@nstarke
Last active October 4, 2016 22:15
PHP Vulnerability egrep
# Quick grep-based triage of a PHP code base. Every hit is a lead for manual review, not a
# confirmed bug: the patterns are deliberately broad and also match safe code.
# (egrep is a deprecated alias of grep -E, so grep -rnE is used; -n adds line numbers to hits)

# this command searches all PHP files in a directory for shell-execution functions
# (command injection when any argument is user-controlled)
grep -rnE --include='*.php' -e '\b(system|exec|shell_exec|passthru|popen|pcntl_exec|proc_open)\(' .

# this command searches all PHP files in a directory for PHP code-execution functions
# (preg_replace is only dangerous with the /e modifier, which PHP 7.0 removed)
grep -rnE --include='*.php' -e '\b(eval|assert|create_function|preg_replace)\(' .

# this command returns instances where variables are echoed out without htmlspecialchars()
# it can be useful for finding XSS vulnerabilities in PHP code
grep -rnE --include='*.php' -e '\becho\s*\$.*;' .

# this command returns all instances of the back-tick (`) operator, which executes arbitrary shell commands in PHP
# many times this returns string literals
grep -rnE --include='*.php' -e '`.*`' .

# this command will return hard-coded database credentials / addresses
# (three string literals passed to a connect call; new mysqli(...) and new PDO(...) are included)
grep -rnE --include='*.php' -e "(mysql_connect|mysqli_connect|mysqli|PDO)\(\s*[\"'][^\"']+[\"']\s*,\s*[\"'][^\"']+[\"']\s*,\s*[\"'][^\"']+[\"']" .

# this command will return potentially unsafe SQL query executions
# (a string literal that is concatenated with, or interpolates, a variable)
grep -rnE --include='*.php' -e '(->(query|exec)|mysqli?_query)\(\s*"[^"]*("\s*\.|\$)' .

# this command will return file system access in all PHP files in a directory
# (arbitrary file read / write or path traversal when the path is user-controlled)
grep -rnE --include='*.php' -e '\b(fopen|fread|fwrite|fclose|file_get_contents|file_put_contents|readfile)\(' .

# this command will return instances where crypto operations are performed
# (mcrypt_* is deprecated since PHP 7.1 and out of core since 7.2; review any remaining use)
grep -rnE --include='*.php' -e '\b(mcrypt|openssl|mhash|random|crack)_' .

# this command will return instances of weak PRNGs (rand, mt_rand and lcg_value are not cryptographically secure)
# and hard-coded seed values; look at those seeds!
# (\d is not supported by grep -E, so [0-9] is used)
grep -rnE --include='*.php' -e '\b(mt_srand|srand)\(\s*[0-9]+' -e '\b(rand|mt_rand|lcg_value)\(' .

# this command will return instances where XXE might be possible
# check the argument: true disables external entity loading, false re-enables it;
# LIBXML_NOENT turns on entity substitution in the DOM / SimpleXML loaders
grep -rnE --include='*.php' -e 'libxml_disable_entity_loader\(' -e 'LIBXML_NOENT' .

# look for hard coded port values
grep -rnE --include='*.php' -e '(\$|->)port\s*=\s*[0-9]+' .

# this command will look for hardcoded usernames and passwords
grep -rnE --include='*.php' -e "(\\$|->)?(\\[[\"'])?(user|pass|username|password)([\"']\\])?\s*=\s*[\"'][^\"']+[\"']" .
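The same kind of patterns wrapped in one function that tags each hit with a category so findings can be counted and diffed between releases. This is an added example, not part of the original gist; it assumes GNU grep (-r, --include, \b) and builds its own constructed PHP sample files.

```shell
#!/bin/sh
# Added example, not part of the original gist: audit patterns wrapped in one function
# that tags every hit as "category:file:line:source" so hits can be counted, diffed
# between releases and triaged by hand. Assumes GNU grep (-r, --include, \b).

# php_audit DIR -> one tagged line per finding
php_audit() {
  dir=$1
  scan() { grep -rnE --include='*.php' -e "$2" "$dir" | sed "s|^|$1:|"; }
  scan shell_exec     '\b(system|exec|shell_exec|passthru|popen|pcntl_exec|proc_open)\('
  scan code_exec      '\b(eval|assert|create_function)\('
  scan backtick       '`[^`]+`'
  scan xss_echo       '\becho[[:space:]]*\$[^;]*;'
  scan sql_concat     '(->(query|exec)|mysqli?_query)\([[:space:]]*"[^"]*("[[:space:]]*\.|\$)'
  scan weak_seed      '\b(mt_srand|srand)\([[:space:]]*[0-9]+'
  scan hardcoded_cred '\b(user|pass|username|password)[[:space:]]*=[[:space:]]*"[^"]+"'
}

# count_hits DIR CATEGORY -> number of findings in that category (0 hits is not an error)
count_hits() { php_audit "$1" | grep -c "^$2:" || true; }

# make_sample -> path of a temp dir holding a constructed PHP sample (not real project code):
# bad.php carries one finding per category exercised below, ok.php the safe equivalents.
make_sample() {
  tmp=$(mktemp -d)
  cat > "$tmp/bad.php" <<'EOF'
<?php
$host = $_GET['h'];
system("ping -c1 " . $host);                              // shell_exec
echo $_GET['name'];                                       // xss_echo
$password = "hunter2";                                    // hardcoded_cred
mt_srand(42);                                             // weak_seed
$db->query("SELECT * FROM t WHERE id = " . $_GET['id']);  // sql_concat
EOF
  cat > "$tmp/ok.php" <<'EOF'
<?php
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$stmt = $db->prepare("SELECT * FROM t WHERE id = ?");
$stmt->execute([$_GET['id']]);
EOF
  printf '%s\n' "$tmp"
}

# stand-alone run: print the tagged findings for the constructed sample
d=$(make_sample)
php_audit "$d"
```

Pipe the output through `sort` and keep it under version control to see which findings appear, move or disappear between releases.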