(strstr(escan_get_file_ext($fname),$escan_valid_ext[$i])){
return true;
}
}
return false;
}
/* That function scans directories recursively */
function escan_recurse_dir($dir)
{
global $escan_dir_count;
$escan_dir_count++;
if( $cdir = @dir($dir) ){
while( $entry = $cdir->read() ){
if( $entry != '.' && $entry != '..' ){
if( is_dir($dir.$entry) ){
escan_recurse_dir($dir.$entry.DIRECTORY_SEPARATOR);
}
else{
if( escan_isvalid_ext($dir.$entry) ){
escan_parse_file($dir.$entry);
}
}
}
}
$cdir->close();
}
}
function escan_banner()
{
print "*-----------------------------------------------------*\n" .
"* PHP Security-Shell RFI Scanner v1.0 by pentest *\n" .
"* *\n" .
"* http://security-shell.uni.cc *\n" .
"*-----------------------------------------------------*\n\n";
}
function escan_usage($pname)
{
print "Use : php $pname <dir>\n";
}
?>Only you have to compile the tool, and in the same folder you have to put the script you wanth to scan for find a vulnerability R.F.I
you download some new script like powered by phpbb,
and with this tool we can test locally if is vulnerable to remote file inclusion.
Enjoy and have fun
