scr34m / php-malware-scanner

Scans PHP files for malware and known threats
GNU General Public License v3.0
556 stars 96 forks

Output line number for hits #22

Closed mindeffects closed 6 years ago

mindeffects commented 6 years ago

Very cool project!!! Thanks!!! Is it possible to output the line of a hit? Would come in very handy when checking files.

scr34m commented 6 years ago

There are regexp patterns where we are unable to show the matching line, and the other matching is done against the whole file, so I think this is not really possible, except that on a match we try to determine the exact location.

tonypartridge commented 6 years ago

I think on match you should determine the exact location; you could also then be able to render this side by side?

scr34m commented 6 years ago

New branch pushed as line-number-argument for testing. Argument name is --line-number; no short version, any idea?

Line number shown in the output as the last element, only the number, e.g.:

# ER # {samples/_tickets/20_buwtihsj.php} # str_split(rawurldecode(str_rot13( # 1
# ER # {samples/_tickets/17_01.php} # $f1 = ".ht"; $f2 = "acc"; $f3 = "ess"; # 3

scr34m commented 6 years ago

@mindeffects could you test it?

mindeffects commented 6 years ago

Yes, on a real case! Love this feature! THANKS!!!

What do you think about adding a "--nano" feature for cleaning stuff like a boss? ;-)

If the scan generates an output like this:

# ER # {../www/core/model/phpthumb/phpthumb.class.php} # 4221
# ER # {../www/core/model/aws/sdk.class.php} # 131
# ER # {../www/core/components/phpthumbof/model/aws/sdk.class.php} # 126

What about also generating a file containing this, ready to be executed on the shell:

nano +4221 ../www/core/model/phpthumb/phpthumb.class.php;
nano +131 ../www/core/model/aws/sdk.class.php;
nano +126 ../www/core/components/phpthumbof/model/aws/sdk.class.php;

See where this is going? After a scan you can check all the hits by jumping directly to the line of interest! How great would that be!

Maybe if there was a clean "output" one could use bash to make things look nice and ready for copy'n'paste, but this would be a very "bold" way:

echo "# ER # {../www/core/model/phpthumb/phpthumb.class.php} # 4221" | awk '{gsub("{","",$4); gsub("}","",$4); print "nano +" $6 " " $4 ";"}'

becomes

nano +4221 ../www/core/model/phpthumb/phpthumb.class.php;

And now we could do this:

php7 scan.php --line-number -k -d ../www/ | awk '{gsub("{","",$4); gsub("}","",$4); print "nano +" $6 " \"" $4 "\"; \\"}'

Wow!!! :-D

mindeffects commented 6 years ago

Another thought: Matches in "line 1" should be highlighted since many scripts prepend their malicious code there, making the original code start at line 2.

scr34m commented 6 years ago

I see, smart ;) What do you think about "compact" or "compressed-output" flags instead of nano?

mindeffects commented 6 years ago

Thanks! Just making your great stuff a tiny step better.

I just tested it on an infected but "cleared" system and was able to find 2 more bad files within seconds, thanks to nano – and my eyes.

I don't know how to make other editors jump to a certain line... :-( Maybe "--4nano"? Since it really is nano-specific. Or "--follow-up-check"?

mindeffects commented 6 years ago

Oh, a little thing: Better use print "nano -c +"... because -c makes nano display line and column of the cursor.

scr34m commented 6 years ago

Well then, a better approach is to make a flag, e.g. "output-format", and specify keywords to use:

Command line expression:

php scan.php --line-number -k -w --output-format "nano -c +%L %P" -d ../www/

mindeffects commented 6 years ago

Killer! Very cool! Is this already included and testable in the „line number“ branch? Will this go to „master“ soon?

scr34m commented 6 years ago

No, but in the next few days; when done I will leave a comment.

scr34m commented 6 years ago

Branch updated with new --output-format argument, e.g.: php scan.php -d samples/_tickets/ --line-number -k -w --output-format "nano -c +%L %F"

mindeffects commented 6 years ago

Great! I would recommend relabeling %L location to %L line number since "location" can easily be confused with "location of file" AKA "path".

Will there be also "short params" like -L for --line-number and -o for --output-format? Less typos. ;-)

scr34m commented 6 years ago

Output format variables documented in the README. Arguments updated.

scr34m commented 6 years ago

Merged into master

mindeffects commented 5 years ago

This is my command line of choice: php7 ./scan.php -k -w --line-number --output-format "nano -c +%L \"%F\"; \\" -d "../folder-to-check/"
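The awk one-liner earlier in this thread and the later --output-format "nano -c +%L %F" flag both do the same job: turn one scanner hit line into one editor command. The block below is an added example written for this page, not code from php-malware-scanner; it assumes only the output line shape shown in the thread ("# ER # {path} # matched text # line", with the matched text sometimes omitted) and reimplements the %L/%F expansion in Python, since the scanner's full set of placeholders lives in its README and is not reproduced here. The sample lines are constructed, including a deliberately awkward path with a space and a "$(id)" in it, because on a compromised web root file names are attacker-chosen and a generated command such as nano +1 "$F"; \ will execute whatever the file name contains when the list is pasted into a shell. The awk_style function mimics the thread's field-based awk approach purely to show where it breaks.

```python
import re
import shlex

# Constructed sample scanner output, in the shape the thread shows:
#   "# <kind> # {<path>} # <matched text> # <line>"   (with --line-number)
#   "# <kind> # {<path>} # <line>"                    (match text omitted)
# The last line is constructed to show why whitespace field splitting is unsafe:
# a path with a space and a "$(...)" that a shell would execute if unquoted.
SAMPLE_OUTPUT = """\
# ER # {samples/_tickets/20_buwtihsj.php} # str_split(rawurldecode(str_rot13( # 1
# ER # {samples/_tickets/17_01.php} # $f1 = ".ht"; $f2 = "acc"; $f3 = "ess"; # 3
# ER # {../www/core/model/phpthumb/phpthumb.class.php} # 4221
# ER # {../www/uploads/cache dir/x$(id).php} # eval(base64_decode( # 1
"""

# Anchored at both ends so the trailing line number is always the real one,
# even when the matched text itself contains " # ".
HIT_RE = re.compile(
    r"^# (?P<kind>\S+) # \{(?P<path>.*)\} # (?:(?P<match>.*) # )?(?P<line>\d+)$"
)


def parse_hit(line):
    """Parse one scanner output line into a dict, or return None for non-hit lines."""
    m = HIT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return {
        "kind": m.group("kind"),
        "path": m.group("path"),
        "match": m.group("match"),  # None when the scanner printed no match text
        "line": int(m.group("line")),
    }


def format_hit(hit, fmt):
    """Expand %L (line number) and %F (file path) in fmt.

    %F goes through shlex.quote: on a compromised web root the file names are
    attacker-chosen, so they must never reach a shell unquoted.
    """
    values = {"L": str(hit["line"]), "F": shlex.quote(hit["path"])}
    return re.sub(r"%([LF])", lambda m: values[m.group(1)], fmt)


def to_editor_commands(scanner_output, fmt="nano -c +%L %F"):
    """Turn the scanner's output into one editor command per hit."""
    commands = []
    for line in scanner_output.splitlines():
        hit = parse_hit(line)
        if hit is not None:
            commands.append(format_hit(hit, fmt))
    return commands


def awk_style(line):
    """Mimic the thread's awk one-liner: whitespace fields, $4 = path, $6 = line.

    Kept only to show where that approach breaks: any match text, or any
    space in a path, shifts the fields.
    """
    f = line.split()
    return "nano +" + f[5] + " " + f[3].replace("{", "").replace("}", "")


if __name__ == "__main__":
    for cmd in to_editor_commands(SAMPLE_OUTPUT):
        print(cmd)
    print("--- naive field splitting on the same lines ---")
    for line in SAMPLE_OUTPUT.splitlines():
        print(awk_style(line))
```

Run stand-alone it prints the four quoted nano commands and then the same four lines as the field-based approach sees them; the one-liner only gets the phpthumb line right, because that is the only sample without match text or a space in the path. Paths that shlex.quote considers safe come out unquoted, exactly as in the thread's examples, while the "cache dir/x$(id).php" path is wrapped in single quotes so the shell treats it as a file name rather than a command.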