Ajout de /doc & /tests/res. Début de détection de sign. basée sur PHPWebshellDetector

d505a4bc · Enzo · 1305d0b7 · d505a4bc · d505a4bc · d505a4bc
Commit d505a4bc authored 7 years ago by Enzo
--- a/index.php
+++ b/index.php
 <?php
    
-    require_once 'const.php';
+    require_once 'src/const.php';
    require_once 'src/util.php';

    //FIXME remove it
@@ -33,7 +33,7 @@
            return "Symlink are not allowed";
        }
        if(strposOnArray($pFileName, array(" ", '"', "'", "&", "/", "\\", "?", "#", chr(0)))){
-            $this->kill("File name contains almost one bad char");
+            $this->kill("File name contains at least one bad char");
        }
        return 1;
    }

--- a/src/Analyzer.php
+++ b/src/Analyzer.php
 <?php
 namespace AnalyzerNS;

+require_once 'util.php';
+
 class Analyzer
 {
    
    private $fileName;
    private $fileContent;
+    private $tokens;
    
    public function analyze($pFileName)
    {
@@ -14,10 +17,11 @@ class Analyzer
        } else {
            $this->fileName= $pFileName;
            $this->fileContent = file_get_contents($this->fileName);
+            $this->tokens = token_get_all($this->fileContent);
+            //print_r($this->tokens);
        }
    }
-    
-    
+   
    /**
     * //FIXME kill properly
     * @param string $message
@@ -27,6 +31,24 @@ class Analyzer
        die($message);
    }
    
+    /**
+     * Basic. Searches dangerous function names allowing to execute commands
+     * @return boolean. True if dangerous functions are found.
+     */
+    private function searchExecCmdFunctions()
+    {
+        $funcs = array("exec", "passthru", "popen", "proc_open", "pcntl_exec", "shell_exec", "system");
+        if (strposOnArray($this->fileContent, $funcs) === false) {
+            foreach ($this->tokens as $token) {
+                if (!is_array($token) && $token === "`") {
+                    return true;
+                }
+            }
+            return false;
+        }
+        return true;
+    }
+    
    /**
     * Searches for non-ASCII characters, often used in obfuscated files
     * @return number

--- a/src/util.php
+++ b/src/util.php
 <?php
-namespace Analyzer;
+namespace AnalyzerNS;

 /**
 * Apply the strpos function with an array of parameters
@@ -18,4 +18,56 @@ function strposOnArray($haystack, $arrayOfWords)
        }
        return false;
    }
+    return true;
+}
+
+/**
+ * Removes all carriage returns and/or line feeds
+ * @param $string
+ * @return NULL|$string
+ */
+function removeCRLF($string)
+{
+    return $string ? str_replace(PHP_EOL, '', $string) : null;
+}
+
+/**
+* Removes whites spaces if the are repeateds
+* @param $string
+* @return NULL|string without repeated white spaces
+*/
+function removeMultiWhiteSpaces($string)
+{
+    return $string ? preg_replace('/\s{2,}/', ' ', $string) : null;
+}
+
+/**
+ * Removes all whites spaces
+ * @param $string
+ * @return NULL|string whitout any white spaces
+ */
+function removeAllWhiteSpaces($string)
+{
+    return $string ? preg_replace('/\s+/', ' ', $string) : null;
+}
+
+/**
+ * Removew white spaces outside strings
+ * @param $string
+ * @return NULL|string
+ */
+function removeWhiteSpacesOutsideString($tokens)
+{
+    if (!$tokens) {
+        return null;
+    }
+    $retString = '';
+    foreach ($tokens as $x) {
+        if (!is_array($x)) {
+            $retString.=$x;
+        } else {
+            $retString.=(is_integer($x[0]) && $x[0] == T_WHITESPACE ? ' ':$x[1]);
+        }
+    }
+    return $retString;
 }
--- a/tests/AnalyzerTest.php
+++ b/tests/AnalyzerTest.php
@@ -12,7 +12,7 @@ class AnalyzerTest extends TestCase
    public function testTestMe()
    {
        $analyzer = new Analyzer();
-        $analyzer->analyze(__DIR__."/../src/test.php");
-        $this->assertTrue($analyzer->testMe("searchNonASCIIChars") >0);
+        $analyzer->analyze(__DIR__."/res/test.php");
+        $this->assertTrue($analyzer->testMe("searchExecCmdFunctions") >0);
    }
 }