feat: add functions link and improve severity report of encoded functions
marcocesarato committed Dec 31, 2020
1 parent f472f01 commit c42a339
Showing 2 changed files with 47 additions and 30 deletions.
69 changes: 43 additions & 26 deletions src/Scanner.php
Expand Up @@ -826,10 +826,10 @@ public function scanFile($info)
$contentDecoded = $deobfuscator->decode($contentDeobfuscated);

$contents = [
$contentRaw, // Original content
$contentClean, // Cleaned content
$contentDeobfuscated, // Deobfuscated content
$contentDecoded, // Decoded content
'raw' => $contentRaw, // Original content
'cleaned' => $contentClean, // Cleaned content
'deobfuscated' => $contentDeobfuscated, // Deobfuscated content
'decoded' => $contentDecoded, // Decoded content
];

/**
Expand All @@ -854,11 +854,14 @@ public function scanFile($info)
'key' => $key,
'level' => $exploit['level'],
'output' => $matchDescription,
'description' => $exploit['description'],
'line' => $lineNumber,
'pattern' => $pattern,
'match' => $lastMatch,
'exploit' => $exploit,
];
if (isset($exploit['link'])) {
$patternFound[$patternFoundKey]['link'] = $exploit['link'];
}
}
};
// Check exploits
Expand All @@ -878,7 +881,13 @@ public function scanFile($info)
foreach ($functions as $funcRaw) {
$lastMatch = null;
$func = preg_quote(trim($funcRaw), '/');
$checkFunction = function ($match, $pattern, $level = Definitions::LVL_WARNING, $type = '') use ($contentRaw, $funcRaw, &$patternFound) {
$checkFunction = function (
$match,
$pattern,
$level = Definitions::LVL_WARNING,
$descriptionPrefix = '',
$type = ''
) use ($contentRaw, $funcRaw, &$patternFound) {
$suffix = '';
if (!empty($type)) {
$suffix = '_' . $type;
Expand All @@ -901,9 +910,11 @@ public function scanFile($info)
'key' => $funcKey,
'level' => $level,
'output' => $matchDescription,
'description' => $descriptionPrefix . ' `' . $funcRaw . '`',
'line' => $lineNumber,
'pattern' => $pattern,
'match' => $lastMatch,
'link' => 'https://www.php.net/' . $funcRaw,
];
}
};
Expand All @@ -914,10 +925,21 @@ public function scanFile($info)
if (in_array($funcRaw, self::$functions)) {
// Check raw functions
$regexPattern = "/(?:^|[\s\r\n]+|[^a-zA-Z0-9_>]+)(" . $func . "[\s\r\n]*\((?<=\().*?(?=\))\))/si";
foreach ($contents as $content) {
foreach ($contents as $contentType => $content) {
if (@preg_match_all($regexPattern, $content, $matches, PREG_OFFSET_CAPTURE)) {
foreach ($matches[0] as $match) {
$checkFunction($match, $regexPattern);
$descriptionPrefix = 'Potentially dangerous function';
$severity = Definitions::LVL_WARNING;
if ($contentType === 'decoded') {
$severity = Definitions::LVL_DANGEROUS;
$descriptionPrefix = 'Encoded Function';
}
$checkFunction(
$match,
$regexPattern,
$severity,
$descriptionPrefix
);
}
}
}
Expand All @@ -927,35 +949,28 @@ public function scanFile($info)
* Encoded functions.
*/
if (in_array($funcRaw, self::$functionsEncoded)) {
$decoders = [
$encoders = [
'str_rot13',
'base64_decode',
'strrev',
];
foreach ($decoders as $decoder) {
foreach ($encoders as $encoder) {
// Check encoded functions
$regexPatternEncoded = '/' . @$decoder($funcRaw) . '/s';
foreach ($contents as $content) {
$regexPatternEncoded = '/' . @$encoder($funcRaw) . '/s';
foreach ($contents as $contentType => $content) {
if (@preg_match_all($regexPatternEncoded, $content, $matches, PREG_OFFSET_CAPTURE)) {
foreach ($matches[0] as $match) {
$checkFunction($match, $regexPatternEncoded, Definitions::LVL_DANGEROUS, $decoder);
$checkFunction(
$match,
$regexPatternEncoded,
Definitions::LVL_DANGEROUS,
'Encoded Function',
$encoder
);
}
}
}
}

// Check hex functions
$funcHex = bin2hex($funcRaw);
$funcHex = chunk_split($funcHex, 2, '\x');
$funcHex = '\x' . substr($funcHex, 0, -2);
$regexPatternHex = '/(' . preg_quote($funcHex, '/') . ')/si';
foreach ($contents as $content) {
if (@preg_match_all($regexPatternHex, $content, $matches, PREG_OFFSET_CAPTURE)) {
foreach ($matches[0] as $match) {
$checkFunction($match, $regexPatternHex, Definitions::LVL_DANGEROUS, 'hex');
}
}
}
}
}

Expand All @@ -981,6 +996,7 @@ public function scanFile($info)
'key' => $key,
'level' => Definitions::LVL_DANGEROUS,
'output' => $matchDescription,
'description' => 'Sign definition `' . $key . '`',
'line' => $lineNumber,
'pattern' => $regexPattern,
'match' => $lastMatch,
Expand All @@ -1006,6 +1022,7 @@ public function scanFile($info)
'key' => $key,
'level' => Definitions::LVL_DANGEROUS,
'output' => $description,
'description' => 'LFI (Local File Inclusion), through an infected file with icon, allow remote attackers to inject and execute arbitrary commands or code on the target machine',
'line' => '',
'pattern' => '',
'match' => '',
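Review bot: The list renamed to `$encoders` still contains `base64_decode`, so the base64 branch searches the scanned content for the bytes obtained by base64-*decoding* the function name rather than for `base64_encode($funcRaw)` (`ZXZhbA==` for `eval`), and a base64-hidden function name is never detected. The encoder output is also concatenated into `$regexPatternEncoded` without `preg_quote`, and base64 output can contain `+`, `/` and `=`: a `/` terminates the pattern early and the resulting compile warning is hidden by the `@` on `preg_match_all`, so the miss is silent. I would change the two lines to `'base64_encode',` and `$regexPatternEncoded = '/' . preg_quote($encoder($funcRaw), '/') . '/s';`. The enclosing `foreach ($functions as $funcRaw)` starts before this hunk and the de-duplication inside `$checkFunction` is outside it, so I cannot tell from here whether a plain-text match already reported from `raw` is reported again as an "Encoded Function" at `LVL_DANGEROUS` from the `decoded` pass — worth confirming, since `$contentDecoded` is derived from the same content.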
8 changes: 4 additions & 4 deletions src/Templates/Report.php
Expand Up @@ -58,11 +58,11 @@ public function generate($output)
}

$description = '-';
if (isset($item['exploit'])) {
$description = '<p>' . htmlentities($item['exploit']['description']) . '</p>';
if (isset($item['description'])) {
$description = '<p>' . htmlentities($item['description']) . '</p>';

if (isset($item['exploit']['link'])) {
$links = explode(',', $item['exploit']['link']);
if (isset($item['link'])) {
$links = explode(',', $item['link']);
foreach ($links as $key => $link) {
$links[$key] = '<a href="' . $link . '" target="_blank" class="text-primary">' . $link . '</a>';
}
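Review bot: `$link` is concatenated into the `href` attribute and the anchor text without escaping, while `$item['description']` two lines above is passed through `htmlentities`; a `"` or `<` in a link value would break out of the attribute or inject markup into the generated report. As far as this diff shows, link values come from the exploit definitions and the `https://www.php.net/` URL built in Scanner.php rather than from the scanned file, so this is defence in depth, but a report meant to be opened in a browser should escape every interpolated value consistently. `explode(',')` also keeps any whitespace following a comma, which then lands inside the `href`. I would write `$link = htmlspecialchars(trim($link), ENT_QUOTES, 'UTF-8');` followed by `$links[$key] = '<a href="' . $link . '" target="_blank" rel="noopener noreferrer" class="text-primary">' . $link . '</a>';`. `generate()` starts before this hunk.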
