PHP Hardening Phuzzer
It uses feedback from xdebug and strace to generate random and arbitrary input parameters to a PHP script and find code paths which lead to exploitation. Primarily it's designed to scan for vulnerabilities in PHP scripts which are web accessible but not meant to be run directly.
Features
- Detect input parameters, _GET, _POST, _REQUEST, _COOKIE and _FILES
- Generate random input parameters
- Find unique code paths
- systemcall tracing with strace and dtruss, tested on Linux & OSX
- PHP function call tracing, using Xdebug
TODO
- Make it suck less
- Analysis of collected Phuzz cases/traces, automatic exploit generation
- dtrace and systemtap support
Example
The first request is made to analyse which inputs the script uses.
[Thu Sep 8 17:36:00 2016] 127.0.0.1:36996 [200]: /rce1.phpIt then generates random values for the required parameters, and finds all the PHP and system calls that.
[Thu Sep 8 17:36:00 2016] 127.0.0.1:36998 [200]: /rce1.php?cmd=SWGAGI55
<webroot>/rce1.php
system ( 'SWGAGI55' )
syscalls:
stat ( "/usr/local/sbin/SWGAGI55", 0x7ffff9f76140 )
stat ( "/usr/local/bin/SWGAGI55", 0x7ffff9f76140 )
stat ( "/usr/sbin/SWGAGI55", 0x7ffff9f76140 )
stat ( "/usr/bin/SWGAGI55", 0x7ffff9f76140 )
stat ( "/sbin/SWGAGI55", 0x7ffff9f76140 )
stat ( "/bin/SWGAGI55", 0x7ffff9f76140 )
stat ( "/usr/games/SWGAGI55", 0x7ffff9f76140 )
stat ( "/usr/local/games/SWGAGI55", 0x7ffff9f76140 )Installation
Debian / Ubuntu
sudo apt-get install php5.6-cli php-xdebug
pip install -r requirements.txtsudo sh -c 'echo 0 > /proc/sys/kernel/yama/ptrace_scope' python -mphuzz
OSX
brew install php56 php56-xdebug
pip install -r requirements.txt
python -mphuzzMicrosoft Windows (XP or above)
- Click on
Startbutton (bottom left hand corner of screen) - Click
My Computer - Navigate to
C:\Program Files (Intel X86 Architecture)\Microsoft Internet Explorer Professional Edition 2016\ - Locate
iexplore.exe, you may have to use the scroll bars - Click on it... twice, quickly!
- Wait until new window opens up
- Find the white bar with
http://worldwideweb.msn.com/en-US/infestedmalwaresmegma.exein it - Click the text, just once!
- Press the
CtrlandAbuttons on your keyboard, together, at the same time. - Type in
www.google.com - Wait until your computer starts responding again
- Type in
Self immolation techniques for beginners - Press the
Searchbutton - Follow instructions until warm throughout
TL;DR any ideas on porting this to Win32 API?