Closed mindeffects closed 6 years ago
There are regexp patterns where we are unable to show the matching line, and the other matching is used against the whole file, so I think this is not really possible, except if on a match we try to determine the exact location.
I think on a match you should determine the exact location; you could then also render this side by side?
New branch pushed as line-number-argument for testing.
Argument name is --line-number, no short version, any idea?
The line number is shown in the output as the last element, number only, e.g.:
# ER # {samples/_tickets/20_buwtihsj.php} # str_split(rawurldecode(str_rot13( # 1
# ER # {samples/_tickets/17_01.php} # $f1 = ".ht"; $f2 = "acc"; $f3 = "ess"; # 3
@mindeffects could you test it?
Yes, on a real case! Love this feature! THANKS!!!
What do you think about adding a "--nano" feature for cleaning stuff like a boss? ;-)
If the scan generates an output like this:
# ER # {../www/core/model/phpthumb/phpthumb.class.php} # 4221
# ER # {../www/core/model/aws/sdk.class.php} # 131
# ER # {../www/core/components/phpthumbof/model/aws/sdk.class.php} # 126
What about also generating a file containing this, ready to be executed on the shell:
nano +4221 ../www/core/model/phpthumb/phpthumb.class.php;
nano +131 ../www/core/model/aws/sdk.class.php;
nano +126 ../www/core/components/phpthumbof/model/aws/sdk.class.php;
See where this is going? After a scan you can check all the hits by jumping directly to the line of interest! How great would that be!
Maybe if there was a clean "output" one could use the bash to make things look nice and ready for copy'n'paste, but this would be a very "bold" way:
echo "# ER # {../www/core/model/phpthumb/phpthumb.class.php} # 4221" | awk '{gsub("{","",$4); gsub("}","",$4); print "nano +" $6 " " $4 ";"}'
becomes
nano +4221 ../www/core/model/phpthumb/phpthumb.class.php
And now we could do this:
php7 scan.php --line-number -k -d ../www/ | awk '{gsub("{","",$4); gsub("}","",$4); print "nano +" $6 " \"" $4 "\"; \\"}'
Wow!!! :-D
Another thought: Matches in "line 1" should be highlighted since many scripts prepend their malicious code there, making the original code start at line 2.
I see, smart ;) What do you think about "compact" or "compressed-output" flags instead of nano?
Thanks! Just making your great stuff a tiny step better.
I just tested it on an infected but "cleared" system and was able to find 2 more bad files within seconds, thanks to nano – and my eyes.
I don't know how to make other editors jump to a certain line... :-( Maybe "--4nano"? Since it really is nano specific. Or "--follow-up-check"?
Oh, a little thing: Better use print "nano -c +"... because -c makes nano display line and column of the cursor.
Well, then a better approach is to make a flag, e.g. "output-format", and specify keywords to use:
Command-line expression:
php scan.php --line-number -k -w --output-format "nano -c +%L %P" -d ../www/
Killer! Very cool! Is this already included and testable in the „line number“ branch? Will this go to „master“ soon?
No, but in the next few days; when done I will leave a comment.
Branch updated with new --output-format argument, e.g.: php scan.php -d samples/_tickets/ --line-number -k -w --output-format "nano -c +%L %F"
Great!
I would recommend relabeling "%L location" to "%L line number" since "location" can easily be confused with "location of file" AKA "path".
Will there also be "short params" like -L for --line-number and -o for --output-format? Less typos. ;-)
Output format variables documented in the README. Arguments updated.
Merged into master
This is my command line of choice:
php7 ./scan.php -k -w --line-number --output-format "nano -c +%L \"%F\"; \\" -d "../folder-to-check/"
Very cool project!!! Thanks!!! Is it possible to output the line of a hit? Would come in very handy when checking files.
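The quoting concern behind the awk one-liner and the \"%F\" format string above, as an added example that is not part of the original thread or the scanner project: file names on a compromised host are chosen by the attacker, so a generated command file should single-quote each path instead of relying on whitespace splitting or double quotes. It assumes the "# ER # {path} # ... # line" layout shown in the thread; the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the scanner project): turn scanner hits into
# "nano -c +LINE PATH" commands with the path quoted as one shell word.
# Assumed input layout, taken from the thread: # ER # {PATH} # ... # LINE

# Wrap $1 in single quotes, rewriting each embedded ' as '\'' so that
# spaces, $, backticks and quotes in a file name stay literal.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read scanner output on stdin, print one editor command per hit.
hits_to_editor_cmds() {
    while IFS= read -r line; do
        case $line in
            '# ER # {'*'} # '*) ;;      # only the hit lines shown above
            *) continue ;;
        esac
        lineno=${line##* # }            # last field is the line number
        case $lineno in
            ''|*[!0-9]*) continue ;;    # reject anything but digits
        esac
        rest=${line#*\{}                # drop everything up to the first {
        path=${rest%%\} # *}            # keep text before the first "} # "
        case $path in
            -*) path=./$path ;;         # never let a path look like an option
        esac
        printf 'nano -c +%s %s\n' "$lineno" "$(shell_quote "$path")"
    done
}

# Constructed sample input, including a hostile-looking file name.
hits_to_editor_cmds <<'EOF'
# ER # {../www/core/model/aws/sdk.class.php} # 131
# ER # {../www/up load/it's $HOME.php} # eval(base64_decode( # 7
scan finished
EOF
```

A path that itself contains the sequence "} # " cannot be told apart from the field separator in this output layout, so such a hit is better opened by hand.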