PHP Scanner
ID: php-scanner
Severity: info
Author: geeknik
Tags: php,file
Description
Section titled “Description”YAML Source
Section titled “YAML Source”id: php-scanner
info: name: PHP Scanner author: geeknik severity: info tags: php,filefile: - extensions: - html - htm - phtml - php - php3 - php4 - php5 - phps - cgi - inc - tpl - test - module - plugin
extractors: - type: regex # Investigate for possible SQL Injection # Likely vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = $user_id"); # Likely not Vulnerable: $dbConn->GetRow("SELECT * FROM users WHERE id = ?", array('$user_id')); regex: - '(?i)getone|getrow|getall|getcol|getassoc|execute|replace'
- type: regex # Warn when var_dump is found regex: - 'var_dump'
- type: regex # Warn when display_errors is enabled manually regex: - 'display_errors'
- type: regex # Avoid the use of eval() regex: - 'eval' - 'eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))'
- type: regex # Avoid the use of exit or die() regex: - 'exit' - 'die'
- type: regex # Avoid the use of logical operators (ex. using and over &&) regex: - 'and'
- type: regex # Avoid the use of the ereg* functions (now deprecated) regex: - 'ereg'
- type: regex # Ensure that the second parameter of extract is set to not overwrite (not EXTR_OVERWRITE) regex: - 'extract'
- type: regex # Checking output methods (echo, print, printf, print_r, vprintf, sprintf) that use variables in their options regex: - 'echo' - 'print' - 'printf' - 'print_r' - 'vprintf' - 'sprintf'
- type: regex # Ensuring you're not using echo with file_get_contents regex: - 'file_get_contents'
- type: regex # Testing for the system execution functions and shell exec (backticks) regex: - '\\`'
- type: regex # Use of readfile, readlink and readgzfile regex: - 'readfile' - 'readlink' - 'readgzfile'
- type: regex # Using parse_str or mb_parse_str (writes values to the local scope) regex: - 'parse_st' - 'mb_parse_str'
- type: regex # Using session_regenerate_id either without a parameter or using false regex: - 'session_regenerate'
- type: regex # Avoid use of $_REQUEST (know where your data is coming from) regex: - '\\$_REQUEST'
- type: regex # Don't use mysql_real_escape_string regex: - 'mysql_real_escape_string'
- type: regex # Avoiding use of import_request_variables regex: - 'import_request_variables'
- type: regex # Avoid use of GLOBALS regex: - 'GLOBALS'
- type: regex regex: - '_GET'
- type: regex regex: - '_POST'
- type: regex regex: - '_COOKIE'
- type: regex regex: - '_SESSION'
- type: regex # Ensure the use of type checking validating against booleans (===) regex: - '\\=\\=\\='
- type: regex # Ensure that the /e modifier isn't used in regular expressions (execute) regex: - '\\/e'
- type: regex # Using concatenation in header() calls regex: - 'header'
- type: regex # Avoiding the use of $http_raw_post_data regex: - '\\$http_raw_post_data'
- type: regex # interesting functions for POP/Unserialize regex: - "__autoload" - "__destruct" - "__wakeup" - "__toString" - "__call" - "__callStatic" - "__get" - "__set" - "__isset" - "__unset"
- type: regex # phpinfo detected regex: - "phpinfo"
- type: regex # registerPHPFunctions() allows code exec in XML regex: - "registerPHPFunctions"
- type: regex regex: - "session_start"
- type: regex # dBase DBMS regex: - "dbase_open"
- type: regex # DB++ DBMS regex: - "dbplus_open" - "dbplus_ropen"
- type: regex # Frontbase DBMS regex: - "fbsql_connect"
- type: regex # Informix DBMS regex: - "ifx_connect"
- type: regex # IBM DB2 DBMS regex: - "db2_(p?)connect"
- type: regex # FTP server regex: - "ftp_(ssl_)?connect"
- type: regex # Ingres DBMS regex: - "ingres_(p?)connect"
- type: regex # LDAP server regex: - "ldap_connect"
- type: regex # msession server regex: - "msession_connect"
- type: regex # mSQL DBMS regex: - "msql_(p?)connect"
- type: regex # MsSQL DBMS regex: - "mssql_(p?)connect"
- type: regex # MySQL DBMS regex: - "mysql_(p?)connect"
- type: regex # MySQLi Extension regex: - "mysqli((_real)?_connect)?|_query"
- type: regex # Oracle OCI8 DBMS regex: - "oci|(_new?)|_connect|(n?|p?)logon"
- type: regex # Oracle DBMS regex: - "ora_(p?)connect"
- type: regex # Ovrimos SQL DBMS regex: - "ovrimos_connect"
- type: regex # PostgreSQL DBMS regex: - "pg_(p?)connect"
- type: regex # SQLite DBMS regex: - "sqlite_(p?)open"
- type: regex # SQLite3 DBMS regex: - "SQLite3"
- type: regex # Sybase DBMS regex: - "sybase_(p?)connect"
- type: regex # TokyoTyrant DBMS regex: - "TokyoTyrant"
- type: regex # XML document regex: - "x(ptr|path)_new_context"
- type: regex # Investigate if GetTableFields is called safely regex: - "GetTableFields"
- type: regex regex: - "ini_get.*magic_quotes_gpc.*"# digest: 490a0046304402203f6811dc2a15f2567e7db40b36375c46eea0111cfa90c277dfb7c22c0606a9a702205fd1e3744793a2404c0ec8337066156d584806f08bffe5cfbc508686a2de3925:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "file/php/php-scanner.yaml"