Grepping for bugs in PHP

Today I used the following commands to grep through PHP source code to find some bugs. I thought they may be useful to someone else so I thought I would stick them on here. This list is by no means extensive however they are the ones I found most useful.

Find user input/output for possible XSS:

grep -i -r “echo” *
grep -i -r “\$_GET” *
grep -i -r “\$_” * | grep “echo”
grep -i -r “\$_GET” * | grep “echo”
grep -i -r “\$_POST” * | grep “echo”
grep -i -r “\$_REQUEST” * | grep “echo”

Find potential command execution:

grep -i -r “shell_exec(” *
grep -i -r “system(” *
grep -i -r “exec(” *
grep -i -r “popen(” *
grep -i -r “passthru(” *
grep -i -r “proc_open(” *
grep -i -r “pcntl_exec(” *

Find potential code execution:

grep -i -r “eval(” *
grep -i -r “assert(” *
grep -i -r “preg_replace” * | grep “/e”
grep -i -r “create_function(” *

Find potential SQL injection:

grep -i -r “\$sql” *
grep -i -r “\$sql” * | grep “\$_”

Find potential information disclosure:

grep -i -r “phpinfo” *

Find potential development functionality:

grep -i -r “debug” *
grep -i -r “\$_GET['debug']” *
grep -i -r “\$_GET['test']” *

Find potential file inclusion:

grep -i -r “file_include” *
grep -i -r “include(” *
grep -i -r “require(” *
grep -i -r “require(\$file)” *
grep -i -r “include_once(” *
grep -i -r “require_once(” *
grep -i -r “require_once(” * | grep “\$_”

Other:

grep -i -r “header(” * | grep “\$_”

References:
http://stackoverflow.com/questions/3115559/exploitable-php-functions
http://www.bonsai-sec.com/blog/index.php/using-grep-to-find-0days/

EDIT
@securityninja pointed out the RIPS scanner, I can confirm that it is awesome and does the above plus a lot more! (damn ninjas! ;)

8 thoughts on “Grepping for bugs in PHP

  1. Andrew Waite

    Nice list, thanks for sharing with the rest of us.

    Question (if you can answer ;) ) how good are the results you’ve had with this compared to other analysis methods?

    –Andrew Waite

  2. admin Post author

    @Andrew – To be honest I hardly ever do any ‘whitebox’ source code reviews. I think this method however is a good start to get an overview of the application and coding style. I would then move onto automated source code review tools (don’t know which are best). Either way to do a thorough application assessment I think a mixture of white/black box testing is required (gray?).

  3. Pingback: Finding Bugs in PHP Using Grep |  InfoSec Resources

  4. Pingback: PHP Code Review | Gianni Amato

  5. Pingback: Grepping for bugs in PHP | National Cyber Security

Comments are closed.