Grepping for bugs in PHP

Today I used the following commands to grep through PHP source code to find some bugs. I thought they might be useful to someone else, so I am sticking them on here. This list is by no means exhaustive; however, these are the ones I found most useful.

Find user input/output for possible XSS:

grep -i -r "echo" *
grep -i -r "\$_GET" *
grep -i -r "\$_" * | grep "echo"
grep -i -r "\$_GET" * | grep "echo"
grep -i -r "\$_POST" * | grep "echo"
grep -i -r "\$_REQUEST" * | grep "echo"

Find potential command execution:

grep -i -r "shell_exec(" *
grep -i -r "system(" *
grep -i -r "exec(" *
grep -i -r "popen(" *
grep -i -r "passthru(" *
grep -i -r "proc_open(" *
grep -i -r "pcntl_exec(" *

Find potential code execution:

grep -i -r "eval(" *
grep -i -r "assert(" *
grep -i -r "preg_replace" * | grep "/e"
grep -i -r "create_function(" *

Find potential SQL injection:

grep -i -r "\$sql" *
grep -i -r "\$sql" * | grep "\$_"

Find potential information disclosure:

grep -i -r "phpinfo" *

Find potential development functionality:

grep -i -r "debug" *
grep -i -r -F "\$_GET['debug']" *
grep -i -r -F "\$_GET['test']" *

(-F makes grep match the brackets literally; without it, grep reads ['debug'] as a character class and the pattern never matches the real array access.)

Find potential file inclusion:

grep -i -r "file_include" *
grep -i -r "include(" *
grep -i -r "require(" *
grep -i -r "require(\$file)" *
grep -i -r "include_once(" *
grep -i -r "require_once(" *
grep -i -r "require_once(" * | grep "\$_"

Other:

grep -i -r "header(" * | grep "\$_"
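One way to run the whole checklist above in a single pass, as an added example that is not part of the original post: each category becomes one extended regex, every hit is printed with its file and line, and a hit is flagged "tainted" when a request superglobal appears on the same line (a cheap same-line sink/source check, not real data-flow analysis). It assumes GNU or BSD grep with -E, --include and --exclude-dir, sources named *.php, and a vendor/ directory of third-party code to skip.

```shell
#!/bin/sh
# Added example (not from the original post). One pass over a PHP tree that prints
# every dangerous sink the post greps for, tagged with its category, and flags the
# hit as "tainted" when a request superglobal sits on the same source line.
# Assumptions: GNU/BSD grep with -E/--include/--exclude-dir, sources end in .php,
# and a vendor/ directory holds third-party code worth skipping.

# Usage: php_sink_scan DIR  ->  lines of "category|tainted-or-unflagged|file:line:text"
php_sink_scan() {
    dir=${1:-.}
    # first word is the category, the rest of the line is an ERE for grep -E
    while read -r category pattern; do
        grep -r -n -i -E --include='*.php' --exclude-dir=vendor -e "$pattern" "$dir" 2>/dev/null |
        while IFS= read -r hit; do
            case $hit in
                *'$_GET'*|*'$_POST'*|*'$_REQUEST'*|*'$_COOKIE'*) flag=tainted ;;
                *) flag=unflagged ;;
            esac
            printf '%s|%s|%s\n' "$category" "$flag" "$hit"
        done
    done <<'EOF'
xss echo|print\(
command (shell_exec|system|exec|popen|passthru|proc_open|pcntl_exec)\(
code (eval|assert|create_function)\(|preg_replace[^;]*/e['"]
sqli \$sql
info phpinfo\(
debug \$_(GET|POST|REQUEST)\[['"](debug|test)['"]\]
include (include|require)(_once)?[ (]
other header\(
EOF
}

# Writes a constructed PHP file (sample input, not real project code) into a
# fresh temp dir and prints that dir so the scan can be tried offline.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/page.php" <<'EOF'
<?php
echo $_GET['name'];                                   // reflected, unencoded
$sql = "SELECT * FROM t WHERE id=" . $_POST['id'];    // string-built query
system($cmd);                                         // sink, origin of $cmd unknown
if (isset($_GET['debug'])) { phpinfo(); }             // leftover debug switch
include($_REQUEST['page'] . '.php');                  // request-controlled include
EOF
    printf '%s\n' "$d"
}

php_sink_scan "$(make_sample)"
```

An "unflagged" hit is not a clean one: system($cmd) above still needs $cmd traced back by hand, which is exactly the limit of grepping that the post's edit about RIPS points at.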

References:
http://stackoverflow.com/questions/3115559/exploitable-php-functions
http://www.bonsai-sec.com/blog/index.php/using-grep-to-find-0days/

EDIT
@securityninja pointed out the RIPS scanner; I can confirm that it is awesome and does the above plus a lot more! (damn ninjas! ;)

Posted on 1 February, 2011 by ethicalhack3r

7 Responses to “Grepping for bugs in PHP”


  1. Andrew Waite


    Nice list, thanks for sharing with the rest of us.

    Question (if you can answer ;)): how good are the results you've had with this compared to other analysis methods?

    –Andrew Waite


    Comment posted on February 1, 2011 at 15:46:23 BST

  2. admin


    @Andrew – To be honest, I hardly ever do any 'whitebox' source code reviews. I think this method, however, is a good start to get an overview of the application and coding style. I would then move on to automated source code review tools (don't know which are best). Either way, to do a thorough application assessment I think a mixture of white/black box testing is required (gray?).


    Comment posted on February 1, 2011 at 15:52:54 BST

  3. Finding Bugs in PHP Using Grep |  InfoSec Resources


    [...] For further grep vulnerability finding commands please see my original post on the subject located on my personal blog: http://www.ethicalhack3r.co.uk/security/greping-for-bugs-in-php/ [...]


    Comment posted on March 31, 2011 at 15:52:18 BST

  4. PHP Code Review | Gianni Amato


    [...] should you find yourself in the same situation as me, this solution could be a good starting point. For reference, I reproduce the grep syntax below [...]


    Comment posted on May 21, 2011 at 11:50:56 BST

  5. lionaneesh


    Thanks for sharing.


    Comment posted on June 15, 2011 at 08:52:37 BST

  6. lionaneesh


    By the way! Can you suggest some more tactics to us? As grepping would not be enough!


    Comment posted on June 15, 2011 at 11:09:32 BST

  7. Grepping for bugs in PHP | National Cyber Security


    [...] Grepping for bugs in PHP [...]


    Comment posted on July 8, 2011 at 02:34:42 BST