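 def test_vuln_func_get_sources_1(self):
     """A $_GET value that passes through a user function and is
     concatenated into exec() must be reported with exactly one
     vulnerable source, 'bar'."""
     code = '''
     <?
         $eggs = $_GET['bar'];
         $foo = func($eggs);
         $a = 'ls ' . $foo;
         exec($a);
     ?>
     '''
     analyzer = PhpSCA(code)
     # Only vulnerable calls are requested; the exec() call is expected
     # to be the first (and only) entry.
     execfunc = analyzer.get_func_calls(vuln=True)[0]
     # Two separate assertions instead of assertTrue(a and b) so a
     # failure message says which half broke.
     self.assertEqual(1, len(execfunc.vulnsources))
     self.assertIn('bar', execfunc.vulnsources)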
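 def test_vuln_func_get_sources_1(self):
     """A $_GET value that passes through a user function and is
     concatenated into exec() must be reported with exactly one
     vulnerable source, 'bar'."""
     code = '''
     <?
         $eggs = $_GET['bar'];
         $foo = func($eggs);
         $a = 'ls ' . $foo;
         exec($a);
     ?>
     '''
     analyzer = PhpSCA(code)
     # Only vulnerable calls are requested; the exec() call is expected
     # to be the first (and only) entry.
     execfunc = analyzer.get_func_calls(vuln=True)[0]
     # Two separate assertions instead of assertTrue(a and b) so a
     # failure message says which half broke.
     self.assertEqual(1, len(execfunc.vulnsources))
     self.assertIn('bar', execfunc.vulnsources)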
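 def test_vuln_functions_3(self):
     """system() fed through escapeshellarg() must not be flagged,
     whether the sanitizer is applied via a variable, inline, or
     wrapped in an unknown user function."""
     code = '''
     <?php
       $var1 = escapeshellarg($_GET['param']);
       system($var1);
       system(escapeshellarg($_GET['param']));
       system(myfunc(escapeshellarg($_GET['param'])));
     ?>
     '''
     analyzer = PhpSCA(code)
     syscall1, syscall2, syscall3 = analyzer.get_func_calls()
     # All three must be SAFE!  (assertEquals is a deprecated alias that
     # was removed in Python 3.12; assertEqual is the supported name.)
     self.assertEqual(0, len(syscall1.vulntypes))
     self.assertEqual(0, len(syscall2.vulntypes))
     self.assertEqual(0, len(syscall3.vulntypes))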
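 def test_vuln_functions_3(self):
     """system() fed through escapeshellarg() must not be flagged,
     whether the sanitizer is applied via a variable, inline, or
     wrapped in an unknown user function."""
     code = '''
     <?php
       $var1 = escapeshellarg($_GET['param']);
       system($var1);
       system(escapeshellarg($_GET['param']));
       system(myfunc(escapeshellarg($_GET['param'])));
     ?>
     '''
     analyzer = PhpSCA(code)
     syscall1, syscall2, syscall3 = analyzer.get_func_calls()
     # All three must be SAFE!  (assertEquals is a deprecated alias that
     # was removed in Python 3.12; assertEqual is the supported name.)
     self.assertEqual(0, len(syscall1.vulntypes))
     self.assertEqual(0, len(syscall2.vulntypes))
     self.assertEqual(0, len(syscall3.vulntypes))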
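    def test_vuln_functions_2(self):
        """A $_GET value reaching system() and an echoed
        file_get_contents() must be flagged as OS_COMMANDING and XSS
        respectively; FILE_DISCLOSURE on the echo is a known gap."""
        code = '''
        <?
          $foo = $_GET['bar'];
          system('ls ' . $foo);
          echo file_get_contents($foo);
        ?>
        '''
        analyzer = PhpSCA(code)
        syscall, echocall = analyzer.get_func_calls()
        self.assertIn('OS_COMMANDING', syscall.vulntypes)
        self.assertIn('XSS', echocall.vulntypes)

        # FIXME: Not sure why this is failing... not important at the moment.
        # The original raised SkipTest unconditionally, which left the
        # FILE_DISCLOSURE assertion unreachable.  Skip only when the check
        # actually fails, so the test turns green by itself once the
        # analyzer starts reporting the file disclosure.
        if 'FILE_DISCLOSURE' not in echocall.vulntypes:
            raise SkipTest('FIXME')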
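    def test_vuln_functions_2(self):
        """A $_GET value reaching system() and an echoed
        file_get_contents() must be flagged as OS_COMMANDING and XSS
        respectively; FILE_DISCLOSURE on the echo is a known gap."""
        code = '''
        <?
          $foo = $_GET['bar'];
          system('ls ' . $foo);
          echo file_get_contents($foo);
        ?>
        '''
        analyzer = PhpSCA(code)
        syscall, echocall = analyzer.get_func_calls()
        self.assertIn('OS_COMMANDING', syscall.vulntypes)
        self.assertIn('XSS', echocall.vulntypes)

        # FIXME: Not sure why this is failing... not important at the moment.
        # The original raised SkipTest unconditionally, which left the
        # FILE_DISCLOSURE assertion unreachable.  Skip only when the check
        # actually fails, so the test turns green by itself once the
        # analyzer starts reporting the file disclosure.
        if 'FILE_DISCLOSURE' not in echocall.vulntypes:
            raise SkipTest('FIXME')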
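 def test_vuln_functions_4(self):
     """Branch sensitivity: in the if-branch $foo is overwritten with a
     constant before system(), so that call is clean; in the else-branch
     the tainted $foo reaches echo (XSS) and system() (OS_COMMANDING)."""
     code = '''
     <?
     $foo = $_GET['foo'];
     if ( $spam == $eggs ){
          $foo = 'ls';
          system($foo);
     }
     else{
          echo $foo;
          system($foo);
     }
     ?>
     '''
     analyzer = PhpSCA(code)
     # Calls are expected in source order: system (if), echo, system (else).
     sys1, echo, sys2 = analyzer.get_func_calls()
     # assertEquals is a deprecated alias removed in Python 3.12.
     self.assertEqual([], sys1.vulntypes)
     self.assertIn('XSS', echo.vulntypes)
     self.assertIn('OS_COMMANDING', sys2.vulntypes)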
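 def test_vuln_functions_1(self):
     """A system() call after $var is reassigned to a constant inside
     the if-block is clean; the system() call after the block, where
     $var may still hold the $_GET value, is OS_COMMANDING."""
     code = '''
     <?php
       $var = $_GET['bleh'];
       if ($x){
           $var = 2;
           // not vuln!
           system($var);
       }
       // vuln for OS COMMANDING!
       system($var);
     ?>
     '''
     analyzer = PhpSCA(code)
     sys1, sys2 = analyzer.get_func_calls()
     # First system call (inside the if-block) must be clean.
     # assertEquals is a deprecated alias removed in Python 3.12.
     self.assertEqual(0, len(sys1.vulntypes))
     # Second system call (after the block) must be flagged.
     self.assertIn('OS_COMMANDING', sys2.vulntypes)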
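 def test_vuln_functions_4(self):
     """Branch sensitivity: in the if-branch $foo is overwritten with a
     constant before system(), so that call is clean; in the else-branch
     the tainted $foo reaches echo (XSS) and system() (OS_COMMANDING)."""
     code = '''
     <?
     $foo = $_GET['foo'];
     if ( $spam == $eggs ){
          $foo = 'ls';
          system($foo);
     }
     else{
          echo $foo;
          system($foo);
     }
     ?>
     '''
     analyzer = PhpSCA(code)
     # Calls are expected in source order: system (if), echo, system (else).
     sys1, echo, sys2 = analyzer.get_func_calls()
     # assertEquals is a deprecated alias removed in Python 3.12.
     self.assertEqual([], sys1.vulntypes)
     self.assertIn('XSS', echo.vulntypes)
     self.assertIn('OS_COMMANDING', sys2.vulntypes)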
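 def test_vuln_functions_1(self):
     """A system() call after $var is reassigned to a constant inside
     the if-block is clean; the system() call after the block, where
     $var may still hold the $_GET value, is OS_COMMANDING."""
     code = '''
     <?php
       $var = $_GET['bleh'];
       if ($x){
           $var = 2;
           // not vuln!
           system($var);
       }
       // vuln for OS COMMANDING!
       system($var);
     ?>
     '''
     analyzer = PhpSCA(code)
     sys1, sys2 = analyzer.get_func_calls()
     # First system call (inside the if-block) must be clean.
     # assertEquals is a deprecated alias removed in Python 3.12.
     self.assertEqual(0, len(sys1.vulntypes))
     # Second system call (after the block) must be flagged.
     self.assertIn('OS_COMMANDING', sys2.vulntypes)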
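 def test_vuln_func_get_sources_3(self):
     """$_GET['foo'] passed straight into system() must be reported with
     exactly one vulnerable source, 'foo'."""
     code = '''<? system($_GET['foo']); ?>'''
     analyzer = PhpSCA(code)
     # Only vulnerable calls are requested; system() is expected first.
     execfunc = analyzer.get_func_calls(vuln=True)[0]
     # Separate assertions so a failure names the broken half.
     self.assertEqual(1, len(execfunc.vulnsources))
     self.assertIn('foo', execfunc.vulnsources)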
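 def test_vuln_func_get_sources_2(self):
     """$_REQUEST['file'] flowing through file_get_contents() into echo
     must be reported with exactly one vulnerable source, 'file'."""
     code = '''<? echo file_get_contents($_REQUEST['file']); ?>'''
     analyzer = PhpSCA(code)
     # Only vulnerable calls are requested; the echo is expected first.
     execfunc = analyzer.get_func_calls(vuln=True)[0]
     # Separate assertions so a failure names the broken half.
     self.assertEqual(1, len(execfunc.vulnsources))
     self.assertIn('file', execfunc.vulnsources)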
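 def test_vuln_func_get_sources_3(self):
     """$_GET['foo'] passed straight into system() must be reported with
     exactly one vulnerable source, 'foo'."""
     code = '''<? system($_GET['foo']); ?>'''
     analyzer = PhpSCA(code)
     # Only vulnerable calls are requested; system() is expected first.
     execfunc = analyzer.get_func_calls(vuln=True)[0]
     # Separate assertions so a failure names the broken half.
     self.assertEqual(1, len(execfunc.vulnsources))
     self.assertIn('foo', execfunc.vulnsources)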
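 def test_vuln_func_get_sources_2(self):
     """$_REQUEST['file'] flowing through file_get_contents() into echo
     must be reported with exactly one vulnerable source, 'file'."""
     code = '''<? echo file_get_contents($_REQUEST['file']); ?>'''
     analyzer = PhpSCA(code)
     # Only vulnerable calls are requested; the echo is expected first.
     execfunc = analyzer.get_func_calls(vuln=True)[0]
     # Separate assertions so a failure names the broken half.
     self.assertEqual(1, len(execfunc.vulnsources))
     self.assertIn('file', execfunc.vulnsources)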