From d505a4bc626dea9d6714c0be7361b3e0f9652465 Mon Sep 17 00:00:00 2001
From: Enzo <enzo@localhost.localdomain>
Date: Sun, 12 Nov 2017 19:19:50 +0100
Subject: [PATCH] =?UTF-8?q?Ajout=20de=20/doc=20&=20/tests/res.=20D=C3=A9bu?=
 =?UTF-8?q?t=20de=20d=C3=A9tection=20de=20sign.=20bas=C3=A9e=20sur=20PHPWe?=
 =?UTF-8?q?bshellDetector?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 index.php | 4 ++--
 src/Analyzer.php | 26 ++++++++++++++++++--
 src/util.php | 54 +++++++++++++++++++++++++++++++++++++++++-
 tests/AnalyzerTest.php | 4 ++--
 4 files changed, 81 insertions(+), 7 deletions(-)
diff --git a/index.php b/index.php
index f320144..2666d66 100644
--- a/index.php
+++ b/index.php
@@ -1,6 +1,6 @@
 <?php
- require_once 'const.php';
+ require_once 'src/const.php';
 require_once 'src/util.php';
 //FIXME remove it
@@ -33,7 +33,7 @@
 return "Symlink are not allowed";
 }
 if(strposOnArray($pFileName, array(" ", '"', "'", "&", "/", "\\", "?", "#", chr(0)))){
- $this->kill("File name contains almost one bad char");
+ $this->kill("File name contains at least one bad char");
 }
 return 1;
 }
diff --git a/src/Analyzer.php b/src/Analyzer.php
index addec08..c3a2aee 100644
--- a/src/Analyzer.php
+++ b/src/Analyzer.php
@@ -1,11 +1,14 @@
 <?php
 namespace AnalyzerNS;
+require_once 'util.php';
+
 class Analyzer
 {
 private $fileName;
 private $fileContent;
+ private $tokens;
 public function analyze($pFileName)
 {
@@ -14,10 +17,11 @@ class Analyzer
 } else {
 $this->fileName= $pFileName;
 $this->fileContent = file_get_contents($this->fileName);
+ $this->tokens = token_get_all($this->fileContent);
+ //print_r($this->tokens);
 }
 }
-
-
+
 /**
 * //FIXME kill properly
 * @param string $message
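Review bot: `require_once 'util.php';` added near the top of src/Analyzer.php is a bare relative path, which PHP resolves through the include_path first and only afterwards relative to the including file's directory, so any util.php that sits earlier on the include_path silently shadows src/util.php. Anchoring the include to the file makes the lookup deterministic: `require_once __DIR__ . '/util.php';`. The new `private $tokens;` in the same hunk is undocumented; a comment such as `// token_get_all() output of the analyzed file, populated by analyze()` would tell readers of the search*() methods where it comes from.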
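Review bot: `$this->tokens = token_get_all($this->fileContent);` in analyze() tokenizes whatever `file_get_contents()` returned on the line above, and that value is `false` when the read fails, so the later checks see an empty haystack and an empty token list and report an unreadable file as clean. Check the read before tokenizing, e.g. `if ($this->fileContent === false) { $this->kill("Cannot read file"); }`, so a read failure is reported instead of passing silently. The commented-out `//print_r($this->tokens);` debug line should be dropped rather than committed. analyze() begins above this hunk, so the branch that handles the other case of its `if` is not visible here.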
@@ -27,6 +31,24 @@ class Analyzer
 die($message);
 }
+ /**
+ * Basic. Searches dangerous function names allowing to execute commands
+ * @return boolean. True if dangerous functions are found.
+ */
+ private function searchExecCmdFunctions()
+ {
+ $funcs = array("exec", "passthru", "popen", "proc_open", "pcntl_exec", "shell_exec", "system");
+ if (strposOnArray($this->fileContent, $funcs) === false) {
+ foreach ($this->tokens as $token) {
+ if (!is_array($token) && $token === "`") {
+ return true;
+ }
+ }
+ return false;
+ }
+ return true;
+ }
+
 /**
 * Searches for non-ASCII characters, often used in obfuscated files
 * @return number
diff --git a/src/util.php b/src/util.php
index 0bd7410..dafeca7 100644
--- a/src/util.php
+++ b/src/util.php
@@ -1,5 +1,5 @@
 <?php
-namespace Analyzer;
+namespace AnalyzerNS;
 /**
 * Apply the strpos function with an array of parameters
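Review bot: `strposOnArray($this->fileContent, $funcs)` in searchExecCmdFunctions() is a plain byte-substring search, so `system` matches inside `filesystem` or a comment, `exec` matches `execute`, and an identifier written in another letter case (PHP resolves function names case-insensitively) is not matched at all. The method already has `$this->tokens` from analyze(); walking them and comparing `T_STRING` tokens case-insensitively against `$funcs` yields far fewer false positives and folds naturally into the existing backtick loop, which the rewrite below keeps. The signature and the boolean contract are unchanged; a `T_STRING` match still fires on a method or constant that happens to carry one of these names, which a follow-up could narrow by inspecting the neighbouring tokens.
```php
private function searchExecCmdFunctions()
{
    $funcs = array("exec", "passthru", "popen", "proc_open", "pcntl_exec", "shell_exec", "system");
    foreach ($this->tokens as $token) {
        if (!is_array($token)) {
            // Single-character tokens: the backtick is the shell-execution operator.
            if ($token === "`") {
                return true;
            }
            continue;
        }
        // Identifiers arrive as T_STRING; compare case-insensitively because
        // PHP resolves function names without regard to case.
        if ($token[0] === T_STRING && in_array(strtolower($token[1]), $funcs, true)) {
            return true;
        }
    }
    return false;
}
```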
@@ -18,4 +18,56 @@ function strposOnArray($haystack, $arrayOfWords)
 }
 return false;
 }
+ return true;
+}
+
+/**
+ * Removes all carriage returns and/or line feeds
+ * @param $string
+ * @return NULL|$string
+ */
+function removeCRLF($string)
+{
+ return $string ? str_replace(PHP_EOL, '', $string) : null;
+}
+
+/**
+* Removes whites spaces if the are repeateds
+* @param $string
+* @return NULL|string without repeated white spaces
+*/
+function removeMultiWhiteSpaces($string)
+{
+ return $string ? preg_replace('/\s{2,}/', ' ', $string) : null;
+}
+
+/**
+ * Removes all whites spaces
+ * @param $string
+ * @return NULL|string whitout any white spaces
+ */
+function removeAllWhiteSpaces($string)
+{
+ return $string ? preg_replace('/\s+/', ' ', $string) : null;
+}
+
+/**
+ * Removew white spaces outside strings
+ * @param $string
+ * @return NULL|string
+ */
+function removeWhiteSpacesOutsideString($tokens)
+{
+ if (!$tokens) {
+ return null;
+ }
+ $retString = '';
+ foreach ($tokens as $x) {
+ if (!is_array($x)) {
+ $retString.=$x;
+ } else {
+ $retString.=(is_integer($x[0]) && $x[0] == T_WHITESPACE ? ' ':$x[1]);
+ }
+ }
+ return $retString;
 }
diff --git a/tests/AnalyzerTest.php b/tests/AnalyzerTest.php
index 49b17c2..7e880a7 100644
--- a/tests/AnalyzerTest.php
+++ b/tests/AnalyzerTest.php
@@ -12,7 +12,7 @@ class AnalyzerTest extends TestCase
 public function testTestMe()
 {
 $analyzer = new Analyzer();
- $analyzer->analyze(__DIR__."/../src/test.php");
- $this->assertTrue($analyzer->testMe("searchNonASCIIChars") >0);
+ $analyzer->analyze(__DIR__."/res/test.php");
+ $this->assertTrue($analyzer->testMe("searchExecCmdFunctions") >0);
 }
 }
-- 
GitLab
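Review bot: removeAllWhiteSpaces() does not do what its docblock says: `preg_replace('/\s+/', ' ', $string)` collapses each whitespace run to a single space, which is what removeMultiWhiteSpaces() already does; removing all whitespace needs an empty replacement, `preg_replace('/\s+/', '', $string)`. removeCRLF() has a similar gap, since `str_replace(PHP_EOL, '', $string)` strips only the host platform's line ending and a file using the other convention keeps its `\r` or `\n`; `str_replace(array("\r\n", "\r", "\n"), '', $string)` covers both. The three string helpers also return `null` for the string `"0"` because `$string ? … : null` tests truthiness, not emptiness. The `+ return true;` that lands right after strposOnArray()'s closing brace at the top of the hunk appears to sit outside any function; the diff markers may have been mangled in this copy, so please verify that line against the actual file.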
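Review bot: `$this->assertTrue($analyzer->testMe("searchExecCmdFunctions") >0)` compares the boolean that searchExecCmdFunctions() documents against an integer; `true > 0` happens to hold in PHP, but the assertion reads as though a count were expected. Assert the boolean directly, `$this->assertTrue($analyzer->testMe("searchExecCmdFunctions"));`, and add a second case on a fixture that contains none of the listed names so the substring matching in strposOnArray() is also exercised for false positives. The fixture tests/res/test.php is not part of this diff, so what it contains is not visible here.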