Skip to content
Static Php Analysis and Fuzzer
Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
LICENSE
README.md
fuzz.py
logHandler.py
main.py
static_scan.py PEP8 Apr 22, 2014

README.md

spaf

Static Php Analysis and Fuzzer

Description :

This tool WILL NOT sploit any php scripts for you. It's a recon and helper tool for preparing pentest on local environment.

The aim of this tool is to identify every entry points of scripts (user-controlled inputs). The included fuzzer send random printable data on each entry point, and then display every triggered logs.

Input arguments :

usage: main.py [-h] -d FOLDER [-f] [-o OUTPUT] [-c COOKIES] [-n NB_TESTS] -u URL [-r] [-l LOG_FILE]

- h, --help : show this help message and exit
- d FOLDER, --directory : Php script folder matching the -u argument
- f, --fuzz : Perform fuzzing on every entry point (optional)
- o OUTPUT, --output : output type (pretty or json)
- c COOKIES, --cookies : cookies to use durng fuzzing (ex : PHPSESSID=1234567890&logged=true )
- n NB_TESTS, --nbtests : Number of random string to send during the fuzzing
- u URL, --url URL : Url matching folder value
- r, --recursive : Recursive file search in folder
- l LOG_FILE, --logfile : If you want to display logs errors triggered by fuzzing, put your error.log full path here

Usage :

####List entry points :

foo@bar ~/spaf> ./main.py -d "/var/www/exemple_script/" -r

[*] Start static scan
[+] /var/www/exemple_script/admin/gauche.php
 | [GET] line 54 : f_sid
[+] /var/www/exemple_script/languages/russian.php
 | [GET] line 168 : id_modif
[+] /var/www/exemple_script/admin/titre.php
 | [GET] line 18 : lang_edit
 | [POST] line 36 : save

####Fuzz entry points :

foo@bar ~/spaf> ./main.py -d "/var/www/exemple_script/" -u "http://localhost/exemple_script/" -r -l "/var/log/apache2/error_log" -f

[*] Start static scan
[*] Start fuzzing
2%
[...]
100%
[+] 200 get : http://localhost/exemple_script/admin/gauche.php
 |
 | f_sid : 0x65492634475f4b355b57456056492a633a51556b6f6f4051335d475279623c3a

[+] 200 get : http://localhost/exemple_script/languages/russian.php
 |
 | id_modif : 0x3124560a5d7343765467295d3d4261447d49273d205f725073606576685b6a4a
 |
 |- logs :
 |
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Stack trace:
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP   1. {main}() /var/www/exemple_script/languages/russian.php:0
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Notice:  Undefined variable: chem_absolu in /var/www/exemple_script/languages/russian.php on line 48
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Stack trace:
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP   1. {main}() /var/www/exemple_script/languages/russian.php:0
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Notice:  Undefined variable: exemple_script_ext in /var/www/exemple_script/languages/russian.php on line 94
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Stack trace:
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP   1. {main}() /var/www/exemple_script/languages/russian.php:0
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Notice:  Undefined variable: exemple_script_version in /var/www/exemple_script/languages/russian.php on line 307
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Stack trace:
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP   1. {main}() /var/www/exemple_script/languages/russian.php:0
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Notice:  Undefined variable: exemple_script_version in /var/www/exemple_script/languages/russian.php on line 308
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Stack trace:
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP   1. {main}() /var/www/exemple_script/languages/russian.php:0
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Notice:  Undefined variable: exemple_script_version in /var/www/exemple_script/languages/russian.php on line 309
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Stack trace:
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP   1. {main}() /var/www/exemple_script/languages/russian.php:0
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Notice:  Undefined variable: exemple_script_version in /var/www/exemple_script/languages/russian.php on line 525
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP Stack trace:
 | [Thu Apr 10 14:17:47 2014] [error] [client 127.0.0.1] PHP   1. {main}() /var/www/exemple_script/languages/russian.php:0

[+] 200 post : http://localhost/exemple_script/admin/titre.php
 |
 | save : 0x6539402e583e2b2f5b61724a09357b456b386e5b5b63552a447d232963283453

[+] 200 get : http://localhost/exemple_script/admin/titre.php
 |
 | lang_edit : 0x6539402e583e2b2f5b61724a09357b456b386e5b5b63552a447d232963283453

License :

"THE BEER-WARE LICENSE" (Revision 42):
ganapati@kalkulators.org> wrote this file. As long as you retain this notice you
can do whatever you want with this stuff. If we meet some day, and you think
this stuff is worth it, you can buy me a beer in return. Ganapati
You can’t perform that action at this time.