-
Notifications
You must be signed in to change notification settings - Fork 70
/
index.php
217 lines (196 loc) · 9.93 KB
/
index.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
<?php
/**
RIPS - A static source code analyser for vulnerabilities in PHP scripts
by Johannes Dahse (johannes.dahse@rub.de)
Copyright (C) 2012 Johannes Dahse
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, see <http://www.gnu.org/licenses/>.
**/
include 'config/general.php';
if (defined("MODE_CLI"))
parse_str(implode('&', array_slice($argv, 1)), $_POST); // parse commandline into $_POST
?><html>
<head>
<meta charset="UTF-8">
<link rel="stylesheet" type="text/css" href="css/rips.css" />
<?php
foreach($stylesheets as $stylesheet)
{
echo "\t<link type=\"text/css\" href=\"css/$stylesheet.css\" rel=\"";
if($stylesheet != $default_stylesheet) echo "alternate ";
echo "stylesheet\" title=\"$stylesheet\" />\n";
}
?>
<script src="js/script.js"></script>
<script src="js/exploit.js"></script>
<script src="js/hotpatch.js"></script>
<script src="js/netron.js"></script>
<title>RIPS - A static source code analyser for vulnerabilities in PHP scripts</title>
</head>
<body>
<div class="menu">
<div style="float:left; width:100%;">
<table width="100%">
<tr><td width="75%" nowrap>
<table class="menutable" width="50%" style="float:left;">
<tr>
<td nowrap><b>path / file:</b></td>
<td colspan="3" nowrap><input type="text" size=80 id="location" value="<?php echo BASEDIR; ?>" title="enter path to PHP file(s)" placeholder="/var/www/">
</td>
<td nowrap><input type="checkbox" id="subdirs" value="1" title="check to scan subdirectories" checked/>subdirs
</td>
</tr>
<tr>
<td nowrap>verbosity level:</td>
<td nowrap>
<select id="verbosity" style="width:100%" title="select verbosity level">
<?php
$verbosities = array(
1 => '1. user tainted only',
2 => '2. file/DB tainted +1',
3 => '3. show secured +1,2',
4 => '4. untainted +1,2,3',
5 => '5. debug mode'
);
foreach($verbosities as $level=>$description)
{
echo "<option value=\"$level\">$description</option>\n";
}
?>
</select>
</td>
<td align="right" nowrap>
vuln type:
</td>
<td>
<select id="vector" style="width:100%" title="select vulnerability type to scan">
<?php
$vectors = array(
'all' => 'All',
'server' => 'All server-side',
'code' => '- Code Execution',
'exec' => '- Command Execution',
'file_read' => '- File Disclosure',
'file_include' => '- File Inclusion',
'file_affect' => '- File Manipulation',
'ldap' => '- LDAP Injection',
'unserialize' => '- PHP Object Injection',
'connect' => '- Protocol Injection',
'ri' => '- Reflection Injection',
'database' => '- SQL Injection',
'xpath' => '- XPath Injection',
'other' => '- other',
'client' => 'All client-side',
'xss' => '- Cross-Site Scripting',
'httpheader' => '- HTTP Response Splitting',
'fixation' => '- Session Fixation',
//'crypto' => 'Crypto hints'
);
foreach($vectors as $vector=>$description)
{
echo "<option value=\"$vector\" ";
if($vector == $default_vector) echo 'selected';
echo ">$description</option>\n";
}
?>
</select>
</td>
<td><input type="button" value="scan" style="width:100%" class="Button" onClick="scan(false);" title="start scan" /></td>
</tr>
<tr>
<td nowrap>code style:</td>
<td nowrap>
<select name="stylesheet" id="css" onChange="setActiveStyleSheet(this.value);" style="width:49%" title="select color schema for scan result">
<?php
foreach($stylesheets as $stylesheet)
{
echo "<option value=\"$stylesheet\" ";
if($stylesheet == $default_stylesheet) echo 'selected';
echo ">$stylesheet</option>\n";
}
?>
</select>
<select id="treestyle" style="width:49%" title="select direction of code flow in scan result">
<option value="1">bottom-up</option>
<option value="2">top-down</option>
</select>
</td>
<td align="right">
/regex/:
</td>
<td>
<input type="text" id="search" style="width:100%" />
</td>
<td>
<input type="button" class="Button" style="width:100%" value="search" onClick="search()" title="search code by regular expression" />
</td>
</tr>
</table>
<div id="options" style="margin-top:-10px; display:none; text-align:center;" >
<p class="textcolor">windows</p>
<input type="button" class="Button" style="width:50px" value="files" onClick="openWindow(5);eval(document.getElementById('filegraph_code').innerHTML);" title="show list of scanned files" />
<input type="button" class="Button" style="width:80px" value="user input" onClick="openWindow(4)" title="show list of user input" /><br />
<input type="button" class="Button" style="width:50px" value="stats" onClick="document.getElementById('stats').style.display='block';" title="show scan statistics" />
<input type="button" class="Button" style="width:80px" value="functions" onClick="openWindow(3);eval(document.getElementById('functiongraph_code').innerHTML);" title="show list of user-defined functions" />
</div>
</td>
<td width="25%" align="center" valign="center" nowrap>
<!-- Logo by Gareth Heyes -->
<div class="logo"><a id="logo" href="https://www.ripstech.com/latest/" target="_blank" title="get the latest version"><?php echo VERSION ?></a></div>
</td></tr>
</table>
</div>
<div style="clear:left;"></div>
</div>
<div class="menushade"></div>
<div class="scanning" id="scanning">scanning ...
<div class="scanned" id="scanned"></div>
</div>
<div id="result">
<?php
if(defined("MODE_CLI") && !empty($_POST['loc'])){
require("main.php");
}
else {
?>
<div style="margin-left:30px;color:#000000;font-size:14px">
<h3>Quickstart:</h3>
<p>Locate your local PHP source code <b>path/file</b> (e.g. <em>/var/www/project1/</em> or <em>/var/www/index.php</em>), choose the <b>vulnerability type</b> you are looking for and click <u>scan</u>!<br />
Check <b>subdirs</b> to include all subdirectories into the scan. It is recommended to scan only the root directory of your project. Files in subdirectories will be automatically scanned by RIPS when included by the PHP code. However enabling <b>subdirs</b> can improve the scan result and the include success rate (shown in the result).</p>
<h3>Advanced:</h3>
<p>Debug errors or improve your scan result by choosing a different <b>verbosity level</b> (default level 1 is recommended).<br />
After the scan finished 4 new button will appear in the upper right. You can select between different types of vulnerabilities that have been found by clicking on their name in the <b>stats</b> window. You can click <b>user input</b> in the upper right to get a list of entry points, <b>functions</b> for a list and graph of all user defined functions or <b>files</b> for a list and graph of all scanned files and their includes. All lists are referenced to the Code Viewer.</p>
<h3>Style:</h3>
<p>Change the syntax highlighting schema on-the-fly by selecting a different <b>code style</b>.<br />
Before scanning you can choose which way the code flow should be displayed: <b>bottom-up</b> or <b>top-down</b>.</p>
<h3>Icons:</h3>
<ul>
<li class="userinput"><font color="black"><b>User input</b> has been found in this line. Potential entry point for vulnerability exploitation.</font></li>
<li class="functioninput"><font color="black">Vulnerability exploitation depends on the <b>parameters</b> passed to the function declared in this line. Have a look at the calls in the scan result.<br />Click <b>⇑</b> or <b>⇓</b> to jump to the next declaration or call of this function.</font></li>
<li class="validated"><font color="black">User-implemented <b>securing</b> has been detected in this line. This may prevent exploitation.</font></li>
</ul>
<h3>Options:</h3>
<ul>
<li><div class="fileico"></div> Click the file icon to open the <b>Code Viewer</b> to review the original code. A new window will be opened with all relevant lines highlighted.<br />
Highlight variables temporarily by mouseover or persistently by clicking on the variable. Jump into the code of a user-defined function by clicking on the call. Click <u>return</u> on the bottom of the code viewer to jump back. This also works for nested function calls.</li>
<li><div class="minusico"></div> Click the minimize icon to <b>hide</b> a specific code trace. You may display it later by clicking the icon again.</li>
<li><div class="exploit"></div> Click the target icon to open the <b>Exploit Creator</b>. A new window will open where you can enter exploit details and create PHP Curl exploit code.</li>
<li><div class="help"></div> Click the help icon to get a <b>description</b>, example code, example exploitation, patch and related securing functions for this vulnerability type.</li>
<li><div class="dataleak"></div> Click the data leak icon to check if the output of the tainted sink <b>leaks</b> somewhere (is embedded to the HTTP response via echo/print).</li>
</ul>
<h3>Hints:</h3>
<ul>
<li>RIPS implements <i>static</i> source code analysis. It only scans source code files and will not execute the code.</li>
<li>Object-oriented code (classes) is not supported in this version.</li>
<li>Make sure RIPS has file permissions on the files to be scanned.</li>
<li>Don't leave the webinterface of RIPS open to the public internet. Use it on your <b>local</b> webserver only.</li>
<li>Only tested with Firefox.</li>
</ul>
</div>
<?php
}
?>
</div>
</body>
</html>