
Use PHP Parser and other library.

Status: Open. Rivendall opened this issue 9 years ago • 3 comments

Hello.

You said in your document that you use PHP Parser and parse the code after analysis. PHP Parser is not able to recognize include, require and similar expressions. I want to know, how does your program recognize paths? Did you use another library or tool, or did you develop this part in your app?

Thank you.

Rivendall, Jan 23 '17 06:01

I use only PHP-Parser and it works just fine for my needs. I didn't have a need to use another parser, so I can't comment on other tools.

This tool analyzes the files one by one, by searching for them in the specified directory (all files it can find that have the php extension). It does not read include and require clauses.

emanuil, Jan 24 '17 14:01

Thank you for your answer. I understand, but I have a question. Suppose we have a directory with 2 php files, for example test.php and vars.php, as follows. test.php:

<?php
class mytest
{
    public function test1($b)
    {
        $sql = ("SELECT user FROM users WHERE id = " . $b); // $b is concatenated straight into the query
        $connection->execute($sql);
    }
}
// SQL Injection
$id = $_POST['id'];
$b = $id;
(new mytest())->test1($b); // test1() is a method, so it must be called on an instance
?>

If I use this command: php php-reaper.php -f E:\test\proj\test.php the result is: Potential SQL injections in file E:\test\proj\test.php line: 7

It's true. Now, if test.php is:

<?php
class mytest
{
    public function test1($b)
    {
        $sql = ("SELECT user FROM users WHERE id = " . $b);
        $connection->execute($sql);
    }
}
$b = 2; // constant argument at file level
(new mytest())->test1($b); // test1() is a method, so it must be called on an instance
?>

Then it finds SQLi, but it's false, because $b is const. And now, vars.php:

<?php
include "test.php";

$b = $_GET['number'];
$testObject = new mytest();
$testObject->test1($b);
?>

With this command: php php-reaper.php -d E:\test\proj it doesn't find the reference to the vulnerability in vars.php, and it doesn't find SQLi in the code below:

$name = $_GET['username'];
$query = "SELECT password FROM tbl_user WHERE name = '$name' "; // $name interpolated into the query string
echo $query;

How does it search for this sample? And how does it find references of input for a vulnerability? Does it find references? Or no, on every line where there is any SQL query with any variables, it says it is vulnerable?

Thank you.

Rivendall, Jan 25 '17 05:01

Thank you for the example.

Since PHP is a very dynamic language, using static analysis it's complicated (impossible?) to figure out from where a call to a method has been made.

Because of this, PHP-Reaper only checks for constants within the method itself, or within the class of the method.

In your second example file, yes, for that specific case there is no SQL injection, but the vulnerability is still there. If test1() is called without a constant from somewhere else, then you'll still have SQL injection.

PHP-Reaper tries to play it safe and will warn you, because even if you don't have a problem now, if you don't fix test1(), you'll have a problem in the future.

emanuil, Feb 09 '17 15:02
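As an added illustration of the heuristic emanuil describes (this is not PHP-Reaper's own code), the PHP-Parser visitor below reports a string starting with an SQL keyword concatenated with a variable unless that variable was assigned a literal inside the same method, scans each .php file of a directory on its own and never follows include/require. It assumes nikic/php-parser v4 installed via Composer and is invoked as `php check.php <dir>`; the class and keyword list are my own choices.

```php
<?php
// Added example, not PHP-Reaper's own code. Assumes nikic/php-parser v4 via Composer.
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;

final class SqlConcatVisitor extends NodeVisitorAbstract
{
    /** @var array<string,true> variables assigned a literal in the current method */
    private $literals = [];
    /** @var string[] */
    public $findings = [];

    public function enterNode(Node $node)
    {
        // Entering a method or function: forget everything known about variables,
        // so a literal assigned at file level (the "$b = 2" case) never counts as safe here.
        if ($node instanceof Node\Stmt\ClassMethod || $node instanceof Node\Stmt\Function_) {
            $this->literals = [];
        }
        // "$x = <number or plain string literal>;" is the only form accepted as a constant.
        if ($node instanceof Node\Expr\Assign
            && $node->var instanceof Node\Expr\Variable && is_string($node->var->name)
            && ($node->expr instanceof Node\Scalar\LNumber || $node->expr instanceof Node\Scalar\String_)) {
            $this->literals[$node->var->name] = true;
        }
        // "SELECT ... " . $var  -> report unless $var is a known literal in this scope.
        if ($node instanceof Node\Expr\BinaryOp\Concat
            && $node->left instanceof Node\Scalar\String_
            && preg_match('/^\s*(select|insert|update|delete)\b/i', $node->left->value)
            && $node->right instanceof Node\Expr\Variable && is_string($node->right->name)
            && !isset($this->literals[$node->right->name])) {
            $this->findings[] = sprintf('line %d: $%s flows into SQL', $node->getLine(), $node->right->name);
        }
        return null;
    }
}

$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
// Every .php file is analysed on its own; include/require are not followed.
foreach (glob(rtrim($argv[1], '/\\') . '/*.php') as $file) {
    $visitor = new SqlConcatVisitor;
    $traverser = new NodeTraverser;
    $traverser->addVisitor($visitor);
    $traverser->traverse($parser->parse(file_get_contents($file)));
    foreach ($visitor->findings as $f) { echo "Potential SQL injection in $file $f\n"; }
}
```

On the thread's test.php this reports the concatenation line rather than the execute() line, and an interpolated string such as `"... name = '$name' "` is a separate node type (Scalar\Encapsed) that this visitor does not inspect, which matches what Rivendall observed for that case.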