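<?php
/**
 * A really dumb tool for ad-hoc PHP request logging - mostly useful to find malicious POST / cookie / etc payloads
 *
 * prepend with php.ini or .user.ini to cover all requests:
 *   auto_prepend_file = /[full-path-to-location]/dumb_sec.php
 *
 * Behaviour: only requests with a non-empty $_POST are logged. What gets written is a copy of
 * $_REQUEST (GET / POST / cookie values, depending on the request_order ini setting), with known
 * password parameters and WordPress auth cookies masked first. Only top-level keys are inspected,
 * so a password nested inside an array parameter (e.g. data[pwd]) is NOT masked.
 *
 * Log line format: ISO-8601 date, remote address, request URI, JSON of the masked request,
 * separated by single spaces, appended to dumb_sec.log next to this file.
 *
 * @author : Peeter Marvet (peeter@zone.ee)
 * @version 0.3
 * @license https://www.gnu.org/licenses/gpl-3.0.html GPL
 *
 * v0.3 / 20.08.2019
 * - include agent (if present)
 * v0.2 / 04.02.2018
 * - avoid logging pwds and wordpress auth cookies
 * - destroy used variables (for OCD, mostly)
 * v0.1 / 17.12.2017
 * - initial version
 */
if ( ! empty( $_POST ) ) {
	// request parameters that could contain password, must match exactly
	$neuter_params = [ 'pwd', 'password', 'pass1', 'pass1-text', 'pass2' ];
	// optionally: remove 'false &&' to allow storage of passwords for non-local IPs
	if ( false && ! empty( $_ENV['MM_COUNTRY_CODE'] ) && $_ENV['MM_COUNTRY_CODE'] !== 'EE' ) {
		$neuter_params = [];
	}
	// request cookies that could be mis-used, must begin with
	$neuter_cookies = [ 'wordpress_' ];
	$request_safe = $_REQUEST;
	// mask sensitive parts - isset() rather than empty(), so that a password of "0" is masked as well
	foreach ( $neuter_params as $param ) {
		if ( isset( $request_safe[ $param ] ) ) {
			// pwd[]=... arrives as an array: mb_strlen() would fail on it, hide it wholesale instead
			$request_safe[ $param ] = is_string( $request_safe[ $param ] )
				? str_repeat( '*', mb_strlen( $request_safe[ $param ] ) )
				: '**hidden**';
		}
	}
	foreach ( array_keys( $request_safe ) as $key ) {
		foreach ( $neuter_cookies as $cookie ) {
			// purely numeric keys are ints in PHP arrays - cast before the prefix check
			if ( strpos( (string) $key, $cookie ) === 0 ) {
				$request_safe[ $key ] = '**hidden**';
			}
		}
	}
	// invalid UTF-8 in a payload (common in probes) makes json_encode() return false, which would
	// have logged an empty payload column; substitute the bad bytes where PHP (>= 7.2) supports it
	$json_flags   = defined( 'JSON_INVALID_UTF8_SUBSTITUTE' ) ? JSON_INVALID_UTF8_SUBSTITUTE : 0;
	$request_json = json_encode( $request_safe, $json_flags );
	if ( $request_json === false ) {
		// still record that a request happened and why its payload could not be encoded
		$request_json = json_encode( [ 'json_error' => json_last_error_msg() ] );
	}
	$log = [
		date( 'c' ),
		// both can be absent outside a web SAPI (e.g. CLI with a global auto_prepend_file)
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
		isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
		$request_json,
	];
	// LOCK_EX keeps concurrent requests from interleaving their lines in the log
	file_put_contents( __DIR__ . '/dumb_sec.log', implode( " ", $log ) . PHP_EOL, FILE_APPEND | LOCK_EX );
	// if present - sends data to Mallory.
	// Resolve the agent against this file's directory explicitly: a bare `include 'dumb_agent.php'`
	// is searched via include_path first (usually starting with "." = the cwd of the served request),
	// so a dumb_agent.php dropped into any web-served directory would get executed on every POST.
	$agent = __DIR__ . '/dumb_agent.php';
	if ( is_file( $agent ) ) {
		include $agent;
	}
	// destroy used variables (free some memory + avoid problems if used in app without proper initialisation)
	unset( $request_safe, $log, $neuter_params, $neuter_cookies, $key, $param, $cookie, $json_flags, $request_json, $agent );
}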