├── .gitattributes ├── CHANGELOG ├── LICENSE ├── README.md ├── config ├── general.php ├── help.php ├── info.php ├── securing.php ├── sinks.php ├── sources.php └── tokens.php ├── css ├── ayti.css ├── barf.css ├── code-dark.css ├── espresso.css ├── notepad++.css ├── phps.css ├── print.css ├── rips.css ├── rips.png ├── scanning.gif ├── term.css └── twilight.css ├── index.php ├── js ├── exploit.js ├── hotpatch.js ├── netron.js └── script.js ├── lib ├── analyzer.php ├── constructer.php ├── filer.php ├── printer.php ├── scanner.php ├── searcher.php └── tokenizer.php ├── main.php ├── papers ├── 04_5_0.pdf ├── 04_5_slides.pdf ├── 61f05ac238d58194a41323018f7c21907b05.pdf ├── Abstract.pdf ├── LCA 2012_ PHP Static Code Analysis.html ├── LCA 2012_ PHP Static Code Analysis_files │ ├── a.html │ ├── balrog.jpg │ ├── can-patent.png │ ├── cans-pile.jpg │ ├── coke-crushed.jpg │ ├── css.css │ ├── custom-sanitizer.png │ ├── fwse.png │ ├── prettify.txt │ ├── rubbish-bin.png │ ├── rubbish-tip.jpg │ ├── sacrifice.jpg │ ├── securing-gravel.jpg │ ├── slides.txt │ ├── steelin-ur-datax.jpg │ ├── styles.css │ ├── test-1-screenie.png │ └── xkcd-sql.png ├── McRee-toolsmith.pdf ├── POPChainGeneration-CCS14.pdf ├── README.md ├── diss.pdf ├── rips-paper.pdf ├── rips-slides.pdf ├── rips.pdf ├── sanitization_issta15.pdf ├── sec14-paper-dahse.pdf ├── sec14_slides_dahse.pdf └── webshells_www2016.pdf ├── rips_stats.py └── windows ├── code.php ├── exploit.php ├── function.php ├── help.php ├── hotpatch.php └── leakscan.php /.gitattributes: -------------------------------------------------------------------------------- 1 | # Set the default behavior, in case people don't have core.autocrlf set. 2 | * text=auto 3 | 4 | *.css text eol=lf 5 | *.js text eol=lf 6 | *.php text eol=lf 7 | *.py text eol=lf 8 | 9 | # Denote all files that are truly binary and should not be modified. 
10 | *.gif binary 11 | *.jpg binary 12 | *.png binary 13 | -------------------------------------------------------------------------------- /CHANGELOG: -------------------------------------------------------------------------------- 1 | RIPS CHANGELOG 2 | =============== 3 | 4 | RIPS 0.55 5 | ---------- 6 | - updated configuration (sources, sinks, sanitization) 7 | - added session fixation detection 8 | - seperated reflection injection from code injection 9 | - changed defaults (subdirs, vuln type) 10 | - referenced user survey 11 | 12 | RIPS 0.54 13 | ---------- 14 | - fixed Javascript errors 15 | - fixed bug with false negatives in non-OOP code after OOP code (thanks to Gareth Heyes) 16 | - improved handling of parse_str() function 17 | - added new taintable $_SERVER parameters to sources (thanks to Mike Brooks) 18 | - added new sinks 19 | 20 | RIPS 0.53 21 | ---------- 22 | - fixed bug with includes (thanks to Ryan Dewhurst) 23 | 24 | RIPS 0.52 25 | ---------- 26 | Code analysis: 27 | - fixed bug where RIPS hangs on includes building a loop 1->2->3->1->2->3->1... 
(thanks to Michael Hoffmann) 28 | - fixed bug where RIPS string analyzer hangs on certain array keys coming from foreach statements (thanks to Ricky-Lee Birtles) 29 | - fixed bug where RIPS hangs on certain switch statements (thanks to Jay Bonci) 30 | - fixed bug with wrong brace wrapping for "case x;" instead of "case x:" statements 31 | - fixed bug with wrong brace wrapping when if-clause contains only 1 token or in a try/catch block 32 | - fixed bug with parameter count in interprocedural analysis 33 | - fixed bug with register_globals implementation and constants 34 | - fixed bug with tokenizing a do-while in a do-while 35 | - fixed bug with wrong boundary detection when a function is declared in another function 36 | - fixed bug with wrong file pointer of included files, improved include rate 37 | - added auto_prepend/append_file support, improved include_path support (thanks to Jay Bonci) 38 | - added support for func_get_args() and func_get_arg() 39 | - added support for alternative syntax for control structures (while(): ... endwhile;) 40 | - added new sensitive sinks 41 | - added experimental option SCAN_REGISTER_GLOBALS (/config/general.php) 42 | - added parsing errors to verbosity level = debug, improved code stability 43 | 44 | Interface: 45 | - added stylesheet "print" (thanks to Kurt Payne) 46 | - added scrollbars to function code on mouseover 47 | - disabled graphs for large projects (>50 files) due to performance 48 | - improved output when a vulnerability is found multiple times (e.g. 
by multiple inclusion of a vulnerable file) 49 | - fixed bug with style of multiline comments in code viewer 50 | - optimized code viewer with file preview window 51 | 52 | RIPS 0.51 53 | ---------- 54 | - fixed bug with apache_setenv() for non-Apache webservers 55 | - fixed bug in leakscan preloader 56 | 57 | RIPS 0.50 58 | ---------- 59 | Code analysis: 60 | - added about 30 new sensitive sinks and some new userinput functions 61 | - RIPS now traces codeblocks, not lines anymore 62 | -> code in one line without whitespaces ("obfuscated") is now possible to analyse 63 | -> this also fixes several known bugs 64 | - RIPS now handles arrays and its keys a lot more accurate 65 | -> arrays are handled as variables with saved keys 66 | -> dynamic key values are resolved 67 | -> this also fixes several known bugs 68 | - RIPS is now recoded object oriented 69 | -> structure is better 70 | -> code easier to understand 71 | - fixes bug when an old define is overwritten by a new one 72 | - ignores "@" for correct detection of connected tokens 73 | - added leakscan: trace if return value of tainted sensitive sink is echo'd (non-blind/blind exploitation) 74 | - fixed lots of securing detection bugs 75 | - automatically scans for register_globals implementation (extract, parse_str, $$key = $value, import_request_variables, etc.) 
76 | - lots of new testcases added and fixed 77 | - improved reconstruction of file names to be included 78 | - set_time_limit is set to 0 now 79 | 80 | Interface: 81 | - included SaveGraph patch 82 | - added preloader information about current scanning status (thanks for the input, Michael Hoffmann) 83 | - added links to the stats window to other windows 84 | - fixed bug with color highlighting in regex search results 85 | - improved jumping between functions in scan result 86 | - moved http response splitting to clientside vulnerability list 87 | 88 | RIPS 0.40 SaveGraph Patch: 89 | ---------- 90 | - added option to save HTML5 canvas graph as image (feature request by ksaok) 91 | 92 | RIPS 0.40: 93 | ---------- 94 | Code analysis: 95 | - fixed bug with vartrace and different dependencies (if(condition) $var=1; else $var=2;) 96 | - fixed bug with string reconstruction of included files (include("/foo/$var/bar");) 97 | - improved file inclusion rate (name reconstruction, consider include_path, try to guess file) 98 | - fixed bug with usage of defined CONSTANTs (thanks to Dawid) 99 | - fixed bug with successful inclusion and FI vulnerability within one inclusion 100 | - fixed bug with FI vulnerability and function call (require urldecode($_GET['a'])) 101 | - fixed bug with overwritten parameter vars in user-defined function 102 | - fixed bug with two sensitive sinks in one userdefined functions affected by different parameters 103 | - improved ternary operator handling 104 | - added quote analysis for more precise securing detection (mysql_query("SELECT ".addslashes($id)); =vuln) 105 | (still some bugs with quote analysis, TBD) 106 | - added vulnerability type 'Unserialize' to scan for POP gadgets 107 | 108 | Interface: 109 | - fixed bug with exploit creator and error_reporting=on (thanks Gregory and others) 110 | - moved info gathering to seperate verbosity level, removed info about program exits 111 | - added maximize button to code viewer 112 | - added graph for 
file inclusion visualization 113 | - added graph for function call and vulnerability flow visualization 114 | - added pie chart for result 115 | - grouped vulnerable lines for each vulnerability 116 | - added new color schema 'ayti' and improved other color schemas 117 | - fixed bug with vulnerable functions in the result that have not been called with userinput 118 | - fixed bug with multiline comments in the code viewer 119 | - added link to stats to show only vulns of specific type (click on vulnerability type) 120 | - added color highlighting for regex search results 121 | - changed stylesheet is now tracked permanently by cookie 122 | 123 | RIPS 0.35: 124 | ---------- 125 | - added ini_set("auto_detect_line_endings", true) to support MAC OSX newlines 126 | - added preg_match(_all) support with $matches array 127 | - prevented getmultiline() function to recursively loop for more than 10 rows (tracker ID: 3075359, thanks to lexak) 128 | - added vulnerability type 'LDAP Injection' 129 | - fixed bug with wrong detection of user defined securing functions using for-loops 130 | - fixed critical bug with wrong detection of securing during inter-procedural analysis 131 | - fixed bug with not detected function calls in included files and case-sensitive function names 132 | - fixed bug with userinput returned by user-defined functions 133 | 134 | RIPS 0.34: 135 | ---------- 136 | - fixed false positive when userinput is overwritten: $_GET['c']=1; exec($_GET['c']); 137 | - fixed critical bug with missing scan results 138 | - added more database securing and tainting functions (thanks to Yasuo Ohgaki) 139 | 140 | RIPS 0.33: 141 | ---------- 142 | Code analysis: 143 | - added vulnerability type 'XPath Injection' 144 | - implemented $F_INSECURING_STRING (list of functions like urldecode() that can re-taint already sanitized data) 145 | - fixed bug with $GLOBALS[] (ignore previous local vars, accept only global vars) 146 | - improved tainted $_SESSION (=global var) handling
147 | - fixed bug with tainting functions not displayed in the result tree 148 | - fixed bug with differently used quotes in array['"parameter'"] during traceback 149 | - added compact() support 150 | - ignore upper/lowercase in function names because PHP does not (sYsTem()) 151 | - scan for dynamic function calls $variable() (possible code exec) 152 | 153 | Interface: 154 | - added missing taint-highlighting in the first line of PVF tree 155 | - added file list: listing all scanned files and includes 156 | - added list of function calls to each list item of user-defined functions 157 | - added help button for simple visualization, description, example, PoC, patch and securing function list in a new window 158 | - RIPS warns you when scan may last very long (counts files to scan) 159 | - added AJAX interface with scan animation 160 | - added scan result statistics and graphs 161 | - highlight variables onMouseOver in code viewer and scan result. persistent highlight onClick. 162 | - code viewer now supports active jumping between function calls and declarations 163 | (click on function call to jump to declaration, click "return" to jump back to the call) 164 | - added regex search function 165 | - windows are now resizeable 166 | - added curl headers for all tainting $_SERVER parameters in the exploit creator 167 | 168 | RIPS 0.32: 169 | ---------- 170 | Code analysis: 171 | - rebuild PVF config (FILE, CODE and SYSTEM PVF into FILE_READ, FILE_AFFECT, FILE_INCLUDE and EXEC PVF) 172 | - added $_SERVER parameters that are tainting to the config (example: $_SERVER['PHP_SELF'];) 173 | - fixed bug with securing detection of global string securing functions (example: md5($a.$b);) 174 | - fixed bug where the first token of an included file was ignored 175 | 176 | Interface: 177 | - added a little howto to the welcome page 178 | - added more detailed vulnerability types to scan for 179 | - added vulnerability name to each find (name still present during minimization of 
output block) 180 | - added .phps-tainted-var for highlighting tainting vars in the trace output 181 | - added explanation to inter-procedural analysis results 182 | - added RIPS logo (created by Gareth Heyes, thank you) 183 | - added an option to change the output tree from bottom-up to top-down (requested by Joel, thank you) 184 | - fixed bug with missing link by inter-procedural analysis when function name appeared in the "requires" list 185 | 186 | RIPS 0.31: 187 | ---------- 188 | Code analysis: 189 | - improved RIPS code + performance 190 | (http://code.google.com/speed/articles/optimizing-php.html) 191 | (http://www.wmtips.com/php/tips-optimizing-php-code.htm) 192 | - improved securing detection by detecting automatic type casts 193 | - added connection poisoning PVFs 194 | - added support for $arrays{'a'} with curly braces 195 | - added missing support for tainted OO function with XSS 196 | - added a missing class-to-variable association when using a constructor call instead of the keyword 'new' 197 | - fixed bug where successful file inclusions were scanned again for a file inclusion vulnerability 198 | - fixed bugs with detecting commands written over several code lines (reported by Stefan Esser & Pragmatk) 199 | (patch does not solve all multi-line bugs) 200 | - corrected analysis of variables marked as 'global' 201 | 202 | Interface: 203 | - better arranged user input list 204 | - added option to highlight variables in the CodeViewer by click 205 | - added vulnerability type "All" to scan client- and server-side vulns simultaneously 206 | - added missing exploit button for direct-tainted XSS vulnerabilities 207 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # RIPS 2 | A static source code analyser for vulnerabilities in PHP scripts 3 | 4 | ## Requirements 5 | * web server: Apache or Nginx recommended 6 | * PHP: latest version
recommended 7 | * browser: Firefox recommended 8 | 9 | ## Installation 10 | 1. Download the latest release 11 | 2. Extract the files to your local web server's document root 12 | 3. Make sure your web server has the required file permissions 13 | 4. Make sure your installation is protected from unauthorized access (it reads and displays the source files it is pointed at, so it must not be reachable by untrusted users) 14 | 5. Open your browser at http://localhost/rips-xx/ 15 | 16 | ## Usage 17 | Follow the instructions on the main page. 18 | 19 | ## Command Line Interface - CLI 20 | 21 | #### Usage 22 | 23 | See original php-rips scan html form (index.php) for more options. 24 | 25 | ``` 26 | php index.php [option=value] 27 | ``` 28 | 29 | | Options | Value | 30 | | --- | --- | 31 | | loc | target scan file/folder | 32 | | subdir | recurse subdirs \[0\|1] | 33 | | ignore_warning | \[0\|1] | 34 | | vector | scan vectors \[all\|...] | 35 | | verbosity | log verbosity \[0-9] | 36 | | treestyle | html output style \[0\|1] | 37 | | stylesheet | html output stylesheet \[ayti\|...] | 38 | 39 | Example: recursively scan ./code for all vuln. classes 40 | ``` 41 | php index.php loc=./code subdirs=1 vector=all verbosity=2 42 | ``` 43 | 44 | Note: in cli-mode argv will be parsed into `$_POST` therefore allowing you to set any POST variables. 45 | 46 | #### Jenkins-CI Integration Notes 47 | 48 | 1. install the [html publisher plugin](https://wiki.jenkins-ci.org/display/JENKINS/HTML+Publisher+Plugin) 49 | 2. configure (multiple) scm to clone both this repository and the source you want to scan to distinct folders 50 | 3.
add build step: execute shell 51 | 52 | ```bash 53 | # config - remove this if you configure it via jenkins parameterized builds 54 | PATH_RIPS=rips-scanner 55 | PATH_REPORT=report 56 | FILE_REPORT=report.html 57 | PATH_TARGET=code 58 | RIPS_RECURSE_SUBDIR=1 59 | RIPS_VECTOR=all 60 | RIPS_VERBOSITY=2 61 | # copy dependencies 62 | mkdir -p report 63 | cp -r rips-scanner/css report 64 | cp -r rips-scanner/js report 65 | # run analysis 66 | echo "=========================================================" 67 | echo "[**] running scan ... $PATH_TARGET" 68 | echo "=========================================================" 69 | php $PATH_RIPS/index.php ignore_warning=1 loc=$PATH_TARGET subdirs=$RIPS_RECURSE_SUBDIR vector=$RIPS_VECTOR verbosity=$RIPS_VERBOSITY treestyle=1 stylesheet=ayti > $PATH_REPORT/$FILE_REPORT 70 | echo "=========================================================" 71 | echo "[**] scan done ... check out $PATH_REPORT/$FILE_REPORT" 72 | echo "=========================================================" 73 | ``` 74 | 75 | 4. add build step: execute python 76 | 77 | ```python 78 | import os, sys 79 | import rips_stats as rips 80 | if __name__=="__main__": 81 | report = os.path.join(os.environ.get("PATH_REPORT","report"),os.environ.get("FILE_REPORT","report.html")) 82 | sys.exit(rips.main([report])) 83 | ``` 84 | 85 | 5. add post-build step: publish html, select folder 'report' name 'vulnerability-report'. A new clickable action icon 'vulnerability-report' will appear that points at the archived scan result. 86 | 87 | ## Development 88 | The `community` branch of RIPS is forked from version 0.55 and is not officially supported by RIPS Technologies. 89 | 90 | A completely rebuilt solution is available from RIPS Technologies that overcomes fundamental limitations in the open source version and performs state-of-the-art security analysis. 
91 | 92 | | Compared Feature | RIPS 0.5 | Next Generation | 93 | | --- | --- | --- | 94 | | Supported PHP Language | PHP 3-4, no OOP | all, PHP 3-7 | 95 | | Static Code Analysis | Only Token-based | Full | 96 | | Analysis Precision | Low | Very High | 97 | | PHP Version Specific Analysis | No | Yes | 98 | | Scales to Large Codesizes | No | Yes | 99 | | API / CLI Support | No | Yes | 100 | | Continuous Integration | No | Yes | 101 | | Compliance / Standards | No | Yes | 102 | | Store Analysis Results | No | Yes | 103 | | Export Analysis Results | No | Yes | 104 | | Issue Review System | No | Yes | 105 | | Realtime Results | No | Yes | 106 | | Vulnerability Trends | No | Yes | 107 | | Detects Latest Risks | No | Yes | 108 | | Detects Complex Vulnerabilities | Limited | Yes | 109 | | Supported Issue Types | 15 | >140 | 110 | | Speed | Fast | Fast | 111 | 112 | Learn more about the next generation of RIPS at https://www.ripstech.com/product/datasheets/. 113 | -------------------------------------------------------------------------------- /config/general.php: -------------------------------------------------------------------------------- 1 | . 
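**/
// MODE_CLI marks a run under the command-line SAPI; the rest of this file
// (and, per the README, the argv -> $_POST mapping) keys off this constant.
if (php_sapi_name() === 'cli')
    define("MODE_CLI", 1);

#error_reporting(E_ALL);
error_reporting(E_ERROR | E_PARSE);

// various settings making flush() work correctly
if (function_exists('apache_setenv'))
    apache_setenv('no-gzip', 1);
// Output compression is disabled in every mode (the former extra call
// guarded by !MODE_CLI was dead, the unconditional one already covered it).
ini_set('zlib.output_compression', 0);
ini_set('implicit_flush', 0);
ini_set('output_buffering', 0);

// NOTE(review): short_open_tag is PHP_INI_PERDIR since PHP 5.3, so this
// runtime ini_set() is presumably ignored there -- confirm and move to php.ini.
ini_set('short_open_tag', 1); // who knows if I use them ;)
ini_set('auto_detect_line_endings', 1); // detect newlines in MAC files
ini_set("memory_limit", "1000M"); // set memory size to 1G
set_time_limit(0); // 0 = no execution time limit; scans of large projects can run long

if (extension_loaded('tokenizer') === false)
{
    echo 'Please enable the PHP tokenizer extension to run RIPS.';
    exit;
}

define('VERSION', '0.55'); // RIPS version to be displayed
define('MAXTRACE', 30); // maximum of parameter traces per sensitive sink
if (!defined("MODE_CLI"))
    define('WARNFILES', 50); // warn user if amount of files to scan is higher than this value, also limits the graphs so they dont get too confusing and prevents browser hanging
else
    define('WARNFILES', 500000); // only warn if more than 500k files
define('BASEDIR', ''); // default directory shown
define('PHPDOC', 'http://php.net/'); // PHP documentation link
define('MAX_ARRAY_ELEMENTS', 50); // maximum array(1,2,3,4,...) elements to be indexed
define('MAX_ARRAY_KEYS', 10); // maximum array key $array[1][2][3][4]..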
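define('PRELOAD_SHOW_LINE', 500); // every X line a preloader information is added

define('SCAN_REGISTER_GLOBALS', false); // EXPERIMENTAL: scan as if register_globals=on

// file extensions that are scanned
$FILETYPES = array(
    '.php',
    '.inc',
    '.phps',
    '.php4',
    '.php5',
    //'.html',
    //'.htm',
    //'.txt',
    '.phtml',
    '.tpl',
    '.cgi',
    '.test',
    '.module',
    '.plugin'
);

// available stylesheets (filename without .css ending)
// more colors at http://wiki.macromates.com/Themes/UserSubmittedThemes
$stylesheets = array(
    'print',
    'phps',
    'code-dark',
    'twilight',
    'espresso',
    'term',
    'barf',
    'notepad++',
    'ayti'
);

// track chosen stylesheet permanently: a POST value (in CLI mode argv is
// mapped onto $_POST) overrides the cookie, and the cookie overrides the
// built-in default. Both sources are user-controlled and the value is the
// stylesheet file name (see the list above), so only a name from
// $stylesheets is accepted; anything else falls back to 'ayti' rather than
// being persisted in the cookie. Reading $_COOKIE only via isset() also
// avoids the undefined-index notice the previous comparison produced.
if (isset($_POST['stylesheet']))
    $requested_stylesheet = $_POST['stylesheet'];
elseif (isset($_COOKIE['stylesheet']))
    $requested_stylesheet = $_COOKIE['stylesheet'];
else
    $requested_stylesheet = 'ayti';
// strict in_array: a non-string value (e.g. stylesheet[]=x) never matches
$default_stylesheet = in_array($requested_stylesheet, $stylesheets, true) ? $requested_stylesheet : 'ayti';
// keep $_COOKIE consistent for any code that reads it directly
$_COOKIE['stylesheet'] = $default_stylesheet;
setcookie("stylesheet", $default_stylesheet);

$default_vector = 'all';
-------------------------------------------------------------------------------- /config/help.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | $HELP_XSS = array( 19 | 'description' => 'An attacker might execute arbitrary HTML/JavaScript Code in the clients browser context with this security vulnerability. User tainted data is embedded into the HTML output by the application and rendered by the users browser, thus allowing an attacker to embed and render malicious code. Preparing a malicious link will lead to an execution of this malicious code in another users browser context when clicking the link.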
This can lead to local website defacement, phishing or cookie stealing and session hijacking.', 20 | 'link' => 'https://www.owasp.org/index.php/XSS', 21 | 'code' => '', 22 | 'poc' => '/index.php?name=', 23 | 'patchtext' => 'Encode all user tainted data with PHP buildin functions before embedding the data into the output. Make sure to set the parameter ENT_QUOTES to avoid an eventhandler injections to existing HTML attributes and specify the correct charset.', 24 | 'patch' => '' 25 | ); 26 | 27 | $HELP_HTTP_HEADER = array( 28 | 'description' => 'An attacker can inject arbitrary headers to the HTTP response header. This can be abused for a redirect when injecting a "Location:" header or help within a session fixation attack when the "Set-Cookie:" header is added. Additionally, the HTTP response can be overwritten and JavaScript can be injected leading to Cross-Site Scripting attacks. In PHP version below 4.4.2 or 5.1.2 the characters \n\r (LF CR) can be used for header line termination (cross-browser). In PHP below 5.4 the character \r (CR) can still be used for header line termination (Chrome, IE).', 29 | 'link' => 'https://www.owasp.org/index.php/HTTP_Response_Splitting', 30 | 'code' => '', 31 | 'poc' => '/index.php?url=a%0a%0dContent-Type:%20text/html%0a%0d%0a%0d', 32 | 'patchtext' => 'Update PHP to prevent header injection or implement a whitelist.', 33 | 'patch' => '' 34 | ); 35 | 36 | $HELP_SESSION_FIXATION = array( 37 | 'description' => 'An attacker can force a user to use a specific session id. Once the user logs in, the attacker can use the previously fixated session id to access the account.', 38 | 'link' => 'https://www.owasp.org/index.php/Session_fixation', 39 | 'code' => '', 40 | 'poc' => '/index.php?sessid=1f3870be274f6c49b3e31a0c6728957f', 41 | 'patchtext' => 'Do not use a session token supplied by the user.', 42 | 'patch' => 'No code.' 
43 | ); 44 | 45 | $HELP_CODE = array( 46 | 'description' => 'An attacker might execute arbitrary PHP code with this vulnerability. User tainted data is embedded into a function that compiles PHP code on the run and executes it thus allowing an attacker to inject own PHP code that will be executed. This vulnerability can lead to full server compromise.', 47 | 'link' => 'https://www.owasp.org/index.php/Code_Injection', 48 | 'code' => '', 49 | 'poc' => '/index.php?color=\';phpinfo();//', 50 | 'patchtext' => 'Build a whitelist for positive code with regular expressions (e.g. alphanumeric only) or arrays. Do not try to blacklist for evil PHP code.', 51 | 'patch' => '' 52 | ); 53 | 54 | $HELP_REFLECTION = array( 55 | 'description' => 'An attacker might execute arbitrary functions with this vulnerability. User tainted data is used as a function name. This can lead to unexpected behaviour of the application.', 56 | 'link' => 'https://www.owasp.org/index.php/Reflection_injection', 57 | 'code' => '', 58 | 'poc' => '/index.php?func=phpinfo', 59 | 'patchtext' => 'Build a whitelist for allowed functions.', 60 | 'patch' => '' 61 | ); 62 | 63 | $HELP_FILE_INCLUDE = array( 64 | 'description' => 'An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.', 65 | 'link' => 'http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/', 66 | 'code' => '', 67 | 'poc' => '/index.php?file=../../../../../../../etc/passwd', 68 | 'patchtext' => 'Build a whitelist for positive file names. Do not only limit the file name to specific paths or extensions.', 69 | 'patch' => '' 70 | ); 71 | 72 | $HELP_FILE_READ = array( 73 | 'description' => 'An attacker might read local files with this vulnerability. 
User tainted data is used when creating the file name that will be opened and read, thus allowing an attacker to read source code and other arbitrary files on the webserver that might lead to new attack vectors. In example the attacker can detect new vulnerabilities in source code files or read user credentials.', 74 | 'link' => '', 75 | 'code' => '', 76 | 'poc' => '/index.php?file=../../../../../../../etc/passwd', 77 | 'patchtext' => 'Build a whitelist for positive file names. Do not only limit the file name to specific paths or extensions.', 78 | 'patch' => '' 79 | ); 80 | 81 | $HELP_FILE_AFFECT = array( 82 | 'description' => 'An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability. User tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file. An attacker can try to write arbitrary PHP code in a PHP file allowing to fully compromise the server.', 83 | 'link' => '', 84 | 'code' => '', 85 | 'poc' => '/index.php?file=shell.php&data=', 86 | 'patchtext' => 'Build a whitelist for positive file names. Do not only limit the file name to specific paths or extensions. If you write into PHP files make sure an attacker can not write own PHP code. Use a whitelist with arrays or regular expressions (e.g. alphanumeric only).', 87 | 'patch' => '' 88 | ); 89 | 90 | $HELP_EXEC = array( 91 | 'description' => 'An attacker might execute arbitrary system commands with this vulnerability. User tainted data is used when creating the command that will be executed on the underlying operating system. This vulnerability can lead to full server compromise.', 92 | 'link' => '', 93 | 'code' => '', 94 | 'poc' => '/index.php?mode=1;sleep 10;', 95 | 'patchtext' => 'Limit the code to a very strict character subset or build a whitelist of allowed commands. Do not try to filter for evil commands. 
Try to avoid the usage of system command executing functions if possible.', 96 | 'patch' => '' 97 | ); 98 | 99 | $HELP_DATABASE = array( 100 | 'description' => 'An attacker might execute arbitrary SQL commands on the database server with this vulnerability. User tainted data is used when creating the database query that will be executed on the database management system (DBMS). An attacker can inject own SQL syntax thus initiate reading, inserting or deleting database entries or attacking the underlying operating system depending on the query, DBMS and configuration.', 101 | 'link' => 'https://www.owasp.org/index.php/SQL_Injection', 102 | 'code' => '', 103 | 'poc' => '/index.php?id=1 OR 1=1-- -', 104 | 'patchtext' => 'Always embed expected strings into quotes and escape the string with a PHP buildin function before embedding it to the query. Always embed expected integers without quotes and typecast the data to integer before embedding it to the query. Escaping data but embedding it without quotes is not safe.', 105 | 'patch' => '' 106 | ); 107 | 108 | $HELP_XPATH = array( 109 | 'description' => 'An attacker might execute arbitrary XPath expressions with this vulnerability. User tainted data is used when creating the XPath expression that will be executed on a XML resource. An attacker can inject own XPath syntax to read arbitrary XML entries.', 110 | 'link' => 'http://packetstormsecurity.org/files/view/33380/Blind_XPath_Injection_20040518.pdf', 111 | 'code' => 'xpath_eval("//user[name/text()=\'" . $_GET["name"] . "\']/account/text()"); ?>', 112 | 'poc' => '/index.php?name=\' or \'\'=\'', 113 | 'patchtext' => 'Always embed expected strings into quotes and escape the string with a PHP buildin function before embedding it to the expression. Always embed expected integers without quotes and typecast the data to integer before embedding it to the expression. 
Escaping data but embedding it without quotes is not safe.', 114 | 'patch' => 'xpath_eval("//user[name/text()=\'" . addslashes($_GET["name"]) . "\']/account/text()"); ?>' 115 | ); 116 | 117 | $HELP_LDAP = array( 118 | 'description' => 'An attacker might execute arbitrary LDAP expressions with this vulnerability. User tainted data is used when creating a LDAP filter that will be executed on a LDAP server. An attacker can inject own LDAP syntax to read arbitrary LDAP entries.', 119 | 'link' => 'http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf', 120 | 'code' => '', 121 | 'poc' => '/index.php?person=*', 122 | 'patchtext' => 'Expected strings are not embedded into quotes in LDAP. Limit the input character set to alphanumeric (if possible) to prevent an injection of filter syntax.', 123 | 'patch' => '' 124 | ); 125 | 126 | $HELP_CONNECT = array( 127 | 'description' => 'An attacker might change connection handling parameters or data that is being transfered with this vulnerability. User tainted data is used when selecting parameters or creating data that will be transfered thus allowing an attacker to change them. Depending on the type of connection this might lead to further attacks.', 128 | 'link' => '', 129 | 'code' => 'Can not be generalized.', 130 | 'poc' => 'Can not be generalized.', 131 | 'patchtext' => 'Can not be generalized.', 132 | 'patch' => 'Can not be generalized.' 133 | ); 134 | 135 | $HELP_POP = array( 136 | 'description' => 'When userinput is parsed by the unserialize() function an attacker may abuse this by supplying serialized objects that will be used in the current application scope. These objects can only be instances of classes of this application. 
Several gadgets such as __wakeup() or __destruct() functions of those classes will be automatically called when the object is resurrected during the unserialization and object variables specified by the attacker may lead to vulnerabilities in those gadgets.', 137 | 'link' => 'https://media.blackhat.com/bh-us-10/presentations/Esser/BlackHat-USA-2010-Esser-Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits-slides.pdf', 138 | 'code' => 'file, $this->data); 145 | } 146 | } 147 | $a = unserialize($_GET["s"]); 148 | ?>', 149 | 'poc' => '/index.php?s=O:3:"foo":2:{s:4:"file";s:9:"shell.php";s:4:"data";s:29:"";}', 150 | 'patchtext' => 'Prevent using unserialize because it contains much more flaws.', 151 | 'patch' => 'No code.' 152 | ); 153 | -------------------------------------------------------------------------------- /config/info.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | /* Informational findings, independent of the taint analysis: each key is a function or class name and each value the note reported when that name appears in the scanned code. */ 18 | final class Info 19 | { 20 | // interesting functions and classes: output and comment them if seen 21 | public static $F_INTEREST = array( 22 | 'phpinfo' => 'phpinfo() detected', 23 | 'registerPHPFunctions' => 'registerPHPFunctions() allows code exec in XML', 24 | 'session_start' => 'uses sessions', 25 | #'session_destroy' => 'session_destroy(), delete arbitrary file in PHP 5.1.2', 26 | 'dbase_open' => 'using DBMS dBase', 27 | 'dbplus_open' => 'using DBMS DB++', 28 | 'dbplus_ropen' => 'using DBMS DB++', 29 | 'fbsql_connect' => 'using DBMS FrontBase' , 30 | 'ifx_connect' => 'using DBMS Informix', 31 | 'db2_connect' => 'using DBMS IBM DB2', 32 | 'db2_pconnect' => 'using DBMS IBM DB2', 33 | 'ftp_connect' => 'using FTP server', 34 | 'ftp_ssl_connect' => 'using FTP server', 35 | 'ingres_connect' => 'using DBMS Ingres', 36 | 'ingres_pconnect' => 'using DBMS Ingres', 37 | 'ldap_connect' => 'using LDAP server', 38 | 'msession_connect' => 'using msession server', 39 | 'msql_connect' => 'using DBMS mSQL', 40 | 
'msql_pconnect' => 'using DBMS mSQL', 41 | 'mssql_connect' => 'using DBMS MS SQL', 42 | 'mssql_pconnect' => 'using DBMS MS SQL', 43 | 'mysql_connect' => 'using DBMS MySQL', 44 | /* NOTE(review): mysql_escape_string() is still listed as an SQLi securing function in config/securing.php although this (disabled) entry marks it insecure; unlike mysql_real_escape_string() it does not know the connection charset. */ #'mysql_escape_string' => 'insecure mysql_escape_string', 45 | 'mysql_pconnect' => 'using DBMS MySQL', 46 | 'mysqli' => 'using DBMS MySQL, MySQLi Extension', 47 | 'mysqli_connect' => 'using DBMS MySQL, MySQLi Extension', 48 | 'mysqli_real_connect' => 'using DBMS MySQL, MySQLi Extension', 49 | 'oci_connect' => 'using DBMS Oracle OCI8', 50 | 'oci_new_connect' => 'using DBMS Oracle OCI8', 51 | 'oci_pconnect' => 'using DBMS Oracle OCI8', 52 | 'ocilogon' => 'using DBMS Oracle OCI8', 53 | 'ocinlogon' => 'using DBMS Oracle OCI8', 54 | 'ociplogon' => 'using DBMS Oracle OCI8', 55 | 'ora_connect' => 'using DBMS Oracle', 56 | 'ora_pconnect' => 'using DBMS Oracle', 57 | 'ovrimos_connect' => 'using DBMS Ovrimos SQL', 58 | 'pg_connect' => 'using DBMS PostgreSQL', 59 | 'pg_pconnect' => 'using DBMS PostgreSQL', 60 | 'sqlite_open' => 'using DBMS SQLite', 61 | 'sqlite_popen' => 'using DBMS SQLite', 62 | 'SQLite3' => 'using DBMS SQLite3', 63 | 'sybase_connect' => 'using DBMS Sybase', 64 | 'sybase_pconnect' => 'using DBMS Sybase', 65 | 'TokyoTyrant' => 'using DBMS TokyoTyrant', 66 | 'xptr_new_context' => 'using XML document', 67 | 'xpath_new_context' => 'using XML document' 68 | ); 69 | 70 | // interesting functions for POP (property-oriented programming) / unserialize(): magic methods that PHP invokes implicitly, so a class defining one is a gadget candidate when attacker-controlled data reaches unserialize() (see $HELP_POP in config/help.php) 71 | public static $F_INTEREST_POP = array( 72 | '__autoload' => 'function __autoload', 73 | '__destruct' => 'POP gagdet __destruct', 74 | '__wakeup' => 'POP gagdet __wakeup', 75 | '__toString' => 'POP gagdet __toString', 76 | '__call' => 'POP gagdet __call', 77 | '__callStatic' => 'POP gagdet __callStatic', 78 | '__get' => 'POP gagdet __get', 79 | '__set' => 'POP gagdet __set', 80 | '__isset' => 'POP gagdet __isset', 81 | '__unset' => 'POP gagdet __unset' 82 | ); 83 | 84 | } 85 | -------------------------------------------------------------------------------- 
/config/securing.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | // securing functions used as if-clause conditions (validation checks whose boolean result guards the sink) 19 | // list not used: every if-clause dependency is detected anyway, whatever function is called 20 | $F_SECURING_BOOL = array( 21 | 'is_bool', 22 | 'is_double', 23 | 'is_float', 24 | 'is_real', 25 | 'is_long', 26 | 'is_int', 27 | 'is_integer', 28 | 'is_null', 29 | 'is_numeric', 30 | 'is_finite', 31 | 'is_infinite', 32 | 'ctype_alnum', 33 | 'ctype_alpha', 34 | 'ctype_cntrl', 35 | 'ctype_digit', 36 | 'ctype_xdigit', 37 | 'ctype_upper', 38 | 'ctype_lower', 39 | 'ctype_space', 40 | 'in_array', 41 | 'preg_match', 42 | 'preg_match_all', 43 | 'fnmatch', 44 | 'ereg', 45 | 'eregi' 46 | ); 47 | /* NOTE(review): some entries below are optimistic because they can return input unchanged: max()/min() return one of their arguments, gethostbyname() returns the given hostname when resolution fails, date_format()/strftime()/money_format() copy the non-format characters of a tainted format string into the output, and filter_input() with the default filter returns the raw value. Confirm how the analyzer applies this list before tightening it. */ 48 | // securing functions for every vulnerability type: their result is assumed not to carry attacker-controlled text (numbers, hashes, encoded or fixed-alphabet output) 49 | $F_SECURING_STRING = array( 50 | 'intval', 51 | 'floatval', 52 | 'doubleval', 53 | 'filter_input', 54 | 'urlencode', 55 | 'rawurlencode', 56 | 'round', 57 | 'floor', 58 | 'strlen', 59 | 'strrpos', 60 | 'strpos', 61 | 'strftime', 62 | 'strtotime', 63 | 'md5', 64 | 'md5_file', 65 | 'sha1', 66 | 'sha1_file', 67 | 'crypt', 68 | 'crc32', 69 | 'hash', 70 | 'mhash', 71 | 'hash_hmac', 72 | 'password_hash', 73 | 'mcrypt_encrypt', 74 | 'mcrypt_generic', 75 | 'base64_encode', 76 | 'ord', 77 | 'sizeof', 78 | 'count', 79 | 'bin2hex', 80 | 'levenshtein', 81 | 'abs', 82 | 'bindec', 83 | 'decbin', 84 | 'dechex', 85 | 'decoct', 86 | 'hexdec', 87 | 'rand', 88 | 'max', 89 | 'min', 90 | 'metaphone', 91 | 'tempnam', 92 | 'soundex', 93 | 'money_format', 94 | 'number_format', 95 | 'date_format', 96 | 'filetype', 97 | 'nl_langinfo', 98 | 'bzcompress', 99 | 'convert_uuencode', 100 | 'gzdeflate', 101 | 'gzencode', 102 | 'gzcompress', 103 | 'http_build_query', 104 | 'lzf_compress', 105 | 'zlib_encode', 106 | 'imap_binary', 107 | 'iconv_mime_encode', 108 | 'bson_encode', 109 | 'sqlite_udf_encode_binary', 110 | 'session_name', 111 | 'readlink', 112 | 'getservbyport', 113 | 'getprotobynumber', 114 | 'gethostname', 115 | 
'gethostbynamel', 116 | 'gethostbyname', 117 | ); 118 | 119 | // functions that make a string insecure again: decoding reverses an earlier encoding, so their output is tainted even if the input was secured 120 | $F_INSECURING_STRING = array( 121 | 'base64_decode', 122 | 'htmlspecialchars_decode', 123 | 'html_entity_decode', 124 | 'bzdecompress', 125 | 'chr', 126 | 'convert_uudecode', 127 | 'gzdecode', 128 | 'gzinflate', 129 | 'gzuncompress', 130 | 'lzf_decompress', 131 | 'rawurldecode', 132 | 'urldecode', 133 | 'zlib_decode', 134 | 'imap_base64', 135 | 'imap_utf7_decode', 136 | 'imap_mime_header_decode', 137 | 'iconv_mime_decode', 138 | 'iconv_mime_decode_headers', 139 | 'hex2bin', 140 | 'quoted_printable_decode', 141 | 'imap_qprint', 142 | 'mb_decode_mimeheader', 143 | 'bson_decode', 144 | 'sqlite_udf_decode_binary', 145 | 'utf8_decode', 146 | 'recode_string', 147 | 'recode' 148 | ); 149 | 150 | // securing functions for XSS: HTML text and double-quoted attribute context only (htmlspecialchars() keeps single quotes unless ENT_QUOTES is given; nothing here secures script, event-handler or URL contexts) 151 | $F_SECURING_XSS = array( 152 | 'htmlentities', 153 | 'htmlspecialchars', 154 | 'highlight_string', 155 | ); 156 | 157 | // securing functions for SQLi: escaping only, effective when the result is embedded in a quoted SQL string literal, which is what $F_QUOTE_ANALYSIS (below) checks; addslashes() and mysql_escape_string() are not connection-charset aware, so the *_real_escape_string variants or prepared statements are preferable 158 | $F_SECURING_SQL = array( 159 | 'addslashes', 160 | 'dbx_escape_string', 161 | 'db2_escape_string', 162 | 'ingres_escape_string', 163 | 'maxdb_escape_string', 164 | 'maxdb_real_escape_string', 165 | 'mysql_escape_string', 166 | 'mysql_real_escape_string', 167 | 'mysqli_escape_string', 168 | 'mysqli_real_escape_string', 169 | 'pg_escape_string', 170 | 'pg_escape_bytea', 171 | 'sqlite_escape_string', 172 | 'sqlite_udf_encode_binary', 173 | 'cubrid_real_escape_string', 174 | ); 175 | 176 | // securing functions for RCE via the e-modifier of preg_replace() (deprecated in PHP 5.5, removed in 7.0): preg_quote() escapes regex metacharacters 177 | $F_SECURING_PREG = array( 178 | 'preg_quote' 179 | ); 180 | 181 | // securing functions for file handling: basename() strips all directory components; NOTE(review): dirname() and pathinfo() return path components that may still contain traversal sequences or an absolute prefix, so they reduce rather than remove the risk 182 | $F_SECURING_FILE = array( 183 | 'basename', 184 | 'dirname', 185 | 'pathinfo' 186 | ); 187 | 188 | // securing functions for OS command execution: escapeshellarg() quotes a single argument, while escapeshellcmd() only escapes the shell metacharacters of a whole command line and does not prevent further arguments from being appended 189 | $F_SECURING_SYSTEM = array( 190 | 'escapeshellarg', 191 | 'escapeshellcmd' 192 | ); 193 | 194 | // securing XPath injection: addslashes() is only safe when the result is embedded in quotes (see the XPath entry in config/help.php); this list is not part of $F_QUOTE_ANALYSIS 195 | $F_SECURING_XPATH = array( 196 | 'addslashes' 
197 | ); 198 | 199 | // securing LDAP injection: empty so far; TODO(review): ldap_escape() (PHP >= 5.6) is the built-in filter/DN escaping function and a candidate entry 200 | $F_SECURING_LDAP = array( 201 | ); 202 | 203 | // all specific securings ($F_SECURING_LDAP is not merged because it is empty) 204 | $F_SECURES_ALL = array_merge( 205 | $F_SECURING_XSS, 206 | $F_SECURING_SQL, 207 | $F_SECURING_PREG, 208 | $F_SECURING_FILE, 209 | $F_SECURING_SYSTEM, 210 | $F_SECURING_XPATH 211 | ); 212 | 213 | // securing functions that work only when embedded in quotes (the escaping functions of $F_SECURING_SQL); NOTE(review): $F_SECURING_XPATH has the same limitation but is not covered here 214 | $F_QUOTE_ANALYSIS = $F_SECURING_SQL; 215 | -------------------------------------------------------------------------------- /config/sources.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | /* Taint sources: variables and functions whose values are treated as attacker-controlled when the scan starts. */ 18 | final class Sources 19 | { 20 | // userinput variables (superglobals, the legacy long-form $HTTP_*_VARS arrays, the raw POST body and CLI arguments) 21 | public static $V_USERINPUT = array( 22 | '$_GET', 23 | '$_POST', 24 | '$_COOKIE', 25 | '$_REQUEST', 26 | '$_FILES', 27 | '$_SERVER', 28 | '$HTTP_GET_VARS', 29 | '$HTTP_POST_VARS', 30 | '$HTTP_COOKIE_VARS', 31 | '$HTTP_REQUEST_VARS', 32 | '$HTTP_POST_FILES', 33 | '$HTTP_SERVER_VARS', 34 | '$HTTP_RAW_POST_DATA', 35 | '$argc', 36 | '$argv' 37 | ); 38 | /* $_SERVER keys that carry client-supplied data (request headers, HTTP auth credentials, URI and path parts). */ 39 | public static $V_SERVER_PARAMS = array( 40 | 'HTTP_ACCEPT', 41 | 'HTTP_ACCEPT_LANGUAGE', 42 | 'HTTP_ACCEPT_ENCODING', 43 | 'HTTP_ACCEPT_CHARSET', 44 | 'HTTP_CONNECTION', 45 | 'HTTP_HOST', 46 | 'HTTP_KEEP_ALIVE', 47 | 'HTTP_REFERER', 48 | 'HTTP_USER_AGENT', 49 | 'HTTP_X_FORWARDED_FOR', 50 | // all HTTP_ headers can be tainted 51 | 'PHP_AUTH_DIGEST', 52 | 'PHP_AUTH_USER', 53 | 'PHP_AUTH_PW', 54 | 'AUTH_TYPE', 55 | 'QUERY_STRING', 56 | 'REQUEST_METHOD', 57 | 'REQUEST_URI', // partly urlencoded 58 | 'PATH_INFO', 59 | 'ORIG_PATH_INFO', 60 | 'PATH_TRANSLATED', 61 | 'REMOTE_HOSTNAME', 62 | 'PHP_SELF' 63 | ); 64 | 65 | // file content as input (persistent data that an earlier tainted request may have written) 66 | public static $F_FILE_INPUT = array( 67 | 'bzread', 68 | 'dio_read', 69 | 'exif_imagetype', 70 | 'exif_read_data', 71 | 'exif_thumbnail', 72 | 'fgets', 73 | 'fgetss', 74 | 'file', 75 | 'file_get_contents', 76 | 'fread', 77 | 'get_meta_tags', 78 | 'glob', 79 | 'gzread', 80 | 
'readdir', 81 | 'read_exif_data', 82 | 'scandir', 83 | 'zip_read' 84 | ); 85 | 86 | // database content as input (second-order injection: stored data is tainted again when read back) 87 | public static $F_DATABASE_INPUT = array( 88 | 'mysql_fetch_array', 89 | 'mysql_fetch_assoc', 90 | 'mysql_fetch_field', 91 | 'mysql_fetch_object', 92 | 'mysql_fetch_row', 93 | 'pg_fetch_all', 94 | 'pg_fetch_array', 95 | 'pg_fetch_assoc', 96 | 'pg_fetch_object', 97 | 'pg_fetch_result', 98 | 'pg_fetch_row', 99 | 'sqlite_fetch_all', 100 | 'sqlite_fetch_array', 101 | 'sqlite_fetch_object', 102 | 'sqlite_fetch_single', 103 | 'sqlite_fetch_string' 104 | ); 105 | 106 | // other functions as input (remote or request headers, browser info derived from the user agent, environment, reverse DNS, request-variable import) 107 | public static $F_OTHER_INPUT = array( 108 | 'get_headers', 109 | 'getallheaders', 110 | 'get_browser', 111 | 'getenv', 112 | 'gethostbyaddr', 113 | 'runkit_superglobals', 114 | 'import_request_variables' 115 | ); 116 | 117 | // 'getenv' and 'apache_getenv' 118 | // will be automatically added if 'putenv' or 'apache_setenv' with userinput is found 119 | } 120 | -------------------------------------------------------------------------------- /config/tokens.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | // define own token for include ending (private id, presumably picked outside the range of PHP's own T_* constants) 19 | define('T_INCLUDE_END', 10000); 20 | /* Token constants introduced by newer PHP versions are defined here only when the running PHP lacks them, so the Tokens lists below can reference them on any version; the fallback ids are placeholders that merely avoid undefined-constant errors. */ 21 | // added in php 5.3 22 | if ( ! defined('T_GOTO')) define('T_GOTO', 10001); 23 | if ( ! defined('T_NAMESPACE')) define('T_NAMESPACE', 10002); 24 | if ( ! defined('T_NS_C')) define('T_NS_C', 10003); 25 | if ( ! defined('T_NS_SEPARATOR')) define('T_NS_SEPARATOR', 10004); 26 | if ( ! defined('T_USE')) define('T_USE', 10005); 27 | 28 | // added in php 5.4 29 | if ( ! defined('T_INSTEADOF')) define('T_INSTEADOF', 10006); 30 | if ( ! defined('T_TRAIT')) define('T_TRAIT', 10007); 31 | if ( ! defined('T_TRAIT_C')) define('T_TRAIT_C', 10008); 32 | 33 | // added in php 5.5 (T_YIELD_FROM below: php 7.0) 34 | if ( ! defined('T_FINALLY')) define('T_FINALLY', 10009); 35 | if ( ! defined('T_YIELD')) define('T_YIELD', 10010); 36 | if ( ! 
defined('T_YIELD_FROM')) define('T_YIELD_FROM', 10011); 37 | 38 | // added in php 5.6 39 | if ( ! defined('T_ELLIPSIS')) define('T_ELLIPSIS', 10012); 40 | if ( ! defined('T_POW')) define('T_POW', 10013); 41 | if ( ! defined('T_POW_EQUAL')) define('T_POW_EQUAL', 10014); 42 | 43 | // added in php 7.0 44 | if ( ! defined('T_COALESCE')) define('T_COALESCE', 10015); 45 | if ( ! defined('T_SPACESHIP')) define('T_SPACESHIP', 10016); 46 | 47 | // added in php 7.4 48 | if ( ! defined('T_COALESCE_EQUAL')) define('T_COALESCE_EQUAL', 10017); 49 | if ( ! defined('T_FN')) define('T_FN', 10018); 50 | 51 | // added in php 8.0 52 | if ( ! defined('T_ATTRIBUTE')) define('T_ATTRIBUTE', 10019); 53 | if ( ! defined('T_MATCH')) define('T_MATCH', 10020); 54 | if ( ! defined('T_NAME_FULLY_QUALIFIED')) define('T_NAME_FULLY_QUALIFIED', 10021); 55 | if ( ! defined('T_NAME_QUALIFIED')) define('T_NAME_QUALIFIED', 10022); 56 | if ( ! defined('T_NAME_RELATIVE')) define('T_NAME_RELATIVE', 10023); 57 | if ( ! defined('T_NULLSAFE_OBJECT_OPERATOR')) define('T_NULLSAFE_OBJECT_OPERATOR', 10024); 58 | 59 | // added in php 8.1 60 | if ( ! defined('T_ENUM')) define('T_ENUM', 10025); 61 | if ( ! defined('T_READONLY')) define('T_READONLY', 10026); 62 | if ( ! defined('T_AMPERSAND_NOT_FOLLOWED_BY_VAR_OR_VARARG')) define('T_AMPERSAND_NOT_FOLLOWED_BY_VAR_OR_VARARG', 10027); 63 | if ( ! 
defined('T_AMPERSAND_FOLLOWED_BY_VAR_OR_VARARG')) define('T_AMPERSAND_FOLLOWED_BY_VAR_OR_VARARG', 10028); 64 | /* Token classes the scanner and printer use to interpret the PHP token stream. */ 65 | final class Tokens 66 | { 67 | // tokens to ignore while scanning (comments, whitespace, open tags and inline HTML carry no data flow) 68 | public static $T_IGNORE = array( 69 | T_BAD_CHARACTER, 70 | T_DOC_COMMENT, 71 | T_COMMENT, 72 | //T_ML_COMMENT, 73 | T_INLINE_HTML, 74 | T_WHITESPACE, 75 | T_OPEN_TAG, 76 | //T_CLOSE_TAG, 77 | ); 78 | 79 | // loop control tokens whose code blocks should be ignored as requirement (unlike $T_FLOW_CONTROL) 80 | public static $T_LOOP_CONTROL = array( 81 | //T_DO, // removed, because DO..WHILE is rewritten to WHILE 82 | T_WHILE, 83 | T_FOR, 84 | T_FOREACH, 85 | ); 86 | 87 | // control structures 88 | public static $T_FLOW_CONTROL = array( 89 | T_IF, 90 | T_SWITCH, 91 | T_CASE, 92 | T_ELSE, 93 | T_ELSEIF, 94 | ); 95 | 96 | // variable assignment tokens (compound assignments; the plain '=' is handled as a string token) 97 | public static $T_ASSIGNMENT = array( 98 | T_AND_EQUAL, 99 | T_CONCAT_EQUAL, 100 | T_DIV_EQUAL, 101 | T_MINUS_EQUAL, 102 | T_MOD_EQUAL, 103 | T_MUL_EQUAL, 104 | T_OR_EQUAL, 105 | T_PLUS_EQUAL, 106 | T_POW_EQUAL, 107 | T_SL_EQUAL, 108 | T_SR_EQUAL, 109 | T_XOR_EQUAL, 110 | T_COALESCE_EQUAL, 111 | ); 112 | /* NOTE(review): |= and ^= (like the excluded &=) operate byte-wise and yield a string when both operands are strings, so listing T_OR_EQUAL and T_XOR_EQUAL here while excluding T_AND_EQUAL is inconsistent; the arithmetic and shift assignments do force a numeric result. */ 113 | // variable assignment tokens that prevent tainting (the result is numeric, so the string content is lost) 114 | public static $T_ASSIGNMENT_SECURE = array( 115 | T_DIV_EQUAL, 116 | T_MINUS_EQUAL, 117 | T_MOD_EQUAL, 118 | T_MUL_EQUAL, 119 | T_OR_EQUAL, 120 | T_PLUS_EQUAL, 121 | T_POW_EQUAL, 122 | T_SL_EQUAL, 123 | T_SR_EQUAL, 124 | T_XOR_EQUAL, 125 | ); 126 | /* NOTE(review): T_COALESCE (??) yields one of its operands unchanged rather than a boolean, unlike the comparison tokens in this list; check that it is not treated like a securing comparison. */ 127 | // condition operators 128 | public static $T_OPERATOR = array( 129 | T_IS_EQUAL, 130 | T_IS_GREATER_OR_EQUAL, 131 | T_IS_IDENTICAL, 132 | T_IS_NOT_EQUAL, 133 | T_IS_NOT_IDENTICAL, 134 | T_IS_SMALLER_OR_EQUAL, 135 | T_SPACESHIP, 136 | T_COALESCE, 137 | ); 138 | 139 | // all function call tokens (T_STRING covers every named function; eval and the include family are language constructs with their own tokens) 140 | public static $T_FUNCTIONS = array( 141 | T_STRING, // all functions 142 | T_EVAL, 143 | T_INCLUDE, 144 | T_INCLUDE_ONCE, 145 | T_REQUIRE, 146 | T_REQUIRE_ONCE, 147 | ); 148 | 149 | // including operation tokens 150 | public static $T_INCLUDES = array( 151 | T_INCLUDE, 
152 | T_INCLUDE_ONCE, 153 | T_REQUIRE, 154 | T_REQUIRE_ONCE, 155 | ); 156 | 157 | // XSS affected operation tokens (output statements; exit/die print their string argument) 158 | public static $T_XSS = array( 159 | T_PRINT, 160 | T_ECHO, 161 | T_OPEN_TAG_WITH_ECHO, 162 | T_EXIT, 163 | ); 164 | 165 | // securing operation tokens: casts to bool/float/int (and unset) drop string content; string, array and object casts are not listed 166 | public static $T_CASTS = array( 167 | T_BOOL_CAST, 168 | T_DOUBLE_CAST, 169 | T_INT_CAST, 170 | T_UNSET_CAST, 171 | T_UNSET, 172 | ); 173 | 174 | // tokens that will have a space before and after in the output, besides $T_OPERATOR and $T_ASSIGNMENT 175 | public static $T_SPACE_WRAP = array( 176 | T_AS, 177 | T_BOOLEAN_AND, 178 | T_BOOLEAN_OR, 179 | T_LOGICAL_AND, 180 | T_LOGICAL_OR, 181 | T_LOGICAL_XOR, 182 | T_SL, 183 | T_SR, 184 | T_CASE, 185 | T_ELSE, 186 | T_GLOBAL, 187 | T_NEW, 188 | ); 189 | /* NOTE(review): ++ on a non-numeric string performs alphanumeric increment ('a' becomes 'b') instead of a numeric cast, so the result can still be a tainted string; -- leaves such a string unchanged. */ 190 | // arithmetical operators (increment/decrement tokens) to detect automatic typecasts 191 | public static $T_ARITHMETIC = array( 192 | T_INC, 193 | T_DEC, 194 | ); 195 | 196 | // arithmetical operators (literal strings plus the T_POW token) to detect automatic typecasts; NOTE(review): '+' on two arrays is a union and keeps the elements 197 | public static $S_ARITHMETIC = array( 198 | '+', 199 | '-', 200 | '*', 201 | '/', 202 | '%', 203 | T_POW, 204 | ); 205 | 206 | // strings that will have a space before and after in the output besides $S_ARITHMETIC 207 | public static $S_SPACE_WRAP = array( 208 | '.', 209 | '=', 210 | '>', 211 | '<', 212 | ':', 213 | '?', 214 | ); 215 | } 216 | -------------------------------------------------------------------------------- /css/ayti.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .userinput, .persistent { 7 | list-style-type: disc; 8 | color:white; 9 | } 10 | .validated { 11 | list-style-type: disc; 12 | color:red; 13 | } 14 | .functioninput { 15 | list-style-type: disc; 16 | color:yellow; 17 | } 18 | 19 | .vulnblock { 20 | background-color:#223344; 21 | color:#FFCC44; 22 | font-weight:bold; 23 | } 24 | 25 | .codebox { 26 | margin-bottom: 10px; 27 | background-color: 
#101820; 28 | } 29 | 30 | .windowcontent, .filecanvas, #funccodecontent, #funccodetitle, .funclistcontent { 31 | background-color: #101820; 32 | } 33 | 34 | .markline { 35 | background-color: #334455; 36 | } 37 | 38 | .requires 39 | {color: #D2A8A1; font-weight:bold;} 40 | 41 | .linenr 42 | {color: #888;} 43 | 44 | .link 45 | {color: #6262F0; font-weight:bold;} 46 | 47 | .vulntitle, .code { 48 | font-size:9pt; 49 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 50 | } 51 | 52 | .code, 53 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 54 | {color: white; } 55 | 56 | .phps-t-string, 57 | .phps-t-eval, 58 | .phps-t-print, 59 | .phps-t-include, 60 | .phps-t-include-once, 61 | .phps-t-require, 62 | .phps-t-require-once, 63 | .phps-t-isset, 64 | .phps-t-empty, 65 | .phps-t-while, 66 | .phps-t-do, 67 | .phps-t-try, 68 | .phps-t-catch, 69 | .phps-t-exit, 70 | .phps-t-unset, 71 | .phps-t-list, 72 | .phps-t-array, 73 | .phps-t-echo, 74 | .phps-t-start-heredoc, 75 | .phps-t-end-heredoc 76 | {color: #FFFFFF;} 77 | /*E1E1F9*/ 78 | 79 | .phps-t-open-tag, 80 | .phps-t-close-tag, 81 | .phps-t-and-equal, 82 | .phps-t-concat-equal, 83 | .phps-t-div-equal, 84 | .phps-t-minus-equal, 85 | .phps-t-mod-equal, 86 | .phps-t-mul-equal, 87 | .phps-t-or-equal, 88 | .phps-t-plus-equal, 89 | .phps-t-sl-equal, 90 | .phps-t-sr-equal, 91 | .phps-t-xor-equal, 92 | .phps-t-is-equal, 93 | .phps-t-is-greater-or-equal, 94 | .phps-t-is-identical, 95 | .phps-t-is-not-equal, 96 | .phps-t-is-not-identical, 97 | .phps-t-object-operator, 98 | .phps-t-double-colon, 99 | .phps-t-paamayim-nekudotayim, 100 | .phps-t-if, 101 | .phps-t-isset, 102 | .phps-t-exclaim, 103 | .phps-t-for, 104 | .phps-t-foreach, 105 | .phps-t-return, 106 | .phps-t-double-arrow, 107 | .phps-t-as, 108 | .phps-t-or, 109 | .phps-t-case, 110 | .phps-t-default, 111 | .phps-t-break, 112 | .phps-t-continue, 113 | .phps-t-goto, 114 | .phps-t-and, 115 | .phps-t-xor, 116 | 
.phps-t-boolean-or, 117 | .phps-t-boolean-and, 118 | .phps-t-global, 119 | .phps-t-logical-and, 120 | .phps-t-logical-or, 121 | .phps-t-else, 122 | .phps-t-elseif, 123 | .phps-t-switch, 124 | .phps-t-use, 125 | .phps-t-var, 126 | .phps-t-inc, 127 | .phps-t-dec, 128 | .phps-t-function, 129 | .phps-t-public, 130 | .phps-t-private, 131 | .phps-t-protected, 132 | .phps-t-static, 133 | .phps-t-class, 134 | .phps-t-new, 135 | .phps-t-bool-cast, 136 | .phps-t-double-cast, 137 | .phps-t-int-cast, 138 | .phps-t-unset-cast, 139 | .phps-t-file, 140 | .phps-t-line, 141 | .phps-t-dir, 142 | .phps-t-func-c, .phps-t-class-c, 143 | .phps-t-method-c, 144 | .phps-t-ns-c 145 | {color: #9467FC;} 146 | 147 | .phps-t-const 148 | {color: #CF6A4C;} 149 | 150 | .phps-t-variable, 151 | .phps-t-variable-marked, 152 | .phps-t-string-varname, 153 | .funclistline 154 | {color: #768FEB;} 155 | 156 | .phps-t-variable-marked 157 | {background-color:darkred;} 158 | 159 | .phps-tainted-var 160 | {color: #AAC8FD;} 161 | 162 | .phps-t-lnumber 163 | {color: #CF6A4C} 164 | 165 | .phps-t-encapsed-and-whitespace, 166 | .phps-t-constant-encapsed-string 167 | {color: #FFCE42;} 168 | /* FFCE42 */ 169 | .phps-t-inline-html 170 | {color: #FFCE42;} 171 | 172 | .phps-t-comment, 173 | .phps-t-ml-comment, 174 | .phps-t-doc-comment 175 | {color: #3F4852} 176 | -------------------------------------------------------------------------------- /css/barf.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .menu { 7 | background-color: #1D261B; 8 | } 9 | 10 | input[type="text"],select { 11 | color: #000 !important; 12 | background: #99A298 !important; 13 | } 14 | 15 | 16 | .userinput, .persistent { 17 | list-style-type: disc; 18 | color:white; 19 | } 20 | .validated { 21 | list-style-type: disc; 22 | color:red; 23 | } 24 | .functioninput { 25 | list-style-type: disc; 26 | color:yellow; 27 | } 28 | 29 | 
.codebox { 30 | margin-bottom: 10px; 31 | background-color: #0D1219; 32 | } 33 | 34 | .vulnblock { 35 | background-color:#283325; 36 | color:#94F877; 37 | font-weight:bold; 38 | } 39 | 40 | .windowcontent, #funccodecontent, #funccodetitle, .funclistcontent { 41 | background-color: #0D1219; 42 | } 43 | 44 | .markline { 45 | background-color: #243245; 46 | } 47 | 48 | .requires 49 | {color: #697B8F; font-weight:bold;} 50 | 51 | .linenr 52 | {color: #888;} 53 | 54 | .link 55 | {color: #EEF2F7; font-weight:bold;} 56 | 57 | .code, .vulntitle { 58 | font-size:9pt; 59 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 60 | } 61 | 62 | .code, 63 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 64 | {color: #EEF2F7; } 65 | 66 | .phps-t-string, 67 | .phps-t-eval, 68 | .phps-t-print, 69 | .phps-t-include, 70 | .phps-t-include-once, 71 | .phps-t-require, 72 | .phps-t-require-once, 73 | .phps-t-isset, 74 | .phps-t-empty, 75 | .phps-t-while, 76 | .phps-t-do, 77 | .phps-t-exit, 78 | .phps-t-try, 79 | .phps-t-catch, 80 | .phps-t-unset, 81 | .phps-t-list, 82 | .phps-t-array, 83 | .phps-t-echo, 84 | .phps-t-start-heredoc, 85 | .phps-t-end-heredoc, 86 | .phps-t-if, 87 | .phps-t-for, 88 | .phps-t-foreach, 89 | .phps-t-else, 90 | .phps-t-elseif, 91 | .phps-t-switch, 92 | .phps-t-bool-cast, 93 | .phps-t-double-cast, 94 | .phps-t-int-cast, 95 | .phps-t-unset-cast, 96 | .phps-t-file, 97 | .phps-t-line, 98 | .phps-t-dir, 99 | .phps-t-func-c, .phps-t-class-c, 100 | .phps-t-method-c, 101 | .phps-t-ns-c 102 | {color: #EFF3F8;} 103 | 104 | .phps-t-open-tag, 105 | .phps-t-close-tag, 106 | .phps-t-and-equal, 107 | .phps-t-concat-equal, 108 | .phps-t-div-equal, 109 | .phps-t-minus-equal, 110 | .phps-t-mod-equal, 111 | .phps-t-mul-equal, 112 | .phps-t-or-equal, 113 | .phps-t-plus-equal, 114 | .phps-t-sl-equal, 115 | .phps-t-sr-equal, 116 | .phps-t-xor-equal, 117 | .phps-t-is-equal, 118 | .phps-t-is-greater-or-equal, 119 | 
.phps-t-is-identical, 120 | .phps-t-is-not-equal, 121 | .phps-t-is-not-identical, 122 | .phps-t-inc, 123 | .phps-t-dec, 124 | .phps-t-object-operator, 125 | .phps-t-double-colon, 126 | .phps-t-paamayim-nekudotayim, 127 | .phps-t-exclaim, 128 | .phps-t-double-arrow, 129 | .phps-t-as, 130 | .phps-t-or, 131 | .phps-t-case, 132 | .phps-t-default, 133 | .phps-t-break, 134 | .phps-t-continue, 135 | .phps-t-goto, 136 | .phps-t-and, 137 | .phps-t-xor, 138 | .phps-t-global, 139 | .phps-t-logical-and, 140 | .phps-t-logical-or, 141 | .phps-t-boolean-or, 142 | .phps-t-boolean-and, 143 | .phps-t-use, 144 | .phps-t-var 145 | {color: #697A8E;} 146 | 147 | .phps-t-function, 148 | .phps-t-public, 149 | .phps-t-private, 150 | .phps-t-protected, 151 | .phps-t-static, 152 | .phps-t-class, 153 | .phps-t-new, 154 | .phps-t-const, 155 | .phps-t-return 156 | {color: #94F877;} 157 | 158 | .phps-t-variable, .phps-t-string-varname, .funclistline, .phps-t-variable-marked 159 | {color: #708E67;} 160 | 161 | .phps-t-variable-marked 162 | {background-color:darkred;} 163 | 164 | .phps-tainted-var 165 | {color: #7FC16B;} 166 | 167 | .phps-t-lnumber 168 | {color: #EEF2F7} 169 | 170 | .phps-t-encapsed-and-whitespace, 171 | .phps-t-constant-encapsed-string 172 | {color: #5C81B3;} 173 | 174 | .phps-t-inline-html 175 | {color: #F9EE98;} 176 | 177 | .phps-t-comment, 178 | .phps-t-ml-comment, 179 | .phps-t-doc-comment 180 | {color: #6E6E6E;} 181 | -------------------------------------------------------------------------------- /css/code-dark.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .menu { 7 | background-color:#010101; 8 | } 9 | 10 | 11 | input[type="text"],select { 12 | color: #000 !important; 13 | background-color:#797979 !important; 14 | } 15 | 16 | .userinput, .persistent { 17 | list-style-type: disc; 18 | color:white; 19 | } 20 | .validated { 21 | list-style-type: disc; 22 | 
color:red; 23 | } 24 | .functioninput { 25 | list-style-type: disc; 26 | color:yellow; 27 | } 28 | 29 | .codebox { 30 | margin-bottom: 10px; 31 | background-color: #222222; 32 | } 33 | 34 | .vulnblock { 35 | background-color:#111111; 36 | color:#FBFB97; 37 | font-weight:bold; 38 | } 39 | 40 | .windowcontent , #funccodecontent, #funccodetitle, .funclistcontent { 41 | background-color: #222222; 42 | } 43 | 44 | 45 | .code, .vulntitle 46 | {font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; font-size:9pt; } 47 | 48 | .markline { 49 | background-color: #531107; 50 | } 51 | 52 | .requires, 53 | .linenr 54 | {color: #888888;} 55 | 56 | .link 57 | {color:#D78787; font-weight:bold; text-decoration:underline;} 58 | 59 | .code, 60 | .phps-code, 61 | .phps-t-dollar-open-curly-braces, 62 | .phps-t-curly-open, 63 | .phps-t-open-tag, 64 | .phps-t-close-tag, 65 | .phps-t-and-equal, 66 | .phps-t-concat-equal, 67 | .phps-t-div-equal, 68 | .phps-t-minus-equal, 69 | .phps-t-mod-equal, 70 | .phps-t-mul-equal, 71 | .phps-t-or-equal, 72 | .phps-t-plus-equal, 73 | .phps-t-sl-equal, 74 | .phps-t-sr-equal, 75 | .phps-t-xor-equal, 76 | .phps-t-is-equal, 77 | .phps-t-is-greater-or-equal, 78 | .phps-t-is-identical, 79 | .phps-t-is-not-equal, 80 | .phps-t-is-not-identical, 81 | .phps-t-inc, 82 | .phps-t-dec, 83 | .phps-t-object-operator, 84 | .phps-t-double-colon, 85 | .phps-t-paamayim-nekudotayim 86 | {color: #D78787;} 87 | 88 | .phps-t-if, 89 | .phps-t-while, 90 | .phps-t-do, 91 | .phps-t-exit, 92 | .phps-t-try, 93 | .phps-t-catch, 94 | .phps-t-isset, 95 | .phps-t-exclaim, 96 | .phps-t-for, 97 | .phps-t-foreach, 98 | .phps-t-return, 99 | .phps-t-double-arrow, 100 | .phps-t-as, 101 | .phps-t-or, 102 | .phps-t-case, 103 | .phps-t-default, 104 | .phps-t-break, 105 | .phps-t-continue, 106 | .phps-t-goto, 107 | .phps-t-and, 108 | .phps-t-boolean-or, 109 | .phps-t-boolean-and, 110 | .phps-t-logical-or, 111 | .phps-t-logical-and, 112 | .phps-t-xor, 113 | .phps-t-global, 
114 | .phps-t-and, 115 | .phps-t-isset, 116 | .phps-t-empty, 117 | .phps-t-unset, 118 | .phps-t-else, 119 | .phps-t-elseif, 120 | .phps-t-switch, 121 | .phps-t-array, 122 | .phps-t-bool-cast, 123 | .phps-t-double-cast, 124 | .phps-t-int-cast, 125 | .phps-t-unset-cast, 126 | .phps-t-file, 127 | .phps-t-line, 128 | .phps-t-dir, 129 | .phps-t-func-c, .phps-t-class-c, 130 | .phps-t-method-c, 131 | .phps-t-ns-c 132 | {color: #87AFD7;} 133 | 134 | .phps-t-variable, .phps-t-string-varname, .funclistline, .phps-t-variable-marked 135 | {color: #AFAFD7;} 136 | 137 | .phps-t-variable-marked 138 | {background-color:darkred;} 139 | 140 | .phps-tainted-var 141 | {color: #5959E2;} 142 | 143 | .phps-t-string, 144 | .phps-t-eval, 145 | .phps-t-const 146 | {color: #D7AFD7;} 147 | 148 | .phps-t-lnumber 149 | {color: #D7AF87;} 150 | 151 | .phps-t-encapsed-and-whitespace, 152 | .phps-t-constant-encapsed-string 153 | {color: #FFFFAF;} 154 | 155 | .phps-t-echo, 156 | .phps-t-start-heredoc, 157 | .phps-t-end-heredoc, 158 | .phps-t-function, 159 | .phps-t-public, 160 | .phps-t-private, 161 | .phps-t-protected, 162 | .phps-t-static, 163 | .phps-t-class, 164 | .phps-t-new, 165 | .phps-t-print, 166 | .phps-t-include, 167 | .phps-t-include-once, 168 | .phps-t-require, 169 | .phps-t-require-once, 170 | .phps-t-use 171 | {color: #AFD787;} 172 | 173 | .phps-t-inline-html 174 | {color: #D0D0D0;} 175 | 176 | .phps-t-comment, 177 | .phps-t-ml-comment, 178 | .phps-t-doc-comment 179 | {color: #808080} 180 | -------------------------------------------------------------------------------- /css/espresso.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .menu { 7 | background-color: #351F12; 8 | } 9 | 10 | 11 | input[type="text"],select { 12 | color: #000 !important; 13 | background: #968B85 !important; 14 | } 15 | 16 | 17 | .userinput, .persistent { 18 | list-style-type: disc; 19 | 
color:white; 20 | } 21 | .validated { 22 | list-style-type: disc; 23 | color:red; 24 | } 25 | .functioninput { 26 | list-style-type: disc; 27 | color:yellow; 28 | } 29 | 30 | .codebox { 31 | margin-bottom: 10px; 32 | background-color: #2A211C; 33 | } 34 | 35 | .vulnblock { 36 | background-color:#23150D; 37 | color:#049B0A; 38 | font-weight:bold; 39 | } 40 | 41 | .windowcontent , #funccodecontent, #funccodetitle, .funclistcontent { 42 | background-color: #2A211C; 43 | } 44 | 45 | .markline { 46 | background-color: #1E3F06; 47 | } 48 | 49 | .requires 50 | {color: #43A8ED; font-weight:bold;} 51 | 52 | .linenr 53 | {color: #888;} 54 | 55 | .link 56 | {color: #2F5FE0; font-weight:bold;} 57 | 58 | .code, .vulntitle { 59 | font-size:9pt; 60 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 61 | } 62 | 63 | .code, 64 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 65 | {color: #BDAE9D; } 66 | 67 | .phps-t-string, 68 | .phps-t-eval, 69 | .phps-t-print, 70 | .phps-t-include, 71 | .phps-t-include-once, 72 | .phps-t-require, 73 | .phps-t-require-once, 74 | .phps-t-isset, 75 | .phps-t-empty, 76 | .phps-t-while, 77 | .phps-t-do, 78 | .phps-t-exit, 79 | .phps-t-try, 80 | .phps-t-catch, 81 | .phps-t-unset, 82 | .phps-t-list, 83 | .phps-t-array, 84 | .phps-t-echo, 85 | .phps-t-start-heredoc, 86 | .phps-t-end-heredoc 87 | {color: #FFCE42;} 88 | 89 | 90 | .phps-t-open-tag, 91 | .phps-t-close-tag, 92 | .phps-t-and-equal, 93 | .phps-t-concat-equal, 94 | .phps-t-div-equal, 95 | .phps-t-minus-equal, 96 | .phps-t-mod-equal, 97 | .phps-t-mul-equal, 98 | .phps-t-or-equal, 99 | .phps-t-plus-equal, 100 | .phps-t-sl-equal, 101 | .phps-t-sr-equal, 102 | .phps-t-xor-equal, 103 | .phps-t-is-equal, 104 | .phps-t-is-greater-or-equal, 105 | .phps-t-is-identical, 106 | .phps-t-is-not-equal, 107 | .phps-t-is-not-identical, 108 | .phps-t-inc, 109 | .phps-t-dec, 110 | .phps-t-object-operator, 111 | .phps-t-double-colon, 112 | 
.phps-t-paamayim-nekudotayim, 113 | .phps-t-if, 114 | .phps-t-switch, 115 | .phps-t-exclaim, 116 | .phps-t-for, 117 | .phps-t-foreach, 118 | .phps-t-return, 119 | .phps-t-double-arrow, 120 | .phps-t-as, 121 | .phps-t-or, 122 | .phps-t-case, 123 | .phps-t-default, 124 | .phps-t-break, 125 | .phps-t-continue, 126 | .phps-t-goto, 127 | .phps-t-and, 128 | .phps-t-xor, 129 | .phps-t-global, 130 | .phps-t-logical-and, 131 | .phps-t-logical-or, 132 | .phps-t-boolean-or, 133 | .phps-t-boolean-and, 134 | .phps-t-else, 135 | .phps-t-elseif, 136 | .phps-t-use, 137 | .phps-t-var, 138 | .phps-t-function, 139 | .phps-t-public, 140 | .phps-t-private, 141 | .phps-t-protected, 142 | .phps-t-static, 143 | .phps-t-class, 144 | .phps-t-new, 145 | .phps-t-bool-cast, 146 | .phps-t-double-cast, 147 | .phps-t-int-cast, 148 | .phps-t-unset-cast, 149 | .phps-t-file, 150 | .phps-t-line, 151 | .phps-t-dir, 152 | .phps-t-func-c, .phps-t-class-c, 153 | .phps-t-method-c, 154 | .phps-t-ns-c 155 | {color: #43A8ED; font-weight: bold; } 156 | 157 | .phps-t-const 158 | {color: #C5656B;} 159 | 160 | .phps-t-variable, .phps-t-string-varname, .funclistline, .phps-tainted-var 161 | {color: #0066FF;} 162 | 163 | .phps-t-variable-marked 164 | {background-color:darkred;color:#4B91FB;} 165 | 166 | .phps-tainted-var 167 | {color: #4B91FB;} 168 | 169 | .phps-t-lnumber 170 | {color: #C4BDA1;} 171 | 172 | .phps-t-encapsed-and-whitespace, 173 | .phps-t-constant-encapsed-string 174 | {color: #EEEEEE;} 175 | 176 | .phps-t-inline-html 177 | {color: #F9EE98;} 178 | 179 | .phps-t-comment, 180 | .phps-t-ml-comment, 181 | .phps-t-doc-comment 182 | {color: #534A44; font-style: italic;} 183 | -------------------------------------------------------------------------------- /css/notepad++.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | body, html { 7 | color: #111111; 8 | } 9 | 10 | .textcolor { 11 | color: 
#ffffff; 12 | } 13 | 14 | .darkcolor { 15 | color: black; 16 | } 17 | 18 | .userinput, .persistent { 19 | list-style-type: disc; 20 | color:grey; 21 | } 22 | .validated { 23 | list-style-type: disc; 24 | color:red; 25 | } 26 | .functioninput { 27 | list-style-type: disc; 28 | color:yellow; 29 | } 30 | 31 | .vulnblock { 32 | background-color:#D4D0C8; 33 | color:black; 34 | font-weight:bold; 35 | } 36 | 37 | .codebox { 38 | margin-bottom: 10px; 39 | background-color: #ffffff; 40 | } 41 | 42 | .windowcontent, #funccodecontent, #funccodetitle, .funclistcontent { 43 | background-color: #ffffff; 44 | opacity:0.95; 45 | } 46 | 47 | .markline { 48 | background-color: #EF9486; 49 | } 50 | 51 | .requires 52 | {color: #000000; font-weight:bold;} 53 | 54 | .linenr 55 | {color: #808080;} 56 | 57 | .link 58 | {color: #0000FF; font-weight:bold;} 59 | 60 | 61 | .code, .vulntitle { 62 | font-size:9pt; 63 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 64 | } 65 | 66 | .code, 67 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 68 | {color: #8000FF; font-weight: bold;} 69 | 70 | .phps-t-string, 71 | .phps-t-eval 72 | {color: #000000; font-weight: bold;} 73 | 74 | .phps-t-and-equal, 75 | .phps-t-concat-equal, 76 | .phps-t-div-equal, 77 | .phps-t-minus-equal, 78 | .phps-t-mod-equal, 79 | .phps-t-mul-equal, 80 | .phps-t-or-equal, 81 | .phps-t-plus-equal, 82 | .phps-t-sl-equal, 83 | .phps-t-sr-equal, 84 | .phps-t-xor-equal, 85 | .phps-t-is-equal, 86 | .phps-t-is-greater-or-equal, 87 | .phps-t-is-identical, 88 | .phps-t-is-not-equal, 89 | .phps-t-is-not-identical, 90 | .phps-t-inc, 91 | .phps-t-dec, 92 | .phps-t-object-operator, 93 | .phps-t-double-colon, 94 | .phps-t-paamayim-nekudotayim, 95 | .phps-t-double-arrow, 96 | .phps-t-boolean-or, 97 | .phps-t-boolean-and 98 | {color: #8000FF;} 99 | 100 | .phps-t-print, 101 | .phps-t-include, 102 | .phps-t-include-once, 103 | .phps-t-require, 104 | .phps-t-require-once, 105 | 
.phps-t-isset, 106 | .phps-t-empty, 107 | .phps-t-while, 108 | .phps-t-do, 109 | .phps-t-exit, 110 | .phps-t-try, 111 | .phps-t-catch, 112 | .phps-t-unset, 113 | .phps-t-list, 114 | .phps-t-array, 115 | .phps-t-echo, 116 | .phps-t-if, 117 | .phps-t-switch, 118 | .phps-t-isset, 119 | .phps-t-exclaim, 120 | .phps-t-for, 121 | .phps-t-foreach, 122 | .phps-t-return, 123 | .phps-t-as, 124 | .phps-t-or, 125 | .phps-t-logical-and, 126 | .phps-t-logical-or, 127 | .phps-t-boolean-or, 128 | .phps-t-boolean-and, 129 | .phps-t-case, 130 | .phps-t-default, 131 | .phps-t-break, 132 | .phps-t-continue, 133 | .phps-t-goto, 134 | .phps-t-and, 135 | .phps-t-xor, 136 | .phps-t-global, 137 | .phps-t-else, 138 | .phps-t-elseif, 139 | .phps-t-use, 140 | .phps-t-var, 141 | .phps-t-function, 142 | .phps-t-public, 143 | .phps-t-private, 144 | .phps-t-protected, 145 | .phps-t-static, 146 | .phps-t-class, 147 | .phps-t-new, 148 | .phps-t-bool-cast, 149 | .phps-t-double-cast, 150 | .phps-t-int-cast, 151 | .phps-t-unset-cast, 152 | .phps-t-file, 153 | .phps-t-line, 154 | .phps-t-dir, 155 | .phps-t-func-c, 156 | .phps-t-class-c, 157 | .phps-t-method-c, 158 | .phps-t-ns-c 159 | {color: #0000FF; font-weight:bold;} 160 | 161 | .phps-t-open-tag, 162 | .phps-t-close-tag 163 | {color: #FF0000; font-weight:bold;} 164 | 165 | .phps-t-const 166 | {color: #000000;} 167 | 168 | .phps-t-variable, .phps-t-string-varname, .funclistline, .phps-t-variable-marked 169 | {color: #000080;} 170 | 171 | .phps-t-variable-marked 172 | {background-color:#F5A69A;} 173 | 174 | .phps-tainted-var 175 | {color: #0606Ed;} 176 | 177 | .phps-t-lnumber 178 | {color: #FF8000} 179 | 180 | .phps-t-encapsed-and-whitespace, 181 | .phps-t-constant-encapsed-string, 182 | .phps-t-start-heredoc, 183 | .phps-t-end-heredoc 184 | {color: #4A4A4A;} 185 | 186 | .phps-t-inline-html 187 | {color: #000000; font-weight:bold;} 188 | 189 | .phps-t-comment, 190 | .phps-t-ml-comment, 191 | .phps-t-doc-comment 192 | {color: #63C763; 
font-weight:normal;} 193 | -------------------------------------------------------------------------------- /css/phps.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | body, html { 7 | color: #111111; 8 | } 9 | 10 | .textcolor { 11 | color: #ffffff; 12 | } 13 | 14 | .darkcolor { 15 | color: black; 16 | } 17 | 18 | .userinput, .persistent { 19 | list-style-type: disc; 20 | color:white; 21 | } 22 | .validated { 23 | list-style-type: disc; 24 | color:red; 25 | } 26 | .functioninput { 27 | list-style-type: disc; 28 | color:yellow; 29 | } 30 | 31 | .codebox { 32 | margin-bottom: 10px; 33 | background-color: #C4CDD1; 34 | } 35 | 36 | .vulnblock { 37 | background-color:#ABBBC3; 38 | color:black; 39 | font-weight:bold; 40 | } 41 | 42 | .windowcontent , #funccodecontent, #funccodetitle, .funclistcontent { 43 | background-color: #C4CDD1; 44 | opacity:0.92; 45 | } 46 | 47 | .markline { 48 | background-color: #F98888; 49 | } 50 | 51 | .code, .vulntitle { 52 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 53 | font-size:9pt; 54 | color: #007700; 55 | } 56 | 57 | .requires, 58 | .linenr 59 | {color: black; font-weight:bold;} 60 | 61 | .link 62 | {font-weight:bold; color: #0000BB;} 63 | 64 | .phps-code, 65 | .phps-t-dollar-open-curly-braces, 66 | .phps-t-curly-open, 67 | .phps-t-open-tag, 68 | .phps-t-close-tag, 69 | .phps-t-and-equal, 70 | .phps-t-concat-equal, 71 | .phps-t-div-equal, 72 | .phps-t-minus-equal, 73 | .phps-t-mod-equal, 74 | .phps-t-mul-equal, 75 | .phps-t-or-equal, 76 | .phps-t-plus-equal, 77 | .phps-t-sl-equal, 78 | .phps-t-sr-equal, 79 | .phps-t-xor-equal, 80 | .phps-t-is-equal, 81 | .phps-t-is-greater-or-equal, 82 | .phps-t-is-identical, 83 | .phps-t-is-not-equal, 84 | .phps-t-is-not-identical, 85 | .phps-t-inc, 86 | .phps-t-dec, 87 | .phps-t-object-operator, 88 | .phps-t-double-colon, 89 | 
.phps-t-paamayim-nekudotayim, 90 | .phps-t-if, 91 | .phps-t-switch, 92 | .phps-t-while, 93 | .phps-t-do, 94 | .phps-t-exit, 95 | .phps-t-try, 96 | .phps-t-catch, 97 | .phps-t-isset, 98 | .phps-t-exclaim, 99 | .phps-t-for, 100 | .phps-t-foreach, 101 | .phps-t-return, 102 | .phps-t-double-arrow, 103 | .phps-t-as, 104 | .phps-t-or, 105 | .phps-t-case, 106 | .phps-t-default, 107 | .phps-t-break, 108 | .phps-t-continue, 109 | .phps-t-goto, 110 | .phps-t-and, 111 | .phps-t-xor, 112 | .phps-t-global, 113 | .phps-t-logical-and, 114 | .phps-t-logical-or, 115 | .phps-t-boolean-or, 116 | .phps-t-boolean-and, 117 | .phps-t-empty, 118 | .phps-t-unset, 119 | .phps-t-else, 120 | .phps-t-elseif, 121 | .phps-t-list, 122 | .phps-t-array, 123 | .phps-t-echo, 124 | .phps-t-start-heredoc, 125 | .phps-t-end-heredoc, 126 | .phps-t-function, 127 | .phps-t-public, 128 | .phps-t-private, 129 | .phps-t-protected, 130 | .phps-t-static, 131 | .phps-t-class, 132 | .phps-t-new, 133 | .phps-t-print, 134 | .phps-t-include, 135 | .phps-t-include-once, 136 | .phps-t-require, 137 | .phps-t-require-once, 138 | .phps-t-use, 139 | .phps-t-var, 140 | .phps-t-bool-cast, 141 | .phps-t-double-cast, 142 | .phps-t-int-cast, 143 | .phps-t-unset-cast, 144 | .phps-t-boolean-or, 145 | .phps-t-boolean-and, 146 | .phps-t-file, 147 | .phps-t-line, 148 | .phps-t-dir, 149 | .phps-t-func-c, 150 | .phps-t-class-c, 151 | .phps-t-method-c, 152 | .phps-t-ns-c 153 | {color: #007700;} 154 | 155 | .phps-t-const, 156 | .phps-t-variable, 157 | .phps-t-string-varname, 158 | .phps-t-string, 159 | .phps-t-eval, 160 | .phps-t-lnumber, 161 | .funclistline, 162 | .phps-t-variable-marked, 163 | .phps-tainted-var 164 | {color: #0000BB;} 165 | 166 | .phps-t-variable-marked 167 | {background-color:#F5A69A;} 168 | 169 | .phps-tainted-var 170 | {font-weight:bold;} 171 | 172 | .phps-t-encapsed-and-whitespace, 173 | .phps-t-constant-encapsed-string 174 | {color: #DD0000;} 175 | 176 | .phps-t-inline-html 177 | {color: #000000;} 178 | 179 | 
.phps-t-comment, 180 | .phps-t-ml-comment, 181 | .phps-t-doc-comment 182 | {color: #FF8000} 183 | -------------------------------------------------------------------------------- /css/print.css: -------------------------------------------------------------------------------- 1 | html, body, div, span, applet, object, iframe, 2 | h1, h2, h3, h4, h5, h6, p, blockquote, pre, 3 | a, abbr, acronym, address, big, cite, code, 4 | del, dfn, em, img, ins, kbd, q, s, samp, 5 | small, strike, strong, sub, sup, tt, var, 6 | b, u, i, center, 7 | dl, dt, dd, ol, ul, li, 8 | fieldset, form, label, legend, 9 | table, caption, tbody, tfoot, thead, tr, th, td, 10 | article, aside, canvas, details, embed, 11 | figure, figcaption, footer, header, hgroup, 12 | menu, nav, output, ruby, section, summary, 13 | time, mark, audio, video { 14 | background-color: white; 15 | color: black; 16 | } 17 | 18 | #scrollwindow { 19 | background-color: grey; 20 | opacity:0.22; 21 | } 22 | 23 | div.menu { 24 | background-color: white; 25 | border: 0px; 26 | } 27 | 28 | div.stats { 29 | background-color: white; 30 | color: black; 31 | position: relative; 32 | margin-bottom: 15px; 33 | } 34 | div#window1, 35 | div#window2, 36 | div#window3, 37 | div#window4, 38 | div#window5 { 39 | display: none; 40 | } 41 | div.vulnblock { 42 | background-color: white !important; 43 | color: white; 44 | } 45 | div.codebox { 46 | margin-bottom: 1px; 47 | background-color: white; 48 | } 49 | div.vulnblock span { 50 | color: black; 51 | } 52 | div.vulnblock span.phps-t-constant-encapsed-string, 53 | div.vulnblock span.phps-t-encapsed-and-whitespace, 54 | div.vulnblock span.phps-t-comment, 55 | div.vulnblock span.phps-t-ml-comment, 56 | div.vulnblock span.phps-t-doc-comment { 57 | color: #999999; 58 | } 59 | div.buttonbox { 60 | display: none; 61 | } 62 | div.help, 63 | div.fileico, 64 | div.minusico, 65 | div.exploit, 66 | div.dataleak { 67 | display: none; 68 | } 69 | input.button[value=x] { 70 | display: none; 71 | } 72 
| -------------------------------------------------------------------------------- /css/rips.css: -------------------------------------------------------------------------------- 1 | body, html { 2 | font-family: helvetica; 3 | background-color: #DFDFDF; 4 | padding: 0; 5 | margin: 0; 6 | color: #DFDFDF; 7 | } 8 | 9 | .menu { 10 | background-color: #223344; 11 | padding: 8px; 12 | padding-bottom: 0px; 13 | border: 1px solid black; 14 | } 15 | 16 | .logo { 17 | margin-top:5px; 18 | background-image: url(rips.png); 19 | background-repeat: no-repeat; 20 | height: 52px; 21 | width: 150px; 22 | text-align: right; 23 | font-size: 12px; 24 | display:table-cell; 25 | vertical-align:bottom; 26 | } 27 | 28 | a#logo { 29 | color:#FFCC44; 30 | text-decoration: none; 31 | } 32 | 33 | .scanning, .stats { 34 | margin-left:35%; 35 | border:3px solid black; 36 | position:absolute; 37 | opacity: .94; 38 | background-color: #223344; 39 | color:white; 40 | } 41 | 42 | .stats { 43 | width:290px; 44 | font-size: 12px; 45 | padding:5px; 46 | } 47 | 48 | .scanning { 49 | height:200px; 50 | width:300px; 51 | margin-top:100px; 52 | display:none; 53 | text-align:center; 54 | font-size: 22px; 55 | font-weight:bold; 56 | background-image: url(scanning.gif); 57 | background-repeat: no-repeat; 58 | background-position: 105px 60px; 59 | } 60 | 61 | .scanned { 62 | position: absolute; 63 | background-color: #FFCC44; 64 | height:5px; 65 | width:75px; 66 | margin-left:113px; 67 | margin-top:70px; 68 | opacity: .50; 69 | } 70 | 71 | .scanfile, .scantimeleft { 72 | font-size: 10px; 73 | font-weight:normal; 74 | text-align:center; 75 | position:absolute; 76 | } 77 | 78 | .scanprogress { 79 | position:absolute; 80 | margin-top:80px; 81 | width:100%; 82 | text-align:center; 83 | font-size: 12px; 84 | color:black; 85 | } 86 | 87 | .scantimeleft { 88 | bottom:5px; 89 | width:100%; 90 | } 91 | 92 | .scanfile { 93 | margin-right:5px; 94 | margin-left:5px; 95 | } 96 | 97 | .diagram { 98 | height:70px; 99 | 
width:80px; 100 | } 101 | 102 | .warning { 103 | font-size:12px; 104 | } 105 | 106 | .chart { 107 | background-color: #FFCC44; 108 | height:10px; 109 | float:left; 110 | margin-right:5px; 111 | } 112 | 113 | .menushade { 114 | background-image: url(''); 115 | height: 9px; 116 | } 117 | 118 | .menushade { 119 | margin-top:0px; 120 | margin-bottom: 30px; 121 | width: 100%; 122 | margin-left: auto; 123 | margin-right: auto; 124 | } 125 | 126 | .fileico { 127 | height: 13px; 128 | width: 14px; 129 | background-position: 2px 0px; 130 | background-repeat: no-repeat; 131 | background-image: url(''); 132 | } 133 | 134 | .minusico { 135 | height: 13px; 136 | width: 14px; 137 | background-position: 2px 1px; 138 | background-repeat: no-repeat; 139 | background-image: url(''); 140 | } 141 | 142 | .plusico { 143 | height: 11px; 144 | width: 14px; 145 | background-position: 2px 1px; 146 | background-repeat: no-repeat; 147 | background-image: url(''); 148 | } 149 | 150 | .exploit { 151 | height: 13px; 152 | width: 13px; 153 | background-image: url(''); 154 | } 155 | 156 | .help { 157 | height: 14px; 158 | width: 14px; 159 | background-image: url(''); 160 | } 161 | 162 | .hotpatch { 163 | height: 15px; 164 | width: 15px; 165 | margin-top: -1px; 166 | background-image: url(''); 167 | } 168 | 169 | .dataleak { 170 | height: 15px; 171 | width: 13px; 172 | margin-top: -1px; 173 | margin-left: 3px; 174 | background-image: url(''); 175 | } 176 | 177 | .fileico, .minusico, .plusico, .exploit, .help, .hotpatch, .dataleak { 178 | margin-left: 2px; 179 | cursor:pointer; 180 | float:left; 181 | } 182 | 183 | 184 | .vulntitle { 185 | margin-left: 20px; 186 | } 187 | 188 | #window1, #window2, #window3, #window4, #window5 { 189 | display:none; 190 | position:absolute; 191 | top:200px; 192 | right:200px; 193 | } 194 | 195 | #funccode { 196 | display:none; 197 | position:absolute; 198 | } 199 | 200 | #funccodecontent { 201 | border: 1px solid #888; 202 | opacity: .96; 203 | max-height: 250px; 204 
| overflow-y: scroll; 205 | } 206 | 207 | #funccodetitle { 208 | border: 1px solid #888; 209 | padding: 4px; 210 | } 211 | 212 | .windowtitlebar, .funclisttitlebar { 213 | background: #364C63; 214 | height:30px; 215 | border: 2px solid black; 216 | color: #FFFFFF; 217 | z-index:3; 218 | cursor: move; 219 | white-space:nowrap; 220 | width:100%; 221 | } 222 | 223 | .windowtitle, .funclisttitle { 224 | margin-left:20px; 225 | height:30px; 226 | color: #DFDFDF; 227 | font-weight:bold; 228 | font-size:14px; 229 | padding-top:7px; 230 | margin-bottom:-7px; 231 | overflow:hidden; 232 | white-space:nowrap; 233 | } 234 | 235 | #scrolldiv { 236 | border-left: 2px solid black; 237 | width:84px; 238 | height:100%; 239 | position:relative; 240 | float:left; 241 | background-color: black; 242 | } 243 | 244 | #scrollwindow { 245 | height:50px; 246 | width:100%; 247 | position:absolute; 248 | } 249 | 250 | #scrollcode { 251 | width:85px; 252 | height:100%; 253 | overflow:hidden; 254 | } 255 | 256 | #scrollcode table { 257 | font-size:.15em; 258 | } 259 | #scrollcode td { 260 | padding: 0px; 261 | margin: 0px; 262 | line-height:0.02; 263 | height:0.02em; 264 | } 265 | 266 | .closebutton, .maxbutton { 267 | height:15px; 268 | width:15px; 269 | top:10px; 270 | position:absolute; 271 | } 272 | 273 | .maxbutton { 274 | right:40px; 275 | } 276 | 277 | .closebutton { 278 | right:20px; 279 | } 280 | 281 | .windowcontent, .funclistcontent { 282 | overflow:auto; 283 | opacity: .98; 284 | border-left: 2px solid black; 285 | border-right: 2px solid black; 286 | height: 100%; 287 | width:100%; 288 | } 289 | 290 | #windowcontent1 { 291 | float:left; 292 | margin-left:84px; 293 | position:absolute; 294 | width:516px; 295 | } 296 | 297 | .return { 298 | display:none; 299 | position:absolute; 300 | margin-top:-2px; 301 | margin-left:20px; 302 | font-size:16px; 303 | font-family: monospace; 304 | font-weight:bold; 305 | cursor:pointer; 306 | } 307 | 308 | .windowfooter , .funclistfooter { 309 | 
cursor:se-resize; 310 | background: #364C63; 311 | height:15px; 312 | border: 2px solid black; 313 | width:100%; 314 | } 315 | 316 | .funclistline { 317 | cursor: pointer; 318 | } 319 | 320 | .exploittitlebox { 321 | background-color: black; 322 | padding-left: 10px; 323 | margin-top: 10px; 324 | font-weight: bold; 325 | width: 390px; 326 | } 327 | 328 | .exploittitle { 329 | color:white; 330 | font-weight: bold; 331 | white-space: nowrap; 332 | width: 350px; 333 | float: left; 334 | } 335 | 336 | .exploitbox { 337 | width: 400px; 338 | } 339 | 340 | .exploitcontentbox { 341 | border: 2px solid black; 342 | background-color: #333333; 343 | padding: 3px; 344 | } 345 | 346 | .helptitle, .helpbox { 347 | border:1px solid black; 348 | padding-left:10px; 349 | padding-right:10px 350 | } 351 | 352 | .helptitle { 353 | background-color: #364C63; 354 | } 355 | 356 | .helpbox { 357 | background-color: #333333; 358 | } 359 | 360 | .linenrcolumn { 361 | text-align:right; 362 | } 363 | 364 | .filebox { 365 | margin-left: 20px; 366 | margin-right: 20px; 367 | color: black; 368 | } 369 | 370 | table { 371 | font-size: 14; 372 | } 373 | 374 | 375 | .menutable { 376 | color: #C0C0C0; 377 | } 378 | 379 | input[type="text"],select { 380 | color: #000 !important; 381 | background: #989FA2 !important; 382 | font-size:12px; 383 | padding:2px; 384 | border:1px solid #000; 385 | } 386 | 387 | .closebutton,.maxbutton, 388 | .Button { 389 | background-color:#454545; 390 | color:#fff; 391 | border:1px solid #000; 392 | } 393 | 394 | .Defined { 395 | text-decoration: none; 396 | color:#0000FF; 397 | } 398 | 399 | label { 400 | padding:10px; 401 | margin:10px; 402 | } 403 | 404 | img { 405 | border:0; 406 | } 407 | 408 | ul { 409 | list-style-type:none; 410 | } 411 | 412 | hr { 413 | border:1px solid black; 414 | } 415 | 416 | a { 417 | color: #DFDFDF; 418 | } 419 | 420 | .filename 421 | { 422 | text-decoration:underline; 423 | font-weight:bold; 424 | } 425 | 426 | .codebox { 427 | 
margin-bottom: 10px; 428 | background-color: #DFDFDF; 429 | } 430 | 431 | .vulnblocktitle { 432 | margin-left: 20px; 433 | font-size: 10pt; 434 | padding:5px; 435 | width:200px; 436 | } 437 | 438 | .vulnblock { 439 | border:1px solid black; 440 | } 441 | 442 | #filecanvas , #functioncanvas{ 443 | display:none; 444 | } 445 | 446 | .jumplink { 447 | position:absolute; 448 | margin-top:-40px; 449 | } 450 | -------------------------------------------------------------------------------- /css/rips.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/css/rips.png -------------------------------------------------------------------------------- /css/scanning.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/css/scanning.gif -------------------------------------------------------------------------------- /css/term.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .userinput, .persistent { 7 | list-style-type: disc; 8 | color:white; 9 | } 10 | .validated { 11 | list-style-type: disc; 12 | color:red; 13 | } 14 | .functioninput { 15 | list-style-type: disc; 16 | color:yellow; 17 | } 18 | 19 | .vulnblock { 20 | background-color:#223344; 21 | color:#FFF; 22 | font-weight:bold; 23 | } 24 | 25 | .codebox { 26 | margin-bottom: 10px; 27 | background-color: #101820; 28 | } 29 | 30 | .windowcontent, .filecanvas, #funccodecontent, #funccodetitle, .funclistcontent { 31 | background-color: #101820; 32 | } 33 | 34 | .markline { 35 | background-color: #0A212C; 36 | } 37 | 38 | .requires 39 | {color: #D2A8A1; font-weight:bold;} 40 | 41 | .linenr 42 | {color: #444;} 43 | 44 | .link 45 | {color: #DC578C; 
font-weight:bold;} 46 | 47 | .code, .vulntitle { 48 | font-size:9pt; 49 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 50 | } 51 | 52 | .code, 53 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 54 | {color: #B5C9C9; } 55 | 56 | .phps-t-string, 57 | .phps-t-eval, 58 | .phps-t-print, 59 | .phps-t-include, 60 | .phps-t-include-once, 61 | .phps-t-require, 62 | .phps-t-require-once, 63 | .phps-t-isset, 64 | .phps-t-empty, 65 | .phps-t-while, 66 | .phps-t-do, 67 | .phps-t-try, 68 | .phps-t-catch, 69 | .phps-t-exit, 70 | .phps-t-unset, 71 | .phps-t-list, 72 | .phps-t-array, 73 | .phps-t-echo, 74 | .phps-t-start-heredoc, 75 | .phps-t-end-heredoc 76 | {color: #FFFFFF;} 77 | /*E1E1F9*/ 78 | 79 | .phps-t-open-tag, 80 | .phps-t-close-tag, 81 | .phps-t-and-equal, 82 | .phps-t-concat-equal, 83 | .phps-t-div-equal, 84 | .phps-t-minus-equal, 85 | .phps-t-mod-equal, 86 | .phps-t-mul-equal, 87 | .phps-t-or-equal, 88 | .phps-t-plus-equal, 89 | .phps-t-sl-equal, 90 | .phps-t-sr-equal, 91 | .phps-t-xor-equal, 92 | .phps-t-is-equal, 93 | .phps-t-is-greater-or-equal, 94 | .phps-t-is-identical, 95 | .phps-t-is-not-equal, 96 | .phps-t-is-not-identical, 97 | .phps-t-object-operator, 98 | .phps-t-double-colon, 99 | .phps-t-paamayim-nekudotayim, 100 | .phps-t-if, 101 | .phps-t-isset, 102 | .phps-t-exclaim, 103 | .phps-t-for, 104 | .phps-t-foreach, 105 | .phps-t-return, 106 | .phps-t-double-arrow, 107 | .phps-t-as, 108 | .phps-t-or, 109 | .phps-t-case, 110 | .phps-t-default, 111 | .phps-t-break, 112 | .phps-t-continue, 113 | .phps-t-goto, 114 | .phps-t-and, 115 | .phps-t-xor, 116 | .phps-t-global, 117 | .phps-t-logical-and, 118 | .phps-t-logical-or, 119 | .phps-t-boolean-or, 120 | .phps-t-boolean-and, 121 | .phps-t-else, 122 | .phps-t-elseif, 123 | .phps-t-switch, 124 | .phps-t-use, 125 | .phps-t-var, 126 | .phps-t-inc, 127 | .phps-t-dec, 128 | .phps-t-function, 129 | .phps-t-public, 130 | .phps-t-private, 131 | .phps-t-protected, 
132 | .phps-t-static, 133 | .phps-t-class, 134 | .phps-t-new, 135 | .phps-t-bool-cast, 136 | .phps-t-double-cast, 137 | .phps-t-int-cast, 138 | .phps-t-unset-cast, 139 | .phps-t-file, 140 | .phps-t-line, 141 | .phps-t-dir, 142 | .phps-t-func-c, .phps-t-class-c, 143 | .phps-t-method-c, 144 | .phps-t-ns-c 145 | {color: #CF628D;} 146 | 147 | .phps-t-const 148 | {color: #CF628D;} 149 | 150 | .phps-t-variable, 151 | .phps-t-variable-marked, 152 | .phps-t-string-varname, 153 | .funclistline 154 | {color: #1487BD;} 155 | 156 | .phps-t-variable-marked 157 | {background-color:#132F3C;} 158 | 159 | .phps-tainted-var 160 | {color: #1AA9EC;} 161 | 162 | .phps-t-lnumber 163 | {color: #CF6A4C} 164 | 165 | .phps-t-encapsed-and-whitespace, 166 | .phps-t-constant-encapsed-string 167 | {color: #6C8EB7;} 168 | /* FFCE42 */ 169 | .phps-t-inline-html 170 | {color: #FFCE42;} 171 | 172 | .phps-t-comment, 173 | .phps-t-ml-comment, 174 | .phps-t-doc-comment 175 | {color: #2C425D} 176 | -------------------------------------------------------------------------------- /css/twilight.css: -------------------------------------------------------------------------------- 1 | #scrollwindow { 2 | background-color: grey; 3 | opacity:0.22; 4 | } 5 | 6 | .userinput, .persistent { 7 | list-style-type: disc; 8 | color:white; 9 | } 10 | .validated { 11 | list-style-type: disc; 12 | color:red; 13 | } 14 | .functioninput { 15 | list-style-type: disc; 16 | color:yellow; 17 | } 18 | 19 | .codebox { 20 | margin-bottom: 10px; 21 | background-color: #141414; 22 | } 23 | 24 | .vulnblock { 25 | background-color:#151D24; 26 | color:#FFCC44; 27 | font-weight:bold; 28 | } 29 | 30 | .windowcontent, .filecanvas, #funccodecontent, #funccodetitle, .funclistcontent { 31 | background-color: #141414; 32 | } 33 | 34 | .markline { 35 | background-color: #531107; 36 | } 37 | 38 | .requires 39 | {color: #D2A8A1; font-weight:bold;} 40 | 41 | .linenr 42 | {color: #888;} 43 | 44 | .link 45 | {color: #CF6A4C; font-weight:bold;} 46 
| 47 | .code, .vulntitle { 48 | font-size:9pt; 49 | font-family: "Bitstream Vera Sans Mono", "Monaco", "Courier New", monospace; 50 | } 51 | 52 | .code, 53 | .phps-code, .phps-t-curly-open, .phps-t-dollar-open-curly-braces, .vulntitle 54 | {color: white; } 55 | 56 | .phps-t-string, 57 | .phps-t-eval, 58 | .phps-t-print, 59 | .phps-t-include, 60 | .phps-t-include-once, 61 | .phps-t-require, 62 | .phps-t-require-once, 63 | .phps-t-isset, 64 | .phps-t-empty, 65 | .phps-t-while, 66 | .phps-t-do, 67 | .phps-t-try, 68 | .phps-t-catch, 69 | .phps-t-exit, 70 | .phps-t-unset, 71 | .phps-t-list, 72 | .phps-t-array, 73 | .phps-t-echo, 74 | .phps-t-start-heredoc, 75 | .phps-t-end-heredoc 76 | {color: #DAD085;} 77 | 78 | 79 | .phps-t-open-tag, 80 | .phps-t-close-tag, 81 | .phps-t-and-equal, 82 | .phps-t-concat-equal, 83 | .phps-t-div-equal, 84 | .phps-t-minus-equal, 85 | .phps-t-mod-equal, 86 | .phps-t-mul-equal, 87 | .phps-t-or-equal, 88 | .phps-t-plus-equal, 89 | .phps-t-sl-equal, 90 | .phps-t-sr-equal, 91 | .phps-t-xor-equal, 92 | .phps-t-is-equal, 93 | .phps-t-is-greater-or-equal, 94 | .phps-t-is-identical, 95 | .phps-t-is-not-equal, 96 | .phps-t-is-not-identical, 97 | .phps-t-object-operator, 98 | .phps-t-double-colon, 99 | .phps-t-paamayim-nekudotayim, 100 | .phps-t-if, 101 | .phps-t-isset, 102 | .phps-t-exclaim, 103 | .phps-t-for, 104 | .phps-t-foreach, 105 | .phps-t-return, 106 | .phps-t-double-arrow, 107 | .phps-t-as, 108 | .phps-t-or, 109 | .phps-t-case, 110 | .phps-t-default, 111 | .phps-t-break, 112 | .phps-t-continue, 113 | .phps-t-goto, 114 | .phps-t-and, 115 | .phps-t-xor, 116 | .phps-t-global, 117 | .phps-t-logical-and, 118 | .phps-t-logical-or, 119 | .phps-t-boolean-or, 120 | .phps-t-boolean-and, 121 | .phps-t-else, 122 | .phps-t-elseif, 123 | .phps-t-switch, 124 | .phps-t-use, 125 | .phps-t-var, 126 | .phps-t-inc, 127 | .phps-t-dec, 128 | .phps-t-function, 129 | .phps-t-public, 130 | .phps-t-private, 131 | .phps-t-protected, 132 | .phps-t-static, 133 | 
.phps-t-class, 134 | .phps-t-new, 135 | .phps-t-bool-cast, 136 | .phps-t-double-cast, 137 | .phps-t-int-cast, 138 | .phps-t-unset-cast, 139 | .phps-t-file, 140 | 141 | .phps-t-line, 142 | 143 | .phps-t-dir, 144 | 145 | .phps-t-func-c, 146 | 147 | .phps-t-class-c, 148 | 149 | .phps-t-method-c, 150 | 151 | .phps-t-ns-c 152 | {color: #9B703F;} 153 | 154 | .phps-t-const 155 | {color: #CF6A4C;} 156 | 157 | .phps-t-variable, 158 | .phps-t-variable-marked, 159 | .phps-t-string-varname, 160 | .funclistline 161 | {color: #7587A6;} 162 | 163 | .phps-t-variable-marked 164 | {background-color:darkred;} 165 | 166 | .phps-tainted-var 167 | {color: #9ABDFB;} 168 | 169 | .phps-t-lnumber 170 | {color: #CF6A4C} 171 | 172 | .phps-t-encapsed-and-whitespace, 173 | .phps-t-constant-encapsed-string 174 | {color: #8F9D6A;} 175 | 176 | .phps-t-inline-html 177 | {color: #F9EE98;} 178 | 179 | .phps-t-comment, 180 | .phps-t-ml-comment, 181 | .phps-t-doc-comment 182 | {color: #5F5A60} 183 | -------------------------------------------------------------------------------- /index.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | include 'config/general.php'; 19 | if (defined("MODE_CLI")) 20 | parse_str(implode('&', array_slice($argv, 1)), $_POST); // parse commandline into $_POST 21 | 22 | ?> 23 | 24 | 25 | 26 | \n"; 33 | } 34 | ?> 35 | 36 | 37 | 38 | 39 | RIPS - A static source code analyser for vulnerabilities in PHP scripts 40 | 41 | 42 | 43 | 162 | 163 | 164 |
scanning ... 165 |
166 |
167 | 168 |
169 | 170 | 176 |
177 |

Quickstart:

178 |

Locate your local PHP source code path/file (e.g. /var/www/project1/ or /var/www/index.php), choose the vulnerability type you are looking for and click scan!
179 | Check subdirs to include all subdirectories in the scan. It is recommended to scan only the root directory of your project. Files in subdirectories will be scanned automatically by RIPS when they are included by the PHP code. However, enabling subdirs can improve the scan result and the include success rate (shown in the result).

180 |

Advanced:

181 |

Debug errors or improve your scan result by choosing a different verbosity level (default level 1 is recommended).
182 | After the scan has finished, 4 new buttons will appear in the upper right. You can select between the different types of vulnerabilities that have been found by clicking on their name in the stats window. You can click user input in the upper right to get a list of entry points, functions for a list and graph of all user-defined functions, or files for a list and graph of all scanned files and their includes. All lists are linked to the Code Viewer.

183 |

Style:

184 |

Change the syntax highlighting schema on-the-fly by selecting a different code style.
185 | Before scanning, you can choose which way the code flow should be displayed: bottom-up or top-down.

186 |

Icons:

187 |
    188 |
  • User input has been found in this line. Potential entry point for vulnerability exploitation.
  • 189 |
  • Vulnerability exploitation depends on the parameters passed to the function declared in this line. Have a look at the calls in the scan result.
    Click or to jump to the next declaration or call of this function.
  • 190 |
  • User-implemented securing has been detected in this line. This may prevent exploitation.
  • 191 |
192 |

Options:

193 |
    194 |
  •  Click the file icon to open the Code Viewer to review the original code. A new window will be opened with all relevant lines highlighted.
    195 | Highlight variables temporarily by hovering over them, or persistently by clicking on the variable. Jump into the code of a user-defined function by clicking on the call. Click return at the bottom of the Code Viewer to jump back. This also works for nested function calls.
  • 196 |
  •  Click the minimize icon to hide a specific code trace. You may display it later by clicking the icon again.
  • 197 |
  •  Click the target icon to open the Exploit Creator. A new window will open where you can enter exploit details and create PHP Curl exploit code.
  • 198 |
  •  Click the help icon to get a description, example code, example exploitation, patch and related securing functions for this vulnerability type.
  • 199 |
  •  Click the data leak icon to check whether the output of the tainted sink leaks somewhere (i.e. is embedded in the HTTP response via echo/print).
  • 200 |
201 |

Hints:

202 |
    203 |
  • RIPS implements static source code analysis. It only scans source code files and will not execute the code.
  • 204 |
  • Object-oriented code (classes) is not supported in this version.
  • 205 |
  • Make sure RIPS has file permissions on the files to be scanned.
  • 206 |
  • Don't leave the web interface of RIPS open to the public internet. Use it on your local web server only.
  • 207 |
  • Only tested with Firefox.
  • 208 |
209 |
210 | 211 | 214 |
215 | 216 | 217 | 218 | -------------------------------------------------------------------------------- /js/exploit.js: -------------------------------------------------------------------------------- 1 | /** 2 | RIPS - A static source code analyser for vulnerabilities in PHP scripts 3 | by Johannes Dahse (johannes.dahse@rub.de) 4 | **/ 5 | 6 | function editExploit() 7 | { 8 | document.getElementById('exploitcode').style.display = "none"; 9 | document.getElementById('exploitbuild').style.display = "block"; 10 | } 11 | 12 | function deleteMethod(method) 13 | { 14 | document.getElementById(method+'box').style.display = "none"; 15 | } 16 | 17 | function getQuery(method) 18 | { 19 | var query = ""; 20 | var elements = document.getElementById(method).elements; 21 | for(var i=0;i"; 45 | output = output + "
//

$target = $argv[1];

"; 46 | 47 | var target = document.getElementById('target').value; 48 | var cookiejar = document.getElementById('cookiejar').value; 49 | var exectime = document.getElementById('exectime').value; 50 | var ssl = document.getElementById('ssl').checked 51 | var auth = document.getElementById('auth').checked 52 | 53 | if(document.getElementById('$_FILES') != undefined) 54 | output = output + "$postData = array();
$postData[ 'file' ] = \"@" + document.getElementById('$_FILES').elements[0].value + "\";

"; 55 | 56 | if(auth) 57 | { 58 | output = output + "$username = \"\";
$password = \"\";

"; 59 | } 60 | 61 | output = output + "$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
"; 62 | 63 | if(document.getElementById('$_GET') != undefined) 64 | { 65 | var getquery = getQuery('$_GET'); 66 | output = output + "curl_setopt($ch, CURLOPT_URL, \"" + target + '?' + getquery + "\");
"; 67 | output = output + "curl_setopt($ch, CURLOPT_HTTPGET, 1);
"; 68 | } 69 | else 70 | { 71 | output = output + "curl_setopt($ch, CURLOPT_URL, \"" + target + "\");
"; 72 | } 73 | 74 | output = output + "curl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\");
"; 75 | 76 | 77 | if(document.getElementById('$_POST') != undefined || document.getElementById('$_FILES') != undefined) 78 | output = output + "curl_setopt($ch, CURLOPT_POST, 1);
"; 79 | 80 | if(document.getElementById('$_POST') != undefined) 81 | { 82 | var postquery = getQuery('$_POST'); 83 | output = output + "curl_setopt($ch, CURLOPT_POSTFIELDS, \"" + postquery + "\");
"; 84 | } 85 | 86 | if(document.getElementById('$_FILES') != undefined) 87 | output = output + "curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
"; 88 | 89 | if(document.getElementById('$_COOKIE') != undefined) 90 | { 91 | var cookie = getQuery('$_COOKIE'); 92 | output = output + "curl_setopt($ch, CURLOPT_COOKIE, \"" + cookie + "\");
"; 93 | } 94 | 95 | if(document.getElementById('$_SERVER') != undefined) 96 | { 97 | var elements = document.getElementById('$_SERVER').elements; 98 | for(var i=0;i"; 102 | else if(elements[i].name == 'HTTP_ACCEPT') 103 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Accept: "+elements[i].value+"\");
"; 104 | else if(elements[i].name == 'HTTP_ACCEPT_LANGUAGE') 105 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Accept-Language: "+elements[i].value+"\");
"; 106 | else if(elements[i].name == 'HTTP_ACCEPT_ENCODING') 107 | output = output + "curl_setopt($ch, CURLOPT_ENCODING, \""+elements[i].value+"\");
"; 108 | else if(elements[i].name == 'HTTP_ACCEPT_CHARSET') 109 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Accept-Charset: "+elements[i].value+"\");
"; 110 | else if(elements[i].name == 'HTTP_KEEP_ALIVE') 111 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, array(\"Connection: keep-alive\", \"Keep-Alive: "+elements[i].value+"\"));
"; 112 | else if(elements[i].name == 'HTTP_CONNECTION') 113 | output = output + "curl_setopt($ch, CURLOPT_HTTPHEADER, \"Connection: "+elements[i].value+"\");
"; 114 | } 115 | } 116 | 117 | 118 | if(exectime != "") 119 | output = output + "curl_setopt($ch, CURLOPT_TIMEOUT, " + exectime + ");
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, " + exectime + ");
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, " + exectime + ");
"; 120 | 121 | if(cookiejar != "") 122 | output = output + "curl_setopt($ch, CURLOPT_COOKIEJAR, \"" + cookiejar + "\");
"; 123 | 124 | if(ssl) 125 | { 126 | output = output + "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
"; 127 | output = output + "curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
"; 128 | output = output + "curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
"; 129 | } 130 | 131 | if(auth) 132 | { 133 | output = output + "curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
"; 134 | output = output + "curl_setopt($ch, CURLOPT_USERPWD, \"$username:$password\");
"; 135 | } 136 | 137 | output = output + "$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
"; 138 | output = output + "
echo $buf;
"; 139 | 140 | var exploitdiv = document.getElementById('exploitcode'); 141 | exploitdiv.innerHTML = output; 142 | exploitdiv.style.display = "block"; 143 | document.getElementById('exploitbuild').style.display = "none"; 144 | } 145 | 146 | function setssl() 147 | { 148 | var targetelement = document.getElementById('target'); 149 | var newset; 150 | var oldset = targetelement.value; 151 | if(document.getElementById('ssl').checked) 152 | { 153 | oldset = oldset.replace(/https:/, "http:"); 154 | newset = oldset.replace(/http:/, "https:"); 155 | } else 156 | { 157 | newset = oldset.replace(/https/, "http"); 158 | } 159 | targetelement.value = newset; 160 | } 161 | -------------------------------------------------------------------------------- /js/hotpatch.js: -------------------------------------------------------------------------------- 1 | function getParams(method) 2 | { 3 | var query = ""; 4 | var elements = document.getElementById(method).elements; 5 | for(var i=0;i $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; classtype:attempted-recon;) 38 | 39 | 40 | // mod_security 41 | 42 | // SERVER 43 | SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" 44 | "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'4'" 45 | 46 | http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/04-rules.html 47 | */ 48 | -------------------------------------------------------------------------------- /lib/analyzer.php: -------------------------------------------------------------------------------- 1 | . 
15 | 16 | **/ 17 | 18 | class Analyzer 19 | { 20 | // reconstructs string from a list of tokens 21 | static function get_tokens_value($file_name, $tokens, $var_declares, $var_declares_global, $tokenid, $start=0, $stop=0, $source_functions=array()) 22 | { 23 | $value = ''; 24 | if(!$stop) $stop = count($tokens); 25 | // check all tokens until instruction ends 26 | for($i=$start; $i<$stop; $i++) 27 | { 28 | if( is_array($tokens[$i]) ) 29 | { 30 | // trace variables for its values 31 | if( $tokens[$i][0] === T_VARIABLE 32 | || ($tokens[$i][0] === T_STRING 33 | && $tokens[$i+1] !== '(' ) ) 34 | { 35 | if(!in_array($tokens[$i][1], Sources::$V_USERINPUT)) 36 | { 37 | // constant CONSTANTS 38 | if ($tokens[$i][1] === 'DIRECTORY_SEPARATOR') 39 | $value .= '/'; 40 | else if ($tokens[$i][1] === 'PATH_SEPARATOR') 41 | $value .= ';'; 42 | // global $varname -> global scope, CONSTANTS 43 | else if( (isset($tokens[$i-1]) && is_array($tokens[$i-1]) && $tokens[$i-1][0] === T_GLOBAL) || $tokens[$i][1][0] !== '$' ) 44 | $value .= self::get_var_value($file_name, $tokens[$i], $var_declares_global, $var_declares_global, $tokenid); 45 | // local scope 46 | else 47 | $value .= self::get_var_value($file_name, $tokens[$i], $var_declares, $var_declares_global, $tokenid); 48 | } else 49 | { 50 | if(isset($tokens[$i][3])) 51 | $parameter_name = str_replace(array("'",'"'), '', $tokens[$i][3][0]); 52 | else 53 | $parameter_name = ''; 54 | 55 | // mark userinput for quote analysis 56 | if( ($tokens[$i][1] !== '$_SERVER' || (empty($parameter_name) || in_array($parameter_name, Sources::$V_SERVER_PARAMS) || substr($parameter_name,0,5) === 'HTTP_')) 57 | && !((is_array($tokens[$i-1]) 58 | && in_array($tokens[$i-1][0], Tokens::$T_CASTS)) 59 | || (is_array($tokens[$i+1]) 60 | && in_array($tokens[$i+1][0], Tokens::$T_ARITHMETIC))) ) 61 | $value.='$_USERINPUT'; 62 | else 63 | $value.='1'; 64 | } 65 | } 66 | // add strings 67 | // except first string of define('var', 'value') 68 | else if( $tokens[$i][0] 
=== T_CONSTANT_ENCAPSED_STRING 69 | && !($tokens[$i-2][0] === T_STRING && $tokens[$i-2][1] === 'define')) 70 | { 71 | // add string without quotes 72 | $value .= substr($tokens[$i][1], 1, -1); 73 | } 74 | // add directory name dirname(__FILE__) 75 | else if( $tokens[$i][0] === T_FILE 76 | && ($tokens[$i-2][0] === T_STRING && $tokens[$i-2][1] === 'dirname')) 77 | { 78 | // overwrite value because __FILE__ is absolute 79 | // add slash just to be sure 80 | $value = dirname($file_name).'/'; 81 | } 82 | // add numbers 83 | else if( $tokens[$i][0] === T_LNUMBER || $tokens[$i][0] === T_DNUMBER || $tokens[$i][0] === T_NUM_STRING ) 84 | { 85 | $value .= round($tokens[$i][1]); 86 | } 87 | else if( $tokens[$i][0] === T_ENCAPSED_AND_WHITESPACE ) 88 | { 89 | $value .= $tokens[$i][1]; 90 | } 91 | // if in foreach($bla as $key=>$value) dont trace $key, $value back 92 | else if( $tokens[$i][0] === T_AS ) 93 | { 94 | break; 95 | } 96 | // function calls 97 | else if($tokens[$i][0] === T_STRING && $tokens[$i+1] === '(') 98 | { 99 | // stop if strings are fetched from database/file (otherwise SQL query will be added) 100 | if (in_array($tokens[$i][1], Sources::$F_DATABASE_INPUT) || in_array($tokens[$i][1], Sources::$F_FILE_INPUT) || isset(Info::$F_INTEREST[$tokens[$i][1]])) 101 | { 102 | break; 103 | } 104 | // add userinput for functions that return userinput 105 | else if(in_array($tokens[$i][1], $source_functions)) 106 | { 107 | $value .= '$_USERINPUT'; 108 | } 109 | } 110 | } 111 | } 112 | 113 | return $value; 114 | 115 | } 116 | 117 | // traces values of variables and reconstructs string 118 | static function get_var_value($file_name, $var_token, $var_declares, $var_declares_global, $last_token_id, $source_functions=array()) 119 | { 120 | $var_value = ''; 121 | 122 | // CONSTANTS 123 | if($var_token[1][0] !== '$') 124 | $var_token[1] = strtoupper($var_token[1]); 125 | 126 | // check if var declaration could be found for this var 127 | if( isset($var_declares[$var_token[1]]) ) 
128 | { 129 | foreach($var_declares[$var_token[1]] as $var_declare) 130 | { 131 | // check if array keys are the same (if it is an array) 132 | $array_key_diff = false; 133 | if( isset($var_token[3]) && !empty($var_declare->array_keys) ) 134 | $array_key_diff = array_diff_assoc($var_token[3], $var_declare->array_keys); 135 | 136 | if( $var_declare->id < $last_token_id && empty($array_key_diff)) 137 | $var_value .= self::get_tokens_value($file_name, $var_declare->tokens, $var_declares, $var_declares_global, $var_declare->id, $var_declare->tokenscanstart, $var_declare->tokenscanstop, $source_functions); 138 | 139 | if($var_value) 140 | break; 141 | } 142 | } 143 | return $var_value; 144 | } 145 | 146 | // get end of codeblock (Detect brace ending, ignore new brace opening and closing in between) 147 | static function getBraceEnd($tokens, $i) 148 | { 149 | $c=1; 150 | $newbraceopen = 1; 151 | while( !($newbraceopen === 0 || $tokens[$i + $c] === ';') ) 152 | { 153 | // watch function calls in function call 154 | if( $tokens[$i + $c] === '(' ) 155 | { 156 | $newbraceopen++; 157 | } 158 | else if( $tokens[$i + $c] === ')' ) 159 | { 160 | $newbraceopen--; 161 | } 162 | if($c>50)break; 163 | $c++; 164 | } 165 | return $c; 166 | } 167 | 168 | static function get_ini_paths($path) 169 | { 170 | if(!preg_match('/([;\\\\]|\W*[C-Z]{1}:)/', $path)) 171 | $path = str_replace(':', ';', $path); 172 | return explode(';', $path); 173 | } 174 | } 175 | -------------------------------------------------------------------------------- /lib/constructer.php: -------------------------------------------------------------------------------- 1 | . 
15 | 16 | **/ 17 | 18 | // variable declarations = childs 19 | class VarDeclare 20 | { 21 | public $id; 22 | public $tokens; 23 | public $tokenscanstart; 24 | public $tokenscanstop; 25 | public $value; 26 | public $comment; 27 | public $line; 28 | public $marker; 29 | public $dependencies; 30 | public $stopvar; 31 | public $array_keys; 32 | 33 | function __construct($tokens = array(), $comment = '') 34 | { 35 | $this->id = 0; 36 | $this->tokens = $tokens; 37 | $this->tokenscanstart = 0; 38 | $this->tokenscanstop = count($tokens); 39 | $this->value = ''; 40 | $this->comment = $comment; 41 | $this->line = ''; 42 | $this->marker = 0; 43 | $this->dependencies = array(); 44 | $this->stopvar = false; 45 | $this->array_keys = array(); 46 | } 47 | } 48 | 49 | // group vulnerable parts to one vulnerability trace 50 | class VulnBlock 51 | { 52 | public $uid; 53 | public $vuln; 54 | public $category; 55 | public $treenodes; 56 | public $sink; 57 | public $dataleakvar; 58 | public $alternates; 59 | 60 | function __construct($uid = '', $category = 'match', $sink = '') 61 | { 62 | $this->uid = $uid; 63 | $this->vuln = false; 64 | $this->category = $category; 65 | $this->treenodes = array(); 66 | $this->sink = $sink; 67 | $this->dataleakvar = array(); 68 | $this->alternates = array(); 69 | } 70 | } 71 | 72 | // used to store new finds 73 | class VulnTreeNode 74 | { 75 | public $id; 76 | public $value; 77 | public $dependencies; 78 | public $title; 79 | public $name; 80 | public $marker; 81 | public $lines; 82 | public $filename; 83 | public $children; 84 | public $funcdepend; 85 | public $funcparamdepend; 86 | public $foundcallee; 87 | public $get; 88 | public $post; 89 | public $cookie; 90 | public $files; 91 | public $server; 92 | 93 | function __construct($value = null) 94 | { 95 | $this->id = 0; 96 | $this->value = $value; 97 | $this->title = ''; 98 | $this->dependencies = array(); 99 | $this->name = ''; 100 | $this->marker = 0; 101 | $this->lines = array(); 102 | 
$this->filename = ''; 103 | $this->children = array(); 104 | $this->funcdepend = ''; 105 | $this->funcparamdepend = null; 106 | $this->foundcallee = false; 107 | } 108 | } 109 | 110 | // information gathering finds 111 | class InfoTreeNode 112 | { 113 | public $value; 114 | public $dependencies; 115 | public $name; 116 | public $lines; 117 | public $title; 118 | public $filename; 119 | 120 | function __construct($value = null) 121 | { 122 | $this->title = 'File Inclusion'; 123 | $this->value = $value; 124 | $this->dependencies = array(); 125 | $this->name = ''; 126 | $this->lines = array(); 127 | $this->filename = ''; 128 | } 129 | } 130 | 131 | // function declaration 132 | class FunctionDeclare 133 | { 134 | public $value; 135 | public $tokens; 136 | public $name; 137 | public $line; 138 | public $marker; 139 | public $parameters; 140 | 141 | function __construct($tokens) 142 | { 143 | $this->value = ''; 144 | $this->tokens = $tokens; 145 | $this->name = ''; 146 | $this->line = 0; 147 | $this->marker = 0; 148 | $this->parameters = array(); 149 | } 150 | } 151 | -------------------------------------------------------------------------------- /lib/filer.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | // get all php files from directory, including all subdirectories 19 | function read_recursiv($path, $scan_subdirs) 20 | { 21 | $result = array(); 22 | 23 | $handle = opendir($path); 24 | 25 | if ($handle) 26 | { 27 | while (false !== ($file = readdir($handle))) 28 | { 29 | if ($file !== '.' && $file !== '..') 30 | { 31 | $name = $path . '/' . 
$file; 32 | if (is_dir($name) && $scan_subdirs) 33 | { 34 | $ar = read_recursiv($name, true); 35 | foreach ($ar as $value) 36 | { 37 | if(in_array(substr($value, strrpos($value, '.')), $GLOBALS['FILETYPES'])) 38 | $result[] = $value; 39 | } 40 | } else if(in_array(substr($name, strrpos($name, '.')), $GLOBALS['FILETYPES'])) 41 | { 42 | $result[] = $name; 43 | } 44 | } 45 | } 46 | } 47 | closedir($handle); 48 | return $result; 49 | } 50 | -------------------------------------------------------------------------------- /lib/searcher.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | function searchFile($file_name, $search) 19 | { 20 | $search = str_replace('/', '.', $search); 21 | $lines = file($file_name); 22 | $block = new VulnBlock('Search hits'); 23 | for($i=0; $i'); 30 | $line = highlightline($tokens, '', $i+1, $search); 31 | 32 | $line = preg_replace("/(>[^<]*)(".preg_quote(trim($matches[0]), '/').")/i", "$1$2", $line); 33 | $new_find = new VulnTreeNode($line); 34 | $new_find->filename = $file_name; 35 | $new_find->title = 'Regular expression match'; 36 | $new_find->lines[] = $i+1; 37 | 38 | $block->treenodes[] = $new_find; 39 | $block->vuln = true; 40 | } 41 | } 42 | $id = (isset($GLOBALS['output'][$file_name])) ? count($GLOBALS['output'][$file_name]) : 0; 43 | $GLOBALS['output'][$file_name][$id] = $block; 44 | } 45 | -------------------------------------------------------------------------------- /main.php: -------------------------------------------------------------------------------- 1 | . 
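<?php
/**
 * main.php - scan entry point of RIPS.
 *
 * Reads the scan request from $_POST and either runs the taint scanner over
 * the selected files (vulnerability scan) or greps them with a user-supplied
 * regular expression (search mode). The result tables are rendered by the
 * HTML part of this file that follows the closing ?> tag.
 *
 * SECURITY NOTE: nothing here authenticates the caller. $_POST['loc'] is an
 * arbitrary server path and $_POST['regex'] is handed unchanged to
 * searchFile(), so whoever can reach this script can make the web server
 * read (and, in search mode, print matching lines of) any file with a
 * scanned extension that it has access to. Keep the interface bound to
 * localhost or behind web-server authentication, as help.php already says.
 */

############################### INCLUDES ################################

include('config/general.php');    // general settings
include('config/sources.php');    // tainted variables and functions
include('config/tokens.php');     // tokens for lexical analysis
include('config/securing.php');   // securing functions
include('config/sinks.php');      // sensitive sinks
include('config/info.php');       // interesting functions

include('lib/constructer.php');   // classes
include('lib/filer.php');         // read files from dirs and subdirs
include('lib/tokenizer.php');     // prepare and fix token list
include('lib/analyzer.php');      // string analyzers
include('lib/scanner.php');       // provides class for scan
include('lib/printer.php');       // output scan result
include('lib/searcher.php');      // search functions

############################### MAIN ####################################

$start = microtime(TRUE);

$output = array();
$info = array();
$scanned_files = array();
// Always defined: the RESULT section below calls count($files) even when
// no location was posted.
$files = array();

if(!empty($_POST['loc']))
{
    // realpath() resolves '..' and symlinks; it does NOT confine the path to
    // any directory, so the caller can still select any readable location.
    $location = realpath($_POST['loc']);

    if(is_dir($location))
    {
        // !empty() has the same truthiness as the isset()-ternary it replaces;
        // read_recursiv() and the RESULT section only test it as a boolean.
        $scan_subdirs = !empty($_POST['subdirs']);
        $files = read_recursiv($location, $scan_subdirs);

        // Large scans are confirmed by the UI first; 'warning:N' is parsed
        // by the front-end JavaScript.
        if(count($files) > WARNFILES && !isset($_POST['ignore_warning']))
            die('warning:'.count($files));
    }
    else if(is_file($location) && in_array(substr($location, strrpos($location, '.')), $FILETYPES))
    {
        $files[0] = $location;
    }
    else
    {
        $files = array();
    }

    // SCAN
    if(empty($_POST['search']))
    {
        $user_functions = array();
        $user_functions_offset = array();
        $user_input = array();

        $file_sinks_count = array();
        $count_xss=$count_sqli=$count_fr=$count_fa=$count_fi=$count_exec=$count_code=$count_eval=$count_xpath=$count_ldap=$count_con=$count_other=$count_pop=$count_inc=$count_inc_fail=$count_header=$count_sf=$count_ri=0;

        // Verbosity is compared numerically below; cast so a non-numeric
        // POST value cannot slip through the loose comparisons.
        $verbosity = isset($_POST['verbosity']) ? (int)$_POST['verbosity'] : 1;
        // Missing vector falls into the 'all' default of the switch, exactly
        // as an undefined index did before (minus the notice).
        $vector = isset($_POST['vector']) ? $_POST['vector'] : 'all';
        $scan_functions = array();
        $info_functions = Info::$F_INTEREST;
        // Initialised up front: the original left this undefined when
        // verbosity was 5 and the vector was 'unserialize', and then passed
        // the undefined variable to Scanner.
        $source_functions = array();

        // verbosity 5 = information gathering only, no sink scanning
        if($verbosity != 5)
        {
            switch($vector)
            {
                case 'xss':         $scan_functions = $F_XSS; break;
                case 'httpheader':  $scan_functions = $F_HTTP_HEADER; break;
                case 'fixation':    $scan_functions = $F_SESSION_FIXATION; break;
                case 'code':        $scan_functions = $F_CODE; break;
                case 'ri':          $scan_functions = $F_REFLECTION; break;
                case 'file_read':   $scan_functions = $F_FILE_READ; break;
                case 'file_affect': $scan_functions = $F_FILE_AFFECT; break;
                case 'file_include':$scan_functions = $F_FILE_INCLUDE; break;
                case 'exec':        $scan_functions = $F_EXEC; break;
                case 'database':    $scan_functions = $F_DATABASE; break;
                case 'xpath':       $scan_functions = $F_XPATH; break;
                case 'ldap':        $scan_functions = $F_LDAP; break;
                case 'connect':     $scan_functions = $F_CONNECT; break;
                case 'other':       $scan_functions = $F_OTHER; break;
                case 'unserialize':
                    // POP-chain mode: unserialize() is the only taint source
                    // and verbosity is forced to 2.
                    $scan_functions = $F_POP;
                    $info_functions = Info::$F_INTEREST_POP;
                    $source_functions = array('unserialize');
                    $verbosity = 2;
                    break;
                case 'client':
                    $scan_functions = array_merge(
                        $F_XSS,
                        $F_HTTP_HEADER,
                        $F_SESSION_FIXATION
                    );
                    break;
                case 'server':
                    $scan_functions = array_merge(
                        $F_CODE,
                        $F_REFLECTION,
                        $F_FILE_READ,
                        $F_FILE_AFFECT,
                        $F_FILE_INCLUDE,
                        $F_EXEC,
                        $F_DATABASE,
                        $F_XPATH,
                        $F_LDAP,
                        $F_CONNECT,
                        $F_POP,
                        $F_OTHER
                    );
                    break;
                case 'all':
                default:
                    $scan_functions = array_merge(
                        $F_XSS,
                        $F_HTTP_HEADER,
                        $F_SESSION_FIXATION,
                        $F_CODE,
                        $F_REFLECTION,
                        $F_FILE_READ,
                        $F_FILE_AFFECT,
                        $F_FILE_INCLUDE,
                        $F_EXEC,
                        $F_DATABASE,
                        $F_XPATH,
                        $F_LDAP,
                        $F_CONNECT,
                        $F_POP,
                        $F_OTHER
                    );
                    break;
            }
        }

        if($vector !== 'unserialize')
        {
            $source_functions = Sources::$F_OTHER_INPUT;
            // verbosity 2-4: values read from files and databases are
            // treated as tainted as well
            if( $verbosity > 1 && $verbosity < 5 )
            {
                $source_functions = array_merge(Sources::$F_OTHER_INPUT, Sources::$F_FILE_INPUT, Sources::$F_DATABASE_INPUT);
            }
        }

        $overall_time = 0;
        $timeleft = 0;
        $file_amount = count($files);
        // NOTE(review): characters inside this literal were lost when the
        // page was extracted (the visible text is a bare newline pair); the
        // upstream file presumably emits markup that the CLI wrapper uses to
        // hide the progress lines below. Confirm against upstream.
        if (defined("MODE_CLI"))
            echo "\n
"; //hide metadata

        for($fit=0; $fit<$file_amount; $fit++)
        {
            // progress line for the scanning display:
            //   index|total|file|estimated seconds left|
            $thisfile_start = microtime(TRUE);
            $file_scanning = $files[$fit];

            // The path is echoed unescaped; it has passed realpath(), so it
            // is an existing server path, but the front end must still treat
            // it as untrusted text when it renders it.
            echo ($fit) . '|' . $file_amount . '|' . $file_scanning . '|' . $timeleft . '|' . "\n";
            @ob_flush();
            flush();

            // scan
            $scan = new Scanner($file_scanning, $scan_functions, $info_functions, $source_functions);
            $scan->parse();
            $scanned_files[$file_scanning] = $scan->inc_map;

            $overall_time += microtime(TRUE) - $thisfile_start;
            // timeleft = average_time_per_file * files_left.
            // $fit+1 files are done, so $file_amount - ($fit+1) remain; the
            // original wrote ($file_amount - $fit+1), which is files_left + 2.
            $timeleft = round(($overall_time/($fit+1)) * ($file_amount - ($fit+1)), 2);
        }
        echo "STATS_DONE.\n";
        // NOTE(review): same lost literal as above - confirm against upstream.
        if (defined("MODE_CLI"))
            echo "\n
"; //hide metadata
        @ob_flush();
        flush();

    }
    // SEARCH
    else if(!empty($_POST['regex']))
    {
        $count_matches = 0;
        $verbosity = 0;
        // $_POST['regex'] is a caller-controlled PCRE pattern applied to every
        // selected file (see searchFile()); it is not escaped here, so a
        // pathological pattern can make the scan very slow.
        foreach($files as $file_name)
        {
            searchFile($file_name, $_POST['regex']);
        }
    }
}

$elapsed = microtime(TRUE) - $start;

################################ RESULT #################################
?>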
208 |
209 |
210 | 211 | 212 |
213 | 214 |
215 |
216 |
217 |
218 |
219 |
220 |
221 |
222 | 223 |
↵ return
224 |
225 |
226 | 227 |
228 |
229 |
230 | 231 |
232 |
233 |
234 |
235 | 236 |
237 |
238 |
239 | user defined functions and calls 240 |
241 | 242 |
243 |
244 |
245 | 246 | 247 | 248 | (graph not available in debug mode)'; ?> 249 |
250 | 253 | 254 | 255 |
256 |
257 |
258 | 259 |
260 |
261 |
262 | user input 263 |
264 | 265 |
266 |
267 | 270 |
271 |
272 |
273 | 274 |
275 |
276 |
277 | scanned files and includes 278 |
279 | 280 |
281 |
282 |
283 | 284 | 285 | 286 |
287 | 290 | 291 | 292 |
293 |
294 |
295 | 296 |
297 |
298 |
299 |
300 | 301 |
302 | 303 | 304 | 305 | 306 | 307 |
Result
308 |
309 | 310 | 0) 316 | { 317 | if($count_code > 0) 318 | statsRow(1, $NAME_CODE, $count_code, $count_all); 319 | if($count_exec > 0) 320 | statsRow(2, $NAME_EXEC, $count_exec, $count_all); 321 | if($count_con > 0) 322 | statsRow(3, $NAME_CONNECT, $count_con, $count_all); 323 | if($count_fr > 0) 324 | statsRow(4, $NAME_FILE_READ, $count_fr, $count_all); 325 | if($count_fi > 0) 326 | statsRow(5, $NAME_FILE_INCLUDE, $count_fi, $count_all); 327 | if($count_fa > 0) 328 | statsRow(6, $NAME_FILE_AFFECT, $count_fa, $count_all); 329 | if($count_ldap > 0) 330 | statsRow(7, $NAME_LDAP, $count_ldap, $count_all); 331 | if($count_sqli > 0) 332 | statsRow(8, $NAME_DATABASE, $count_sqli, $count_all); 333 | if($count_xpath > 0) 334 | statsRow(9, $NAME_XPATH, $count_xpath, $count_all); 335 | if($count_xss > 0) 336 | statsRow(10, $NAME_XSS, $count_xss, $count_all); 337 | if($count_header > 0) 338 | statsRow(11, $NAME_HTTP_HEADER, $count_header, $count_all); 339 | if($count_sf > 0) 340 | statsRow(12, $NAME_SESSION_FIXATION, $count_sf, $count_all); 341 | if($count_other > 0) 342 | statsRow(13, $NAME_OTHER, $count_other, $count_all); 343 | if($count_ri > 0) 344 | statsRow(14, $NAME_REFLECTION, $count_ri, $count_all); 345 | if($count_pop > 0) 346 | statsRow(15, $NAME_POP, $count_pop, $count_all); 347 | echo ''; 348 | } else 349 | { 350 | echo ''; 351 | } 352 | } else 353 | { 354 | echo ''; 355 | } 356 | 357 | echo '
Sum:',$count_all,'
No vulnerabilities found.
',(($count_matches == 0) ? 'No' : $count_matches),' matches found.

', 358 | ''; 359 | if(empty($_POST['search'])) 360 | { 361 | echo '', 373 | '', 379 | '', 380 | '', 381 | '', 382 | '
Scanned files:',count($files),'
Include success:'; 362 | 363 | if($count_inc > 0) 364 | { 365 | echo ($count_inc_success=$count_inc-$count_inc_fail).'/'.$count_inc, 366 | ' ('.$round_inc_success=round(($count_inc_success/$count_inc)*100,0).'%)'; 367 | } else 368 | { 369 | echo 'No includes.'; 370 | } 371 | 372 | echo '
Considered sinks:',count($scan_functions),''; 374 | if(empty($_POST['search']) && $count_all > 0) 375 | { 376 | echo '
'; 377 | } 378 | echo '
User-defined functions:'.(count($user_functions_offset)-(count($user_functions_offset)>0?1:0)).'
Unique sources:'.count($user_input).'
Sensitive sinks:'.(is_array($file_sinks_count) ? array_sum($file_sinks_count) : 0).'

'; 383 | 384 | // output info gathering 385 | if( !empty($info) || ($count_inc>0 && $round_inc_success < 75 && !$scan_subdirs && count($files)>1) ) 386 | { 387 | $info = array_unique($info); 388 | echo ''; 389 | foreach($info as $detail) 390 | { 391 | echo ''; 392 | } 393 | if($count_inc>0 && $round_inc_success < 75 && !$scan_subdirs && count($files)>1) 394 | { 395 | echo ''; 396 | } 397 | echo '
Info:',$detail,'
Info:Your include success is low. Enable subdirs for better filename guesses.

'; 398 | } 399 | 400 | echo '
Get the next generation of RIPS
with state-of-the-art code analysis!

'; 401 | } 402 | ?> 403 | 404 | 405 |
Scan time:
406 | 407 |
408 | 409 | 413 | -------------------------------------------------------------------------------- /papers/04_5_0.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/04_5_0.pdf -------------------------------------------------------------------------------- /papers/04_5_slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/04_5_slides.pdf -------------------------------------------------------------------------------- /papers/61f05ac238d58194a41323018f7c21907b05.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/61f05ac238d58194a41323018f7c21907b05.pdf -------------------------------------------------------------------------------- /papers/Abstract.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/Abstract.pdf -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/a.html: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/balrog.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/balrog.jpg -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP 
Static Code Analysis_files/can-patent.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/can-patent.png -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/cans-pile.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/cans-pile.jpg -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/coke-crushed.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/coke-crushed.jpg -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/css.css: -------------------------------------------------------------------------------- 1 | @font-face { 2 | font-family: 'Droid Sans Mono'; 3 | font-style: normal; 4 | font-weight: 400; 5 | src: local('Droid Sans Mono'), local('DroidSansMono'), url(http://themes.googleusercontent.com/static/fonts/droidsansmono/v4/ns-m2xQYezAtqh7ai59hJaH0X__W3S3MJL29bc5CWfs.woff) format('woff'); 6 | } 7 | @font-face { 8 | font-family: 'Open Sans'; 9 | font-style: normal; 10 | font-weight: 400; 11 | src: local('Open Sans'), local('OpenSans'), url(http://themes.googleusercontent.com/static/fonts/opensans/v6/cJZKeOuBrn4kERxqtaUH3bO3LdcAZYWl9Si6vvxL-qU.woff) format('woff'); 12 | } 13 | @font-face { 14 | font-family: 'Open Sans'; 15 | font-style: normal; 16 | font-weight: 600; 17 | src: local('Open Sans Semibold'), 
local('OpenSans-Semibold'), url(http://themes.googleusercontent.com/static/fonts/opensans/v6/MTP_ySUJH_bn48VBG8sNSqRDOzjiPcYnFooOUGCOsRk.woff) format('woff'); 18 | } 19 | @font-face { 20 | font-family: 'Open Sans'; 21 | font-style: italic; 22 | font-weight: 400; 23 | src: local('Open Sans Italic'), local('OpenSans-Italic'), url(http://themes.googleusercontent.com/static/fonts/opensans/v6/xjAJXh38I15wypJXxuGMBrrIa-7acMAeDBVuclsi6Gc.woff) format('woff'); 24 | } 25 | @font-face { 26 | font-family: 'Open Sans'; 27 | font-style: italic; 28 | font-weight: 600; 29 | src: local('Open Sans Semibold Italic'), local('OpenSans-SemiboldItalic'), url(http://themes.googleusercontent.com/static/fonts/opensans/v6/PRmiXeptR36kaC0GEAetxuw_rQOTGi-AJs5XCWaKIhU.woff) format('woff'); 30 | } 31 | -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/custom-sanitizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/custom-sanitizer.png -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/fwse.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/fwse.png -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/rubbish-bin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/rubbish-bin.png 
-------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/rubbish-tip.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/rubbish-tip.jpg -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/sacrifice.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/sacrifice.jpg -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/securing-gravel.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/securing-gravel.jpg -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/slides.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Google HTML5 slides template 3 | 4 | Authors: Luke Mahé (code) 5 | Marcin Wichary (code and design) 6 | 7 | Dominic Mazzoni (browser compatibility) 8 | Charles Chen (ChromeVox support) 9 | 10 | URL: http://code.google.com/p/html5slides/ 11 | */ 12 | 13 | var PERMANENT_URL_PREFIX = 'http://html5slides.googlecode.com/svn/trunk/'; 14 | 15 | var SLIDE_CLASSES = ['far-past', 'past', 'current', 'next', 'far-next']; 16 | 17 | var PM_TOUCH_SENSITIVITY = 15; 18 | 19 | var curSlide; 20 | 21 | /* ---------------------------------------------------------------------- */ 22 | /* classList polyfill 
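by Eli Grey
 * (http://purl.eligrey.com/github/classList.js/blob/master/classList.js) */

// Only install the polyfill when running in a document whose elements lack a
// native classList (the feature test is done on a throwaway <a> element).
if (typeof document !== "undefined" && !("classList" in document.createElement("a"))) {

(function (view) {

var
    classListProp = "classList"
  , protoProp = "prototype"
  , elemCtrProto = (view.HTMLElement || view.Element)[protoProp]
  , objCtr = Object
  // Leading comma restored: in the original text this binding followed
  // `objCtr = Object` with no separator, so automatic semicolon insertion
  // closed the `var` statement there and strTrim plus every binding after it
  // were created as implicit globals rather than locals of this closure.
  , strTrim = String[protoProp].trim || function () {
      return this.replace(/^\s+|\s+$/g, "");
    }
  , arrIndexOf = Array[protoProp].indexOf || function (item) {
      for (var i = 0, len = this.length; i < len; i++) {
        if (i in this && this[i] === item) {
          return i;
        }
      }
      return -1;
    }
  // Vendors: please allow content code to instantiate DOMExceptions
  // Stand-in for DOMException: mirrors the name/code/message triple so callers
  // can inspect failures the same way they would with a native exception.
  , DOMEx = function (type, message) {
      this.name = type;
      this.code = DOMException[type];
      this.message = message;
    }
  // Validates a class token (non-empty, no whitespace) and returns its index
  // in `classList`, or -1 when absent. Throws DOMEx on an invalid token.
  , checkTokenAndGetIndex = function (classList, token) {
      if (token === "") {
        throw new DOMEx(
            "SYNTAX_ERR"
          , "An invalid or illegal string was specified"
        );
      }
      if (/\s/.test(token)) {
        throw new DOMEx(
            "INVALID_CHARACTER_ERR"
          , "String contains an invalid character"
        );
      }
      return arrIndexOf.call(classList, token);
    }
  // Array-backed token list built from elem.className; _updateClassName
  // writes the list back to the element after every mutation.
  , ClassList = function (elem) {
      var
          trimmedClasses = strTrim.call(elem.className)
        , classes = trimmedClasses ? trimmedClasses.split(/\s+/) : []
      ;
      for (var i = 0, len = classes.length; i < len; i++) {
        this.push(classes[i]);
      }
      this._updateClassName = function () {
        elem.className = this.toString();
      };
    }
  , classListProto = ClassList[protoProp] = []
  , classListGetter = function () {
      return new ClassList(this);
    }
;
// Most DOMException implementations don't allow calling DOMException's toString()
// on non-DOMExceptions. Error's toString() is sufficient here.
DOMEx[protoProp] = Error[protoProp];
classListProto.item = function (i) {
  return this[i] || null;
};
classListProto.contains = function (token) {
  token += "";
  return checkTokenAndGetIndex(this, token) !== -1;
};
classListProto.add = function (token) {
  token += "";
  if (checkTokenAndGetIndex(this, token) === -1) {
    this.push(token);
    this._updateClassName();
  }
};
classListProto.remove = function (token) {
  token += "";
  var index = checkTokenAndGetIndex(this, token);
  if (index !== -1) {
    this.splice(index, 1);
    this._updateClassName();
  }
};
classListProto.toggle = function (token) {
  token += "";
  if (checkTokenAndGetIndex(this, token) === -1) {
    this.add(token);
  } else {
    this.remove(token);
  }
};
classListProto.toString = function () {
  return this.join(" ");
};

// Expose `classList` as an accessor on the element prototype; a fresh
// ClassList is built from className on every read.
if (objCtr.defineProperty) {
  var classListPropDesc = {
      get: classListGetter
    , enumerable: true
    , configurable: true
  };
  try {
    objCtr.defineProperty(elemCtrProto, classListProp, classListPropDesc);
  } catch (ex) { // IE 8 doesn't support enumerable:true
    // The magic number is the IE-specific error code for that failure;
    // retry once with enumerable:false.
    if (ex.number === -0x7FF5EC54) {
      classListPropDesc.enumerable = false;
      objCtr.defineProperty(elemCtrProto, classListProp, classListPropDesc);
    }
  }
} else if (objCtr[protoProp].__defineGetter__) {
  elemCtrProto.__defineGetter__(classListProp, classListGetter);
}

}(self));

}
/* ---------------------------------------------------------------------- */

/* Slide movement */

// Returns the slide element at index `no`, or null when the index is outside
// slideEls. slideEls is not declared in this file — presumably set up by the
// embedding page; confirm against the caller.
function getSlideEl(no) {
  if ((no < 0) || (no >= slideEls.length)) {
    return null;
  } else {
    return slideEls[no];
  }
};

// Sets `className` on slide `slideNo` (if given) and strips every other
// entry of SLIDE_CLASSES from it; the condition continues on the next line.
function updateSlideClass(slideNo, className) {
  var el = getSlideEl(slideNo);

  if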
(!el) {
    return;
  }

  if (className) {
    el.classList.add(className);
  }

  // Remove every positional class except the one just applied, so a slide
  // never carries two entries of SLIDE_CLASSES at once.
  for (var i in SLIDE_CLASSES) {
    if (className != SLIDE_CLASSES[i]) {
      el.classList.remove(SLIDE_CLASSES[i]);
    }
  }
};

// Re-applies positional classes to every slide relative to curSlide, fires
// the leave/enter events, and (de)activates iframe content around the current
// slide. Reads the globals curSlide and slideEls.
function updateSlides() {
  for (var i = 0; i < slideEls.length; i++) {
    switch (i) {
      case curSlide - 2:
        updateSlideClass(i, 'far-past');
        break;
      case curSlide - 1:
        updateSlideClass(i, 'past');
        break;
      case curSlide:
        updateSlideClass(i, 'current');
        break;
      case curSlide + 1:
        updateSlideClass(i, 'next');
        break;
      case curSlide + 2:
        updateSlideClass(i, 'far-next');
        break;
      default:
        updateSlideClass(i);
        break;
    }
  }

  triggerLeaveEvent(curSlide - 1);
  triggerEnterEvent(curSlide);

  // The 301 ms delay presumably lets a CSS transition finish before the
  // far-past slide's frames are blanked — confirm against the stylesheet.
  window.setTimeout(function() {
    // Hide after the slide
    disableSlideFrames(curSlide - 2);
  }, 301);

  enableSlideFrames(curSlide - 1);
  enableSlideFrames(curSlide + 2);

  if (isChromeVoxActive()) {
    speakAndSyncToNode(slideEls[curSlide]);
  }

  updateHash();
};

// Reveals the next '.to-build' element on the current slide. Returns true when
// one was revealed, false when the slide has none left. Note this indexes
// slideEls[curSlide] directly, without the range check getSlideEl performs.
function buildNextItem() {
  var toBuild = slideEls[curSlide].querySelectorAll('.to-build');

  if (!toBuild.length) {
    return false;
  }

  toBuild[0].classList.remove('to-build');

  if (isChromeVoxActive()) {
    speakAndSyncToNode(toBuild[0]);
  }

  return true;
};

// Moves to the previous slide, if any.
function prevSlide() {
  if (curSlide > 0) {
    curSlide--;

    updateSlides();
  }
};

// Reveals the next build item if one remains; otherwise advances one slide.
function nextSlide() {
  if (buildNextItem()) {
    return;
  }

  if (curSlide < slideEls.length - 1) {
    curSlide++;

    updateSlides();
  }
};

/* Slide events */

// Runs the slide's 'onslideenter' attribute as code, then dispatches a
// bubbling 'slideenter' event on it.
function triggerEnterEvent(no) {
  var el =
getSlideEl(no);
  if (!el) {
    return;
  }

  var onEnter = el.getAttribute('onslideenter');
  if (onEnter) {
    // Executes the attribute string as JavaScript (eval-equivalent): whatever
    // text sits in the slide markup runs with page privileges, so this is
    // only safe while the slide HTML is trusted, authored content.
    new Function(onEnter).call(el);
  }

  var evt = document.createEvent('Event');
  evt.initEvent('slideenter', true, true);
  evt.slideNumber = no + 1; // Make it readable

  el.dispatchEvent(evt);
};

// Counterpart of triggerEnterEvent for 'onslideleave' / 'slideleave'; the
// same markup-as-code caveat applies to the attribute value.
function triggerLeaveEvent(no) {
  var el = getSlideEl(no);
  if (!el) {
    return;
  }

  var onLeave = el.getAttribute('onslideleave');
  if (onLeave) {
    new Function(onLeave).call(el);
  }

  var evt = document.createEvent('Event');
  evt.initEvent('slideleave', true, true);
  evt.slideNumber = no + 1; // Make it readable

  el.dispatchEvent(evt);
};

/* Touch events */

// Starts tracking a single-finger swipe. touchDX/touchDY/touchStartX/
// touchStartY are assigned without `var` and are not among this file's
// visible top-level declarations — presumably implicit globals; verify.
function handleTouchStart(event) {
  if (event.touches.length == 1) {
    touchDX = 0;
    touchDY = 0;

    touchStartX = event.touches[0].pageX;
    touchStartY = event.touches[0].pageY;

    document.body.addEventListener('touchmove', handleTouchMove, true);
    document.body.addEventListener('touchend', handleTouchEnd, true);
  }
};

// Updates the swipe delta; a second finger cancels the gesture.
function handleTouchMove(event) {
  if (event.touches.length > 1) {
    cancelTouch();
  } else {
    touchDX = event.touches[0].pageX - touchStartX;
    touchDY = event.touches[0].pageY - touchStartY;
  }
};

// Treats the gesture as a swipe when it exceeds PM_TOUCH_SENSITIVITY
// horizontally and is mostly horizontal; right swipe goes back, left forward.
function handleTouchEnd(event) {
  var dx = Math.abs(touchDX);
  var dy = Math.abs(touchDY);

  if ((dx > PM_TOUCH_SENSITIVITY) && (dy < (dx * 2 / 3))) {
    if (touchDX > 0) {
      prevSlide();
    } else {
      nextSlide();
    }
  }

  cancelTouch();
};

// Detaches the move/end listeners registered by handleTouchStart.
function cancelTouch() {
  document.body.removeEventListener('touchmove', handleTouchMove, true);
  document.body.removeEventListener('touchend', handleTouchEnd, true);
};


/* Preloading frames */

// Blanks every iframe inside slide `no` (no-op for an out-of-range index).
function disableSlideFrames(no) {
  var el = getSlideEl(no);
  if (!el) {
    return;
  }

  var frames = el.getElementsByTagName('iframe');
  for (var i = 0, frame; frame = frames[i]; i++) {
    disableFrame(frame);
  }
};

// Restores the saved src of every iframe inside slide `no`.
function enableSlideFrames(no) {
  var el = getSlideEl(no);
  if (!el) {
    return;
  }

  var frames = el.getElementsByTagName('iframe');
  for (var i = 0, frame; frame = frames[i]; i++) {
    enableFrame(frame);
  }
};

// Unloads the frame's content without touching the saved _src.
function disableFrame(frame) {
  frame.src = 'about:blank';
};

// Reloads the frame from the src captured in setupFrames, unless it is
// already showing it or was blank to begin with.
function enableFrame(frame) {
  var src = frame._src;

  if (frame.src != src && src != 'about:blank') {
    frame.src = src;
  }
};

// Stashes each iframe's original src on the element, blanks them all, then
// loads only the current slide and the two after it.
function setupFrames() {
  var frames = document.querySelectorAll('iframe');
  for (var i = 0, frame; frame = frames[i]; i++) {
    frame._src = frame.src;
    disableFrame(frame);
  }

  enableSlideFrames(curSlide);
  enableSlideFrames(curSlide + 1);
  enableSlideFrames(curSlide + 2);
};

// Adds the two click areas (prev/next) to 'section.slides' and registers the
// swipe listener. `el` is redeclared with `var` for the second area; harmless
// in sloppy mode since both declarations hoist to the same binding.
function setupInteraction() {
  /* Clicking and tapping */

  var el = document.createElement('div');
  el.className = 'slide-area';
  el.id = 'prev-slide-area';
  el.addEventListener('click', prevSlide, false);
  document.querySelector('section.slides').appendChild(el);

  var el = document.createElement('div');
  el.className = 'slide-area';
  el.id = 'next-slide-area';
  el.addEventListener('click', nextSlide, false);
  document.querySelector('section.slides').appendChild(el);

  /* Swiping */

  document.body.addEventListener('touchstart', handleTouchStart, false);
}

/* ChromeVox support */

// True when the ChromeVox screen-reader global `cvox` is present.
function isChromeVoxActive() {
  if (typeof(cvox) == 'undefined') {
    return false;
  } else {
    return true;
  }
};

// Points the ChromeVox cursor at `node`, then descends to its first leaf so
// reading starts from the node's first text. The cvox.* calls are an external
// API whose exact semantics are not visible here.
function speakAndSyncToNode(node) {
  if (!isChromeVoxActive()) {
    return;
  }

  cvox.ChromeVox.navigationManager.switchToStrategy(
      cvox.ChromeVoxNavigationManager.STRATEGIES.LINEARDOM, 0, true);
  cvox.ChromeVox.navigationManager.syncToNode(node);
  cvox.ChromeVoxUserCommands.finishNavCommand('');
  var target = node;
  while (target.firstChild) {
    target = target.firstChild;
  }
  cvox.ChromeVox.navigationManager.syncToNode(target);
};

// Advances ChromeVox by one item; if that leaves the current slide, re-syncs
// to the slide's first leaf and advances again so reading stays on-slide.
function speakNextItem() {
  if (!isChromeVoxActive()) {
    return;
  }

  cvox.ChromeVox.navigationManager.switchToStrategy(
      cvox.ChromeVoxNavigationManager.STRATEGIES.LINEARDOM, 0, true);
  cvox.ChromeVox.navigationManager.next(true);
  if (!cvox.DomUtil.isDescendantOfNode(
      cvox.ChromeVox.navigationManager.getCurrentNode(), slideEls[curSlide])){
    var target = slideEls[curSlide];
    while (target.firstChild) {
      target = target.firstChild;
    }
    cvox.ChromeVox.navigationManager.syncToNode(target);
    cvox.ChromeVox.navigationManager.next(true);
  }
  cvox.ChromeVoxUserCommands.finishNavCommand('');
};

// Mirror of speakNextItem in the backward direction (descends to lastChild).
function speakPrevItem() {
  if (!isChromeVoxActive()) {
    return;
  }

  cvox.ChromeVox.navigationManager.switchToStrategy(
      cvox.ChromeVoxNavigationManager.STRATEGIES.LINEARDOM, 0, true);
  cvox.ChromeVox.navigationManager.previous(true);
  if (!cvox.DomUtil.isDescendantOfNode(
      cvox.ChromeVox.navigationManager.getCurrentNode(), slideEls[curSlide])){
    var target = slideEls[curSlide];
    while (target.lastChild){
      target = target.lastChild;
    }
    cvox.ChromeVox.navigationManager.syncToNode(target);
    cvox.ChromeVox.navigationManager.previous(true);
  }
  cvox.ChromeVoxUserCommands.finishNavCommand('');
};

/* Hash functions */


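// Read the 1-based slide number from the URL fragment ("#7") into the global
// curSlide (0-based). Anything that is not a positive integer selects slide 0
// (the old code let "#-3" produce a negative curSlide), and the explicit radix
// keeps parseInt from treating "#010" as octal on older engines.
function getCurSlideFromHash() {
  var slideNo = parseInt(location.hash.substr(1), 10);

  if (slideNo > 0) {
    curSlide = slideNo - 1;
  } else {
    curSlide = 0;
  }
};

// Mirror curSlide back into the fragment without adding a history entry.
function updateHash() {
  location.replace('#' + (curSlide + 1));
};

/* Event listeners */

// Keyboard navigation. Down/up arrows defer to ChromeVox item-by-item reading
// when the screen reader is active; every handled key suppresses its default.
function handleBodyKeyDown(event) {
  switch (event.keyCode) {
    case 39: // right arrow
    case 13: // Enter
    case 32: // space
    case 34: // PgDn
      nextSlide();
      event.preventDefault();
      break;

    case 37: // left arrow
    case 8:  // Backspace
    case 33: // PgUp
      prevSlide();
      event.preventDefault();
      break;

    case 40: // down arrow
      if (isChromeVoxActive()) {
        speakNextItem();
      } else {
        nextSlide();
      }
      event.preventDefault();
      break;

    case 38: // up arrow
      if (isChromeVoxActive()) {
        speakPrevItem();
      } else {
        prevSlide();
      }
      event.preventDefault();
      break;
  }
};

function addEventListeners() {
  document.addEventListener('keydown', handleBodyKeyDown, false);
};

/* Initialization */

// Append a <link rel="stylesheet"> for href to the body.
function appendStylesheet(href) {
  var link = document.createElement('link');
  link.rel = 'stylesheet';
  link.type = 'text/css';
  link.href = href;
  document.body.appendChild(link);
}

// Append a <meta name=... content=...> to the head.
function appendMeta(name, content) {
  var meta = document.createElement('meta');
  meta.name = name;
  meta.content = content;
  document.querySelector('head').appendChild(meta);
}

// Tag every <pre> (except .noprettyprint) for syntax highlighting, then load
// prettify.js and run it once the script has arrived.
// PERMANENT_URL_PREFIX is defined outside this section; if it points at a
// plain-http origin the highlighter is fetched without transport or integrity
// protection, so it should be an https URL or a local copy -- TODO confirm.
function addPrettify() {
  var pres = document.querySelectorAll('pre');
  for (var i = 0; i < pres.length; i++) {
    if (!pres[i].classList.contains('noprettyprint')) {
      pres[i].classList.add('prettyprint');
    }
  }

  var script = document.createElement('script');
  script.type = 'text/javascript';
  script.src = PERMANENT_URL_PREFIX + 'prettify.js';
  script.onload = function() {
    prettyPrint();
  };
  document.body.appendChild(script);
};

// Load the web fonts over https: the previous plain-http URL is blocked as
// mixed content whenever the deck itself is served over https.
function addFontStyle() {
  appendStylesheet('https://fonts.googleapis.com/css?family=' +
      'Open+Sans:regular,semibold,italic,italicsemibold|Droid+Sans+Mono');
};

function addGeneralStyle() {
  appendStylesheet(PERMANENT_URL_PREFIX + 'styles.css');
  appendMeta('viewport', 'width=1100,height=750');
  appendMeta('apple-mobile-web-app-capable', 'yes');
};

// From the current slide onward, mark every direct child of a .build element
// as .to-build so it starts hidden and is revealed step by step.
function makeBuildLists() {
  for (var i = curSlide, slide; slide = slideEls[i]; i++) {
    var items = slide.querySelectorAll('.build > *');
    for (var j = 0; j < items.length; j++) {
      if (items[j].classList) {
        items[j].classList.add('to-build');
      }
    }
  }
};

function handleDomLoaded() {
  slideEls = document.querySelectorAll('section.slides > article');

  setupFrames();

  addFontStyle();
  addGeneralStyle();
  addPrettify();
  addEventListeners();

  updateSlides();

  setupInteraction();
  makeBuildLists();

  document.body.classList.add('loaded');
};

// Entry point: pick the start slide from the hash, then run handleDomLoaded
// now if the document is already parsed (window._DCL is set by the ?debug
// bootstrap below) or on DOMContentLoaded otherwise.
function initialize() {
  getCurSlideFromHash();

  if (window['_DEBUG']) {
    PERMANENT_URL_PREFIX = '../';
  }

  if (window['_DCL']) {
    handleDomLoaded();
  } else {
    document.addEventListener('DOMContentLoaded', handleDomLoaded, false);
  }
}

// If ?debug exists then load the script relative instead of absolute
if (!window['_DEBUG'] && document.location.href.indexOf('?debug') !== -1) {
  document.addEventListener('DOMContentLoaded', function() {
    // Avoid missing the DomContentLoaded event
    window['_DCL'] = true;
  }, false);
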
window['_DEBUG'] = true; 624 | var script = document.createElement('script'); 625 | script.type = 'text/javascript'; 626 | script.src = '../slides.js'; 627 | var s = document.getElementsByTagName('script')[0]; 628 | s.parentNode.insertBefore(script, s); 629 | 630 | // Remove this script 631 | s.parentNode.removeChild(s); 632 | } else { 633 | initialize(); 634 | } 635 | -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/steelin-ur-datax.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/steelin-ur-datax.jpg -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/styles.css: -------------------------------------------------------------------------------- 1 | /* 2 | Google HTML5 slides template 3 | 4 | Authors: Luke Mahé (code) 5 | Marcin Wichary (code and design) 6 | 7 | Dominic Mazzoni (browser compatibility) 8 | Charles Chen (ChromeVox support) 9 | 10 | URL: http://code.google.com/p/html5slides/ 11 | */ 12 | 13 | /* Framework */ 14 | 15 | html { 16 | height: 100%; 17 | } 18 | 19 | body { 20 | margin: 0; 21 | padding: 0; 22 | 23 | display: block !important; 24 | 25 | height: 100%; 26 | min-height: 740px; 27 | 28 | overflow-x: hidden; 29 | overflow-y: auto; 30 | 31 | background: rgb(215, 215, 215); 32 | background: -o-radial-gradient(rgb(240, 240, 240), rgb(190, 190, 190)); 33 | background: -moz-radial-gradient(rgb(240, 240, 240), rgb(190, 190, 190)); 34 | background: -webkit-radial-gradient(rgb(240, 240, 240), rgb(190, 190, 190)); 35 | background: -webkit-gradient(radial, 50% 50%, 0, 50% 50%, 500, from(rgb(240, 240, 240)), to(rgb(190, 190, 190))); 36 | 37 | -webkit-font-smoothing: antialiased; 38 | } 39 | 40 | .slides { 41 | width: 100%; 
42 | height: 100%; 43 | left: 0; 44 | top: 0; 45 | 46 | position: absolute; 47 | 48 | -webkit-transform: translate3d(0, 0, 0); 49 | } 50 | 51 | .slides > article { 52 | display: block; 53 | 54 | position: absolute; 55 | overflow: hidden; 56 | 57 | width: 900px; 58 | height: 700px; 59 | 60 | left: 50%; 61 | top: 50%; 62 | 63 | margin-left: -450px; 64 | margin-top: -350px; 65 | 66 | padding: 40px 60px; 67 | 68 | box-sizing: border-box; 69 | -o-box-sizing: border-box; 70 | -moz-box-sizing: border-box; 71 | -webkit-box-sizing: border-box; 72 | 73 | border-radius: 10px; 74 | -o-border-radius: 10px; 75 | -moz-border-radius: 10px; 76 | -webkit-border-radius: 10px; 77 | 78 | background-color: white; 79 | 80 | box-shadow: 0 2px 6px rgba(0, 0, 0, .1); 81 | border: 1px solid rgba(0, 0, 0, .3); 82 | 83 | transition: transform .3s ease-out; 84 | -o-transition: -o-transform .3s ease-out; 85 | -moz-transition: -moz-transform .3s ease-out; 86 | -webkit-transition: -webkit-transform .3s ease-out; 87 | } 88 | .slides.layout-widescreen > article { 89 | margin-left: -550px; 90 | width: 1100px; 91 | } 92 | .slides.layout-faux-widescreen > article { 93 | margin-left: -550px; 94 | width: 1100px; 95 | 96 | padding: 40px 160px; 97 | } 98 | 99 | .slides.template-default > article:not(.nobackground):not(.biglogo) { 100 | background: url(images/google-logo-small.png) 710px 625px no-repeat; 101 | 102 | background-color: white; 103 | } 104 | 105 | .slides.template-io2011 > article:not(.nobackground):not(.biglogo) { 106 | background: url(images/colorbar.png) 0 600px repeat-x, 107 | url(images/googleio-logo.png) 640px 625px no-repeat; 108 | 109 | background-size: 100%, 225px; 110 | 111 | background-color: white; 112 | } 113 | .slides.layout-widescreen > article:not(.nobackground):not(.biglogo), 114 | .slides.layout-faux-widescreen > article:not(.nobackground):not(.biglogo) { 115 | background-position-x: 0, 840px; 116 | } 117 | 118 | /* Clickable/tappable areas */ 119 | 120 | .slide-area { 121 | 
z-index: 1000; 122 | 123 | position: absolute; 124 | left: 0; 125 | top: 0; 126 | width: 150px; 127 | height: 700px; 128 | 129 | left: 50%; 130 | top: 50%; 131 | 132 | cursor: pointer; 133 | margin-top: -350px; 134 | 135 | tap-highlight-color: transparent; 136 | -o-tap-highlight-color: transparent; 137 | -moz-tap-highlight-color: transparent; 138 | -webkit-tap-highlight-color: transparent; 139 | } 140 | #prev-slide-area { 141 | margin-left: -550px; 142 | } 143 | #next-slide-area { 144 | margin-left: 400px; 145 | } 146 | .slides.layout-widescreen #prev-slide-area, 147 | .slides.layout-faux-widescreen #prev-slide-area { 148 | margin-left: -650px; 149 | } 150 | .slides.layout-widescreen #next-slide-area, 151 | .slides.layout-faux-widescreen #next-slide-area { 152 | margin-left: 500px; 153 | } 154 | 155 | /* Slide styles */ 156 | 157 | .slides.template-default article.biglogo { 158 | background: white url(images/google-logo.png) 50% 50% no-repeat; 159 | } 160 | 161 | .slides.template-io2011 article.biglogo { 162 | background: white url(images/googleio-logo.png) 50% 50% no-repeat; 163 | 164 | background-size: 600px; 165 | } 166 | 167 | /* Slides */ 168 | 169 | .slides > article { 170 | display: none; 171 | } 172 | .slides > article.far-past { 173 | display: block; 174 | transform: translate(-2040px); 175 | -o-transform: translate(-2040px); 176 | -moz-transform: translate(-2040px); 177 | -webkit-transform: translate3d(-2040px, 0, 0); 178 | } 179 | .slides > article.past { 180 | display: block; 181 | transform: translate(-1020px); 182 | -o-transform: translate(-1020px); 183 | -moz-transform: translate(-1020px); 184 | -webkit-transform: translate3d(-1020px, 0, 0); 185 | } 186 | .slides > article.current { 187 | display: block; 188 | transform: translate(0); 189 | -o-transform: translate(0); 190 | -moz-transform: translate(0); 191 | -webkit-transform: translate3d(0, 0, 0); 192 | } 193 | .slides > article.next { 194 | display: block; 195 | transform: translate(1020px); 196 | 
-o-transform: translate(1020px); 197 | -moz-transform: translate(1020px); 198 | -webkit-transform: translate3d(1020px, 0, 0); 199 | } 200 | .slides > article.far-next { 201 | display: block; 202 | transform: translate(2040px); 203 | -o-transform: translate(2040px); 204 | -moz-transform: translate(2040px); 205 | -webkit-transform: translate3d(2040px, 0, 0); 206 | } 207 | 208 | .slides.layout-widescreen > article.far-past, 209 | .slides.layout-faux-widescreen > article.far-past { 210 | display: block; 211 | transform: translate(-2260px); 212 | -o-transform: translate(-2260px); 213 | -moz-transform: translate(-2260px); 214 | -webkit-transform: translate3d(-2260px, 0, 0); 215 | } 216 | .slides.layout-widescreen > article.past, 217 | .slides.layout-faux-widescreen > article.past { 218 | display: block; 219 | transform: translate(-1130px); 220 | -o-transform: translate(-1130px); 221 | -moz-transform: translate(-1130px); 222 | -webkit-transform: translate3d(-1130px, 0, 0); 223 | } 224 | .slides.layout-widescreen > article.current, 225 | .slides.layout-faux-widescreen > article.current { 226 | display: block; 227 | transform: translate(0); 228 | -o-transform: translate(0); 229 | -moz-transform: translate(0); 230 | -webkit-transform: translate3d(0, 0, 0); 231 | } 232 | .slides.layout-widescreen > article.next, 233 | .slides.layout-faux-widescreen > article.next { 234 | display: block; 235 | transform: translate(1130px); 236 | -o-transform: translate(1130px); 237 | -moz-transform: translate(1130px); 238 | -webkit-transform: translate3d(1130px, 0, 0); 239 | } 240 | .slides.layout-widescreen > article.far-next, 241 | .slides.layout-faux-widescreen > article.far-next { 242 | display: block; 243 | transform: translate(2260px); 244 | -o-transform: translate(2260px); 245 | -moz-transform: translate(2260px); 246 | -webkit-transform: translate3d(2260px, 0, 0); 247 | } 248 | 249 | /* Styles for slides */ 250 | 251 | .slides > article { 252 | font-family: 'Open Sans', Arial, 
sans-serif; 253 | 254 | color: rgb(102, 102, 102); 255 | text-shadow: 0 1px 1px rgba(0, 0, 0, .1); 256 | 257 | font-size: 30px; 258 | line-height: 36px; 259 | 260 | letter-spacing: -1px; 261 | } 262 | 263 | b { 264 | font-weight: 600; 265 | } 266 | 267 | .blue { 268 | color: rgb(0, 102, 204); 269 | } 270 | .yellow { 271 | color: rgb(255, 211, 25); 272 | } 273 | .green { 274 | color: rgb(0, 138, 53); 275 | } 276 | .red { 277 | color: rgb(255, 0, 0); 278 | } 279 | .black { 280 | color: black; 281 | } 282 | .white { 283 | color: white; 284 | } 285 | 286 | a { 287 | color: rgb(0, 102, 204); 288 | } 289 | a:visited { 290 | color: rgba(0, 102, 204, .75); 291 | } 292 | a:hover { 293 | color: black; 294 | } 295 | 296 | p { 297 | margin: 0; 298 | padding: 0; 299 | 300 | margin-top: 20px; 301 | } 302 | p:first-child { 303 | margin-top: 0; 304 | } 305 | 306 | h1 { 307 | font-size: 60px; 308 | line-height: 60px; 309 | 310 | padding: 0; 311 | margin: 0; 312 | margin-top: 200px; 313 | padding-right: 40px; 314 | 315 | font-weight: 600; 316 | 317 | letter-spacing: -3px; 318 | 319 | color: rgb(51, 51, 51); 320 | } 321 | 322 | h2 { 323 | font-size: 45px; 324 | line-height: 45px; 325 | 326 | position: absolute; 327 | bottom: 150px; 328 | 329 | padding: 0; 330 | margin: 0; 331 | padding-right: 40px; 332 | 333 | font-weight: 600; 334 | 335 | letter-spacing: -2px; 336 | 337 | color: rgb(51, 51, 51); 338 | } 339 | 340 | h3 { 341 | font-size: 30px; 342 | line-height: 36px; 343 | 344 | padding: 0; 345 | margin: 0; 346 | padding-right: 40px; 347 | 348 | font-weight: 600; 349 | 350 | letter-spacing: -1px; 351 | 352 | color: rgb(51, 51, 51); 353 | } 354 | 355 | article.fill h3 { 356 | background: rgba(255, 255, 255, .75); 357 | padding-top: .2em; 358 | padding-bottom: .3em; 359 | margin-top: -.2em; 360 | margin-left: -60px; 361 | padding-left: 60px; 362 | margin-right: -60px; 363 | padding-right: 60px; 364 | } 365 | 366 | ul { 367 | list-style: none; 368 | margin: 0; 369 | padding: 0; 370 | 
371 | margin-top: 40px; 372 | 373 | margin-left: .75em; 374 | } 375 | ul:first-child { 376 | margin-top: 0; 377 | } 378 | ul ul { 379 | margin-top: .5em; 380 | } 381 | li { 382 | padding: 0; 383 | margin: 0; 384 | 385 | margin-bottom: .5em; 386 | } 387 | li::before { 388 | content: '·'; 389 | 390 | width: .75em; 391 | margin-left: -.75em; 392 | 393 | position: absolute; 394 | } 395 | 396 | pre { 397 | font-family: 'Droid Sans Mono', 'Courier New', monospace; 398 | 399 | font-size: 20px; 400 | line-height: 28px; 401 | padding: 5px 10px; 402 | 403 | letter-spacing: -1px; 404 | 405 | margin-top: 40px; 406 | margin-bottom: 40px; 407 | 408 | color: black; 409 | background: rgb(240, 240, 240); 410 | border: 1px solid rgb(224, 224, 224); 411 | box-shadow: inset 0 2px 6px rgba(0, 0, 0, .1); 412 | 413 | overflow: hidden; 414 | } 415 | 416 | code { 417 | font-size: 95%; 418 | font-family: 'Droid Sans Mono', 'Courier New', monospace; 419 | 420 | color: black; 421 | } 422 | 423 | iframe { 424 | width: 100%; 425 | 426 | height: 620px; 427 | 428 | background: white; 429 | border: 1px solid rgb(192, 192, 192); 430 | margin: -1px; 431 | /*box-shadow: inset 0 2px 6px rgba(0, 0, 0, .1);*/ 432 | } 433 | 434 | h3 + iframe { 435 | margin-top: 40px; 436 | height: 540px; 437 | } 438 | 439 | article.fill iframe { 440 | position: absolute; 441 | left: 0; 442 | top: 0; 443 | width: 100%; 444 | height: 100%; 445 | 446 | border: 0; 447 | margin: 0; 448 | 449 | border-radius: 10px; 450 | -o-border-radius: 10px; 451 | -moz-border-radius: 10px; 452 | -webkit-border-radius: 10px; 453 | 454 | z-index: -1; 455 | } 456 | 457 | article.fill img { 458 | position: absolute; 459 | left: 0; 460 | top: 0; 461 | min-width: 100%; 462 | min-height: 100%; 463 | 464 | border-radius: 10px; 465 | -o-border-radius: 10px; 466 | -moz-border-radius: 10px; 467 | -webkit-border-radius: 10px; 468 | 469 | z-index: -1; 470 | } 471 | img.centered { 472 | margin: 0 auto; 473 | display: block; 474 | } 475 | 476 | table { 
477 | width: 100%; 478 | border-collapse: collapse; 479 | margin-top: 40px; 480 | } 481 | th { 482 | font-weight: 600; 483 | text-align: left; 484 | } 485 | td, 486 | th { 487 | border: 1px solid rgb(224, 224, 224); 488 | padding: 5px 10px; 489 | vertical-align: top; 490 | } 491 | 492 | .source { 493 | position: absolute; 494 | left: 60px; 495 | top: 644px; 496 | padding-right: 175px; 497 | 498 | font-size: 15px; 499 | letter-spacing: 0; 500 | line-height: 18px; 501 | } 502 | 503 | q { 504 | display: block; 505 | font-size: 60px; 506 | line-height: 72px; 507 | 508 | margin-left: 20px; 509 | 510 | margin-top: 100px; 511 | margin-right: 150px; 512 | } 513 | q::before { 514 | content: '“'; 515 | 516 | position: absolute; 517 | display: inline-block; 518 | margin-left: -2.1em; 519 | width: 2em; 520 | text-align: right; 521 | 522 | font-size: 90px; 523 | color: rgb(192, 192, 192); 524 | } 525 | q::after { 526 | content: '”'; 527 | 528 | position: absolute; 529 | margin-left: .1em; 530 | 531 | font-size: 90px; 532 | color: rgb(192, 192, 192); 533 | } 534 | div.author { 535 | text-align: right; 536 | font-size: 40px; 537 | 538 | margin-top: 20px; 539 | margin-right: 150px; 540 | } 541 | div.author::before { 542 | content: '—'; 543 | } 544 | 545 | /* Size variants */ 546 | 547 | article.smaller p, 548 | article.smaller ul { 549 | font-size: 20px; 550 | line-height: 24px; 551 | letter-spacing: 0; 552 | } 553 | article.smaller table { 554 | font-size: 20px; 555 | line-height: 24px; 556 | letter-spacing: 0; 557 | } 558 | article.smaller pre { 559 | font-size: 15px; 560 | line-height: 20px; 561 | letter-spacing: 0; 562 | } 563 | article.smaller q { 564 | font-size: 40px; 565 | line-height: 48px; 566 | } 567 | article.smaller q::before, 568 | article.smaller q::after { 569 | font-size: 60px; 570 | } 571 | 572 | /* Builds */ 573 | 574 | .build > * { 575 | transition: opacity 0.5s ease-in-out 0.2s; 576 | -o-transition: opacity 0.5s ease-in-out 0.2s; 577 | -moz-transition: opacity 
0.5s ease-in-out 0.2s; 578 | -webkit-transition: opacity 0.5s ease-in-out 0.2s; 579 | } 580 | 581 | .to-build { 582 | opacity: 0; 583 | } 584 | 585 | /* Pretty print */ 586 | 587 | .prettyprint .str, /* string content */ 588 | .prettyprint .atv { /* a markup attribute value */ 589 | color: rgb(0, 138, 53); 590 | } 591 | .prettyprint .kwd, /* a keyword */ 592 | .prettyprint .tag { /* a markup tag name */ 593 | color: rgb(0, 102, 204); 594 | } 595 | .prettyprint .com { /* a comment */ 596 | color: rgb(127, 127, 127); 597 | font-style: italic; 598 | } 599 | .prettyprint .lit { /* a literal value */ 600 | color: rgb(127, 0, 0); 601 | } 602 | .prettyprint .pun, /* punctuation, lisp open bracket, lisp close bracket */ 603 | .prettyprint .opn, 604 | .prettyprint .clo { 605 | color: rgb(127, 127, 127); 606 | } 607 | .prettyprint .typ, /* a type name */ 608 | .prettyprint .atn, /* a markup attribute name */ 609 | .prettyprint .dec, 610 | .prettyprint .var { /* a declaration; a variable name */ 611 | color: rgb(127, 0, 127); 612 | } 613 | -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/test-1-screenie.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/test-1-screenie.png -------------------------------------------------------------------------------- /papers/LCA 2012_ PHP Static Code Analysis_files/xkcd-sql.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/LCA 2012_ PHP Static Code Analysis_files/xkcd-sql.png -------------------------------------------------------------------------------- /papers/McRee-toolsmith.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/McRee-toolsmith.pdf -------------------------------------------------------------------------------- /papers/POPChainGeneration-CCS14.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/POPChainGeneration-CCS14.pdf -------------------------------------------------------------------------------- /papers/README.md: -------------------------------------------------------------------------------- 1 | # Papers by Johannes Dahse 2 | 3 | 2016 4 | * [Static detection of complex vulnerabilities in modern PHP applications](https://d-nb.info/1099703417/34) (dissertation) 5 | * [No Honor Among Thieves: A Large-Scale Analysis of Malicious Web Shells](http://www.cyber-investigator.org/wp-content/uploads/2016/04/webshells_www2016.pdf) 6 | 7 | 2015 8 | * [Experience report: an empirical study of PHP security mechanism usage](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/05/27/sanitization_issta15.pdf) 9 | * [Security Analysis of PHP Bytecode Protection Mechanisms](https://pdfs.semanticscholar.org/0c37/61f05ac238d58194a41323018f7c21907b05.pdf) 10 | 11 | 2014 12 | * [Code Reuse Attacks in PHP: Automated POP Chain Generation](https://www.ei.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf) 13 | * [Simulation of Built-in PHP Features for Precise Static Code Analysis](http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/04_5_0.pdf) [Slides](http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/04_5_slides.pdf) 14 | * [Static Detection of Second-Order Vulnerabilities in Web Applications](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-dahse.pdf) 
[Slides](https://www.usenix.org/sites/default/files/conference/protected-files/sec14_slides_dahse.pdf) 15 | 16 | 2010 17 | * [RIPS - A static source code analyser for vulnerabilities in PHP scripts](https://sourceforge.net/projects/rips-scanner/files/rips-paper.pdf/download) (seminar work) 18 | * [RIPS - A static source code analyser for vulnerabilities in PHP scripts](http://php-security.org/downloads/rips.pdf) [Slides](https://websec.files.wordpress.com/2010/11/rips-slides.pdf) 19 | 20 | # Other Sources 21 | 22 | 2012 23 | * [linux.com.au 2012: Finding Vulnerabilities in PHP code](http://peter.serwylo.com/?p=115) [YouTube](https://www.youtube.com/watch?v=zrXFGjJyP8M) 24 | 25 | 2011 26 | * [toolsmith: RIPS - A static source code analyser for vulnerabilities in PHP scripts](http://www.issa.org/resource/resmgr/PDF/McRee-toolsmith.pdf) 27 | -------------------------------------------------------------------------------- /papers/diss.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/diss.pdf -------------------------------------------------------------------------------- /papers/rips-paper.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/rips-paper.pdf -------------------------------------------------------------------------------- /papers/rips-slides.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/rips-slides.pdf -------------------------------------------------------------------------------- /papers/rips.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/rips.pdf -------------------------------------------------------------------------------- /papers/sanitization_issta15.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/sanitization_issta15.pdf -------------------------------------------------------------------------------- /papers/sec14-paper-dahse.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/sec14-paper-dahse.pdf -------------------------------------------------------------------------------- /papers/sec14_slides_dahse.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/sec14_slides_dahse.pdf -------------------------------------------------------------------------------- /papers/webshells_www2016.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/robocoder/rips-scanner/41d23237883f8c6121d6e4d25888b95b903dacf3/papers/webshells_www2016.pdf -------------------------------------------------------------------------------- /rips_stats.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: UTF-8 -*- 3 | # Author : tintinweb@oststrom.com 4 | # 5 | # minimal dependencies, we do not require a fully blown html parser, beautifulsoup 6 | # and others 7 | import sys, re, os 8 | 9 | STATS_BEGIN = '
' 10 | STATS_END = '
' 11 | 12 | def getargs(): 13 | ''' 14 | Minimal argv splitter for this script: every token of sys.argv[1:] that starts with "--" is collected into options, everything else into args, and (args, options) is returned. With no arguments at all a usage line is printed and the process exits with status 1. 15 | ''' 16 | args = [] 17 | options = [] 18 | if len(sys.argv) <= 1: 19 | print """Usage: %s [, ...]"""%sys.argv[0] 20 | exit(1) 21 | for a in sys.argv[1:]: 22 | if a.startswith("--"): 23 | options.append(a) 24 | else: 25 | args.append(a) 26 | return args, options 27 | 28 | def extract_td_single(column_name,data): 29 | ''' 30 | Return the first capture of the column_name pattern found in data, or '' when nothing matches. column_name is spliced into the regex unescaped; the callers in main() pass fixed literal labels, so re.escape() is not required today. NOTE(review): the pattern text as rendered here looks truncated (markup lost in extraction) -- confirm it against the checked-in file. 31 | ''' 32 | d = re.findall(r'%s]*>([^<]+)'%column_name,data,re.MULTILINE|re.DOTALL) 33 | if d: 34 | return d[0] 35 | return '' 36 | 37 | def main(args, options=[]): 38 | '''Collect the RIPS statistics from every HTML report named in args and print a summary per file. Only the text between STATS_BEGIN and STATS_END is kept before the regexes run. Returns the accumulated hit count, which the __main__ block passes to sys.exit(), so a non-zero exit status means vulnerabilities were reported. options is accepted but not used. NOTE(review): options=[] is a mutable default -- harmless while unused, but prefer None. NOTE(review): the continue after the STATS_BEGIN match skips the STATS_END test for that same line, so begin and end markers on one line would never stop collection.''' errcode = 0 39 | stats={} 40 | 41 | for file in args: 42 | print "[*] processing '%s'"%file 43 | if not os.path.isfile(file): 44 | print "[!!] file not found/not a file - '%s'"%file 45 | continue 46 | with open(file,'r') as f: 47 | data = None 48 | # performance - reduce regex searchspace; extract stats div 49 | for line in f.readlines(): 50 | if data: 51 | data += line 52 | if STATS_BEGIN in line: 53 | data = line[line.index(STATS_BEGIN):] 54 | continue 55 | if STATS_END in line: 56 | break 57 | if data: 58 | print "[**] extracting data" 59 | x = re.findall(r'Sum:(\d+)', data) 60 | stats['hits'] = int(x[0]) if x else 0 # if Sum: is missing, there were no vulns. 
61 | stats['cats'] = re.findall(r'catshow\(\'([^\']+)', data) 62 | stats['num_cats']=len(stats['cats']) 63 | x = re.findall(r'(\d+\.\d+) seconds',data) 64 | stats['scantime'] = x[0] if x else None 65 | 66 | for s in ("Scanned files:", "Include success:", "Considered sinks:", 67 | "User-defined functions:","Unique sources:","Sensitive sinks:"): 68 | stats[s] = extract_td_single(s, data).strip() 69 | 70 | 71 | stats['dummy']='' 72 | print "[***] Results" 73 | print """[ ] Scanned Files: %(Scanned files:)20s 74 | [ ] Include Success: %(Include success:)20s 75 | [ ] Time Elapsed: %(scantime)19ss 76 | 77 | [ ] Considered sinks: %(Considered sinks:)20s 78 | [ ] User-defined functions: %(User-defined functions:)20s 79 | [ ] Unique sources: %(Unique sources:)20s 80 | [ ] Sensitive sinks: %(Sensitive sinks:)20s 81 | 82 | [ ] Hits: %(hits)20s 83 | [ ] Categories: %(num_cats)20s"""%stats 84 | for c in stats.get("cats",[]): 85 | print " %50s"%("%s [+]"%c) 86 | errcode+=stats.get('hits',0) 87 | 88 | 89 | return errcode 90 | 91 | if __name__=='__main__': 92 | args, options = getargs() 93 | sys.exit(main(args,options)) 94 | 95 | 96 | -------------------------------------------------------------------------------- /windows/code.php: -------------------------------------------------------------------------------- 1 | 2 | . 16 | 17 | **/ 18 | 19 | include('../config/general.php'); 20 | 21 | // prepare output to style with CSS 22 | function highlightline($line, $line_nr, $marklines, $in_comment) 23 | { 24 | $tokens = @token_get_all(''); 25 | $output = (in_array($line_nr, $marklines)) ? 
'; 97 | return $in_comment; 98 | } 99 | 100 | // print source code and mark lines 101 | 102 | /* NOTE(review): $file and $_GET['lines'] come straight from the query string. The only gate before file($file) below is is_file() plus the $FILETYPES extension whitelist (presumably defined in the included config/general.php), so any readable file on the server with a listed extension can be displayed to whoever can reach this window -- it is not confined to the scanned project. If the RIPS UI is reachable from anywhere but localhost, resolve $file with realpath() and require it to lie below an allowed root before reading it; windows/function.php follows the same pattern. $marklines is only used with in_array() inside highlightline(), so it needs no further validation here. */ $file = $_GET['file']; 103 | $marklines = explode(',', $_GET['lines']); 104 | $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); 105 | 106 | 107 | if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) 108 | { 109 | $lines = file($file); 110 | 111 | // place line numbers in extra table for more elegant copy/paste without line numbers 112 | echo '
' : '
'; 26 | 27 | for($i=0; $i', '', $tokens[$i][1]); 35 | } 36 | if($tokens[$i] === '/' && $tokens[$i-1] === '*') 37 | { 38 | $in_comment = false; 39 | } 40 | 41 | if($i == count($tokens)-1 && $tokens[$i-1][0] !== T_CLOSE_TAG) 42 | $tokens[$i][1] = str_replace('?'.'>', '', $tokens[$i][1]); 43 | 44 | if($in_comment) 45 | { 46 | if($tokens[$i][1] !== '') 47 | { 48 | $trimmed = is_array($tokens[$i]) ? trim($tokens[$i][1]) : trim($tokens[$i]); 49 | $output .= ''; 50 | $output .= empty($trimmed) ? ' ' : htmlentities($trimmed, ENT_QUOTES, 'utf-8'); 51 | $output .= ''; 52 | } 53 | } 54 | else if($tokens[$i] === '/' && $tokens[$i-1] === '*') 55 | $output .= '*/'; 56 | else if (is_string($tokens[$i])) 57 | { 58 | $output .= ''; 59 | $output .= htmlentities(trim($tokens[$i]), ENT_QUOTES, 'utf-8'); 60 | $output .= ''; 61 | } 62 | else if (is_array($tokens[$i]) 63 | && $tokens[$i][0] !== T_OPEN_TAG 64 | && $tokens[$i][0] !== T_CLOSE_TAG) 65 | { 66 | if ($tokens[$i][0] !== T_WHITESPACE) 67 | { 68 | $text = ''; 82 | } 83 | else 84 | { 85 | $text = str_replace(' ', ' ', $tokens[$i][1]); 86 | $text = str_replace("\t", str_repeat(' ', 8), $text); 87 | } 88 | 89 | $output .= $text; 90 | } 91 | } 92 | 93 | if(strstr($line, '*/')) 94 | $in_comment = false; 95 | 96 | echo $output.'
'; 113 | for($i=1, $max=count($lines); $i<=$max;$i++) 114 | echo "'; 115 | echo '
$i
'; 116 | 117 | $in_comment = false; 118 | for($i=0; $i<$max; $i++) 119 | { 120 | $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment); 121 | } 122 | } else 123 | { 124 | echo ''; 125 | } 126 | ?> 127 |
Invalid file specified.
128 |
129 | -------------------------------------------------------------------------------- /windows/exploit.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | if(!empty($_GET['file'])) 19 | { 20 | $file = $_GET['file']; 21 | ?> 22 | 23 |
24 | 25 |
26 | #!/usr/bin/php -f
27 | <?php
28 | #
29 | # curl exploit
30 | #

31 |
32 | 33 |
34 |
35 |
36 |
general settings:
37 |
38 |
39 | 40 |
41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 |
URL:
COOKIEJAR:
Max Exec Time: (s)
SSL: BasicAuth:
59 |
60 |
61 | 62 | 70 | 71 |
72 |
73 |
parameter:
74 | 75 |
76 |
77 | 78 |
79 |
80 | 81 | \n", 90 | "\t\n", 91 | ''; 92 | } else 93 | { 94 | echo "\n\n"; 95 | } 96 | } 97 | ?> 98 |
$param:
You can taint \$_SERVER['$param'] by editing the target URL.
99 |
100 |
101 |
102 | 114 | 115 |   116 |

117 |
118 | 119 | 120 | ?> 121 |
122 | 129 | -------------------------------------------------------------------------------- /windows/function.php: -------------------------------------------------------------------------------- 1 | 2 | . 16 | 17 | **/ 18 | 19 | include('../config/general.php'); 20 | 21 | // prepare output to style with CSS 22 | function highlightline($line, $line_nr) 23 | { 24 | $tokens = @token_get_all(''); 25 | $output = "'; 54 | } 55 | 56 | // print function code 57 | 58 | $file = $_GET['file']; 59 | $start = (int)$_GET['start']; 60 | $end = (int)$_GET['end']; 61 | $ext = '.'.pathinfo($file, PATHINFO_EXTENSION); 62 | 63 | 64 | if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES)) 65 | { 66 | $lines = file($file); 67 | 68 | if( isset($lines[$start]) && isset($lines[$end]) ) 69 | { 70 | for($i=$start; $i<=$end; $i++) 71 | { 72 | echo highlightline($lines[$i], $i); 73 | } 74 | } else 75 | { 76 | echo ''; 77 | } 78 | } else 79 | { 80 | echo ''; 81 | } 82 | ?> 83 |
$line_nr   "; 26 | 27 | foreach ($tokens as $token) 28 | { 29 | if (is_string($token)) 30 | { 31 | $output .= ''; 32 | $output .= htmlentities($token, ENT_QUOTES, 'utf-8'); 33 | $output .= ''; 34 | } 35 | else if (is_array($token) 36 | && $token[0] !== T_OPEN_TAG 37 | && $token[0] !== T_CLOSE_TAG) 38 | { 39 | if ($token[0] !== T_WHITESPACE) 40 | { 41 | $text = ''; 42 | $text.= htmlentities($token[1], ENT_QUOTES, 'utf-8').''; 43 | } 44 | else 45 | { 46 | $text = str_replace(' ', ' ', $token[1]); 47 | $text = str_replace("\t", str_repeat(' ', 8), $text); 48 | } 49 | 50 | $output .= $text; 51 | } 52 | } 53 | return $output.'
Sorry, wrong file referenced.
Sorry, no file referenced.
84 | -------------------------------------------------------------------------------- /windows/help.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | include '../config/general.php'; 19 | include '../config/securing.php'; 20 | include '../config/sinks.php'; 21 | include '../config/tokens.php'; 22 | include '../config/sources.php'; 23 | include '../config/help.php'; 24 | include '../lib/printer.php'; 25 | 26 | $function = htmlentities($_GET['function'], ENT_QUOTES, 'utf-8'); 27 | $type = htmlentities($_GET['type'], ENT_QUOTES, 'utf-8'); 28 | $type = explode(" (", $type); 29 | $type = $type[0]; 30 | 31 | switch($type) 32 | { 33 | case $NAME_XSS: $HELP = $HELP_XSS; 34 | $FUNCS = $F_SECURING_XSS; 35 | break; 36 | case $NAME_HTTP_HEADER: $HELP = $HELP_HTTP_HEADER; 37 | $FUNCS = array(); 38 | break; 39 | case $NAME_SESSION_FIXATION: $HELP = $HELP_SESSION_FIXATION; 40 | $FUNCS = array(); 41 | break; 42 | case $NAME_CODE: $HELP = $HELP_CODE; 43 | $FUNCS = $F_SECURING_PREG; 44 | break; 45 | case $NAME_REFLECTION: $HELP = $HELP_REFLECTION; 46 | $FUNCS = array(); 47 | break; 48 | case $NAME_FILE_INCLUDE: $HELP = $HELP_FILE_INCLUDE; 49 | $FUNCS = $F_SECURING_FILE; 50 | break; 51 | case $NAME_FILE_READ: $HELP = $HELP_FILE_READ; 52 | $FUNCS = $F_SECURING_FILE; 53 | break; 54 | case $NAME_FILE_AFFECT: $HELP = $HELP_FILE_AFFECT; 55 | $FUNCS = $F_SECURING_FILE; 56 | break; 57 | case $NAME_EXEC: $HELP = $HELP_EXEC; 58 | $FUNCS = $F_SECURING_SYSTEM; 59 | break; 60 | case $NAME_DATABASE: $HELP = $HELP_DATABASE; 61 | $FUNCS = $F_SECURING_SQL; 62 | break; 63 | case $NAME_XPATH: $HELP = $HELP_XPATH; 64 | $FUNCS = $F_SECURING_XPATH; 65 | break; 66 | case $NAME_LDAP: $HELP = $HELP_LDAP; 67 | $FUNCS = $F_SECURING_LDAP; 68 | break; 69 | case $NAME_CONNECT: $HELP = $HELP_CONNECT; 70 | $FUNCS = array(); 71 | break; 72 | case $NAME_POP: $HELP = $HELP_POP; 73 | $FUNCS = array(); 74 | break; 75 | default: 76 | $HELP = array( 77 | 
'description' => 'No description available for this vulnerability.', 78 | 'link' => '', 79 | 'code' => 'Not available.', 80 | 'poc' => 'Not available.' 81 | ); 82 | break; 83 | } 84 | ?> 85 | 86 |


vulnerability concept:

sourcesinkvulnerability
    101 | $_GET'; 104 | if($_GET['post']) 105 | echo '
  • $_POST
  • ';; 106 | if($_GET['cookie']) 107 | echo '
  • $_COOKIE
  • '; 108 | if($_GET['files']) 109 | echo '
  • $_FILES
  • '; 110 | if($_GET['server']) 111 | echo '
  • $_SERVER
  • '; 112 | ?> 113 |

+

117 | '.$function.'()'; ?> 118 |

=


vulnerability description:



here."; ?>


vulnerable example code:


proof of concept:



patch:



related securing functions:

    142 | '.$func."\n"; 148 | } 149 | } else 150 | { 151 | echo 'None.'; 152 | } 153 | ?> 154 |
156 | -------------------------------------------------------------------------------- /windows/hotpatch.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | if(!empty($_GET['file'])) 19 | { 20 | $file = $_GET['file']; 21 | ?> 22 | 23 |
27 | 28 | Create mod_security rule. 29 | 30 | ' 35 | .'' 36 | .'' 37 | .''; 38 | } 39 | 40 | function creatediv($method, $name) 41 | { 42 | if(!empty($method)) 43 | { 44 | $method = htmlentities($method, ENT_QUOTES, 'utf-8'); 45 | ?> 46 | 47 |
parameter:
56 | 57 | \n", 65 | "\t", 66 | "\n", 67 | ''; 68 | } else 69 | { 70 | echo "\n\n"; 71 | } 72 | } 73 | ?> 74 |
$param:".getFilterOptions($method.$param)."
You can taint \$_SERVER['$param'] by editing the target URL.

108 | -------------------------------------------------------------------------------- /windows/leakscan.php: -------------------------------------------------------------------------------- 1 | . 15 | 16 | **/ 17 | 18 | ############################### INCLUDES ################################ 19 | 20 | include('../config/general.php'); // general settings 21 | include('../config/sources.php'); // tainted variables and functions 22 | include('../config/tokens.php'); // tokens for lexical analysis 23 | include('../config/securing.php'); // securing functions 24 | include('../config/sinks.php'); // sensitive sinks 25 | include('../config/info.php'); // interesting functions 26 | 27 | include('../lib/constructer.php'); // classes 28 | include('../lib/filer.php'); // read files from dirs and subdirs 29 | include('../lib/tokenizer.php'); // prepare and fix token list 30 | include('../lib/analyzer.php'); // string analyzers 31 | include('../lib/scanner.php'); // scan for sinks in token list 32 | include('../lib/printer.php'); // output scan result 33 | include('../lib/searcher.php'); // search functions 34 | 35 | ############################### MAIN #################################### 36 | 37 | $start = microtime(TRUE); 38 | 39 | $output = array(); 40 | $info = array(); 41 | $scanned_files = array(); 42 | 43 | if(!empty($_POST['loc'])) 44 | { 45 | $location = realpath($_POST['loc']); 46 | 47 | if(is_dir($location)) 48 | { 49 | $scan_subdirs = isset($_POST['subdirs']) ? 
$_POST['subdirs'] : false; 50 | $files = read_recursiv($location, $scan_subdirs); 51 | 52 | if(count($files) > WARNFILES && !isset($_POST['ignore_warning'])) 53 | die('warning:'.count($files)); 54 | } 55 | else if(is_file($location) && in_array(substr($location, strrpos($location, '.')), $FILETYPES)) 56 | { 57 | $files[0] = $location; 58 | } 59 | else 60 | { 61 | $files = array(); 62 | } 63 | 64 | // SCAN 65 | $user_functions = array(); 66 | $user_functions_offset = array(); 67 | $file_sinks_count = array(); 68 | $user_input = array(); 69 | 70 | $count_xss=$count_sqli=$count_fr=$count_fa=$count_fi=$count_exec=$count_code=$count_eval=$count_xpath=$count_ldap=$count_con=$count_other=$count_pop=$count_inc=$count_inc_fail=$count_header=0; 71 | 72 | $verbosity = 3; 73 | 74 | $scan_functions = array_merge($F_XSS, $F_HTTP_HEADER, $F_SESSION_FIXATION); 75 | $F_USERINPUT = array(); 76 | $V_USERINPUT = array($_POST['varname']); 77 | $F_SECURING_XSS = array(); 78 | $_POST['vector'] = 'client'; 79 | 80 | $overall_time = 0; 81 | $timeleft = 0; 82 | $file_amount = count($files); 83 | 84 | for($fit=0; $fit<$file_amount; $fit++) 85 | { 86 | // for scanning display 87 | $thisfile_start = microtime(TRUE); 88 | $file_scanning = $files[$fit]; 89 | 90 | echo ($fit) . '|' . $file_amount . '|' . $file_scanning . '|' . $timeleft . 
'|' ."\n"; 91 | @ob_flush(); 92 | flush(); 93 | 94 | $scan = new Scanner($file_scanning, $scan_functions, array(), array()); 95 | $scan->parse(); 96 | 97 | $overall_time += microtime(TRUE) - $thisfile_start; 98 | // timeleft = average_time_per_file * file_amount_left 99 | $timeleft = round(($overall_time/($fit+1)) * ($file_amount - $fit+1),2); 100 | } 101 | echo "STATS_DONE.\n"; 102 | @ob_flush(); 103 | flush(); 104 | } 105 | 106 | $elapsed = microtime(TRUE) - $start; 107 | 108 | ################################ RESULT ################################# 109 | 110 | $treestyle = $_POST['treestyle']; 111 | 112 | function checkLeak($tree, $line, $varname) 113 | { 114 | if($tree->children) 115 | { 116 | foreach ($tree->children as $child) 117 | { 118 | // really dirty :( 119 | if(preg_match("/$line:.*markVariable\('$varname/", $child->value)) 120 | return true; 121 | return checkLeak($child, $line, $varname); 122 | } 123 | } 124 | return false; 125 | } 126 | 127 | // check for line leaks found in vulnblock 128 | function lineLeakes($line, $var, $block) 129 | { 130 | foreach($block->treenodes as $tree) 131 | { 132 | if(checkLeak($tree, $line, $var)) 133 | return true; 134 | } 135 | return false; 136 | } 137 | 138 | if(!empty($output)) 139 | { 140 | $nr=0; 141 | reset($output); 142 | do 143 | { 144 | if(key($output) != "" && !empty($output[key($output)]) ) 145 | { 146 | foreach($output[key($output)] as $vulnBlock) 147 | { 148 | if(lineLeakes($_POST['line'], str_replace('$','',$_POST['varname']), $vulnBlock)) 149 | { 150 | $nr++; 151 | echo '
', 152 | '
Data Leak
', 154 | '
'; 155 | 156 | if($treestyle == 2) 157 | krsort($vulnBlock->treenodes); 158 | 159 | foreach($vulnBlock->treenodes as $tree) 160 | { 161 | echo '
',"\n", 162 | '
',"\n", 163 | '
'."\n", 167 | '

',"\n"; 169 | 170 | echo '
The return value of the sensitive sink is embedded into the HTML output.', 171 | '
',"\n"; 172 | 173 | if($treestyle == 1) 174 | traverseBottomUp($tree); 175 | else if($treestyle == 2) 176 | traverseTopDown($tree); 177 | 178 | echo '
  • ',"\n"; 179 | dependenciesTraverse($tree); 180 | echo '
',"\n", '
',"\n", '
',"\n"; 181 | } 182 | echo '
',"\n"; 183 | } 184 | } 185 | 186 | } 187 | } 188 | while(next($output)); 189 | } 190 | ?> 191 | --------------------------------------------------------------------------------