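    def run(self, args):
        """Enumerate local user accounts and return them in passwd format.

        Args:
            args: module argument dict. Reads ``vector`` (defaults to
                ``posix_getpwuid``) to choose how the account list is
                obtained, and ``real`` (truthy) to keep only uid 0 and
                uids above 999 whose shell field does not contain
                ``false``.

        Returns:
            The kept passwd-style lines joined by newlines (possibly the
            empty string), or ``None`` when neither vector produced output.
        """
        # Define up front: the original left this name unbound when a vector
        # other than posix_getpwuid was requested, so the fallback test below
        # raised UnboundLocalError instead of reaching file_read.
        pwdresult = None

        if args.get('vector', 'posix_getpwuid') == 'posix_getpwuid':
            pwdresult = PhpCode(
                """for($n=0; $n<2000;$n++) { $uid = @posix_getpwuid($n); if ($uid) echo join(':',$uid).PHP_EOL;  }"""
            ).run(args)

        if not pwdresult:
            # Fallback: read the passwd file through file_read, forwarding the
            # requested vector when one was given explicitly.
            arg_vector = ['-vector', args.get('vector')
                          ] if args.get('vector') else []
            pwdresult = ModuleExec('file_read',
                                   ['/etc/passwd'] + arg_vector).run()

        if not pwdresult:
            return

        real_only = bool(args.get('real'))
        kept = []
        for line in pwdresult.split('\n'):
            fields = line.split(':')
            if len(fields) <= 6:
                continue
            try:
                uid = int(fields[2])
            except ValueError:
                # A non-numeric uid field used to abort the whole listing
                # with ValueError; skip just that line instead.
                continue
            shell = fields[6]
            # Equivalent to the original (real and cond) or (not real).
            if not real_only or ((uid == 0 or uid > 999)
                                 and 'false' not in shell):
                kept.append(line)

        # Kept lines never contain '\n' (they came from split), so joining is
        # the same as the original accumulate-then-rstrip.
        return '\n'.join(kept)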
    def _check_features(self):
        """Return the php.ini settings from the audit list that are enabled.

        Each setting name is checked remotely with ``ini_get``; every enabled
        one is paired with its ``feat_<name>`` message from
        ``messages.module_audit_phpconf``. Names without a matching message
        attribute are dropped.

        Returns:
            list of ``(setting_name, message)`` tuples.
        """
        features = [
            'expose_php',
            'file_uploads',
            'register_globals',
            'allow_url_fopen',
            'display_errors',
            'enable_dl',
            'safe_mode',
            'magic_quotes_gpc',
            'allow_url_include',
            'session.use_trans_sid',
        ]

        probe = PhpCode(
            """foreach ( Array("${ '", "'.join(features) }") as $f) if((bool)ini_get($f)) print($f. "\n");"""
        )
        feat_found = probe.run({'features': features})

        if not feat_found:
            return []

        msgs = messages.module_audit_phpconf
        found = []
        for feat in feat_found.split('\n'):
            # Message attributes only use letters and underscores.
            attr = 'feat_' + re.sub('[^a-zA-Z_]', '_', feat)
            if hasattr(msgs, attr):
                found.append((feat, getattr(msgs, attr)))
        return found
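    def run(self, args):
        """Enumerate local user accounts and return them in passwd format.

        Args:
            args: module argument dict. Reads ``vector`` (defaults to
                ``posix_getpwuid``) to choose how the account list is
                obtained, and ``real`` (truthy) to keep only uid 0 and
                uids above 999 whose shell field does not contain
                ``false``.

        Returns:
            The kept passwd-style lines joined by newlines (possibly the
            empty string), or ``None`` when neither vector produced output.
        """
        # Initialise first: the original left this unbound when a vector
        # other than posix_getpwuid was requested, raising UnboundLocalError
        # at the fallback check instead of reaching file_read.
        pwdresult = None

        if args.get('vector', 'posix_getpwuid') == 'posix_getpwuid':
            # Pass the args this method received (the original used
            # self.args here while every other access in the method uses
            # args; they are expected to be the same dict).
            pwdresult = PhpCode(
                """for($n=0; $n<2000;$n++) { $uid = @posix_getpwuid($n); if ($uid) echo join(':',$uid).PHP_EOL;  }"""
            ).run(args)

        if not pwdresult:
            # Fallback: read the passwd file via file_read, forwarding an
            # explicitly requested vector.
            vector = args.get('vector')
            arg_vector = ['-vector', vector] if vector else []
            pwdresult = ModuleExec('file_read',
                                   ['/etc/passwd'] + arg_vector).run()

        if not pwdresult:
            return

        real_only = bool(args.get('real'))
        kept = []
        for line in pwdresult.split('\n'):
            fields = line.split(':')
            if len(fields) <= 6:
                continue
            try:
                uid = int(fields[2])
            except ValueError:
                # A malformed uid field previously aborted the whole listing;
                # skip only the offending line.
                continue
            shell = fields[6]
            # Same predicate as the original: (real and cond) or (not real).
            if not real_only or ((uid == 0 or uid > 999)
                                 and 'false' not in shell):
                kept.append(line)

        # Lines came from split('\n') so joining equals accumulate + rstrip.
        return '\n'.join(kept)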
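    def _check_functions(self):
        """Report which audit-listed PHP functions are defined and callable.

        Every category in ``functions`` is probed remotely with
        ``function_exists`` and ``is_callable``; each name echoed back is
        paired with the category's ``func_<category>`` message from
        ``messages.module_audit_phpconf``. The empty trailing name produced
        by the final newline is kept, with an empty message, as before.

        Returns:
            list of ``(function_name, message)`` tuples.
        """
        functions = {
            'info': [
                'apache_get_modules',
                'apache_get_version',
                'apache_getenv',
                'get_loaded_extensions',
                'phpinfo',
                'phpversion',
            ],
            'files': [
                'chgrp', 'chmod', 'chown', 'copy', 'link', 'mkdir', 'rename',
                'rmdir', 'symlink', 'touch', 'unlink', 'posix_mkfifo'
            ],
            'log':
            ['openlog', 'syslog', 'debugger_off', 'debugger_on', 'closelog'],
            'proc_execution': [
                'exec', 'passthru', 'pcntl_exec', 'popen', 'proc_open',
                'shell_exec', 'system', 'dotnet_load'
            ],
            'proc_manipulation': [
                'apache_child_terminate', 'apache_note', 'apache_setenv', 'dl',
                'proc_close', 'proc_get_status', 'proc_terminate', 'proc_nice',
                # A missing comma after 'virtual' used to fuse the two names
                # into 'virtualposix_kill', so neither was ever checked.
                'putenv', 'virtual',
                'posix_kill', 'posix_setpgid', 'posix_setsid', 'posix_setuid',
                'runkit_function_rename'
            ]
        }

        result = []

        for ftype, flist in functions.items():

            func_found = PhpCode(
                ("foreach ( Array(\"${ '\", \"'.join(functions) }\") as $f) " +
                 "if(function_exists($f)&&is_callable($f)) print($f. \"\\n\");"
                 )).run({'functions': flist})

            if not func_found:
                continue

            # The message depends only on the category; resolve it once per
            # category instead of once per echoed name.
            type_msg = 'func_' + re.sub('[^a-zA-Z_]', '_', ftype)
            if not hasattr(messages.module_audit_phpconf, type_msg):
                continue
            msg = getattr(messages.module_audit_phpconf, type_msg)

            for func_name in func_found.split('\n'):
                result.append((func_name, msg if func_name else ''))

        return result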
    def _check_classes(self):
        """Return the audit-listed PHP classes that exist on the audited host.

        Each class name is probed remotely with ``class_exists``; every hit is
        paired with its ``class_<name>`` message from
        ``messages.module_audit_phpconf``. Names without a message attribute
        are dropped.

        Returns:
            list of ``(class_name, message)`` tuples.
        """
        classes = ['splFileObject', 'COM', 'Java']

        class_found = PhpCode(
            """foreach ( Array("${ '", "'.join(classes) }") as $f) if((bool)class_exists($f)) print($f. "\n");"""
        ).run({'classes': classes})

        if not class_found:
            return []

        msgs = messages.module_audit_phpconf
        # Sentinel lookup: same semantics as hasattr + getattr (only
        # AttributeError counts as "missing"), but a single attribute access.
        missing = object()
        found = []
        for class_name in class_found.split('\n'):
            attr = 'class_' + re.sub('[^a-zA-Z_]', '_', class_name)
            message = getattr(msgs, attr, missing)
            if message is not missing:
                found.append((class_name, message))
        return found
    def _check_classes(self):
        """Return the audit-listed PHP classes that exist on the audited host.

        Each name is probed remotely with ``class_exists``; every hit is
        paired with its ``class_<name>`` message from
        ``messages.module_audit_phpconf`` when such an attribute exists.

        Returns:
            list of ``(class_name, message)`` tuples.
        """
        classes = ['splFileObject', 'COM', 'Java']

        probe = PhpCode(
            """foreach ( Array("${ '", "'.join(classes) }") as $f) if((bool)class_exists($f)) print($f. "\n");"""
        )
        class_found = probe.run({'classes': classes})

        if not class_found:
            return []

        msgs = messages.module_audit_phpconf
        # Pair every echoed name with the message attribute it maps to.
        candidates = [
            (name, 'class_' + re.sub('[^a-zA-Z_]', '_', name))
            for name in class_found.split('\n')
        ]
        return [
            (name, getattr(msgs, attr))
            for name, attr in candidates
            if hasattr(msgs, attr)
        ]
    def _check_features(self):
        """Return the php.ini settings from the audit list that are enabled.

        Each setting is checked remotely with ``ini_get``; every enabled one
        is paired with its ``feat_<name>`` message from
        ``messages.module_audit_phpconf``. Names with no message attribute
        are dropped.

        Returns:
            list of ``(setting_name, message)`` tuples.
        """
        features = [
            'expose_php', 'file_uploads', 'register_globals',
            'allow_url_fopen', 'display_errors', 'enable_dl', 'safe_mode',
            'magic_quotes_gpc', 'allow_url_include', 'session.use_trans_sid'
        ]

        feat_found = PhpCode(
            """foreach ( Array("${ '", "'.join(features) }") as $f) if((bool)ini_get($f)) print($f. "\n");"""
        ).run({'features': features})

        if not feat_found:
            return []

        msgs = messages.module_audit_phpconf
        # Sentinel-based lookup is equivalent to hasattr followed by getattr.
        missing = object()
        found = []
        for feat in feat_found.split('\n'):
            attr = 'feat_' + re.sub('[^a-zA-Z_]', '_', feat)
            message = getattr(msgs, attr, missing)
            if message is missing:
                continue
            found.append((feat, message))
        return found
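    def _check_functions(self):
        """Report which audit-listed PHP functions are defined and callable.

        Every category in ``functions`` is probed remotely with
        ``function_exists`` and ``is_callable``; each name echoed back
        (including the empty trailing name from the final newline, as
        before) is paired with the category's ``func_<category>`` message
        from ``messages.module_audit_phpconf``.

        Returns:
            list of ``(function_name, message)`` tuples.
        """
        functions = {

            'info' : [
                'apache_get_modules',
                'apache_get_version',
                'apache_getenv',
                'get_loaded_extensions',
                'phpinfo',
                'phpversion',
            ],
            'files' : [
                'chgrp',
                'chmod',
                'chown',
                'copy',
                'link',
                'mkdir',
                'rename',
                'rmdir',
                'symlink',
                'touch',
                'unlink',
                'posix_mkfifo'
            ],
            'log' : [
                'openlog',
                'syslog',
                'debugger_off',
                'debugger_on',
                'closelog'
            ],
            'proc_execution' : [
                'exec',
                'passthru',
                'pcntl_exec',
                'popen',
                'proc_open',
                'shell_exec',
                'system',
                'dotnet_load'
            ],
            'proc_manipulation' : [
                'apache_child_terminate',
                'apache_note',
                'apache_setenv',
                'dl',
                'proc_close',
                'proc_get_status',
                'proc_terminate',
                'proc_nice',
                'putenv',
                # The comma after 'virtual' was missing, which fused it with
                # the next entry into 'virtualposix_kill' and silently skipped
                # both names.
                'virtual',
                'posix_kill',
                'posix_setpgid',
                'posix_setsid',
                'posix_setuid',
                'runkit_function_rename'
            ]
        }

        result = []

        for ftype, flist in functions.items():

            func_found = PhpCode("""foreach ( Array("${ '", "'.join(functions) }") as $f) if(function_exists($f)&&is_callable($f)) print($f. "\n");""").run(
                            { 'functions' : flist }
                        )

            if not func_found:
                continue

            # Message lookup depends only on the category, so do it once per
            # category rather than per echoed function name.
            type_msg = 'func_' + re.sub('[^a-zA-Z_]', '_', ftype)
            if not hasattr(messages.module_audit_phpconf, type_msg):
                continue
            msg = getattr(messages.module_audit_phpconf, type_msg)

            for func_name in func_found.split('\n'):
                result.append((func_name, msg))

        return result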