PHP - Website Security Tester Bot


Sometimes you have a finished website but no idea how secure it is, or no time to check every page by hand. This PHP "security tester bot" crawls a site and fires a handful of canned injection probes at each page it finds. Be aware of what it actually does: it sends real payloads (marker script tags and SQL tautologies such as ' OR '1'='1') to every form and URL parameter it discovers, and it fetches whatever address you type into it. Only ever point it at a development copy of a site you own, and do not leave the script itself on a server that other people can reach, because anyone who can open it can make your server send requests to arbitrary hosts.

To use it, copy the code below into a .php file on your development server and open that file in a browser. Type the URL of your project into the field and click Test; the bot crawls the site and prints a row of findings for each page as it goes. It needs PHP's curl extension and allow_url_fopen enabled, since it fetches pages with both curl and file_get_contents(). The script is as follows:

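<?php
// Use the full open tag: the short "<?" form is disabled by default
// (short_open_tag=Off), in which case the whole script is served as text.
//
// The crawl below is unbounded and every page costs several HTTP requests,
// so lift PHP's execution-time limit for this request. This is only
// acceptable because the tool is meant for a development host you control.
set_time_limit(0);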
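/**
 * Reduce a URL (or bare host name) to its site root, "scheme://host/".
 *
 * Only "http:" and "https:" are recognised as schemes, now case-insensitively
 * ("HTTP://x" used to come back as "http://HTTP:/"). Anything else,
 * including a bare "example.com/path", is treated as a host name and forced
 * onto plain http. Everything after the host is dropped, but the host part is
 * kept verbatim — a port or a user:pass@ prefix stays in it — so two URLs only
 * count as the same site when that part matches exactly.
 *
 * This is the crawler's only same-site test. It does not resolve names or
 * look at addresses, so "http://localhost/" or a private address is accepted
 * like any other target.
 *
 * @param string $domainb URL or host as typed by the user or found in a page.
 * @return string Site root ending in '/'. A scheme with no host ("http:")
 *                yields "http:///" instead of raising an undefined-index
 *                warning as before.
 */
function domain($domainb) {
    $bits = explode('/', (string) $domainb);
    $scheme = strtolower($bits[0]);
    if ($scheme === 'http:' || $scheme === 'https:') {
        // "scheme://host/..." splits into [ "scheme:", "", "host", ... ].
        $host = isset($bits[2]) ? $bits[2] : '';
        return $scheme.'//'.$host.'/';
    }
    return 'http://'.$bits[0].'/';
}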
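// ---- Request handling -----------------------------------------------------
// The target comes from the query string and is untrusted on two counts: it
// is echoed back into this page (title and form field), so it must be
// HTML-escaped, and it is later fetched by the crawler, so whatever host it
// names will receive requests from this server.
$site = (isset($_GET['site']) && is_string($_GET['site'])) ? trim($_GET['site']) : '';
$site_html = htmlspecialchars($site, ENT_QUOTES, 'UTF-8');
if ($site !== '') {
    echo '<head><title>Testing site security - '.htmlspecialchars(domain($site), ENT_QUOTES, 'UTF-8').'</title></head><body>';
} else {
    echo '<head><title>PHP Site Security Tester</title></head><body>';
}
echo '<center><font size=5 face=\'arial black\'><b>PHP Site Security Tester</b></font><br><form method=\'get\' style=\'margin:0px; padding:0px;\'>
<input type=\'text\' name=\'site\' size=64 value="'
.$site_html.'"><input type=\'submit\' value=\'Test\'></form></center>';
// Refuse ftp targets outright; compare case-insensitively so "FTP://" does
// not slip past. (domain() below only ever produces http/https roots anyway,
// so this is purely a clearer error for the user.)
if (strtolower(substr($site, 0, 3)) === 'ftp') {
    exit('You may not connect to the ftp protocole');
}
// Nothing to scan: first visit, or the field was submitted empty. Previously
// an empty submission fell through and scanned "http:///".
if ($site === '') { exit(''); }
// NOTE(review): nothing restricts the host. "localhost", RFC 1918 addresses
// or a cloud metadata address are accepted, and the crawler will fetch them
// and print what it finds. Keep this script on a development box only.
//
// Normalise to the site root; the rest of the script reads $_GET['site'].
$_GET['site'] = domain($site);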
 
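/**
 * HEAD-probe $durl and report whether it answered HTTP 200.
 *
 * Used by the crawler to skip dead links before fetching them. Redirects are
 * not followed, so a 3xx counts as "does not exist": only pages that answer
 * directly get tested.
 *
 * The status is read from curl rather than by grepping the first bytes for
 * "200 OK": an HTTP/2 status line is just "HTTP/2 200", which the text match
 * never saw. Timeouts are set because set_time_limit(0) above would otherwise
 * let a single unresponsive host stall the whole scan indefinitely.
 *
 * @param string $durl Absolute URL to probe.
 * @return bool True only for an HTTP 200 response.
 */
function url_exists($durl)
{
    $handle = curl_init($durl);
    if (false === $handle) {
        return false;
    }
    curl_setopt($handle, CURLOPT_HEADER, true);
    curl_setopt($handle, CURLOPT_NOBODY, true);           // HEAD request
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($handle, CURLOPT_FAILONERROR, true);      // 4xx/5xx -> curl_exec() === false
    curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($handle, CURLOPT_TIMEOUT, 30);
    // Only speak HTTP(S), whatever the URL string claims.
    curl_setopt($handle, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    // The scanner presents itself as a browser; sites that vary on
    // User-Agent are therefore tested as a browser would see them.
    curl_setopt($handle, CURLOPT_HTTPHEADER, array('User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15'));
    $response = curl_exec($handle);
    $status = ($response === false) ? 0 : (int) curl_getinfo($handle, CURLINFO_HTTP_CODE);
    curl_close($handle);
    return $status === 200;
}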
 
// getlinks() keeps only links that stay on the scanned site (same domain() as
// the page they were found on); links to other hosts are dropped.
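/**
 * Extensions (and bare trailing path words) that mark a link as a page worth
 * crawling rather than a static asset. Shared by getlinks_is_page(); the
 * original listed this table four times inline.
 *
 * @return string[]
 */
function getlinks_page_extensions() {
    return array('html','htm','xhtml','xml','mhtml','xht','mht','asp','aspx','adp','bml','cfm','cgi','ihtml','jsp','las','lasso','lassoapp','pl',
        'php','php1','php2','php3','php4','php5','php6','phtml','shtml','search','query','forum','blog','1','2','3','4','5','6','7','8','9',
        '10','11','12','13','14','15','16','17','18','19','20','01','02','03','04','05','06','07','08','09','go','page','file');
}

/**
 * Decide whether a resolved URL looks like a page: it ends in '/', or its last
 * path segment has no dot at all, or that segment's extension (the part after
 * the last dot, query string ignored) is in getlinks_page_extensions().
 *
 * @param string $url Absolute URL.
 * @return bool
 */
function getlinks_is_page($url) {
    $last = basename($url);
    if (substr($url, -1) === '/' || strpos($last, '.') === false) {
        return true;
    }
    // "name.ext?query" -> "ext"; when the pattern does not match the segment is
    // returned unchanged and simply fails the lookup below.
    $ext = strtolower(preg_replace('/(.*)[.]([^.\?]+)(\?(.*))?/', '$2', $last));
    return in_array($ext, getlinks_page_extensions(), true);
}

/**
 * Collect the same-site page links (href/src targets) in the HTML at $generateurlf.
 *
 * Resolution against the fetched URL:
 *   - "http…" / "www.…" links are kept as they are;
 *   - "//host/x" is scheme-relative and gets the page's scheme;
 *   - "/x" is root-relative and is resolved against the site root (it used to
 *     be glued onto the current directory, which broke on any page below the
 *     root);
 *   - leading "./" is dropped and each leading "../" pops one directory, never
 *     above the site root;
 *   - anything else is appended to the page's directory.
 * Only links whose domain() equals the page's domain() survive, and only
 * those getlinks_is_page() accepts. The form action attribute and the
 * fragment part of URLs are not considered.
 *
 * @param string $generateurlf Absolute URL of the page to scan.
 * @return string[] Candidate URLs in document order; duplicates are possible
 *                  and are filtered by the caller. Empty when the page could
 *                  not be fetched.
 */
function getlinks($generateurlf) {
    $html = file_get_contents($generateurlf);
    if ($html === false || $html === '') {
        return array();
    }
    // Every href="..." / src='...' attribute, reduced to its value.
    preg_match_all('/(href|src)\=(\"|\')[^\"\'\>]+/i', $html, $attrs);
    $targets = preg_replace('/(href|src)(\"|\'|\=\"|\=\')(.*)/i', '$3', $attrs[0]);

    $site   = domain($generateurlf);                        // "scheme://host/"
    $root   = substr($site, 0, -1);                         // "scheme://host"
    $scheme = substr($site, 0, strpos($site, '//'));        // "scheme:"
    // Directory the page lives in, without trailing slash.
    if (substr($generateurlf, -1) === '/') {
        $dir = substr($generateurlf, 0, -1);
    } else {
        $dir = preg_replace('/(.*)\/[^\/]+/is', '$1', $generateurlf);
    }
    if (strlen($dir) < strlen($root)) {
        $dir = $root;   // "http://host" with no path: stripping ate the host part
    }

    $found = array();
    foreach ($targets as $target) {
        $head = substr($target, 0, 4);
        if ($head === 'http' || $head === 'www.') {
            $candidate = $target;                               // already absolute
        } elseif (substr($target, 0, 2) === '//') {
            $candidate = $scheme.$target;                       // scheme-relative
        } elseif (substr($target, 0, 1) === '/') {
            $candidate = $root.$target;                         // root-relative
        } elseif (substr($target, 0, 1) === '.') {
            $base = $dir;
            $rel  = $target;
            while (true) {
                if (substr($rel, 0, 2) === './') {
                    $rel = substr($rel, 2);
                    continue;
                }
                if (substr($rel, 0, 3) !== '../') {
                    break;
                }
                $rel = substr($rel, 3);
                if (strlen($base) > strlen($root)) {            // never climb above the root
                    $base = preg_replace('/(.*)\/[^\/]+/i', '$1', $base);
                }
            }
            $candidate = $base.'/'.$rel;
        } else {
            $candidate = $dir.'/'.$target;                      // plain relative
        }
        if (domain($candidate) === $site && getlinks_is_page($candidate)) {
            $found[] = $candidate;
        }
    }
    return $found;
}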
 
// Seed the crawl queue with the site root plus every same-site page it links
// to; the main loop further down keeps appending to $loopurl['sites'].
$loopurl = array('sites' => array($_GET['site']));
foreach (getlinks($_GET['site']) as $seed) {
    if (in_array($seed, $loopurl['sites'])) {
        continue;   // already queued
    }
    $loopurl['sites'][] = $seed;
}
unset($seed);
 
 
 
 
 
 
// Probe payload used by generate() for the "URL to page code injections" test:
// a shell-style command terminator followed by an echo of a marker <script>
// element. If the marker comes back verbatim in the response, the page is
// reported as injectable.
//   ; echo "<script>aaabbbcccdddeeabcefffggg</script>";
 
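/**
 * Fetch a page with the same precheck the original used (HEAD probe first,
 * then a plain GET). Returns the body, or false when the probe or fetch fails.
 */
function generate_get($url) {
    if (!url_exists($url)) {
        return false;
    }
    return file_get_contents($url);
}

/**
 * POST an application/x-www-form-urlencoded $body to $url, following
 * redirects (a successful login usually redirects). Returns the final body,
 * or false on a transport error.
 */
function generate_post($url, $body) {
    $ch = curl_init($url);
    if ($ch === false) {
        return false;
    }
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15'));
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    // HTTP(S) only, also for whatever Location: header we are redirected to.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply;
}

/** True when the <form> tag declares method=post (any case, any quoting). */
function generate_form_is_post($form) {
    return (bool) preg_match('/<form[^>]*method=("|\'|)post/i', $form);
}

/**
 * Names of the input/textarea fields in one <form>…</form> fragment.
 * Same two regexes the original used, applied once instead of six times.
 *
 * @return string[]
 */
function generate_form_fields($form) {
    preg_match_all('/(input|textarea)[^\>]+name\=(\"|\'|)[^\'\"\=\>]+/is', $form, $m);
    return preg_replace('/(input|textarea)[^\>]+name\=(\"|\'|)(.*)([ ]+[a-zA-Z]+\=)?/i', '$3', $m[0]);
}

/**
 * Build "name=payload&name=payload…" with the payload URL-encoded so quotes,
 * spaces and '=' inside it survive both a query string and a POST body. The
 * original sent the POST payloads raw.
 */
function generate_encode(array $fields, $payload) {
    $encoded = urlencode($payload);
    $pairs = array();
    foreach ($fields as $field) {
        $pairs[] = $field.'='.$encoded;
    }
    return implode('&', $pairs);
}

/** Does a response body contain the marker verbatim? false bodies never do. */
function generate_reflects($body, $marker) {
    return $body !== false && strpos($body, $marker) !== false;
}

/**
 * The original's login-bypass heuristic, kept unchanged: the reply shows no
 * "log in"/"sign in" or "Register" text, the page we started from did not
 * already show "log out" (i.e. we were not logged in before), and the reply
 * differs from the original page. This is weak evidence — any page that
 * renders differently after a POST trips it — so treat hits as leads only.
 */
function generate_looks_bypassed($reply, $original) {
    if ($reply === false) {
        return false;
    }
    return !preg_match('/(Log|Sign)([ _])?in/i', $reply)
        && !preg_match('/(Log|Sign)([ _])?out/i', $original)
        && $reply !== $original
        && !preg_match('/Register/i', $reply);
}

/**
 * Run the four injection probes against one page and return its result rows.
 *
 * Probes (each cell is 'None' or a message naming the page / test URL):
 *   1. URL parameters: every query-string value is replaced with a shell-style
 *      `; echo "<marker>";` payload and the response is searched for the marker.
 *   2. Non-POST forms: every input/textarea name is sent as a GET parameter
 *      carrying the marker; a reflected marker means the form echoes input raw.
 *      (This probe never ran before: `$varb==1;` was a comparison, not an
 *      assignment, and the field extraction returned the quote character
 *      instead of the field name.)
 *   3. Login-looking forms (contain "user"/"password"): every field is sent
 *      `' OR '1'='1'` and `" OR "1"="1"`, by POST or GET as the form declares,
 *      and the reply is judged by generate_looks_bypassed(). The GET variant
 *      now inspects the response it fetched rather than a stale variable.
 *   4. The same forms: every field is sent the marker; a reflected marker is
 *      reported as XSS/code injection (the GET variant previously checked the
 *      wrong variable and reported it as SQL injection).
 *
 * Limitations: the form's action attribute is ignored — payloads are always
 * submitted to $genurl itself — and every request really hits the target.
 * URLs that end up in the report are HTML-escaped because they come from the
 * scanned site's own markup.
 *
 * @param string $genurl Absolute URL of the page (caller has url_exists()-checked it).
 * @return string Three <tr> rows for the results table.
 */
function generate($genurl) {
    $marker = '<script>aaabbbcccdddeeabcefffggg</script>';
    $page   = htmlspecialchars($genurl, ENT_QUOTES, 'UTF-8');
    $data   = file_get_contents($genurl);
    if ($data === false) {
        $data = '';   // no forms to find; probe 1 can still exercise the URL
    }
    $parts = explode('?', $genurl, 2);

    // --- 1. query-string values --------------------------------------------
    $error1 = 'None';
    if (isset($parts[1]) && $parts[1] !== '') {
        $pairs = array();
        foreach (explode('&', $parts[1]) as $pair) {
            $eq   = strpos($pair, '=');
            $name = ($eq === false) ? $pair : substr($pair, 0, $eq);
            $pairs[] = $name.'='.urlencode('; echo "'.$marker.'";');
        }
        $testurl = $parts[0].'?'.implode('&', $pairs);
        if (generate_reflects(generate_get($testurl), $marker)) {
            $error1 = 'Page open to url injections by injecting code into the page via url.<br>The test url was: '.htmlspecialchars($testurl, ENT_QUOTES, 'UTF-8');
        }
    }

    // One entry per form. The original greedy match merged every form on the
    // page into a single blob, so fields from unrelated forms were mixed.
    preg_match_all('/<form\b.*?<\/form>/is', $data, $m);
    $forms = $m[0];

    // --- 2. GET forms reflecting their input ---------------------------------
    $error2 = 'None';
    foreach ($forms as $form) {
        if (generate_form_is_post($form)) {
            continue;
        }
        $fields = generate_form_fields($form);
        if (!$fields) {
            continue;
        }
        $testurl = $parts[0].'?'.generate_encode($fields, $marker);
        if (generate_reflects(generate_get($testurl), $marker)) {
            $error2 = 'Forms may inject code into your page.<br>The page was: '.$page;
            break;
        }
    }

    // --- 3 & 4. login-looking forms ------------------------------------------
    $error3 = 'None';
    $error4 = 'None';
    $sqlpayloads = array("' OR '1'='1'", '" OR "1"="1"');
    foreach ($forms as $form) {
        if (!preg_match('/user|password/i', $form)) {
            continue;
        }
        $fields = generate_form_fields($form);
        if (!$fields) {
            continue;
        }
        $ispost = generate_form_is_post($form);

        foreach ($sqlpayloads as $payload) {
            if ($error3 !== 'None') {
                break;
            }
            $body  = generate_encode($fields, $payload);
            $reply = $ispost ? generate_post($genurl, $body) : generate_get($parts[0].'?'.$body);
            if (generate_looks_bypassed($reply, $data)) {
                $error3 = 'SQL injections are possible on this page.<br>The page was: '.$page;
            }
        }

        if ($error4 === 'None') {
            $body  = generate_encode($fields, $marker);
            $reply = $ispost ? generate_post($genurl, $body) : generate_get($parts[0].'?'.$body);
            if (generate_reflects($reply, $marker)) {
                $error4 = 'XSS/code injections are possible on this page.<br>The page was: '.$page;
            }
        }
    }

    return '<tr><td colspan=4 bgcolor="#CCCCCC"><b>'.$page.'</b></td></tr>
<tr><td bgcolor="#CCCCCC"><b>Url to page code injections</b></td><td bgcolor="#CCCCCC"><b>$_GET Form to page code injections</b></td>
<td bgcolor="#CCCCCC"><b>Password entry SQL injections</b></td><td bgcolor="#CCCCCC"><b>Password entry XSS/code injections</b></td></tr>
<tr><td>'
.$error1.'</td><td>'.$error2.'</td><td>'.$error3.'</td><td>'.$error4.'</td></tr>';
}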
 
// ---- Crawl and report -------------------------------------------------------
// Walk $loopurl['sites'] breadth-first. Each page that answers 200 has its
// links appended to the queue (so the queue grows while we walk it) and is
// then probed by generate(); its row is flushed to the browser immediately.
echo '<table border=1 cellpadding=0 cellspacing=0 width=100%>';
$index = 0;
while (isset($loopurl['sites'][$index])) {
    $page = $loopurl['sites'][$index];
    if (url_exists($page)) {
        foreach (getlinks($page) as $discovered) {
            if (!in_array($discovered, $loopurl['sites'])) {
                $loopurl['sites'][] = $discovered;
            }
        }
        unset($discovered);
        echo generate($page);
        flush();
    }
    usleep(5000);   // 5 ms pause between pages
    $index++;
}
echo '</table><b>Data analysis complete.</b></body>';
?>