8

I'm automating a script which searches through all php files on a big site for dangerous commands. The files which are found will be manually code reviewed.

Does anyone have any recommendations for my script? Is there anything I've forgotten to search for? Please note that this script was put together in 10 minutes, so I'm sure there are a lot of improvements that can be done in order to make it easier and better (like multiple egrep arguments).

# -F takes "(" and "$" literally (in grep's default regex a trailing "$" is an
# end-of-line anchor, so "require($" only ever matched "require(" at the end of
# a line, never a dynamic include); -name '*.php' with -print0/-0 restricts the
# scan to PHP files and keeps paths with spaces intact; -H always prints the file name.
find . -name '*.php' -print0 | xargs -0 grep -sFH "eval(" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "fopen(" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "passthru(" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "exec(" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "proc_" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "dl(" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "require($" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "require_once($" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "include($" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "include_once($" >> /tmp/review.txt
find . -name '*.php' -print0 | xargs -0 grep -sFH "query(" >> /tmp/review.txt
Chris Dale
    Are you doing a review of code developed in-house, or on a hosted environment? – Scott Pack Dec 10 '10 at 14:22
  • Hmmm, I thought ChrisAD wants to find dangerous scripts or backdoors in his site, am I right? If this topic is about code review, then it should be edited and then that's completely another story. –  Dec 10 '10 at 14:34
  • Yes. Sorry for the misunderstanding, but this is about a quick and dirty code review – Chris Dale Dec 10 '10 at 15:12

4 Answers

8

This list is definitely not enough. First of all, it is not complete; secondly, different obfuscation methods can be used to hide web shells and other malicious scripts.

For such purposes, a long time ago I wrote my own PHP script to look for dangerous places: http://0x416d73.name/proj/fcc.html. It is written in PHP, so don't expect it to be as fast as the "find" command. Though, it allows you to check file hashes and to see which files have appeared, are missing or have changed. I advise you to test it first against some small script, just to get a feel for how it works, before running it on a production server. Also, specifically for searching for vulnerabilities in PHP code, some time ago I put together a simple bash script - http://privatepaste.com/88a5d5eaa3. It is not complete and might require tuning and criticism from bash gurus :)

If you want to continue with your own script, here is a nice list from which you can extract what you need: http://privatepaste.com/dc335ccb86.

Updated: as it turned out, the topic is about code review. The above-mentioned solutions still make sense, but then I would also like to mention this project: http://sourceforge.net/projects/rips-scanner/. To my mind, it is currently the best freely available source code analyzer for PHP web applications.

    All but the last link in this post are gone. I would recommend Scott Pack's post over anything said in this one. – sholsinger Jul 31 '12 at 13:10
5

While I do not have direct experience using static analysis tools on PHP, it looks like there are a number of tools, both open source and commercial, available for use.

Briefly, it looks like PHPLint should be fairly quick and easy to use. My interpretation indicates that it operates pretty similarly to lint/splint for C, which I have used and was pleased with.

OpenSource

Commercial

Scott Pack
3

I'm not a PHP whiz, so I don't have much to add in the way of additional things to look for, but you should note that any kind of random whitespace will mess up your findings.
E.g.

fopen  ( 

won't be found...

AviD
    Very good point AviD. I double checked in some of the code, and in some places there is a space between the function name and the bracket. – Chris Dale Dec 13 '10 at 07:52
  • You definitely should *NOT* be doing this with grep. You should use an actual PHP tokenizer, not a pattern match. (PHP Code Sniffer operates on the token stream, not the source code.) – Mark E. Haase Jan 18 '12 at 13:31
  • Oh, I agree. That was kind of my point, subtle as it was... – AviD Jan 18 '12 at 20:49
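The question's per-function grep loop, rewritten as a single whitespace-tolerant pass so that the `fopen  (` case from this answer is still found. This is an added shell example, not code from the question or from any answer. It assumes find with -print0, xargs -0 and a grep that accepts -E with POSIX character classes (GNU and BSD both do). The name list is the question's plus extract() (flagged in another answer on this page) and the usual shell-spawning functions system, shell_exec, popen and proc_open, which are my own addition. It is still a pattern match, not the tokenizer the comment above asks for: a call whose function name is held in a variable, or code assembled at runtime, will not show up in its output.

```shell
#!/bin/sh
# Added example, not code from the question or any answer on this page.
# One grep pass over every *.php file under a directory, printing
# path:line:text for each call site worth a manual look.  Compared with the
# per-function loop in the question it:
#   - selects files with -name '*.php' and passes them via -print0/-0, so
#     only PHP files are read and paths containing spaces survive;
#   - tolerates any whitespace between the name and "(", so "fopen  ("
#     is still reported;
#   - requires a non-identifier character before the name, so "myeval("
#     is not reported while "shell_exec(" is listed explicitly;
#   - flags require/include only when a variable follows, which is what the
#     question's "require($" patterns were trying to express.
# Assumed tools: find -print0, xargs -0, grep -E with POSIX classes.
# The name list extends the question's (see the lead-in); adjust to taste.

CALLS='eval|exec|shell_exec|system|passthru|popen|proc_open|dl|fopen|extract|query'

# Name preceded by start of line or a non-identifier character, then
# optional whitespace, then "(".  Bracketing "(" avoids escaping issues.
CALL_RE="(^|[^[:alnum:]_])($CALLS)[[:space:]]*[(]"

# require/include (optionally _once), optional "(", optional quote, then a
# "$": an include path built from a variable or an interpolated string.
INC_RE="(^|[^[:alnum:]_])(require|include)(_once)?[[:space:]]*[(]?[[:space:]]*[\"']?[\$]"

# scan_php DIR: print every hit as path:line:text on stdout.  The exit
# status is that of xargs (non-zero as soon as one grep batch has no hit),
# so rely on the output, not on the status.
scan_php() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 grep -nHsE -e "$CALL_RE" -e "$INC_RE"
}

# Stand-alone use: sh scan.sh /var/www > /tmp/review.txt
if [ "$#" -gt 0 ]; then
    scan_php "$1"
fi
```

Redirect the output to a file as the question does (`scan_php /var/www > /tmp/review.txt`); the file:line prefix lets the reviewer jump straight to each hit. Word-boundary anchoring means "exec" alone no longer catches "shell_exec" or "pcntl_exec", which is why those belong in CALLS by name rather than relying on a substring match.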
2

I think extract is also a dangerous language construct. (Although it's more rarely used than eval(), so not many people realize it.)

You can also try using PHP Code Sniffer and writing these as your own 'sniffs'. Here's one I wrote for an open source project I work on.

Mark E. Haase