Example #1
 def _print_ast(self, page, indice):
     """Return a coloured, tab-indented text dump of ``page``.

     ``page`` may be a list, a ``phply.phpast.Node`` or any other value;
     ``indice`` is the sequence of positions leading to ``page`` and is
     printed in front of every line. ``None`` yields an empty string.
     """
     dump = ''
     if page != None:
         if isinstance(page, list):
             # A list prints nothing itself; each element is rendered with
             # its position appended to a copy of the current path.
             for position, element in enumerate(page):
                 path = list(indice)
                 path.append(position)
                 dump += self._print_ast(element, path)
         elif isinstance(page, phply.phpast.Node):
             label = prettyText(str(indice), 'red')
             indent = '\t' * len(indice)
             kind = prettyText(str(type(page)), 'green')
             dump = label + indent + kind + '\n'
             position = 0
             for attr in page.__dict__.keys():
                 # 'lineno' is skipped and does not consume a position.
                 if attr == 'lineno':
                     continue
                 child = page.__dict__[attr]
                 path = list(indice)
                 path.append(position)
                 position += 1
                 dump += self._print_ast(child, path)
         else:
             # Leaf value: path, indentation, type, then the value itself.
             dump = ''.join([
                 prettyText(str(indice), 'red'),
                 '\t' * len(indice),
                 prettyText(str(type(page)), 'blue'),
                 prettyText(':', 'cyan'),
                 str(page),
                 '\n',
             ])
     return dump
Example #2
def parseFound(found, params):
    """Format search hits as coloured ``key:lineno: node params`` lines.

    ``found`` maps a key to a list of hits, each exposing ``lineno``;
    ``params`` is appended to every line via ``str()``. Returns one
    newline-terminated line per hit, or ``''`` when there are no hits.
    """
    lines = []
    for key in found.keys():
        for hit in found[key]:
            lines.append(
                prettyText(key, 'magenta') + prettyText(':', 'cyan')
                + prettyText(hit.lineno, 'green') + prettyText(': ', 'cyan')
                + prettyText(hit, 'white') + prettyText(str(params), 'red')
                + '\n')
    return ''.join(lines)
Example #3
def parseFound(found, params):
    """Build the printable report for a search result.

    Every hit in ``found[key]`` becomes one line made of the key, the hit's
    ``lineno``, the hit itself and ``str(params)``, each passed through
    ``prettyText`` with its own colour. An empty result gives ``''``.
    """
    chunks = []
    for key in found.keys():
        chunks.extend(
            ''.join([
                prettyText(key, 'magenta'),
                prettyText(':', 'cyan'),
                prettyText(hit.lineno, 'green'),
                prettyText(': ', 'cyan'),
                prettyText(hit, 'white'),
                prettyText(str(params), 'red'),
                '\n',
            ])
            for hit in found[key])
    return ''.join(chunks)
Example #4
def getSolution(reprs,offset,his):
    """Rebuild and print one chain of recorded operations that yields ``reprs``.

    For every index of ``reprs`` a tree is grown from the recorded histories
    in ``his`` (all entries but the last); one root-to-leaf path per index is
    then printed as a column of 32-bit words, starting with a ``PUSH`` of
    ``offset``, and the word list is handed to ``testResult``.

    reprs  -- indexable of integers; indices 0..3 are combined into one word
    offset -- indexable of integers, same layout as ``reprs``
    his    -- sequence of objects with a ``history`` iterable of 4-item
              records, unpacked below as (res, alph, past, callable)

    Returns None; all output goes through print/info/debugListHex.
    """

    debugListHex(reprs,"reprs:",2)
    debugListHex(offset,"offset:",2)
    # sol: index -> list of tree nodes (first leaf followed by its ancestors)
    sol = dict()
    # sol2: "method" -> list of function names, plus integer keys -> list of node names
    sol2 = dict()
    for rg in range(len(reprs)):
        r = reprs[rg]
        # NOTE(review): `of` is only used by the commented-out print below.
        of = offset[rg]
        #print prettyText("searching for 0x%02x <= 0x%02x" % (r,of),"red")
        # Tree root carries the target value for this index.
        # presumably an ete2 Tree -- confirm against the module's imports
        tPath = Tree(name=r)
        tPath.add_features(value=r)
        for h in his[:-1]:
            #print prettyText("in H","red")
            for leaf in tPath.get_leaves():
                # `r` is reused here: it now holds the value to match at this leaf.
                r = leaf.value
                #print prettyText("leaves: %s" % str(tPath.get_leaves()),"cyan")
                for line in h.history:
                    # NOTE(review): `func_name` exists on Python 2 functions only.
                    res, alph, past, method = line[0], line[1], line[2], line[3].func_name
                    #debug("0x%02x = 0x%02x %s. (0x%02x)" % (res,alph,method,past),2)
                    #print prettyText("comparing res=0x%02x ?= r=0x%02x" % (res,r),"yellow")
                    if res == r:
                        # A record producing the wanted value extends the path:
                        # child named after `alph`, remembering the function name
                        # and the previous value to match at the next level.
                        n = leaf.add_child(name=alph)
                        n.add_features(function=method,value=past)
        #print tPath.get_ascii(attributes=['name','function','value'])
        # Only the first leaf is kept, i.e. a single path per index.
        lf = tPath.get_leaves()[0]
        # Ancestors without the last one (presumably the root -- confirm).
        anc = lf.get_ancestors()[:-1]
        llf = [lf,]
        llf.extend(anc)
        # NOTE(review): this `vls` is never read; it is recomputed in the loop below.
        vls = [c.name for c in llf]
        sol[rg] = llf
    for i in sol:
        # NOTE(review): if no record matched for index i, the only leaf is the
        # root, which was given a `value` feature but no `function`; the
        # `.function` reads below would then presumably fail -- confirm.
        vls = [(c.name, c.function) for c in sol[i]]
        # NOTE(review): the "method" list is reset on every pass, so it ends up
        # describing the last index only, while sol2[j] accumulates over all.
        sol2["method"] = []
        for j in range(len(vls)):
            sol2["method"].append(sol[i][0].function)
            if sol2.has_key(j):
                sol2[j].append(vls[j][0])
            else:
                sol2[j] = []
                sol2[j].append(vls[j][0])
    print prettyText("Solution:","red")
    # The formatting below reads indices 0..3, so at least four entries are assumed.
    info("PUSH\t\t0x%02x%02x%02x%02x" % (offset[0],offset[1],offset[2],offset[3]))

    # `test` collects the 32-bit words in print order: offset first, then one per step.
    test = []
    test.append(offset[0] * 0x01000000 + offset[1] * 0x00010000 + offset[2] * 0x00000100 + offset[3] * 0x00000001)

    for m in range(len(sol2["method"])):


        test.append(sol2[m][0] * 0x01000000 + sol2[m][1] * 0x00010000 + sol2[m][2] * 0x00000100 + sol2[m][3] * 0x00000001)

        info("%s\t\t\t0x%02x%02x%02x%02x" % (sol2["method"][m],sol2[m][0],sol2[m][1],sol2[m][2],sol2[m][3]))


    info("RESULT\t\t0x%08x" % (reprs[0] * 0x01000000 + reprs[1] * 0x00010000 + reprs[2] * 0x00000100 + reprs[3] * 0x00000001))
    # Hand the word list and the expected 32-bit result to testResult.
    testResult(test,(reprs[0] * 0x01000000 + reprs[1] * 0x00010000 + reprs[2] * 0x00000100 + reprs[3] * 0x00000001))
Example #5
 def printCode(self,printlineno=True):
     """Print the file's source, optionally prefixing each line with its 1-based number."""
     if not printlineno:
         print self.file_content
         return
     # Numbered listing: green number, cyan separator, white source text.
     for number, text in enumerate(self.file_content.split('\n'), 1):
         print prettyText(number,'green') + prettyText(': ','cyan') + prettyText(text,'white')
Example #6
def analyse(path):
    """Parse the PHP project at ``path`` and print the hits for every method in ``vulndb.A_F_ALL``.

    The search is done per method name, category by category; each hit is
    printed together with the value stored for that method in the table.
    """
    print prettyText("[*] Parsing Project at %s ..." % path,'blue')
    project = parser.PHPProject(path)
    print prettyText("[*] Parsing Completed !",'blue')

    print prettyText("[*] Searching for dangerous methods",'blue')
    for category in vulndb.A_F_ALL.keys():
        print prettyText("[**] Category: %s" % category,['yellow','bold'])
        methods = vulndb.A_F_ALL[category]
        for method in methods.keys():
            print prettyText("[***] Method: %s" % str(method),['yellow'])
            # A hit is a call site to review, presumably matched by name only;
            # no data flow is checked here.
            hits = search(project,functionClassFilter,method)
            print parseFound(hits,methods[method])
Example #7
def analyse(path):
    """Report every occurrence of the methods listed in ``vulndb.A_F_ALL`` in a PHP project.

    ``path`` is handed to ``parser.PHPProject``; results are printed per
    category and per method, nothing is returned.
    """
    parsing_banner = "[*] Parsing Project at %s ..." % path
    print prettyText(parsing_banner, 'blue')
    p = parser.PHPProject(path)
    print prettyText("[*] Parsing Completed !", 'blue')

    print prettyText("[*] Searching for dangerous methods", 'blue')
    for category in vulndb.A_F_ALL.keys():
        category_banner = "[**] Category: %s" % category
        print prettyText(category_banner, ['yellow', 'bold'])
        for method in vulndb.A_F_ALL[category].keys():
            method_banner = "[***] Method: %s" % str(method)
            print prettyText(method_banner, ['yellow'])
            # The value stored for the method is passed along and printed with each hit.
            report = parseFound(search(p, functionClassFilter, method),
                                vulndb.A_F_ALL[category][method])
            print report
Example #8
    def addAssignment(self,blob):
        """Propagate taint counters for one assignment ``blob.node = blob.expr``.

        Every variable-like node found on the left side is paired with every
        one found on the right side. For a tracked target, the counter of a
        tracked source (or of the base array of an array-offset source) is
        added to the target's counter; when the target is itself an array
        offset, its counter is also added to its base array's counter.
        Nothing is returned; ``self.symbolTable`` is updated in place.
        """
        #print prettyText("[GTST] Assign: '%s' = '%s'" % (str(blob.node), str(blob.expr)),'blue')
        # Collect the nodes of the classes listed in vulndb.T_VARS on each side.
        nodes = core.search.search(blob.node,core.filters.classFilter,vulndb.T_VARS)
        exprs = core.search.search(blob.expr,core.filters.classFilter,vulndb.T_VARS)

        #TODO: still need to implement function assignment
        # NOTE(review): until that TODO is done, a value assigned from a function
        # call result is presumably not tracked, which would be a source of
        # missed findings -- confirm.
        #functions = core.search.search(blob.expr,core.filters.classFilter,phply.phpast.FunctionCall)
        #print prettyText("==+==",'red')
        #print "Nodes: %s" % str(nodes)
        #print "Exprs: %s" % str(exprs)

        if nodes != None and exprs != None:
            for v in nodes:
                for e in exprs:
                    try:
                        # Only targets already in the symbol table are updated;
                        # inSymbolTable's truthy result is used as the table key.
                        if self.inSymbolTable(v):
                            v2 = self.inSymbolTable(v)
                            # Source is tracked: propagate its taint.
                            if self.inSymbolTable(e):
                                e2 = self.inSymbolTable(e)
                                # Direct propagation: target += source.
                                self.symbolTable[v2] += self.symbolTable[e2]
                                # Target is an array element: also mark its base array.
                                if isinstance(v, phply.phpast.ArrayOffset):
                                    if self.inSymbolTable(v.node):
                                        v3 = self.inSymbolTable(v.node)
                                        self.symbolTable[v3] += self.symbolTable[v2]

                            # Source element is not tracked itself, but its base array may be.
                            elif isinstance(e, phply.phpast.ArrayOffset):
                                if self.inSymbolTable(e.node):
                                    e2 = self.inSymbolTable(e.node)
                                    self.symbolTable[v2] += self.symbolTable[e2]
                                    if isinstance(v, phply.phpast.ArrayOffset):
                                        if self.inSymbolTable(v.node):
                                            v3 = self.inSymbolTable(v.node)
                                            self.symbolTable[v3] += self.symbolTable[v2]

                            else:

                                # Untracked, non-array source: no taint is propagated,
                                # the case is only reported and the table dumped.
                                print prettyText("Case 3", 'red')
                                print self

                    # NOTE(review): this rebinds `e`, the inner loop variable, to the
                    # exception. The pair is then skipped after a message, so a lookup
                    # bug here silently drops a propagation step.
                    except KeyError, e:
                        ###TODO correct this !!!
                        #print "[GTST] v: %s |||| v.node: %s" % (str(v),str(v.node))
                        print prettyText("[-] Key Error (Unexpected error, Bug) :%s" % str(e),['red','bold'])
Example #9
 def __str__(self):
     """Render the symbol table, one ``[*] name (kind): value`` line per entry.

     Only ``Variable`` and ``ArrayOffset`` keys are rendered; the stored value
     is printed in plain red when it equals 0 and in bold red otherwise.
     """
     rendered = ''
     for symbol in self.symbolTable:
         taint = self.symbolTable[symbol]
         emphasis = ['red'] if taint == 0 else ['red', 'bold']

         if isinstance(symbol, phply.phpast.Variable):
             try:
                 label = symbol.name
                 rendered += prettyText("[*] " + str(label) + " (Variable): ",['cyan'])+prettyText(str(taint) + "\n",emphasis)
             except AttributeError:
                 # No usable ``name``: fall back to the node's own string form.
                 label = symbol
                 rendered += prettyText("[*] " + str(label) ,['cyan']) + prettyText(" (Variable_complex): ",['yellow'])+prettyText(str(taint) + "\n",emphasis)

         elif isinstance(symbol, phply.phpast.ArrayOffset):
             try:
                 label = symbol.node.name
                 rendered += prettyText("[*] " + str(label) + "[" + str(symbol.expr) + "] (ArrayOffset): ",['cyan','bold'])+prettyText(str(taint) + "\n",emphasis)
             except AttributeError:
                 # Base of the offset has no ``name``: print the whole node instead.
                 label = symbol
                 rendered += prettyText("[*] " + str(label),['cyan','bold']) + prettyText(" (ArrayOffset_Complex): ",['yellow','bold']) + prettyText(str(taint) + "\n",emphasis)
     return rendered
Example #10
def searchMethod(path,method):
    """Parse the PHP project at ``path`` and print every hit for ``method``.

    Hits are labelled "Custom" in the report; nothing is returned.
    """
    banner = "[*] Parsing Project at %s ..." % path
    print prettyText(banner,'blue')
    project = parser.PHPProject(path)
    print prettyText("[*] Parsing Completed !",'blue')
    print prettyText("[***] Method: %s" % str(method),['yellow'])
    hits = search(project,functionClassFilter,method)
    print parseFound(hits,"Custom")
Example #11
def searchMethod(path, method):
    """Search one PHP project for a single, caller-chosen method and print the report."""
    print prettyText("[*] Parsing Project at %s ..." % path, 'blue')
    parsed_project = parser.PHPProject(path)
    print prettyText("[*] Parsing Completed !", 'blue')

    method_banner = "[***] Method: %s" % str(method)
    print prettyText(method_banner, ['yellow'])
    # "Custom" takes the place of the per-method value that a table-driven scan prints.
    print parseFound(search(parsed_project, functionClassFilter, method), "Custom")
def analyse(path, method):
    """Parse the PHP project at ``path`` and print every call to ``method`` found in it."""
    print prettyText("[*] Parsing Project at %s ..." % path, 'blue')
    project = parser.PHPProject(path)
    print prettyText("[*] Parsing Completed !", 'blue')

    search_banner = "[*] Searching for calls to %s" % method
    print prettyText(search_banner, 'blue')
    calls = search(project, functionMethodFilter, method)
    # NOTE(review): parseFound is called with a single argument; if the
    # definition in scope also requires ``params`` this raises TypeError.
    print parseFound(calls)
Example #13
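 def __init__(self,file_name):
     """Read ``file_name`` and parse it as PHP.

     Sets ``file_name``, ``file_content`` (the raw text) and
     ``parsed_content`` (the parser's result, or ``[]`` when the file cannot
     be read or parsed). Failures are printed, never raised.
     """
     self.file_name = file_name
     # Defaults: a file that cannot be opened still yields an object with
     # both attributes, so later reads do not fail with AttributeError.
     self.file_content = ''
     self.parsed_content = []
     try:
         # The context manager closes the handle, also when read() fails.
         with open(file_name,'r') as o:
             self.file_content = o.read()
     except Exception, err:
         print prettyText("[-] ERROR openning file: %s (%s)" % (self.file_name, str(err)),'yellow')
         return
     try:
         # Parse on a private clone of the shared lexer.
         lexer = phplex.lexer.clone()
         self.parsed_content = parser.parse(self.file_content, lexer=lexer)
         resolve_magic_constants(self.parsed_content)
         print prettyText("[+] SUCCESS parsing %s" % self.file_name,'green')
     except Exception, err:
         # A file that fails to parse is kept with an empty tree: searches
         # over it find nothing, so the red message below is the only sign
         # that this file was not analysed.
         print prettyText("[-] ERROR parsing %s (%s)" % (self.file_name, str(err)),'red')
         self.parsed_content = []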
def debug(description, level=1):
    """Print ``description`` as a green ``[D]`` line when debugging is on and ``level`` is at least ``debugLevel``."""
    if not debugMode or not level >= debugLevel:
        return
    message = "[D] %s" % description
    print prettyText(message, "green")
def info(description):
    """Print ``description`` as a blue ``[*]`` informational line."""
    message = "[*] %s" % description
    print prettyText(message, "blue")
def usage():
    """Print the command-line synopsis, the option list and one example, all in green."""
    program = sys.argv[0]
    help_lines = (
        "%s --alphabet <alphabet_word_file> --word <word_hex> --list <function_list>" % program,
        "--alphabet, -a : TODO",
        "--word, -w : TODO",
        "--list, -l : TODO",
        "--offset, -o : TODO",
        "--mutation, -m : TODO",
        "--help, -h : this help",
        "example: %s --alphabet alphabet.txt --word 12131415 --list add,sub" % program,
    )
    for text in help_lines:
        print prettyText(text, "green")
def debugListHex(pos, description, level=1):
    """Print ``description`` and the hex form of every item of ``pos``.

    Like ``debug``: only when ``debugMode`` is set and ``level`` is at least
    ``debugLevel``.
    """
    if not debugMode or not level >= debugLevel:
        return
    hex_items = [hex(item) for item in pos]
    print prettyText("[D] %s %s" % (description, str(hex_items)), "green")
Example #18
def resolveInclude(project, page):
    """
    Return the project pages that ``page`` pulls in through include/require.

    Only targets given as plain ``str`` values are resolved. They are looked
    up in ``project.pages`` first as "<directory of page>/<basename>", then as
    the normalised target itself. One status line is printed per statement.
    """
    include_nodes = core.search.search(
        page, core.filters.classFilter,
        [phply.phpast.Include, phply.phpast.Require])

    # Page path with the project folder removed, and the directory it is in.
    relative_page = page.file_name.replace(project.folder_name, '')
    page_dir = os.path.dirname(relative_page)

    included = []

    for blob in include_nodes:
        target = blob.expr

        if type(target) is not str:
            # Computed targets (anything that is not a plain str) are only
            # reported, so pages reachable through them alone are missing
            # from the returned list.
            print prettyText(
                "[-] Resolving this Include is not implemented yet !",
                'yellow')
            print prettyText("[-] Blob: ", 'yellow') + prettyText(
                "%s" % str(blob), 'blue')
            continue

        # Normalise: drop one leading '.', then make the name start with '/'.
        if target.startswith('.'):
            target = target[1:]
        if not target.startswith('/'):
            target = '/' + target

        # NOTE(review): only the basename is joined to the page's directory,
        # so directory parts of the target (e.g. "../lib/") play no role in
        # this first lookup -- confirm this is intended.
        candidate = os.path.join(page_dir, target.split('/')[-1])

        if candidate in project.pages.keys():
            print prettyText(
                "[+] Found %s (%s)" % (target, candidate), 'green')
            included.append(project.pages[candidate])
        elif target in project.pages.keys():
            print prettyText(
                "[+] Found II %s (%s)" % (target, candidate),
                ['green', 'bold'])
            included.append(project.pages[target])
        else:
            # A similarity-based fallback (utils.mostSimilar) is disabled in
            # the original because it might return false positives.
            print prettyText(
                "[-] Not found %s (%s)" % (target, candidate), 'red')

    return included
    except:
        error("ete2 not installed")
        error(
            "try: easy_install -U ete2 or apt-get install python-ete2 to install ete2"
        )
        exit(1)

    debug("Parsing options ...")

    try:
        opts, args = getopt.getopt(sys.argv[1:], "ha:w:l:d:o:m:", [
            "help", "alphabet=", "word=", "list=", "debug=", "offset=",
            "mutation="
        ])
    except getopt.GetoptError, err:
        print prettyText(str(err), "red")
        sys.exit(2)

    initialAlphabet = []
    word = []  #word to search ['\x12','\x13','\x14','\x15']
    funcList = []
    offset = [0x00, 0x00, 0x00, 0x00]
    mutationLimit = 0
    representation = []  #list of word representation to search for
    debug(opts)

    for o, a in opts:
        if o in ("-h", "--help"):
            usage()
            sys.exit()
        elif o in ("-a", "--alphabet"):
Example #20
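def analyse(path):
    """Report functions whose parameters reach an argument of a listed method.

    Every function of the PHP project at ``path`` gets a taint table built by
    ``generateTST`` with all of its formal parameters set to "ANY". For each
    method in ``vulndb.A_F_ALL`` called inside the function, the argument
    positions listed for that method are checked; a taint above 0 is printed
    as a finding. Nothing is returned.
    """
    print prettyText("[*] Parsing Project at %s ..." % path,'blue')
    project = parser.PHPProject(path)
    print prettyText("[*] Parsing Completed !",'blue')

    # The plain per-method listing of dangerous methods is disabled in this variant.
    print prettyText("[*] Searching for dangerous methods inheritence",'blue')
    files = search(project,classFilter, phply.phpast.Function)
    for name in files:
        print prettyText('[*] File: %s' % name,['yellow','bold'])
        for function in files[name]:
            # Seed the table with every formal parameter (value "ANY";
            # presumably "tainted by any source" -- confirm in generateTST).
            paramsList = search(function,classFilter, phply.phpast.FormalParameter)
            functionInputParams = dict()
            for param in paramsList:
                functionInputParams[param] = "ANY"

            tst = generateTST(function,functionInputParams)

            #search a method and propagate taint
            for kcat in vulndb.A_F_ALL.keys():
                cat = vulndb.A_F_ALL[kcat]
                for sink in cat:
                    calls = search(function, functionFilter, sink)
                    for call in calls:
                        # cat[sink] lists the argument positions to check.
                        for pos in cat[sink]:
                            try:
                                if tst.getTaint(call.params[pos].node) > 0:
                                    print '-'*5
                                    print prettyText('[*] Category: %s' % kcat,'red')
                                    print prettyText('[*] Method: %s' % str(sink),'blue')
                                    print prettyText("[+] FOUND: %s" % str(function.name), 'green')
                                    print '-'*5
                            # Both types must be in a tuple: the form
                            # "except IndexError, AttributeError" catches only
                            # IndexError and binds it to the name AttributeError,
                            # so an argument without ``.node`` aborted the scan.
                            except (IndexError, AttributeError):
                                print prettyText('[!] ERROR: %s' % str(call), 'red')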
Example #21
    found = search(p, functionClassFilter, method)
    print parseFound(found, "Custom")


def parseFound(found, params):
    """Turn a ``{key: [hits]}`` search result into coloured report text.

    One newline-terminated line is produced per hit: key, ``hit.lineno``,
    the hit itself and ``str(params)``. No hits means an empty string.
    """
    report = ''
    for key in found.keys():
        for hit in found[key]:
            report += ''.join((
                prettyText(key, 'magenta'),
                prettyText(':', 'cyan'),
                prettyText(hit.lineno, 'green'),
                prettyText(': ', 'cyan'),
                prettyText(hit, 'white'),
                prettyText(str(params), 'red'),
                '\n',
            ))

    return report


def usage():
    """Return the usage string shown when too few arguments are given."""
    # NOTE(review): the two parts are joined without a separator, so
    # "<PHP_Project_Path>" appears twice back to back in the result.
    return "%s <PHP_Project_Path>" % sys.argv[0] + "<PHP_Project_Path> <Method_Name>"


if __name__ == '__main__':
    # Both the project path and the method name are required.
    if len(sys.argv) >= 3:
        #analyse(sys.argv[1])
        project, method = sys.argv[1], sys.argv[2]
        searchMethod(project, method)
    else:
        print prettyText(usage(), 'blue')
Example #22
    p = parser.PHPProject(path)
    print prettyText("[*] Parsing Completed !",'blue')
    print prettyText("[***] Method: %s" % str(method),['yellow'])
    found = search(p,functionClassFilter,method)
    print parseFound(found,"Custom")


def parseFound(found, params):
    """Return the coloured report for ``found``, one line per hit.

    ``found`` maps a key to the hits found under it; each hit must expose
    ``lineno``. ``params`` is printed, via ``str()``, at the end of each line.
    """
    def render(key, hit):
        # key ':' lineno ': ' hit params, each part in its own colour
        return (prettyText(key,'magenta') + prettyText(':','cyan')
                + prettyText(hit.lineno, 'green') + prettyText(': ','cyan')
                + prettyText(hit, 'white') + prettyText(str(params),'red') + '\n')

    output = ''
    for key in found.keys():
        for hit in found[key]:
            output += render(key, hit)

    return output


def usage():
    """Return the usage text for the command line of this script."""
    # NOTE(review): no space or newline separates the two parts, so the
    # project-path placeholder is repeated without a gap in the output.
    parts = [
        "%s <PHP_Project_Path>" % sys.argv[0],
        "<PHP_Project_Path> <Method_Name>",
    ]
    return ''.join(parts)


if __name__ == '__main__':
    # Fewer than two arguments after the script name: show the usage and stop.
    enough_arguments = not len(sys.argv) < 3
    if enough_arguments:
        #analyse(sys.argv[1])
        project = sys.argv[1]
        method = sys.argv[2]
        searchMethod(project, method)
    else:
        print prettyText(usage(),'blue')
Example #23
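def analyse(path):
    """Print the functions in which a parameter reaches a listed method's argument.

    For each function of the PHP project at ``path``, all formal parameters
    are entered into a taint table (``generateTST``) with the value "ANY".
    Calls to the methods of ``vulndb.A_F_ALL`` inside that function are then
    checked at the argument positions the table lists for them; a taint above
    0 is reported with category, method and function name. Returns None.
    """
    print prettyText("[*] Parsing Project at %s ..." % path, 'blue')
    project = parser.PHPProject(path)
    print prettyText("[*] Parsing Completed !", 'blue')

    # The name-only search for dangerous methods is switched off in this variant.
    print prettyText("[*] Searching for dangerous methods inheritence", 'blue')
    files = search(project, classFilter, phply.phpast.Function)
    for name in files:
        print prettyText('[*] File: %s' % name, ['yellow', 'bold'])
        for function in files[name]:
            paramsList = search(function, classFilter,
                                phply.phpast.FormalParameter)
            # Each formal parameter starts as "ANY" (presumably: may carry
            # input from any source -- confirm in generateTST).
            functionInputParams = dict()
            for param in paramsList:
                functionInputParams[param] = "ANY"

            tst = generateTST(function, functionInputParams)

            #search a method and propagate taint
            for kcat in vulndb.A_F_ALL.keys():
                cat = vulndb.A_F_ALL[kcat]
                for sink in cat:
                    for call in search(function, functionFilter, sink):
                        for pos in cat[sink]:
                            try:
                                tainted = tst.getTaint(call.params[pos].node) > 0
                            # A tuple is required to catch both types; written
                            # as "except IndexError, AttributeError" only
                            # IndexError is caught (and bound to the name
                            # AttributeError), so a call argument without
                            # ``.node`` stopped the whole scan.
                            except (IndexError, AttributeError):
                                print prettyText('[!] ERROR: %s' % str(call),
                                                 'red')
                                continue
                            if tainted:
                                print '-' * 5
                                print prettyText('[*] Category: %s' % kcat,
                                                 'red')
                                print prettyText('[*] Method: %s' % str(sink),
                                                 'blue')
                                print prettyText(
                                    "[+] FOUND: %s" % str(function.name), 'green')
                                print '-' * 5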
def error(description):
    """Print ``description`` as a red ``[-]`` error line."""
    message = "[-] %s" % description
    print prettyText(message, "red")
Example #25
def resolveInclude(project,page):
    """
    Return the pages of ``project`` that ``page`` includes or requires.

    Targets that are plain ``str`` values are normalised and looked up in
    ``project.pages`` under two candidate keys; any other target is only
    reported. A status line is printed for every include/require found.
    """
    #extract include and require statements
    wanted = [phply.phpast.Include,phply.phpast.Require]
    listInc = core.search.search(page,core.filters.classFilter,wanted)

    # directory of the page, relative to the project folder
    currentDirName = os.path.dirname(page.file_name.replace(project.folder_name,''))

    incPageList = []

    for blob in listInc:
        fileName = blob.expr

        if type(fileName) is str:
            # Normalise: strip one leading '.', ensure a leading '/'.
            if fileName.startswith('.'):
                fileName = fileName[1:]
            if not fileName.startswith('/'):
                fileName = '/' + fileName

            # NOTE(review): the first key keeps the target's basename only,
            # so any directory part of the include is ignored there --
            # confirm this cannot attach a same-named file from the wrong place.
            realFileName = os.path.join(currentDirName, fileName.split('/')[-1])

            # Candidate keys in lookup order, with their message and colour.
            lookups = (
                (realFileName, "[+] Found %s (%s)", 'green'),
                (fileName, "[+] Found II %s (%s)", ['green','bold']),
            )
            for key, template, colour in lookups:
                if key in project.pages.keys():
                    print prettyText(template % (fileName, realFileName), colour)
                    incPageList.append(project.pages[key])
                    break
            else:
                # The similarity search over file names is disabled in the
                # original: it might return false positives.
                print prettyText("[-] Not found %s (%s)" % (fileName, realFileName), 'red')
        else:
            # Targets built from an expression are not followed, so the pages
            # they load are absent from the returned list.
            print prettyText("[-] Resolving this Include is not implemented yet !", 'yellow')
            print prettyText("[-] Blob: ", 'yellow') + prettyText("%s" % str(blob), 'blue')

    return incPageList
Example #26
def usage():
    """Print the synopsis, the (still undocumented) options and an example in green."""
    program = sys.argv[0]
    synopsis = "%s --alphabet <alphabet_word_file> --word <word_hex> --list <function_list>" % program
    example = "example: %s --alphabet alphabet.txt --word 12131415 --list add,sub" % program

    print prettyText(synopsis,"green")
    for option in ("--alphabet", "--word", "--list", "--offset"):
        print prettyText(option + " : TODO","green")
    print prettyText(example,"green")