Vulnerability Tester

Description: A source code tester. It searches through code (PHP files in this case) for strings that commonly appear in vulnerable code and lists the matching lines as possible problems.

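<html lang="en">
<head>
<!-- Declare the encoding explicitly so the browser does not guess it from the scanned file contents shown on this page. -->
<meta charset="utf-8">
<title>PHP Source Code Checker</title>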
<script language="JavaScript">
/**
 * Toggle the code panel with the given element id.
 * A hidden panel becomes visible and takes part in normal layout (position
 * static); any other state is switched back to hidden and absolutely
 * positioned, so the panel takes up no room on the page.
 *
 * @param {string} c_id  id of the panel element to toggle
 */
function mouseDown_Action(c_id) {
   var panelStyle = document.getElementById(c_id).style;
   var reveal = (panelStyle.visibility == 'hidden');
   panelStyle.visibility = reveal ? 'visible' : 'hidden';
   panelStyle.position = reveal ? 'static' : 'absolute';
}
/**
 * Hover-in handler: paint the background of the element with the given id.
 *
 * @param {string} v_id   id of the element to recolour
 * @param {string} color  CSS colour value to apply
 */
function mouseOver_Action(v_id, color) {
   document.getElementById(v_id).style.backgroundColor = color;
}
/**
 * Hover-out handler: set the background of the element with the given id
 * to the colour passed in (the callers on this page pass the resting colour).
 *
 * @param {string} v_id   id of the element to recolour
 * @param {string} color  CSS colour value to apply
 */
function mouseOut_Action(v_id, color) {
   var target = document.getElementById(v_id);
   target.style.backgroundColor = color;
}
 
</script>
<style type="text/css">
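/* Every non-zero length carries an explicit px unit. The bare numbers used before
   are only honoured in quirks mode and are dropped as invalid in standards mode. */

/* Links: same colour in every state, never underlined. */
a:link,
a:visited,
a:hover,
a:active {text-decoration: none; color: #FFCCCC;}
/* NOTE(review): this hides the keyboard focus outline on links. */
a:focus {outline-style: none;}

body {background-color: #000; margin: 4px; padding: 0;}

/* Outer frame around the whole tool. */
.main_window {
   width: 99%;
   border: 1px solid #ccc;
   padding: 5px 5px 15px 5px;
   background-color: #000033;
}

/* Banner with the tool name. */
.title_window {
   width: 90%;
   height: auto;
   background-color: #330099;
   text-align: center;
   padding: 5px 0 5px 0;
   margin: 0 0 10px 0;
   border: 1px solid #CCCCFF;
   font-family: impact;
   font-size: 30px;
   color: #FFF;
}

/* One bar per scanned file. */
.file_window {
   width: 88%;
   background-color: #339933;
   text-align: left;
   padding: 1px 0 1px 10px;
   margin: 10px 0 3px 0;
   border: 1px solid #66CC66;
   color: #CCFFCC;
}

/* Result rows: red = remote file inclusion and error messages,
   blue = SQL and info messages, orange = command execution and custom search. */
.rfi_window {
   width: 84%;
   background-color: #000;
   text-align: left;
   padding: 1px 0 1px 10px;
   margin: 0 0 3px 0;
   border: 1px solid #FF3366;
   color: #FFCCCC;
   text-decoration: none;
}
.sql_window {
   width: 84%;
   background-color: #000;
   text-align: left;
   padding: 1px 0 1px 10px;
   margin: 0 0 3px 0;
   border: 1px solid #3399FF;
   color: #99CCFF;
   text-decoration: none;
}
.rce_window {
   width: 84%;
   background-color: #000;
   text-align: left;
   padding: 1px 0 1px 10px;
   margin: 0 0 3px 0;
   border: 1px solid #FF9933;
   color: #FFCC99;
   text-decoration: none;
}

/* Context panel under a result row. It starts hidden and out of the flow;
   mouseDown_Action() switches visibility and position together. */
.code_window {
   width: 80%;
   background-color: #333;
   text-align: left;
   padding: 10px 10px 10px 10px;
   margin: 5px 0 10px 0;
   border: 1px solid #003399;
   color: #CCCCFF;
   visibility: hidden;
   position: absolute;
}

/* Form controls. */
input.user_input {
   margin: 0 0 5px 0;
   padding: 0 2px 0 2px;
   background-color: #333366;
   border: 1px solid #CCCCFF;
   color: #CCCCFF;
}
input.button {
   margin: 0 0 5px 0;
   background-color: #333366;
   border: 1px solid #CCCCFF;
   color: #CCCCFF;
}
label.button {
   margin: 0 5px 0 4px;
   color: #CCCCFF;
}
select.user_select {
   margin: 0 0 5px 0;
   background-color: #333366;
   border: 1px solid #CCCCFF;
   color: #CCCCFF;
}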
</style>
</head>
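<!-- No onload handler: the earlier one called makerequest(), which this page never defines, so it only raised a script error on load. -->
<body>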
<center>
<div class="main_window">
<div class="title_window">PHP Source Analyzer by Delicon</div>
 
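<form name="user_form" action="index.php" method="get">
<?php
   // Read the submitted values once. isset() avoids undefined-index notices on the first
   // visit, and is_string() rejects array-style parameters (custom_search[]=...).
   $form_style  = (isset($_GET["search_style"]) && is_string($_GET["search_style"])) ? $_GET["search_style"] : "";
   $form_custom = (isset($_GET["custom_search"]) && is_string($_GET["custom_search"])) ? $_GET["custom_search"] : "";
   $form_rfi    = isset($_GET["RFI"]) && $_GET["RFI"] == "on";
   $form_sql    = isset($_GET["SQL"]) && $_GET["SQL"] == "on";
   $form_rce    = isset($_GET["RCE"]) && $_GET["RCE"] == "on";
?>
   <select id="user_select" class="user_select" name="search_style" onmouseover="mouseOver_Action('user_select', '#333399');" onmouseout="mouseOut_Action('user_select', '#333366');">
      <option<?php if ($form_style == "Directory") { echo " selected"; } ?>>Directory</option>
      <option<?php if ($form_style == "File") { echo " selected"; } ?>>File</option>
   </select>
   <input id="user_input" class="user_input" value="" name="source_dir" size="80" onmouseover="mouseOver_Action('user_input', '#333399');" onmouseout="mouseOut_Action('user_input', '#333366');">

   <input id="analyze" class="button" value="Analyse" type="submit" onmouseover="mouseOver_Action('analyze', '#333399');" onmouseout="mouseOut_Action('analyze', '#333366');">
   <input id="reset" class="button" type="reset" onmouseover="mouseOver_Action('reset', '#333399');" onmouseout="mouseOut_Action('reset', '#333366');"><br>
   <!-- Each label is tied to its checkbox with for/id so clicking the text toggles the box. -->
   <input id="rfi_check" class="button" type="checkbox" name="RFI"<?php if ($form_rfi) { echo " checked"; } ?>><label class="button" for="rfi_check">Remote File Inc.</label>
   <input id="sql_check" class="button" type="checkbox" name="SQL"<?php if ($form_sql) { echo " checked"; } ?>><label class="button" for="sql_check">SQL</label>
   <input id="rce_check" class="button" type="checkbox" name="RCE"<?php if ($form_rce) { echo " checked"; } ?>><label class="button" for="rce_check">Remote Command Execute</label>


<fieldset style="color:#CCCCFF; border-width:1px; border-color:#CCCCFF; width:50%; background-color:#333366; margin:0 0 5px 0">
<legend>Custum Search</legend>
<!-- The previous search string is written back into the value attribute. It comes from the
     query string, so it is HTML-encoded (quotes included) to keep it inside the attribute. -->
<label class="button" for="custom_search">Search String: </label><input id="custom_search" class="user_input" value="<?php echo htmlspecialchars($form_custom, ENT_QUOTES, 'UTF-8'); ?>" name="custom_search" size="80" onmouseover="mouseOver_Action('custom_search', '#333399');" onmouseout="mouseOut_Action('custom_search', '#333366');" style="margin:0;">
</fieldset>
</form>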
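<?php

/*----------------------------------------------------------------------------------------------
INPUT VALIDATION AND DIRECTORY RECURSION
Checks the requested path, then fills $php_listing with the files the syntax search will read.

NOTE(review): source_dir comes straight from the query string, so this page lists and reads
any path the web server account can reach. Keep it on a local, non-public host, or confine
source_dir to a configured project root before running it anywhere shared.
-------------------------------------------------------------------------------------------------*/
// isset()/is_string() keep a missing or array-valued parameter from raising notices below.
$source_dir   = (isset($_GET["source_dir"]) && is_string($_GET["source_dir"])) ? $_GET["source_dir"] : "";
$search_style = (isset($_GET["search_style"]) && is_string($_GET["search_style"])) ? $_GET["search_style"] : "";

if ($source_dir === "") {
   echo '<div class="sql_window">[INFO] Please enter a directory [INFO]</div>';
   exit;
}

// The path is printed back into the page in the error messages, so encode it for HTML first.
$source_dir_html = htmlspecialchars($source_dir, ENT_QUOTES, 'UTF-8');

if ($search_style == "Directory") {
   if (!is_dir($source_dir)) {
      echo '<div class="rfi_window">[Error]  ' . $source_dir_html . ' does not exist or is not a directory [Error]</div>';
      exit;
   }
} elseif (!is_file($source_dir)) {
   // Any search style other than "Directory" is handled as a single-file scan.
   echo '<div class="rfi_window">[Error]  ' . $source_dir_html . ' does not exist or is not a file [Error]</div>';
   exit;
}

// Directory root with exactly one trailing separator. DIRECTORY_SEPARATOR replaces the
// hard-coded backslash so the walk also works outside Windows.
$base_dir    = rtrim($source_dir, "/\\") . DIRECTORY_SEPARATOR;
$dir_listing = array($base_dir);      // queue of directories to read; it grows while it is walked
$php_listing = array();               // files found for the syntax search

if ($search_style == "Directory") {
   for ($x = 0; $x < count($dir_listing); $x++) {
      $curr_directory = $dir_listing[$x];
      $dir_handle = @opendir($curr_directory);
      if ($dir_handle === false) {
         // Unreadable directory: report it and move on instead of reading from a dead handle.
         echo '<div class="sql_window">[INFO] Could not open ' . htmlspecialchars($curr_directory, ENT_QUOTES, 'UTF-8') . ' [INFO]</div>';
         continue;
      }
      while (false !== ($file = readdir($dir_handle))) {
         if ($file == "." || $file == "..") {
            continue;                                  // current and parent directory entries
         }
         $curr_file = $curr_directory . $file;
         if (is_dir($curr_file)) {
            // Symbolic links to directories are not followed, so a link cycle cannot make the walk endless.
            if (!is_link($curr_file)) {
               $dir_listing[] = $curr_file . DIRECTORY_SEPARATOR;
            }
         } elseif (is_file($curr_file) && strpos($file, ".php") !== false) {
            // Same test as before: ".php" anywhere in the name, which also picks up names like x.php.bak.
            $php_listing[] = $curr_file;
         }
      }
      closedir($dir_handle);
   }
} else {
   // Single-file mode scans the path itself. Appending a separator to it made the later open fail.
   $php_listing[] = $source_dir;
}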
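/*-------------------------------------------------------------------------------------------
SOURCE SYNTAX SEARCH SETUP
Defines the strings to look for. A hit marks a line for manual review; it does not
show that the line is exploitable.
--------------------------------------------------------------------------------------------*/
// Custom search: a comma-separated list typed by the user. Both variables are always
// defined, so the scan can test $custom_search without raising a notice.
$custom_search = "off";
$vuln_custom_syntax = array();
if (isset($_GET['custom_search']) && is_string($_GET['custom_search'])) {
   foreach (explode(',', $_GET['custom_search']) as $term) {
      // "a,,b" or a trailing comma yields empty terms. An empty search string is not a
      // usable needle for the substring functions, so it is dropped here.
      if ($term !== "") {
         $vuln_custom_syntax[] = $term;
      }
   }
   if (count($vuln_custom_syntax) > 0) {
      $custom_search = "on";
   }
}

// Built-in keyword lists, one per checkbox on the form.
// NOTE(review): the keywords are mostly upper-case, while PHP source usually spells these
// calls in lower case (include, system, ...). The comparison against each line therefore
// has to ignore case (stripos); a case-sensitive substr_count() misses most real code.
$vuln_rfi_syntax = array("REQUIRE", "INCLUDE", "EMPTY", "READFILE", "FREAD", "FWRITE", "writefile", "FOPEN","_GET", "_POST", "_SESSION", "_REQUEST", "_USER", "EVAL");
$vuln_sql_syntax = array("sql", "dbquery", "query", "WHERE", "SELECT", "DELETE", "INSERT");
$vuln_rce_syntax = array("POPEN", "SYSTEM", "EVAL", "PASSTHRU");

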
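/*-------------------------------------------------------------------------------------------
SCAN LOOP
Reads every file in $php_listing and prints one row per line that contains a search string,
with a hidden panel of surrounding lines that mouseDown_Action() toggles.

Changes from the earlier version of this loop:
 - Keywords are compared case-insensitively (stripos) against the raw line. The old code ran
   strip_tags() on the line first, which deletes anything that looks like a tag, including
   one-line PHP open/close blocks, so those lines could never match.
 - Everything taken from the scanned file or its path is written with htmlspecialchars().
   File contents are untrusted text and must reach the browser encoded, not partially deleted.
 - Only lines that START with a comment marker are skipped. Skipping every line that merely
   contained "//" also hid code lines carrying a trailing comment or a URL.
 - The line loop stops at the last line, the context window is clamped to the file, line
   numbers are 1-based, and an unreadable or empty file no longer breaks the read.
 - A line is reported once, under the first enabled group that matches it.
--------------------------------------------------------------------------------------------*/
$html_flags     = ENT_QUOTES | ENT_SUBSTITUTE;   // encode quotes too; replace invalid bytes instead of returning ""
$context_before = 10;                            // lines of context shown before a hit
$context_after  = 10;                            // lines of context shown after a hit

// Enabled keyword groups in the order they are tried: search strings, row CSS class, hover colour.
$scan_groups = array();
if (isset($custom_search) && $custom_search == "on" && isset($vuln_custom_syntax) && is_array($vuln_custom_syntax)) {
   $scan_groups[] = array($vuln_custom_syntax, "rce_window", "#CC6600");
}
if (isset($_GET["RFI"]) && $_GET["RFI"] == "on") {
   $scan_groups[] = array($vuln_rfi_syntax, "rfi_window", "#CC0000");
}
if (isset($_GET["SQL"]) && $_GET["SQL"] == "on") {
   $scan_groups[] = array($vuln_sql_syntax, "sql_window", "#666699");
}
if (isset($_GET["RCE"]) && $_GET["RCE"] == "on") {
   $scan_groups[] = array($vuln_rce_syntax, "rce_window", "#CC6600");
}

$vuln_count = 1;      // numbers the v<N>/c<N> element ids handed to the JavaScript handlers
for ($z = 0; $z < count($php_listing); $z++) {
   $filename = $php_listing[$z];

   echo "<!--New File Started-->\n";
   echo "<div class='file_window'>Filename: " . htmlspecialchars($filename, $html_flags, 'UTF-8') . "</div>\n";

   $contents = @file_get_contents($filename);
   if ($contents === false) {
      echo '<div class="sql_window">[INFO] Could not read this file [INFO]</div>' . "\n";
      continue;
   }
   $exp_content = explode("\n", $contents);      // one array entry per source line
   $line_total  = count($exp_content);

   for ($i = 0; $i < $line_total; $i++) {
      $line    = rtrim($exp_content[$i], "\r");   // drop the CR of CRLF files
      $trimmed = ltrim($line);
      if ($line === ""
         || strpos($trimmed, "//") === 0
         || strpos($trimmed, "/*") === 0
         || strpos($trimmed, "*") === 0
         ) {
         continue;                                // empty line or comment-only line
      }

      foreach ($scan_groups as $group) {
         list($needles, $css_class, $hover_color) = $group;
         foreach ($needles as $needle) {
            if ($needle === "" || stripos($line, $needle) === false) {
               continue;
            }

            $row_id  = "v" . $vuln_count;
            $code_id = "c" . $vuln_count;
            // The ids and colours below are built from constants and a counter, never from request or file data.
            echo '<div id="' . $row_id . '" class="' . $css_class . '"'
               . ' onmouseover="mouseOver_Action(\'' . $row_id . '\', \'' . $hover_color . '\');"'
               . ' onmouseout="mouseOut_Action(\'' . $row_id . '\', \'#000\');"'
               . ' onmousedown="mouseDown_Action(\'' . $code_id . '\');">';
            echo 'line# ' . ($i + 1) . ':  ' . htmlspecialchars($line, $html_flags, 'UTF-8') . "\n";
            echo '<div id="' . $code_id . '" class="code_window" style="visibility:hidden">' . "\n";

            // Context window, clamped so it never reads before the first or past the last line.
            $first = max(0, $i - $context_before);
            $last  = min($line_total - 1, $i + $context_after);
            for ($y = $first; $y <= $last; $y++) {
               echo htmlspecialchars(rtrim($exp_content[$y], "\r"), $html_flags, 'UTF-8') . "<br />\n";
            }
            echo "</div></div>\n";

            $vuln_count++;
            continue 3;                           // line reported: go on to the next source line
         }
      }
   }
}
?>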
</div>
</center>
</body>
</html>
