Writing your own graudit signatures is relatively easy. Mastering regular expressions helps, but in their simplest form a list of words will do. I have tried to document some of the common pitfalls that might creep up on you in my Ruxmon presentation, but I know how "useful" a single slide can be. I am catching up on graudit documentation, and a proper write-up on signatures is just around the corner. Until then, I thought I would share some of the databases I use when looking for low-hanging fruit and want to reduce the information overload (noise) you normally get from the php ruleset. Signatures after the break to avoid spamming RSS readers.
fruit.db:

# PHP-fruit signatures
exec\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
system\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
popen\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
shell_exec\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
passthru\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
header\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
`.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*`
eval\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
include\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
include_once\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
require\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
require_once\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
fopen\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
unserialize\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
mysql_query\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
(WHERE|where)\s+.*=.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)[^; ]+
(LIKE|like)\s+.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)
(ORDER BY|order by)\s+.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)
(LIMIT|limit)\s+.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP)
# Perl-fruit signatures
exec\s*\(?.*\$ARGV.*\)?
exec\s*\(?.*\$.*->param\s*\(.*\).*\)?
system\s*\(?.*\$ARGV.*\)?
system\s*\(?.*\$.*->param\s*\(.*\).*\)?
`.*\$ARGV.*`
`.*\$.*->param\s*\(.*\).*`
eval\s*\(?.*\$ARGV.*\)?
eval\s*\(?.*\$.*->param\s*\(.*\).*\)?
use\s+.*\$ARGV.*
use\s+.*\$.*->param\s*\(.*\).*
(WHERE|where)\s+.*=.*\$.*->param\s*\(.*\)
(LIKE|like)\s+.*\$.*->param\s*\(.*\)
(ORDER BY|order by)\s+.*\$.*->param\s*\(.*\)
(LIMIT|limit)\s+.*\$.*->param\s*\(.*\)
exec.db:
# PHP exec sinks fed from request superglobals
# (the '$' in the header and eval lines must be escaped as '\$';
# an unescaped '$' is an end-of-line anchor and never matches a literal '$_GET')
exec *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
system *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
popen *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
shell_exec *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
passthru *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
header *\(.*\$_(GET|POST|REQUEST|COOKIE).*\)
`.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*`
eval *\(.*\$_(GET|POST|REQUEST|COOKIE).*\)
(include|require)(_once)? *\(.*\$_(GET|POST|REQUEST|SESSION|COOKIE).*\)
move_uploaded_file *\(.*\)
includes.db:
(include|require)(_once)? *\(.*\$.*\)

And for those who didn't download the graudit-1.7_src release, I am including sql.db as well.

sql.db:
# DotNet SQL
exec\s*sp_executesql
execute\s*sp_executesql
exec\s*sp_
execute\s*sp_
exec\s*xp_
# the original listing repeated 'execute\s*sp_' here; 'execute\s*xp_' is the xp_ counterpart the exec/execute pairs follow
execute\s*xp_
exec\s*@
execute\s*@
executestatement
executeSQL
setfilter
executeQuery
GetQueryResultInXML
adodb
sqloledb
sql\s*server driver
Server\.CreateObject
\.Provider
\.Open
ADODB\.recordset
New\s*OleDbConnection
ExecuteReader
DataSource
SqlCommand
Microsoft\.Jet
SqlDataReader
GetString
SqlDataAdapter
CommandType
StoredProcedure
System\.Data\.sql
# PHP - Database
mysql_connect\s*\(.*\$.*\)
mysql_pconnect\s*\(.*\$.*\)
mysql_change_user\s*\(.*\$.*\)
mysql_query\s*\(.*\$.*\)
mysql_error\s*\(.*\$.*\)
mysql_set_charset\s*\(.*\$.*\)
mysql_unbuffered_query\s*\(.*\$.*\)
pg_connect\s*\(.*\$.*\)
pg_pconnect\s*\(.*\$.*\)
pg_execute\s*\(.*\$.*\)
pg_insert\s*\(.*\$.*\)
pg_put_line\s*\(.*\$.*\)
pg_query\s*\(.*\$.*\)
pg_select\s*\(.*\$.*\)
pg_send_query\s*\(.*\$.*\)
pg_set_client_encoding\s*\(.*\$.*\)
pg_update\s*\(.*\$.*\)

I do realize that there is some overlap between the signatures, but the same overlap exists in the categories of vulnerabilities they are looking for, so don't bother flaming me for that. I hope you enjoy the databases, and please let me know if you have any additions or find any bugs.
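As an added illustration (not code from this post or from graudit itself), here is a small Python re-implementation of what graudit does with a db file: read one extended regex per line, skip `#` comment lines, and report which lines of a source file any signature matches. It runs a narrow fruit.db-style `mysql_query` signature next to the broad sql.db form over a constructed PHP snippet, which shows where the noise reduction described above comes from, and it also shows why an unescaped `$_` in a signature (as in the exec.db `header` and `eval` lines) can never match. The db excerpts and the PHP sample are constructed for this example; `load_db`, `scan`, `matched_lines` and `signature_matches` are this example's own helpers, not graudit functions.

```python
import re

# Constructed, abbreviated signature databases in graudit's db format:
# one extended regex per line, '#' lines are comments. The patterns are
# copied from the fruit.db and sql.db listings in the post.
FRUIT_DB = r"""
# PHP-fruit (narrow: the sink must be fed directly from a request superglobal)
exec\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
mysql_query\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
(include|require)(_once)?\s*\(.*\$(_GET|_POST|_REQUEST|_SESSION|_COOKIE|HTTP).*\)
"""

SQL_DB = r"""
# PHP - Database (broad: any variable reaching the sink)
mysql_query\s*\(.*\$.*\)
"""

# The exec.db 'header' line as originally written versus its escaped form.
# In POSIX extended regexes and in Python's re alike, a bare '$' is an
# end-of-line anchor, so '$_(GET|...)' can never match a literal '$_GET'.
BROKEN_HEADER_SIG = r"header *\(.*$_(GET|POST|REQUEST|COOKIE).*\)"
FIXED_HEADER_SIG = r"header *\(.*\$_(GET|POST|REQUEST|COOKIE).*\)"

# Constructed PHP sample; line numbers are what 'grep -n' would report.
SAMPLE_PHP = """<?php
$id = (int) $_GET['id'];
mysql_query("SELECT * FROM t WHERE id = $id");
mysql_query("SELECT * FROM t WHERE name = '" . $_POST['name'] . "'");
include($_GET['page'] . '.php');
header("Location: " . $_GET['next']);
exec("ls " . escapeshellarg($_POST['dir']));
$rows = mysql_query($static_query);
"""


def load_db(text):
    """Parse a graudit-style db: drop blank and '#' lines, compile the rest."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sigs.append(re.compile(line))
    return sigs


def scan(source, sigs):
    """Return sorted (line_no, pattern) hits, as 'grep -nE -f db' would list them."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        for sig in sigs:
            if sig.search(line):
                hits.append((no, sig.pattern))
    return sorted(hits)


def matched_lines(source, sigs):
    """Only the line numbers that triggered at least one signature."""
    return sorted({no for no, _ in scan(source, sigs)})


def signature_matches(pattern, line):
    """True if a single signature fires on one source line."""
    return re.search(pattern, line) is not None


if __name__ == "__main__":
    fruit = load_db(FRUIT_DB)
    sql = load_db(SQL_DB)
    # The broad sql.db form also flags line 3 (an int-cast id) and line 8
    # (a query built elsewhere); the narrow fruit form flags only lines
    # where a superglobal sits inside the call.
    print("fruit.db hits:", matched_lines(SAMPLE_PHP, fruit))
    print("sql.db hits  :", matched_lines(SAMPLE_PHP, sql))
    sample = 'header("Location: " . $_GET["next"]);'
    print("broken header sig:", signature_matches(BROKEN_HEADER_SIG, sample))
    print("fixed header sig :", signature_matches(FIXED_HEADER_SIG, sample))
```

Two things worth noticing in the output: the narrow set still fires on line 7 even though the argument goes through `escapeshellarg`, because these signatures match text, not data flow, so the hits are a triage list rather than findings; and the broad `mysql_query\s*\(.*\$.*\)` form roughly doubles the lines to look at on this sample, which is the noise the fruit.db set is meant to cut. Python's `re` is used here only as a stand-in for grep's extended syntax; the patterns on this page use nothing (`\s`, groups, alternation, `.*`) that behaves differently between the two.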