Array("GET"), "\$_POST" => Array("POST"), "\$_COOKIE" => Array("Cookie"), "\$_REQUEST" => Array("ANY")); $_ENV['functions'] = Array( "mysql_query" => Array("SQL_Query", Array(1), false, "database=mysql"), "sesam_query" => Array("SQL_Query", Array(1), false), "db2_exec" => Array("SQL_Query", Array(2), false), "pg_query_params" => Array("SQL_Query", Array(1, 2), false, "database=pg"), "pg_query" => Array("SQL_Query", Array(1, 2), false, "database=pg"), "pg_prepare" => Array("SQL_Query", Array(2, 3), false, "database=pg"), "pg_send_prepare" => Array("SQL_Query", Array(3), false, "database=pg"), "pg_send_query_params" => Array("SQL_Query", Array(2), false, "database=pg"), "pg_send_query" => Array("SQL_Query", Array(1, 2), false, "database=pg"), "sqlite_array_query" => Array("SQL_Query", Array(1, 2), false, "database=sqlite"), "sqlite_query" => Array("SQL_Query", Array(1, 2), false, "database=sqlite"), "sqlite_single_query" => Array("SQL_Query", Array(1, 2), false, "database=sqlite"), "sqlite_unbuffered_query" => Array("SQL_Query", Array(1, 2), false, "database=sqlite"), "mysql_unbuffered_query" => Array("SQL_Query", Array(1), false, "database=mysql"), "sqlite_exec" => Array("SQL_Query", Array(1, 2), false, "database=sqlite"), "mysqli_query" => Array("SQL_Query", Array(2), false, "database=mysql"), "mysqli_prepare" => Array("SQL_Query", Array(2), false, "database=mysql"), "mssql_query" => Array("SQL_Query", Array(1), false, "database=mssql"), "mysqli_stmt_prepare" => Array("SQL_Query", Array(2), false, "database=mysql"), "maxdb_stmt_prepare" => Array("SQL_Query", Array(2), false), "ingres_query" => Array("SQL_Query", Array(1), false), "maxdb_prepare" => Array("SQL_Query", Array(2), false), "ifx_query" => Array("SQL_Query", Array(1), false), "ifx_prepare" => Array("SQL_Query", Array(1), false), "oci_parse" => Array("SQL_Query", Array(1), false, "database=oracle"), "ora_parse" => Array("SQL_Query", Array(1), false, "database=oracle"), "ociparse" => Array("SQL_Query", Array(1), false, "database=oracle"), "ibase_query" => Array("SQL_Query", Array(2), false), "ibase_prepare" => Array("SQL_Query", Array(1, 2, 3), false), "msql_query" => Array("SQL_Query", Array(1), false), "maxdb_real_query" => Array("SQL_Query", Array(2), false), "dbx_query" => Array("SQL_Query", Array(2), false), "ora_do" => Array("SQL_Query", Array(2), false, "database=oracle"), "odbc_prepare" => Array("SQL_Query", Array(2), false), "odbc_exec" => Array("SQL_Query", Array(2), false), "sybase_query" => Array("SQL_Query", Array(1), false, "database=sybase"), "fopen" => Array("", Array(), "callback_fopen"), "readfile" => Array("File_Open", Array(1, 2), false), "file" => Array("File_Open", Array(1), false), "file_get_contents" => Array("File_Open", Array(1), false), "highlight_file" => Array("File_Open", Array(1), false), "file_put_contents" => Array("Create_File", Array(1), false), "file_exists" => Array("", Array(), "callback_file_exists_or_is_file"), "is_file" => Array("", Array(), "callback_file_exists_or_is_file"), "system" => Array("Sys_Command", Array(1), false), "exec" => Array("Sys_Command", Array(1), false), "shell_exec" => Array("Sys_Command", Array(1), false), "passthru" => Array("Sys_Command", Array(1), false), "popen" => Array("Sys_Command", Array(1), false), "mail" => Array("Send_Mail", Array(1, 2, 3, 4), false), "header" => Array("Set_Header", Array(1), "callback_header"), "set_error_handler" => Array("", Array(), "callback_set_error_handler"), "get_included_files" => Array("", Array(), "callback_get_included_files"), "unserialize" => Array("Unserialize", Array(1), false), "curl_exec" => Array("", Array(), "callback_curl_exec"), "unlink" => Array("Delete_File", Array(1), false), "mkdir" => Array("Create_File", Array(1), false), "move_uploaded_file" => Array("", Array(), "callback_move_uploaded_file"), "rmdir" => Array("Delete_File", Array(1), false), "create_function" => Array("Create_Function", Array(1, 2), false), "preg_replace" => Array("", Array(), "callback_preg_replace"), "fwrite" => Array("", Array(), "callback_fwrite_or_fprintf_or_fputs"), "fputs" => Array("", Array(), "callback_fwrite_or_fprintf_or_fputs"), "fprintf" => Array("", Array(), "callback_fwrite_or_fprintf_or_fputs") ); $_ENV["MySQLi"] = Array("query" => Array("SQL_Query", Array(1), false, "MySQLi", "database=mysql"),); $_ENV["fopened_files"] = Array(); $_ENV["parent_directory"] = dirname($_SERVER["SCRIPT_FILENAME"]) . "/"; if (!function_exists("sys_get_temp_dir")) { if (!empty($_ENV["TMP"])) { $_ENV["tmp_folder_path"] = realpath($_ENV["TMP"]); } else if (!empty($_ENV["TMPDIR"])) { $_ENV["tmp_folder_path"] = realpath($_ENV["TMPDIR"]); } else if (!empty($_ENV["TEMP"])) { $_ENV["tmp_folder_path"] = realpath($_ENV["TEMP"]); } else { $tempfile_name = tempnam(md5(uniqid(rand(), false)), ""); if ($tempfile_name) { $realpath = realpath(dirname($tempfile_name)); unlink($tempfile_name); $_ENV["tmp_folder_path"] = $realpath; } else { $_ENV["tmp_folder_path"] = false; } } } else { $_ENV["tmp_folder_path"] = sys_get_temp_dir(); } if ($_ENV["tmp_folder_path"]) { $_ENV["tmp_folder_path"] = str_replace("\\", "/", $_ENV["tmp_folder_path"]); if (substr($_ENV["tmp_folder_path"], -1) !== "/") $_ENV["tmp_folder_path"] .= "/"; } $_ENV["has_tmp_folder"] = (bool)$_ENV["tmp_folder_path"]; $_ENV["error_reporting_value"] = ini_get("error_reporting"); $_ENV["errno_to_text"] = array( E_ERROR => "Error", E_WARNING => "Warning", E_PARSE => "Parsing Error", E_NOTICE => "Notice", E_CORE_ERROR => "Core Error", E_CORE_WARNING => "Core Warning", E_COMPILE_ERROR => "Compile Error", E_COMPILE_WARNING => "Compile Warning", E_USER_ERROR => "User Error", E_USER_WARNING => "User Warning", E_USER_NOTICE => "User Notice", E_STRICT => "Runtime Notice", E_RECOVERABLE_ERROR => "Catchable Fatal Error" ); } function error_handler($errno, $errstr, $errfile, $errline) { if ($errno != E_NOTICE && $errno != E_STRICT && $errno != E_WARNING && $errno != E_RECOVERABLE_ERROR) { fprintf_wrapper_debug("Error: " . $errstr . " Type: " . $_ENV['errno_to_text'][$errno] . " Line $errline, File $errfile"); acuaspect_output(); } if ($errno == E_USER_ERROR || $errno == E_ERROR) acuaspect_output(); if (is_array($_ENV['_AAS11']) && count($_ENV['_AAS11']) > 0) { if (is_string($_ENV['_AAS11'][0]) && function_exists($_ENV['_AAS11'][0])) { if (!isset($_ENV['_AAS11'][1]) || ($_ENV['_AAS11'][1] & $errno != 0)) { custom_call_user_func_array($_ENV['_AAS11'][0], func_get_args()); } } elseif (is_array($_ENV['_AAS11'][0]) && is_object($_ENV['_AAS11'][0][0])) { if (!isset($_ENV['_AAS11'][1]) || ($_ENV['_AAS11'][1] & $errno != 0)) { call_user_func_array(array($_ENV['_AAS11'][0][0], $_ENV['_AAS11'][0][1]), func_get_args()); } } } else if (($errno & $_ENV["error_reporting_value"]) != 0) { switch ($errno) { case E_USER_ERROR: case E_RECOVERABLE_ERROR: case E_ERROR: echo "Fatal error: $errstr in " . $_SERVER["SCRIPT_FILENAME"] . " on line $errline
\n"; break; case E_USER_WARNING: case E_WARNING: echo "Warning: $errstr in " . $_SERVER["SCRIPT_FILENAME"] . " on line $errline
\n"; break; case E_USER_NOTICE: case E_NOTICE: case E_STRICT: break; default: echo "Unknown error type $errno: $errstr in " . $_SERVER["SCRIPT_FILENAME"] . " on line $errline
\n"; break; } } return true; } function custom_call_user_func_array($function_name, $param_arr) { switch (count($param_arr)) { case 0: return $function_name(); break; case 1: return $function_name($param_arr[0]); break; case 2: return $function_name($param_arr[0], $param_arr[1]); break; case 3: return $function_name($param_arr[0], $param_arr[1], $param_arr[2]); break; case 4: return $function_name($param_arr[0], $param_arr[1], $param_arr[2], $param_arr[3]); break; case 5: return $function_name($param_arr[0], $param_arr[1], $param_arr[2], $param_arr[3], $param_arr[4]); break; default: return call_user_func_array($function_name, $param_arr); break; } } function output_ob_buffer_as_webpage($text_to_append = null) { global $__ACUNETIX_TestForGlobalOverwrite; if (isset($__ACUNETIX_TestForGlobalOverwrite) && $__ACUNETIX_TestForGlobalOverwrite === "ACUNETIX_TestForGlobalOverwrite") { log_issue("Global_Overwrite", "Global variable has been overwritten", $_SERVER["SCRIPT_FILENAME"], -1, ""); } acuaspect_output(); fprintf_wrapper_debug("Exiting ..."); $output_buffer = ""; while (($buffer = ob_get_clean()) !== false) { $output_buffer .= $buffer; } $output_buffer .= $text_to_append; header("Content-Length: " . strlen_or_mb_strlen($output_buffer), true); echo $output_buffer; if ($_ENV['_AAS10'] !== false) { fclose($_ENV['_AAS10']); } die(); } function empty_error_handler($errno, $errstr) { } function get_text_repr_require($processed_filename, $line_number, $show_file_now_found_msg, $_AAS59, $function_name, $filename) { log_issue("PHP_File_Include", "$filename", $processed_filename, $line_number, "\"$function_name\" was called."); if (strpos($filename, "acu_phpaspect.php") !== false || strpos($filename, "ACUSTART") !== false || strpos($filename, "ACUEND") !== false) { return ""; } $file_content = false; if (($filename_realpath = realpath($filename)) === false || !file_exists($filename_realpath)) { set_error_handler("empty_error_handler"); $file_content = @file_get_contents($filename, true); restore_error_handler(); if ($file_content !== false) { $include_path = explode(PATH_SEPARATOR, ini_get("include_path")); foreach ($include_path as $folder) { if (($filename_realpath = realpath("$folder/$filename")) !== false) { if (file_exists($filename_realpath)) { break; } } } } else { $file_exists = true; if ($filename[0] !== "." && $filename[0] !== "/" && $filename[0] !== "\\") { $filename_realpath = realpath(dirname($processed_filename) . "/" . $filename); if ($filename_realpath !== false && file_exists($filename_realpath)) $file_exists = false; } if ($file_exists) { log_issue("Include_Error", "$filename", $processed_filename, $line_number, "Acunetix sensor failed to find file \"$filename\" included by \"$function_name\" from file \"$processed_filename\"."); if ($show_file_now_found_msg) { output_ob_buffer_as_webpage("File not found $filename"); } else { return ""; } } } } $filename_realpath = str_replace("\\", "/", $filename_realpath); if ($file_content === false) $file_content = @file_get_contents($filename_realpath, true); fprintf_wrapper_debug("$processed_filename on line $line_number included $filename by $function_name real path: $filename_realpath"); $already_analysed = in_array($filename_realpath, $_ENV['analysed_files']); if ($_AAS59 && $already_analysed) { return ""; } elseif (!$already_analysed) { array_push($_ENV['analysed_files'], $filename_realpath); } $_ENV['_AAS68'] = $filename_realpath; $instrumented_file = new InstrumentedFile($filename_realpath); $instrumented_file->analyse_source_code($file_content); $return_value = $instrumented_file->file_content; unset($instrumented_file); return $return_value; } function analyse_and_log_eval($filename, $line_number, $textual_representation) { $return_value = ""; if (is_array($textual_representation) && count($textual_representation) >= 1) { log_issue("PHP_Code_Eval", $textual_representation[0], $filename, $line_number); $instrumented_file = new InstrumentedFile($filename, "", false, true); $instrumented_file->analyse_source_code($textual_representation[0]); $return_value = $instrumented_file->file_content; unset($instrumented_file); } return $return_value; } function callback_file_exists_or_is_file($_AAS61, $line_number, $function_name, $param_array) { if (is_array($param_array) && count($param_array) == 1 && (strpos($param_array[0], "ACUSTARTFILE") !== false || strpos($param_array[0], "ACUENDFILE") !== false)) { if (strpos($param_array[0], "ACUSTARTFILECREATE") !== false || strpos($param_array[0], "ACUENDFILECREATE") !== false) { return false; } else { return true; } } else { return custom_call_user_func_array($function_name, $param_array); } } function callback_preg_replace($_AAS61, $line_number, $function_name, $param_array) { if (is_array($param_array) && count($param_array) >= 3) { $stacktrace = get_stacktrace(); if ($stacktrace != "") $msg = Array("\"$function_name\" was called.\r\n$stacktrace"); else $msg = Array("\"$function_name\" was called."); if ($param_array[0] == "ACUSTART") { array_push($msg, "Regex pattern is controllable"); log_issue("Preg_Replace_Warning", Array($param_array[0], $param_array[1], substr($param_array[2], 0, 128)), $_AAS61, $line_number, $msg); } else if (strpos($param_array[1], "ACUSTART") !== false) { $regexp_delimiter = substr($param_array[0], 0, 1); if (!ctype_alnum($regexp_delimiter) && $regexp_delimiter != "\\") { $end_of_regexp_index = strrpos($param_array[0], $regexp_delimiter); $modifiers = substr($param_array[0], -strlen_or_mb_strlen($param_array[0]) + $end_of_regexp_index); if ($end_of_regexp_index && strpos($modifiers, "e") !== false) { array_push($msg, "Replacement is controllable and /e is used"); log_issue("Preg_Replace_Warning", Array($param_array[0], $param_array[1], substr($param_array[2], 0, 128)), $_AAS61, $line_number, $msg); } } } if (strpos($param_array[2], "ACUSTART") !== false) { $regexp_delimiter = substr($param_array[0], 0, 1); if (!ctype_alnum($regexp_delimiter) && $regexp_delimiter != "\\") { $end_of_regexp_index = strrpos($param_array[0], $regexp_delimiter); $modifiers = substr($param_array[0], -strlen_or_mb_strlen($param_array[0]) + $end_of_regexp_index); if ($end_of_regexp_index && strpos($modifiers, "e") !== false) { array_push($msg, "Text is controllable and /e is used"); log_issue("Preg_Replace_Warning", Array($param_array[0], $param_array[1], substr($param_array[2], 0, 128)), $_AAS61, $line_number, $msg); } } } } return custom_call_user_func_array($function_name, $param_array); } function callback_curl_exec($_AAS61, $_AAS75, $function_name, $param_array) { if (count($param_array) > 0 && is_resource($param_array[0]) && defined("CURLINFO_EFFECTIVE_URL")) { $last_effective_url = curl_getinfo($param_array[0], CURLINFO_EFFECTIVE_URL); $stacktrace = get_stacktrace(); if ($stacktrace != "") $msg = Array("\"$function_name\" was called.\r\n$stacktrace"); else $msg = Array("\"$function_name\" was called."); log_issue("CURL_Exec", Array($last_effective_url), $_AAS61, $_AAS75, $msg); } return custom_call_user_func_array($function_name, $param_array); } function callback_header($_AAS61, $_AAS75, $function_name, $param_array) { if (array_key_exists($function_name, $_ENV['functions'])) { $function_info = $_ENV['_AAS16'][$function_name]; } else { $function_info = false; } if ($function_info !== false) { $stacktrace = get_stacktrace(); if ($stacktrace != "") $msg = Array("\"$function_name\" was called.\r\n$stacktrace"); else $msg = Array("\"$function_name\" was called."); for ($i = 3; $i < count($function_info); $i++) { if (isset($function_info[$i])) { array_push($msg, $function_info[$i]); } } log_issue($function_info[0], $param_array, $_AAS61, $_AAS75, $msg); if (stripos($param_array[0], "content-length") === false) { return custom_call_user_func_array($function_name, $param_array); } else { return true; } } else { return custom_call_user_func_array($function_name, $param_array); } } function callback_set_error_handler($filename, $line_number, $function_name, $_AAS77) { fprintf_wrapper_debug("$function_name called from $filename line $line_number"); $_ENV['_AAS11'] = $_AAS77; return true; } function acunetix_function_wrapper($filename, $lineno, $function_name, $param_array) { if (!is_string($function_name)) { if (is_callable($function_name)) { return call_user_func_array($function_name, $param_array); } else { return false; } } if (array_key_exists($function_name, $_ENV['functions'])) { $function_infos = $_ENV['_AAS16'][$function_name]; } else { $function_infos = false; } if ($function_infos !== false) { if ($function_infos[2] !== false && function_exists($function_infos[2])) { return $function_infos[2]($filename, $lineno, $function_name, $param_array); } else { $are_param_not_controllable = true; $_AAS89 = Array(); for ($j = 0; $j < count($param_array); $j++) { if ($are_param_not_controllable and ( (is_string($param_array[$j]) && strpos($param_array[$j], "ACUSTART") !== false) || (is_string($param_array[$j]) && strpos($param_array[$j], "ACUEND") !== false) ) ) $are_param_not_controllable = false; if (in_array($j + 1, $function_infos[1])) array_push($_AAS89, substr($param_array[$j], 0, 1024 * 1024)); } $stacktrace = get_stacktrace(); if ($stacktrace != "") $message = Array("\"$function_name\" was called.\r\n$stacktrace"); else $message = Array("\"$function_name\" was called."); for ($i = 3; $i < count($function_infos); $i++) { if (isset($function_infos[$i])) { array_push($message, $function_infos[$i]); } } log_issue($function_infos[0], $_AAS89, $filename, $lineno, $message); if ($are_param_not_controllable) return custom_call_user_func_array($function_name, $param_array); else return false; } } else { return custom_call_user_func_array($function_name, $param_array); } } function mysqli_callback($file_name, $line_number, $object, $method, $_AAS77) { $is_call_safe = true; if (array_key_exists($method, $_ENV["MySQLi"])) { $function_info = $_ENV["MySQLi"][$method]; } else { $function_info = false; } // Are we dealing with a MySQli object? if ($function_info !== false && isset($function_info[3]) && is_object($object) && ($object instanceof $function_info[3])) { for ($i = 0; $i < count($_AAS77); $i++) { if ($is_call_safe && (strpos($_AAS77[$i], "ACUSTART") !== false || strpos($_AAS77[$i], "ACUEND") !== false)) { $is_call_safe = false; break; } } $_AAS89 = Array(); for ($i = 0; $i < count($_AAS77); $i++) { if (in_array($i + 1, $function_info[1])) array_push($_AAS89, $_AAS77[$i]); } $msg = Array("\"$method\" member function was called."); for ($i = 4; $i < count($function_info); $i++) { if (isset($function_info[$i])) { array_push($msg, $function_info[$i]); } } log_issue($function_info[0], $_AAS89, $file_name, $line_number, $msg); } if ($is_call_safe) { return call_user_func_array(array($object, $method), $_AAS77); } else { return false; } } function variable_access($_AAS61, $line_number, $index, $_AAS93) { $verb = $_ENV['verbs'][$index]; if (isset($verb)) { log_issue("Var_Access", Array($verb[0], $_AAS93), $_AAS61, $line_number); } return $_AAS93; } function callback_fopen($_AAS61, $_AAS75, $function_name, $param_array) { $opened_filename = $param_array[0]; $opened_mode = $param_array[1]; $stacktrace = get_stacktrace(); if ($stacktrace != "") $msg = Array("\"$function_name\" was called.\r\n$stacktrace"); else $msg = Array("\"$function_name\" was called."); if (strpos($opened_mode, 'w') !== false || strpos($opened_mode, 'a') !== false || strpos($opened_mode, 'x') !== false) { log_issue('Create_File', Array($opened_filename), $_AAS61, $_AAS75, $msg); } else { log_issue('File_Open', Array($opened_filename), $_AAS61, $_AAS75, $msg); } if (!(strpos($param_array[0], "ACUSTART") !== false || strpos($param_array[0], "ACUEND") !== false)) { $file_handler = custom_call_user_func_array($function_name, $param_array); $_ENV["fopened_files"][(int)$file_handler] = $opened_filename; return $file_handler; } else { return false; } } function callback_fwrite_or_fprintf_or_fputs($_AAS61, $_AAS75, $function_name, $param_array) { $_AAS97 = $_ENV["fopened_files"][(int)$param_array[0]]; if (isset($_AAS97)) { if (strcasecmp($function_name, "fprintf") === 0) { $tmp = array_shift($param_array); $string_to_write_to_the_file = custom_call_user_func_array("sprintf", $param_array); array_unshift($param_array, $tmp); } else { $string_to_write_to_the_file = $param_array[1]; } $stacktrace = get_stacktrace(); if ($stacktrace != "") $msg = Array("\"$function_name\" was called.\r\n$stacktrace"); else $msg = Array("\"$function_name\" was called."); if (($acustart_position = strpos($string_to_write_to_the_file, "ACUSTART")) !== false) { $string_to_write_to_the_file = substr($string_to_write_to_the_file, $acustart_position, 512); log_issue('File_Write', Array($_AAS97, $string_to_write_to_the_file), $_AAS61, $_AAS75, $msg); } elseif (($acustart_position = strpos($string_to_write_to_the_file, "ACUEND")) !== false) { $string_to_write_to_the_file = substr($string_to_write_to_the_file, max(0, $acustart_position - 512 + strlen_or_mb_strlen("ACUEND")), 512); log_issue('File_Write', Array($_AAS97, $string_to_write_to_the_file), $_AAS61, $_AAS75, $msg); } } return custom_call_user_func_array($function_name, $param_array); } function callback_move_uploaded_file($_AAS61, $_AAS75, $function_name, $param_array) { $return_value = custom_call_user_func_array($function_name, $param_array); if ($return_value && ($file_realpath = realpath($param_array[1])) !== false) { $file_realpath = strtr($file_realpath, "\\", "/"); $stacktrace = get_stacktrace(); $normalized_realpath = strtr(realpath($_SERVER['DOCUMENT_ROOT']), "\\", "/"); if (substr($normalized_realpath, -1, 1) !== "/") $normalized_realpath .= "/"; $_AAS102 = false; if (strpos($file_realpath, $normalized_realpath) === 0) { $_AAS102 = substr($file_realpath, strlen_or_mb_strlen($normalized_realpath) - 1); } if ($_AAS102) { log_issue('File_Upload', Array($_AAS102), $_AAS61, $_AAS75, Array("\"$file_realpath\" was uploaded (platform PHP).\r\n$stacktrace")); } else { log_issue('Create_File', $param_array, $_AAS61, $_AAS75, Array("\"$function_name\" was called.\r\n$stacktrace")); } } return $return_value; } function callback_get_included_files($_AAS61, $_AAS75, $_AAS60, $_AAS77) { return ($_ENV['analysed_files']); } function fprintf_wrapper_debug2($msg) { if ($_ENV['_AAS10'] !== false) { @fprintf($_ENV['_AAS10'], "%s\n", $msg); } } function fprintf_wrapper_debug($message) { if ($_ENV['_AAS10'] !== false) { @fprintf($_ENV['_AAS10'], "%s\n", $message); } } function strlen_or_mb_strlen($str) { if (extension_loaded('mbstring') && ((int)ini_get('mbstring.func_overload') & 2)) { return mb_strlen($str, 'latin1'); } else { return strlen($str); } } function log_issue($vuln_type, $filename_or_resource_or_zone, $_AAS107, $line_number, $details = "") { $buffer = ""; $buffer .= sprintf("%08X%s", strlen_or_mb_strlen($vuln_type), $vuln_type); if (is_array($filename_or_resource_or_zone)) { $buffer .= "a" . sprintf("%08X", count($filename_or_resource_or_zone)); for ($i = 0; $i < count($filename_or_resource_or_zone); $i++) { $buffer .= sprintf("%08X%s", strlen_or_mb_strlen($filename_or_resource_or_zone[$i]), $filename_or_resource_or_zone[$i]); } } elseif ($filename_or_resource_or_zone !== "") { $buffer .= "s" . sprintf("%08X%s", strlen_or_mb_strlen($filename_or_resource_or_zone), $filename_or_resource_or_zone); } else { $buffer .= "n"; } $buffer .= sprintf("%08X%s%08X", strlen_or_mb_strlen($_AAS107), $_AAS107, $line_number); if (is_array($details)) { $buffer .= "a" . sprintf("%08X", count($details)); for ($i = 0; $i < count($details); $i++) { $buffer .= sprintf("%08X%s", strlen_or_mb_strlen($details[$i]), $details[$i]); } } elseif ($details !== "") { $buffer .= "s" . sprintf("%08X%s", strlen_or_mb_strlen($details), $details); } else { $buffer .= "n"; } if (strlen($_ENV['_AAS13']) > 0x500000) { $temporary_file = @tmpfile(); if ($temporary_file) { $_ENV['tempfile_name'] = $temporary_file; fwrite($_ENV['tempfile_name'], $_ENV['_AAS13']); $_ENV['_AAS13'] = ''; } } if (isset($_ENV['tempfile_name']) && $_ENV['tempfile_name']) { fwrite($_ENV['tempfile_name'], $buffer); } else { $_ENV['_AAS13'] .= $buffer; } fprintf_wrapper_debug("_AAS50: Key=$vuln_type"); } function acuaspect_output() { if (isset($_ENV['tempfile_name']) && $_ENV['tempfile_name']) { @fseek($_ENV['tempfile_name'], 0); echo(""); @fclose($_ENV['tempfile_name']); unset($_ENV['tempfile_name']); } else { $_AAS112 = strlen_or_mb_strlen($_ENV['_AAS13']); echo ""; $_ENV['_AAS13'] = ""; } } function get_filelist($directory, $recursive) { $return_value = Array(); if (substr($directory, -1) != "/") $directory .= "/"; if (is_dir($directory) && $fd = @opendir($directory)) { while (($filename = readdir($fd)) !== false) { if (is_dir($directory . $filename) && $filename != "." && $filename != "..") { array_push($return_value, str_replace($_ENV['parent_directory'], "", $directory . $filename . "/")); if ($recursive) $return_value = array_merge($return_value, get_filelist($directory . $filename, $recursive)); } elseif (is_file($directory . $filename) && ($filename !== basename(__FILE__))) { array_push($return_value, str_replace($_ENV['parent_directory'], "", $directory . $filename)); } } } return $return_value; } function get_configuration_security_issues() { $issues_array = Array(); if (($display_errors_value = ini_get('display_errors')) != 0) array_push($issues_array, 'display_errors=' . $display_errors_value); if (strtolower(ini_get('register_globals')) == "on") array_push($issues_array, 'register_globals_on=on'); if (strtolower(ini_get('magic_quotes_gpc')) == "off") array_push($issues_array, 'magic_gpc_off=off'); if ((bool)ini_get('allow_url_fopen')) array_push($issues_array, 'allow_url_fopen_on=On'); if ((bool)ini_get('allow_url_include')) array_push($issues_array, 'allow_url_include_on=On'); if ((bool)ini_get('session.use_trans_sid')) array_push($issues_array, 'session.use_trans_sid_on=On'); if (ini_get('open_basedir') == '') array_push($issues_array, 'open_basedir_not_set='); if ((bool)ini_get('enable_dl') && (bool)ini_get('safe_mode')) array_push($issues_array, 'enable_dl_safe_mode_on='); array_push($issues_array, "php_version=" . phpversion()); if (count($issues_array) > 0) log_issue("Aspect_Alerts", $issues_array, $_SERVER["SCRIPT_FILENAME"], 0); } function get_stacktrace($_AAS120 = true) { if (!function_exists("debug_backtrace")) return ""; $debug_backtrace = debug_backtrace(); $backtrace_len = count($debug_backtrace) - 1; if ($_AAS120) { while ($backtrace_len >= 0 && $debug_backtrace[$backtrace_len]["function"] === "eval") $backtrace_len--; if ($backtrace_len <= 0) return ""; } $return_value = ""; $stackstace_depth_counter = 1; for ($i = 0; $i <= $backtrace_len; $i++) { if ( $_AAS120 && (strpos($debug_backtrace[$i]["function"], "_AAS") !== false || strpos($debug_backtrace[$i]["function"], "call_user_func_array") !== false) || strpos($debug_backtrace[$i]["function"], "call_user_method_array") !== false) { continue; } $class = isset($debug_backtrace[$i]["class"]) ? $debug_backtrace[$i]["class"] . "::" : ""; $textual_representation = isset($debug_backtrace[$i]["function"]) ? $debug_backtrace[$i]["function"] : "[Unknown function]"; if (isset($debug_backtrace[$i]["args"])) { $textual_representation .= "("; for ($j = 0; $j < count($debug_backtrace[$i]["args"]); $j++) { $arg_type = gettype($debug_backtrace[$i]["args"][$j]); $textual_representation .= "[$arg_type] "; switch ($arg_type) { case "array": $textual_representation .= "count=" . count($debug_backtrace[$i]["args"][$j]); break; case "object": $textual_representation .= "class=" . get_class($debug_backtrace[$i]["args"][$j]); break; case "string": $textual_representation .= "\"" . str_replace(Array("\r\n", "\n", "\r"), Array("\\n", "\\n", "\\n"), $debug_backtrace[$i]["args"][$j]) . "\""; break; case "boolean": $textual_representation .= $debug_backtrace[$i]["args"][$j] ? "true" : "false"; break; default: $textual_representation .= $debug_backtrace[$i]["args"][$j]; } if ($j < count($debug_backtrace[$i]["args"]) - 1) $textual_representation .= ", "; } $textual_representation .= ")"; } else { $textual_representation .= "()"; } $return_value .= " $stackstace_depth_counter. $class$textual_representation"; $stackstace_depth_counter++; if ($i < $backtrace_len) $return_value .= "\r\n"; } if ($return_value != "") return "Stack trace:\r\n" . $return_value; else return ""; } function get_GET_parameters_urlencoded() { $return_value = ""; foreach ($_GET as $key => $value) { $return_value .= rawurlencode($key) . "=" . rawurlencode($value) . "&"; } if ($return_value != "") $return_value = substr($return_value, 0, -1); return $return_value; } class InstrumentedFile { private $filename; private $tokens; private $nb_tokens; public $file_content; private $return_true; private $is_in_a_php_tag; private $cache_already_existing = false; private $cached_filename; private $closing_php_tag; private $dirname; private function fprintf_wrapper_debug_method($str) { fprintf_wrapper_debug($str); } public function InstrumentedFile($filename, $closing_php_tag = '?>', $should_return_true = true, $is_in_a_php_tag = false) { $this->filename = $filename; $this->dirname = dirname($filename); $this->file_content = ""; $this->closing_php_tag = $closing_php_tag; $this->return_true = $should_return_true; $this->is_in_a_php_tag = $is_in_a_php_tag; } private function get_text_filename_or_folder($token) { if (is_string($token)) { return $token; } else { switch ($token[0]) { case T_FILE: return '"' . $this->filename . '"'; break; case T_DIR: return '"' . $this->dirname . '"'; break; default: return $token[1]; } } } private function get_str_text_representation(&$counter) { $return_value = "\""; $counter++; while ($counter < $this->nb_tokens) { $token = $this->tokens[$counter]; if (is_string($token)) { $return_value .= $token; if ($token == "\"") break; } else { $return_value .= $token[1]; } $counter++; } return $return_value; } private function get_require_text_representation(&$counter) { $function_name = ""; $_AAS58 = ""; $_AAS59 = ""; $token = $this->tokens[$counter]; $line_number = isset($token[2]) ? $token[2] : 0; switch ($token[0]) { case T_INCLUDE: $function_name = "include"; $_AAS58 = "false"; $_AAS59 = "false"; break; case T_INCLUDE_ONCE: $function_name = "include_once"; $_AAS58 = "false"; $_AAS59 = "true"; break; case T_REQUIRE: $function_name = "require"; $_AAS58 = "true"; $_AAS59 = "false"; break; case T_REQUIRE_ONCE: $function_name = "require_once"; $_AAS58 = "true"; $_AAS59 = "true"; break; } $msg = ""; $brackets_number = 0; $questionmark = false; $counter++; while ($counter < $this->nb_tokens) { $token = $this->tokens[$counter]; if (is_string($token)) { if ($token === "(") { $brackets_number++; } elseif ($token === ")") { $brackets_number--; } elseif ($token === "?") { $questionmark = true; } elseif ($token === ":") { if ($questionmark === false) { $counter--; break; } else { $questionmark = false; } } if ($brackets_number < 0 || $token === ";") { $counter--; break; } } elseif (is_array($token)) { if ($token[0] === T_CLOSE_TAG) { $counter--; break; } } $msg .= $this->get_token_textual_representation_at_index($counter); $counter++; } return "eval(get_text_repr_require(\"$this->filename\",$line_number,$_AAS58,$_AAS59,\"$function_name\",$msg))"; } private function skip_comments_tokens(&$counter) { while ($counter < $this->nb_tokens) { $token = $this->tokens[$counter]; if (is_array($token) && ($token[0] === T_COMMENT || $token[0] === T_ML_COMMENT || $token[0] === T_DOC_COMMENT || $token[0] === T_WHITESPACE)) $counter++; else break; } } private function get_index_of_corresponding_closing_moustache_or_bracket(&$counter, $opening_paren, $closing_paren, &$has_no_comment, &$textual_representation) { $textual_representation = ""; $has_no_comment = true; $paren_counter = 1; while ($counter < $this->nb_tokens) { $token = $this->tokens[$counter]; if ($token === $opening_paren) $paren_counter++; if ($token === $closing_paren) $paren_counter--; if ($paren_counter <= 0) break; if ($token === ";") { return false; } else { if (is_array($token) && $token[0] !== T_COMMENT && $token[0] !== T_ML_COMMENT && $token[0] !== T_DOC_COMMENT && $token[0] !== T_WHITESPACE && $token[0] !== T_CONSTANT_ENCAPSED_STRING) $has_no_comment = false; $textual_representation .= $this->get_token_textual_representation_at_index($counter); } $counter++; } return true; } private function get_textual_representation_between_parenthesis(&$counter, &$textual_representation) { $textual_representation = ""; $counter++; $parenthesis_counter = 1; while ($counter < $this->nb_tokens) { $token = $this->tokens[$counter]; if ($token === "(") $parenthesis_counter++; elseif ($token === ")") $parenthesis_counter--; if ($parenthesis_counter <= 0) break; $textual_representation .= $this->get_token_textual_representation_at_index($counter); $counter++; } return true; } private function get_string_text_representation(&$counter) { $token = $this->tokens[$counter]; $textual_token = $token[1]; if (array_key_exists($textual_token, $_ENV['functions'])) { $line_number = isset($token[2]) ? $token[2] : 0; $_counter = $counter + 1; $this->skip_comments_tokens($_counter); $token = $this->tokens[$_counter]; if ($token === "(") { $textual_representation = ""; if ($this->get_textual_representation_between_parenthesis($_counter, $textual_representation)) { $counter = $_counter; return "acunetix_function_wrapper(\"$this->filename\",$line_number,\"$textual_token\",Array($textual_representation))"; } } } return $textual_token; } private function get_oop_related_text_representation(&$counter, $string_representation) { $counter++; $return_value = "$string_representation"; while ($counter < $this->nb_tokens) { $token = $this->tokens[$counter]; $return_value .= $this->get_text_filename_or_folder($token); if (!is_array($token)) { break; } elseif ($token[0] !== T_WHITESPACE) { break; } $counter++; } return $return_value; } private function escape_slashes_and_dollars($str) { $return_value = ""; for ($i = 0; $i < strlen_or_mb_strlen($str); $i++) { switch ($str[$i]) { case "\\": $return_value .= "\\\\"; break; case "$": $return_value .= "\\\$"; break; default: $return_value .= $str[$i]; } } return $return_value; } private function get_variable_text_representation(&$counter) { $token = $this->tokens[$counter]; $return_value = $token[1]; $line_number = isset($token[2]) ? $token[2] : 0; $_counter = $counter + 1; $this->skip_comments_tokens($_counter); while ($_counter < $this->nb_tokens) { $token = $this->tokens[$_counter]; if ($token === "{" || $token === "[") { // array dereference $_counter++; $has_no_comment = false; $textual_representation = ""; $closing_paren = ($token === "{") ? "}" : "]"; $idx_corresponding_moustache_or_bracket = $this->get_index_of_corresponding_closing_moustache_or_bracket($_counter, $token, $closing_paren, $has_no_comment, $textual_representation); $verb = false; if (array_key_exists($return_value, $_ENV['verbs'])) { $verb = $_ENV['verbs'][$return_value]; } // Is it GET/POST/COOKIE/... ? if ($idx_corresponding_moustache_or_bracket && isset($verb) && $verb !== false) { if ($has_no_comment) { log_issue("Var_Reference", Array($verb[0], trim($textual_representation, "\"'")), $this->filename, $line_number); } $return_value .= "[variable_access(\"$this->filename\", $line_number, \"" . $this->escape_slashes_and_dollars($return_value) . "\", $textual_representation)]"; $counter = $_counter; } elseif ($idx_corresponding_moustache_or_bracket) { $return_value .= "[$textual_representation]"; $counter = $_counter; } else { $counter = $_counter - 1; break; } } elseif ($token === "(") { // usage of a variable as a function $text_repr = ""; if ($this->get_textual_representation_between_parenthesis($_counter, $text_repr)) { $return_value = "acunetix_function_wrapper(\"$this->filename\",$line_number,$return_value,Array($text_repr))"; } else { $return_value .= "("; } $counter = $_counter; break; } elseif (is_array($token) && $token[0] === T_OBJECT_OPERATOR) { // `->`, usage of a variable as a class instance $_counter++; $this->skip_comments_tokens($_counter); $token = $this->tokens[$_counter]; if (is_array($token) && $token[0] === T_STRING) { $method = $token[1]; $this->skip_comments_tokens($_counter); $_counter++; $token = $this->tokens[$_counter]; if ($token === "(") { // usage of a method, and not an attribute $text_repr = ""; if ($this->get_textual_representation_between_parenthesis($_counter, $text_repr)) { if (array_key_exists($method, $_ENV["functions"])) { //is it a call to MySQLi->query ? $return_value = "mysqli_callback(\"$this->filename\",$line_number,$return_value,\"$method\",Array($text_repr))"; } else { $return_value .= "->$method($text_repr)"; } $counter = $_counter; } else { $return_value .= "->$method"; } } else { break; } } else { break; } } else { break; } $_counter++; } return $return_value; } private function get_eval_textual_representation(&$counter) { $token = $this->tokens[$counter]; $return_value = "eval"; $line_number = isset($token[2]) ? $token[2] : 0; $_counter = $counter + 1; $this->skip_comments_tokens($_counter); $token = $this->tokens[$_counter]; if ($token === "(") { $textual_representation = ""; if ($this->get_textual_representation_between_parenthesis($_counter, $textual_representation)) { $counter = $_counter; $return_value .= "(analyse_and_log_eval(\"$this->filename\", $line_number, Array($textual_representation)))"; } } return $return_value; } private function return_output_ob_buffer_as_webpage_as_str(&$counter) { $return_value = "output_ob_buffer_as_webpage"; $counter++; $this->skip_comments_tokens($counter); if ($this->tokens[$counter] !== "(") { $return_value .= "()"; } $counter--; return $return_value; } private function get_token_textual_representation_at_index(&$counter) { $return_value = ""; $token = $this->tokens[$counter]; if (is_string($token)) { switch ($token) { case "\"": $return_value = $this->get_str_text_representation($counter); break; default: $return_value .= $this->get_text_filename_or_folder($token); } } else { switch ($token[0]) { case T_INCLUDE: case T_INCLUDE_ONCE: case T_REQUIRE: case T_REQUIRE_ONCE: $return_value .= $this->get_require_text_representation($counter); break; case T_VARIABLE: $return_value .= $this->get_variable_text_representation($counter); break; case T_FUNCTION: $return_value .= $this->get_oop_related_text_representation($counter, "function"); break; case T_NEW: $return_value .= $this->get_oop_related_text_representation($counter, "new"); break; case T_CLASS: $return_value .= $this->get_oop_related_text_representation($counter, "class"); break; case T_DOUBLE_COLON: $return_value .= $this->get_oop_related_text_representation($counter, "::"); break; case T_OBJECT_OPERATOR: $return_value .= $this->get_oop_related_text_representation($counter, "->"); break; case T_EXTENDS: $return_value .= $this->get_oop_related_text_representation($counter, "extends"); break; case T_STRING: $return_value .= $this->get_string_text_representation($counter); break; case T_WHITESPACE: $return_value .= " "; break; case T_EVAL: $return_value .= $this->get_eval_textual_representation($counter); break; case T_EXIT: $return_value .= $this->return_output_ob_buffer_as_webpage_as_str($counter); break; case T_HALT_COMPILER: $counter = $this->nb_tokens; break; case T_START_HEREDOC: case T_END_HEREDOC: $return_value .= $token[1] . "\n"; break; default: if ($token[0] === T_OPEN_TAG) { $this->is_in_a_php_tag = true; } elseif ($token[0] === T_CLOSE_TAG) { $this->is_in_a_php_tag = false; } $return_value .= $this->get_text_filename_or_folder($token); } } return $return_value; } public function analyse_source_code($source_code) { if ($_ENV["has_tmp_folder"]) { $this->cached_filename = $_ENV['tmp_folder_path'] . "_AAS166" . md5($source_code . $this->filename); if (file_exists($this->cached_filename)) { $this->cache_already_existing = true; } } else { $this->cached_filename = ""; } if ($this->cache_already_existing) { $this->fprintf_wrapper_debug_method("Loading from cache."); if ($cache_fd = @fopen($this->cached_filename, "rb")) { $first_char_of_the_cache = fread($cache_fd, 1); $this->is_in_a_php_tag = ($first_char_of_the_cache === "1"); $file_size = filesize($this->cached_filename) - 1; if ($file_size > 0) { $this->file_content = @fread($cache_fd, $file_size); } else { $this->file_content = ""; } } else { $this->fprintf_wrapper_debug_method("Unable to load from cache file."); $this->cache_already_existing = false; } } if (!$this->cache_already_existing) { $this->fprintf_wrapper_debug_method("Processing file \"$this->filename\" ..."); $this->tokens = token_get_all($source_code); $this->nb_tokens = count($this->tokens); $i = 0; while ($i < $this->nb_tokens) { $this->file_content .= $this->get_token_textual_representation_at_index($i); $i++; } if ($this->cached_filename !== "") { $this->fprintf_wrapper_debug_method("Saving cache for \"$this->filename\""); if ($cache_fd = @fopen($this->cached_filename, "w+")) { @fprintf($cache_fd, "%s%s", $this->is_in_a_php_tag ? "1" : "0", $this->file_content); @fclose($cache_fd); } else { $this->fprintf_wrapper_debug_method("Unable to create cache file."); } } } $this->file_content = $this->closing_php_tag . $this->file_content; if ($this->return_true) { if ($this->is_in_a_php_tag) $this->file_content .= "return true;"; else $this->file_content .= ""; } } } if ($_ENV["sensor_enabled"]) { set_error_handler("error_handler"); fprintf_wrapper_debug("Called with " . $_SERVER["REQUEST_METHOD"] . " method for URI: " . $_SERVER["REQUEST_URI"]); log_issue("PONG", "", "", 0); if (isset($_SERVER["HTTP_ACUNETIX_ASPECT_QUERIES"])) { $acunetix_aspect_queries = explode(";", $_SERVER["HTTP_ACUNETIX_ASPECT_QUERIES"]); for ($i = 0; $i < count($acunetix_aspect_queries); $i++) { switch (strtolower($acunetix_aspect_queries[$i])) { case "filelist": if (strcasecmp(basename($_SERVER["SCRIPT_FILENAME"]), basename($_SERVER["PHP_SELF"])) == 0) { log_issue("File_List", get_filelist($_ENV['parent_directory'], true), $_SERVER["SCRIPT_FILENAME"], 0); } break; case "aspectalerts": get_configuration_security_issues(); break; } } } if (isset($_SERVER["REDIRECT_STATUS"]) && isset($_SERVER["REDIRECT_URL"]) && $_SERVER["REDIRECT_STATUS"] == 200) { log_issue("Script_Name", $_SERVER["SCRIPT_NAME"], $_SERVER["SCRIPT_FILENAME"], 0); if (count($_GET) > 0) log_issue("Script_Query", get_GET_parameters_urlencoded(), $_SERVER["SCRIPT_FILENAME"], 0); } array_push($_ENV['analysed_files'], $_SERVER["SCRIPT_FILENAME"]); $instrumented_file = new InstrumentedFile($_SERVER["SCRIPT_FILENAME"]); $instrumented_file->analyse_source_code(file_get_contents($_SERVER["SCRIPT_FILENAME"])); $file_content = $instrumented_file->file_content; unset($instrumented_file); ob_start(); acuaspect_output(); @eval($file_content); output_ob_buffer_as_webpage(); } __halt_compiler(); 5f4dcc3b5aa765d61d8327deb882cf99