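#!/usr/bin/env bash
#
# codeAudit.sh - grep-based hotspot finder for PHP and Java source trees.
#
# Usage:
#   codeAudit.sh <source-dir>
#
# Lists every occurrence of functions and classes that are commonly the sink
# of XXE, command injection, insecure deserialization, file inclusion / file
# read, SQL injection, SSRF and Spring EL injection. It is a triage aid, not
# a scanner: every hit has to be read by hand to decide whether the data that
# reaches the call is attacker-controlled, and "no hits" does not mean "no
# bug" (wrappers, dynamic calls and reflection are invisible to grep).
#
# The script only reads the tree and writes to stdout; it must never modify
# the host it runs on (the previous revision ended in bare note lines that
# bash executed as commands, among them `sudo postmap` and `sudo tail -f`).
#
# Deliberately no `set -e`: grep exits 1 whenever a pattern has no match,
# which is the normal case here and must not abort the run.

div='------------------------------------'

usage() {
  printf 'Usage: %s <source-dir>\n' "${0##*/}" >&2
  exit 2
}

# $1 is the tree to audit. The original `grep -r ... $1/.` with a missing
# argument silently scanned "/." (the whole filesystem), so refuse to run
# without a real directory.
[[ $# -ge 1 ]] || usage
dir=$1
if [[ ! -d "$dir" ]]; then
  printf '[-] Not a directory: %s\n' "$dir" >&2
  exit 2
fi

# section TITLE
# Print a section banner (two blank lines, "[*] TITLE", divider).
section() {
  echo
  echo
  printf '[*] %s\n' "$1"
  echo "$div"
}

# scan PATTERN...
# For each PATTERN print a "[!] Checking" line and list every match in the
# tree as file:line:text. Patterns are basic regexes (plain grep), as in the
# original: '(' is literal, '.' matches any character.
#   -n  line numbers, so hits can be triaged without reopening the file
#   -I  skip binary files (jars, images) that only print "Binary file matches"
#   --  end option parsing, so a pattern starting with '-' is not an option
scan() {
  local pattern
  for pattern in "$@"; do
    printf '[!] Checking %s...\n' "$pattern"
    grep -rnI -- "$pattern" "$dir"
    echo
  done
}

section 'Checking PHP with Regex:'
# Very broad call inventory. `*?` is NOT a lazy quantifier in ERE (grep -E),
# so this effectively matches anything of the form name(...). Expect a lot of
# output; it is a starting point for reading the code, not a finding list.
grep -rnIE -- '(\w*{0}\w*)\(.*?\)' "$dir"

section 'Checking PHP for Possible XXE:'
# simplexml_load_string/simplexml_load_file parse XML just like DOMDocument.
scan 'loadXML' 'DOMDocument' 'simplexml_load'

section 'Checking PHP Command Injection:'
# Substring matches are intentional ("exec" also catches shell_exec,
# pcntl_exec, curl_exec ...); the noise is cheaper than a miss.
scan 'eval' 'system' 'shell_exec' 'exec' 'passthru' 'popen' 'proc_open'

section 'Checking PHP Deserialization:'
scan 'unserialize'

section 'Checking PHP File Inclusion / File Read:'
# The PHP function is file_get_contents; the previous "get_file_contents"
# pattern could never match. It doubles as an SSRF sink when given a URL.
scan 'file_get_contents' 'readfile' 'include' 'require'

section 'Checking PHP SQL Injection:'
# "mysql_query" does not match "mysqli_query", so both are listed; '->query('
# catches PDO/mysqli object-style calls with a string-built query.
scan 'mysql_query' 'mysqli_query' 'pg_query' 'odbc_exec' 'mssql_query' '->query('

section 'Checking PHP SSRF:'
scan 'curl_setopt' 'curl_exec'

echo
echo "$div"
echo '....JAVA CHECKS....'
echo "$div"

section 'XXE'
# StAX (XMLInputFactory), XSLT (TransformerFactory) and XMLReader resolve
# external entities by default just like DocumentBuilderFactory/SAXParser.
scan 'DocumentBuilderFactory' 'SAXParser' 'SAXParserFactory' \
  'XMLInputFactory' 'TransformerFactory' 'XMLReader'

section 'Command Injection'
# The idiomatic call is Runtime.getRuntime().exec(...), which the old
# "Runtime.exec" pattern never matched; look for getRuntime and any ".exec(".
scan 'getRuntime' '\.exec(' 'ProcessBuilder'

section 'Deserialization'
# The class is ObjectInputStream (the old "InputObjectStream" never matched).
scan 'ObjectInputStream' 'readObject' 'XMLDecoder' 'XStream'

section 'Spring Boot Expression Language Injection'
# StandardEvaluationContext is the context that lets SpEL reach arbitrary
# classes; SimpleEvaluationContext is the restricted alternative.
scan 'SpelExpressionParser' 'StandardEvaluationContext'

echo
echo "$div"
echo '[*] Done. Every hit above needs manual review of the data flow.'
echo "$div"

# ---------------------------------------------------------------------------
# MORE THINGS TO IMPLEMENT (working notes, kept as comments on purpose —
# they were bare lines before and bash tried to execute them, which ran
# stray commands on the auditor's machine, including sudo ones).
#
#   real_escape_string, queryDB, query, sql, sanitize
#   grep for url variables related to sensitive requests
#   php display_errors directive: /etc/php5/apache2/php.ini  display_errors = On
#   # $_user_location = 'public';
#   var names like `query` or `qry` or functions containing the word `search`
#   can explain how the application handles user-controlled data
#   search for `function *search*` or `function .*search.*`
#   DB logging: sudo tail -f /var/log/mysql/mysql.log
#   PHP Magic Quotes have been deprecated since version 5.4.0
#   session tokens are interesting to keep track of
#   setting up a server to use another server as its dedicated mail server:
#     sudo cat /etc/postfix/transport
#     ...
#     offsec.local smtp:[192.168.121.106]:587
#     ...
#     sudo postmap /etc/postfix/transport
#   Java web applications use a deployment descriptor file named `web.xml`
#   to determine how URLs map to servlets, which URLs require auth, etc.
#   Java in jar files -> grep -ir '^.*?query.*?select.*?' . --color
# ---------------------------------------------------------------------------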