Error when trying to run
Hi,
I have downloaded the 0.4 release and when I run the following command, `php progpilot_v0.4.0.phar`, I get an error: Fatal error: Default value for parameters with a class type hint can only be NULL in phar:://test/php/docker/htdocs/progpilot_v0.4.0.phar/vendor/symfony/console/Application.php on line 85
Can anyone tell me what's wrong?
Hi, what version of PHP do you use?
https://github.com/designsecurity/progpilot/blob/master/docs/FAQ.md
The minimum version of PHP needed to run Progpilot is 7.0.25
Eric
It was the version in fact. I have updated to 7.1.22 and it works as expected.
Thanks a lot.
Is there any list of the vulnerabilities that progpilot can detect? I have a SQL injection vulnerability that it does not detect. Can it be because I'm using SQLite3 as a "database"?
To know and extend the list of vulnerabilities that progpilot can detect, you could look in each of the sinks.json and rules.json files in this folder and in the frameworks folder: https://github.com/designsecurity/progpilot/tree/master/package/src/uptodate_data/php
The documentation about these files: https://github.com/designsecurity/progpilot/blob/master/docs/SPECIFY_ANALYSIS.md and https://github.com/designsecurity/progpilot/blob/master/docs/CUSTOM_ANALYSIS.md
You could also share your code and I will look at why your SQL injection is not detected.
Eric
Thanks @eric-therond.
Here is the code that I'm using.
```php
$db = new SQLite3($DB_FILE_ABSOLUTE_PATH);
$password = $_POST['v_password'];
$username = $_POST['v_username'];
// ...
// The user-supplied username is concatenated straight into the SQL string
$sql = 'SELECT salt FROM users where username = \'' . $username . '\' limit 1';
$user = $db->querySingle($sql, true);
if (empty($user)) {
    //.........
    $db->close();
    return;
}
$hashedPassword = hash("sha256", "....");
// Same pattern for the second query: username and hash are concatenated in
$sql = 'SELECT username FROM users where username = \'' . $username . '\' and password = \'' . $hashedPassword . '\' limit 1';
$user = $db->querySingle($sql, true);
```
As you can see, I can perform SQL injection with the username field.
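Added example, not code from the issue or from progpilot: the same two lookups rewritten with SQLite3 prepared statements, run against a constructed in-memory table so it works without `$DB_FILE_ABSOLUTE_PATH` (the salt-plus-password hash input is an assumption, since the post elides it).

```php
<?php
// Added example (not from the issue or from progpilot): the lookups above
// rewritten with SQLite3 prepared statements, checked against an in-memory
// database so it runs without the original $DB_FILE_ABSOLUTE_PATH.

/** Fetch the salt for a username; the value is bound, never concatenated. */
function fetchSalt(SQLite3 $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT salt FROM users WHERE username = :u LIMIT 1');
    $stmt->bindValue(':u', $username, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row['salt'];
}

/** Look up a user by username and password hash, both as bound parameters. */
function findUser(SQLite3 $db, string $username, string $hashedPassword): ?string
{
    $stmt = $db->prepare(
        'SELECT username FROM users WHERE username = :u AND password = :p LIMIT 1'
    );
    $stmt->bindValue(':u', $username, SQLITE3_TEXT);
    $stmt->bindValue(':p', $hashedPassword, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row['username'];
}

// Constructed sample data; hashing salt . password is an assumption, since
// the issue elides the real hash input.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE users (username TEXT, salt TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (:u, :s, :p)');
$ins->bindValue(':u', "o'brien", SQLITE3_TEXT);
$ins->bindValue(':s', 'constructed-salt', SQLITE3_TEXT);
$ins->bindValue(':p', hash('sha256', 'constructed-salt' . 'example-password'), SQLITE3_TEXT);
$ins->execute();

// A username containing a quote is exactly the input on which the concatenated
// query in the issue stops being the query the author wrote; here it is data.
$username = "o'brien";
$salt = fetchSalt($db, $username);
$user = findUser($db, $username, hash('sha256', $salt . 'example-password'));
echo $user === null ? "login failed\n" : "login ok for {$user}\n";
$wrong = findUser($db, $username, hash('sha256', $salt . 'not-the-password'));
echo $wrong === null ? "wrong password rejected\n" : "unexpected match\n";
$db->close();
```

A static analyser such as progpilot flags the concatenated form because tainted `$_POST` data reaches the `querySingle` sink; with bound parameters the query text never carries user input, so there is nothing for the taint to flow into.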
Thanks for the bug report. SQLite3 was not supported, and there was also another bug. I have used your code as a new test case: https://github.com/designsecurity/progpilot/blob/master/projects/tests/tests/data/sink9.php
It's fixed; you could fetch the latest version of progpilot. If everything is OK you can close the issue, and don't hesitate to test Progpilot deeper.
Eric