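def run(self, args):
    """Enumerate the accounts of the remote host.

    Two vectors are tried in order: first, unless ``args['vector']``
    selects something else, PHP ``posix_getpwuid()`` for UIDs 0..1999
    (records printed as ':'-joined fields, passwd(5)-style; accounts with
    a UID of 2000 or more are invisible to this vector); then, whenever
    the first produced nothing, ``/etc/passwd`` read through the
    ``file_read`` module, passing the requested vector along as
    ``-vector``.

    Args:
        args: module arguments. ``vector`` selects the enumeration
            vector (default ``posix_getpwuid``); ``real``, when truthy,
            keeps only root and accounts with uid > 999 whose shell does
            not contain ``false``.

    Returns:
        The kept records joined by newlines (empty string when every
        record was filtered out), or ``None`` when neither vector returned
        any output.
    """
    # Always bound: the original left this unassigned when a non-default
    # vector was requested, so the fallback test below raised
    # UnboundLocalError before file_read could run.
    pwdresult = None

    if args.get('vector', 'posix_getpwuid') == 'posix_getpwuid':
        pwdresult = PhpCode(
            """for($n=0; $n<2000;$n++) { $uid = @posix_getpwuid($n); if ($uid) echo join(':',$uid).PHP_EOL; }"""
        ).run(args)

    if not pwdresult:
        arg_vector = ['-vector', args.get('vector')] if args.get('vector') else []
        pwdresult = ModuleExec('file_read', ['/etc/passwd'] + arg_vector).run()

    if not pwdresult:
        return

    only_real = bool(args.get('real'))
    kept = []
    for line in pwdresult.split('\n'):
        fields = line.split(':')
        if len(fields) <= 6:
            continue
        if not only_real:
            kept.append(line)
            continue
        # The records come from the remote host and are not guaranteed to
        # be well-formed: NIS compat entries such as "+::::::" have an
        # empty uid field, which used to abort the whole module with
        # ValueError. Skip such records instead.
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        shell = fields[6]
        # uid > 999 assumes UID_MIN=1000, the common default on current
        # distributions; older or differently configured systems may start
        # regular users lower. Shells such as nologin are not excluded.
        if (uid == 0 or uid > 999) and 'false' not in shell:
            kept.append(line)
    return '\n'.join(kept)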
def _check_features(self):
    """Report risky php.ini settings that are enabled on the target.

    A fixed list of settings is passed to the remote PHP, which prints
    every one whose ``ini_get()`` value casts to true. Each reported
    setting is paired with the ``feat_<name>`` message (non ``[a-zA-Z_]``
    characters of the name mapped to ``_``) from
    ``messages.module_audit_phpconf``; settings without such a message
    are dropped.

    NOTE(review): ``(bool)ini_get()`` treats any non-empty string other
    than "0" as on, so a value stored as the literal "Off" would be
    reported as enabled -- confirm against the target's PHP before
    relying on a hit.

    Returns:
        A list of ``(setting, message)`` tuples, empty when nothing is on.
    """
    features = [
        'expose_php',
        'file_uploads',
        'register_globals',
        'allow_url_fopen',
        'display_errors',
        'enable_dl',
        'safe_mode',
        'magic_quotes_gpc',
        'allow_url_include',
        'session.use_trans_sid',
    ]
    probe = """foreach ( Array("${ '", "'.join(features) }") as $f) if((bool)ini_get($f)) print($f. "\n");"""
    feat_found = PhpCode(probe).run({'features': features})
    if not feat_found:
        return []

    catalogue = messages.module_audit_phpconf
    report = []
    for feat in feat_found.split('\n'):
        key = 'feat_' + re.sub('[^a-zA-Z_]', '_', feat)
        if hasattr(catalogue, key):
            report.append((feat, getattr(catalogue, key)))
    return report
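def run(self, args):
    """Enumerate the accounts of the remote host.

    Two vectors are tried in order: first, unless ``args['vector']``
    selects something else, PHP ``posix_getpwuid()`` for UIDs 0..1999
    (records printed as ':'-joined fields, passwd(5)-style; accounts with
    a UID of 2000 or more are invisible to this vector); then, whenever
    the first produced nothing, ``/etc/passwd`` read through the
    ``file_read`` module, passing the requested vector along as
    ``-vector``.

    Args:
        args: module arguments. ``vector`` selects the enumeration
            vector (default ``posix_getpwuid``); ``real``, when truthy,
            keeps only root and accounts with uid > 999 whose shell does
            not contain ``false``. The PHP vector itself is rendered with
            ``self.args`` (the module's stored arguments), as before.

    Returns:
        The kept records joined by newlines (empty string when every
        record was filtered out), or ``None`` when neither vector returned
        any output.
    """
    # Always bound: the original left this unassigned when a non-default
    # vector was requested, so the fallback test below raised
    # UnboundLocalError before file_read could run.
    pwdresult = None

    if args.get('vector', 'posix_getpwuid') == 'posix_getpwuid':
        pwdresult = PhpCode(
            """for($n=0; $n<2000;$n++) { $uid = @posix_getpwuid($n); if ($uid) echo join(':',$uid).PHP_EOL; }"""
        ).run(self.args)

    if not pwdresult:
        arg_vector = ['-vector', args.get('vector')] if args.get('vector') else []
        pwdresult = ModuleExec('file_read', ['/etc/passwd'] + arg_vector).run()

    if not pwdresult:
        return

    only_real = bool(args.get('real'))
    kept = []
    for line in pwdresult.split('\n'):
        fields = line.split(':')
        if len(fields) <= 6:
            continue
        if not only_real:
            kept.append(line)
            continue
        # The records come from the remote host and are not guaranteed to
        # be well-formed: NIS compat entries such as "+::::::" have an
        # empty uid field, which used to abort the whole module with
        # ValueError. Skip such records instead.
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        shell = fields[6]
        # uid > 999 assumes UID_MIN=1000, the common default on current
        # distributions; older or differently configured systems may start
        # regular users lower. Shells such as nologin are not excluded.
        if (uid == 0 or uid > 999) and 'false' not in shell:
            kept.append(line)
    return '\n'.join(kept)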
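def _check_functions(self):
    """Report security-relevant PHP functions callable on the target.

    Each category below is probed on the remote PHP with
    ``function_exists() && is_callable()``; every function it prints is
    paired with the category's ``func_<category>`` message from
    ``messages.module_audit_phpconf``. Categories without a message are
    skipped entirely.

    Returns:
        A list of ``(function_name, message)`` tuples in category order.
        The trailing newline of each category's output yields an
        ``('', '')`` entry; it is kept as in the original since it reads
        like a deliberate separator row -- confirm against the caller's
        renderer before dropping it.
    """
    functions = {
        'info': [
            'apache_get_modules', 'apache_get_version', 'apache_getenv',
            'get_loaded_extensions', 'phpinfo', 'phpversion',
        ],
        'files': [
            'chgrp', 'chmod', 'chown', 'copy', 'link', 'mkdir', 'rename',
            'rmdir', 'symlink', 'touch', 'unlink', 'posix_mkfifo',
        ],
        'log': ['openlog', 'syslog', 'debugger_off', 'debugger_on', 'closelog'],
        'proc_execution': [
            'exec', 'passthru', 'pcntl_exec', 'popen', 'proc_open',
            'shell_exec', 'system', 'dotnet_load',
        ],
        'proc_manipulation': [
            'apache_child_terminate', 'apache_note', 'apache_setenv', 'dl',
            'proc_close', 'proc_get_status', 'proc_terminate', 'proc_nice',
            'putenv',
            # A missing comma used to fuse these two into the single bogus
            # name 'virtualposix_kill', so neither was ever probed.
            'virtual',
            'posix_kill',
            'posix_setpgid', 'posix_setsid', 'posix_setuid',
            'runkit_function_rename',
        ],
    }
    # In the template, ``functions`` is bound to the category's list passed
    # to run(), not to the dict above.
    probe = (
        "foreach ( Array(\"${ '\", \"'.join(functions) }\") as $f) "
        + "if(function_exists($f)&&is_callable($f)) print($f. \"\\n\");"
    )
    result = []
    for ftype, flist in functions.items():
        func_found = PhpCode(probe).run({'functions': flist})
        if not func_found:
            continue
        type_msg = 'func_' + re.sub('[^a-zA-Z_]', '_', ftype)
        if not hasattr(messages.module_audit_phpconf, type_msg):
            continue
        msg = getattr(messages.module_audit_phpconf, type_msg)
        for func_name in func_found.split('\n'):
            # Empty name = the trailing newline of the PHP output; no message.
            result.append((func_name, msg if func_name else ''))
    return result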
def _check_classes(self):
    """Report notable PHP classes that exist on the target.

    The remote PHP prints every class in a fixed list for which
    ``class_exists()`` is true; each hit is paired with the
    ``class_<name>`` message (non ``[a-zA-Z_]`` characters mapped to
    ``_``) from ``messages.module_audit_phpconf``. Hits without such a
    message are dropped.

    Returns:
        A list of ``(class_name, message)`` tuples, empty when none exist.
    """
    classes = ['splFileObject', 'COM', 'Java']
    probe = """foreach ( Array("${ '", "'.join(classes) }") as $f) if((bool)class_exists($f)) print($f. "\n");"""
    class_found = PhpCode(probe).run({'classes': classes})
    if not class_found:
        return []

    catalogue = messages.module_audit_phpconf
    hits = []
    for class_name in class_found.split('\n'):
        key = 'class_' + re.sub('[^a-zA-Z_]', '_', class_name)
        if hasattr(catalogue, key):
            hits.append((class_name, getattr(catalogue, key)))
    return hits
def _check_classes(self):
    """Report notable PHP classes that exist on the target.

    Runs a ``class_exists()`` probe on the remote PHP for a fixed list of
    classes and maps each printed name to its ``class_<name>`` entry
    (non ``[a-zA-Z_]`` characters replaced by ``_``) in
    ``messages.module_audit_phpconf``; names with no entry are left out.

    Returns:
        A list of ``(class_name, message)`` tuples, empty when none exist.
    """
    classes = ['splFileObject', 'COM', 'Java']
    class_found = PhpCode("""foreach ( Array("${ '", "'.join(classes) }") as $f) if((bool)class_exists($f)) print($f. "\n");""").run({'classes': classes})
    if not class_found:
        return []

    catalogue = messages.module_audit_phpconf
    names = class_found.split('\n')
    keys = ['class_' + re.sub('[^a-zA-Z_]', '_', name) for name in names]
    return [
        (name, getattr(catalogue, key))
        for name, key in zip(names, keys)
        if hasattr(catalogue, key)
    ]
def _check_features(self):
    """Report risky php.ini settings that are enabled on the target.

    Sends a fixed list of settings to the remote PHP, which prints those
    whose ``ini_get()`` value casts to true, then maps every printed name
    to its ``feat_<name>`` entry (non ``[a-zA-Z_]`` characters replaced by
    ``_``) in ``messages.module_audit_phpconf``; names with no entry are
    left out.

    NOTE(review): ``(bool)ini_get()`` is true for any non-empty string
    other than "0", so a value stored as the literal "Off" would be
    reported as enabled -- confirm against the target's PHP before
    relying on a hit.

    Returns:
        A list of ``(setting, message)`` tuples, empty when nothing is on.
    """
    features = [
        'expose_php',
        'file_uploads',
        'register_globals',
        'allow_url_fopen',
        'display_errors',
        'enable_dl',
        'safe_mode',
        'magic_quotes_gpc',
        'allow_url_include',
        'session.use_trans_sid',
    ]
    feat_found = PhpCode("""foreach ( Array("${ '", "'.join(features) }") as $f) if((bool)ini_get($f)) print($f. "\n");""").run({'features': features})
    if not feat_found:
        return []

    catalogue = messages.module_audit_phpconf
    names = feat_found.split('\n')
    keys = ['feat_' + re.sub('[^a-zA-Z_]', '_', name) for name in names]
    return [
        (name, getattr(catalogue, key))
        for name, key in zip(names, keys)
        if hasattr(catalogue, key)
    ]
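def _check_functions(self):
    """Report security-relevant PHP functions callable on the target.

    Each category below is probed on the remote PHP with
    ``function_exists() && is_callable()``; every function it prints is
    paired with the category's ``func_<category>`` message from
    ``messages.module_audit_phpconf``. Categories without a message are
    skipped entirely.

    Returns:
        A list of ``(function_name, message)`` tuples in category order.
        The trailing newline of each category's output yields an entry
        with an empty name; it now carries an empty message instead of
        repeating the category text (it reads like a separator row --
        confirm against the caller's renderer before dropping it).
    """
    functions = {
        'info': [
            'apache_get_modules', 'apache_get_version', 'apache_getenv',
            'get_loaded_extensions', 'phpinfo', 'phpversion',
        ],
        'files': [
            'chgrp', 'chmod', 'chown', 'copy', 'link', 'mkdir', 'rename',
            'rmdir', 'symlink', 'touch', 'unlink', 'posix_mkfifo',
        ],
        'log': ['openlog', 'syslog', 'debugger_off', 'debugger_on', 'closelog'],
        'proc_execution': [
            'exec', 'passthru', 'pcntl_exec', 'popen', 'proc_open',
            'shell_exec', 'system', 'dotnet_load',
        ],
        'proc_manipulation': [
            'apache_child_terminate', 'apache_note', 'apache_setenv', 'dl',
            'proc_close', 'proc_get_status', 'proc_terminate', 'proc_nice',
            'putenv',
            # A missing comma used to fuse these two into the single bogus
            # name 'virtualposix_kill', so neither was ever probed.
            'virtual',
            'posix_kill',
            'posix_setpgid', 'posix_setsid', 'posix_setuid',
            'runkit_function_rename',
        ],
    }
    # In the template, ``functions`` is bound to the category's list passed
    # to run(), not to the dict above.
    probe = """foreach ( Array("${ '", "'.join(functions) }") as $f) if(function_exists($f)&&is_callable($f)) print($f. "\n");"""
    result = []
    for ftype, flist in functions.items():
        func_found = PhpCode(probe).run({'functions': flist})
        if not func_found:
            continue
        type_msg = 'func_' + re.sub('[^a-zA-Z_]', '_', ftype)
        if not hasattr(messages.module_audit_phpconf, type_msg):
            continue
        msg = getattr(messages.module_audit_phpconf, type_msg)
        for func_name in func_found.split('\n'):
            # Empty name = the trailing newline of the PHP output; no message.
            result.append((func_name, msg if func_name else ''))
    return result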