Fork: 0
0xRoM / DirtyScripts
Transfer to URL with SHA Find file
Newer
Older
DirtyScripts / ReportToolz / rep2.php
root on 6 Feb 2020 14 KB mucho sexupo
Raw Blame History 
  1. #!/usr/bin/php
  2. <?php
  3. //error_reporting(0);
  4.  
  5. /***
  6.  * Configuration options
  7.  */
  8. $sub1 = 5; // header no in doc e.g. "5 Discovered Vulnerabilities"
  9.  
  10. /***
  11.  * Main program - Don't edit below
  12.  */
  13. echo "_____ _____ _____ 2\n||_// ||==  ||_// \n|| \\  ||___ ||    \n\n";
  14.  
  15. foreach (glob("classes/*.php") as $filename)
  16.     include $filename;
  17.  
  18. $definitions = new \Clapp\CommandLineArgumentDefinition(
  19.     array(
  20.         "help|h"            => "Shows help message",
  21.         "doc|d=s"           => "/path/to/doc.odt to use",
  22.     )
  23. );
  24.  
  25. $filter = new \Clapp\CommandArgumentFilter($definitions, $argv);
  26.  
  27. if ($filter->getParam('h') === true || $argc < 2) {
  28.     fwrite(STDERR, $definitions->getUsage());
  29.     exit(0);
  30. } 
  31.  
  32. // see if doc exists 
  33. if ($filter->getParam("doc") == false)
  34. 	die("[-] no doc set\n");
  35.  
  36. echo "[!] doc: ".$filter->getParam("doc")."\n";
  37. if(!file_exists($filter->getParam("doc")))
  38. 	die("[-] no such file! \n");
  39.  
  40. // extract doc and get contents
  41. $rand = uniqid();
  42. mkdir("/tmp/$rand");
  43. if(unzipFolder($filter->getParam("doc"), "/tmp/$rand/")) {
  44.     $source = file_get_contents("/tmp/$rand/content.xml");
  45.     echo "[+] doc extracted\n";
  46. } else {
  47. 	die("[-] unable to extract doc\n");
  48. }
  49. 	
  50. // Parse Doc's XML
  51. $line = array();
  52. $reader = new XMLReader();
  53. if (!$reader->open("/tmp/$rand/content.xml")) die("[-] Failed to open 'content.xml'\n");
  54.  
  55. // font checker
  56. /***
  57.  * FUTURE FEATURE PERHAPS
  58.  */
  59. $fonts = array();
  60. while ($reader->read()){ 
  61. 	//print_r($reader->name);
  62.     if ($reader->nodeType == XMLREADER::ELEMENT && ($reader->name === 'style:font-face')) {  
  63.     	//if(!empty($reader->name)){
  64.     		//echo "here2\n";
  65.         	//$line[] = $reader->expand()->textContent; // Put the text into array in correct order...
  66.     		$fonts[] = $reader->getAttribute("style:name");
  67.         	//echo $font;echo "\n"; // DEBUG
  68.         //}
  69.     }
  70. }
  71. $reader->close();
  72. //die();
  73. echo "[=] fonts found: ".sizeof($fonts)."\n";
  74.  
  75. // get template version used
  76. $reader = new XMLReader();
  77. if (!$reader->open("/tmp/$rand/meta.xml")) die("[-] Failed to open 'meta.xml'\n");
  78. $templateVer = 0.0;
  79. while ($reader->read()) {
  80.   if($reader->name == "dc:version"){
  81.     $reader->read();
  82.     $templateVer = number_format(floatval($reader->value), 2);
  83.     break;
  84.   }
  85. }
  86.  
  87. // step through text:h and text:p elements to put them into an array
  88. $reader = new XMLReader();
  89. if (!$reader->open("/tmp/$rand/content.xml")) die("[-] Failed to open 'content.xml'\n");
  90. while ($reader->read()){ 
  91.     if ($reader->nodeType == XMLREADER::ELEMENT && ($reader->name === 'text:h' || $reader->name === 'text:p' || $reader->name === 'text:bookmark')) {  
  92.     	if(!empty($reader->expand()->textContent))
  93.         	$line[] = $reader->expand()->textContent; // Put the text into array in correct order...
  94.         	//echo $reader->expand()->textContent;echo "\n"; // DEBUG
  95.     }
  96. }
  97. $reader->close();
  98.  
  99. // find the content we want
  100. $start = 0; $end = 0;
  101. foreach($line as $key => $val){
  102. 	if(strpos($val, "Discovered Vulnerabilities") === 0){ $start = $key; }
  103. 	//if(strpos($val, "This section provides a quick guide to plan your remediation for the vulnerabilities discovered during the test.") === 0){ $end = $key-2; }
  104. 	if(strpos($val, "Observed Hosts and Services") === 0){ $end = $key-2; }
  105. 	$line[$key] = trim($val);
  106. }
  107.  
  108. // add to sexy array's
  109. $vuln = array();
  110. $vulnPlace = 0;
  111. $switch = 0;
  112. $sub2 = 0;
  113. $sub3 = 1;
  114. if(number_format($templateVer, 2) >= number_format(1.0, 2)){
  115. 	echo "[=] Template $templateVer used\n";
  116. 	for ($i=$start; $i <= $end ; $i++) { 
  117. 		// change state (action to take)
  118. 		/***
  119. 		 * ~states~
  120. 		 * 0 = do nothing
  121. 		 * 1 = next is title
  122. 		 * 2 = next is description
  123. 		 * 3 = next is solution
  124. 		 * 4 = next is remediation
  125. 		 * 5 = next is cvss no
  126. 		 * 6 = next is risk level
  127. 		 * 7 = next is hosts
  128. 		 * 8 = next possibly title
  129. 		 */
  130. 		switch ($line[$i]) {
  131. 			case 'Discovered Vulnerabilities':
  132. 				$switch = 0;
  133. 				break;
  134. 			case 'Serious Risk Vulnerabilities':
  135. 				$sub2++; $sub3 = 1;
  136. 				$switch = 1;
  137. 				break;
  138. 			case 'High Risk Vulnerabilities':
  139. 				$sub2++; $sub3 = 1;
  140. 				$switch = 1;
  141. 				break;
  142. 			case 'Medium Risk Vulnerabilities':
  143. 				$sub2++; $sub3 = 1;
  144. 				$switch = 1;
  145. 				break;
  146. 			case 'Low Risk Vulnerabilities':
  147. 				$sub2++; $sub3 = 1;
  148. 				$switch = 1;
  149. 				break;
  150. 			case 'Description':
  151. 				$switch = 2;
  152. 				break;
  153. 			case 'Solution':
  154. 				$switch = 3;
  155. 				break;
  156. 			case 'Remediation':
  157. 				$switch = 4;
  158. 				break;
  159. 			case 'CVSS Base Score':
  160. 				$switch = 5;
  161. 				break;
  162. 			case 'Risk Analysis':
  163. 				$switch = 6;
  164. 				break;
  165. 			case 'Vulnerabilities Exist On':
  166. 				$switch = 7;
  167. 				break;
  168. 			case 'Potential Impact':
  169. 				$switch = 9;
  170. 				break;
  171. 			default:
  172. 				# code...
  173. 				break;
  174. 		}
  175.  
  176. 		//take action
  177. 		switch ($switch) {
  178. 			case 1:
  179. 				$i++;
  180. 				$vuln[$vulnPlace]['title'] = $line[$i];
  181. 				$vuln[$vulnPlace]['ref'] = "$sub1.$sub2.$sub3";
  182. 				$sub3++;
  183. 				$switch = 0;
  184. 				break;
  185. 			case 2:
  186. 				@$vuln[$vulnPlace]['desc'] .= $line[$i];
  187. 				break;
  188. 			case 3:
  189. 				@$vuln[$vulnPlace]['fix'] .= $line[$i];
  190. 				break;
  191. 			case 4:
  192. 				$i++;
  193. 				//$vuln[$vulnPlace]['rem'] = trim(strtok($line[$i], " "));
  194. 				$switch = 0;
  195. 				break;
  196. 			case 5:
  197. 				$i++;
  198. 				$vuln[$vulnPlace]['cvss'] = $line[$i];
  199. 				$switch = 0;
  200. 				break;
  201. 			case 6:
  202. 				$i++;
  203. 				$line[$i+3] = str_replace("Vulnerability Img", "", $line[$i+3]);
  204. 				$vuln[$vulnPlace]['risk'] = strstr(trim($line[$i+3]), ":", true);
  205. 				$vuln[$vulnPlace]['owasp'] = trim(substr($line[$i+3], strpos($line[$i+3], ":") + 1));  
  206. 				$vuln[$vulnPlace]['impact'] = trim(strtok($line[$i+4], " "));  
  207. 				$vuln[$vulnPlace]['rem'] = trim(strtok($line[$i+5], " ")); 
  208. 				$switch = 0;
  209. 				break;
  210. 			case 7:
  211. 				$i++;
  212. 				$vuln[$vulnPlace]['hosts'] = $line[$i];
  213. 				$switch = 8;
  214. 				$vulnPlace++;
  215. 				break;
  216. 			case 8:
  217. 				$vuln[$vulnPlace]['title'] = trim($line[$i]);
  218. 				$vuln[$vulnPlace]['ref'] = "$sub1.$sub2.$sub3";
  219. 				$sub3++;
  220. 				$switch = 0;
  221. 				break;
  222. 			case 9:
  223. 				@$vuln[$vulnPlace]['impact'] .= $line[$i];
  224. 				break;
  225. 			default:
  226. 				# code...
  227. 				break;
  228. 		}
  229.  
  230. 		//echo $line[$i]."\n"; // DEBUG
  231. 	}
  232. 	$first_desc = explode("Description", $vuln[0]['desc']);
  233. 	$vuln[0]['desc'] = $first_desc[sizeof($first_desc)-1];
  234. }else{ // old template or Dave's format
  235. 	for ($i=$start; $i <= $end ; $i++) { 
  236. 		// change state (action to take)
  237. 		/***
  238. 		 * ~states~
  239. 		 * 0 = do nothing
  240. 		 * 1 = next is title
  241. 		 * 2 = next is description
  242. 		 * 3 = next is solution
  243. 		 * 4 = next is remediation
  244. 		 * 5 = next is cvss no
  245. 		 * 6 = next is risk level
  246. 		 * 7 = next is hosts
  247. 		 * 8 = next possibly title
  248. 		 */
  249. 		switch ($line[$i]) {
  250. 			case 'Discovered Vulnerabilities':
  251. 				$switch = 0;
  252. 				break;
  253. 			case 'Serious Risk Vulnerabilities':
  254. 				$sub2++; $sub3 = 1;
  255. 				$switch = 1;
  256. 				break;
  257. 			case 'High Risk Vulnerabilities':
  258. 				$sub2++; $sub3 = 1;
  259. 				$switch = 1;
  260. 				break;
  261. 			case 'Medium Risk Vulnerabilities':
  262. 				$sub2++; $sub3 = 1;
  263. 				$switch = 1;
  264. 				break;
  265. 			case 'Low Risk Vulnerabilities':
  266. 				$sub2++; $sub3 = 1;
  267. 				$switch = 1;
  268. 				break;
  269. 			case 'Description':
  270. 				$switch = 2;
  271. 				break;
  272. 			case 'Solution':
  273. 				$switch = 3;
  274. 				break;
  275. 			case 'Remediation':
  276. 				$switch = 4;
  277. 				break;
  278. 			case 'CVSS Base Score':
  279. 				$switch = 5;
  280. 				break;
  281. 			case 'Risk Level':
  282. 				$switch = 6;
  283. 				break;
  284. 			case 'Vulnerabilities Exist On':
  285. 				$switch = 7;
  286. 				break;
  287. 			case 'Potential Impact':
  288. 				$switch = 9;
  289. 				break;
  290. 			default:
  291. 				# code...
  292. 				break;
  293. 		}
  294.  
  295. 		//take action
  296. 		switch ($switch) {
  297. 			case 1:
  298. 				$i++;
  299. 				$vuln[$vulnPlace]['title'] = $line[$i];
  300. 				$vuln[$vulnPlace]['ref'] = "$sub1.$sub2.$sub3";
  301. 				$sub3++;
  302. 				$switch = 0;
  303. 				break;
  304. 			case 2:
  305. 				@$vuln[$vulnPlace]['desc'] .= $line[$i];
  306. 				break;
  307. 			case 3:
  308. 				@$vuln[$vulnPlace]['fix'] .= $line[$i];
  309. 				break;
  310. 			case 4:
  311. 				$i++;
  312. 				$vuln[$vulnPlace]['rem'] = trim(strtok($line[$i], " "));
  313. 				$switch = 0;
  314. 				break;
  315. 			case 5:
  316. 				$i++;
  317. 				$vuln[$vulnPlace]['cvss'] = $line[$i];
  318. 				$switch = 0;
  319. 				break;
  320. 			case 6:
  321. 				$i++;
  322. 				$vuln[$vulnPlace]['risk'] = trim(strtok($line[$i], " "));
  323. 				$vuln[$vulnPlace]['owasp'] = trim(substr($line[$i], strpos($line[$i], ":") + 1));    
  324. 				$switch = 0;
  325. 				break;
  326. 			case 7:
  327. 				$i++;
  328. 				$vuln[$vulnPlace]['hosts'] = $line[$i];
  329. 				$switch = 8;
  330. 				$vulnPlace++;
  331. 				break;
  332. 			case 8:
  333. 				$vuln[$vulnPlace]['title'] = trim($line[$i]);
  334. 				$vuln[$vulnPlace]['ref'] = "$sub1.$sub2.$sub3";
  335. 				$sub3++;
  336. 				$switch = 0;
  337. 				break;
  338. 			case 9:
  339. 				@$vuln[$vulnPlace]['impact'] .= $line[$i];
  340. 				break;
  341. 			default:
  342. 				# code...
  343. 				break;
  344. 		}
  345.  
  346. 		//echo $line[$i]."\n"; // DEBUG
  347. 	}
  348. }
  349. // minor tidying of arrays
  350. for ($i=0; $i < sizeof($vuln) ; $i++) { 
  351. 	if (strpos($vuln[$i]['desc'], "Description") === 0) $vuln[$i]['desc'] = substr($vuln[$i]['desc'], strlen("Description"));
  352. 	if (strpos($vuln[$i]['fix'], "Solution") === 0) $vuln[$i]['fix'] = substr($vuln[$i]['fix'], strlen("Solution"));
  353. 	$vuln[$i]['risk'] = rtrim($vuln[$i]['risk'], ":");
  354. 	// remove html encoding
  355. 	foreach($vuln[$i] as $key => $val){
  356. 		$vuln[$i][$key] = mb_convert_encoding($val, "UTF-8", 'UTF-8');
  357. 	}
  358. }
  359.  
  360. //print_r($vuln); // DEBUG
  361. echo "[+] vulnerabilities identified\n";
  362.  
  363. delTree("/tmp/$rand");
  364. echo "[+] temp files removed\n";
  365.  
  366. $resultsFolder = substr($filter->getParam("doc"), 0, strrpos( $filter->getParam("doc"), '/') )."/rep2";
  367. if(!file_exists($resultsFolder."/")){
  368. 	mkdir($resultsFolder."/");
  369. 	echo "[+] created directory $resultsFolder/\n";
  370. }else{
  371. 	$i = 1;
  372. 	while (file_exists($resultsFolder."_$i/"))
  373. 		$i++;
  374. 	mkdir($resultsFolder."_$i/");
  375. 	$resultsFolder .= "_$i";
  376. 	echo "[+] created directory $resultsFolder/\n";
  377. }
  378.  
  379. if(writeIssueTable($vuln, "Serious", $resultsFolder."/findings_serious.csv"))
  380. 	echo "[+] serious issues: $resultsFolder/findings_serious.csv\n";
  381. if(writeIssueTable($vuln, "High", $resultsFolder."/findings_high.csv"))
  382. 	echo "[+] high issues: $resultsFolder/findings_serious.csv\n";
  383. if(writeIssueTable($vuln, "Medium", $resultsFolder."/findings_medium.csv"))
  384. 	echo "[+] medium issues: $resultsFolder/findings_serious.csv\n";
  385. if(writeIssueTable($vuln, "Low", $resultsFolder."/findings_low.csv"))
  386. 	echo "[+] low issues: $resultsFolder/findings_serious.csv\n";
  387.  
  388. $order = array('title', 'ref', 'desc', 'fix','rem','cvss','risk','impact','owasp','hosts');
  389. $orderedArray = array();
  390. foreach($vuln as $vn_no =>$vn){
  391. 	foreach ($order as $key) {
  392. 		//echo $key."\n";
  393. 	    $orderedArray[$vn_no][$key] = $vuln[$vn_no][$key];
  394. 	}
  395. }
  396. if(writeAllTable($orderedArray, $resultsFolder."/findings_all.csv"))
  397. 	echo "[+] all issues: $resultsFolder/findings_all.csv\n";
  398.  
  399. if(writeRemediationTable($vuln, $resultsFolder."/remediation.csv"))
  400. 	echo "[+] remediation table: $resultsFolder/remediation.csv\n";
  401.  
  402. if(writeOWASPTable($vuln, $resultsFolder."/owasp.csv"))
  403. 	echo "[+] OWASP table: $resultsFolder/owasp.csv\n";
  404.  
  405. viewVulns($vuln);
  406.  
  407. function unzipFolder($zipInputFile, $outputFolder) {
  408.     $zip = new ZipArchive;
  409.     $res = $zip->open($zipInputFile);
  410.     if ($res === true) {
  411.         $zip->extractTo($outputFolder);
  412.         $zip->close();
  413.         return true;
  414.     }
  415.     else {
  416.         return false;
  417.     }
  418. }
  419.  
  420. function XML2Array(SimpleXMLElement $parent){
  421.     $array = array();
  422.  
  423.     foreach ($parent as $name => $element) {
  424.         ($node = & $array[$name])
  425.             && (1 === count($node) ? $node = array($node) : 1)
  426.             && $node = & $node[];
  427.  
  428.         $node = $element->count() ? XML2Array($element) : trim($element);
  429.     }
  430.  
  431.     return $array;
  432. }
  433.  
  434. function delTree($dir){ 
  435.     $files = array_diff(scandir($dir), array('.', '..')); 
  436.  
  437.     foreach ($files as $file) { 
  438.         (is_dir("$dir/$file")) ? delTree("$dir/$file") : unlink("$dir/$file"); 
  439.     }
  440.  
  441.     return rmdir($dir); 
  442. } 
  443.  
  444. function viewVulns($vuln){
  445. 	$s = $h = $m = $l = 0;
  446. 	for ($i=0; $i < sizeof($vuln) ; $i++) { 
  447. 		switch ($vuln[$i]['risk']) {
  448. 			case 'Serious':
  449. 				$s++;
  450. 				break;
  451. 			case 'High':
  452. 				$h++;
  453. 				break;
  454. 			case 'Medium':
  455. 				$m++;
  456. 				break;
  457. 			case 'Low':
  458. 				$l++;
  459. 				break;
  460. 		}
  461. 	}
  462. 	echo "[=] Serious = $s, High = $h, Medium = $m, Low = $l\n";
  463.  
  464. echo"
  465. Ref    | Title                             |  Risk  |  CVSS  |  Remediation  |  OWASP
  466. -------|-----------------------------------|--------|--------|---------------|------------------------------\n";
  467. for ($i=0; $i < sizeof($vuln) ; $i++) { 
  468. 	$ref = str_pad($vuln[$i]['ref'], 7);
  469. 	$title = str_pad($vuln[$i]['title'], 35);
  470. 	$risk = str_pad($vuln[$i]['risk'], 8);
  471. 	$cvss = str_pad($vuln[$i]['cvss'], 8);
  472. 	$rem = str_pad($vuln[$i]['rem'], 15);
  473. 	$owasp = str_pad($vuln[$i]['owasp'], 30);
  474.  
  475. 	echo substr($ref, 0, 7); echo "|";
  476. 	echo substr($title, 0, 35); echo "|";
  477. 	echo substr($risk, 0, 8); echo "|";
  478. 	echo substr($cvss, 0, 8); echo "|";
  479. 	echo substr($rem, 0, 15); echo "|";
  480. 	echo substr($owasp, 0, 30); echo "\n";
  481. }
  482. }
  483.  
  484. function writeIssueTable($vuln, $issue, $path){
  485. 	$towrite = array();
  486. 	for ($i=0; $i < sizeof($vuln) ; $i++) { 
  487. 		if($vuln[$i]['risk'] == $issue){
  488. 			$towrite[$i]['desc'] = $vuln[$i]['title']." - ".$vuln[$i]['desc'];
  489. 			$towrite[$i]['fix'] = $vuln[$i]['fix'];
  490. 			$towrite[$i]['ref'] = $vuln[$i]['ref'];
  491. 			$towrite[$i]['hosts'] = $vuln[$i]['hosts'];
  492. 		}
  493. 	}
  494. 	if(sizeof($towrite) > 0){
  495. 		$fp = fopen($path, 'w');
  496. 		fprintf($fp, chr(0xEF).chr(0xBB).chr(0xBF));
  497. 		foreach ($towrite as $fields) {
  498. 	    	fputcsv($fp, $fields);
  499. 		}
  500. 		fclose($fp);
  501. 		return true;
  502. 	}else{
  503. 		return false;
  504. 	} 
  505. }
  506.  
  507. function writeAllTable($vuln, $path){
  508. 	if(sizeof($vuln) > 0){
  509. 		$fp = fopen($path, 'w');
  510. 		fprintf($fp, chr(0xEF).chr(0xBB).chr(0xBF));
  511. 		fputcsv($fp, array("Title", "Ref", "Description", "Solution", "Remediation", "CVSS", "Risk","Impact", "OWASP", "Affected"));
  512.  
  513. 		//print_r($orderedArray);
  514. 		foreach ($vuln as $fields) {
  515. 	    	fputcsv($fp, $fields);
  516. 		}
  517. 		fclose($fp);
  518. 		return true;
  519. 	}else{
  520. 		return false;
  521. 	} 
  522. }
  523.  
  524. function writeRemediationTable($vuln, $path){
  525. 	$towrite = array();
  526. 	for ($i=0; $i < sizeof($vuln) ; $i++) { 
  527. 		$towrite[$i]['hosts'] = $vuln[$i]['hosts'];
  528. 		$towrite[$i]['ref'] = $vuln[$i]['ref'];
  529. 		$towrite[$i]['p'] = " ";	
  530. 		$towrite[$i]['c'] = " ";	
  531. 		$towrite[$i]['d'] = " ";	
  532. 		$towrite[$i]['u'] = " ";	
  533. 		switch ($vuln[$i]['rem']) {
  534. 			case 'Patch':
  535. 				$towrite[$i]['p'] = $vuln[$i]['risk'][0];
  536. 				break;
  537. 			case 'Configuration':
  538. 				$towrite[$i]['c'] = $vuln[$i]['risk'][0];
  539. 				break;
  540. 			case 'Development':
  541. 				$towrite[$i]['d'] = $vuln[$i]['risk'][0];
  542. 				break;
  543. 			case 'Upgrade':
  544. 				$towrite[$i]['u'] = $vuln[$i]['risk'][0];
  545. 				break;
  546. 		}	
  547. 	}
  548. 	if(sizeof($towrite) > 0){
  549. 		$fp = fopen($path, 'w');
  550. 		fprintf($fp, chr(0xEF).chr(0xBB).chr(0xBF));
  551. 		fputcsv($fp, array("Host", "Ref", "P", "C", "D", "U"));
  552. 		foreach ($towrite as $fields) {
  553. 	    	fputcsv($fp, $fields);
  554. 		}
  555. 		fclose($fp);
  556. 		return true;
  557. 	}else{
  558. 		return false;
  559. 	} 
  560. }
  561.  
  562. function writeOWASPTable($vuln, $path){
  563. 	$towrite = array();
  564. 	for ($i=0; $i < sizeof($vuln) ; $i++) { 
  565. 		if(in_array($vuln[$i]['owasp'], array_column($towrite, 'owaspId'))){
  566. 			$towrite[$vuln[$i]['owasp']]['no']++;
  567. 		}else{
  568. 			$towrite[$vuln[$i]['owasp']]['owaspId'] = $vuln[$i]['owasp'];
  569. 			$towrite[$vuln[$i]['owasp']]['no'] = 1;
  570. 		}
  571. 	}
  572. 	if(sizeof($towrite) > 0){
  573. 		$fp = fopen($path, 'w');
  574. 		fprintf($fp, chr(0xEF).chr(0xBB).chr(0xBF));
  575. 		foreach ($towrite as $fields) {
  576. 	    	fputcsv($fp, $fields);
  577. 		}
  578. 		fclose($fp);
  579. 		return true;
  580. 	}else{
  581. 		return false;
  582. 	} 
  583. }
  584.  
  585. ?>
Buy Me A Coffee