-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
12 lines (12 loc) · 1.39 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
I encountered this situation in a whitebox pentest. The entire web application was written in PHP and had numerous SQLi vulenrabilities. However, I needed to see every place where the SQLi could be exploited (see the scale of the vuln), and the vulnerable code was included all over the web app.
Specifically, I discovered a file at code_base/functions/title.php that had the following code:
<?php if (isset($_GET["val"]))
{
$title = selections("select * from menus where id = ".$_GET["val"]);
$title2 = mysql_fetch_array($title);
?>
In this case, a URL variable of "val" would be passed, unsanitized, into a SQL Query. This meant that title.php was vulnerable to SQLi. However, it got worse. Numerous other files included title.php in code like this:
<? include("../functions/title.php"); ?>
And then other files included THOSE files that included title.php, and so on and so forth. So I wrote this script to scrub a PHP codebase and figure out how far a vulnerability spread via include()/require()/include_once()/require_once() statements.
This script, infection_spread.py does exactly that. To use, you need to change the ROOT_DIR global var to reflect where your codebase is and change the SEARCH_STRING global var to reflect the full path to the vulnerable code file.
The script will run, and will output the list of infected files into infected_files.txt, indented to show where the infection spread from.